FBI and CISA Issue Joint Warning Over Russian Espionage Targeting Messaging Apps
The Federal Bureau of Investigation (FBI) and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint Public Service Announcement warning about an active espionage campaign being carried out by Russian Intelligence Services (RIS)-affiliated threat actors. The campaign specifically targets commercial messaging applications (CMAs), with Signal named explicitly — though the agencies stress that other CMAs are almost certainly in the crosshairs too.
The victims aren't random. Current and former US government officials, military personnel, political figures, and journalists are the primary targets. These are people whose private conversations carry real weight, which makes them exactly the kind of high-value targets Russian cyber actors go after.
How the Attack Works: Phishing and Social Engineering, Not Exploits
Here's what makes this campaign particularly unsettling — it doesn't rely on breaking the apps themselves. There's no zero-day exploit, no vulnerability being abused in Signal's code. Instead, it's built entirely on phishing and social engineering. The attackers manipulate people into handing over access willingly.
According to the joint PSA, "RIS cyber actors send phishing messages masquerading as automated CMA support accounts." The messages are carefully crafted to trick targets into taking a specific action — clicking a link, handing over a verification code, or sharing an account PIN.
If the target does any of that, the actors either add their own device as a linked device to the victim's account or pull off a full account takeover. Either way, the damage is serious.
What Attackers Can Do Once Inside
Once the actors have access, the threat doesn't stop at reading messages. FBI Director Kash Patel spelled it out on X, warning that after gaining access, "the actors can view messages and contact lists, send messages as the victim, and conduct additional phishing from a trusted identity."
That last part is especially dangerous. When an attacker sends phishing messages as you, using your identity and your contact list, the people on the receiving end have no reason to be suspicious. It creates a chain reaction that's very hard to stop.
Patel also confirmed the scale of the operation, stating the effort "resulted in unauthorized access to thousands of individual accounts."
Dutch Intelligence Had Already Flagged This Campaign
Roughly two weeks before the FBI and CISA announcement, Dutch authorities were already raising the alarm. The General Intelligence and Security Service (AIVD) — the Netherlands' primary civilian intelligence and security agency — published a similar warning noting that Russian spies were targeting not just Signal, but WhatsApp as well.
The AIVD described the campaign as "large-scale" and "global." Their list of targets mirrors what the FBI later confirmed: dignitaries, military personnel, civil servants, and Dutch government employees.
Russia Likely Already Has What It Came For
The Dutch warning carried a particularly grim assessment. AIVD stated that "the Russian hackers likely gained access to sensitive information through this campaign" — though it stopped short of specifying whether that access came from Dutch targets or others caught in the wider net.
This is no longer a hypothetical threat. It's an operation that, by multiple intelligence agencies' own accounts, has already delivered results for Russian actors.
Q&As
Q: What messaging apps are being targeted in this Russian espionage campaign?
A: Signal is specifically named by the FBI and CISA, but the agencies stress that other commercial messaging applications (CMAs) are most likely targeted as well. Dutch intelligence also flagged WhatsApp as a target in a related warning.
Q: How do the attackers gain access to victims' accounts?
A: The attackers use phishing and social engineering — not software exploits. They send messages disguised as automated CMA support accounts, tricking targets into clicking links, sharing verification codes, or providing account PINs. This leads to either the attacker's device being added as a linked device or a full account takeover.
Q: Who are the main targets of this campaign?
A: The primary targets include current and former US government officials, military personnel, political figures, and journalists. Dutch intelligence reported similar targets in Europe, including dignitaries, civil servants, and Dutch government employees.

