Russian Hackers Targeted 13,500 Signal Users in Phishing Campaign

Key Takeaways

• Russian government hackers targeted over 13,500 Signal users with account-hijacking phishing messages
• The attack impersonates Signal support and tricks users into linking accounts to attacker devices
• CISA, UK cybersecurity agencies, and Dutch intelligence have all attributed similar campaigns to Russian state actors

The Spyware Hunter Becomes the Target

Donncha Ó Cearbhaill has spent years investigating spyware attacks for Amnesty International's Security Lab. Earlier this year, he found himself on the other side.

A message arrived on his Signal account claiming to be from "Signal Security Support ChatBot." It warned of suspicious activity and a potential data leak. The message asked him to enter a verification code. Then came the red flag: "DON'T TELL ANYONE THE CODE, NOT EVEN SIGNAL EMPLOYEES."

Ó Cearbhaill immediately recognized the attempt for what it was. But instead of deleting it, he saw an opportunity.

“Having the attack land in my inbox, and the chance to turn the tables on the attackers and understand more about the campaign was too good to pass up.”

— Donncha Ó Cearbhaill, Amnesty International Security Lab

He told TechCrunch he had "never knowingly" been targeted with a one-click cyberattack or phishing attempt before.

A Campaign Spanning 13,500 Targets

Ó Cearbhaill's investigation revealed that the attack on him was part of something much larger. He traced the campaign to over 13,500 targets.

The hackers' playbook was straightforward: impersonate Signal, warn of fake security threats, then trick users into giving access to their accounts. The goal was to link victims' accounts to devices controlled by the attackers.

These techniques match a wider campaign that multiple government agencies have warned about. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the UK's cybersecurity agency, and Dutch intelligence have all attributed similar attacks to Russian government spies. Signal itself has issued warnings about phishing attacks targeting its users.

The Snowball Effect

Ó Cearbhaill declined to reveal his exact investigation methods. He didn't want to tip off the hackers. But he shared what he learned about the target list.

Among the targets: journalists he had worked with and at least one colleague. This pattern suggested what he called a "snowball hypothesis." The hackers compromise one target, then use that access to identify new potential victims in their contacts.

Ó Cearbhaill believes he became a target because he appeared in the contact lists or conversations of people the hackers had already compromised.

German news magazine Der Spiegel reported that Russian hackers successfully compromised several people inside Germany, including high-profile politicians.

How the Attack Works

Signal's device-linking feature lets users access their account on multiple devices. It's convenient. It's also an attack vector.

The phishing campaign exploits this by posing as Signal support. Victims receive urgent warnings about account security. They're asked to "verify" by entering a code. That code is actually a device-linking authorization. Enter it, and the attacker gains persistent access to your Signal messages.

• The message claims to be from Signal Security Support
• It warns of "suspicious activity" or "data leaks"
• It requests a verification code
• The code actually links the victim's account to an attacker-controlled device

How to Protect Yourself

Signal will never message you through the app asking for verification codes. If you receive such a message, it's a scam.

1. Check your linked devices regularly in Signal Settings > Linked Devices
2. Remove any devices you don't recognize
3. Never share verification codes with anyone, even if they claim to be Signal support
4. Enable registration lock in Signal to add a PIN requirement

If you suspect your account has been compromised, unlink all devices and consider re-registering your Signal account.

Frequently Asked Questions

Can Russian hackers read my Signal messages?

Only if you fall for phishing attacks that link your account to their devices. Signal's encryption remains secure. The attack targets human behavior, not the cryptography.

How do I check if my Signal account has been compromised?

Go to Signal Settings > Linked Devices. If you see any devices you don't recognize, remove them immediately.

Will Signal warn me about security threats through the app?

No. Signal does not send security alerts or verification requests through in-app messages. Any such message is a phishing attempt.

Why are Russian hackers targeting Signal users?

Signal is popular among journalists, activists, and officials who communicate sensitive information. Compromising these accounts can yield valuable intelligence.

Source: TechCrunch / Lorenzo Franceschi-Bicchierai