Russian Intelligence Suspected in WhatsApp and Signal Phishing Campaign Targeting Mass Users

  • Mar 22

Key Findings


  • Russian Intelligence Services-linked actors are conducting phishing campaigns targeting Signal and WhatsApp accounts of high-value targets including U.S. government officials, military personnel, politicians, and journalists

  • Thousands of accounts have already been compromised worldwide through these operations

  • Attackers bypass encryption by hijacking accounts rather than breaking encryption itself, using phishing to trick users into sharing verification codes or clicking malicious links

  • Once access is gained, threat actors can read messages, access contacts, impersonate victims, and launch further phishing campaigns using trusted identities

  • Signal is the primary target but similar tactics are deployed across multiple messaging platforms

  • The attacks do not exploit app vulnerabilities but abuse legitimate features like linked devices


Background


Russian cyber actors have been running coordinated phishing campaigns targeting encrypted messaging applications, with the FBI formally attributing this activity to Russian Intelligence Services in March 2026. This represents the first public attribution directly linking these account-hijacking operations to Russian intelligence rather than generic state-sponsored actors. Dutch intelligence agencies initially warned about the campaign, followed by France's Cyber Crisis Coordination Center publishing alerts about the same tactics. The operation is widespread and ongoing across multiple countries, representing a significant threat to sensitive communications infrastructure.


Targeting and Scope


The campaigns specifically target individuals of high intelligence value whose compromised accounts could yield valuable information or provide access to sensitive networks. Current and former U.S. government officials, military personnel, political figures, and journalists are primary targets. The attackers have already succeeded in compromising thousands of accounts globally. Dutch intelligence emphasized that the targeting focuses on government officials, civil servants, and military personnel, highlighting the national security implications of this activity.


Attack Methodology


Threat actors impersonate messaging app support accounts in phishing messages crafted to appear legitimate and urgent. They request that targets perform actions that secretly grant attackers access to their accounts. The primary tactics include tricking users into sharing verification codes, scanning malicious QR codes, or clicking links that enable attackers to link their own devices to victim accounts. When users comply, attackers can either add their device as a linked device or perform a full account takeover. As the campaign evolves, actors may deploy malware to further compromise victims beyond initial account access.


Access and Exploitation


Once inside compromised accounts, attackers gain extensive capabilities that make detection difficult. They can silently monitor all communications, access complete contact lists, join group chats without notification, and send messages while impersonating the victim. This access enables them to launch additional phishing campaigns against contacts using the trusted identity of the compromised user. The attackers can also gather intelligence from sensitive government and military communications that flow through these platforms. Dutch intelligence highlighted that Signal was specifically targeted because of its strong end-to-end encryption, as compromising accounts grants access to communications that would otherwise be protected.


Technical Assessment


The attacks do not exploit vulnerabilities in Signal, WhatsApp, or other messaging platforms. End-to-end encryption remains intact and unbroken. Instead, threat actors abuse legitimate platform features, specifically the linked devices functionality that allows users to access their accounts across multiple devices. By manipulating users into authorizing these device links or sharing the codes required to establish them, attackers leverage the platforms' own security architecture against their users. This approach is significantly more effective than attempting to break encryption because it sidesteps technical protections entirely.
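Because the lure ends in a device-link request rather than an exploit, inbound message text and decoded QR payloads can be screened for linking URIs before a user acts on them. The following is an added example, not code from the original article or from Signal: it assumes that Signal device-link QR codes decode to `sgnl://linkdevice?...` (or the older `tsdevice:/?...`) URIs, and the function name and sample strings are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: URI forms that Signal device-link QR codes decode to.
# Extend the pattern for other messaging apps as needed.
DEVICE_LINK_RE = re.compile(
    r"(?:sgnl://linkdevice|tsdevice:/{1,3})\?[^\s\"'<>]+", re.IGNORECASE
)

def find_device_link_uris(text, max_layers=3):
    """Return device-link URIs in text, including ones hidden by URL-encoding.

    Each layer of percent-encoding is peeled off (up to max_layers) so a
    linking URI wrapped inside a redirect parameter is still reported.
    """
    findings, seen = [], set()
    layer = text
    for depth in range(max_layers):
        for match in DEVICE_LINK_RE.finditer(layer):
            uri = match.group(0)
            params = parse_qs(urlsplit(uri).query)
            # De-duplicate the same link seen again at a deeper decode layer.
            key = params.get("uuid", [uri])[0].lower()
            if key in seen:
                continue
            seen.add(key)
            findings.append({
                "uri": uri,
                "encoding_layers": depth,
                "has_link_params": "uuid" in params and "pub_key" in params,
            })
        decoded = unquote(layer)
        if decoded == layer:  # nothing left to decode
            break
        layer = decoded
    return findings

# Constructed sample inputs (not taken from any real campaign).
GROUP_INVITE = "Join our group: https://signal.group/#CONSTRUCTED"
DIRECT_LINK = "Scan to verify: sgnl://linkdevice?uuid=CONSTRUCTED-UUID&pub_key=CONSTRUCTEDKEY"
WRAPPED_LINK = ("https://support.example.invalid/verify?next="
                "sgnl%3A%2F%2Flinkdevice%3Fuuid%3DCONSTRUCTED-UUID%26pub_key%3DCONSTRUCTEDKEY")

if __name__ == "__main__":
    for sample in (GROUP_INVITE, DIRECT_LINK, WRAPPED_LINK):
        print(sample[:40], "->", find_device_link_uris(sample))
```

A non-zero `encoding_layers` value means the linking URI was concealed inside another URL, which is a stronger signal than a bare link a user might legitimately send to themselves.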


Risk Mitigation


Users can substantially reduce compromise risk by maintaining heightened awareness of social engineering tactics. Never share personal identification numbers, two-factor authentication codes, or verification codes with anyone, regardless of who requests them or how urgent the request appears. Treat unexpected messages with suspicion even when they appear to come from known contacts or official support accounts. Pause before clicking any links, especially those requesting account verification or security updates. Verify group membership before engaging in sensitive discussions. Use built-in security features within messaging apps. Legitimate app support will never request codes or ask users to click verification links through unsolicited messages. Always use official channels to contact support if questions arise.


Broader Implications


Government experts stress that messaging applications like Signal and WhatsApp should not be used for classified or confidential information due to the account-hijacking threat. While the platforms themselves remain secure in terms of encryption, user account compromise eliminates that protection entirely. The Dutch and French governments specifically warned their officials about the campaign, indicating this is treated as an active national security concern. The targeting of sensitive communications infrastructure reflects Russia's broader cyber espionage objectives and demonstrates how human-focused attacks remain among the most effective tools for intelligence collection.


Sources


  • https://securityaffairs.com/189808/intelligence/russia-linked-actors-target-whatsapp-and-signal-in-phishing-campaign.html

  • https://www.bleepingcomputer.com/news/security/fbi-links-signal-phishing-attacks-to-russian-intelligence-services/

  • https://thehackernews.com/2026/03/fbi-warns-russian-hackers-target-signal.html

  • https://www.reddit.com/r/pwnhub/comments/1rztsnw/fbi_alerts_on_russian_hackers_targeting_whatsapp/


© 2025 by Explain IT Again. Powered and secured by Wix
