Media Talk Africa

Signal phishing attack targets Amnesty researcher, 13,500 users

Portrait of hacker and IT security researcher Donncha Ó Cearbhaill at Amnesty International's offices in Berlin-Mitte.

A security researcher who studies spyware attacks became the latest victim of a large‑scale phishing campaign targeting users of the encrypted messaging app Signal. Donncha Ó Cearbhaill, who leads Amnesty International’s Security Lab, received a fake “Signal Security Support ChatBot” message warning of “suspicious activity” on his device and demanding that he enter a verification code to prevent a data leak.

Ó Cearbhaill recognised the message as a classic social‑engineering ploy and, rather than ignoring it, used the incident as a chance to investigate the broader operation. In an interview with TechCrunch he said he had never before been the target of a one‑click cyber‑attack of this nature. The phishing attempt, he discovered, was part of a campaign that has affected thousands of Signal users.

The fraudsters impersonate Signal, claim that the account is at risk, and instruct recipients to supply a verification code that would give the attackers control of the account and allow them to link it to a device under their control. The technique mirrors tactics described in alerts from the United States Cybersecurity and Infrastructure Security Agency (CISA), the United Kingdom’s National Cyber Security Centre and Dutch intelligence, all of which have attributed similar attacks to Russian state‑linked threat actors. Signal itself has previously warned users about phishing messages that spoof its brand.

Through analysis of the message and its metadata, Ó Cearbhaill determined that more than 13,500 individuals had been targeted. Among them were journalists he had previously collaborated with and a colleague from Amnesty International. He described the pattern as a “snowball” effect: once a single account in a group chat is compromised, the attackers harvest the contacts list and expand the victim pool.

The researcher identified the tool the hackers employ as “ApocalypseZ”, an automated framework that enables bulk phishing campaigns with minimal human oversight. The codebase and operator interface are in Russian, and victim chats are being translated into Russian before being processed, reinforcing the link to the Russian‑backed group previously cited by Western intelligence agencies. Ó Cearbhaill continues to monitor the campaign and believes the total number of affected users is larger than the initial figure he uncovered.

While Ó Cearbhaill does not expect further attacks against him personally, he welcomed any future communications that might include undisclosed security vulnerabilities, noting that such “zero‑day” information is valuable for defensive research. For ordinary Signal users, he recommends enabling the app’s Registration Lock feature, which requires a personal PIN before a phone number can be registered on a new device, thereby mitigating the risk of account hijacking.

The incident highlights the persistent threat posed by state‑affiliated cyber‑espionage groups that exploit trusted platforms to harvest communications data. As encrypted messaging becomes more prevalent across Africa and worldwide, users are urged to remain vigilant, verify any security prompts through official channels, and adopt available protective settings. Ongoing collaboration between security researchers, platform providers and national cyber‑security agencies will be essential to curb such campaigns and safeguard digital communications.

Ifunanya
