
Russian Threat Actors Continue Signal and WhatsApp Targeting

Source: Data Breach Today. Archived Jun 29, 2026.

Thousands of Victims Tricked Into Giving Attackers Account Access, Say Officials

Russian military hackers, foiled by end-to-end encryption in Signal and WhatsApp, have compromised thousands of people by tricking them into granting direct access to their accounts instead, lately by revealing backup recovery keys and PIN codes, warns a new U.S. government cybersecurity alert.



Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime, Social Engineering

Mathew J. Schwartz (euroinfosec) • June 29, 2026

Russian military hackers, foiled by end-to-end encryption in messaging apps, have compromised thousands of people by tricking them into granting direct access to their accounts instead.

The hackers' phishing campaigns targeting users of commercial messaging applications often masquerade as Signal and WhatsApp automated support bots and don't exploit any flaw in the apps, their cryptography or underlying platform, according to an alert issued Friday by the FBI and U.S. Cybersecurity and Infrastructure Security Agency.

Instead, multiple Russian intelligence services threat actors "continue to masquerade as automated CMA support accounts in updated phishing messages but have evolved their tactics to attempt to elicit victims' backup recovery keys" to gain access to their accounts, the warning says.

"The threat actors have compromised individual CMA accounts, but not the CMA's encryption or the application itself," said the FBI's cyber division in a post to social platform X.

While these attacks remain long-running, recent variants have been trying to trick targets into sharing their backup recovery keys and account PINs, which gives attackers access to the account. Some phishing messages first instruct targets to back up all of their messages.
In such cases, Russian intelligence agents can take over a victim's account and also "view the account's historical messages, private and group messages," the alert says.

"If a victim inadvertently shares the backup recovery key, that same key remains valid even if they create a new account following the compromise using the same phone number. Consequently, the actor could potentially use the compromised key to take over the new account in the future as well," the alert warns.

To avoid this, users must create a new backup recovery key inside "settings," which will invalidate the old key. "Please note that this does not prevent the actor from having already downloaded a backup of the original account," the alert says.

The FBI and CISA alert updates their March warning about these "unsophisticated, yet effective" phishing attacks, and requests individuals notify the agencies if they suspect they've fallen victim (see: Breach Roundup: Russian State Actors Target Signal, WhatsApp).

The attackers are continuing to try and socially engineer high-value people in multiple jurisdictions, including in the United States, Ukraine, Australia and Europe.

"The most frequently observed method used by the Russian hackers is to masquerade as a Signal support chatbot to induce their targets to divulge their codes. The hackers can then use these codes to take over the user's account. Another method used by the Russian actors takes advantage of the 'linked devices' function within Signal and WhatsApp," warned Dutch intelligence agencies in March.

Attackers also have "altered legitimate 'group invite' pages to redirect users to a malicious URL" that will link an attacker-controlled device "to the victim's Signal account," said the U.S. Department of State. Thousands of commercial messaging application accounts have been compromised, and attackers have gained "unauthorized access to sensitive government communications, contact lists and group conversations," it said.
"The purpose of these hacks is to gain access to sensitive military, political and economic information exchanged by users, as well as to steal their personal data," says a joint alert last week from the Security Service of Ukraine, aka the SBU, posted to Telegram.

The phishing attempts often arrive as SMS messages sent by "support teams," frequently arriving "in the morning hours, when the user is extremely vulnerable due to their physical and emotional state," the warning said.

Targeted phishing attacks suspected of being launched by Russia-aligned hackers in March compromised the WhatsApp accounts of an Australian member of parliament and three staffers. An Australian official said in May that all evidence pointed to a nation-state hacking group being behind the attacks, which also targeted officials in Germany, the Netherlands and the United States.

Once attackers compromise an account, they often use it to disguise themselves and attack others.

"Targets of this cyber scheme include U.S. government officials, diplomatic personnel and foreign affairs officials, defense and national security personnel, policy analysts and advisers, NATO member-state officials and diplomats, allied intelligence and defense partners, investigative journalists covering Russia, Ukraine and international affairs, non-governmental organizations providing support and assistance to Ukraine, and academic researchers in security studies and Russian affairs," the Department of State said.

As part of its Rewards for Justice program, last week the Department of State posted a reward of up to $10 million for information that helps authorities identify or locate anyone working with two of the hacking groups tied to these attacks. They include UNC5792, which appears to be part of the Russian Federal Security Service - aka FSB - Border Guards, and UNC4221, which appears to be tied to Russia's military services.
Officials said they're seeking everything from the threat actors' biographical details and funding sources to details of their bank accounts and cryptocurrency wallets.

Signal has continued to issue warnings to users to beware such attacks, and said it's prepping more robust defenses to help.

"Sophisticated attackers have engaged in a harmful phishing campaign posing as 'Signal support' by changing their profile display name and using social engineering to trick people into handing over their credentials - information that allowed attackers to take over some targeted Signal accts," the service said in an April post to social platform Bluesky.

"Please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal support will ever send you a message request or ask for your registration verification code or Signal PIN," Signal said.

Ukraine's SBU recommends E2EE messaging app users regularly review all active connections to their account and terminate anything that looks suspicious. Also, enable two-factor authentication and never share any verification codes, PIN codes or recovery keys. Finally, "do not click on suspicious links, even if they come from acquaintances. Their account may have already been hacked," it said.