| CyberScoop cyberscoop.com
By
Tim Starks

March 20, 2026

It echoes earlier alerts from the Netherlands and Germany, and is the latest to warn about targeting of Signal users and others.

Russian intelligence-affiliated hackers have gained access to thousands of users’ messaging apps with a global phishing campaign, the FBI and the Cybersecurity and Infrastructure Security Agency warned in a public service announcement on Friday.

The high-value targets they’re pursuing include current and former U.S. government officials, political figures, military personnel and journalists, the two agencies said in the joint PSA about the hackers’ attempts to infiltrate commercial messaging applications (CMAs).

The U.S. alert comes on the heels of an earlier warning from Dutch authorities, who said last week that Russian hackers were “engaged in a large-scale global attempt” to take over WhatsApp and Signal accounts. The Dutch warning likewise followed a similar warning from Germany in February.

The U.S. agencies emphasized that the hackers had not been able to bypass end-to-end encryption, instead manipulating users into giving up access. The scheme involves hackers posing as Signal help personnel, then inviting them to click a link or provide verification codes or account personal identification number.

“After compromising an account, malicious actors can view the victims’ messages and contact lists, send messages, and conduct additional phishing against other CMA accounts,” the PSA explains. “(Note: reporting shows that the threat actors specifically target Signal accounts but can apply similar methods against other CMAs).”

However, “CMA users who strengthen their personal cybersecurity and defend against social engineering attempts can reduce the risk of account compromise and limit the effectiveness of the threat actors’ current tactics, techniques, and procedures,” the agencies said.

The Russian campaign is just the latest to seek to bypass the protections commercial messaging apps offer. CISA in November warned about spyware targeting of messaging apps.

There sometimes has been a Russian intelligence nexus to the recent targeting. Google Threat Intelligence Group shined a spotlight last year on Russian attempts to target Signal users in Ukraine.

‘We anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war,” the company said.

cisa.gov Alert
Release DateNovember 24, 2025

CISA is aware of multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications (apps).1 These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device.

These cyber actors use tactics such as:

• Phishing and malicious device-linking QR codes to compromise victim accounts and link them to actor-controlled devices.
• Zero-click exploits,2 which require no direct action from the device user.
• Impersonation3 of messaging app platforms, such as Signal and WhatsApp.
  While current targeting remains opportunistic, evidence suggests these cyber actors focus on high-value individuals, such as current and former high-ranking government, military, and political officials,4 as well as civil society organizations (CSOs) and individuals across the United States,5 Middle East,6 and Europe.7

CISA strongly encourages messaging app users to review the updated Mobile Communications Best Practice Guidance and Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society for steps to protect mobile communications and messaging apps, as well as mitigations against spyware.

• A fraudster develops or uses an automated bot or low-skilled workforce to trigger actions such as fake account creation, OTP requests, or password resets. These bots or human bots mimic real user activity, often bypassing security measures through direct API calls.
• These actions trigger SMS messages, which are sent to phone numbers controlled by the fraudster, creating inflated traffic.
• The fraudster collaborates with a “rogue party,” often a corrupt telecom provider or intermediary with access to SMS routing infrastructure.
• The rogue party intercepts the inflated SMS traffic, typically avoiding message delivery to reduce costs. Instead, they route the traffic to numbers they control.
• The rogue party earns revenue by collecting funds from the inflated SMS traffic, benefiting from volume-based pricing or other arrangements.

LY Corp., which operates popular messaging app Line and internet portal Yahoo! Japan, said Monday that an estimated 440,000 records of personal information may have been compromised by a third-party breach of its system.