Spyware Investigator Uncovers Russian Hackers’ Attempt to Hijack Signal Accounts
In early 2026, Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab, became the target of a sophisticated phishing attempt aimed at compromising his Signal account. The attackers, posing as Signal’s security team, sent a message warning of suspicious activity and prompted him to enter a verification code to prevent a data leak. Recognizing the message as a phishing attempt, Ó Cearbhaill seized the opportunity to investigate the attack.
His investigation revealed that this attack was part of a broader campaign targeting over 13,500 Signal users. The hackers employed social engineering tactics, impersonating Signal support to deceive users into linking their accounts to devices controlled by the attackers. This method aligns with previous campaigns attributed to Russian government-backed groups, as noted by cybersecurity agencies in the U.S., U.K., and the Netherlands.
Ó Cearbhaill discovered that the attackers utilized an automated system called ApocalypseZ, which facilitated large-scale phishing operations with minimal human oversight. The system’s codebase and operator interface were in Russian, and the hackers translated victim communications into Russian, further indicating their origin.
The attack’s opportunistic nature suggests that compromised accounts were used to identify new targets, creating a snowball effect. Ó Cearbhaill believes he was targeted due to his inclusion in group chats with previously compromised individuals.
To protect against such attacks, Signal users are advised to enable the Registration Lock feature, which requires a PIN to register the account on a new device, thereby preventing unauthorized access.
