


In a joint public service announcement issued on 20 March, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency said the operation is aimed at individuals deemed to be of “high intelligence value”. Those identified as likely targets include current and former U.S. government officials, military personnel, political figures and journalists. The advisory described the campaign as global in scope and said it had resulted in unauthorised access to thousands of accounts.
The warning is significant not because it suggests any flaw in the encryption of the apps themselves, but because it underlines how state-backed hackers can bypass technical safeguards by manipulating users. According to the FBI and CISA, the attackers have not broken the encryption of messaging platforms or compromised the applications as systems. Instead, they have gained access by persuading users to hand over verification codes, PINs or other credentials, or by tricking them into linking an attacker-controlled device to the victim’s account.
The advisory says Russian intelligence-linked actors typically masquerade as official support accounts within the app, sending messages that appear to come from security teams. Those messages are designed to create urgency, warning of suspicious log-in attempts or alleged data leaks and urging recipients to respond with security codes. In some cases, the operation also uses malicious links or QR codes to exploit the linked-devices function available in some messaging services. Once access is secured, the attackers can read messages, view contact lists, send messages from the compromised account and use the victim’s identity to mount further phishing attempts against others.
The U.S. warning closely mirrors concerns raised earlier this month by the Dutch intelligence and security services AIVD and MIVD. In an advisory published on 9 March, the Dutch agencies said Russian state hackers were engaged in a large-scale global campaign to gain access to Signal and WhatsApp accounts belonging to dignitaries, military personnel and civil servants. The Dutch services said targets and victims included government employees in the Netherlands and added that journalists and other individuals of interest to the Russian state could also be at risk.
Dutch officials were explicit that the campaign does not depend on discovering technical vulnerabilities in the apps. Rather, it exploits legitimate security features and users’ willingness to trust what appear to be authentic messages. The Dutch advisory noted that, once an account has been compromised, attackers can read incoming messages, including those exchanged in group chats, and are likely to obtain sensitive information in the process. It also warned users to watch for duplicate accounts in chat groups, altered display names and unauthorised additions via group links, all of which may indicate that an account has been taken over or that an attacker has inserted a second identity into a conversation.
Signal, responding to the earlier Dutch warning, said the incidents were carried out through sophisticated phishing campaigns intended to trick users into sharing information, and stressed that neither its encryption nor its infrastructure had been compromised. That distinction is central to the current case. End-to-end encryption remains effective when messages are transmitted between legitimate users. The vulnerability arises when an attacker succeeds in becoming one of those apparent users by taking control of an account or quietly adding a linked device. In such circumstances, the security of the underlying platform becomes largely irrelevant because the intruder is effectively inside the conversation.
For officials, military personnel and journalists, the implications are clear. Messaging applications that are widely regarded as secure remain attractive targets precisely because they are used for sensitive exchanges. The reputational strength of platforms such as Signal can create a false sense of immunity, especially when the real point of failure lies not in the software but in user behaviour. The FBI and CISA urged users never to share PINs, passwords or two-factor authentication codes for actions they did not initiate, to treat unexpected messages with suspicion, to inspect links before clicking and to verify unusual requests through another channel.
The episode serves as a reminder that in cyber security the weakest point is often not the application but the account holder. State-backed operators do not always need to defeat encryption if they can persuade a target to open the door. For governments, news organisations and others handling sensitive material, the lesson is straightforward: secure tools remain necessary, but they are not sufficient without disciplined user practice and constant vigilance against social engineering.
