US warns Russian spies are still hunting your WhatsApp and Signal accounts
CISA and the FBI say Russian intelligence officers are running fresh phishing campaigns to hijack accounts on messaging apps used by journalists, officials and activists.

Key points
- CISA and the FBI issued an updated public warning that Russian intelligence services are still targeting commercial messaging apps through phishing campaigns.
- The alert updates guidance first published in March about the same Russian operation.
- The agencies released fresh examples of the fake messages being sent to victims.
- Targets include people of interest to Russian intelligence, including officials, journalists and activists.
- CISA is urging users to review account security settings and treat unexpected login requests as suspicious.
Russian spies are still going after your messaging apps. That is the blunt message from two US agencies this week.
The Cybersecurity and Infrastructure Security Agency (CISA), which is the US government's civilian cyber defence agency, together with the Federal Bureau of Investigation, updated an earlier public warning about an ongoing campaign by Russian Intelligence Services. The original alert went out in March. The new version, published as a CISA advisory, adds fresh tactics and sample messages the agencies have seen in the wild.
The target is simple: accounts on commercial messaging applications. Think WhatsApp, Signal, Telegram and similar apps that ordinary people and professionals use every day.
The method is phishing — the practice of sending fake messages designed to trick someone into handing over a password, a login code or clicking a booby-trapped link. In this case, the messages are crafted to look convincing enough that the target links their account to a device controlled by the attackers, or gives up the one-time code that protects it.
Why would Russian spies want your chat app?
Because messaging apps are where sensitive conversations happen. Russian intelligence is not sweeping up random accounts for fun. The people in the crosshairs tend to be government officials, military personnel, defence contractors, journalists covering Russia or Ukraine, human rights workers, and activists inside and outside Russia.
Once inside a chat account, an attacker can read past conversations, watch new ones arrive in real time, impersonate the victim to trick their contacts, and quietly harvest sensitive information for months.
The agencies did not name a specific Russian unit in the public update, but earlier reporting has tied similar campaigns to groups linked to Russia's Federal Security Service and its military intelligence arm. These operators are patient. They pose as colleagues, embassy staff, or trusted contacts. Some campaigns have used fake QR codes that, when scanned, silently link the victim's Signal or WhatsApp account to a device the attacker controls.
What should ordinary users do?
Treat any unexpected login request, verification code, or "link a new device" prompt as suspicious until you can prove otherwise.
A few practical steps, drawn from the CISA guidance:
- Open your messaging app and check the list of linked devices. Remove anything you do not recognise.
- Turn on two-step verification, sometimes called a PIN or passcode, inside the app itself. This is separate from your phone's lock screen.
- Never share a login code that arrives by SMS or in-app message. Nobody legitimate — not support staff, not a colleague — needs it.
- Be wary of QR codes sent to you in a chat, even from a known contact. A hijacked contact is still a hijacked contact.
Journalists, aid workers and government staff should assume they are of interest and act accordingly. That means slowing down before tapping a link, and confirming odd requests through a second channel like a phone call.
What is new in this update?
CISA says the update reflects tactics observed since March, including fresh phishing lures and social-engineering scripts. The agencies published sample messages so defenders and everyday users can recognise the pattern.
The campaign has not stopped. It has adapted. The advisory is essentially a reminder that the same hands are still on the keyboard.



