Background and context
U.S. authorities are reportedly warning that threat actors affiliated with Russian intelligence services are targeting commercial messaging applications, including Signal and WhatsApp, in phishing campaigns aimed at high-value individuals. The reporting lead comes from The Hacker News, which says the FBI and CISA issued a warning on Friday about efforts to seize control of accounts used by people with intelligence value. At the time of writing, the exact 2026 advisory referenced in that report could not be independently verified, so some campaign-specific claims should be treated as unverified pending publication of the underlying government bulletin [1].
Even with that caveat, the alleged activity fits a well-documented pattern. Russian state-linked groups have repeatedly targeted diplomats, journalists, military personnel, contractors, activists, and government officials through phishing and social engineering rather than by trying to break the cryptography used by secure messaging apps [2][3][4]. That distinction matters. Signal and WhatsApp both use end-to-end encryption for message content, but encryption does not stop an attacker who can hijack an account, link a rogue device, compromise the user’s phone, or trick the victim into handing over a verification code.
This is why messaging platforms have become attractive intelligence targets. They contain not just chats, but contact graphs, group memberships, timing data, and often highly sensitive conversations. For a foreign intelligence service, access to one trusted account can open a path to many more people through impersonation and social engineering.
How these attacks likely work
No specific CVE has been named in the reporting lead, and that is notable. Many successful account-takeover campaigns against messaging apps do not depend on a software flaw at all. Instead, they abuse normal account workflows and human trust.
One common technique is phishing pages that imitate account verification or device-linking screens. On WhatsApp, attackers have historically abused interest in WhatsApp Web or linked-device features by tricking a victim into scanning a malicious QR code or authorizing a session they believe is legitimate [5]. On Signal, similar social engineering can revolve around registration prompts, PIN-related lures, fake support messages, or account alerts. In both cases, the attacker’s goal is to gain a foothold that lets them receive messages, impersonate the victim, or maintain ongoing access.
Another likely tactic is smishing or spearphishing. Victims may receive an SMS, email, or message from a compromised contact claiming there is a security problem, a policy update, a missed message, or a new device login. These lures work because they create urgency and exploit familiar app behavior. A user who is busy, stressed, or expecting sensitive communications may be more likely to act quickly.
Attackers may also target the recovery chain around the app rather than the app itself. If account access depends on a phone number, SMS verification, cloud backup, or a linked email account, those become weak points. SIM-swap fraud, mailbox compromise, and stolen one-time codes can all support messaging account takeover [6][7].
In more advanced intrusions, phishing can be only the first stage. Once a target clicks, the operation may escalate to mobile malware, a malicious configuration profile, or a remote-access tool designed to capture content on the device before it is encrypted or after it is decrypted. Security researchers and government agencies have repeatedly warned that state-backed operators often prefer endpoint compromise because it bypasses the protections of strong messaging encryption without needing to defeat the protocol itself [2][4].
Why Signal and WhatsApp are strategic targets
Signal and WhatsApp are valuable for different but overlapping reasons. Signal is widely used by journalists, activists, policy staff, and privacy-conscious officials because of its security model and minimal metadata design [8]. WhatsApp, meanwhile, has enormous global reach, making it useful for both broad and targeted operations. In many countries it is the default communications platform for professional and personal contacts alike [9].
For intelligence services, compromising these apps can reveal more than message text. An account may expose who talks to whom, when, from where, and in what groups. If the victim is a diplomat, defense employee, or journalist, that information can be operationally significant even when only partial access is achieved.
There is also a multiplier effect. Once one trusted account is compromised, attackers can send believable messages to colleagues, friends, and group chats. That can turn a single successful phishing event into a wider campaign.
Impact assessment
The people most likely to be affected are those with what the reported advisory calls “high intelligence value.” That likely includes government officials, military personnel, diplomats, national security staff, defense contractors, foreign policy researchers, journalists, NGO workers, and dissidents. Their family members and close contacts may also face secondary risk if attackers use a compromised account to expand access.
For ordinary users, the immediate risk is lower than for those in sensitive roles, but not negligible. Techniques used first against high-value targets often spread into criminal phishing ecosystems. A fake device-linking request or bogus account alert can be repurposed for mass fraud with little modification.
The severity is high because successful account takeover can produce several forms of harm at once: exposure of live conversations, surveillance of future messages, impersonation of the victim, compromise of contact networks, and reputational damage. In the case of national security or investigative journalism, the consequences can include exposure of sources, disruption of operations, and physical risk to people named in chats.
There is also a broader policy impact. These campaigns reinforce a point that security agencies and researchers have made for years: secure messaging apps remain valuable, but they are not a complete defense. The security of the account and the phone around the app matters as much as the protocol inside it [2][6][8].
What users and organizations should watch for
Although no official indicators of compromise were provided in the reporting lead, several warning signs are consistent with this type of operation. Unexpected prompts to link a new device, unsolicited QR codes, messages claiming your account needs urgent verification, and alerts about suspicious logins should all be treated with caution. So should messages from known contacts that feel out of character, especially if they ask you to click a link, scan a code, or share a one-time passcode.
On WhatsApp, users should periodically review linked devices and remove any they do not recognize [9]. On Signal, users should pay close attention to registration changes, linked-device activity, and any PIN or account-reset prompts they did not initiate [8]. In both apps, unusual login behavior should be treated as a possible compromise until proven otherwise.
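For a security team that receives user-reported messages, the warning signs above can be turned into a first-pass triage rule set. The following is an added example, not code from the reporting or from any agency; the patterns, the severity labels, and the sample messages are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# One rule per warning sign named in the text. The regular expressions are
# illustrative assumptions, not official indicators of compromise.
RULES = {
    "code_request": re.compile(
        r"\b(send|sending|share|forward|give|tell)\b.{0,40}\b(code|passcode|otp|pin)\b",
        re.I | re.S),
    "device_link_prompt": re.compile(
        r"\b(link|pair|add)\b.{0,30}\b(device|session)\b", re.I | re.S),
    "qr_lure": re.compile(r"\bscan\b.{0,30}\bqr\b|\bqr code\b", re.I | re.S),
    "urgent_verification": re.compile(
        r"\b(verify|verification|suspended|suspicious login|locked)\b.{0,60}"
        r"\b(now|immediately|urgent|within \d+ (hours?|minutes?))\b", re.I | re.S),
    "embedded_link": re.compile(r"https?://\S+", re.I),
}

# Signs that ask the user to hand over control of the account outright.
HIGH_RISK = {"code_request", "device_link_prompt", "qr_lure"}

@dataclass
class Verdict:
    signs: list
    severity: str  # "none", "review" or "high"

def triage(text: str) -> Verdict:
    """Classify one reported message by the warning signs it contains."""
    signs = sorted(name for name, rx in RULES.items() if rx.search(text))
    if not signs:
        return Verdict(signs, "none")
    # Sender identity is deliberately not an input: a compromised contact
    # sends the same lure with a trusted name attached.
    severity = "high" if HIGH_RISK & set(signs) else "review"
    return Verdict(signs, severity)

# Constructed sample messages (not taken from any real campaign).
SAMPLES = [
    "Signal Support: suspicious login detected. Verify your account "
    "immediately by sending us the code you just received.",
    "Join our team group, scan this QR code to get in: https://example.invalid/join",
    "It's Anna, new phone. Can you forward me the 6-digit code you just got by SMS?",
    "Policy update: read the new travel guidance at https://example.invalid/policy",
    "Lunch at noon tomorrow?",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        v = triage(msg)
        print(f"{v.severity:6} {v.signs} :: {msg[:50]}")
```

A "review" result still needs a human decision; keyword rules of this kind miss reworded lures and should feed, not replace, out-of-band verification.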
How to protect yourself
Enable the strongest account protections available. Use Signal PIN protections where applicable and enable WhatsApp’s two-step verification. These add friction for attackers trying to re-register or hijack an account [8][9].
Never share verification codes. No legitimate support workflow should require you to send a one-time code to another person. If someone asks for one, assume fraud.
Be skeptical of QR codes and device-linking prompts. Only link a device from within the app’s official settings, and only when you initiated the process. Treat emailed or messaged QR codes as suspicious.
Secure the phone number itself. Ask your mobile carrier about SIM-swap protections, account PINs, and port-out locks. If a phone number is the root of trust, it needs protection [6].
Harden the device. Keep iOS or Android updated, install app updates promptly, and remove apps or profiles you do not recognize. A fully patched phone is not invulnerable, but it reduces easy paths to compromise [2][4].
Review linked devices and active sessions regularly. This is one of the fastest ways to spot unauthorized access.
Use separate devices for sensitive work where possible. High-risk users should consider a dedicated phone for sensitive communications, with a minimal app footprint and tighter operational discipline.
Verify unusual requests out of band. If a colleague sends a strange message, call them or contact them through another channel before acting.
Protect network privacy on untrusted connections. When traveling or using public Wi-Fi, a reputable VPN service can reduce exposure to local network snooping, though it will not stop phishing or account takeover by itself.
For organizations, train for messaging-app phishing specifically. Many awareness programs focus on email but ignore QR-code abuse, linked-device prompts, and mobile-first social engineering. That gap needs to close.
The bigger picture
If the reported FBI and CISA warning is confirmed, it will be another sign that state-backed operators continue to focus on the easiest route into protected communications: the user and the device. That does not mean secure messengers have failed. It means their strongest protections can be undermined when account workflows, phone-number security, and human behavior are targeted with enough patience.
For high-risk communities, the lesson is straightforward. End-to-end encryption remains important, but it is only one layer. The practical battle is often won or lost in verification prompts, linked devices, recovery channels, and the split-second decision to trust a message that looks familiar.




