
When Donncha Ó Cearbhaill received a suspicious message on Signal claiming to be from “Signal Security Support ChatBot,” the security researcher immediately knew something was wrong. The message warned of suspicious activity and demanded he enter a verification code – classic signs of a phishing attempt. But instead of simply ignoring it, Ó Cearbhaill decided to investigate.
What he discovered was far more extensive than a simple scam. The attempt was part of a large campaign, attributed to the Russian government, that had targeted more than 13,500 Signal users worldwide. The campaign marks a significant escalation in state-sponsored attacks against secure messaging platforms and shows how authoritarian governments are adapting their tactics: rather than attacking the encryption, they go after the accounts that use it.
Ó Cearbhaill, who heads Amnesty International’s Security Lab, had never been personally targeted with such an attack before. “Having the attack land in my inbox, and the chance to turn the tables on the attackers and understand more about the campaign was too good to pass up,” he told TechCrunch.
The lure impersonated Signal's security team, warned of a fake security problem, and pushed the recipient either to hand over a verification code or to link the account to a device controlled by the attackers. The fraudulent message Ó Cearbhaill received even included the warning “DON’T TELL ANYONE THE CODE, NOT EVEN SIGNAL EMPLOYEES” – a line that borrows the phrasing of legitimate security advice while discouraging the victim from checking with Signal.
This attack method mirrors tactics previously identified by multiple intelligence agencies. The U.S. cybersecurity agency CISA, the UK’s cybersecurity agency, and Dutch intelligence have all warned about similar campaigns attributed to Russian government hackers. Signal itself has also issued warnings about phishing attacks targeting its users. German news magazine Der Spiegel found that Russian hackers successfully compromised several high-profile German politicians using these methods.
Through his investigation, Ó Cearbhaill uncovered several key details about the operation:
- The hackers used an automated system called “ApocalypseZ” to conduct bulk attacks with minimal human oversight
- The system’s codebase and operator interface were in Russian
- Victim conversations were being translated into Russian for analysis
- The attack followed a “snowball” pattern where successful compromises led to new targets
Ó Cearbhaill believes he became a target because he was likely in a group chat with someone who had already been compromised. Each compromised account exposed its contacts and group members, letting the hackers grow their target list by walking the victims' own contact graphs.
The researcher noted that other targets included journalists he had worked with and colleagues, suggesting the hackers were specifically interested in people involved in security research, journalism, and human rights work. This targeting pattern aligns with typical Russian intelligence operations that focus on civil society actors, activists, and media professionals.
What makes this campaign particularly concerning is its scale and automation. The ApocalypseZ system allows hackers to target thousands of users simultaneously, representing a significant shift from more targeted, manual approaches. This industrialization of phishing attacks means more people are at risk, and the attacks can be conducted more efficiently.
Ó Cearbhaill continues to monitor the campaign and has observed ongoing attacks, meaning the total number of targets is likely much higher than the 13,500 he initially identified. The persistence of these attacks demonstrates that Russian intelligence services view encrypted messaging platforms as high-value targets worth sustained effort.
For Signal users concerned about becoming targets, Ó Cearbhaill recommends enabling Registration Lock, a security feature that requires the user's Signal PIN before the phone number can be registered on a new device. With it enabled, an attacker who has tricked a user into handing over a registration code still cannot take over the account. Registration Lock does not, however, block the other path this campaign used: a device linked to the account through Signal's linking flow. Linked devices appear under the Linked Devices entry in Signal's settings, so anyone who suspects they were targeted should review that list and remove any device they do not recognize.
The incident highlights the ongoing cat-and-mouse game between security researchers and state-sponsored hackers. As encrypted messaging becomes more common, authoritarian governments are investing heavily in ways around these protections. Rather than trying to break the encryption itself, they rely on social engineering that gets users to hand over a code or add an attacker's device, which leaves the encryption intact but makes the attacker a legitimate participant in the victim's conversations.
Despite becoming a target himself, Ó Cearbhaill maintains a sense of humor about the situation. He doubts the hackers will target him again and suspects they regret going after someone with his expertise. “I welcome future messages, especially if they have zero-days they would like to share,” he joked, referring to unknown security vulnerabilities that attackers often use in their campaigns.