Ukraine's SBU and the FBI disclosed a long-running Russian operation that uses morning-timed SMS phishing to steal verification codes and hijack encrypted messaging accounts of government officials, military personnel, politicians, and activists across Ukraine, Europe, and the United States. The attackers never break end-to-end encryption; they exploit the human endpoint.

Ukraine's Security Service (SBU) and the FBI went public on Thursday, June 25, 2026, with a long-running Russian social-engineering campaign aimed at compromising encrypted messaging accounts. The targets are government officials, military personnel, politicians, and activists in Ukraine, Europe, and the United States. The attackers do not break end-to-end encryption; they attack the user, not the algorithm.

Key Takeaways
  • The SBU and FBI disclosed a Russian social-engineering campaign against messaging accounts on June 25, 2026.
  • Phishing messages are sent in the morning hours to exploit recipients' physical and emotional state, according to the SBU's own statement.
  • Dutch intelligence (MIVD/AIVD) had already warned in March 2026 of similar techniques against Signal and WhatsApp, involving support impersonation and requests for verification codes.
  • Signal stated the intrusions occur through "sophisticated phishing campaigns" and that its encryption and infrastructure remain uncompromised.

The Method: Morning SMS, Verification Codes at the Ready

The most common technique, documented in the joint advisory, begins with an SMS that impersonates official technical support for messaging platforms. The goal is to solicit credentials, verification codes, or other access data. According to the SBU, the messages are timed for morning hours, when recipients are more vulnerable due to their physical and emotional state.

This temporal detail is not journalistic flourish. It is a tactical variable explicitly declared by an intelligence agency and a rare element in official advisories, which typically limit themselves to describing technical mechanisms without delving into attack psychology. The morning timing turns daily routine into an attack surface.

Dutch intelligence had already captured the mechanism in March 2026. Attackers impersonate Signal support to request SMS verification codes and PINs. For WhatsApp, they abuse the "Linked devices" feature to add unauthorized devices and access message history. All of this without ever breaking end-to-end encryption, which remains mathematically intact.

The Paradox: Perfect Security Shifts the Target

Signal and WhatsApp are built on robust cryptographic protocols. The problem is that this robustness has shifted attacker focus from data in transit to the human endpoint. When the tunnel is impenetrable, you besiege the front door.

The platforms have responded with educational communications, not structural countermeasures. Signal published warning threads. WhatsApp updated help-center pages. Neither has implemented barriers that break the full attack chain, such as mandatory additional verification for new device registration or forced re-authentication delays.

User frustration is understandable: the apps' own interfaces, with their verification codes and QR codes for linked devices, become part of the attack kit. The trust placed in security mechanisms is weaponized against the very people those mechanisms are meant to protect.

Drawing the Line Between Campaigns

The June 2026 SBU-FBI advisory does not identify which Russian intelligence service is responsible. It also does not specify which platforms were primarily targeted, nor does it provide a victim count. These limits are explicit and must be respected as such, not filled with speculation.

A prior CISA and FBI advisory, dated March 2026, attributed a campaign with similar techniques against current and former government officials, military personnel, political figures, and journalists to the SVR (Russian Foreign Intelligence Service). According to United24 Media, that advisory mentioned "thousands of compromised accounts," but this figure is not verifiable in primary sources and does not appear in the SBU's June 2026 advisory. There is no direct evidence establishing whether the two campaigns are the same operation or distinct ones.

The dossier does not clarify whether the phase documented by the SBU and FBI involved actual compromises or only attempts, nor does it state the extent of any exfiltrated information.

"The messages are sent in the morning hours, when users are particularly vulnerable due to their physical and emotional state" — Security Service of Ukraine (SBU)

Immediate Actions

The SBU's June 25, 2026 advisory issued specific recommendations, also reported by Kyiv Post:

  • Enable two-factor authentication where available.
  • Do not share SMS verification codes with anyone, including those claiming to be official technical support.
  • Avoid opening suspicious links in unexpected messages.
  • Do not scan QR codes from bots or unverified contacts.

Why the Defense Perimeter Has Shifted

The campaign documented by the SBU and FBI redraws the line between consumer security and institutional security. Mass-market messaging apps have become critical infrastructure for military, diplomatic, and journalistic communications. Their original threat model did not account for state-backed APTs studying targets' biorhythms.

Organizations relying on these apps must extend anti-phishing training from email to instant messaging. The tech-support impersonation pattern is highly reproducible and is emerging as a standard tactical playbook for Russian operators. The difference between a victim and an official who resists increasingly lies in contextual recognition, not in the technical complexity of the attack.
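
For teams that triage messages reported by staff, the pattern described above (a support impersonation, a request for a code or PIN, a link or QR prompt, morning delivery) can be written as a scoring rule. The Python below is an added example, not code from the advisory or from either platform; the keyword lists, the 05:00-09:59 window, the threshold and the sample messages are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Assumed keyword lists; tune them to your own languages and reported messages.
BRAND = re.compile(r"\b(signal|whatsapp)\b", re.I)
SUPPORT = re.compile(r"\b(support|security team|help ?desk|technical service)\b", re.I)
CODE = re.compile(r"\b(verification code|sms code|one-time code|pin)\b", re.I)
# A request verb that is not negated, so "do not share this code" does not count.
ASK = re.compile(r"(?<!not )(?<!never )\b(send|reply|share|provide|confirm|forward)\b", re.I)
LURE = re.compile(r"https?://\S+|\bqr\b|\blink(?:ed)? device", re.I)
MORNING_HOURS = range(5, 10)  # assumption: 05:00-09:59 in the recipient's local time

def score_message(text, received_local):
    """Score one inbound SMS or chat message; returns (score, reasons)."""
    reasons = []
    if BRAND.search(text) and SUPPORT.search(text):
        reasons.append("claims to be messenger support")
    if CODE.search(text) and ASK.search(text):
        reasons.append("asks for a verification code or PIN")
    if LURE.search(text):
        reasons.append("carries a link or a QR / linked-device prompt")
    score = 2 * len(reasons)
    # Timing is never a finding on its own; it only raises an existing one.
    if reasons and received_local.hour in MORNING_HOURS:
        score += 1
        reasons.append("received in the morning window")
    return score, reasons

def triage(messages, threshold=4):
    """Return (score, text, reasons) for messages at or above threshold, highest first."""
    hits = []
    for text, received in messages:
        score, reasons = score_message(text, datetime.fromisoformat(received))
        if score >= threshold:
            hits.append((score, text, reasons))
    return sorted(hits, key=lambda hit: -hit[0])

# Constructed sample messages, not taken from the advisory.
SAMPLES = [
    ("Signal Support: suspicious login detected. Reply with the verification code "
     "we sent you.", "2026-06-25T07:12:00"),
    ("Your Signal verification code is 123456. Do not share this code with anyone.",
     "2026-06-25T07:13:00"),
    ("WhatsApp security team: scan this QR to keep your account active "
     "https://example.invalid/a", "2026-06-25T14:40:00"),
    ("Running late, see you at 9.", "2026-06-25T08:01:00"),
]
if __name__ == "__main__":
    print(*triage(SAMPLES), sep="\n")
```

A single signal never reaches the threshold, so a code-delivery message that tells the recipient not to share the code is left alone, while the two impersonation samples are flagged.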

The paradox remains: end-to-end encryption works so well that the weak point has become the person using it.

Sources

Information verified against cited sources and current as of publication.

  1. therecord.media
  2. windowsnews.ai
  3. kyivpost.com
  4. techcrunch.com
  5. united24media.com