Security researcher Donncha Ó Cearbhaill discovered a hacking attempt by Russian government spies targeting Signal users, with phishing tactics affecting over 13,500 accounts.
Phishing Attempt Exposed
Ó Cearbhaill, head of Amnesty International’s Security Lab, received a suspicious message on Signal, claiming to be from Signal Security Support. The message warned of alleged data leaks and attempted to collect verification codes to gain access.
Recognizing the phishing attempt, Ó Cearbhaill seized the opportunity to investigate further, uncovering a wider campaign targeting Signal users through impersonation and bogus security alerts.
Government Involvement Confirmed
The tactics matched those in a campaign previously warned about by the U.S. cybersecurity agency CISA, the UK's cybersecurity agency, and Dutch intelligence, all attributing the attacks to Russian government hackers. German magazine Der Spiegel reported similar breaches affecting high-profile figures.
Ó Cearbhaill's findings revealed the use of an automated hacking system called “ApocalypseZ,” which operates with minimal human intervention. The system’s interface and codebase were in Russian, further linking it to the government-backed group.
Broader Implications
The investigation showed that other targets included journalists and colleagues, suggesting a “snowball hypothesis” where compromised accounts lead to new targets. This strategy allows hackers to expand their reach significantly.
Ó Cearbhaill continues to monitor the campaign, noting that attacks are ongoing and the actual number of affected users is likely much higher than initially identified.
Advice for Signal Users
To protect against such attacks, Ó Cearbhaill advises Signal users to enable Registration Lock, a feature that prevents unauthorized account registration on different devices. He welcomes further communication from the hackers, especially if they have “zero-days” to share, referring to unknown security flaws often used in cyberattacks.
Ó Cearbhaill remains vigilant, suggesting that hackers might regret targeting him, given his expertise in investigating security vulnerabilities.
Source: https://techcrunch.com/2026/05/14/a-spyware-investigator-exposed-russian-government-hackers-trying-to-hijack-signal-accounts/
