Well you do if you want to receive the confirmation text. And while you’re at it, you might as well use the same cell tower for data so that you get “residential” IP.
You can definitely fake geolocation and perhaps you could fake IP through some proxy, but you can’t use commercial VPN services as their IPs are well known VPN IP ranges at this stage. (these SIMs might have been used as such proxies for some spamming besides being used for this specific botnet) Effectively the more you want to blend in with the actual Ukrainian end user traffic, the more you need to be present in the country and the more complicated it is to fake it otherwise. Especially if you’re trying to hide from state level investigation, that has access to triangulation from cell towers, providers logs, etc…
It’s just I see one collab having a gateway on their PC for russian-based labs to operare rather than the whole scheme based oin Ukraine.
Cell-tower data would be hepfull to locate the guy, but do web\apps collect it?
You can do the gateway on a PC thing. You don’t even need to have collaborator to do that, plenty of people run outdated systems riddled with malware.
But once you need actual working SIM (Telegram, Watsapp, etc…) you really need that SIM somewhere in Ukraine. And you need plenty of them. (see the pictures in the article, there’s a ton) At minimum to activate the accounts and more realistically for occasional re-verification. (2fa) Sure you can then run actual bots in russia, but that need for physical presence is still there at least occasionally. The article mentions 100 individuals, when you consider that 150k SIMs were there, most of the operation indeed was in russia or somewhere else.
The triangulation is just a way to maybe correlate multiple SIMs in the same spot by Ukrainian officials once they had enough suspected malicious SIMs. (So that they know it’s not just few random persons with malware on their phone, but it’s indeed huge concentration of SIMs in one spot)