Signal’s encryption is solid. WhatsApp’s too. The math checks out. Nobody’s breaking that crypto anytime soon.

They don’t have to.

The UK’s National Cyber Security Centre just warned of “growing malicious activity from Russia-based actors using messaging apps to target high-risk individuals.” The Dutch MIVD issued separate guidance around the same time. Both agencies are pointing at the same problem, and it has nothing to do with encryption.

Russia-linked FSB actors are going after Signal, WhatsApp, and Messenger accounts belonging to journalists, lawyers, activists, and people in government. The techniques are embarrassingly simple: malicious QR codes, device linking tricks, phishing for verification codes, impersonating trusted contacts, even infiltrating group chats to build credibility before striking.

Think about how Signal’s linked devices feature works. Scan a QR code, and a new device gets full access to your messages. Incredibly convenient. Also incredibly dangerous if someone tricks you into scanning the wrong one. An attacker who links their device to your account reads everything you send and receive, in real time, without touching the encryption.

Do this right now. Pick up your phone. Go to Settings > Linked Devices on Signal or WhatsApp. If you see anything you don’t recognize, remove it. Ten seconds.

Then: never share verification codes with anyone. Don’t scan unexpected QR codes. Enable Registration Lock on Signal and two-step verification on WhatsApp. Check your linked devices regularly, not just once.

There’s a persistent misconception that end-to-end encryption makes you untouchable. It doesn’t. Encryption protects messages in transit. It does nothing to stop you from giving someone access to your account.

They’re not trying to crack the code. They’re trying to crack you.


NCSC guidance and full defensive checklist