Phishing Campaign Targeting Signal and WhatsApp Users Linked to Russian Intelligence

Russian intelligence-linked threat actors are actively targeting users of encrypted messaging apps such as Signal and WhatsApp through phishing campaigns that have already compromised thousands of accounts, according to a new FBI public service announcement.

The FBI has made the first public attribution linking these campaigns directly to Russian intelligence services, rather than describing them as attacks from broader state-sponsored groups.

According to the FBI, these campaigns are designed to bypass end-to-end encryption protections in commercial messaging apps (CMAs) not by breaking the encryption itself, but through account hijacking techniques.

While the techniques can be applied to multiple CMAs, they predominantly target Signal users.

Once attackers gain access, they can read private messages and contact lists, impersonate victims, and launch additional phishing campaigns by posing as trusted contacts.

The attacks have affected “thousands” of accounts worldwide and primarily target individuals with access to sensitive information, including current and former U.S. government officials, military personnel, political figures, and journalists.

The FBI’s attribution follows earlier advisories from Dutch intelligence agencies and France’s Cyber Crisis Coordination Center (C4) that described similar account-hijacking operations. Both agencies confirmed the activity is widespread and ongoing across multiple countries.

How the phishing attacks work

All three advisories describe the same tactic: phishing messages that trick users into granting attackers access to their accounts or linking devices to existing accounts.

Two different phishing methods seen targeting Signal
Two different phishing methods seen targeting Signal
Source: FBI

Most phishing messages impersonate support accounts and request that targets perform an action that secretly grants threat actors access. Victims are typically tricked into sharing verification codes or scanning malicious QR codes that link their Signal or WhatsApp accounts to attacker-controlled devices.

Samples of Signal phishing messages used in the phishing campaign
Samples of Signal phishing messages used in the phishing campaign
Source: France’s Cyber Crisis Coordination Center (C4)

Once threat actors gain access, they can silently monitor communications, join group chats, and send messages as the compromised user—making detection difficult and enabling further phishing campaigns.

The FBI emphasizes that encryption in these platforms is not broken and no vulnerabilities are being exploited. The campaign’s success relies entirely on social engineering.

Protecting yourself

Users are advised to remain suspicious of unexpected messages, be wary of requests to scan QR codes or link devices to their accounts, and never share verification codes with anyone, including accounts claiming to represent platform support personnel.

Related Articles

Back to top button
OrfthOYyb