Spyware Researcher Exposes Large-Scale Russian Signal Phishing Operation
A cybersecurity investigation led by spyware researcher Donncha Ó Cearbhaill has uncovered a widespread phishing campaign targeting users of the encrypted messaging platform Signal.
The researcher, who heads Amnesty International’s Security Lab, became the target of the attack himself before turning the incident into a broader investigation.
Ó Cearbhaill received messages posing as official Signal security alerts warning of suspicious activity on his account.
The fraudulent messages attempted to convince him to submit a verification code that would have allowed attackers to gain access to his Signal account.
Recognizing the messages as phishing attempts, the researcher instead began tracing the methods and infrastructure behind the operation.
The investigation revealed that the campaign likely targeted more than 13,500 individuals. According to Ó Cearbhaill, the attackers appeared to use compromised accounts to identify additional victims through shared group chats and contact lists.
He described the strategy as a “snowball” effect, where each successful compromise expanded the pool of potential targets.
The researcher identified an automated attack system known as “ApocalypseZ,” which he said enabled hackers to conduct large-scale phishing operations with limited human supervision.
He also found evidence suggesting the operators were Russian-speaking, including Russian-language code and translated victim communications.
The tactics closely matched warnings previously issued by cybersecurity agencies in the United States, the United Kingdom, and the Netherlands regarding Russian government-linked hacking activities.
Investigators believe the campaign focused on impersonating Signal security support to trick users into linking their accounts to devices controlled by the attackers.
Reports from European media organizations have indicated that several high-profile individuals, including politicians in Germany, may have been compromised through similar attacks.
Ó Cearbhaill advised Signal users to activate the platform’s Registration Lock feature, which adds an additional PIN-based layer of protection to prevent unauthorized device registrations.
He said the campaign remains active and warned that the number of affected targets is likely far higher than current estimates.
Source: TechCrunch

