LmCast :: Stay tuned in

FBI links Signal phishing attacks to Russian intelligence services

Recorded: March 20, 2026, 9 p.m.

By Lawrence Abrams

March 20, 2026
04:45 PM

The FBI has issued a public service announcement warning that Russian intelligence-linked threat actors are actively targeting users of encrypted messaging apps such as Signal and WhatsApp in phishing campaigns that have already compromised thousands of accounts.
The FBI's PSA is the first public attribution linking these campaigns directly to Russian intelligence services, rather than describing the actors more broadly as state hackers.
According to the FBI, the campaigns are designed to bypass the protections of end-to-end encryption in commercial messaging apps (CMAs), not by breaking encryption, but through account hijacks.
The FBI says the techniques used in these attacks can be applied to multiple CMAs but predominantly target Signal users.
Depending on the access they obtain, attackers can read private messages and contact lists, impersonate victims, and launch additional phishing campaigns as trusted people.
The FBI says the attacks have affected "thousands" of accounts worldwide and primarily target those with access to sensitive information.
"The activity targets individuals of high intelligence value, such as current and former U.S. government officials, military personnel, political figures, and journalists," reads the FBI's PSA.
The FBI's attribution comes after earlier advisories from Dutch and French cybersecurity authorities that described similar account-hijacking operations.
Earlier this month, Dutch intelligence agencies warned that state-backed attackers were targeting Signal and WhatsApp users in phishing campaigns aimed at gaining access to secure communications.
The advisory highlighted that the attacks relied on tricking users into allowing attackers to add the account to their devices or link attacker-controlled devices to the account.
Today, France's Cyber Crisis Coordination Center (C4) also published an alert about the same tactics targeting instant messaging platforms, stating the activity is widespread and ongoing across multiple countries.
Signal phishing attacks
All three advisories state that the phishing attacks follow the same tactic of bypassing the platform's encryption by hijacking accounts or linking devices to an existing account.

[Image: Two different phishing methods seen targeting Signal. Source: FBI]
The FBI says that most phishing messages impersonate support accounts, which request that the target perform an action that secretly grants threat actors access to the account.
Victims are typically tricked into sharing verification codes or scanning malicious QR codes that link their accounts (Signal and WhatsApp) to attacker-controlled devices.

[Image: Samples of Signal phishing messages used in the phishing campaign. Source: France's Cyber Crisis Coordination Center (C4)]
Once the threat actors gain access to accounts, they can silently monitor communications, join group chats, and send messages as the compromised user, making detection more difficult and enabling further phishing campaigns.
The PSA emphasizes that encryption in Signal, WhatsApp, and similar platforms is not broken and no vulnerabilities are being exploited.
The FBI says the campaign has already led to unauthorized access to thousands of messaging accounts, which were then used to target additional victims.
Users are advised to remain suspicious of unexpected messages, be wary of requests to scan QR codes or link devices to their accounts, and never share verification codes with anyone, including accounts claiming to be a platform's support personnel.
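
The advice above about QR codes can be backed by a triage check on messages that users report. This is an added example, not code from the FBI advisory or the article: it classifies already-decoded QR payload text and flags payloads that would link a device rather than open a group or contact. The `sgnl://linkdevice` and legacy `tsdevice:` URI forms, the `signal.group` / `signal.me` hosts, and every sample value are assumptions or constructed here.

```python
from urllib.parse import urlsplit

# Assumption (not from the article): Signal device-link QR codes carry a
# sgnl://linkdevice URI (legacy form: tsdevice:), while group invites and
# contact links are https URLs on signal.group / signal.me.
BENIGN_HOSTS = {"signal.group": "group_invite", "signal.me": "contact_link"}


def classify_qr_payload(payload: str) -> str:
    """Classify decoded QR text as device_link, group_invite, contact_link or other."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower()
    except ValueError:
        # Malformed URLs (e.g. a broken IPv6 literal) are not link requests.
        return "other"
    scheme = parts.scheme.lower()
    # Flag on scheme and action alone, even if parameters are missing or odd:
    # a false positive costs a review, a miss costs an account.
    if scheme == "tsdevice" or (scheme == "sgnl" and host == "linkdevice"):
        return "device_link"
    if scheme == "https" and host in BENIGN_HOSTS:
        return BENIGN_HOSTS[host]
    return "other"


def triage(reports):
    """Return ids of reported messages whose QR code would link a new device."""
    flagged = []
    for report in reports:
        kinds = {classify_qr_payload(p) for p in report["qr_payloads"]}
        if "device_link" in kinds:
            flagged.append(report["id"])
    return flagged


# Constructed sample reports; identifiers and key material are placeholders.
SAMPLE_REPORTS = [
    {"id": "r1", "text": "Support: scan to verify your account",
     "qr_payloads": ["sgnl://linkdevice?uuid=EXAMPLE-UUID&pub_key=EXAMPLE-KEY"]},
    {"id": "r2", "text": "Join the team group",
     "qr_payloads": ["https://signal.group/#EXAMPLE"]},
    {"id": "r3", "text": "Conference agenda",
     "qr_payloads": ["https://example.invalid/agenda"]},
]

if __name__ == "__main__":
    print(triage(SAMPLE_REPORTS))
```

A device-link QR code is only expected when the account owner starts linking from their own app settings, so any such payload arriving inside a message is worth escalating.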

The FBI has issued a public service announcement detailing a sophisticated phishing campaign orchestrated by Russian intelligence services targeting users of encrypted messaging applications, primarily Signal and WhatsApp. This campaign, as highlighted by the FBI, Dutch, and French cybersecurity authorities, doesn’t involve breaking the encryption of these platforms – Signal, WhatsApp, and others – but rather exploits vulnerabilities in user behavior and account security protocols. The core tactic involves hijacking accounts by tricking users into granting access to their accounts through methods such as scanning malicious QR codes or sharing verification codes with seemingly legitimate support accounts. These compromised accounts are then utilized for extensive surveillance, impersonation, and the launch of further phishing schemes.

According to the FBI’s assessment, thousands of accounts have been affected globally, primarily targeting individuals of significant value to intelligence agencies, including current and former government officials, military personnel, political figures, and journalists. The adversaries, dubbed “Handala” by some sources, leverage the same techniques across multiple CMA platforms, showcasing a strategic and adaptable approach. The phishing messages most commonly mimic official support channels, requesting actions that secretly grant access to the compromised account. Victims are typically lured into providing verification codes or scanning QR codes – the latter immediately linking their Signal and WhatsApp accounts to attacker-controlled devices.

Once access is gained, attackers can silently monitor communications, participate in group chats, and transmit messages as the compromised user, significantly increasing the difficulty of detection and enabling a cascade of further phishing operations. Critically, the FBI emphasizes that the encryption mechanisms within Signal, WhatsApp, and similar platforms remain intact and were not breached. This campaign’s success hinges on exploiting user trust and susceptible behavior, not technical vulnerabilities within the communications apps themselves. The FBI’s attribution represents a shift from attributing cybercrime to broader “state hackers” to pinpointing specific intelligence-linked groups, notably the Handala actors.

Earlier advisories from Dutch and French cybersecurity bodies corroborate this narrative, detailing similar account-hijacking operations reliant on the same trickery. The coordinated nature of these alerts across multiple European nations underscores the scope and sophistication of the threat. Lawrence Abrams, Editor in Chief of BleepingComputer.com, highlights the importance of heightened vigilance among Signal and WhatsApp users, recommending heightened suspicion of unexpected messages, conscious avoidance of QR code scans, and strict refusal to share verification codes, even with accounts claiming to represent official support channels. The overall picture presented by the FBI and allied cybersecurity agencies indicates a persistent and evolving threat that demands increased user awareness and proactive security measures.