A security researcher investigating spyware attacks became a target himself—and turned the tables on his attackers.
Donncha Ó Cearbhaill, head of Amnesty International's Security Lab, received a message on Signal claiming to be from "Signal Security Support." The message warned of suspicious activity and demanded he enter a verification code—a classic phishing trap designed to hand over account access to hackers.
Instead of falling for it, Ó Cearbhaill decided to investigate. "Having the attack land in my inbox, and the chance to turn the tables on the attackers and understand more about the campaign was too good to pass up," he told TechCrunch.
What he uncovered was a sprawling operation linked to Russian government spies targeting over 13,500 Signal users globally. The hackers impersonated Signal, warned of fake security threats, and attempted to trick victims into linking their accounts to devices the attackers controlled.
The campaign was not random. According to German news magazine Der Spiegel, the Russian hackers successfully compromised several high-profile politicians inside Germany. Ó Cearbhaill discovered that among his fellow targets were journalists he had worked with and colleagues—suggesting the attackers used successful compromises to identify fresh victims.
U.S. cybersecurity agency CISA, the UK's National Cyber Security Centre, and Dutch intelligence have all blamed this campaign on Russian government operatives. Signal itself has publicly cautioned users about the phishing attacks.
Ó Cearbhaill has kept his investigation methods under wraps to avoid tipping off the hackers. The Russian operation has been exposed by the one person its operators should have avoided—a security researcher with access to their methods.