Russian intelligence-linked hackers have been quietly targeting users of secure messaging apps like Signal, compromising thousands of accounts worldwide through phishing rather than by breaking encryption, officials warn. The FBI and CISA say the campaign reads private messages, harvests contacts, and lets attackers impersonate victims to spread more attacks, with U.S. officials and other high-value targets in the crosshairs. This piece lays out how the scheme works, who’s at risk, and why a tougher, commonsense response is needed.
The agencies described a broad operation that has already hit a large number of commercial messaging app users. “This global campaign has resulted in unauthorized access to thousands of individual CMA accounts,” the agencies said in a joint public service announcement. That phrasing underlines both the scale and the clear concern from U.S. cyber teams about sustained, focused targeting.
Once a bad actor gets in, the damage is practical and immediate: messages and contacts are exposed, and attackers can send conversations that look like they came from the real user. “After compromising an account, malicious actors can view the victims’ messages and contact lists, send messages, and conduct additional phishing against other CMA accounts.” That capability turns a single compromise into a force multiplier for deception.
Officials point to actors tied to Russian intelligence as the force behind this campaign, and FBI leadership has highlighted the risk to people of special interest. FBI Director Kash Patel warned the campaign is targeting individuals of “high intelligence value,” including U.S. officials, military personnel and journalists, and has already resulted in widespread account compromises. Saying it plainly: this is not low-level crime, it’s strategic exploitation of trust networks.
Importantly, the agencies stressed the attack method is social engineering, not a failure of underlying cryptography. “RIS actors have compromised individual CMA accounts, but not CMAs’ encryption or the applications themselves,” the FBI and CISA said. That distinction matters because it means the weakest link is human behavior, not the math behind encryption.
Phishing is the blunt tool being used, often dressed up as urgent support messages or fake security alerts that push people to click or hand over verification codes. “Phishing remains one of the most unsophisticated, yet effective means of cyber compromise, often rendering other protections irrelevant, including end-to-end encryption,” the agencies said. Criminals exploit panic, and the consequences cascade once an account is linked to an attacker’s device.
When victims fall for the bait, attackers can fully seize or piggyback on an account and use the trusted identity to widen the attack. “After gaining access, the actors can view messages and contact lists, send messages as the victim and conduct additional phishing from a trusted identity,” Patel said. That trusted-identity tactic is why people get duped by messages coming from someone they already know.
The advisory urges anyone who suspects they were targeted to report it to the FBI’s Internet Crime Complaint Center and to take immediate defensive steps like revoking sessions, changing passwords, and using hardware-backed authentication where possible. From a policy angle, this is a moment to press for tougher consequences against state-linked cyber aggression and stronger public-private cooperation to harden the user experience against social-engineering tricks.
The alert stopped short of naming specific Russian units or operatives. The link to “cyber actors” associated with Russian Intelligence was not made more specific in the agencies’ joint PSA. Signal did not immediately respond to requests for comment, and the FBI declined additional public detail, so the public-facing fix remains simple: be skeptical of urgent messages, verify through another channel, and assume bad actors will impersonate trusted contacts.
