phishing-campaign-intelligence, state-sponsored-espionage, credential-access-method, government-diplomatic-threat

Russian Social Engineering Campaign Hijacked Signal and Messaging Accounts

Updated 17h ago · First seen Jun 26, 2026 · 13 sources

Ukraine’s Security Service (SBU) said that, in coordination with the FBI, it uncovered a long-running Russian campaign that used social engineering to compromise messaging accounts belonging to government officials, military personnel, politicians, activists, journalists, and other high-value targets in Ukraine, Europe, and the United States. According to Ukrainian and U.S. authorities, the attackers impersonated messaging-platform support teams in text and in-app messages, often contacting victims in the morning, and tricked them into handing over credentials and other sensitive account data to gain access to military, political, economic, and personal communications.

The FBI and CISA separately warned that Russian intelligence-linked operators are specifically phishing Signal Backup Recovery Keys, allowing them to restore backups, read private and group message history, and take over accounts without breaking Signal’s encryption. The updated advisory said the broader operation has already compromised thousands of accounts worldwide and is tracked publicly as UNC5792 and UNC4221, with links to multiple Russian intelligence services, including FSB-associated personnel and Russian military services. U.S. and allied agencies in the Netherlands, Germany, and France urged users to distrust messages claiming to be from Signal support, never share verification codes, PINs, or Recovery Keys, and review linked devices for unauthorized access.

EVENT TIMELINE

How this story unfolded

5 events from the most recent confirmed update back to the earliest known activity.

Jun 29, 2026 · 2d ago

U.S. offers $10 million reward for UNC5792 and UNC4221 members

The United States announced a reward of up to $10 million for information leading to the identification or location of members of the Russia-linked groups UNC5792 and UNC4221. Authorities said the groups are tied to Russian security and intelligence services and were involved in social-engineering campaigns targeting Signal and WhatsApp accounts.

US posts $10 million reward over Russian cyber campaign targeting Signal, WhatsApp | The Record from Recorded Future News

Jun 26, 2026 · 4d ago

State Department offers reward tied to UNC5792 activity

The U.S. State Department’s Rewards for Justice program offered up to $10 million for information on UNC5792. The reward was cited in connection with the Russian intelligence-linked activity targeting Signal users.

FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys

FBI and CISA update advisory to add Signal Recovery Key phishing

The FBI and CISA updated their earlier advisory to warn that Russian intelligence-linked operators were phishing Signal users for Signal Backup Recovery Keys, enabling backup restoration, message access, and account takeover. The update said the broader campaign had already compromised thousands of accounts worldwide and identified tracking names UNC5792 and UNC4221.

FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys

FBI and CISA issue advisory on Russian targeting of Signal users

A March advisory warned of a Russian intelligence-linked campaign targeting Signal users through social engineering rather than breaking the app's encryption. The activity targeted high-value individuals including government officials, military personnel, journalists, political figures, and Ukrainian officials.

FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys

SBU and FBI uncover long-running messaging account campaign

Ukraine’s Security Service said that, together with the FBI, it uncovered a long-running Russian campaign targeting messaging accounts of government officials, military personnel, politicians, activists, and others in Ukraine, Europe, and the United States. According to the disclosure, the operation relied primarily on social engineering, including impersonation of messaging platform support services to steal credentials.

Russia used social engineering to breach prominent messaging accounts, Ukraine says | The Record from Recorded Future News

LINKED ENTITIES

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.

21 linked

Malware (1 linked)

Affected products (4 linked): Whatsapp; Signal; Telegram; Microsoft 365

Organizations (11 linked): Signal Messenger; Signal Messenger, LLC; Telegram; Linkedin; Picus Security; Meta Platforms; X; Google; Future plc; Security Affairs; Bluesky PBLLC