Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Ukraine Says Russian Intelligence Used Fake Support Texts to Steal Messaging Credentials
Ukraine Says Russian Intelligence Used Fake Support Texts to Steal Messaging Credentials
NEWS

Ukraine Says Russian Intelligence Used Fake Support Texts to Steal Messaging Credentials

Ukraine's SSU and the FBI have exposed a sustained Russian intelligence campaign using fake support SMS messages to steal Signal, WhatsApp, and Telegram...

Dylan H.

News Desk

June 28, 2026
5 min read

Russian Intelligence Weaponizes Fake SMS Support Messages

Ukraine's Security Service (SSU/SBU) and the United States FBI have jointly disclosed a sustained Russian intelligence operation that uses fraudulent support text messages to steal credentials for Signal, WhatsApp, and Telegram accounts. The campaign has compromised thousands of accounts worldwide, targeting current and former government officials, military personnel, politicians, journalists, and Ukrainian nationals.

The operation does not break end-to-end encryption. Instead, it exploits human trust — social engineering targets into handing over verification codes or recovery keys that grant the attacker full account access while bypassing cryptographic protections entirely.


Attack Methods

Signal: Fake Verification Code Theft

For Signal users, attackers send SMS messages impersonating the platform's official support bot. Messages warn of "suspicious activity" or a "possible data leak" and instruct the victim to verify their account. The attacker has already requested a verification code from Signal on the victim's number — when the victim enters that code plus their PIN into the fake form, the attacker gains full account access on an attacker-controlled device.

More recently, the FBI and CISA have noted attackers specifically targeting Signal backup recovery keys. A stolen recovery key allows full message history restoration and persistent access even if the victim changes devices.

WhatsApp: Linked Devices Abuse

For WhatsApp, attackers abuse the platform's Linked Devices feature. Victims receive messages prompting them to add what appears to be a legitimate secondary device. When the victim approves the pairing QR code presented in the fake message, an attacker-controlled device is silently linked. The victim remains logged in and may not notice — but all past and future messages are now accessible to the attacker.

Telegram: Credential Harvesting via Fake Portals

Telegram-targeting variants direct victims to phishing pages impersonating Telegram's official web login, harvesting session credentials directly.


Attribution

Ukrainian and US authorities attribute this campaign to Russian Intelligence Services (RIS), with specific threat clusters identified:

Threat ActorOther NamesAffiliation
Star BlizzardSEABORGIUM, Callisto GroupFSB (Russian Federal Security Service)
UNC5792UAC-0195Russian military services
UNC4221UAC-0185Russian military services

The US State Department's Rewards for Justice program is offering up to $10 million for information on UNC5792 operators.


Targets

The campaign focuses on high-value individuals whose communications carry strategic value:

  • Current and former US government officials
  • International government officials and diplomats
  • Military and defense personnel
  • Politicians and political campaign staff
  • Journalists and civil society figures
  • Ukrainian nationals and diaspora

The scope is global — intelligence services in the Netherlands (AIVD/MIVD), Germany (BfV/BSI), and France (ANSSI) have all issued overlapping warnings about the same campaign patterns.


Why This Works

The attack is effective precisely because it does not attack cryptography — it attacks people. Signal and WhatsApp's encryption is unbroken. The attacker tricks the user into handing over a credential (verification code, recovery key, session token) that then grants legitimate access to the account.

Key insight: No amount of encryption protects an account if the user is persuaded to hand the attacker a valid key.


Protective Measures

ActionPriority
Enable Registration Lock / PIN on Signal — prevents account re-registration without your PINCritical
Review Linked Devices in WhatsApp and Telegram — remove any unrecognized devices immediatelyHigh
Never share verification codes with anyone via SMS, email, or in response to unsolicited messagesCritical
Be suspicious of any "support" message — Signal, WhatsApp, and Telegram do not proactively contact users via SMSHigh
Use a hardware security key as a second factor where supportedMedium
Enable screen lock on messaging apps — adds a barrier if a device is compromisedMedium

How to Check Linked Devices

Signal: Settings → Account → Linked Devices
WhatsApp: Settings → Linked Devices
Telegram: Settings → Devices → Active Sessions

Remove any device you do not recognize immediately.


Incident Response

If you suspect your account has been compromised:

  1. Revoke linked devices immediately using the platform's device management screen
  2. Change your Signal PIN / Registration Lock and re-enable it
  3. Generate new backup keys if your Signal backup recovery key was potentially exposed
  4. Notify your organization's security team — particularly if you communicate on behalf of a government, military, or NGO
  5. Report to CISA (US government entities) or your national CERT

References

  • The Hacker News — Ukraine Says Russian Intelligence Used Fake Support Texts
  • The Record / Recorded Future — Russia Ukraine Messaging Campaign
  • TechCrunch — Dutch Intelligence Warning on Russian Signal Campaign
  • The Next Web — FBI Warns on Signal Recovery Key Theft

Related Reading

  • ZeroDayRAT Mobile Spyware Enables Total Surveillance
#Russia#Threat Intelligence#Social Engineering#Signal#WhatsApp#Telegram#Phishing#APT

Related Articles

U.S. Offers $10 Million for Russian Hackers Targeting WhatsApp and Signal Users

The U.S. Department of State is offering up to $10 million through its Rewards for Justice program for information identifying members of UNC5792 and...

3 min read

Ukraine and FBI Expose Russian Intelligence Campaign Stealing Signal Credentials via Fake SMS

The SSU and FBI jointly disclosed a sustained Russian intelligence operation targeting messaging credentials of government officials, military personnel,...

5 min read

FBI: Russian Hackers Now Target Signal Backup Recovery Keys

The FBI and CISA warn that a Russian-linked phishing campaign targeting Signal users has evolved to steal Backup Recovery Keys, giving attackers full...

4 min read
Back to all News