FBI, CISA warn Russian hackers are targeting Signal and other messaging apps to hijack high-value accounts
The FBI and CISA have warned that Russian intelligence-linked hackers are targeting high-value individuals through phishing attacks aimed at commercial messaging apps, especially Signal accounts. The agencies say the campaign has already led to unauthorized access to thousands of accounts worldwide.
According to the joint public service announcement, the attackers are not breaking Signal’s encryption or compromising the apps themselves. Instead, they are tricking people into handing over account access through fake support messages, malicious links, QR codes, and requests for PINs or verification codes.
The advisory says the targets include current and former U.S. government officials, military personnel, political figures, and journalists. That makes this less like random spam and more like a focused espionage campaign aimed at people with intelligence value.
What the FBI and CISA are warning about
The March 20, 2026 advisory says Russian Intelligence Services-linked actors are running ongoing phishing campaigns against commercial messaging application accounts. The agencies add that reporting shows the threat actors specifically target Signal accounts, though the same methods can work against other messaging apps too.
Once an account is compromised, the attackers can read messages, access contact lists, send messages as the victim, and launch more phishing attacks against other users. The agencies say that is exactly how the campaign has spread across so many accounts globally.
How the Signal phishing attacks work
The FBI and CISA say the attackers often pose as automated support or security accounts inside the app. The messages try to create urgency by claiming there has been suspicious activity, a data leak, or an unauthorized login attempt.
From there, the victim is pushed to take an action that gives the attacker access. In some cases, the user shares a PIN or verification code. In others, the user scans a malicious QR code or clicks a link that silently links the attacker’s device to the victim’s messaging account.
The agencies describe two main attack paths: linked-device abuse and full account takeover. In both cases, the encryption stays intact, but the attacker gets into the account itself, which lets them bypass that protection entirely.
Main tactics named in the advisory
| Tactic | What the attacker wants |
|---|---|
| Fake support messages | To pressure the victim into trusting the message |
| Requests for PINs or verification codes | To take over the account |
| Malicious QR codes or links | To link the attacker’s device to the victim’s account |
| Follow-on phishing from hijacked accounts | To compromise more trusted contacts |
Source: FBI and CISA joint PSA.
Why Signal is part of the story
The FBI and CISA advisory covers commercial messaging apps broadly, but it explicitly notes that reporting shows Signal accounts are a specific target in this campaign. Reuters separately reported that Signal users were a major focus of the operation and that the company said its systems were not breached.
That distinction matters. The warning is not that Signal’s encryption failed. The warning is that phishing can defeat strong security if the attacker convinces the user to link a device or surrender authentication details.
Who is most at risk
The agencies say the campaign targets people with high intelligence value. That includes:
- Current and former U.S. government officials
- Military personnel
- Political figures
- Journalists
These groups appear in the joint advisory itself. Reuters reported the same targeting profile when covering the warning.
What users should do right now
The FBI and CISA say users should stop interacting with suspicious messages immediately and never share PINs, passwords, or two-factor authentication codes for any action they did not start themselves. They also warn people to be cautious even when a message seems to come from a friend if the request looks unusual.
The agencies also tell users to inspect links and attachments before opening them, verify group members regularly for duplicates or fake accounts, and use available app security settings such as disappearing messages where appropriate and lawful.
Recommended mitigations from the advisory
- Stop and do not respond if a message feels suspicious
- Never share PINs, passwords, or 2FA codes you did not initiate
- Treat unexpected messages with caution, even from known contacts
- Inspect links and files before clicking
- Review group chats for duplicate or fake accounts
- Use app security features, including message expiration where allowed
These steps come directly from the FBI and CISA guidance.
Why this warning matters
This alert shows how attackers are adapting to stronger messaging security. Instead of attacking encryption directly, they are going after the human layer with phishing that looks routine, urgent, and official.
That approach works because a compromised account gives the attacker most of what they want anyway. They can read conversations, map relationships, impersonate trusted people, and move deeper into sensitive networks one message at a time. That conclusion follows directly from the access the advisory says attackers gain after takeover.
FAQ
No. The FBI and CISA say the attackers are compromising user accounts, not Signal’s encryption or the messaging apps themselves.
No. The advisory covers commercial messaging applications broadly, but it specifically says reporting shows Signal accounts are being targeted.
The agencies name current and former U.S. government officials, military personnel, political figures, and journalists.
They use phishing messages, fake support accounts, malicious links, QR codes, and requests for verification codes or PINs.
The attackers can read messages, access contact lists, send messages from the victim’s account, and use that access to target more people.