Particle.news

Russian Hackers Exploit Signal's Device-Linking Feature to Target Ukrainian Military

Google researchers reveal phishing campaigns by Russian state-linked groups abusing Signal's QR code functionality to intercept secure communications.

  • Google's Threat Intelligence Group identified Russian-aligned hackers using malicious QR codes to exploit Signal's device-linking feature, allowing unauthorized access to accounts.
  • The phishing technique targets Ukrainian military personnel by disguising QR codes as group invites, security alerts, or apps like the artillery guidance tool Kropyva.
  • Hackers linked Signal accounts on seized devices to their own infrastructure, enabling real-time interception of secure messages without compromising encryption.
  • Signal has implemented updates, including authentication requirements and device-linking notifications, to protect users from such social engineering attacks.
  • Experts warn these tactics could extend beyond Ukraine to target dissidents, activists, and other vulnerable groups globally.