FBI Warns Russian Hackers Are Hijacking Signal and WhatsApp Accounts in Mass Phishing Campaign

By Ash K

The FBI and the Cybersecurity and Infrastructure Security Agency have warned that threat actors linked to Russian intelligence services are carrying out phishing campaigns to seize control of accounts on commercial messaging applications such as Signal and WhatsApp. The operation is aimed at people considered to have high intelligence value, including current and former U.S. government officials, military personnel, political figures, journalists, and others whose private communications could offer strategic insight.

Officials say the campaign has already led to the compromise of thousands of messaging accounts worldwide. The attackers are not breaking Signal’s or WhatsApp’s encryption. Instead, they are bypassing that protection by tricking users into handing over account access through phishing, impersonation, and linked-device abuse.

How the phishing campaign works

According to the joint advisory, the attackers rely on social engineering rather than malware exploits or platform vulnerabilities. In one common approach, they pose as “Signal Support” or a similar fake help account and pressure the target to click a phishing link, scan a QR code, or share a verification code or PIN. The goal is simple: get the victim to authorize access on the attacker’s behalf.

That distinction matters. End-to-end encryption still protects messages in transit, but it does not help if an attacker successfully logs in as the victim or links a rogue device to the account. Once that happens, the threat actor may be able to read messages, access contact lists, send messages while impersonating the target, and launch follow-on phishing attacks using a trusted identity.

The advisory outlines two main outcomes. If a victim shares a verification code or PIN directly, the attacker can recover the account and begin monitoring future activity, even if historical messages are not immediately available. If the victim instead clicks a phishing link or scans a malicious QR code that links a new device, the attacker may gain access to message history as well, while the victim can remain unaware that a second device has been attached to the account.

Who is being targeted

U.S. officials say the campaign is focused on individuals whose communications could hold intelligence, political, diplomatic, or military value. That includes government personnel, former officials, members of the armed forces, journalists, policy figures, and others with access to sensitive networks of contacts. Reuters reported that the operation has affected thousands of accounts globally, underscoring that this is not a narrow one-off intrusion campaign but a broad and sustained collection effort.

While the joint warning did not publicly assign the activity to one named group, it fits a pattern already described by researchers tracking Russia-aligned clusters. Prior reporting and threat intelligence have linked similar phishing campaigns against messaging platforms to actors such as Star Blizzard and other Russia-linked operators that specialize in credential theft, impersonation, and high-trust social engineering.

Why Signal and WhatsApp users are attractive targets

Encrypted messaging apps have become essential communication channels for public officials, journalists, researchers, and civil society figures who need a higher degree of privacy than ordinary SMS or email can provide. That makes the accounts themselves extremely valuable. Even without breaking encryption protocols, a successful account takeover can reveal live conversations, contact networks, operational habits, and trusted relationships.

These attacks also exploit the way users think about security. Many people assume that because a platform is encrypted, any message appearing inside the app is inherently trustworthy. The attackers are exploiting that assumption by using fake support personas and convincing workflows that feel official enough to lower suspicion at exactly the wrong moment.

French authorities have warned about a similar pattern as well, saying instant messaging accounts belonging to government officials, journalists, and business leaders are increasingly being targeted. That wider context suggests the campaign is part of a broader international push to compromise secure communications through account hijacking rather than pure technical intrusion.

Signal’s response and what users should watch for

Signal has publicly emphasized that these attacks rely on social engineering and that the service itself has not been breached. The company said a Signal SMS verification code is needed only when someone is first registering the app, and it warned that Signal Support will never initiate contact through in-app messages, SMS, or social media to ask for a verification code or PIN. Any such request should be treated as a scam.

That guidance is central because the phishing is designed to look routine. A message that claims to be from support, a prompt to “secure” an account, or a QR code presented as part of a verification process can all feel plausible under pressure. In reality, they are the mechanism by which the attacker gets the victim to open the door.
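The lures described above (a support persona, a request for a verification code or PIN, a link or QR prompt) can be turned into a simple triage rule for inbound messages. The sketch below is an added example, not code from the advisory, Signal, or WhatsApp; the patterns, verdict names, and sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed patterns modelled on the lures described above; tune before real use.
SUPPORT_CLAIM = re.compile(r"\b(signal|whatsapp)\s+(support|security|help)\b", re.I)
SECRET_REQUEST = re.compile(
    r"\b(send|share|provide|enter|reply with|tell)\b.{0,60}?"
    r"\b(verification code|sms code|registration code|pin)\b", re.I | re.S)
LINK = re.compile(r"\b[a-z][a-z0-9+.-]*://\S+", re.I)  # any URI scheme, incl. app deep links
QR_PROMPT = re.compile(r"\bscan\b.{0,40}?\bqr\b", re.I | re.S)
URGENCY = re.compile(r"\b(immediately|urgent|locked|suspended|suspicious activity)\b", re.I)

@dataclass
class Message:
    sender_in_contacts: bool
    text: str

def triage(msg: Message):
    """Return (verdict, reasons); verdict is 'scam', 'review' or 'ok'."""
    checks = [("claims-support", SUPPORT_CLAIM), ("asks-for-code-or-pin", SECRET_REQUEST),
              ("contains-link", LINK), ("asks-to-scan-qr", QR_PROMPT), ("urgency", URGENCY)]
    reasons = [name for name, rx in checks if rx.search(msg.text)]
    lure = "contains-link" in reasons or "asks-to-scan-qr" in reasons
    if "asks-for-code-or-pin" in reasons:
        # Scam regardless of sender: a hijacked contact can relay the same request.
        verdict = "scam"
    elif "claims-support" in reasons and lure:
        verdict = "scam"
    elif lure and "urgency" in reasons and not msg.sender_in_contacts:
        verdict = "review"
    else:
        verdict = "ok"
    return verdict, reasons

# Constructed sample messages (not taken from the advisory).
SAMPLES = [
    Message(False, "Signal Support: suspicious activity detected. "
                   "Reply with the verification code we just sent to keep your account."),
    Message(False, "WhatsApp security team: your account will be locked. "
                   "Scan the QR code at https://example.invalid/verify to confirm your device."),
    Message(False, "Your account shows suspicious activity, "
                   "open https://example.invalid/secure immediately"),
    Message(True, "Lunch at noon? Menu: https://example.invalid/menu"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

A rule like this only narrows what a person has to look at; it does not replace checking the linked-devices list inside the app.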

What defenders and high-risk users should do now

The FBI and CISA advise users never to share SMS verification codes or messaging-app PINs with anyone, to be cautious with unexpected support messages, to inspect links carefully before clicking them, and to review linked devices regularly inside app settings. If a linked device appears unfamiliar, it should be removed immediately. High-risk users should also consider tightening device hygiene, refreshing account protections, and verifying suspicious requests through a separate trusted channel.

The broader lesson is uncomfortable but important. In modern espionage-focused phishing, the weak point is often not the encrypted platform itself. It is the human layer around it. Russian-linked actors appear to understand that well, and the latest warnings suggest they are scaling that insight into a sustained campaign against some of the world’s most sensitive communications targets.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.