FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks

FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Ravie LakshmananMar 21, 2026Cyber Espionage / Threat Intelligence Threat actors affiliated with Russian Intelligence Services are conducting phishing campaigns to compromise commercial messaging applications (CMAs) like WhatsApp and Signal to seize control of accounts belonging to individuals with high intelligence value, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) said Friday. "The campaign targets individuals of high intelligence value, including current and former U.S. government officials, military personnel, political figures, and journalists," FBI Director Kash Patel said in a post on X. "Globally, this effort has resulted in unauthorized access to thousands of individual accounts. After gaining access, the actors can view messages and contact lists, send messages as the victim, and conduct additional phishing from a trusted identity." CISA and the FBI said the activity has resulted in the compromise of thousands of individual CMA accounts. It's worth noting that the attacks are designed to break into the targeted accounts and do not exploit any security vulnerability or weakness to crack the platforms' encryption protections. While the agencies did not attribute the activity to a specific threat actor, prior reports from Microsoft and Google Threat Intelligence Group have linked such campaigns to multiple Russia-aligned threat clusters tracked as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185). In a similar alert, the Cyber Crisis Coordination Center (C4), part of the National Cybersecurity Agency of France (ANSSI), warned of a surge in attack campaigns targeting instant messaging accounts associated with government officials, journalists, and business leaders. "These attacks – when successful – can allow malicious actors to access conversation histories, or even take control of their victims' messaging accounts and send messages while impersonating them," C4 said. The end goal of the campaign is to enable the threat actors to gain unauthorized access to victims' accounts, enabling them to view messages and contact lists, send messages on their behalf, and even conduct secondary phishing against other targets by abusing trusted relationships. As recently alerted by cybersecurity agencies from Germany and the Netherlands, the attack involves the adversary posing as "Signal Support" to approach targets and urge them to click on a link (or alternatively scan a QR code) or provide the PIN or verification code. In both cases, the social engineering scheme allows the threat actors to gain access to the victim's CMA account. However, the campaign has two different outcomes for the victim depending on the method used - If the victim opts to provide the PIN or verification code to the threat actor, they lose access to their account, as the attacker has used it to recover the account on their end. While the threat actor cannot access past messages, the method can be used to monitor fresh messages and send messages to others by impersonating the victim. If the victim ends up clicking the link or scanning the QR code, a device under the control of the threat actor gets linked to the victim's account, allowing them to access all messages, including those sent in the past. In this scenario, the victim continues to have access to the CMA account unless they are explicitly removed from the app settings. To better protect against the threat, users are advised to never share their SMS code or verification PIN with anyone, exercise caution when receiving unexpected messages from unknown contacts, check links before clicking them, and periodically review linked devices and remove those that appear suspicious. "These attacks, like all phishing, rely on social engineering. Attackers impersonate trusted contacts or services (such as the non-existent 'Signal Support Bot') to trick victims into handing over their login credentials or other information," Signal said in a post on X earlier this month. "To help prevent this, remember that your Signal SMS verification code is only ever needed when you are first signing up for the Signal app. We also want to emphasize that Signal Support will *never* initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN. If anyone asks for any Signal-related code, it is a scam." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  cyber espionage, cybersecurity, data security, Phishing, Signal, social engineering, Threat Intelligence, Whatsapp Trending News Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse Veeam Patches 7 Critical Backup and Replication Flaws Allowing Remote Code Execution Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 Researchers Trick Perplexity's Comet AI Browser Into Phishing Scam in Under Four Minutes ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack and More Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days ⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents and More FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials Load More ▼ Popular Resources Guide - Discover How to Validate AI Risks With Adversarial Testing Webinar - Identify Key Attack Paths to Your Crown Jewels with CSMA Get the 2026 ASV Report to Benchmark Top Validation Tools Fix Security Noise by Focusing Only on Validated Exposures