The FBI has issued a public service announcement warning that Russian intelligence-linked threat actors are actively targeting users of encrypted messaging apps such as Signal and WhatsApp in phishing campaigns that have already compromised thousands of accounts.
The FBI’s PSA is the first public attribution linking these campaigns directly to Russian intelligence services, rather than a broader description of just state hackers.
According to the FBI, the campaigns are designed to bypass the protections of end-to-end encryption in commercial messaging apps (CMAs), not by breaking encryption, but through account hijacks.
The FBI says the techniques used in these attacks can be applied to multiple CMAs but predominantly target Signal users.
Depending on the access they obtain, attackers can read private messages and contact lists, impersonate victims, and launch additional phishing campaigns as trusted people.
The FBI says the attacks have affected “thousands” of accounts worldwide and primarily target those with access to sensitive information.
“The activity targets individuals of high intelligence value, such as current and former U.S. government officials, military personnel, political figures, and journalists,” reads the FBI’s PSA.
The FBI’s attribution comes after earlier advisories from Dutch and French cybersecurity authorities that described similar account-hijacking operations.
Earlier this month, Dutch intelligence agencies warned that state-backed attackers were targeting Signal and WhatsApp users in phishing campaigns aimed at gaining access to secure communications.
The advisory highlighted that the attacks relied on tricking users into allowing attackers to add the account to their devices or link attacker-controlled devices to the account.
Today, France’s Cyber Crisis Coordination Center (C4) also published an alert about the same tactics targeting instant messaging platforms, stating the activity is widespread and ongoing across multiple countries.
Signal phishing attacks
All three advisories state that the phishing attacks follow the same tactic of bypassing the platform’s encryption by hijacking accounts or linking devices to an existing account.
Source: FBI
The FBI says that most phishing messages impersonate support accounts, which request that the target perform an action that secretly grants threat actors access to the account.
Victims are typically tricked into sharing verification codes or scanning malicious QR codes that link their accounts (Signal and WhatsApp) to attacker-controlled devices.
Source: France’s Cyber Crisis Coordination Center (C4)
Once the threat actors gain access to accounts, they can silently monitor communications, join group chats, and send messages as the compromised user, making detection more difficult and enabling further phishing campaigns.
The PSA emphasizes that encryption in Signal, WhatsApp, and similar platforms is not broken and no vulnerabilities are being exploited.
The FBI says the campaign has already led to unauthorized access to thousands of messaging accounts, which were then used to target additional victims.
Users are advised to remain suspicious of unexpected messages, be wary of requests to scan QR codes or link devices to their accounts, and never share verification codes with anyone, including accounts claiming to be a platform’s support personnel.
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.
