Russian hackers target Signal account takeovers
Amnesty security lab traces phishing campaign to automation tool ApocalypseZ, encryption holds while device linking becomes the seam
A screenshot of the phishing attack that targeted Donncha Ó Cearbhaill, a security researcher at Amnesty International. (Image Credits: Donncha Ó Cearbhaill)
Lorenzo Franceschi-Bicchierai
techcrunch.com
A security researcher at Amnesty International says he was targeted in a campaign attempting to hijack Signal accounts by impersonating the app’s support function, according to TechCrunch. Donncha Ó Cearbhaill, who leads Amnesty’s Security Lab, received a phishing message earlier this year from an account claiming to be “Signal Security Support ChatBot.” The message warned of suspicious activity and tried to trick him into handing over a verification code that could be used to link his account to a device controlled by the attacker.
Ó Cearbhaill said he recognised it as a takeover attempt and treated it as part of a broader operation aimed at large numbers of Signal users. He estimates he was one of more than 13,500 targets identified in the campaign, and believes the real number is higher. TechCrunch reports that the tradecraft matches techniques previously warned about by the U.S. cybersecurity agency CISA, the UK’s cybersecurity agency, and Dutch intelligence, which have blamed similar activity on Russian government spies.
The mechanics of the attack underline why “secure messaging” often fails at the edges rather than the core. Signal’s encryption can remain intact while an attacker simply convinces a user to authorise a new device, turning account recovery and multi-device convenience into the weak point. Ó Cearbhaill described a “snowball hypothesis,” where compromised contacts in group chats help attackers find the next wave of targets, making a campaign scale through social graphs rather than through bespoke targeting.
Ó Cearbhaill also identified what he called “ApocalypseZ,” a system that automates bulk attacks with limited human oversight. He said the codebase and operator interface are in Russian, and that victim chats were translated into Russian—details he argues are consistent with Russian government involvement. Der Spiegel, TechCrunch notes, has separately reported that Russian hackers compromised several people in Germany, including high-profile politicians.
Signal has issued warnings about phishing aimed at its users, but the campaign Ó Cearbhaill is tracking is still active. The attack he received was a single message; the leverage it sought was the one thing encryption cannot protect against: a user being persuaded to approve the wrong screen at the wrong time.