FBI warns Russian intelligence is hijacking Signal accounts via phishing—thousands compromised. Learn how attackers bypass encryption.

Continue reading
FBI issued a public service announcement (PSA) attributing a widespread, ongoing phishing campaign against encrypted messaging platforms—primarily Signal—to Russian intelligence services. The campaign has resulted in the compromise of thousands of accounts worldwide, targeting individuals with access to sensitive information.
Attackers do not exploit encryption weaknesses; instead, they bypass end-to-end encryption through account hijacking techniques, primarily via social engineering to steal verification codes or trick users into linking attacker-controlled devices.
This Threatfeed provides deep threat insights of the attack vectors, attribution, impact, and recommended mitigations, synthesizing information from the FBI, the Dutch General Intelligence and Security Service (AIVD), and France’s Cyber Crisis Coordination Center (C4).
End-to-end encrypted (E2EE) messaging apps like Signal and WhatsApp are widely used by government officials, military personnel, journalists, and activists to protect communications. However, Russian intelligence-linked threat actors have adapted their tactics to circumvent these protections. Rather than attempting to break cryptographic protocols, they employ targeted phishing campaigns to compromise user accounts at the authentication and device management layers. This approach grants persistent, undetected access to live conversations, contact lists, and group chats, enabling further intelligence gathering and secondary phishing attacks.
The FBI’s March 2026 PSA marks the first official U.S. attribution of these campaigns directly to Russian intelligence services (rather than a generic “state-sponsored” label). This conclusion aligns with earlier warnings from Dutch and French authorities:
The coordinated attribution suggests a strategic Russian intelligence operation, likely conducted by units such as the SVR, FSB, or affiliated groups, focusing on signal intelligence (SIGINT) collection via commercial messaging platforms.
The attack does not rely on vulnerabilities in the apps’ encryption. Instead, it exploits the device-linking and authentication features inherent to these platforms. Two primary methods have been observed:
Victims receive unsolicited messages (via SMS, email, or the messaging platform itself) that appear to be from the platform’s “support” or “security” team. These messages often create urgency—e.g., “Your account requires verification” or “A new device attempted to log in”—and instruct the user to perform an action that inadvertently gives the attacker access.
In this scenario, the attacker initiates a legitimate “register on new device” process using the victim’s phone number. The victim receives an SMS or in-app verification code. The phishing message tricks the victim into providing that code to the attacker, who then uses it to complete the registration on their own device. Once done, the attacker gains full access to the account, including all current and future messages.
Signal-specific nuance: When registering on a new primary device (e.g., a new phone), the old device is automatically disconnected. Victims may notice a sudden “no longer registered” state.
This method is particularly insidious because it does not deregister the victim’s primary device, making detection difficult. The attacker generates a QR code (or sends a malicious “link device” URL) that, when scanned by the victim, links the attacker’s device as a secondary device (Signal desktop or iPad, for example).
The phishing message disguises this QR code as a legitimate security or verification step. Upon scanning, the victim unknowingly authorizes the attacker’s device to read and send messages from their account.
After gaining access, attackers can:
The use of encrypted messaging apps by sensitive individuals makes this campaign particularly damaging, as it subverts the security assumptions of those apps.
Because the attack does not involve malware, traditional endpoint IOCs are limited. Detection relies on user behaviour and account anomalies.
User-Level Indicators:
Technical Detection (for organizations monitoring accounts):
Network-Level IOCs:
The Russian intelligence-linked phishing campaign targeting Signal and WhatsApp represents a significant shift in tradecraft—bypassing end-to-end encryption through social engineering of authentication and device-linking mechanisms. The campaign has already compromised thousands of high-value accounts, enabling persistent surveillance and secondary exploitation. The coordinated warnings from U.S.,
Dutch, and French authorities underscore the scale and severity of the threat. Mitigation relies almost entirely on user vigilance and the adoption of platform-specific security features like registration lock and regular device audits.
As encrypted messaging becomes increasingly central to sensitive communications, such account-hijacking techniques will likely become a staple of state-sponsored intelligence collection, demanding continuous user education and possible platform-level enhancements to make device linking more transparent and harder to abuse.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation