
FBI Warns of Russian Signal Phishing Attack Campaign


A major Signal phishing attack campaign is actively targeting journalists, politicians, military personnel, and current and former U.S. government officials. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint public service announcement last Friday, formally linking the operation to Russian intelligence services. Thousands of accounts have already been compromised globally, and the attacks are still ongoing.

This is the first time the FBI has publicly attributed these campaigns to Russian intelligence specifically, rather than referring broadly to state-linked hackers. The warning is significant — and so is the method behind the attacks.

Signal’s Encryption Is Not Broken

The first thing to understand is that Signal itself has not been compromised. No vulnerabilities in the app have been exploited, and the platform’s end-to-end encryption remains intact. Attackers are not cracking the code. They are bypassing it entirely by targeting the user instead.

As the joint FBI and CISA advisory put it, phishing remains one of the most effective forms of cyberattack precisely because it renders other protections irrelevant — including encryption. When an attacker tricks you into handing over access to your account, strong cryptography provides no protection at all.

Signal reinforced this in a public statement, noting that it will never initiate contact via in-app messages or ask for verification codes. Any message claiming to be from “Signal Support” asking you to verify your account is a scam.

Two Methods, One Goal

Investigators have identified two distinct techniques used in this Signal phishing attack campaign.

Linked Device Hijack

The first method exploits Signal’s legitimate “linked devices” feature, which normally allows users to access their account across multiple devices. Attackers impersonate a trusted contact or support service and send a malicious link or QR code. If the victim interacts with it, the attacker’s device gets silently linked to the victim’s account.

The victim stays logged in. Nothing appears wrong. But the attacker now has full, ongoing access to all incoming and outgoing messages in real time.

Full Account Takeover

The second method goes further. Victims receive messages designed to look like official security alerts, warning of suspicious activity or an unrecognized login attempt. These messages create urgency and prompt the victim to share a verification code or PIN.

Once that information is handed over, the attacker uses it to recover the account on their own device. The victim loses access. Past messages remain inaccessible to the attacker in this scenario, but all future communications can be monitored. The attacker can also send messages as the victim to anyone in their contact list.
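Both methods leave recognizable traces in the lure itself, which a mail or chat gateway can screen for. The sketch below is an added example, not code from the FBI/CISA advisory or from Signal: it flags a device-linking deep link (including one URL-encoded inside a redirect parameter) and messages that claim to be Signal Support or ask for a verification code or PIN. The `sgnl://linkdevice` link shape, the function names and the sample messages are assumptions made for this illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption (not stated on this page): Signal device-linking QR codes encode
# a deep link shaped like sgnl://linkdevice?uuid=...&pub_key=...
LINK_SCHEME, LINK_HOST = "sgnl", "linkdevice"
URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s<>\"']+", re.I)
CODE_ASK_RE = re.compile(r"\b(verification code|pin)\b", re.I)
SUPPORT_RE = re.compile(r"\bsignal\s+support\b", re.I)


def is_link_request(url, depth=3):
    """True if url is a device-linking deep link, directly or nested
    (URL-encoded) inside a query parameter of a redirect-style URL."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme.lower() == LINK_SCHEME and parts.netloc.lower() == LINK_HOST:
        return True
    if depth == 0:
        return False
    return any(is_link_request(unquote(value), depth - 1)
               for _, value in parse_qsl(parts.query))


def triage(message):
    """Return the reasons a received message should be verified out of band."""
    reasons = []
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(message)]
    if any(is_link_request(u) for u in urls):
        reasons.append("device-link request")
    if CODE_ASK_RE.search(message):
        reasons.append("asks for code or PIN")
    if SUPPORT_RE.search(message):
        reasons.append("claims to be Signal Support")
    return reasons


# Constructed sample messages (not taken from the advisory).
SAMPLES = [
    "Signal Support: suspicious login detected. Reply with your verification code.",
    "Join our group: https://example.test/r?u=sgnl%3A%2F%2Flinkdevice%3Fuuid%3DAAAA%26pub_key%3DBBBB",
    "Lunch at noon? Menu: https://example.test/menu",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(triage(text) or ["no indicator"], "<-", text[:50])
```

The text decoded from a QR code can be passed straight to `is_link_request`. A hit means the code would link a new device if scanned from inside Signal, so it should only ever come from a device the user is setting up themselves.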

Why These Attacks Are Particularly Dangerous

What makes this Signal phishing attack campaign especially effective is what happens after an account is compromised. Attackers can silently monitor private conversations, join group chats, and send messages while impersonating the victim. Because those messages appear to come from a trusted identity, the people on the receiving end have no reason to be suspicious.

This creates a chain reaction. Each compromised account becomes a tool to phish the next target. Contacts who would ordinarily dismiss a message from an unknown sender may act on one that appears to come from a colleague or friend.

The campaign focuses on individuals with high intelligence value, and has already resulted in unauthorized access to thousands of accounts worldwide. That scale, combined with the ability to impersonate victims within their own trusted networks, makes this one of the more sophisticated social engineering operations to come to public attention in recent months.

A Coordinated International Warning

The FBI and CISA did not act alone. Dutch intelligence agencies issued a similar warning earlier in March, highlighting the same account-hijacking tactics targeting Signal and WhatsApp users. France’s Cyber Crisis Coordination Center published its own alert around the same time, describing the activity as widespread and ongoing across multiple countries.

All three advisories point to the same core method: bypassing encryption not by breaking it, but by owning the account. Prior reporting from Microsoft and Google’s Threat Intelligence Group has linked these types of campaigns to Russia-aligned threat clusters, including groups tracked as Star Blizzard, UNC5792, and UNC4221.

How to Protect Your Signal Account

The FBI and CISA outline several concrete steps users can take to reduce their exposure.

  1. Never share your verification code or PIN. Legitimate support services will not ask for them, and no one should ever request them through a direct message.
  2. Audit your linked devices. Open Signal’s settings and check which devices are connected to your account. Remove anything you do not recognize.
  3. Treat unexpected security alerts with skepticism. Messages claiming suspicious activity on your account, especially those prompting urgent action, are a classic phishing signal. Verify through a separate channel before doing anything.
  4. Check links before clicking. Do not scan unsolicited QR codes or click unverified links sent by unknown contacts, even if the message appears to come from someone you know.
  5. Enable disappearing messages. This limits the data available to an attacker if your account is ever compromised.
  6. If you believe your account has been targeted, report it to the FBI’s Internet Crime Complaint Center at ic3.gov.

Final Thoughts

This Signal phishing attack campaign is a clear reminder that the weakest point in any secure system is usually the person using it. Signal’s encryption is sound. The app itself has not been breached. What Russian intelligence-linked actors are exploiting is human behavior — urgency, trust, and the instinct to comply with what looks like an official request.

The tactics used here are not technically complex. They work because they are convincing. A fake support message or a spoofed QR code does not require sophisticated malware. It just needs one moment of inattention from the right person.

Staying secure on Signal, or any encrypted platform, means treating unexpected messages with skepticism, protecting your verification codes like passwords, and regularly reviewing which devices have access to your account. The encryption holds. The question is whether you do too.

Janet Andersen
