The message arrived like any other Signal notification — a QR code, an invitation to join a group, a routine-looking link. But behind it sat operatives from Russia’s GRU, methodically exploiting a feature baked into one of the world’s most trusted encrypted messaging platforms. Not a vulnerability in the cryptography itself. Something worse: a vulnerability in how people use it.
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory in early 2025 warning that Russian-aligned threat actors had been targeting Signal Messenger users through abuse of the app’s “linked devices” feature — a legitimate function that lets users connect Signal to a secondary device like a desktop computer or tablet. According to The Hacker News, the campaign was initially detected in the context of Russia’s war against Ukraine, where Signal is widely used by military personnel, journalists, and government officials for sensitive communications. But the implications stretch far beyond any single conflict zone.
Here’s how it works. Signal’s linked devices feature generates a QR code that, when scanned, grants a new device access to all incoming messages in real time. Russian operatives crafted malicious QR codes — disguised as group invite links, security alerts, or even legitimate Signal pairing instructions — and distributed them to targets. Once scanned, the victim’s Signal account would silently begin mirroring every message to an attacker-controlled device. No malware installation required. No zero-day exploit. Just social engineering aimed at a trust point in the application’s own workflow.
The threat groups involved aren’t amateurs. Google’s Threat Intelligence Group identified the activity as originating from clusters it tracks as UNC5792 and UNC4221, both linked to Russian state intelligence operations. UNC5792 modified legitimate Signal group invite pages to redirect victims to malicious linking URLs, while UNC4221 built a phishing kit designed to mimic components of the Kropyva application — an artillery guidance tool used by the Ukrainian military. That last detail matters. It shows a level of operational specificity that goes well beyond opportunistic hacking.
And Signal isn’t the only target.
The same advisory noted that similar techniques have been observed or are expected against WhatsApp and Telegram, both of which offer comparable device-linking or session-management features. Microsoft’s threat intelligence team separately flagged a campaign by a group it calls Star Blizzard — also tied to Russian intelligence — that targeted WhatsApp accounts of government and diplomatic officials using similar QR code phishing methods. The pattern is consistent: rather than attacking the encryption protocols themselves, which remain mathematically sound, these actors are going after the human-facing features that sit on top of the encryption.
This represents a fundamental shift in how state-sponsored actors approach encrypted communications. For years, the debate around apps like Signal centered on whether governments would try to mandate backdoors into end-to-end encryption. Law enforcement agencies from the FBI to Europol have publicly complained that strong encryption creates “going dark” problems — conversations they simply cannot intercept, even with a warrant. But the Russian operations demonstrate that backdoors aren’t necessary when the front door can be tricked open.
Signal, for its part, responded to the threat by releasing updated versions of the app with additional safeguards around the device-linking process. As reported by The Hacker News, Signal introduced new alerts and authentication steps designed to make it harder for users to unknowingly link their accounts to hostile devices. But the core challenge remains: the attack exploits user behavior, not software bugs. You can patch code. Patching human judgment is a different problem entirely.
The timing of these revelations is significant. Encrypted messaging apps have seen explosive adoption not just among activists and journalists but across corporate boardrooms, government agencies, and military command structures. Signal’s user base surged after high-profile privacy incidents involving other platforms, and the app has been recommended by security professionals worldwide as a gold standard for private communication. The Pentagon itself has issued guidance endorsing the use of Signal for certain unclassified but sensitive discussions. So when Russian intelligence figures out how to silently sit in on those conversations, the ripple effects are enormous.
Consider the operational security implications for a moment. A Ukrainian artillery officer using Signal to coordinate fire missions could have every message mirrored to a GRU analyst in real time. A diplomat negotiating sanctions policy could unknowingly broadcast their private deliberations to Moscow. A journalist communicating with a source inside Russia could expose that source to lethal consequences. None of these scenarios require breaking encryption. They require one careless QR code scan.
The broader cybersecurity community has taken notice. Multiple researchers have pointed out that the linked-device vector isn’t unique to Signal — it’s a structural feature of how modern messaging apps handle multi-device synchronization. Telegram’s session management, WhatsApp’s web linking, even iMessage’s integration across Apple devices all present similar trust assumptions. The user grants access; the system honors that grant. If the grant is fraudulently obtained, the system has no reliable way to distinguish it from a legitimate one.
Some security firms have begun recommending that organizations audit linked devices on employee messaging accounts as part of standard security hygiene — a practice that barely existed a year ago. The FBI’s advisory specifically recommended that users regularly check their Signal linked-devices list and remove any unrecognized entries. Simple advice. But the kind of simple advice that most people ignore until it’s too late.
There’s also a geopolitical dimension that shouldn’t be overlooked. The United States government has, in recent months, actively encouraged citizens and officials to use encrypted messaging in the wake of the Salt Typhoon breach — a massive Chinese espionage operation that compromised major U.S. telecommunications providers and exposed call metadata on a staggering scale. CISA itself recommended encrypted apps as a countermeasure. The irony is sharp: the very tools recommended to defend against Chinese surveillance are now being targeted by Russian intelligence through entirely different means.
This creates an uncomfortable paradox for policymakers. Encrypted messaging apps remain, by a wide margin, more secure than standard phone calls or SMS for sensitive communications. The encryption works. But the applications surrounding that encryption — the user interfaces, the convenience features, the QR codes and group links — introduce attack surfaces that sophisticated adversaries can and will exploit. Security isn’t a binary state. It’s a spectrum, and even the best tools can be undermined by clever social engineering.
The GRU’s approach here also reflects a broader trend in state-sponsored cyber operations: the move toward living-off-the-land techniques. Rather than deploying custom malware that might trigger antivirus detections or leave forensic traces, attackers increasingly abuse legitimate features of trusted software. It’s harder to detect, harder to attribute, and harder to defend against. When the attack vector is a feature, not a flaw, traditional security tools are largely blind to it.
For organizations that rely on Signal or similar apps for sensitive communications, the practical takeaways are uncomfortable but clear. First, treat device-linking as a privileged operation — the equivalent of granting someone access to your email account. Second, establish policies requiring periodic review of linked devices. Third, train personnel to recognize QR code phishing, which remains a relatively novel social engineering vector that many security awareness programs don’t yet cover. And fourth, don’t assume that encryption alone equals security. It doesn’t. It never did.
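One way to operationalize the first and third takeaways is to triage the decoded contents of a QR code or link before anyone scans it, flagging a device-link request that arrives disguised as an invitation; the example below is added here and is not code from Signal or from the article. It assumes (not stated on the page) that Signal group invites take the form https://signal.group/#... while a pairing request is the sgnl://linkdevice?uuid=...&pub_key=... URI, and the sample payloads are constructed.

```python
"""QR/link payload triage for Signal-style messaging links (added example).

Assumption, not from the article: Signal group invites are URLs of the form
https://signal.group/#<fragment>, while a device-link request is the
sgnl://linkdevice?uuid=...&pub_key=... URI consumed when pairing a desktop
or tablet. A pairing request should never arrive as an "invite" or "alert",
so a gateway or awareness tool can flag it before a user scans it.
"""
from urllib.parse import urlsplit, parse_qs

GROUP_INVITE_HOSTS = {"signal.group"}


def classify_qr_payload(payload: str) -> str:
    """Return 'group_invite', 'device_link', or 'other' for a decoded QR string."""
    p = urlsplit(payload.strip())
    scheme, host, path = p.scheme.lower(), p.netloc.lower(), p.path.lower()
    # Device-link request: sgnl://linkdevice?uuid=...&pub_key=... (assumed format)
    if scheme == "sgnl" and (host == "linkdevice" or path.lstrip("/") == "linkdevice"):
        q = parse_qs(p.query)
        if "uuid" in q and "pub_key" in q:
            return "device_link"
    # Group invite: https://signal.group/#<fragment> (assumed format)
    if scheme in {"https", "sgnl"} and host in GROUP_INVITE_HOSTS and p.fragment:
        return "group_invite"
    return "other"


def triage(payloads):
    """Map each payload to a verdict: 'block' for a device-link request delivered
    as a message, 'allow' for a group invite, 'review' for anything else."""
    verdict = {"device_link": "block", "group_invite": "allow", "other": "review"}
    return [(s, verdict[classify_qr_payload(s)]) for s in payloads]


# Constructed sample payloads (not real links): what a decoded QR might contain.
SAMPLES = [
    "https://signal.group/#CjQKIEXAMPLEGROUPINVITEONLY",
    "sgnl://linkdevice?uuid=EXAMPLE-UUID&pub_key=EXAMPLEKEY",
    "https://example.invalid/signal-security-alert",
]

if __name__ == "__main__":
    for s, v in triage(SAMPLES):
        print(f"{v:6} {s}")
```

A 'block' verdict is the case the advisory describes: a pairing request reaching a user through a channel where only invitations or alerts are expected.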
The Russian campaigns against Signal represent something more significant than a single threat actor exploiting a single feature. They represent the maturation of a strategy: if you can’t break the math, break the human. Every encrypted messaging platform on the market today faces some version of this problem. The cryptography is sound. The people using it are not invulnerable. And the gap between those two realities is exactly where intelligence agencies will continue to operate.
That gap isn’t closing anytime soon.
WebProNews is an iEntry Publication