The FBI has uncovered cyberattacks by Russian intelligence agencies targeting users of Signal and other messaging apps
22 March 15:11
The U.S. Federal Bureau of Investigation (FBI) has uncovered cyberattacks linked to Russian intelligence agencies that targeted users of commercial messaging apps, including Signal.
The campaign targeted individuals of significant intelligence value, including current and former U.S. government officials, military personnel, politicians, and journalists, reports [Komersant].
“Globally, these efforts resulted in unauthorized access to thousands of individual accounts. Once inside, attackers can view messages and contact lists, send messages on the victim’s behalf, and launch additional phishing attacks from compromised accounts,” FBI Director Kash Patel said in a post shared on social media.
How it worked
This is a classic scheme that requires no technical vulnerabilities. The attacker messages the victim, posing as Signal’s security team or another trusted organization, and asks the victim to verify their account—by sharing an SMS code or a QR code to connect an additional device. The victim grants access to their account themselves.
That is why Signal emphasizes: their infrastructure and encryption system are secure. The problem isn’t with the product—the problem is with people.
Not the first warning
Earlier this month, Dutch intelligence agencies reported a similar global campaign—the same actors, the same methods, but a broader geographic scope: Signal and WhatsApp, government officials, and intelligence targets around the world.
In response to the report from the Netherlands, Signal explained that the attacks were carried out through sophisticated phishing campaigns that misled users and forced them to share confidential information. At the same time, the company emphasized that its infrastructure and encryption system remain secure.
What to do
Never share verification codes with anyone—not even those claiming to be customer support. Signal never asks for a verification code in private messages. Enable the registration PIN in Signal’s settings—this prevents your account from being re-registered on another device without your knowledge.
