Washington, D.C.

Feds Warn Russian Spies Are Hijacking Your Group Chats

Published on March 28, 2026

Russian intelligence services are quietly slipping into private chats around the world, according to U.S. cyber officials, who say a sprawling phishing operation is hijacking personal accounts on popular messaging apps. Once inside, the attackers can read messages in real time and pose as their victims, with thousands of accounts reportedly compromised, including those belonging to current and former government officials, military personnel, and journalists. The twist: the spies are not cracking encryption, they are tricking people.

The FBI’s Internet Crime Complaint Center and the Cybersecurity and Infrastructure Security Agency laid out the scheme in a joint public service announcement released last Friday. The PSA details two main tactics that target app features instead of the underlying crypto: abusing linked-device options and staging direct account takeovers by coaxing users into surrendering verification codes. The advisory, circulated through field offices and highlighted in an FBI-Dallas Facebook post, warns that the hackers impersonate automated support contacts and emphasizes that the encryption itself is intact, according to IC3. Once an account is compromised, attackers can read chats, mine contact lists, send messages as the victim, and pivot into fresh phishing attempts.

European intelligence services were already raising red flags earlier this month. Dutch security officials reported that Russian state-aligned operators were running a large-scale push to seize Signal and WhatsApp accounts tied to officials and journalists, and confirmed that some accounts had been successfully breached, according to AIVD. That warning quickly drew international attention and sparked deeper analysis in tech outlets such as TechCrunch, helping push U.S. agencies to amplify their own alerts.

How the account hijacks work

The playbook leans on psychology rather than codebreaking. Attackers pretend to be trusted contacts or official support staff, then nudge targets to click a link, scan a QR code, or hand over a one-time verification PIN. The IC3 PSA singles out two favored moves: slipping an attacker-controlled device into a user’s account via a linked-device feature, and phishing for login or verification codes that enable a full takeover. The scammers even reassure victims with lines like “Don’t tell anyone the code,” a neat bit of reverse psychology that should ring alarm bells. Once inside, they quietly read conversations, harvest contacts, and send highly convincing follow-up lures from an account everyone already trusts.

What you can do

The defenses are not glamorous, but they work. Stop engaging with sketchy messages, never share verification codes or PINs with anyone, and confirm any supposed support request through a completely separate channel. For more technical hardening tips on mobile security and phishing red flags, users can turn to guidance from CISA, which urges people to use phishing-resistant multifactor authentication wherever possible and to routinely audit which devices are linked to their accounts. Employers and journalists dealing with sensitive material are being urged to treat commercial messaging apps as fragile tools and to tighten operational security, from better device hygiene to keeping the most sensitive conversations out of chat entirely.

Security analysts say this fits a broader pattern: instead of trying to punch through hardened encryption, nation-state hackers increasingly scale their spying by manipulating people. Coverage in mainstream tech media, including TechRadar, suggests the latest advisory has reignited debate over how heavily officials and reporters should rely on everyday messaging apps for serious business.

If you think your account has been hijacked, officials urge you to tell your organization’s IT or security team and consider filing a report with the Internet Crime Complaint Center (IC3) or your local FBI field office. Early reports help investigators map out campaigns and warn others who might be in the blast radius. Victims should save anything that might be useful to investigators, including screenshots, timestamps, and suspicious messages. For most users, the most effective move is to stay ahead of the con: do not share codes, review which devices are linked to your apps, and enable phishing-resistant multifactor authentication wherever it is offered.