FBI Director Kash Patel and CISA issued a high-priority alert on March 20, 2026, revealing that hackers linked to Russian intelligence have compromised thousands of messaging accounts. The sophisticated phishing campaign specifically targets U.S. government officials, military personnel, and journalists by tricking them into revealing security codes. While individual accounts were breached, officials emphasize that Signal's core encryption remains secure.
Thousands of Accounts Compromised
Russian-linked hackers successfully gained unauthorized access to thousands of individual commercial messaging accounts, including Signal.
High-Value Targets Identified
The operation specifically focuses on current and former U.S. officials, military members, and media professionals to gather intelligence.
Phishing Over Encryption Breach
The breach was achieved through social engineering and phishing rather than a technical failure of the apps' encryption protocols.
International Coordination
The U.S. warning follows similar reports from Dutch intelligence services (AIVD and MIVD) regarding global Russian cyber activity.
The FBI and the Cybersecurity and Infrastructure Security Agency issued a joint warning on Friday, March 20, 2026, alerting the public that hackers linked to Russian intelligence have gained unauthorized access to thousands of individual accounts on commercial messaging applications, primarily Signal. FBI Director Kash Patel announced the findings via the social media platform X, stating that the agency had identified cyber actors connected to Russian intelligence services targeting users of commercial messaging apps. The targets include current and former U.S. government officials, military personnel, political figures, and journalists — individuals described in the joint notice as "of high value in the intelligence field." Patel confirmed that the breaches resulted in unauthorized access to thousands of individual accounts, though neither the FBI nor CISA disclosed further details on the precise scope of the intrusions. The Russian embassy in Washington did not immediately respond to a request for comment, according to Reuters.
Phishing, not broken encryption, opened the door
The FBI and CISA emphasized that the breaches did not result from any flaw in Signal's encryption, but from phishing campaigns that exploited human behavior rather than technical vulnerabilities. Hackers posed as security personnel and tricked users into disclosing their security codes, thereby bypassing the application's protections without ever compromising the underlying encryption. Once attackers gained access to an account, the consequences extended well beyond passive surveillance. According to Patel's statement, attackers could read messages, view contact lists, send messages while impersonating the victim, and launch further phishing attacks using the victim's trusted identity to reach new targets. Signal, responding to an earlier warning from Dutch authorities, stated that the cyberattacks were carried out through sophisticated phishing campaigns designed to trick users into sharing information, and confirmed that its infrastructure and encryption had not been compromised.
"FBI identified cyber entities linked to Russian intelligence, targeting users of commercial messaging apps such as Signal" — Kash Patel via wiadomosci.radiozet.pl
Dutch intelligence flagged the same campaign weeks earlier
The American alert follows a similar warning issued earlier in March 2026 by Dutch intelligence services, the AIVD and MIVD, who reported that Russian-backed hackers had launched a broad global campaign targeting Signal and WhatsApp accounts belonging to government officials, journalists, and military personnel. Dutch authorities noted that some of those accounts had been successfully compromised. The convergence of warnings from both American and Dutch intelligence agencies points to a coordinated and sustained effort rather than isolated incidents. Signal responded to the Dutch warning by acknowledging the phishing campaigns while reiterating that its core infrastructure remained intact. The pattern described by both sets of authorities — impersonation of security personnel, manipulation of security codes, and lateral movement through trusted contact networks — suggests a methodical operation designed to exploit the human element of secure communications rather than their technical architecture.
Russian state-linked cyber operations targeting Western officials and journalists have been documented for over a decade. Intelligence services in multiple NATO countries have previously attributed intrusion campaigns to Russian military intelligence, known as the GRU, and the FSB domestic security service. Messaging applications became a focus of such operations as governments and sensitive-sector workers shifted away from traditional email toward encrypted platforms. The use of social engineering rather than technical exploits to bypass encryption reflects a broader trend in state-sponsored hacking, where human vulnerability is targeted when cryptographic barriers prove too costly to overcome directly.
Warning lands amid broader U.S.-Russia tensions in 2026
The joint FBI-CISA alert arrives at a moment of heightened geopolitical tension, with the Russia-Ukraine war continuing into its fifth year and U.S. intelligence agencies operating under close public scrutiny. Kash Patel, who has served as FBI Director since 2025, used his personal social media account to amplify the warning directly to the public, a communication approach that bypasses traditional press channels. The joint notice urges high-value individuals — particularly those in government, military, and media roles — to exercise heightened caution around unsolicited requests to share security codes or account credentials, regardless of how legitimate the source may appear. The FBI and CISA did not publicly attribute the campaign to a specific Russian intelligence unit or name any individuals suspected of orchestrating the operation. Authorities in both the United States and the Netherlands have now publicly identified the same attack methodology within weeks of each other, suggesting that Western intelligence services are coordinating their public messaging on the threat.
Mentioned People
- Kash Patel — Director of the Federal Bureau of Investigation since 2025