The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (FBI) have issued a warning about a phishing campaign linked to Russian intelligence actors targeting secure messaging platforms such as Signal and WhatsApp.
This campaign isn’t random, it’s going after people who actually matter in terms of information. Think government officials (current and former), military folks, political figures, journalists, basically anyone with access to sensitive stuff. And it’s working.
According to the advisory, thousands of messaging accounts have already been compromised worldwide. Once attackers get in, it’s not just about reading chats, they can see your contacts, pretend to be you, and even scam others using your identity. It turns one hacked account into a chain reaction, and that’s what makes it way more dangerous than it looks at first glance.
This isn’t some high-tech system hack, it’s way more basic (and honestly, more effective). The attackers are just playing smart with people, not breaking the app.
They send messages that look super legit, like they’re from official support, sometimes even pretending to be something like a “Signal Support” account. And the message usually pushes you to do something quickly, click a link, share a verification code, or enter your PIN. If you fall for it, that’s all they need.
They can link their own device to your account and basically slip in without you realizing, or just keep ongoing access. No alarms, no obvious signs, just someone quietly sitting inside your account.
Importantly, these attacks do not exploit flaws in the platforms themselves. Both Signal and WhatsApp remain secure in terms of encryption. Instead, the campaign succeeds by manipulating users into handing over sensitive information, effectively bypassing security protections through deception.
Signal has reiterated that verification codes are only required during initial account setup and that it does not contact users via messages, SMS, or social media to request codes or PINs. Any such request should be treated as a scam.
Security agencies advise users to remain cautious, avoid sharing verification codes or PINs, be wary of unsolicited support messages, and verify requests only through official channels. Even the most secure communication platforms can be undermined by social engineering, highlighting that human trust remains one of the most exploited vulnerabilities in cybersecurity.
Caught feelings for cybersecurity? It’s okay, it happens. Follow us on LinkedIn, Youtube and Instagram to keep the spark alive.
