Russian Intelligence Services Compromise Thousands of Messaging Accounts
The FBI and CISA issued a joint advisory on March 20, 2026, warning that threat actors affiliated with Russian Intelligence Services are conducting a large-scale global phishing campaign targeting users of Signal, WhatsApp, and other commercial messaging applications.
| Attribute | Value |
|---|---|
| Threat Actor | Russian Intelligence Services (GRU-affiliated) |
| Campaign Type | Social engineering / phishing (no malware) |
| Targets | US government officials, military, politicians, journalists |
| Apps Targeted | Signal, WhatsApp |
| Accounts Compromised | Thousands globally |
| First Reported | Dutch MIVD/AIVD (March 9, 2026) |
| US Advisory Date | March 20, 2026 |
How the Signal Attack Works
The attackers impersonate Signal's support team, contacting targets directly within the app with warnings about suspicious activity, a "possible data leak," or unauthorized access attempts. If the target engages, the attackers:
- Request a verification code sent via SMS — which the attackers themselves trigger from Signal's servers
- Ask for the target's PIN code
- Use both credentials to hijack the account and link it to attacker-controlled devices
WhatsApp Exploitation
For WhatsApp, the attackers abuse the "Linked Devices" feature, which allows users to access WhatsApp from secondary devices like laptops. By tricking targets into scanning a malicious QR code or approving a device link, attackers gain persistent access to all messages without the victim's knowledge.
| Impact Area | Description |
|---|---|
| Account Takeover | Full access to messages, contacts, and media |
| Impersonation | Ability to send messages as the victim |
| Lateral Phishing | Secondary phishing from trusted identities |
| Intelligence Collection | Access to sensitive government communications |
| Operational Security | Compromises secure channels used for classified discussions |
Who Is at Risk
The Netherlands' Defence Intelligence and Security Service (MIVD) and General Intelligence and Security Service (AIVD) first published details about the campaign on March 9, describing it as targeting individuals of "high intelligence value" globally. The FBI advisory expanded the scope to include:
- Current and former US government officials
- Military personnel across NATO countries
- Political figures and campaign staff
- Journalists covering national security topics
Recommendations
For High-Value Targets
- Enable Registration Lock in Signal (Settings → Account → Registration Lock)
- Review Linked Devices in both Signal and WhatsApp regularly
- Never share verification codes or PINs with anyone claiming to be support
- Use hardware security keys for two-factor authentication where supported
For Organizations
- Brief personnel on this specific social engineering technique
- Implement endpoint detection for unauthorized device linking
- Consider moving classified discussions to government-approved encrypted platforms
- Monitor for anomalous login patterns on messaging platforms
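A triage heuristic for user-reported messages, built from the lure elements this page describes: a claimed support sender, a security pretext, and a request for a verification code, PIN, QR scan or device link. This is an added example, not code from the FBI/CISA advisory; the patterns, the `triage` function and the sample messages are constructed for illustration.

```python
import re
import unicodedata

# Signal groups drawn from the lure elements described on this page.
# The patterns are illustrative assumptions, not indicators from the advisory.
SIGNALS = {
    "support_claim": re.compile(r"\b(signal|whatsapp)\s+(support|security|team)\b"),
    "pretext": re.compile(r"suspicious activity|data leak|unauthori[sz]ed access"),
    "code_request": re.compile(r"\b(verification|sms|registration)\s+code\b|\bpin\b"),
    "link_request": re.compile(
        r"\bqr\s+code\b|\blink(ed|ing)?\s+(\w+\s+){0,2}devices?\b|\bdevice\s+link"),
}
ASKS = {"code_request", "link_request"}  # what the sender wants from the target


def normalise(text: str) -> str:
    """Fold Unicode compatibility forms, case and whitespace before matching."""
    return " ".join(unicodedata.normalize("NFKC", text).casefold().split())


def triage(message: str) -> dict:
    """Return a verdict and the matched signal names for one reported message."""
    text = normalise(message)
    hits = {name for name, rx in SIGNALS.items() if rx.search(text)}
    if hits & ASKS and hits - ASKS:
        verdict = "likely_lure"  # support claim or pretext combined with an ask
    elif hits:
        verdict = "review"       # a single signal is ambiguous; send to an analyst
    else:
        verdict = "no_match"
    return {"verdict": verdict, "signals": sorted(hits)}


# Constructed sample messages (not taken from real traffic).
SAMPLES = [
    "Signal Support: we detected suspicious activity on your account. "
    "Reply with the verification code you received by SMS and your PIN.",
    "WhatsApp Security Team: unauthorized access attempt. "
    "Scan this QR code to re-link your device.",
    "Can you reset the door PIN before Friday?",
    "Meeting moved to 3pm.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage(msg)["verdict"], "|", msg[:50])
```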
Key Takeaways
- Russian intelligence is exploiting trust in encrypted messaging apps — the security of the encryption is irrelevant when the account itself is compromised
- No malware is involved — this is pure social engineering, making it harder to detect with traditional security tools
- Thousands of accounts have already been compromised globally, with victims unaware their messages are being read
- The campaign enables cascading attacks — compromised accounts are used to phish additional targets from a trusted identity
- Both Signal and WhatsApp are targeted through different but equally effective techniques
- Government employees should immediately audit their linked devices and enable all available account protections