News

Spyware investigator exposes Russian-linked Signal phishing campaign after hackers target him

A security researcher who investigates spyware attacks has exposed details of a large Signal phishing campaign after becoming one of its targets.

Donncha Ó Cearbhaill, who leads Amnesty International’s Security Lab, received a message on Signal earlier this year claiming to be from a fake “Signal Security Support ChatBot”. The message warned of supposed suspicious activity and urged him to complete a verification process by entering a Signal code. Instead of falling for the attempt, Ó Cearbhaill recognised the message as phishing and used the incident to investigate the campaign behind it.

The attack appears to be part of a broader espionage campaign targeting Signal users by impersonating the platform’s support function. The technique is designed to trick victims into helping attackers link their Signal account to a device controlled by the hackers, allowing them to access private chats and group conversations without breaking Signal’s encryption.

Ó Cearbhaill said he was able to identify more than 13,500 targets connected to the campaign. He did not disclose exactly how he investigated the operation, citing the need to avoid revealing his methods to the attackers.

The campaign reportedly used a system called “ApocalypseZ” to automate bulk phishing attempts against Signal users. Ó Cearbhaill found that the tool’s operator interface and codebase were in Russian, and that victim chats were being translated into Russian, details that align with earlier warnings from Western intelligence agencies about Russian-linked operations targeting encrypted messaging users.

The tactics match previous warnings from Dutch intelligence agencies, the FBI and CISA, which have all raised concerns about Russian-linked hackers targeting Signal and WhatsApp accounts. Those warnings stressed that the campaigns do not involve breaking the apps’ encryption. Instead, attackers rely on social engineering, fake support messages and linked-device abuse to take over accounts.

The targets appear to include high-value individuals such as journalists, politicians, military personnel, civil servants and researchers. German authorities have also warned of similar Signal phishing activity affecting politicians, military figures and journalists, with around 300 accounts reportedly compromised in Germany.

The case underlines a key weakness in secure messaging: even strong encryption cannot protect users who are tricked into handing over access. Signal’s security model remains widely respected, but attackers are increasingly targeting the people and processes around encrypted apps rather than the cryptography itself. Signal describes itself as a private messaging service with end-to-end encrypted messaging, calls and file sharing.

For Signal users, the most important warning is simple: no legitimate support message should ask for a verification code or instruct users to link a device unexpectedly. Users should also enable Registration Lock, which requires a PIN before a phone number can be registered again on another device. This can reduce the risk of account hijacking if attackers obtain a verification code.

The campaign is another reminder that phishing attacks are becoming more targeted, automated and convincing. Attackers are not only trying to steal passwords. They are exploiting trust, urgency and familiar app workflows to gain access to sensitive conversations.

As threats like this become more sophisticated, stronger digital security starts with better knowledge. Upskill your cybersecurity awareness and learn how to recognise modern phishing tactics with The Hack Academy’s online training courses: https://training.thehackacademy.com/course/

Photo Credit: DepositPhotos.com

Leave a Reply

Your email address will not be published. Required fields are marked *