Key Takeaways:
- Expert Turned Target: Renowned security researcher Donncha Ó Cearbhaill became the unlikely victim of a sophisticated Signal phishing attack, leveraging the incident into a rare opportunity to investigate the attackers directly.
- State-Sponsored Threat Uncovered: Ó Cearbhaill’s investigation linked the attack to a wider, automated campaign called “ApocalypseZ,” strongly attributed to Russian government-backed hackers targeting thousands of Signal users globally.
- Proactive Defense is Paramount: The findings underscore the critical need for users to activate Signal’s Registration Lock feature, offering a vital layer of protection against highly persistent and advanced state-level cyber threats.
Signal Under Siege: Expert Turns the Tables on Russian Hackers in Sophisticated Phishing Blitz
In a scenario that sounds more like a cyber-thriller plot than real life, Donncha Ó Cearbhaill, a security researcher widely known for his deep investigations into spyware attacks, found himself in an extraordinary position earlier this year. For the first time, the hunter became the hunted, as he was personally targeted by hackers.
The digital ambush arrived in the familiar interface of his Signal account, an app lauded for its end-to-end encryption and privacy. The message was crafted to induce panic and urgency: “Dear User, this is Signal Security Support ChatBot. We have noticed suspicious activity on your device, which could have led to data leak,” it read. The message continued, escalating the perceived threat: “We have also detected attempts to gain access to your private data in Signal.”
The instruction that followed was the critical pivot point, designed to exploit fear and a desire for security: “To prevent this, you have to pass verification procedure, entering the verification code to Signal Security Support Chatbot. DON’T TELL ANYONE THE CODE, NOT EVEN SIGNAL EMPLOYEES.” This final admonition, while seemingly a warning, was a clever psychological trick, reinforcing the supposed legitimacy of the “security chatbot” while isolating the victim from seeking external advice.
However, for Ó Cearbhaill, who leads Amnesty International’s Security Lab, the alarm bells were not for his data, but for the clumsiness of the attack itself. He immediately recognized it as an “unwise” and transparent attempt to compromise his Signal account. Yet, instead of simply dismissing it, his seasoned investigator’s mind saw a unique opportunity – a chance to turn the tables and launch an unexpected investigation of his own.
The researcher shared with TechCrunch that, until this incident, he had “never knowingly” been the direct target of a one-click cyberattack or a phishing attempt of this specific nature. This rarity for someone so deeply entrenched in cybersecurity made the experience even more compelling. “Having the attack land in my inbox, and the chance to turn the tables on the attackers and understand more about the campaign was too good to pass up,” he recounted, highlighting the unique confluence of events that spurred his unconventional response.
Unmasking a Wider, State-Sponsored Campaign
What began as a personal incident swiftly revealed itself to be a mere sliver of a much larger and more insidious operation. The attempted attack on Ó Cearbhaill was, as it turned out, likely part of a widespread hacking campaign meticulously targeting a significant population of Signal users. The attackers’ methodology was cunningly simple yet effective: impersonate Signal’s official channels, propagate fabricated security threats, and then coerce targets into divulging critical verification codes. These codes would then allow the hackers to link the victim’s Signal account to a device under their control, effectively seizing access.
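The scheme above has a recognisable shape: a message claiming to be the platform's own security support, a fabricated alert, a request to hand over a verification code, and an instruction to keep the code secret. As an added example (not code from the article, Signal, or Ó Cearbhaill's investigation), the following Python triage function scores an incoming message against those indicators; the weights, threshold and sample messages are constructed for illustration, and a real deployment would tune them against its own traffic.

```python
"""
Heuristic triage for 'support chatbot' verification-code phishing.

Added example, not part of the article. Scores a message on indicators
drawn from the scheme the article describes: impersonation of Signal
support, a fabricated security alert, a request for the verification
code, a secrecy demand, and urgency. Weights and threshold are assumed
values chosen for the demonstration.
"""
import re
from dataclasses import dataclass, field

# (indicator name, weight, pattern). Weights are illustrative assumptions.
INDICATORS = [
    ("impersonates_support", 3,
     re.compile(r"\bsignal\b.*\b(security|support)\b", re.I | re.S)),
    ("fabricated_alert", 2,
     re.compile(r"suspicious activity|data leak|gain access to your", re.I)),
    ("asks_for_code", 4,
     re.compile(r"(enter|send|provide|reply with).{0,40}"
                r"\b(verification|registration)?\s*code\b", re.I)),
    ("secrecy_demand", 3,
     re.compile(r"don.?t tell anyone|not even signal employees", re.I)),
    ("urgency", 1,
     re.compile(r"\bimmediately\b|\bto prevent this\b|within \d+ (minutes|hours)", re.I)),
]
ALERT_THRESHOLD = 6  # assumed: two strong indicators together trip the alert


@dataclass
class Verdict:
    score: int = 0
    matched: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def triage(message: str) -> Verdict:
    """Score one message and list which indicators fired."""
    verdict = Verdict()
    for name, weight, pattern in INDICATORS:
        if pattern.search(message):
            verdict.score += weight
            verdict.matched.append(name)
    return verdict


def triage_all(messages: dict) -> dict:
    """Map message id -> Verdict for a batch of messages."""
    return {msg_id: triage(text) for msg_id, text in messages.items()}


# Constructed samples. The first reproduces the wording quoted in the article.
SAMPLES = {
    "phish": ("Dear User, this is Signal Security Support ChatBot. We have "
              "noticed suspicious activity on your device, which could have "
              "led to data leak. We have also detected attempts to gain access "
              "to your private data in Signal. To prevent this, you have to "
              "pass verification procedure, entering the verification code to "
              "Signal Security Support Chatbot. DON'T TELL ANYONE THE CODE, "
              "NOT EVEN SIGNAL EMPLOYEES."),
    "benign": "Hey, are we still on for lunch tomorrow? Send me the address.",
    "benign_code": "Thanks, the verification code for the wifi is on the badge.",
}

if __name__ == "__main__":
    for msg_id, verdict in triage_all(SAMPLES).items():
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{msg_id:12s} score={verdict.score:2d} {flag:10s} {verdict.matched}")
```

The point of the weighting is that no single phrase is decisive: a colleague may legitimately mention a "verification code", and Signal's name appears in ordinary conversation, but a message that both claims to be Signal support and asks for the code should never be trusted, because Signal never requests registration codes through chat.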
The techniques observed in this particular incident were not novel. They mirrored precisely those documented in a broader campaign that has drawn stern warnings from major international cybersecurity agencies. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the United Kingdom’s National Cyber Security Centre (NCSC), and Dutch intelligence agencies have all raised alarms about these attacks, unequivocally attributing them to Russian government-backed spies. Signal itself has also issued public advisories cautioning its user base against similar phishing attempts. Further underscoring the severity and reach of this campaign, German news magazine Der Spiegel reported that these Russian hackers had successfully compromised several individuals within Germany, including high-profile politicians, demonstrating the strategic importance and high-value targets pursued by the group.
The “Snowball Hypothesis” and Automated Warfare
Through a series of detailed online posts, Ó Cearbhaill disclosed that his investigation led him to conclude that he was one of more than 13,500 targets caught in this vast cyber dragnet. While he prudently refrained from revealing the intricate specifics of his investigative methodology – a tactical decision to keep his hand hidden from the adversaries – he did share invaluable insights into the campaign’s mechanics and scope.
A crucial early discovery was the presence of other targets within his professional and personal circles, including journalists he had collaborated with and a close colleague. This pattern immediately sparked what Ó Cearbhaill termed his “snowball hypothesis.” He theorized that this was not merely an opportunistic, random attack, but rather a campaign where hackers, upon successfully compromising an initial target, would then exploit that access to identify and target new potential victims. He is convinced that he himself became a target precisely because he was likely part of a group chat with someone whose Signal account had already been hacked, thereby exposing his contact information to the attackers and initiating his own chain of compromise. This “snowball” approach signifies a highly efficient and pervasive method of expanding the attack surface.
Delving deeper, the researcher managed to identify the sophisticated system underpinning these attacks, which he named “ApocalypseZ.” This system is a powerful automation engine, meticulously designed to orchestrate and execute attacks on a massive scale. It allows the hackers to inundate thousands of individuals simultaneously with these phishing attempts, dramatically reducing the need for extensive human oversight and maximizing their operational efficiency.
Further corroborating the prevailing attribution, Ó Cearbhaill also discovered that the codebase and the operator interface of “ApocalypseZ” were predominantly in Russian. Moreover, victim chats were being automatically translated into Russian, providing compelling linguistic evidence that strongly aligns with the hypothesis that this was indeed the same notorious Russian government hacking group implicated in similar, large-scale cyber campaigns globally.
Ongoing Threat and Empowering Users
Ó Cearbhaill’s vigilance continues; he reported that he is still actively monitoring the campaign and has observed the attacks persisting, indicating that the total number of targets has undoubtedly surged significantly beyond the figure he initially documented earlier in the year. This ongoing activity underscores the sustained and evolving nature of this state-sponsored threat.
Despite his deep dive into their operations, Ó Cearbhaill expressed skepticism that the hackers would attempt to target him again, suggesting they might regret their initial endeavor. With a touch of characteristic cybersecurity humor, he added: “I welcome future messages, especially if they have zero-days they would like to share.” This playful jab refers to zero-day exploits—critical security flaws unknown to vendors—which are highly prized tools in the world of cyberattacks and a common subject of his investigations.
For Signal users understandably concerned about becoming the next target of such sophisticated, state-level attacks, Ó Cearbhaill offered a crucial piece of advice: activate Registration Lock. This essential security feature empowers users to set a unique PIN for their Signal account. Once enabled, this PIN becomes mandatory for registering their phone number on any new device, effectively preventing unauthorized individuals from linking their account even if they manage to acquire a verification code through phishing or other means. It’s a simple, yet incredibly powerful deterrent against account hijackings.
Bottom Line: The harrowing experience of security researcher Donncha Ó Cearbhaill serves as a potent reminder of the escalating sophistication and relentless nature of state-sponsored cyber threats. His unique investigation, triggered by being targeted himself, not only unmasked a vast Russian-backed phishing campaign but also provided invaluable insights into their automated tools and propagation methods. While these advanced adversaries continue to probe for vulnerabilities, the incident powerfully underscores the critical role of expert vigilance and, more importantly, empowers everyday users with actionable defenses like Signal’s Registration Lock to protect their digital privacy against even the most determined nation-state actors.