FBI Links Signal Phishing Attacks to Russian Intelligence Services
FBI warns that Russian intelligence-linked actors are hijacking accounts on encrypted messaging apps like Signal and WhatsApp through phishing campaigns, compromising thousands of users worldwide—especially high-value targets such as U.S. officials, military personnel, politicians, and journalists. The attacks bypass end‑to‑end encryption by tricking users into linking devices or sharing verification codes, enabling attackers to read messages, impersonate victims, and launch further phishing. Users are urged to be wary of unexpected support requests, QR codes, and device linking.

The Federal Bureau of Investigation has issued a public service announcement warning that threat actors tied to Russian intelligence services are actively targeting users of encrypted messaging apps such as Signal and WhatsApp. These campaigns, the agency says, have already compromised thousands of accounts worldwide. Rather than breaking the encryption itself, the attackers rely on account hijacking to bypass protections offered by end-to-end encrypted platforms.
According to the FBI, the attack playbook is designed to exploit user trust and device management workflows. The techniques can be adapted to multiple commercial messaging apps, but the emphasis remains on Signal. When successful, attackers can gain access to private messages and contact lists, impersonate the victim, and launch additional phishing efforts using the compromised account as a trusted intermediary. In effect, the attackers use legitimate access to the victim’s account to extend their reach, which makes detection far more difficult and lets further phishing spread from a single point of compromise.
The scope described by the FBI suggests thousands of accounts have been affected, with a concentration of targets among individuals who handle sensitive information. The PSA notes that the activity is aimed at high-value figures, including current and former government officials, military personnel, political figures, and journalists. This attribution marks a rare instance of a public statement tying the online operations directly to a nation-state actor, rather than describing the threat landscape in more general terms of state-backed hacking.
Similar advisories have appeared outside the United States. Earlier this month, Dutch cybersecurity authorities warned of similar account-hijacking campaigns targeting Signal and WhatsApp users in efforts to access secure communications. The Dutch advice explained that attackers try to entice users into letting them add devices to their accounts or into linking attacker-controlled devices to the account, techniques that effectively give the intruder access to the account alongside its owner. France’s Cyber Crisis Coordination Center later published an alert describing the same tactics as widespread and ongoing across multiple countries, underscoring the international nature of the threat.
Across the three advisories, the core tactic remains consistent: bypass the platform’s protections not by defeating the encryption, but by taking control of an existing account or attaching unknown devices to it. The FBI highlights two particular phishing paths observed with Signal. In one, messages masquerade as legitimate support communications and coax victims into performing actions that secretly grant attackers access to the account. In another, victims are manipulated into sharing verification codes or scanning malicious QR codes that connect attacker-controlled devices to the victim’s account. Once access is established, the attackers can operate in the background—silently monitoring conversations, joining group chats, and sending messages as the real user. This kind of misuse not only jeopardizes a single account but fuels a broader wave of fraud and deception, as the compromised identity is trusted by other users.
The FBI is careful to emphasize that the encryption technology itself remains intact and that no intrinsic vulnerability is being exploited in Signal, WhatsApp, or similar platforms. The real risk lies in how users authorize devices and manage their verification processes. In practice, this means a compromised account can serve as a springboard for further targeting, enabling phishing campaigns that appear legitimate because they originate from a trusted contact.
Given this landscape, users are urged to maintain healthy skepticism around unexpected messages, particularly those asking for actions that would link devices or reveal access credentials. Verification codes should never be shared with anyone, and requests to scan QR codes or to install or authorize new devices should be treated with heightened scrutiny. Even messages claiming to come from platform support personnel should be approached with caution and verified through official channels before any action is taken.
The evolving situation underscores a broader point about secure communications: while the underlying technology provides strong protections, the human element—how people authorize connections and manage devices—often constitutes the weakest link. As governments and security services continue to monitor and counter these evolving threats, individuals and organizations that rely on encrypted messaging should revisit device linking practices, review who has access to sensitive information, and reinforce verification procedures to reduce the risk of account takeover.