Hackers Target Anti-Communist Activists in Massive Signal Account Breach.

Recently, there have been reports in the media of a large-scale hacker attack targeting the communication software Signal. German media has reported that around 300 political accounts have been compromised, prompting investigations by German intelligence and cybersecurity agencies.

In New York, on April 26th (Sunday), an anti-communist activist received a text message requesting verification of his Signal account. After entering the verification code, his Signal account was hacked.

Global security analyst Josh Rogin of The Washington Post revealed on X on the 27th that several human rights activists opposing the Chinese Communist Party have also fallen victim to these phishing attacks. He himself received a message last week claiming to be from Signal support, asking for account verification, which he found suspicious and deleted.

The anti-communist activist in New York, who is active in several Chinese anti-communist groups on Signal, lost access to his account on April 26th. He had received a message in Chinese asking for a “SIGNAL verification code”; when he entered it, his Signal account was logged out, something he had never encountered before. After logging back in with his phone number, he found that all of his message history was gone.

It was only after seeing reports of the recent large-scale phishing attack on Signal that he realized the logout was the moment hackers had taken over his account. The reports indicated that a political cybersecurity breach had occurred in Germany, involving approximately 300 Signal accounts and linked to suspected Russian hackers. The attackers were able to read all private messages from the preceding 45 days; the extent of the leaked confidential information cannot be estimated.

Signal responded to the reports of the large-scale hack on April 27th, stating that sophisticated attackers had launched a malicious phishing campaign by posing as “Signal support.” By changing their display names and employing social engineering tactics, the attackers tricked users into divulging their login credentials, which allowed them to take control of specific Signal accounts, often changing the phone number associated with the account.

Because changing the phone number causes the original account to be deactivated, the attackers would tell users in advance that the deactivation was normal and prompt them to “re-register” or create a new account. When users set up a new Signal account (now separate from the compromised one), they mistakenly believed they were logging back into their main account, so many never realized their account had been taken over. The attackers then used the compromised accounts to impersonate their owners and target the victims’ contact lists.

Signal also reassured users that Signal support staff will never send messages requesting information, nor ask for registration verification codes or Signal PIN codes. To further safeguard accounts, users can enable “registration lock” in Signal settings. In the coming weeks, Signal will roll out a series of changes to help prevent such attacks.

On March 20th, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) in the United States announced that hackers had successfully breached thousands of Signal accounts, targeting individuals of high intelligence value such as current and former US government officials, military personnel, politicians, and media journalists.

FBI Director Kash Patel posted on the social media platform X on March 20th, stating that once attackers gained access to a user’s account, they would review messages and contact lists, send messages in the victim’s name, and conduct further phishing by exploiting the trust that the victim’s contacts placed in that identity.