
A Spyware Investigator Exposed Russian Government Hackers Trying to Hijack Signal Accounts
Why It Matters
The breach highlights how state‑backed actors are exploiting popular encrypted apps to gather intelligence, raising the risk profile for journalists, activists, and policymakers. Strengthening user safeguards is essential to preserve the integrity of secure communications.
Key Takeaways
- Over 13,500 Signal users targeted in Russian phishing campaign
- Hackers used “ApocalypseZ” tool to automate bulk attacks
- Phishing messages impersonated Signal support and demanded verification codes
- Researchers recommend enabling Signal’s Registration Lock to prevent hijacking
- Campaign linked to Russian government spies, confirmed by multiple agencies
Pulse Analysis
State‑sponsored cyber‑espionage has increasingly focused on encrypted messaging platforms, and the recent Signal phishing wave underscores that trend. Unlike typical malware drops, the attackers masqueraded as official Signal support, sending messages that warned of fictitious security threats and demanded a verification code. By exploiting users’ trust in the app’s brand, the campaign bypassed traditional security layers, allowing the adversaries to hijack accounts and potentially monitor private conversations. This tactic mirrors earlier Russian operations targeting WhatsApp and other services, confirming a strategic shift toward social engineering at scale.
The technical backbone of the assault is a tool dubbed “ApocalypseZ,” which automates the creation and distribution of phishing prompts to thousands of victims simultaneously. Researchers observed that the codebase and operator interface are written in Russian, and the system translates intercepted chats before forwarding them to the attackers. Such automation reduces the need for manual oversight, enabling rapid expansion of the target pool, as evidenced by the 13,500+ identified victims. Ó Cearbhaill’s investigation, whose methods he did not disclose, found that the campaign likely spreads through compromised group chats, creating a snowball effect that continuously adds new users to the list.
For end‑users, the episode serves as a stark reminder that even end‑to‑end encrypted apps are vulnerable to social‑engineering attacks. Security experts now advise activating Signal’s Registration Lock, a PIN‑based safeguard that blocks unauthorized device registrations. Organizations handling sensitive communications should also enforce multi‑factor authentication and conduct regular phishing awareness training. As geopolitical tensions persist, Russian intelligence groups are expected to refine these tactics, making proactive defense measures and rapid incident response critical for preserving the confidentiality of digital discourse.