Signal’s phishing crisis exposes the limits of encrypted trust

Signal’s reputation as the gold standard for private messaging just took a direct hit. The FBI revealed this week that Russian hackers have successfully phished users of the encrypted app, gaining access to devices in what the bureau describes as a "huge" campaign TechRadar. The attack doesn’t exploit technical vulnerabilities in Signal’s encryption—it exploits the one weak link no app can patch: human behavior.

Phishing campaigns targeting messaging apps aren’t new, but Signal’s user base makes it a particularly juicy target. The app’s 40 million users Signal Foundation include journalists, activists, and government officials—exactly the kind of high-value targets state-sponsored hackers pursue. The FBI’s involvement suggests this isn’t just another opportunistic scam; it’s a coordinated effort with geopolitical stakes. Yet for all the sophistication of the attack, the methods remain depressingly familiar: fake login pages, spoofed messages, and malicious links dressed up as urgent requests.

What makes this campaign different is the way it weaponizes Signal’s own strengths. The app’s focus on privacy means there’s no central authority to flag suspicious activity or recover compromised accounts. If a user falls for a phishing link, Signal’s servers can’t intervene—even if they wanted to. This hands-off approach has long been a selling point, but in practice, it leaves users more exposed than they realize. The same features that protect conversations from surveillance also make it harder to detect or stop an attack once it’s underway.

The real-world impact of this campaign extends far beyond individual compromised accounts. For organizations that rely on Signal for secure communication—NGOs, media outlets, even some government agencies—the breach is a wake-up call. Many have treated Signal as a set-it-and-forget-it solution, assuming its encryption alone was enough to keep them safe. That assumption just got tested, and the results aren’t pretty. The attack forces a reckoning: no amount of technical security can compensate for poor user habits, and no app can fully protect users from themselves.

Signal’s response so far has been characteristically minimal. The company has long avoided the kind of proactive security features—like suspicious login alerts or two-factor authentication prompts—that could help mitigate phishing risks. That’s by design: Signal prioritizes privacy over convenience, even when convenience might save users from their own mistakes. But this latest campaign may force a shift in that calculus. If state-sponsored hackers are now actively targeting Signal users, the app’s hands-off approach starts to look less like principled design and more like a blind spot.

The broader tech industry should take note. Encrypted messaging apps have spent years competing on who can offer the strongest privacy guarantees, but this attack shows that security is about more than just encryption. It’s about the entire ecosystem—user education, account recovery, and even the psychology of how people interact with their apps. Signal’s phishing crisis isn’t just a problem for Signal; it’s a problem for anyone who assumed encryption alone was enough to stay safe.

For Signal users, the practical takeaway is simple: your app’s encryption won’t save you if you hand over your credentials. Enable Signal’s registration lock (a PIN-based safeguard) if you haven’t already, and treat every unexpected message with skepticism—even if it appears to come from someone you trust. For organizations, the lesson is harder: assume your communications are under constant scrutiny, and plan accordingly. That might mean additional training, stricter verification protocols, or even accepting that no app is truly foolproof.