The phones tapped included those of the Prime Minister Kostas Karamanlis and members of his family, the Mayor of Athens, Dora Bakoyannis, most phones of the top officers at the Ministry of Defense, the Ministry of Foreign Affairs, the Ministry for Public Order, members of the ruling party, ranking members of the opposition Panhellenic Socialist Movement party (PASOK), the Hellenic Navy General Staff, the previous Minister of Defense and one phone of a locally hired Greek American employee of the American Embassy. Phones of Athens-based Arab businessmen were also tapped.
Foreign and Greek media have raised United States intelligence agencies as the main suspects. AFP reported that one Greek official stated on background that the likely initial penetration occurred during the run-up to the 2004 Athens Olympics, stating: "it is evident that the wiretaps were organized by foreign intelligence agencies, for security reasons related to the 2004 Olympic Games." The leader of the PASOK socialist opposition George Papandreou said that the Greek government itself had pointed towards the US as responsible of the wiretaps by giving up the zone of listening range, in which the US embassy was included.
The Ericsson switches used by Vodafone Greece were compromised and unauthorized software was installed that made use of legitimate tapping modules, known as “lawful interception”, while bypassing the normal monitoring and logging that would take place when a legal tap is set up. This software was eventually found to be installed on 4 of Vodafone's Ericsson AXE telephone exchanges.
In modern mobile telecommunication networks, legal wiretaps, known as lawful interceptions, are performed at the switch. Ericsson AXE telephone exchanges support lawful intercepts via the remote-control equipment subsystem (RES), which carries out the tap, and the interception management system (IMS), software used to initiate the tap which adds the tap to the RES database. In a fully operating lawful interception system the RES and IMS both create logs of all numbers being taped so that system administrators can perform audits to find unauthorized taps.
To successfully wiretap phone numbers without detection, as the intruders did, a special set of circumstances had to be present. The RES had to be active on the exchange, but the IMS had to be unused. At the time of the illegal wiretaps, Vodafone had not yet purchased the lawful intercept options, meaning the IMS was not present on their systems. However, an earlier exchange software upgrade had included the RES. In addition, the intruders needed to continue to have access to the exchange software to change tapped numbers, without alerting system administrators that the exchange had been modified. Normally, all changes to exchange software would be logged. To get around this, the intruders installed a rootkit on the exchange, a piece of software that would modify the exchange software on the fly to hide all changes and, in case of an audit, to make the exchange appear as though it had been untouched.
When one of the tapped phones made or received a phone call, the exchange, or switch, sent a duplication of the conversation to one of 14 anonymous prepaid mobile phones. As these phones are not associated with a contract, retrieving details of their owners is very difficult. About half of the intercepting phones were activated between June and August 2004. The base stations that serviced those phones were in an area near the center of Athens.
On January 24, 2005, an intruder update of exchange software resulted in customer text messages not being sent. Vodafone Greece sent firmware dumps of the affected exchanges to Ericsson for analysis. On March 4, 2005, Ericsson located the rogue code, 6500 lines of code written in the PLEX language used by Ericsson AXE switches. Writing such sophisticated code in a very esoteric language required a high level of expertise. Much of Ericsson's software development for AXE had been done by an Athens-based company named Intracom Telecom, so the skills needed to write the rogue software were likely available within Greece.
On March 7, 2005, Ericsson notified Vodafone of the existence of rogue wiretaps and software in their systems. The next day the general manager of the Greek Vodafone branch, George Koronias, asked for the software to be removed and deactivated. Because the rogue software was removed before law enforcement had an opportunity to investigate, the perpetrators were likely alerted that their software had been found and had ample opportunity to turn off the "shadow" phones to avoid detection. According to the head of Greece's intelligence service, Ioannis Korantis: "From the moment that the software was shut down, the string broke that could have lead us to who was behind this."
On March 9, the Network Planning Manager for Vodafone - Greece, Kostas Tsalikidis, was found dead in an apparent suicide. According to several experts questioned by the Greek press, Tsalikidis was a key witness in the investigation of responsibility of the wiretaps. Family and friends believe there are strong indications he was the person who first discovered that highly sophisticated software had been secretly inserted into the Vodafone network. Tsalikidis had been planning for a while to quit his Vodafone job but told his fiancée not long before he died that it had become "a matter of life or death" that he leave, says the family's lawyer, Themis Sofos. There is speculation that either he committed suicide because of his involvement in the tapping of the phones, or he was murdered because he had discovered, or was about to discover, who the perpetrators were. After a four-month investigation of his death, Supreme Court prosecutor Dimitris Linos said that the death of Tsalikidis was directly linked to the scandal. "If there had not been the phone tapping, there would not have been a suicide," he said.
In November, 2007, press reports in Greece quoted the Tsalikas family attorney, Themistokles Sofos, as saying they had commenced legal action against Vodafone, "suspect[ing] he was poisoned".
On March 10 Kornoias asked to meet Prime Minister Karamanlis to discuss matters of national security. At 20:00 on the same day he presented the facts to the Minister of Public Order and the Prime Minister's chief of staff, and on the next day he presented them to the Prime Minister.
A preliminary judicial investigation was carried out, which due to the complexity of the case, lasted until February 1, 2006. The preliminary investigation did not point out any persons connected with the case. The investigation was hindered by the fact that Vodafone disabled the interception system, and therefore locating the intercepting phones was no longer possible (the phones were apparently switched off), and that Vodafone had incorrectly purged all access logs. Police rounded up and questioned as suspects persons who called the monitoring phones, but all callers claimed they called these phones because their number was previously used by another person.
Ericsson has checked their equipment in other markets world-wide and has not found the illegal software installed anywhere else. "As far as Ericsson knows, this is a unique incident. We have never discovered anything like this before or since." Vodafone spokesman Ben Padovan said.
The investigation into the matter was further hampered when Greek law enforcement officials began to make accusations at both Vodafone and Ericsson, which forced experts on the defensive.
A recent appeal of the main opposition party, PASOK, to form an investigating parliamentary committee was rejected by the governing party.
In December 2006 Vodafone Greece was fined €76 million by The Communications Privacy Protection Authority, a Greek privacy watchdog group, for the illegal wiretapping of 106 cellphones. The fine were calculated as €500,000 for each phone that was eavesdropped on, as well as a €15 million for impeding their investigation.