FBI Warns Russian Hackers Compromised Thousands of Signal, WhatsApp Accounts
FBI and CISA alert reveals Russian intelligence operatives have hijacked thousands of Signal and WhatsApp accounts belonging to US officials, military, and journalists through phishing attacks.
Russian intelligence operatives have successfully compromised thousands of Signal and WhatsApp accounts belonging to high-value targets worldwide, the FBI and CISA warned in a joint alert issued March 20, 2026. The campaign specifically targets current and former U.S. government officials, military personnel, political figures, and journalists.
Who Is Behind the Attacks
The phishing operation has been attributed to threat clusters previously tracked as Star Blizzard, UNC5792 (UAC-0195), and UNC4221 (UAC-0185)—all with documented ties to Russian Intelligence Services. These groups have previously targeted European officials in similar credential-harvesting campaigns.
"Globally, this effort has resulted in unauthorized access to thousands of individual accounts," FBI Director Kash Patel stated in the advisory. The scale suggests a coordinated intelligence-gathering operation rather than opportunistic attacks.
How the Attacks Work
Unlike malware-based intrusions, these attacks rely entirely on social engineering. The operatives employ two primary techniques:
Signal Account Hijacking
Attackers pose as "Signal Support" and message targets directly, warning of suspicious account activity or potential data leaks. Victims are then asked to either:
- Share their security PIN or verification code, granting attackers account recovery access
- Click malicious links or scan QR codes that link an attacker-controlled device to the target's account
The second method is particularly dangerous because it grants access to the victim's entire message history, not just future communications.
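A defensive check for the device-linking lure described above, as an added example that is not part of the original article or of any FBI/CISA tooling: it triages inbound messages by looking for a device-link request among the links or decoded QR payloads they carry. It assumes Signal's clients encode a link request as an `sgnl://linkdevice` URI, which the article does not state; the function names, message fields and sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: Signal's clients encode a device-link request as
# sgnl://linkdevice?uuid=...&pub_key=... (not stated in the article).
LINK_TARGETS = {("sgnl", "linkdevice")}
# Pretexts named in the article: account-activity warnings, code/PIN requests.
LURE_RE = re.compile(r"\b(verification code|pin|suspicious activity|data leak)\b", re.I)

def find_link_requests(payload, depth=0):
    """Return device-link URIs in a URL or decoded QR payload, including
    ones percent-encoded inside another URL's query string."""
    payload = payload.strip()
    try:
        parts = urlsplit(payload)
        key = (parts.scheme, parts.hostname or "")  # both lower-cased by urllib
    except ValueError:              # malformed input is not a link request
        return []
    hits = [payload] if key in LINK_TARGETS else []
    if depth < 3:                   # bound the unwrapping of nested URLs
        for _, value in parse_qsl(parts.query):
            if "://" in value:
                hits += find_link_requests(value, depth + 1)
    return hits

def triage(message):
    """Classify one inbound message: keys 'sender', 'text', 'payloads'."""
    reasons = []
    linked = any(find_link_requests(p) for p in message.get("payloads", []))
    if linked:
        reasons.append("device-link request delivered inside a message")
    if LURE_RE.search(message.get("text", "")):
        reasons.append("asks for a code/PIN or claims an account problem")
    if "support" in message.get("sender", "").lower():
        reasons.append("sender presents itself as support")
    verdict = "block" if linked else "review" if reasons else "allow"
    return verdict, reasons

# Constructed sample messages (identifiers are placeholders, not real keys).
SAMPLES = [
    {"sender": "Signal Support", "text": "Suspicious activity detected. Scan to verify.",
     "payloads": ["sgnl://linkdevice?uuid=PLACEHOLDER&pub_key=PLACEHOLDER"]},
    {"sender": "Signal Support", "text": "Confirm your account here.",
     "payloads": ["https://example.invalid/go?next=sgnl%3A%2F%2Flinkdevice%3Fuuid%3DX%26pub_key%3DY"]},
    {"sender": "Security Team", "text": "Reply with your verification code.", "payloads": []},
    {"sender": "Alice", "text": "Lunch at noon?", "payloads": ["https://example.invalid/menu"]},
]
if __name__ == "__main__":
    for m in SAMPLES:
        print(triage(m)[0], "-", m["sender"])
```

A "block" verdict reflects the article's point that linking is something the account owner starts from Settings > Linked Devices, so a link request that arrives in a message has no legitimate reason to be there.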
WhatsApp Device Linking Abuse
For WhatsApp targets, the attackers exploit the legitimate "Linked Devices" feature. By convincing victims to scan a malicious QR code—often presented as a security verification step—attackers can link their own device to the target's account and view all messages in real-time.
This approach echoes the social engineering techniques that have become increasingly sophisticated across messaging platforms.
What Attackers Can Do After Compromise
Once inside an account, the threat actors gain significant capabilities:
- View all messages and contact lists
- Send messages impersonating the victim
- Launch secondary phishing attacks from a trusted identity
- Monitor ongoing communications indefinitely
The FBI emphasized that compromised accounts often remain accessible to attackers until victims specifically audit and remove unauthorized linked devices—something most users never think to check.
Why Encrypted Messaging Apps Are Targeted
The targeting of Signal and WhatsApp represents a tactical shift. Rather than attempting to break end-to-end encryption—which remains mathematically sound—Russian operatives have opted to hijack the accounts themselves. This bypasses cryptographic protections entirely.
The German government issued similar warnings about Signal phishing campaigns targeting politicians and military officials earlier this year, suggesting these operations have been running for months.
Recommended Protections
The FBI and CISA urge all users—especially those in sensitive positions—to implement the following protections:
- Never share verification codes or PINs with anyone, regardless of how legitimate they appear
- Regularly audit linked devices in Signal (Settings > Linked Devices) and WhatsApp (Settings > Linked Devices)
- Enable registration lock in Signal to prevent unauthorized account recovery
- Verify unexpected contacts through separate communication channels before responding
- Be skeptical of urgency in messages claiming account compromise or security issues
Support teams from legitimate services will never initiate contact requesting verification codes or credentials.
Why This Matters
The campaign demonstrates that even security-focused messaging platforms are vulnerable when users can be manipulated. For individuals handling sensitive government or military communications, a compromised messaging account could expose classified discussions, operational planning, or intelligence sources.
The FBI's public disclosure signals that the operation has likely reached a scale where quiet remediation is no longer feasible—and that Russian intelligence services consider messaging app compromise a priority collection target. Organizations with employees in sensitive roles should consider mandatory security training focused on phishing recognition and messaging app security hygiene.