FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks

Summary

Russian Intelligence Services-affiliated threat actors are conducting large-scale phishing campaigns against Signal and WhatsApp users, primarily targeting U.S. government officials, military personnel, politicians, and journalists. The attacks use social engineering to trick victims into sharing verification codes or clicking malicious links, potentially granting attackers access to message histories and the ability to impersonate victims. CISA and FBI attribute the activity to clusters including Star Blizzard, UNC5792 (UAC-0195), and UNC4221 (UAC-0185), with thousands of accounts compromised globally.

Full text

FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Ravie LakshmananMar 21, 2026Cyber Espionage / Threat Intelligence Threat actors affiliated with Russian Intelligence Services are conducting phishing campaigns to compromise commercial messaging applications (CMAs) like WhatsApp and Signal to seize control of accounts belonging to individuals with high intelligence value, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) said Friday. "The campaign targets individuals of high intelligence value, including current and former U.S. government officials, military personnel, political figures, and journalists," FBI Director Kash Patel said in a post on X. "Globally, this effort has resulted in unauthorized access to thousands of individual accounts. After gaining access, the actors can view messages and contact lists, send messages as the victim, and conduct additional phishing from a trusted identity." CISA and the FBI said the activity has resulted in the compromise of thousands of individual CMA accounts. It's worth noting that the attacks are designed to break into the targeted accounts and do not exploit any security vulnerability or weakness to crack the platforms' encryption protections. While the agencies did not attribute the activity to a specific threat actor, prior reports from Microsoft and Google Threat Intelligence Group have linked such campaigns to multiple Russia-aligned threat clusters tracked as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185). In a similar alert, the Cyber Crisis Coordination Center (C4), part of the National Cybersecurity Agency of France (ANSSI), warned of a surge in attack campaigns targeting instant messaging accounts associated with government officials, journalists, and business leaders. "These attacks – when successful – can allow malicious actors to access conversation histories, or even take control of their victims' messaging accounts and send messages while impersonating them," C4 said. The end goal of the campaign is to enable the threat actors to gain unauthorized access to victims' accounts, enabling them to view messages and contact lists, send messages on their behalf, and even conduct secondary phishing against other targets by abusing trusted relationships. As recently alerted by cybersecurity agencies from Germany and the Netherlands, the attack involves the adversary posing as "Signal Support" to approach targets and urge them to click on a link (or alternatively scan a QR code) or provide the PIN or verification code. In both cases, the social engineering scheme allows the threat actors to gain access to the victim's CMA account. However, the campaign has two different outcomes for the victim depending on the method used - If the victim opts to provide the PIN or verification code to the threat actor, they lose access to their account, as the attacker has used it to recover the account on their end. While the threat actor cannot access past messages, the method can be used to monitor fresh messages and send messages to others by impersonating the victim. If the victim ends up clicking the link or scanning the QR code, a device under the control of the threat actor gets linked to the victim's account, allowing them to access all messages, including those sent in the past. In this scenario, the victim continues to have access to the CMA account unless they are explicitly removed from the app settings. To better protect against the threat, users are advised to never share their SMS code or verification PIN with anyone, exercise caution when receiving unexpected messages from unknown contacts, check links before clicking them, and periodically review linked devices and remove those that appear suspicious. "These attacks, like all phishing, rely on social engineering. Attackers impersonate trusted contacts or services (such as the non-existent 'Signal Support Bot') to trick victims into handing over their login credentials or other information," Signal said in a post on X earlier this month. "To help prevent this, remember that your Signal SMS verification code is only ever needed when you are first signing up for the Signal app. We also want to emphasize that Signal Support will *never* initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN. If anyone asks for any Signal-related code, it is a scam." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cyber espionage, cybersecurity, data security, Phishing, Signal, social engineering, Threat Intelligence, Whatsapp Trending News FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days Researchers Trick Perplexity's Comet AI Browser Into Phishing Scam in Under Four Minutes Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack and More Veeam Patches 7 Critical Backup and Replication Flaws Allowing Remote Code Execution Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration ⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents and More CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS Popular Resources Webinar - Identify Key Attack Paths to Your Crown Jewels with CSMA Guide - Discover How to Validate AI Risks With Adversarial Testing Get the 2026 ASV Report to Benchmark Top Validation Tools Fix Security Noise by Focusing Only on Validated Exposures

Indicators of Compromise

• malware — Star Blizzard
• malware — UNC5792
• malware — UNC4221