Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jun 28, 2026 · 5 min read

Russia Targets Officials' Messaging Apps With Fake Support Texts

Ukraine's SSU and the FBI jointly disclosed a long running Russian intelligence campaign that used fake support texts to hijack Signal, WhatsApp, and Telegram accounts belonging to officials, journalists, and activists across three continents.

A text message arrives at 6 a.m. It looks like it's from Signal's support team. It warns that someone is trying to access your account. It asks for a verification code. If you hand it over, a Russian intelligence operative has your private conversations — every source, every contact, every message. This is not a hypothetical. On June 25, 2026, Ukraine's Security Service (SSU) and the FBI issued a joint advisory confirming that Russian intelligence services have been running exactly this campaign — at scale — against government officials, military personnel, politicians, journalists, and activists across Ukraine, Europe, and the United States.

Key Takeaways

  • The SSU and FBI jointly disclosed on June 25, 2026 that Russian intelligence services have compromised messaging app accounts through sustained social engineering campaigns.
  • Attackers send fake support texts impersonating Signal, WhatsApp, and other platforms in the early morning hours, deliberately targeting victims when they are most physically and emotionally vulnerable.
  • The campaign does not exploit software vulnerabilities — it exploits people, making no app update or patch capable of stopping it.
  • Dutch intelligence agencies had already warned of the same campaign in March 2026, documenting cases where government employees' messages were compromised.
  • Targets include current and former U.S. government officials, military personnel, politicians, and journalists — anyone whose private communications hold intelligence value.

How Did Russia Get Into Officials' Messaging Apps?

Russian intelligence did not find a zero day in Signal's encryption. They did something far more effective: they called the humans holding the phones.

The core technique is impersonation via SMS. Attackers send text messages that appear to come from the official support team of a messaging platform. The message warns of suspicious activity, a potential data breach, or an unauthorized login attempt — the kind of alert that triggers an immediate, anxious response. The target is then prompted to share a verification code that the attacker has already requested from the platform. Handing over that code gives the attacker full account access.

On WhatsApp, the method exploits the platform's "linked devices" feature, which lets users connect a secondary device like a laptop. A malicious QR code — delivered through phishing pages designed to look like official support portals — links the victim's account to an attacker controlled instance. From that point, messages arrive simultaneously on both devices in real time. The victim has no idea they are being watched.

Google's Threat Intelligence Group documented Russian-aligned threat actors crafting malicious QR codes embedded in phishing content that, when scanned, silently pair the victim's Signal account to infrastructure the attackers control. The persistent access means they read messages as they happen, not just after a one time break-in.

Why the Early Morning Timing Matters

The SSU advisory specifically flagged that attackers send these messages in the early morning hours, when targets are "particularly vulnerable due to their physical and emotional state." This is not accidental — it is operational doctrine.

Security researchers call this temporal social engineering. A 6 a.m. alert about your account being compromised hits differently than the same message at 2 p.m. You are disoriented, your threat assessment is slower, and the instinct to act fast overrides the instinct to verify. Russian intelligence units are treating their targets' sleep cycles as an attack surface.

This detail also points to something significant: these operations have matured well beyond opportunistic phishing. Dutch intelligence agencies — the AIVD and MIVD — warned in March 2026 that Russian state actors were using AI tools to impersonate technical support staff, generating natural-sounding voice messages, texts, and video calls that even trained officials found convincing.

Smartphone screen with a fake security alert notification at 5:47 AM, shadowy government building silhouette reflected in the glass, deep indigo and charcoal tones

Who Is Being Targeted?

The joint SSU/FBI advisory names a wide target set: government officials, military personnel, politicians, activists, and ordinary civilians across Ukraine, Europe, and the United States. The Internet Crime Complaint Center advisory from March 2026 explicitly added journalists to the list of high value targets — anyone whose private communications carry intelligence value for Moscow.

That breadth is important. Russian signals intelligence has historically concentrated on government and military targets. The explicit inclusion of journalists and activists reflects a strategic shift: private communications between reporters and their sources, or between organizers and their networks, are now treated as legitimate collection targets. If a journalist has sources inside the Ukrainian military, Russian intelligence wants those conversations.

The campaign has grown since the initial March 2026 warnings. What started as documented incidents against European government employees has expanded into a systematic, multi-platform operation with thousands of confirmed account compromises.

What This Means for Journalists and Activists

The threat model here is different from a data breach or a malware infection. There is no server to patch. There is no vulnerability disclosure coming that will fix this. The attack surface is the person holding the phone.

For journalists, the immediate risk is source exposure. If an attacker gains persistent access to a Signal account through a linked device, every future conversation with a protected source is compromised — even if the source is practicing good operational security on their end. The weak link becomes the journalist's device and account.

For activists, particularly those working on Ukraine, Russia, or European security issues, the risk is operational: movement plans, contact lists, and internal communications become visible to an adversary with a demonstrated willingness to act on that intelligence.

The Dutch case is instructive. Dutch government employees' messages were confirmed compromised before their intelligence agencies went public. The gap between initial compromise and detection gave attackers real time visibility into government communications for an unknown period. The same gap exists for any journalist or activist who has not audited their active sessions recently. You can find similar patterns in how Russia previously hacked an activist's iPhone using Cellebrite — the methods differ but the targeting logic is identical.

What to Do Right Now

The SSU advisory is specific about defensive steps, and they are all actionable today.

  • Audit your active sessions. Both Signal and WhatsApp let you see every device currently linked to your account. Open Settings, navigate to linked devices or active sessions, and terminate anything you do not recognize. If you see a session you cannot explain, treat it as a compromise and act accordingly.
  • Enable 2FA with a complex PIN. Signal's registration lock and WhatsApp's two step verification both add a PIN requirement before an account can be transferred to a new device. Use a PIN that is not a birthday or a repeated digit.
  • Never share a verification code. No legitimate support team for Signal, WhatsApp, or Telegram will ever ask for the six digit code sent to your phone. If someone asks for it, they are not support — they are an attacker.
  • Reject suspicious links and QR codes. The linked device attack requires you to scan a QR code. Before scanning any QR code related to a messaging platform, navigate directly to the app's official settings instead.
  • Report incidents. The SSU's Cybersecurity Situation Centre can be reached at incident@dis.gov.ua. U.S.-based journalists or officials should file with the FBI's IC3 at ic3.gov.

The encryption protecting your messages is not broken. What Russian intelligence learned is that they do not need to break it — they just need you to hand over the key. You can read more about broader surveillance patterns in the FBI's investigation of 100 journalists without cause, which documents how state actors treat journalists as intelligence targets by default.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.