Your encrypted chats are safe—until you hand the keys to a fake support bot.
CISA and the FBI say Russian-affiliated actors are running large-scale phishing campaigns to hijack WhatsApp and Signal accounts belonging to high-value targets.
The technique is embarrassingly simple: pose as “Signal Support,” ask for the SMS verification code or trick the victim into scanning a QR code, and the account is theirs.
FBI Director Kash Patel said:
"The campaign targets individuals of high intelligence value, including current and former U.S. government officials, military personnel, political figures, and journalists."
Thousands of commercial messaging application (CMA) accounts have been compromised globally. The apps’ end-to-end encryption is untouched; the weak link is human gullibility.
Two takeover paths exist. If you hand over your PIN, the attacker registers the account on a new device: they get no old messages, only new ones. If you scan the attacker’s QR code, they silently link their own device, gaining full history while you stay logged in, blissfully unaware.
Microsoft and Google previously tied similar activity to clusters Star Blizzard, UNC5792/UAC-0195 and UNC4221/UAC-0185. France’s ANSSI, Germany and the Netherlands have issued parallel alerts.
Signal’s public guidance is blunt: “Signal Support will never initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN.”
No platform patches are required. The fix is the same advice CISA, the FBI and Signal already give: never share codes, review linked devices monthly, ignore unsolicited offers of help.
Source: The Hacker News