Russian Government Hackers Are Hijacking Signal Accounts of U.S. Officials, Military, and Journalists — Via Simple Phishing Tricks
Russia's intelligence-linked hackers have breached thousands of Signal and WhatsApp accounts belonging to U.S. government officials, military personnel, politicians, and journalists using a shockingly low-tech phishing playbook. The FBI, CISA, Google, and allied intelligence agencies across Europe have all confirmed it. The real story isn't that Signal was hacked — it wasn't. The real story is that the Russians don't need to break the encryption. They just need you to hand them the keys.
Russia Doesn't Need to Crack Signal. You'll Do That For Them.

Signal's encryption is not broken. What Russian government-aligned hackers figured out is far simpler — and more embarrassing. They're using fake customer support messages and malicious QR codes to trick users into linking their Signal accounts to devices controlled by the hackers. Once that's done, every future message is delivered to the attacker in real time. No zero-days. No sophisticated intrusion tools. Just social engineering. And it's working.

How the Attack Actually Works

According to Google's Threat Intelligence Group, which published its findings on February 19, 2025, multiple Russia state-aligned threat actors have been systematically exploiting Signal's legitimate "linked devices" feature — the same one you use to run Signal on your laptop and phone simultaneously.

The attack is straightforward. Hackers send a message impersonating Signal support, warn of fake suspicious activity on the target's account, then instruct the target to scan a QR code or share a verification code to "fix" the problem. That QR code, when scanned, silently links the victim's account to a hacker-controlled device. The result: Russia reads your messages live. Without touching Signal's servers.

Donncha Ó Cearbhaill, who heads Amnesty International's Security Lab, got hit with exactly this tactic. He told TechCrunch the message read: "Dear User, this is Signal Security Support ChatBot. We have noticed suspicious activity on your device." It told him not to share the code with "ANYONE, NOT EVEN SIGNAL EMPLOYEES." Classic social engineering pressure. Ó Cearbhaill recognized it immediately. Most people won't. He flipped the script, investigated the campaign, and determined he was one of more than 13,500 targets.

Who's Getting Hit

The FBI and CISA issued a joint warning confirming the scope, according to Euronews. Targets include U.S. government officials, military personnel, politicians, and journalists.
The Dutch General Intelligence and Security Services (MIVD and AIVD) said Russia is specifically hunting Signal because of its reputation as a secure channel — it's what officials actually use when they want private communications. German news magazine Der Spiegel reported that Russian hackers successfully compromised several high-profile politicians inside Germany. France's Cyber Crisis Coordination Center (C4) issued its own alert. Portugal and the Netherlands warned earlier. This isn't a single incident — it's a coordinated, multi-country espionage campaign.

And it's not just Signal. Google's Threat Intelligence Group confirmed WhatsApp and Telegram are being hit with similar techniques.

What Mainstream Coverage Is Getting Wrong

Most headlines — left and right — frame this as a "Signal vulnerability." That's lazy and inaccurate. Signal's infrastructure was NOT compromised. Signal said so explicitly on X: its servers were not breached, and Signal support will "never initiate contact via in-app messages, SMS or social media" to ask for a verification code. The vulnerability here is human behavior, not software.

Fox News's coverage focused heavily on the FBI warning and the threat to Americans — accurate, but thin on technical depth. TechCrunch gave the most substantive account of how the attack actually functions, thanks to Ó Cearbhaill's investigation. Google's own threat intelligence report is the most technically comprehensive document available on this, though most mainstream outlets gave it minimal attention.

Russia is doing this because it works. Thirteen thousand five hundred targets is not a fishing expedition — that's a systematic intelligence operation.

The Linked Devices Loophole

Once a hacker successfully links their device to a victim's Signal account, they receive a persistent, real-time feed of all messages — without ever needing to touch the victim's phone again. No malware installed. No ongoing access to the device.
Just a silent observer on every conversation, indefinitely, until the victim notices the unknown linked device and removes it. Most people never check their linked devices list.

Google's Threat Intelligence Group explicitly warned in February 2025 that these tactics will "grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war." They were right. It's now happening across Europe and the United States.

What You Should Actually Do

Signal has already updated its Android and iOS apps with hardened features specifically designed to counter these phishing campaigns. Update your app. Now.

Beyond that:

- Check your linked devices list in Signal settings. Remove anything you don't recognize.
- Never share your Signal PIN or SMS verification code with anyone. Ever.
- Treat any unsolicited message claiming to be from Signal support as an attack. It is.
- Enable your Signal registration lock (a PIN that prevents
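
A defender-side check for the QR-code lure described under "How the Attack Actually Works", added here as an example that is not from the article, Google, or Signal: it classifies the text decoded from a QR code or link and compares it with what the sender claims the code is for. The `sgnl://linkdevice` URI form and the `signal.group` invite host are assumptions not stated in the article, the function names are hypothetical, and the sample payloads are constructed.

```python
from urllib.parse import urlsplit, unquote

# Assumptions, not stated in the article: Signal device-linking QR codes encode
# a URI of the form sgnl://linkdevice?..., and group invites use signal.group.
LINK_MARKER = "sgnl://linkdevice"


def classify_payload(payload: str) -> str:
    """Classify text decoded from a QR code or link before anyone acts on it."""
    text = payload.strip()
    parts = urlsplit(text)
    host = (parts.hostname or "").lower()
    if parts.scheme == "sgnl" and host == "linkdevice":
        return "device_link"
    # A lure page can carry the linking URI percent-encoded inside another URL,
    # so peel up to three layers of encoding and look for the marker.
    decoded = text
    for _ in range(4):
        if LINK_MARKER in decoded.lower():
            return "wrapped_device_link"
        decoded = unquote(decoded)
    if parts.scheme == "https" and host == "signal.group":
        return "group_invite"
    return "other"


def triage(claimed_purpose: str, payload: str) -> str:
    """Compare what the sender says the code is for with what it really does."""
    kind = classify_payload(payload)
    if kind == "wrapped_device_link":
        return "block"  # linking request hidden behind another URL
    if kind == "device_link":
        # Only expected when the user is linking their own device themselves.
        return "ok_linking" if claimed_purpose == "own_device" else "block"
    return "not_a_link_request"


# Constructed samples (placeholder values, not real identifiers).
SAMPLES = [
    ("support_fix", "sgnl://linkdevice?uuid=EXAMPLE-UUID&pub_key=EXAMPLE-KEY"),
    ("group_invite", "https://example.invalid/j?next=sgnl%3A%2F%2Flinkdevice%3Fuuid%3DEXAMPLE"),
    ("group_invite", "https://signal.group/#EXAMPLE"),
    ("own_device", "sgnl://linkdevice?uuid=EXAMPLE-UUID&pub_key=EXAMPLE-KEY"),
]

if __name__ == "__main__":
    for purpose, payload in SAMPLES:
        print(f"{purpose:13} {triage(purpose, payload):18} {payload}")
```

A "block" verdict means the code would add a linked device even though the message presented it as a support fix or a group invite, which is the mismatch the campaign relies on.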