Amnesty researcher exposes Russian spyware campaign targeting Signal users
Security investigator identifies over 13,500 targets in phishing scheme impersonating Signal support, aligning with warnings from US, UK, and Dutch intelligence agencies.

Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab, has exposed a sophisticated cyberespionage campaign attributed to Russian government hackers targeting Signal users. The investigation began earlier this year when Ó Cearbhaill received a phishing message impersonating Signal security support, attempting to hijack his account. Rather than succumbing to the attack, the researcher utilised the incident to uncover the mechanics of a broader espionage operation.
The attackers sent messages claiming suspicious activity on the user’s device, urging recipients to verify their identity by sharing codes with the fake support bot. Ó Cearbhaill identified the automated system driving these bulk attacks as "ApocalypseZ". The platform allows hackers to target numerous individuals simultaneously with limited human oversight. Analysis of the system revealed that its codebase and operator interface are in Russian, and that attackers were translating victim chats into Russian, supporting the hypothesis of a state-sponsored group.
Ó Cearbhaill determined that he was one of more than 13,500 users targeted in the campaign, whose targets included journalists and colleagues. He proposed a "snowball hypothesis" to explain the spread, suggesting the hackers compromised contacts in group chats to harvest new victim information. He believes his own targeting was opportunistic, resulting from his presence in a group chat with a previously compromised individual.
The campaign mirrors warnings issued by the US Cybersecurity and Infrastructure Security Agency (CISA), the United Kingdom's cybersecurity agency, and Dutch intelligence regarding Russian state-sponsored activity. Additionally, German news magazine Der Spiegel reported that Russian hackers had compromised individuals within Germany, including high-profile politicians. Signal has also issued warnings to its user base regarding these specific phishing tactics.
The researcher noted that the total number of victims is likely significantly higher than the 13,500 observed earlier in the year, as monitoring of the campaign continues. To mitigate the risk of account hijacking, Ó Cearbhaill advised Signal users to enable "Registration Lock," a feature that requires a PIN to register a phone number on a new device, thereby preventing unauthorised access.


