A prominent security researcher, Donncha Ó Cearbhaill, who specializes in investigating spyware attacks, recently found himself in an unprecedented situation: he became the target of a sophisticated hacking attempt. The attack unfolded via a message on his Signal account, purportedly from “Signal Security Support ChatBot,” claiming suspicious activity and potential data leaks. The message instructed him to enter a verification code into the chatbot to prevent further compromise, explicitly warning against sharing the code with anyone, including Signal employees. Recognizing the deceptive nature of the request, Ó Cearbhaill, who leads Amnesty International’s Security Lab, seized the opportunity to investigate the perpetrators rather than fall victim.

Ó Cearbhaill’s experience was not an isolated incident but part of a much larger, coordinated campaign. This particular phishing strategy, which involves impersonating Signal support to trick users into linking their accounts to hacker-controlled devices, aligns precisely with warnings issued by the U.S. cybersecurity agency CISA, the United Kingdom’s cybersecurity agency, and Dutch intelligence. These agencies have consistently attributed such sophisticated cyber-espionage efforts to Russian government-backed operatives. Signal itself has also alerted its user base to an increase in phishing attacks.

Through his investigation, Ó Cearbhaill uncovered that he was one of more than 13,500 individuals targeted by this campaign. He observed that other victims included journalists he had collaborated with and a colleague, leading him to formulate a “snowball hypothesis”: successful breaches likely provided hackers with access to contact lists, enabling them to identify new potential targets. He further identified the automated system used by the hackers as “ApocalypseZ,” noting that its codebase and operator interface were in Russian, with victim chats being translated into Russian. These linguistic clues strongly corroborate the assessment that a Russian government hacking group is behind these widespread attacks.

The researcher continues to monitor the campaign, confirming that these attacks are ongoing and the total number of targets has undoubtedly grown since his initial findings. For Signal users concerned about becoming targets of similar attacks, Ó Cearbhaill strongly advises activating Registration Lock, a crucial security feature that requires a user-defined PIN to register their phone number on any new device, thereby preventing unauthorized account linking.