Hard2bit

When encryption is not the target: hijacking Signal and WhatsApp accounts without malware

By Adrián González · CEO · Published: 01 July 2026 · Updated: 01 July 2026
Russian actors hijack Signal and WhatsApp accounts

On 30 June 2026, the US Department of State’s Rewards for Justice programme offered up to $10 million for information on UNC5792 and UNC4221, two Russian-linked threat groups associated with campaigns against Signal and WhatsApp accounts used by US officials, military leadership, allied personnel and other high-value individuals.

The reward is not the most important part.

The uncomfortable detail is this: the attackers did not break Signal’s or WhatsApp’s end-to-end encryption.

And yet, according to public US government alerts, they still gained unauthorised access to thousands of individual messaging accounts.

That distinction matters for every organisation whose executives, board members, legal advisers, corporate operations teams or public-facing leaders use encrypted messaging apps for sensitive conversations.

End-to-end encryption did its job: it protected the message in transit. The weakness appeared one step later — in the account, in the linked device, in the recovery process and in the trust placed in a screen, a QR code or a fake support message.

What is now worth $10 million is not a cryptographic vulnerability.

It is the abuse of legitimate features designed for convenience.

Executive summary: what companies should learn from this case

This case does not show that Signal or WhatsApp are broken. It shows something more relevant for businesses: a conversation can remain encrypted and still become exposed if an attacker convinces the user to link a device, hand over a recovery key or follow a fake support flow.

For companies, the priorities are clear:

  1. Identify high-risk individuals: executives, board members, legal, finance, M&A, communications, security, critical operations and institutional relations.
  2. Understand which messaging channels they actually use for sensitive conversations.
  3. Define which information must not be discussed through personal messaging apps.
  4. Provide targeted training to those profiles, not only generic annual awareness.
  5. Regularly review linked devices in Signal, WhatsApp and similar applications.
  6. Make it explicit that PINs, one-time codes, recovery keys and QR linking codes must never be shared.
  7. Create a fast reporting channel for suspicious messages.
  8. Prepare a response process for compromised messaging accounts.

This attack follows the same pattern seen in many modern account takeover campaigns: the attacker does not need to defeat the password if they can get the victim to authorise a legitimate flow.

That is also the logic behind Microsoft 365 device code phishing and Microsoft 365 account takeover: the session becomes the asset.

The attack does not break encryption. It joins the session.

End-to-end encryption protects the content of a message from someone intercepting it in transit, and even from the service provider itself.

What it does not protect is the point where the message is decrypted so a human can read it: an authorised device.

That is the opening.

Signal and WhatsApp allow users to link additional devices to an account, such as desktop clients, web sessions or companion devices. Once authorised, those devices can receive and send messages as part of the legitimate account model.

If an attacker persuades the victim to approve a device controlled by the attacker, the attacker does not need to break the encryption.

They simply become one of the authorised endpoints.

The conversation is still encrypted end to end on both sides, and nothing in the chat looks different; the problem is that one of the trusted endpoints is no longer exclusively controlled by the victim.

For defenders, the exact technical differences between Signal and WhatsApp matter less than the shared risk model: one account, multiple trusted devices, and a wider trust boundary than the primary phone.
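To make that trust boundary concrete, here is an added example (not Signal or WhatsApp code, and not from this post's author) that models multi-device end-to-end encryption with the Python standard library: each device holds its own key, the sender's client encrypts one copy of every message per linked device, and the service only ever sees ciphertext and device identifiers. The cipher is a deliberately simple HMAC-SHA256 counter-mode construction standing in for the real protocol, the sender reading each device's key directly stands in for the prekey exchange, and the account, device names and messages are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


@dataclass
class Device:
    """One endpoint of an account. The key never leaves the device; the
    service only ever handles the device_id and ciphertext."""
    device_id: str
    key: bytes = field(default_factory=lambda: os.urandom(32), repr=False)

    def decrypt(self, envelope: dict) -> str:
        nonce, ct, tag = envelope["nonce"], envelope["ct"], envelope["tag"]
        expected = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError(f"{self.device_id}: envelope not addressed to this device")
        ks = _keystream(self.key, nonce, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks)).decode()


@dataclass
class Account:
    """A phone number and the set of devices currently linked to it."""
    owner: str
    devices: list = field(default_factory=list)

    def link(self, device: Device) -> None:
        # In the real apps this is the QR/approval step that the lures abuse.
        self.devices.append(device)

    def unlink(self, device_id: str) -> None:
        self.devices = [d for d in self.devices if d.device_id != device_id]


def encrypt_for_account(account: Account, text: str) -> list:
    """What a sender's client does: one ciphertext per linked device.
    Every copy is genuinely end-to-end encrypted; the sender cannot tell
    which of the listed devices the account owner actually controls.
    Simplification (assumption of this model): the sender uses device.key
    directly instead of deriving a session key from public prekeys."""
    envelopes = []
    data = text.encode()
    for device in account.devices:
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(data, _keystream(device.key, nonce, len(data))))
        tag = hmac.new(device.key, nonce + ct, hashlib.sha256).digest()
        envelopes.append({"to": device.device_id, "nonce": nonce, "ct": ct, "tag": tag})
    return envelopes


def demo() -> dict:
    """Walk through the compromise described in the text and return the facts
    a reviewer would want to check. Names and messages are constructed."""
    bob = Account("bob")
    bob.link(Device("bob-phone"))
    bob.link(Device("bob-desktop"))
    before = encrypt_for_account(bob, "board call moved to 09:00")

    # The victim 'accepts a group invite' that is really a linking approval.
    attacker = Device("unknown-linux-desktop")
    bob.link(attacker)
    during = encrypt_for_account(bob, "settlement ceiling is 4.2M")
    attacker_copy = next(e for e in during if e["to"] == attacker.device_id)

    # The attacker's copy is bound to the attacker's key: nobody else can open it,
    # so from the outside the message looks correctly end-to-end encrypted.
    try:
        bob.devices[0].decrypt(attacker_copy)
        cross_read = True
    except ValueError:
        cross_read = False

    # Linked-device review: unlink the unknown endpoint. Future messages stop
    # fanning out to it, but what was already delivered stays readable.
    bob.unlink(attacker.device_id)
    after = encrypt_for_account(bob, "revised offer attached")
    return {
        "copies_before": len(before),
        "copies_during": len(during),
        "copies_after": len(after),
        "leaked": attacker.decrypt(attacker_copy),
        "cross_read": cross_read,
        "still_readable_after_unlink": attacker.decrypt(attacker_copy),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running demo() shows the point of this section in three numbers: the count of ciphertexts tracks the count of linked devices (2, then 3, then 2 again), the attacker's copy cannot be opened by any other endpoint, and unlinking the device stops future fan-out without clawing back what was already delivered, which is also why disappearing messages only limit the damage rather than prevent it.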

How the technique works: linked devices, QR codes and user trust

Google Threat Intelligence Group documented in February 2025 how Russia-aligned actors were abusing Signal’s linked-device feature. Since then, the technique has continued to evolve.

At a high level, the mechanics are simple:

  1. The attacker prepares a believable lure.
  2. The victim believes they are joining a group, verifying an account or following a support instruction.
  3. In reality, they approve the linking of a device controlled by the attacker.
  4. From that moment, the attacker can access messages from that authorised device.

No malware is required.

No password has to be guessed.

No CVE has to be exploited.

The attack works because the victim performs an action inside a legitimate feature.

That makes it particularly dangerous for senior staff. The victim may not see anything obviously suspicious. They may see a QR code, a group invite, a familiar-looking screen or a support message that appears to fit the context.

Technique 1: manipulated group invitations

One of the observed techniques involves manipulating group invitation flows.

The victim believes they are accepting a legitimate invitation to join a work conversation. In reality, the action does not add them to a group. It authorises a new device on their account.

There is no attachment.

There is no executable.

There is no classic antivirus alert.

There is only a convincing screen and one action too many.

For an executive, lawyer, adviser or communications lead, this is a plausible lure. Group invitations have become normal. Informal channels are created quickly. Sensitive decisions often move faster than corporate process.

That is exactly the risk.

Technique 2: QR phishing kits

Another observed technique involves phishing kits that rely on QR codes.

The attacker imitates an application, portal or workflow the victim trusts and asks them to scan a QR code to continue. In reality, the QR code may link a device controlled by the attacker or lead the victim into fake recovery instructions.

In a corporate environment, the same pattern is easy to adapt:

  • “Scan this code to join the crisis group.”
  • “Link your device to keep using the desktop version.”
  • “Validate your account to avoid deactivation.”
  • “Update your Signal or WhatsApp security settings.”
  • “Support needs to confirm your device.”

QR codes are useful to attackers because they slip past several corporate controls. An email gateway can rewrite or detonate a link written as text, but the URL inside a QR image is never a link as far as the gateway is concerned, and the scan happens on a personal phone outside the corporate proxy, so the destination is never inspected.

This sits in the same family as other social engineering techniques and campaigns such as ClickFix and fake CAPTCHA attacks: the attacker does not force the system. They persuade the user to make the system work against them.
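Because the lure in Technique 1 and the QR kit in Technique 2 both end in a payload the victim scans or taps, the decoded payload is the one place a defender can check before the approval happens. The following added example (not from the page's author or from either vendor) triages such payloads in Python. It assumes that Signal's desktop client encodes its linking QR as sgnl://linkdevice?uuid=...&pub_key=..., that genuine group invites live on signal.group (code in the fragment) and chat.whatsapp.com (code in the path), and that WhatsApp's own companion-linking codes are opaque non-URL blobs; the domain lists, the function names and the sample payloads are constructed assumptions to re-check against the current clients. The same classification can feed the domain and lure blocking described under "Domains, lures and infrastructure" later in the post.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed constants (re-check against the current clients): where genuine
# group invites live, and which first-party domains the two vendors use.
INVITE_HOSTS = {"signal.group", "chat.whatsapp.com"}
BRAND_DOMAINS = ("signal.org", "signal.group", "whatsapp.com", "whatsapp.net")
BRAND_WORDS = ("signal", "whatsapp")

# Constructed sample payloads, as they would come out of a QR decoder or a
# message. They are illustrations, not artefacts from the campaign.
SAMPLE_LURE_PAYLOADS = [
    "https://signal.group/#CjQKIDEyMzQ1Njc4OTBhYmNkZWYxMjM0NTY3ODkwYWJjZGVm",
    "https://chat.whatsapp.com/AbCdEfGh1234567",
    "sgnl://linkdevice?uuid=ZXhhbXBsZQ%3D%3D&pub_key=QWxpY2U%3D",
    "https://signal-group.net/join/crisis-team",
    "https://example.net/verify?next=sgnl%3A%2F%2Flinkdevice%3Fuuid%3Dx%26pub_key%3Dy",
    "2@AbCdEf,GhIjKl,MnOpQr,StUvWx",
]


def _first_party(host: str) -> bool:
    """True for a vendor domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def classify(payload: str) -> dict:
    """Return a verdict for one decoded QR payload or link found in a lure.
    'block' is True for anything a high-risk user should not act on."""
    p = unquote(payload.strip())          # surface linking URIs hidden in redirect parameters
    parts = urlsplit(p)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    v = {"payload": payload, "kind": "unknown", "block": True, "reason": "unrecognised payload"}

    if scheme == "sgnl" and parts.netloc.lower() == "linkdevice":
        q = parse_qs(parts.query)
        v.update(kind="device_link",
                 has_keys=bool(q.get("uuid") and q.get("pub_key")),
                 reason="Signal device-linking URI: scanning it authorises a new device, it does not join a group")
    elif "sgnl://linkdevice" in p.lower():
        v.update(kind="device_link_redirect",
                 reason="web page or redirect that carries a Signal linking URI inside it")
    elif scheme in ("http", "https") and host in INVITE_HOSTS:
        code = parts.fragment if host == "signal.group" else parts.path.strip("/")
        if code:
            v.update(kind="group_invite", block=False,
                     reason="invite on a known invite host; still verify it through another channel")
        else:
            v.update(reason="invite host without an invite code")
    elif scheme in ("http", "https") and any(w in host for w in BRAND_WORDS) and not _first_party(host):
        v.update(kind="lookalike", reason=f"brand name in a non-first-party host: {host}")
    elif scheme in ("http", "https"):
        v.update(kind="other_url", reason="not an invite; treat as a phishing landing page until reviewed")
    elif not scheme:
        v.update(kind="opaque",
                 reason="not a URL; companion-device linking codes are opaque blobs, a group invite never is")
    return v


def triage(payloads: list) -> list:
    """Verdicts for every payload that should be blocked or escalated."""
    return [classify(p) for p in payloads if classify(p)["block"]]


if __name__ == "__main__":
    for verdict in triage(SAMPLE_LURE_PAYLOADS):
        print(f'{verdict["kind"]:22} {verdict["payload"][:60]}  <- {verdict["reason"]}')
```

The rule to take from the classifier is the one the lure hides: a genuine group invite is a URL on an invite host with a code in it, while a linking URI is something else entirely, so anything presented as "join the crisis group" that decodes to sgnl://linkdevice, to a brand-name look-alike domain or to a non-URL blob is the attack itself, not a malformed invite. Feed the blocked hosts to DNS and proxy controls and the linking-URI pattern to whatever inspects decoded QR images.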

Technique 3: stealing PINs, codes and recovery keys

The more recent evolution, warned about by the FBI and CISA, goes further: attackers impersonate technical support and convince the victim to disclose codes, PINs or recovery keys.

The goal is no longer only to link a live device. It may also be to gain persistence or recover historical messages where backup functionality allows it.

The key point for any organisation is simple: no legitimate support team should ever ask a user to disclose verification codes, PINs, recovery keys or secret phrases.

If someone asks, treat it as a potential incident.

Reinstalling the app or re-registering the phone number may not be enough if the attacker still holds a valid recovery key or if the recovery mechanism has not been properly rotated.

That is why, when there is suspicion, the response cannot stop at “log out and log back in”.

What we know and what we do not

This case should be handled with precision.

What we know:

  • Rewards for Justice is offering up to $10 million for information on UNC5792.
  • The announcement links UNC5792 to Russian intelligence activity and also refers to UNC4221.
  • The campaigns targeted Signal and WhatsApp accounts used by US officials, military leadership and allied personnel.
  • The FBI and CISA have warned about campaigns against commercial messaging applications.
  • Authorities have stated that the end-to-end encryption and the apps themselves were not compromised.
  • Google documented the abuse of Signal linked devices by Russia-aligned actors.
  • The UK NCSC has published guidance for high-risk individuals.

The correct conclusion is that encryption may remain intact while the account is still compromised.

This is not only a government problem

It is tempting to file this story under state espionage and move on.

That would be a mistake.

The same methods can be reused against corporate targets whenever there is something worth stealing:

  • M&A activity.
  • Sensitive litigation.
  • Labour or shareholder negotiations.
  • Intellectual property.
  • Financial information.
  • Commercial strategy.
  • Reputational crises.
  • Supplier access to critical infrastructure.
  • Board, executive and adviser communications.

In a company, the equivalents of “high-level officials” are obvious: CEO, CFO, COO, CISO, legal leadership, operations leadership, board members, external advisers, communications leads and anyone involved in sensitive decision-making.

There is also a corporate factor that increases the risk: shadow messaging.

Conversations that should happen in governed channels often move to the CEO’s WhatsApp, the lawyer’s Signal account or an informal group with advisers and suppliers, outside corporate visibility and control.

That shortcut is convenient.

And that is why it is attractive to a patient attacker.

Why your usual controls may not see it

This attack falls between the cracks of many security programmes.

There may be no malware, so EDR may not detect anything. There may be no CVE to patch, because the attacker is not exploiting a software flaw. There may be no traditional login attempt, because the attacker is not always trying to authenticate as the victim. Instead, they get the victim to authorise a legitimate flow.

These apps also often live on personal phones or partially managed devices, limiting corporate visibility.

The email gateway may not inspect a QR code scanned from another screen. The SIEM may not receive telemetry from a consumer messaging app. The security team may not be able to see which devices are linked to a senior executive’s personal account.

This is a blind spot by design, not just by accident.

A strong password and classic MFA are not enough if the attack relies on linked-device approval or on persuading the victim to disclose recovery material.

The defence has to move towards channel governance, linked-device reviews, high-risk individual protection and fast reporting.

What you can monitor

For unmanaged consumer messaging apps, corporate telemetry is limited. Pretending otherwise does not help.

But there are still useful controls.

1. Regular linked-device reviews

For high-risk individuals, reviewing linked devices should become routine.

This does not need to be a complex project. It is a periodic settings check.

Any unrecognised device should be treated as an incident.

2. New linked-device notifications

If an app notifies the user that a new device has been linked and the user did not initiate it, that notification is a detection signal.

The problem is that many users ignore it or do not know whom to report it to.

The solution is targeted education and a fast route to security.

3. Fake support messages

Any message asking for codes, PINs, recovery keys or urgent account actions should be treated as suspicious.

Legitimate support should not ask for secrets.

4. Domains, lures and infrastructure

Threat intelligence can provide what the app itself does not: phishing domains, reused infrastructure, impersonated brands, message patterns and active campaigns.

That information can feed DNS controls, proxy blocking, safe browsing and targeted awareness.

5. Fast executive reporting

An executive who receives a strange message and knows who to forward it to within 30 seconds may be more valuable than many correlation rules.

In this attack, the person is part of the detection system.

Early detection often starts with someone doubting at the right moment and reporting quickly.

Practical defence for high-risk individuals

The useful measures are not exotic, but they need discipline.

1. Review and remove linked devices

In Signal, WhatsApp and similar applications, high-risk users should periodically check which devices are linked to their accounts.

Any unknown device should be removed immediately and escalated to security.

2. Use phishing-resistant recovery where available

When the application and platform support it, use passkeys or another phishing-resistant method for sign-in and account recovery, and make sure the app's own PIN protection (Signal's Registration Lock, WhatsApp's two-step verification) is enabled, so that re-registering the number on a new phone requires a secret the attacker would have to ask for.

Availability varies by app, operating system, country and version, so the policy should be framed carefully: use the strongest available method and periodically review the security options of each application.

3. Never share codes, PINs or recovery keys

This rule should be absolute.

No legitimate support team should ask for:

  • PINs.
  • Verification codes.
  • Recovery keys.
  • Device-linking QR codes.
  • Secret phrases.
  • Screenshots of security settings.

If someone asks, report it.

4. Use disappearing messages, but understand the limits

Disappearing messages can reduce historical exposure, but they do not prevent a linked attacker-controlled device from reading messages in real time while the session is active.

They limit damage. They do not prevent compromise.

5. Verify sensitive group invitations through another channel

If a user receives an invitation to a group related to leadership, legal, M&A, crisis response or sensitive operations, they should verify it through an independent channel.

This is especially important when the invitation includes QR codes, linking instructions or unexpected steps.

6. Define what must not happen in personal messaging apps

Some conversations should not happen in personal consumer apps.

Each organisation should decide which information requires governed corporate channels with retention, traceability, DLP, access control and incident response.

This does not mean banning all informal messaging. It means not outsourcing critical business decisions to unmanaged personal channels.

A protection programme for high-risk individuals

Generic annual awareness training is not enough for this threat.

A mature organisation should have a specific programme for high-risk individuals.

That programme should define:

  • Who is a plausible target.
  • Which apps they actually use.
  • Which conversations are happening outside corporate channels.
  • What signals they should report.
  • How to review linked devices.
  • What to do with suspicious QR codes.
  • Which codes and keys must never be shared.
  • What to do if they suspect someone knows a private conversation.
  • Which internal channel to use for urgent help.

This fits naturally with a virtual CISO function or an executive security governance programme. The objective is not only technical control, but protecting the people who make sensitive decisions.

It can also be reflected in a cyber resilience dashboard for the board, with indicators around executive channels, targeted training, access reviews and crisis readiness.

What to do if you suspect an account has been compromised

If an unknown device appears, if the victim received support instructions, if they shared a PIN, or if an attacker seems to know private conversations, treat the account as potentially compromised.

The response should include:

  1. Remove all unrecognised linked devices.
  2. Review remaining linked devices.
  3. Change PINs or recovery mechanisms.
  4. Rotate backup or recovery keys where available.
  5. Update the application.
  6. Review recent sensitive conversations.
  7. Warn relevant contacts if impersonation may have occurred.
  8. Preserve evidence: messages, domains, screenshots, dates and numbers.
  9. Determine whether the attack arrived via email, SMS, social media or messaging.
  10. Assess whether corporate information was exposed.
  11. Evaluate internal, contractual or regulatory notification needs.
  12. Extend the lessons to other high-risk individuals.

If corporate information may have been exposed, this becomes an incident response matter, not just user support.

The Microsoft 365 analogy is useful: as with corporate session theft, the goal is not only to recover the account, but to understand what the attacker saw, for how long and what they could do next.

Crisis communications are part of the risk

There is another important point: messaging apps are often used precisely when pressure is highest.

During a cyber incident, an internal investigation, a critical negotiation or a reputational crisis, many decisions are coordinated in fast messaging groups.

That makes those groups valuable targets.

If an attacker compromises the account of a key person during a crisis, they may be able to read internal deliberations, anticipate decisions, manipulate messages or impersonate someone trusted.

That is why the organisation’s crisis plan should define not only what will be said externally, but also which channels leadership, legal, communications and security will use internally.

Secure coordination is part of crisis management.

Identity, sessions and Zero Trust

Although this case involves messaging apps, the underlying logic is familiar from modern identity attacks: the attacker stops fighting the password and looks for a session, a token, an authorised device or a recovery flow.

That connects directly to:

  • Token theft.
  • Device code phishing.
  • Persistent sessions.
  • Unmanaged devices.
  • Weak account recovery.
  • Personal channels outside corporate control.
  • Excessive trust in the phrase “it is encrypted”.

The answer is not paranoia. It is applying Zero Trust logic to communication channels: verify devices, limit exposure, review sessions, govern access and assume trust must be renewed.

NIS2, DORA and ENS implications

The regulatory angle is more direct than it may seem.

NIS2 makes management bodies responsible for approving, overseeing and being trained on cybersecurity risk management measures. If those same bodies use unmanaged channels for sensitive decisions, those channels belong in the risk analysis.

DORA pushes financial entities to govern digital operational resilience, including communications, incident management, third parties, continuity and response. A compromised messaging account during a crisis can directly affect that resilience.

The ENS requires protection, traceability and control over information and communications in the public sector and its suppliers. If certain communications move to unmanaged personal channels, they create both an operational and evidentiary gap.

Across all three, the message is the same: the security of the channels leadership actually uses is in scope, even when those channels are consumer applications.

Leaving them out because they are “personal” is precisely the gap this campaign exploits.

For organisations working across several frameworks, it is also worth reviewing the relationship between ENS, ISO 27001, NIS2 and DORA, because all of them eventually point to the same controls: governance, access control, incident management, training, traceability and continuous improvement.

What companies should decide now

After this campaign, any organisation with high-risk individuals should be able to answer these questions:

  1. Who are our most sensitive profiles?
  2. Which messaging apps do they actually use?
  3. What information is being discussed outside corporate channels?
  4. Are there clear rules on what must not go through WhatsApp, Signal or Telegram?
  5. Do high-risk users regularly review linked devices?
  6. Do they know that legitimate support will never ask for PINs, codes or recovery keys?
  7. Is there a fast reporting channel for suspicious messages?
  8. Do we have a procedure if a personal messaging account used for work is compromised?
  9. Do we know how to preserve evidence without destroying traceability?
  10. Is this covered in executive, crisis and compliance training?

These questions can be addressed through a cybersecurity audit, a Microsoft 365 security review when the risk extends into corporate identity, or a high-risk individual protection programme led by security leadership or a vCISO.

The uncomfortable conclusion

The conclusion is not that Signal or WhatsApp are no longer useful. It is not that encryption does not work.

The conclusion is more uncomfortable: encryption protects a message in transit, but it does not protect a poorly linked account, a stolen recovery key or an executive persuaded to scan the wrong QR code.

What we know is solid: the technique is documented, attributed and now publicly rewarded.

What most organisations do not control by default is a senior executive’s personal phone on a Sunday afternoon.

Between those two realities lies the real work: reduce exposure, train the people who are actually targeted, govern sensitive channels and accept that the convenience of linking a device has a cost.

It is better to manage that cost before someone else does.

Do you control the channels your leadership uses during a crisis?

Hard2bit helps organisations protect identities, sessions, critical communication channels and high-risk individuals against social engineering, account takeover and executive communication compromise.

We can support you with:

If you want to review how your critical profiles communicate, which channels should be governed and how to respond to a compromised messaging account, contact the Hard2bit team through our contact page.

Recommended sources

  • Rewards for Justice: UNC5792
    https://rewardsforjustice.net/rewards/unc5792/
  • FBI / IC3 PSA: Russian Intelligence Services Targeting Commercial Messaging Applications
    https://www.ic3.gov/PSA/2026/PSA260320
  • Google Threat Intelligence Group: Signals of Trouble — Russia-aligned threat actors targeting Signal Messenger
    https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/
  • NCSC: Messaging app targeting guidance
    https://www.ncsc.gov.uk/news/ncsc-warns-of-messaging-app-targeting
  • The Hacker News: FBI warns Russian hackers target Signal backup recovery keys
    https://thehackernews.com/2026/06/fbi-warns-russian-intelligence-hackers.html

Frequently asked questions

Do the attackers break Signal or WhatsApp encryption?

No. Neither the Russian campaign behind the ten-million-dollar reward nor the associated techniques break end-to-end encryption. The attacker does not decrypt anyone else's copy of a message: they get a device under their control linked legitimately to the victim's account, after which every sender's client encrypts a copy of each message to that device as well, and the attacker's device decrypts its own copy like any other endpoint. The cryptography stays intact; what fails is control over which devices have access to the account.

How do they read the messages without installing malware?

By abusing the linked-devices feature. Signal and WhatsApp let you connect desktop or web clients to a single account; each linked device holds its own keys, and a sender's client encrypts a separate copy of every message for every device linked to the recipient. The attacker tricks the victim into approving the linking of a device they control, with a tampered group invitation, a QR code or fake instructions, and from then on their device receives and decrypts its own copy of each conversation in real time, with no program running on the victim's phone.

Is MFA or two-step verification any use here?

It helps, but on its own it is not enough against this technique. Two-step verification or a registration-lock PIN protects re-registration of the number on a new phone, and here the attacker neither signs in nor re-registers: they abuse device linking, which is approved from the already-authenticated phone, or they talk the victim into handing over the PIN or recovery key. Passkeys harden sign-in and recovery where the app offers them and are a sound reinforcement. Even so, the essential measures are to review linked devices regularly and never share keys or codes.

Who do these campaigns target?

The authorities describe high-risk targets: senior officials and diplomats, defence and intelligence personnel, journalists and organisations working on Russia and Ukraine. In business terms, that profile maps onto the board, the executive committee, legal and corporate-development teams, and suppliers with access to critical infrastructure. Anyone whose conversations hold strategic value is a plausible target.

Why is the backup recovery key so dangerous?

Because it grants persistence. If the victim hands over their recovery key or PIN, that key remains valid even if they later reinstall the application or re-register with the same number. Reinstalling does not evict the attacker. That is why no legitimate support asks for these keys, and why, on any suspicion, you must rotate the recovery key as well as unlink devices.

What can an organisation do if its directors use Signal or WhatsApp for sensitive matters?

First, decide at policy level which conversations may travel over consumer applications and which must stay on managed corporate channels. Then give high-risk profiles tailored instructions: enable passkeys, review linked devices regularly, use disappearing messages and never share recovery codes. And keep a response procedure that treats the account as persistently compromised at the first sign of trouble.

How does this relate to NIS2, DORA or the ENS?

Under NIS2, the management body is accountable for risk-management measures, and the security of the channels leadership uses to decide falls within that scope. DORA requires financial entities to govern the human and technological sides of their operational resilience. The Spanish ENS sets protection measures for the communications of public-sector staff and their suppliers. In all three frameworks, the security of the channels leadership actually uses is part of compliance, even when they are consumer applications.