U.S. cybersecurity authorities have issued a new warning about Russian intelligence-linked threat actors targeting secure messaging platforms, specifically highlighting the increased risk for Signal users.
These threat actors are employing sophisticated phishing campaigns designed to steal verification codes and account PINs.
In a joint Public Service Announcement (PSA) published on June 26, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) revealed that Russian Intelligence Services (RIS) are actively exploiting the trust placed in commercial messaging applications to gain unauthorized access to sensitive communications.
FBI and CISA Warn Russian Hackers
The advisory indicates a continuation and evolution of activities first documented in March 2026, with attackers refining their social engineering techniques to bypass built-in security protections.
According to the PSA, these threat actors are impersonating trusted contacts, service providers, or security teams to trick users into disclosing one-time verification codes or account registration PINs for their Signal accounts.
Once these credentials are obtained, attackers can hijack accounts, intercept messages, and potentially impersonate victims to compromise them further.
Researchers note that while Signal’s end-to-end encryption remains intact, these attacks exploit human behavior rather than cryptographic weaknesses.
By convincing users to share authentication codes, often under the guise of account recovery, urgent security alerts, or device re-registration, attackers can effectively register the victim’s account on a separate device.
In some instances, adversaries use real-time phishing techniques, prompting targets to immediately relay verification codes they receive via SMS or in-app notifications.
The campaign is believed to target individuals associated with government entities, military personnel, journalists, activists, and others involved in matters of interest to Russian intelligence operations.
However, CISA and the FBI caution that the tactics employed are broadly applicable and could affect any user relying on secure messaging platforms for sensitive communications.
The PSA also outlines additional tactics observed in recent campaigns, including the use of malicious links disguised as legitimate Signal group invites, credential-harvesting pages that mimic authentication portals, and spoofed domains resembling official services.
These techniques are often combined with a sense of urgency and social pressure to increase their success rates, particularly in mobile-centric environments where users are more likely to act quickly.
To mitigate risks, CISA and the FBI recommend several security best practices. These include enabling Signal’s registration lock feature, which requires a PIN to re-register an account, and never sharing verification codes or PINs with anyone under any circumstances.
Users are also advised to verify requests through secondary communication channels, scrutinize unexpected messages, even from known contacts, and keep their devices and applications updated to reduce exposure to additional vulnerabilities.
This latest advisory highlights a broader trend of nation-state actors targeting communication platforms, not by breaking encryption, but by exploiting user behavior and trust.
As secure messaging applications continue to play a critical role in both personal and professional communications, organizations and individuals are urged to remain vigilant against evolving phishing tactics that aim to undermine account integrity and confidentiality.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
