Russia Ran Fake Messenger Support Scams Against Officials Across Three Continents, SSU and FBI Say
GRU and FSB-linked operators impersonated tech-support staff and trusted contacts to hijack Signal, Telegram, and WhatsApp accounts belonging to soldiers, politicians, and activists in Ukraine, Europe, and the United States.

Ukraine's Security Service (SSU) and the FBI have jointly mapped a sustained Russian intelligence operation that systematically targeted the messaging accounts of military officers, elected officials, policy researchers, and civil-society activists. The campaign spanned Ukraine, multiple European countries, and the United States — and it relied entirely on social engineering, not software vulnerabilities.
How the Operation Worked
Operators posed as messenger platform support staff or, in more targeted cases, as someone the victim already knew. They pushed targets through convincing but fraudulent account-verification flows. The goal was session hijacking — gaining authenticated access to Signal, Telegram, and WhatsApp without ever cracking a password or finding a zero-day.
The two main technical mechanisms were QR-code linked-device abuse and real-time interception of SMS one-time codes. Neither is new. Both have appeared repeatedly in tradecraft attributed to Russian state clusters, including the group Microsoft and the UK National Cyber Security Centre publicly track as Star Blizzard, and the activity cluster designated UAC-0195. The SSU attributed the campaign to Russian special services without specifying unit numbers in its public statement; granular, indictment-grade attribution, if it comes, will likely arrive via a U.S. Department of Justice filing or a follow-up advisory.
The Real Prize Was the Second Hop
Account access was the delivery system. The campaign itself was what came next.
Once operators held a compromised session — say, a Ukrainian battalion commander's Signal account — they could pivot into that person's contact graph. A message from a verified, familiar sender is not suspicious. That trust turned hijacked accounts into launchpads for next-hop spear-phishing against contacts in European ministries of defense, U.S. congressional offices, and NGO networks. The SSU also noted that compromised accounts were used to distribute malware and to run influence operations against follower networks, a pattern consistent with how Coldriver-linked clusters have targeted policy researchers and civil-society organizations in previous campaigns.
The 2024 Verizon Data Breach Investigations Report found that the human element was involved in 68 percent of breaches — and this operation is a textbook illustration of why. No patch closes a gap that lives entirely in human decision-making and account hygiene habits.
Which Controls Failed
This campaign exposed two compounding weaknesses. First, victims lacked the habit of critically evaluating inbound contact from apparent support staff. Real Signal support does not call you. Real Telegram staff do not send you a verification prompt through a third-party channel. The absence of that mental firewall — the reflexive skepticism that security-awareness training builds — is what let operators advance the social engineering past the first conversation.
Second, linked-device management on consumer messaging apps is largely invisible to most users. When an attacker adds a linked device through an approved QR code flow, the account owner receives a notification that is easy to miss or dismiss. Without a regular audit habit, a compromised linked session can persist for weeks. Organizations whose personnel use these apps for even semi-sensitive coordination had no policy requiring periodic device-list reviews. That gap is operational, not technical.
A structured training program that teaches personnel to treat any unsolicited account-verification request as a social engineering attempt — regardless of how official it looks — directly addresses the root cause here. That is not a hypothetical. Security-awareness training built around real-world threat scenarios conditions exactly this kind of skepticism before an operator ever gets a reply.
What Defenders Must Do Now
The SSU's guidance, echoed in Star Blizzard advisories from NCSC and CISA, points to four concrete actions.
Audit linked devices immediately. On Signal: Settings → Linked Devices. On Telegram: Settings → Devices. On WhatsApp: Settings → Linked Devices. Remove anything unrecognized. Do this now, not next quarter.
Enable registration locks. Signal's registration lock and Telegram's two-step verification password both add a second factor that SMS codes alone cannot satisfy — and SMS is vulnerable to real-time phishing and, in some regions, SS7-based interception.
Treat every inbound support contact as hostile until proven otherwise. Verification requests that arrive via in-app message, SMS, or phone call from someone claiming to represent Signal, Telegram, or WhatsApp are not legitimate. None of those platforms initiate unsolicited contact with users through these channels.
Enable disappearing messages for sensitive threads. For higher-risk personnel — military, government, advocacy — minimizing the window of exposure on stored message content limits damage even if a session is eventually compromised.
Verify out-of-band before acting on any link a contact sends. A message from a trusted sender is no longer inherently trustworthy once account hijacking is a live threat model. Call the person on a separate channel before clicking.
For Organizations
This is not a consumer problem the platforms will patch away. The attack surface is human cognition and account management habit. Organizations whose personnel use Signal or Telegram for coordination — and many legitimate defense, government, and civil-society organizations do — need written policy on linked-device audits, mandatory use of registration locks, and clear escalation paths when a staff member receives a suspicious verification request.
Reviewing your organization's compliance posture against frameworks like NIST SP 800-53 or ISO/IEC 27001 is a reasonable starting point for structuring those controls. A quick look at applicable security standards can help teams identify which access-management and awareness requirements map to this threat.
No software update fixes this operation. The mitigation is entirely behavioral — and behavior is trainable.
How this attack could have been stopped before the first reply
- Train personnel to recognize fake account-verification flows — including QR code prompts and unsolicited 'support' messages — as social engineering attempts, not routine platform activity.
- Establish an organizational policy requiring regular linked-device audits on Signal, Telegram, and WhatsApp for all staff who use these platforms for work-adjacent communication.
- Run simulated social engineering exercises that mirror real threat-actor tactics so staff build the reflexive skepticism this campaign exploited.
Train2Secure delivers scenario-based security-awareness training built around the exact techniques state-linked operators use — so your team recognizes them before anyone clicks.
Sources & further reading
- https://ssu.gov.ua/en/novyny/sbu-ta-fbi-rozkryly-merezhevi-operatsii-rosiiskykh-spetssluzhb-zi-zlamom-akkauntiv-v-mesendzhery
- https://www.ncsc.gov.uk/news/star-blizzard-spear-phishing-campaigns
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
- https://www.verizon.com/business/resources/reports/dbir/
- https://www.microsoft.com/en-us/security/blog/2024/01/17/star-blizzard-increases-sophistication-and-evasion-in-spear-phishing-campaigns/
Frequently asked questions
How did Russian operators hijack Signal and Telegram accounts without hacking the apps?
They used social engineering — impersonating support staff or trusted contacts — to trick targets into approving a new linked device via a fraudulent QR code scan or surrendering an SMS one-time code in real time. No software vulnerability was exploited.
How can I check whether my Signal or Telegram account has an unauthorized linked device?
On Signal, go to Settings → Linked Devices and remove anything you do not recognize. On Telegram, go to Settings → Devices. On WhatsApp, use Settings → Linked Devices. Make reviewing this list a regular habit, especially after any unexpected account-related notification.
Does enabling two-factor authentication on these apps actually stop this type of attack?
It significantly raises the bar. Signal's registration lock and Telegram's two-step verification password both require an additional PIN or passphrase that an attacker cannot obtain simply by intercepting an SMS code. SMS-only verification is insufficient against operators who can phish or intercept those codes in real time.
Who were the primary targets of this Russian messaging campaign?
The SSU and FBI identified targets including Ukrainian military personnel, European government officials, U.S.-based individuals, politicians, and civil-society activists. Compromised accounts were then used as launchpads to reach the victim's own contacts, extending the campaign's reach further.