Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
The FBI and CISA just issued a joint advisory: Russian intelligence-linked hackers have compromised thousands of Signal and WhatsApp accounts.
Read fast and you might think: “Maybe those apps aren’t as secure as advertised.” That’s the wrong takeaway. The encryption is fine. It worked exactly as designed.
What’s not working is the human trust layer that sits above it.
Russian operatives didn’t break end-to-end encryption. They posed as Signal support staff and convinced targets to click malicious links, hand over verification codes, or share PINs. Once inside, they had full access – message history, contact lists, an established identity to phish further. Thousands of current and former US government officials, military personnel, and journalists were compromised.
This isn’t based on intelligence chatter. The Netherlands flagged this campaign in March. Germany warned in February. Google’s Threat Analysis Group documented it in Ukraine months ago. The US government is now formally confirming it at scale.
Encryption protects data in transit. It has no opinion about whether the person approving a new linked device is actually you. If someone tricks you into approving their device on your Signal account, they receive every message you do. Cryptographically. Legitimately. The protocol worked correctly while the attacker walked right through.
The attack structure is standard social engineering: create urgency, present plausible authority, offer a simple action. It works on intelligent, cautious people because it’s designed to bypass careful thinking, not intelligence.
Separate reporting confirms Chinese threat actors (Salt Typhoon) remain active inside US telecom infrastructure months after public disclosure and carrier notifications. They didn’t break encryption either – they’re inside the infrastructure that carries messages before and after encryption. Your Signal message is encrypted. The metadata about who you’re talking to, when, and from where may not be.
Review linked devices. In Signal: Settings > Linked Devices. Remove anything you don’t recognize.
Enable Registration Lock. Requires your PIN before a new device can register. Single highest-impact setting most people haven’t turned on.
Verify urgent requests out-of-band. If someone messages you urgently asking you to take action – call them. Urgency is a social engineering tool. Slow down when you feel pressure to move fast.
Higher-risk individuals: If your communications are operationally interesting to a foreign intelligence service, turn on Lockdown Mode and use Signal’s Safety Number verification with sensitive contacts.
The cryptography held. Everything else is still on us.