Espionage & Social Engineering
March 20, 2026 · 3 min read
Russian Intelligence-Linked Hackers Run Phishing Campaigns Against WhatsApp and Signal Users
Groups like Star Blizzard, UNC5792 and UNC4221, linked to Russian intelligence, are conducting sophisticated phishing campaigns against WhatsApp and Signal users — without breaking encryption. The target is human behavior.
By Titan Layer Editorial Team
Published on March 20, 2026
Security researchers have identified active phishing campaigns conducted by hacker groups with proven ties to Russian intelligence, specifically targeting users of encrypted messaging apps like WhatsApp and Signal.
The most important conclusion is straightforward: the encryption on these platforms remains intact. Nobody is breaking the Signal protocol or WhatsApp's cipher system. The attack targets people — not technology.
## The groups behind the operations
### Star Blizzard (SEABORGIUM / TA446)
Linked to Russia's FSB (Federal Security Service), Star Blizzard specializes in long-term spear-phishing campaigns against journalists, NGOs, academic researchers, former government officials and political figures in the UK, US, Baltic states and Ukraine. The group is known for patience: building relationships over weeks before launching the attack.
### UNC5792 and UNC4221
These groups are tracked by Mandiant and show infrastructure and technique overlaps associated with Russian intelligence operations. They focus on high-value targets: diplomats, investigative journalists, activists and officials of international organizations.
## How the attacks work
### 1. Account hijacking via verification code
The attacker poses as WhatsApp or Signal support and warns of "suspicious activity" on the account. The victim is instructed to share the SMS verification code the app just sent. This is exactly the code the attacker requested in order to migrate the account to a device under their control.
### 2. Malicious QR codes for device linking
Both WhatsApp and Signal allow linking secondary devices via QR code. Attackers create fake "support" or "security verification" pages displaying a QR code — actually the linking code generated by the attacker's device. The victim scans it and unknowingly grants full real-time access to their messages.
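One way a mail or web gateway that already decodes QR images could flag the linking lure described above. This is an added example, not part of the original article: the Signal linking URI formats (`sgnl://linkdevice?...` and the legacy `tsdevice:/?...`), the function names and the source labels are assumptions, and WhatsApp's linking payload is not covered.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption (not from the article): a Signal device-linking QR decodes to
# sgnl://linkdevice?uuid=...&pub_key=...  (older clients: tsdevice:/?uuid=...&pub_key=...)
REQUIRED_PARAMS = {"uuid", "pub_key"}

# A linking QR is expected only on the user's own desktop client. Seen in a
# mail body, on a web page or in a chat attachment, it should be flagged.
UNTRUSTED_SOURCES = {"email", "web", "chat"}  # hypothetical source labels


def is_device_link(payload: str) -> bool:
    """True if a decoded QR payload is a well-formed Signal linking request."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return False
    scheme = parts.scheme.lower()
    if scheme == "sgnl":
        if parts.netloc.lower() != "linkdevice":
            return False
    elif scheme != "tsdevice":
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return REQUIRED_PARAMS.issubset(params)


def triage(observations):
    """Return observations carrying a linking QR from an untrusted source."""
    return [o for o in observations
            if o["source"] in UNTRUSTED_SOURCES and is_device_link(o["payload"])]


# Constructed sample data, shaped like the output of a QR decoder at a gateway.
SAMPLES = [
    {"source": "web", "payload": "sgnl://linkdevice?uuid=CONSTRUCTED-UUID&pub_key=CONSTRUCTED-KEY"},
    {"source": "email", "payload": " SGNL://LinkDevice?uuid=x&pub_key=y\n"},
    {"source": "email", "payload": "tsdevice:/?uuid=x&pub_key=y"},
    {"source": "web", "payload": "https://example.invalid/conference-agenda"},
    {"source": "web", "payload": "sgnl://linkdevice?uuid=x"},  # missing pub_key
    {"source": "desktop-client", "payload": "sgnl://linkdevice?uuid=x&pub_key=y"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLES):
        print("FLAG", hit["source"], hit["payload"].strip())
```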
### 3. Impersonation of known contacts
Using compromised accounts of people in the victim's network, attackers send messages appearing to come from friends, colleagues or family members, requesting an "urgent favor" involving sharing a code or clicking a link.
## What the attacker gains
With account access, the attacker gains real-time message monitoring, the full contact list, the ability to launch secondary attacks using the victim's identity and, for high-value targets, access lasting weeks or months before detection.
## How to protect yourself
**Never share verification codes** — not with anyone claiming to be WhatsApp, Signal or any other platform support. No legitimate support will ever ask for this.
**Check linked devices regularly**
- WhatsApp: Settings → Linked Devices
- Signal: Settings → Linked Devices
Remove any device you don't recognize immediately.
**Enable registration lock/PIN**
- Signal: Settings → Account → Signal PIN
- WhatsApp: Settings → Account → Two-step verification
**The fundamental lesson**: Signal and WhatsApp encryption is solid. But encryption protects data in transit — it doesn't protect against a user who voluntarily grants access. The weakest link is human behavior under pressure, urgency or misplaced trust.
Article information
Editorial author: Titan Layer Editorial Team
Titan Layer publication date: March 20, 2026
Content type: Curated summary and editorial analysis