TL;DR
- Russian state-sponsored hackers are running mass phishing campaigns against Signal and WhatsApp users
- They're targeting high-value individuals: government officials, military personnel, journalists, business executives
- Thousands of accounts have already been compromised worldwide
- The attack bypasses encryption — it doesn't break the crypto, it steals the account credentials
- Once compromised, attackers can read messages, send messages as you, and phish your contacts
- Businesses with staff using personal messaging apps for work are at risk
The Attack: What's Happening
On March 21, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) issued a joint alert: Russian intelligence services are conducting large-scale phishing campaigns against commercial messaging applications like Signal and WhatsApp [1].
The t
But here's what matters for businesses: your executives, managers, and employees are in the crosshairs too.
FBI Director Kash Patel confirmed that globally, this effort has resulted in unauthorized access to thousands of individual accounts [3]. After gaining access, attackers can:
- View all messages and contact lists
- Send messages appearing to come from the victim
- Conduct secondary phishing attacks against the victim's contacts using a trusted identity [4]
This isn't about breaking encryption. It's about stealing the keys to the account.
How the Attack Works
The phishing campaign is deceptively simple. Attackers pose as "Signal Support" or similar official-sounding entities and approach targets through [5]:
- Fake support messages: "Your account will be deactivated unless you verify now"
- Malicious links: "Click here to restore your account access"
- QR codes: "Scan this to verify your identity"
- Direct requests: "Please provide your PIN or verification code"
There are two attack paths, each with different outcomes:
Path 1: PIN/Verification Code Theft
If the victim provides their PIN or verification code to the attacker:
- The attacker uses it to recover the account on their own device
- The victim loses access to their account
- The attacker can't read past messages (encryption protects those)
- But they can monitor all new messages and send messages as the victim [6]
Business impact: An attacker gains ongoing access to future conversations, can impersonate the victim to contacts, and intercept sensitive information shared after the compromise.
Path 2: Malicious Link or QR Code
If the victim clicks a link or scans a QR code:
- A device controlled by the attacker links to the victim's account
- The attacker gains full access to all messages, including historical conversations
- The victim retains access, but now shares the account with the attacker [7]
Business impact: Complete exposure of conversation history, ongoing monitoring, and the ability to impersonate the victim with full context from past messages.
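The lure types and the two paths above can be turned into a first-pass triage for messages that staff report. The following is an added example, not code from the agencies' alert or from this article's author; the wording patterns, the `triage_message` function and the sample messages are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Wording patterns are constructed for this example from the lure types listed
# above; they are assumptions to tune against real reports, not vendor rules.
SUPPORT_CLAIM = re.compile(r"\b(signal|whatsapp)\s+(support|help|security)\b", re.I)
ACCOUNT_THREAT = re.compile(r"\b(deactivat|delet|suspend|restor|verif)\w*", re.I)
ACCOUNT_WORD = re.compile(r"\byour (account|identity)\b", re.I)
CODE_ASK = re.compile(r"\b(provide|share|send|reply with|tell us|enter|give)\b.{0,40}"
                      r"\b(pin|verification code|six-digit code)\b", re.I)
QR_PROMPT = re.compile(r"\bscan\b.{0,40}\bqr\b", re.I)
URL = re.compile(r"https?://\S+", re.I)

ACTIONS = {
    "path1": ["Do not share the PIN or verification code",
              "Verify the request through a separate, trusted channel"],
    "path2": ["Do not click the link or scan the QR code",
              "Check Settings > Linked Devices and remove unrecognized devices"],
}

@dataclass
class Triage:
    path: str          # path1-code-theft | path2-device-link | both | none
    indicators: list   # names of the patterns that matched
    actions: list      # response steps taken from the article's guidance

def triage_message(text: str) -> Triage:
    """Classify one reported message against the two attack paths."""
    pretext = bool(SUPPORT_CLAIM.search(text)
                   or (ACCOUNT_THREAT.search(text) and ACCOUNT_WORD.search(text)))
    hits = {
        "support-or-account-pretext": pretext,
        "code-request": bool(CODE_ASK.search(text)),
        "qr-prompt": bool(QR_PROMPT.search(text)),
        "link": bool(URL.search(text)),
    }
    # Path 1: a request for a PIN or code is treated as hostile on its own.
    path1 = hits["code-request"]
    # Path 2: a link or QR prompt counts only inside a support/account pretext,
    # so ordinary messages that merely contain a URL are not flagged.
    path2 = pretext and (hits["qr-prompt"] or hits["link"])
    actions = (ACTIONS["path1"] if path1 else []) + (ACTIONS["path2"] if path2 else [])
    path = {(True, True): "both", (True, False): "path1-code-theft",
            (False, True): "path2-device-link", (False, False): "none"}[(path1, path2)]
    return Triage(path, [name for name, hit in hits.items() if hit], actions)

# Constructed sample reports (not real messages).
SAMPLES = [
    "Signal Support: Your account will be deactivated unless you verify now. "
    "Please provide your PIN or verification code.",
    "WhatsApp Help: We detected suspicious activity. Scan this QR code to verify your identity.",
    "Click here to restore your account access: https://example.invalid/restore",
    "Running late, can you send the meeting link? https://example.invalid/meet",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = triage_message(sample)
        print(f"{result.path:18} {result.indicators}")
```

A result of "none" only means the wording did not match these patterns; anything a user found suspicious still goes through out-of-band verification.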
Why This Matters for Your Business
You might be thinking: "We use Slack/Teams/Email for work. Why should we care about Signal and WhatsApp?"
Here's why:
1. Your Staff Uses Personal Apps for Work
According to recent data, 67% of employees use personal messaging apps for work communications [8]. They share:
- Sensitive documents and files
- Client information and contract details
- Internal discussions and decisions
- Login credentials and password resets
- Financial information and invoices
If those personal accounts are compromised, your business data is exposed.
2. Executives Are High-Value Targets
Senior executives — CEOs, CFOs, CTOs — are exactly the kind of "high-value individuals" nation-state hackers target. They have:
- Access to strategic plans and financial data
- Authority to authorize transactions and approvals
- Relationships with other high-value targets (suppliers, partners, investors)
- Credibility within their industry
Compromising an executive's messaging account gives attackers enormous leverage for:
- Business email compromise (BEC) attacks
- Supply chain fraud
- Insider trading opportunities
- Competitive intelligence gathering
3. Trusted Identity Abuse
Once an attacker controls a messaging account, they can phish the victim's contacts with automatic trust. When your business partner gets a message from your CEO's verified WhatsApp account asking for an urgent wire transfer, they're more likely to act [9].
This is how phishing campaigns scale: one compromised account becomes a launchpad for hundreds more.
Who's Behind These Attacks
While CISA and the FBI didn't attribute the activity to a specific threat actor in their alert, prior reporting from Microsoft and Google Threat Intelligence Group has linked similar campaigns to multiple Russia-aligned threat clusters [10]:
- Star Blizzard (aka APT29, Cozy Bear)
- UNC5792 (aka UAC-0195)
- UNC4221 (aka UAC-0185)
These are state-sponsored hacking groups with a track record of targeting:
- Government agencies and military organizations
- Think tanks and policy organizations
- Journalists and media outlets
- Businesses with government contracts or geopolitical relevance
The goal isn't just credential theft. It's espionage — gathering intelligence, understanding relationships, and positioning for future operations.
The Encryption Myth
There's a dangerous misconception floating around: "Signal and WhatsApp are encrypted, so they're safe."
Here's the reality:
End-to-end encryption protects messages in transit. It prevents attackers from intercepting and reading communications as they travel between devices.
It does not protect account credentials. If an attacker convinces you to give them your PIN, verification code, or to link their device to your account, encryption doesn't help. The attacker is now you — with full access to your messages and contacts.
Think of encryption like a lock on your front door. It works great if you keep the door locked. But if someone convinces you to hand over the key, the lock is meaningless.
What Your Business Needs to Do Right Now
Immediate Actions (Today)
- Alert all staff about the phishing campaign targeting Signal and WhatsApp
- Emphasize never sharing PINs, verification codes, or scanning QR codes from unsolicited messages
- Verify through another channel if anyone receives a suspicious "support" message — call or email the person directly
- Check for linked devices in Signal (Settings > Linked Devices) and WhatsApp (Settings > Linked Devices) — remove any unrecognized devices
Policy Updates (This Week)
- Update acceptable use policy: Prohibit sharing sensitive business information via personal messaging apps unless explicitly approved and secured
- Add messaging app security to your security awareness training program
- Create a verification protocol: When someone receives an unusual request via messaging app, verify through a separate, trusted channel
- Mandatory reporting: Require staff to report suspicious messaging app activity immediately
Technical Controls (This Month)
- Deploy mobile device management (MDM) with messaging app monitoring capabilities
- Implement conditional access: Require additional authentication for high-risk actions (like linking new devices)
- Deploy endpoint detection on mobile devices to detect phishing attempts and compromised apps
- Data loss prevention (DLP): Monitor for sensitive data being shared to unapproved messaging apps
For Executives and High-Risk Staff
- Dedicated devices: Consider providing separate work phones with managed messaging apps
- Enhanced monitoring: Flag unusual messaging activity, new device links, or mass message sends
- Incident response plan: Specific playbooks for compromised messaging accounts — what to do, who to notify, how to contain damage
- Regular security briefings: Keep high-risk staff informed about the latest threat intelligence
The Bigger Picture: Messaging Apps Are the New Email
Twenty years ago, email was the primary business communication tool. Attackers targeted it with phishing. Businesses built defenses: spam filters, authentication protocols, security awareness training.
Today, messaging apps have become the primary communication channel for many professionals. Attackers have followed them.
The pattern is identical:
1. New communication platform gains adoption
2. Attackers find ways to exploit it
3. Businesses build defenses
4. Attackers evolve and find new platforms
We're in step 2 for messaging apps. The question isn't whether your business will face this threat — it's whether you'll be prepared when it happens.
FAQ
No. The attacks don't break encryption — they steal account credentials through social engineering. Once an attacker has access to the account, they can read messages legitimately, just like the account owner.
Check for linked devices you don't recognize (Signal: Settings > Linked Devices; WhatsApp: Settings > Linked Devices). Watch for messages you didn't send, contacts receiving messages you didn't write, or being logged out of your account unexpectedly.
Yes, but with precautions: never share verification codes or PINs, verify unusual requests through another channel, use dedicated work devices with MDM, avoid sharing sensitive information unless necessary, and monitor for suspicious activity.
Immediately unlink all devices from your account, change your password if applicable, enable two-factor authentication, scan your device for malware, and alert your IT/security team. Monitor for suspicious messages sent from your account.
Messaging apps provide access to high-value targets (government, military, journalists, executives), contain rich conversation history for intelligence gathering, allow impersonation for secondary phishing, and are trusted by recipients — making them powerful tools for espionage.
Train staff to recognize phishing attempts across all channels, implement technical controls (MDM, endpoint detection, DLP), create clear policies about business use of personal apps, require verification for unusual requests, and have incident response plans ready.
References
[1] U.S. Cybersecurity and Infrastructure Security Agency (CISA) & Federal Bureau of Investigation (FBI), "Russian Intelligence Services Target Commercial Messaging Application Accounts," CISA Alert, Mar. 2026. [Online]. Available: https://www.cisa.gov/resources-tools/resources/russian-intelligence-services-target-commercial-messaging-application-accounts
[2] FBI Director Kash Patel, "Statement on Russian Cyber Operations Targeting Messaging Apps," FBI.gov, Mar. 2026.
[3] Ibid.
[4] CISA & FBI, op. cit.
[5] FBI Internet Crime Complaint Center (IC3), "PSA260320: Phishing Attacks Targeting Messaging Applications," IC3 PSA, Mar. 2026. [Online]. Available: https://www.ic3.gov/PSA/2026/PSA260320
[6] The Hacker News, "FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks," The Hacker News, Mar. 2026. [Online]. Available: https://thehackernews.com/2026/03/fbi-warns-russian-hackers-target-signal.html
[7] Ibid.
[8] Verizon Business, "2025 Data Breach Investigations Report," Verizon, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/
[9] FBI IC3, "2025 Business Email Compromise Report," FBI IC3, 2025. [Online]. Available: https://www.ic3.gov/Media/PDF/AnnualReport/2025_BEC_Report.pdf
[10] Microsoft Threat Intelligence, "Star Blizzard: Evolving Russian Threat Actor Targets Multiple Sectors," Microsoft Security Blog, Jan. 2025. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2025/01/star-blizzard-shifts-tactics-to.html
[11] Google Cloud Threat Intelligence Group, "UNC5792: Russian APT Targeting Government and Military," Google Cloud Security, Feb. 2025. [Online]. Available: https://cloud.google.com/security/threat-intelligence/unc5792-russian-apt
[12] French National Cybersecurity Agency (ANSSI) C4, "Alert CERTFR-2026-ALE-003: Targeted Phishing Against Messaging Applications," CERT-FR, Mar. 2026. [Online]. Available: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2026-ALE-003/
TL;DR
- Bad guys are pretending to be "Signal Support" or "WhatsApp Help" to steal accounts
- They trick people into sharing secret codes or clicking dangerous links
- Once they have your account, they can read your messages and pretend to be you
- Thousands of people have already been tricked
- Never share your PIN or verification code with anyone, no matter what they say
What's Happening?
Imagine someone knocks on your door and says, "Hi, I'm from the phone company. I need to check your phone. Can you give me your keys?"
You wouldn't do it, right? Because a real phone company would never ask for your keys.
But the same trick is happening on messaging apps like Signal and WhatsApp — and lots of people are falling for it.
The Fake Support Trick
Bad guys are sending messages that look like they're from Signal or WhatsApp support. They say things like:
- "Your account will be deleted unless you verify now"
- "We detected suspicious activity. Click this link to fix it"
- "Scan this QR code to confirm your identity"
- "Please share your PIN to protect your account"
These messages are lies. They're not from Signal or WhatsApp. They're from hackers who want to steal your account.
How They Trick You
Trick 1: "Give Me Your Secret Code"
When you set up Signal or WhatsApp, you create a PIN or get a verification code. Think of this like the key to your house.
The hackers say: "To keep your account safe, tell us your PIN or verification code."
If you share it:
- They use your code to take over your account
- You get locked out
- They can read all your new messages
- They can send messages pretending to be you
Trick 2: "Click This Link"
The hackers send a link that looks real. They say: "Click here to fix your account."
If you click:
- It connects their device to your account
- Now both you AND the hacker are using your account
- They can read all your messages — even old ones
- They can see all your contacts
- They can pretend to be you with everything you've ever said
Why This Is Scary
Once someone has your account, they can:
- Read your messages: See what you're saying to friends, family, coworkers
- Pretend to be you: Send messages that look like they're from you
- Trick your friends: Use your account to scam the people you know
- Steal information: Get passwords, photos, documents you've shared
Imagine someone sending a message to your boss asking for money — and it looks like it came from you. That's what these hackers do.
The Sneaky Part: They Don't Break the Lock
Here's what makes this clever: Signal and WhatsApp have strong security (encryption). Your messages are protected.
But the hackers don't try to break that protection. Instead, they trick you into giving them the key.
It's like having a really strong lock on your door — but someone tricks you into opening it yourself.
Who's Being Targeted?
The hackers are especially interested in:
- Government workers
- Military personnel
- Reporters and journalists
- Business executives
- People with important jobs
But regular people get caught in the trap too. If your parent, friend, or colleague uses these apps for work, they might be targeted.
What You Can Do
Never Share These Things (Ever!)
- ❌ Your PIN
- ❌ Your verification code
- ❌ The six-digit code you get when setting up the app
- ❌ Any code sent to your phone or email
Real support will never ask for these. Ever.
Check for Strangers
If you use Signal:
- Open the app
- Go to Settings
- Tap Linked Devices
- If you see a device you don't recognize, remove it
If you use WhatsApp:
- Open the app
- Go to Settings
- Tap Linked Devices
- Remove any device you don't know
If Something Seems Wrong...
- Don't click anything
- Don't share any codes
- Contact the person directly through another way (call them, email them)
- Tell an adult or your IT person at work
Talk to Your Family and Friends
Lots of people don't know about this scam. Tell them:
- "Signal and WhatsApp will never ask for your PIN"
- "If someone says your account will be deleted, it's a lie"
- "Never share verification codes, no matter what the message says"
What If You Already Clicked?
If you think you might have shared your code or clicked a bad link:
- Unlink all devices from your account (in Settings)
- Tell someone — a parent, teacher, or your IT person at work
- Check your messages — see if anything strange was sent
- Warn your contacts — let people know your account was compromised
The Big Lesson
This scam teaches us something important:
Not everyone is who they say they are online.
Just because a message says it's from "Signal Support" doesn't mean it really is. Hackers are good at pretending.
The good news: You're in control. By never sharing your secret codes and checking for strange devices, you can keep your account safe.
FAQ
Yes! They have strong security. The problem isn't the apps — it's people tricking you into giving away access. Keep using them, just be smart about it.
Real support will never ask for your PIN, verification code, or password. Never. If a message asks for these, it's fake.
Only if you clicked a link or scanned a QR code that connected their device to your account. If you only shared your PIN, they can see new messages but not old ones.
They want to spy on people, steal information, and pretend to be others to scam more people. It's like identity theft, but for messaging apps.
Tell them: "Never share your PIN or verification codes, even if the message says it's urgent. Real support never asks for this."