Cybersecurity · June 30, 2026 · 9 min read · By XOOMAR Insights Team

Russian Signal Phishing Hijacks VIP Accounts in Support Scam

Updated on June 30, 2026

Russian Signal phishing is exposing the softest part of secure messaging: not the encryption, but the moment a trusted user is tricked into handing over the key to their own account.

XOOMAR Intelligence, Analyst Take: 71/100 (High). 4 sources analyzed, medium confidence. Trend 10 · Freshness 99 · Source Trust 85 · Factual Grounding 91 · Signal Cluster 20.

The FBI, CISA, and the Security Service of Ukraine say cyber actors associated with Russian Intelligence Services are posing as commercial messaging app support teams to target high-value users, including current and former U.S. government officials, military personnel, political figures, and journalists, according to TechRadar Pro. The campaign specifically targets Signal accounts, although the agencies say similar methods can apply to other commercial messaging applications.

“RIS actors have compromised individual CMA accounts, but not CMAs’ encryption or the applications themselves,” the FBI and CISA said in their joint public service announcement.

That sentence is the core of the story. The app isn’t reported as broken. The user workflow is being abused.

Moscow Is Attacking Signal Where Encryption Can’t Help: The User’s Own Recovery Key

The Russian Signal phishing campaign shows why secure messaging risk has moved beyond app security. The target is now the account holder’s trust, attention, and recovery behavior.

The FBI says the actors masquerade as automated support accounts and push victims to click links or provide verification codes, account PINs, or other recovery material. TechRadar’s report focuses on Backup Recovery Keys, which attackers ask users to submit under the false cover of account protection or backup setup.

For intelligence targets, that’s enough. If a known official, military contact, political figure, or journalist loses control of a Signal account, the attacker doesn’t just gain a mailbox. They gain a trusted identity inside private and group conversations.

XOOMAR analysis: This is not a campaign built around defeating secure messaging head-on. It’s built around entering through the side door. A compromised account can expose messages, contact lists, group memberships, and the victim’s credibility with other targets. That makes the account itself operational infrastructure.

This is also why Russian Signal phishing matters beyond Signal users in Ukraine. The agencies describe a global campaign that has resulted in unauthorized access to thousands of individual commercial messaging application accounts.

How the Signal Support Phishing Trap Turns Backup Recovery Keys Into Account Takeover Tools

The attack flow is simple, which is what makes it dangerous.

According to the FBI warning described by TechRadar, attackers send emails that appear to be automated messages from Signal. The lure asks users to turn on message backup using their Backup Recovery Key. The provided instructions are false. Instead of securing the account, the victim sends the key to the attacker.

The lures use urgency. One sample frames the message as protection against recent hacking attempts from “Iran and post-Soviet countries.” Another claims the victim’s account data “is at risk of permanent loss due to a sync issue.”

That is classic pressure engineering: fear of compromise, fear of data loss, and a trusted support wrapper.

A Backup Recovery Key should be treated as a master credential. It is not a routine support token. It is not something to paste into a chat because a message claims your account is at risk.

Once attackers obtain it, TechRadar reports they can access the victim’s message history, private and group messages, and fully take over the account. The FBI and CISA say compromised accounts can then be used to view messages and contact lists, send messages, and conduct more phishing against other commercial messaging accounts.

This is where the campaign compounds. A fake support message becomes a real message from a real compromised contact.

XOOMAR has tracked related social-engineering patterns in Fake OpenAI Invites Lure Security Staff into ChatGPT Trap and Fake Receipts Hijack Shop App in Callback Phishing Trap. The details differ, but the shared lesson is blunt: attackers don’t need a technical exploit when users are pushed into authenticating the attacker themselves.


The Numbers That Make Signal Account Hijacking Dangerous for Government and Military Targets

The FBI and CISA say the campaign has produced unauthorized access to thousands of individual commercial messaging application accounts. They do not give a precise count, name victims, or disclose how many were Signal accounts.

That limit matters. Overstating the scale would be sloppy. But the reported scale is already serious because these are not random consumer accounts in the usual spam sense. The agencies say the activity targets individuals of “high intelligence value.”

Compromise point      | What attackers may gain, based on FBI and CISA warnings
--------------------- | -------------------------------------------------------
One account           | Messages, contact lists, ability to send messages as the victim
One trusted identity  | Credibility with private contacts and group chats
One group presence    | Visibility into participants and conversations
One successful lure   | A path to additional phishing from a trusted account

The security math is ugly. A single stolen recovery credential affects one account directly, but that account may touch many high-trust relationships. The agencies specifically warn that attackers can conduct additional phishing after compromise.

XOOMAR analysis: For government and military users, the danger is not only the content of one chat. It is the contact graph. Who talks to whom, which groups exist, and which identities can be used to approach the next target all have intelligence value.

Security teams should measure this campaign in practical signals, not just malware detections:

  • Reported lures: Fake support messages, backup prompts, verification requests.
  • Device anomalies: Unexpected linked-device changes or account re-registrations.
  • Recovery events: New Backup Recovery Keys created after suspicious contact.
  • Impersonation reports: Messages sent from known accounts with unusual requests.
  • Group hygiene: Duplicate or suspicious accounts in sensitive group chats.
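As an added example, not code from the article or from the agencies' PSA, the following triage script scores an inbound message against the lure features the article describes: a sender outside an assumed official-support allowlist, a request to submit a Backup Recovery Key, verification code, PIN or linked-device action, and the urgency cues quoted above. The allowlist domain and the sample messages are constructed placeholders, not real senders.

```python
import re
from dataclasses import dataclass, field

# Assumed allowlist of sender domains an organization treats as the messenger's
# official support address. Placeholder value; the PSA names no domain.
OFFICIAL_SUPPORT_DOMAINS = {"support.messenger.example"}

# Credential-solicitation targets drawn from the lures the PSA describes, weighted.
SOLICITATION = {
    "backup recovery key": 5,
    "verification code": 4,
    "account pin": 4,
    "linked device": 3,
}
# Verbs that turn a mention of a credential into a request to hand it over.
REQUEST_VERBS = r"\b(enter|submit|provide|send|paste|reply with)\b"
# Urgency cues quoted from the sample lures in the article.
URGENCY = ["risk of permanent loss", "sync issue", "hacking attempts"]


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 5


def sender_domain(addr: str) -> str:
    """Extract the domain from 'Name <user@domain>' or 'user@domain'."""
    m = re.search(r"@([\w.-]+)>?\s*$", addr)
    return m.group(1).lower() if m else ""


def triage(sender: str, subject: str, body: str) -> Verdict:
    text = f"{subject}\n{body}".lower()
    v = Verdict(0)
    if sender_domain(sender) not in OFFICIAL_SUPPORT_DOMAINS:
        v.score += 3
        v.reasons.append("sender is not an official support domain")
    for phrase, weight in SOLICITATION.items():
        if phrase in text and re.search(REQUEST_VERBS, text):
            v.score += weight
            v.reasons.append(f"asks the user to hand over: {phrase}")
    for cue in URGENCY:
        if cue in text:
            v.score += 1
            v.reasons.append(f"urgency cue: {cue}")
    return v


# Constructed samples: one lure shaped like the article's description, one benign notice.
LURE = ("Signal Support <noreply@signal-backup-alerts.example>", "Enable message backup now",
        "Due to hacking attempts from Iran and post-Soviet countries, your account is at "
        "risk of permanent loss due to a sync issue. Enter your Backup Recovery Key at "
        "https://signal-backup-alerts.example/verify to protect your messages.")
BENIGN = ("Support <help@support.messenger.example>", "Ticket update",
          "We never ask for your Backup Recovery Key or verification code. "
          "Review your linked devices in Settings if anything looks unfamiliar.")
```

The score threshold and weights are arbitrary starting points; tune them against the organization's own reported lures.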

From Email Lures to Encrypted Messenger Takeovers: Russia’s Long Game Against Trusted Channels

The FBI and CISA describe phishing as “one of the most unsophisticated, yet effective means of cyber compromise.” That phrase should sting. It means end-to-end encryption can remain effective while the attacker still wins by getting inside the account.

“While encryption remains effective, phishing allows malicious actors to bypass the encryption entirely by gaining access to user accounts,” the agencies said.

The medium has changed. The goal has not. Steal access. Read communications. Map relationships. Send follow-on messages from an identity the recipient already trusts.

The agencies say actors may use lures that ask for links to be clicked, verification codes, account PINs, or actions that add an attacker’s device as a linked device. They also warn that as the campaign evolves, actors may use additional techniques, such as malware to infect the victim.

That evolution matters because encrypted messaging apps now sit inside the daily workflows of officials, journalists, political figures, and military personnel. The PSA does not say these platforms are insecure. It says their users are being targeted because account access can make encryption irrelevant at the moment of compromise.

Russian Signal phishing is therefore best understood as trusted-channel abuse. The attacker wants to become the person the target already answers.


Signal Users, Security Teams, and App Makers Face Different Problems in the Same Phishing Campaign

For individual users, the prescription is direct: never provide recovery keys, PINs, passwords, or 2FA codes for an action you did not initiate. The agencies also advise users to treat unknown messages with suspicion, verify odd requests through another channel, inspect links before clicking, and report suspected incidents.

For anyone who fears their Signal Backup Recovery Key has been compromised, TechRadar says users should create a new Backup Recovery Key in Signal settings. That invalidates previous Backup Recovery Keys and can prevent account takeover if the old key leaked.

For security teams, the problem is visibility. Many organizations may allow or rely on commercial messaging applications for sensitive communication, while having limited insight into private account takeover attempts. The FBI and CISA recommend reporting suspected phishing to an organization’s security team or IT department, and to IC3.

For app makers, the problem is harder: privacy-preserving products must reduce confusion around legitimate support without turning private communications into centrally monitored systems. The PSA says legitimate support services generally use official email addresses and do not request verification codes via direct message inside the app.

For national security teams, the stakes are broader. The agencies say compromised accounts can be used to send messages, access contact lists, and conduct additional phishing. That can support intelligence gathering and targeting around the original victim.

What the Russian Signal Phishing Warning Means for VIPs, Agencies, and Secure Messaging Policies

The immediate rule is simple: treat any request for a Backup Recovery Key as hostile unless you initiated the recovery through a legitimate channel you reached yourself.

Agencies, companies, campaigns, and media organizations with high-risk personnel should turn that rule into policy:

  • VIP briefings: Train officials, military personnel, political figures, and journalists on fake support lures.
  • Messenger playbooks: Define how account recovery, device changes, and suspected takeovers are verified.
  • Out-of-band checks: Confirm unusual Signal requests through another secure channel.
  • Group reviews: Periodically scan sensitive chats for duplicates or suspicious participants, as the PSA recommends.
  • Fast reporting: Route suspicious messages to security teams and IC3 quickly.

The next version of this campaign may be cleaner. The FBI and CISA already warn that actors may adapt their techniques. Better support impersonation, more convincing security alerts, and phishing from already compromised contacts would all fit the pattern described in the PSA.

The evidence that would confirm the thesis is more reporting of account takeovers without any break in app encryption, especially involving support impersonation, linked-device abuse, or recovery prompts. Evidence that would weaken it would be a disclosed technical flaw in the app itself. That is not what the agencies are saying now.

For now, the Russian Signal phishing warning points to a narrower but sharper lesson: secure messaging policies fail when they stop at “use Signal.” The harder rule is teaching high-value users when not to trust a message that appears to come from Signal at all.

Impact Analysis

  • The warning shows that secure apps can still be undermined when attackers manipulate account recovery workflows.
  • Government, military, political, and media targets face heightened risk if attackers take over trusted messaging accounts.
  • The campaign highlights the need to protect verification codes, PINs, and recovery keys as carefully as passwords.

What the Russian Signal phishing campaign targets

Targeted by attackers                                                                          | Not reported compromised
---------------------------------------------------------------------------------------------- | ------------------------------------------------
User trust, verification codes, account PINs, and Backup Recovery Keys                         | Signal encryption or the application itself
High-value accounts belonging to officials, military personnel, political figures, and journalists | The underlying secure messaging protocol
Written by

XOOMAR Insights Team
