FBI Alert: Phishing Against Encrypted Messaging, Attributed to Russian Intelligence, Compromises Accounts Through Linked Devices


The recent FBI public notice spells out in capital letters something many experts already suspected: there are phishing campaigns taking over accounts on encrypted messaging applications and, according to the agency, these operations are directly linked to Russian intelligence services. The FBI statement, the first to explicitly attribute these campaigns to Russian intelligence, describes a disturbing pattern: the attackers do not break the end-to-end encryption protocols, they bypass that protection by abusing the trust and verification mechanisms of the applications themselves.

The tactics observed are technically simple and effective in execution. The attackers send messages posing as support accounts or trusted contacts and ask the recipient to perform an apparently innocuous action, such as sharing a verification code or scanning a QR code. These are the same actions that allow Signal and WhatsApp to link a new device to an existing account; maliciously exploited, they allow the intruder to add a device under their control and gain access to the messages and contact list. Signal explains how linked devices work, and WhatsApp details its verification mechanism in its help section on codes.

The FBI stresses that the objective of these attacks is not to "break" the encryption; the encryption continues to work for legitimate devices. The problem arises when the attacker gets their own device treated by the platform as one more of the user's devices, capable of reading messages, joining groups, posing as the victim and launching new waves of phishing from an already compromised account. According to the FBI note, these operations have already reached "thousands" of accounts around the world and have targeted people with access to sensitive information: current and former officials, military personnel, political officeholders and journalists. You can read the full FBI notice in its PSA, available here.

The US alert comes after similar warnings issued in Europe; for example, the French cyber crisis coordination authority published a report showing the same patterns and examples of phishing messages used against instant messaging users. The C4 document (Centre de réponse aux incidents) details samples and tactics in a public PDF that helps to show how the lure is presented in a real conversation: C4 alert.

Why are these campaigns so dangerous? Because they change the nature of the threat: encryption continues to offer confidentiality between legitimate devices, but if the adversary gets their device accepted as part of the user's set of devices, they can read and send messages without needing to break the cryptographic protocols. That turns contacts and conversations into a propagation vector: a message from a compromised account looks legitimate and is much more effective at deceiving new victims.

In practice, fraudulent messages often ask for concrete actions: enter or send verification codes, scan a QR code to "reconnect" the service, or follow links that lead to pages imitating the app interface. When faced with such a request, the recommendation is to distrust it by default. It is never necessary to provide verification codes or scan QR codes that have not been requested from the user's own device. It is also a good idea to regularly review the list of devices linked to your application and sign out of sessions that you do not recognize; Signal's and WhatsApp's own help pages explain how to manage these links and remotely sign out devices.

For those working with sensitive information - journalists with sources, officials, members of NGOs or any person at high risk - the measures must be more stringent: use the Registration Lock feature offered by Signal (which requires a PIN to prevent re-registration) or enable two-step verification in WhatsApp to add an additional layer of defence, keep critical communication channels separate and, where possible, use dedicated devices and accounts for sensitive communications. These practices reduce the likelihood that an email or a cleverly crafted message will result in an account hijacking.

Technically, platforms can also improve how they detect and present these deceptions, and some have already worked on it; however, the most effective defense remains the user's awareness. An unexpected prompt to "solve a security problem" in the conversation is not harmless: stop, verify through another channel and do not share codes or credentials.

If you think your account has been compromised, disconnect the linked devices, change the security settings and warn your contacts to watch for atypical messages that appear to come from you. Organizations should also consider specific response and reporting procedures for employees with access to sensitive information, because the chain of compromised accounts can grow quickly if the compromised account belongs to a person with many influential contacts.

Finally, it should be recalled that attributing attacks to a nation-state adds a political and operational layer to the problem: when an intelligence service is behind these campaigns, the objective is not only one-off access, but the prolonged and selective exploitation of information. That is why the FBI's warning is not just another cybersecurity news item; it is a call to reorganize habits and controls to protect what encryption protocols cannot defend on their own: the integrity of devices and human prudence. Staying informed and implementing the recommendations of the applications themselves and of the authorities is the least we can do. For more technical details and examples, see the FBI PSA here, the practical guide from the French C4 here, and the official help pages of Signal and WhatsApp.
