According to an investigation by the German outlet Correctiv, Russian state security agencies were behind a large-scale phishing campaign on the Signal messenger that targeted European politicians, officials, and journalists.
The attacks have been ongoing for several weeks. First, Signal users receive messages from an account called Signal Support claiming that their account is at risk. Victims are asked to enter a code and a PIN allegedly sent to them, after which the attackers gain full access to their accounts, messages, and contact lists. Among the known victims is a former vice president of Germany’s BND intelligence service, Arndt Freytag von Loringhoven. His account was hijacked, and messages were then sent to his contacts on his behalf with a link inviting them to join a WhatsApp channel — another part of the phishing scheme.
Correctiv identified several dozen domains believed to have been used in the campaign and linked them to the Russian hosting provider Aeza, a company sanctioned by the United States and the United Kingdom (but not the EU) for involvement in Russian propaganda campaigns and criminal activity.
A key tool in the attacks was Defisher, a software tool that had been advertised on Russian hacker forums as early as 2024, priced at $690. According to Correctiv, digital traces suggest the developer of Defisher is likely a young Moscow resident (and more of a freelancer than a state-backed hacker). The developer did not respond to the publication’s inquiries. According to Correctiv’s sources in IT security, hackers linked to Russian state agencies began using Defisher approximately a year ago. Google analysts associate the program with UNC5792, a group that has also targeted users in Georgia, France, and the United States.
Earlier, a Google report stated that Russian hacking groups, including GRU-affiliated APT44 (Sandworm), carried out a phishing attack on Signal accounts, primarily targeting Ukrainian military personnel. Signal released updates to protect users against such threats.



