Russian intelligence services have been conducting a widespread phishing campaign targeting users of commercial messaging apps, particularly Signal, resulting in the compromise of thousands of accounts, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) jointly warned on March 20, 2026. The operation, which began months ago, focuses on individuals considered high-value targets, including current and former U.S. Government employees, military personnel, politicians, and journalists.
The public warning, designated Public Service Announcement I-032026-PSA, comes as the campaign gains renewed urgency, according to the agencies. “Cyber actors are sending phishing messages that impersonate automated support accounts for commercial messaging apps,” the FBI and CISA stated. The attackers pose as official support personnel, attempting to trick victims into revealing verification codes, PINs, or two-factor authentication codes. “Legitimate support services for commercial messaging apps never request verification codes, especially not through direct messages within the application itself,” the agencies emphasized.
Signal itself has previously cautioned users about similar phishing attempts, clarifying that the app itself has not been compromised. “The app itself has not been compromised – the attacks rely exclusively on social engineering and not vulnerabilities in the encryption or code of the application,” the company stated. The core issue, authorities say, is that while end-to-end encryption protects message content, it does not prevent attackers from gaining control of an account through phishing.
Once an account is compromised, attackers can view messages, access contact lists, send communications on behalf of the victim, and launch further phishing campaigns leveraging the trusted identity. The FBI identified the cybercriminals associated with Russian intelligence, noting that the operation exploits a vulnerability in user behavior rather than technical flaws in the applications themselves.
The campaign extends beyond the United States, with similar activity reported in the Netherlands and Germany as early as February and March 2026, targeting WhatsApp and Signal users. Dutch intelligence services (AIVD and MIVD) described a “large-scale global cyber campaign” aimed at individuals in the public eye, military personnel, and journalists. The U.S. Warning confirms the global scope of the operation and the significant number of compromised accounts.
According to the FBI, the operation is relatively inexpensive for Russian intelligence services, relying on simple phishing techniques rather than costly exploits or zero-day vulnerabilities. However, the intelligence gains are substantial, providing access to sensitive conversations among policymakers, military officials, and journalists. The agencies have issued guidance to aid users identify and protect their accounts, urging increased vigilance regarding digital security practices.
The FBI, along with CISA, has issued a joint warning to help identify this type of activity and provide users with guidance on how to protect their accounts. Users are advised to regularly check group chats for duplicate accounts or accounts belonging to unfamiliar individuals.
Leave a Reply