Key Takeaways

- Russian government hackers targeted over 13,500 Signal users with account-hijacking phishing messages
- The attack impersonates Signal support and tricks users into linking accounts to attacker devices
- CISA, UK cybersecurity agencies, and Dutch intelligence have all attributed similar campaigns to Russian state actors
The Spyware Hunter Becomes the Target
Donncha Ó Cearbhaill has spent years investigating spyware attacks for Amnesty International's Security Lab. Earlier this year, he found himself on the other side.
A message arrived on his Signal account claiming to be from "Signal Security Support ChatBot." It warned of suspicious activity and a potential data leak. The message asked him to enter a verification code. Then came the red flag: "DON'T TELL ANYONE THE CODE, NOT EVEN SIGNAL EMPLOYEES."
Ó Cearbhaill immediately recognized the attempt for what it was. But instead of deleting it, he saw an opportunity.
“Having the attack land in my inbox, and the chance to turn the tables on the attackers and understand more about the campaign was too good to pass up.”
— Donncha Ó Cearbhaill, Amnesty International Security Lab
He told TechCrunch he had "never knowingly" been targeted with a one-click cyberattack or phishing attempt before.
A Campaign Spanning 13,500 Targets
Ó Cearbhaill's investigation revealed that the attack on him was part of something much larger. He traced the campaign to over 13,500 targets.
The hackers' playbook was straightforward: impersonate Signal, warn of fake security threats, then trick users into giving access to their accounts. The goal was to link victims' accounts to devices controlled by the attackers.
These techniques match a wider campaign that multiple government agencies have warned about. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the UK's cybersecurity agency, and Dutch intelligence have all attributed similar attacks to Russian government spies. Signal itself has issued warnings about phishing attacks targeting its users.
The Snowball Effect
Ó Cearbhaill declined to reveal his exact investigation methods. He didn't want to tip off the hackers. But he shared what he learned about the target list.
Among the targets: journalists he had worked with and at least one colleague. This pattern suggested what he called a "snowball hypothesis." The hackers compromise one target, then use that access to identify new potential victims in their contacts.
Ó Cearbhaill believes he became a target because he appeared in the contact lists or conversations of people the hackers had already compromised.
German news magazine Der Spiegel reported that Russian hackers successfully compromised several people inside Germany, including high-profile politicians.
How the Attack Works
Signal's device-linking feature lets users access their account on multiple devices. It's convenient. It's also an attack vector.
The phishing campaign exploits this by posing as Signal support. Victims receive urgent warnings about account security. They're asked to "verify" by entering a code. That code is actually a device-linking authorization. Enter it, and the attacker gains persistent access to your Signal messages.
- The message claims to be from Signal Security Support
- It warns of "suspicious activity" or "data leaks"
- It requests a verification code
- The code actually links the victim's account to an attacker-controlled device
How to Protect Yourself
Signal will never message you through the app asking for verification codes. If you receive such a message, it's a scam.
- Check your linked devices regularly in Signal Settings > Linked Devices
- Remove any devices you don't recognize
- Never share verification codes with anyone, even if they claim to be Signal support
- Enable registration lock in Signal to add a PIN requirement
If you suspect your account has been compromised, unlink all devices and consider re-registering your Signal account.
Logicity's Take
This campaign shows how state-sponsored hackers adapt to encryption. They can't break Signal's cryptography, so they target the human layer. The "snowball" method is clever: each compromised account leads to new targets through contact lists. For anyone handling sensitive communications, regular linked-device audits should be routine.
Frequently Asked Questions
Can Russian hackers read my Signal messages?
Only if you fall for phishing attacks that link your account to their devices. Signal's encryption remains secure. The attack targets human behavior, not the cryptography.
How do I check if my Signal account has been compromised?
Go to Signal Settings > Linked Devices. If you see any devices you don't recognize, remove them immediately.
Will Signal warn me about security threats through the app?
No. Signal does not send security alerts or verification requests through in-app messages. Any such message is a phishing attempt.
Why are Russian hackers targeting Signal users?
Signal is popular among journalists, activists, and officials who communicate sensitive information. Compromising these accounts can yield valuable intelligence.
Another recent campaign showing how attackers exploit trusted communication platforms
Need Help Implementing This?
If your organization needs to secure communications against state-sponsored threats, or you want help auditing your team's messaging security practices, reach out to the Logicity team. We can connect you with experts who specialize in operational security for high-risk environments.
Source: TechCrunch / Lorenzo Franceschi-Bicchierai
Manaal Khan
Tech & Innovation Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
Related Articles
Browse all
AI Revolution: How Tech is Transforming the World, One Industry at a Time
From desalination plants in Iran to AI-powered manufacturing, the tech world is abuzz with innovation. Discover how AI is changing the game for small entrepreneurs and what it means for the future of industry. Explore the latest developments in cybersecurity, robotics, and more.

Revolutionizing AI: The Game-Changing Tech That's Making Agents Smarter
A new technology is set to revolutionize the way AI agents learn and adapt, enabling them to accumulate wisdom and apply it to new situations. This innovation has the potential to significantly boost the reliability of AI agents, especially in complex tasks. By converting raw agent trajectories into reusable guidelines, this tech is poised to transform the AI landscape.

The Dark Side of AI: How Bots Are Fueling a Monetized Abuse Ecosystem
A recent analysis of 2.8 million Telegram messages reveals a shocking truth: AI-powered bots are being used to create and sell non-consensual intimate images. These bots can turn ordinary photos into synthetic nude images, and the abuse is being monetized through affiliate programs and subscription-based archives. The researchers behind the study are calling for stricter regulations to combat this growing problem.

AI's Secret Sauce: How Journalism Became the Unlikely Ingredient
A recent study reveals that AI chatbots rely heavily on journalistic sources for their quotes, with one in four coming from news outlets. This shocking discovery has significant implications for the media industry and our understanding of AI's information gathering processes. As AI technology continues to evolve, it's essential to consider the role of journalism in shaping its responses.



