Russian hackers exploit Signal’s "Linked Devices" to hijack accounts via QR phishing. Learn risks & how to protect against covert spying

Continue reading
In a chilling revelation, cybersecurity researchers have uncovered a sophisticated espionage campaign orchestrated by Russian state-aligned hackers exploiting one of the world’s most trusted encrypted messaging apps: Signal. A bombshell report from Google’s Threat Intelligence Group (GTIG) details how Kremlin-backed threat actors weaponized Signal’s “Linked Devices” feature to hijack accounts, monitor private conversations, and steal sensitive data—all without breaking the app’s encryption.
The attacks hinge on a deviously simple trick: malicious QR codes. Russian operatives, including the notorious Sandworm group (aka APT44), crafted fake invites, security alerts, and even military-grade software updates to dupe victims into scanning these codes. Once scanned, the QR code links the victim’s Signal account to a device controlled by the attacker, granting real-time access to messages, media, and contacts.
_“This is the most novel and widely used technique in Russian-aligned attempts to compromise Signal accounts,”_ GTIG warned. The hackers tailored their approach based on the target:
In one alarming case, Sandworm exploited devices seized on the Ukraine battlefield, syncing soldiers’ Signal accounts to Russian-controlled hardware to intercept battlefield communications.
GTIG exposed a Russian hacking collective, tracked as UNC5792, that created near-perfect replicas of Signal group invite pages. These pages, hosted on attacker-controlled servers, replaced legitimate “join group” links with code forcing victims to link their account to a hacker’s device.
_“The fake invitations were indistinguishable from real ones,”_ researchers noted. When users clicked “accept,” they unknowingly handed over their Signal data to Russian spies. This group has ties to UAC-0195, a threat actor previously caught targeting WhatsApp accounts of diplomats and officials.
Another Russia-linked group, UNC4221 (UAC-0185), targeted Ukrainian soldiers with a custom phishing kit impersonating Kropyva—a critical app used by Ukraine’s military for artillery guidance and minefield mapping. Hackers created a fake Signal verification page (signal-confirm[.]site) to mask the device-linking scam, while QR codes distributed via phishing emails synced victims’ accounts to Russian servers.
Once linked, attackers used tools like Infamous Chisel malware, PowerShell scripts, and the WAVESIGN batch script to quietly extract Signal message databases from Android and Windows devices. GTIG warns that these breaches can go undetected for months, as Signal lacks tools to monitor unauthorized linked devices.
_“The risk of prolonged compromise is extremely high,”_ researchers stressed.
The report highlights a broader Russian obsession with encrypted messaging apps. The Coldriver campaign, for example, recently targeted diplomats via WhatsApp. But Signal’s open-source framework and “Linked Devices” feature made it uniquely vulnerable to this phishing tactic.
GTIG and Signal urge users to:
This campaign exposes a harsh truth: even the most secure apps can be undermined by human error. As Russian hackers refine their social engineering tactics, the line between digital safety and catastrophe grows thinner. For high-risk users—journalists, soldiers, diplomats—the stakes have never been higher.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation