
Russian Intelligence Uses Fake Support Texts to Steal Messaging Credentials Across Europe and the U.S.

By Mag-Info Tech editorial · 2026-06-28


A multi-year cyber espionage operation by Russian intelligence services has been uncovered, using carefully crafted SMS messages to trick officials, soldiers, politicians and activists into handing over their messaging app login details. The campaign, revealed by Ukrainian authorities with support from U.S. investigators, shows how adversaries are exploiting mobile messaging platforms to steal sensitive conversations and personal data at scale.

The Security Service of Ukraine (SSU) and the U.S. Federal Bureau of Investigation (FBI) jointly exposed a long-running campaign that targeted messaging accounts across Ukraine, Europe, and the United States. According to the SSU, the attackers sent deceptive SMS messages that appeared to come from the messaging platform’s official support bot, urging recipients to enter their account credentials. Once obtained, these credentials were used to access private messages, contact lists, and personal data belonging to government officials, military personnel, politicians, and activists. The SSU emphasized that the operation was not limited to high-profile targets or organizational accounts; it also compromised personal messaging accounts of Ukrainian citizens, indicating a broad and indiscriminate approach to intelligence gathering.

The attackers’ goal was clear: to infiltrate sensitive networks by harvesting credentials that would unlock private conversations about military operations, political strategies, and economic policies. The SSU warned that once inside these accounts, adversaries could monitor ongoing communications, impersonate users to request sensitive information from contacts, and exfiltrate stored data. This kind of access provides a direct window into decision-making processes, coordination efforts, and confidential exchanges—making it a high-value target for intelligence operations. The campaign highlights how low-cost, high-impact social engineering tactics can bypass technical defenses when combined with psychological manipulation.

This recent disclosure follows broader patterns of Russian cyber operations targeting mobile messaging platforms. While the SSU did not explicitly name the hacking groups involved, previously documented campaigns with similar tactics have been linked to clusters such as Star Blizzard, UNC5792 (also tracked as UAC-0195), and UNC4221 (also known as UAC-0185). These groups have repeatedly used phishing lures disguised as support messages to harvest credentials from users of Signal, WhatsApp, and other secure messaging applications. The recurrence of such tactics underscores a strategic preference for exploiting human trust over exploiting software vulnerabilities—a method that is cheaper, harder to detect, and often more effective against well-defended targets.

The FBI has separately attributed ongoing campaigns by Russian Intelligence Services (RIS) to a broader effort targeting high-value individuals through commercial messaging applications. In these attacks, adversaries trick users into surrendering backup or recovery keys. Such keys are dangerous because they act as a standing credential rather than a one-time code: they exist to restore an account or its backups when the normal login path is unavailable, so an attacker who holds one can sidestep the one-time codes that two-factor authentication relies on and regain access after the victim changes a password or PIN. That persistence also lets adversaries silently monitor the account long after the initial breach, extracting sensitive information without triggering alerts.


In parallel, Ukrainian cybersecurity teams have continued to respond to related threats. The Computer Emergency Response Team of Ukraine (CERT-UA) recently attributed a spear-phishing campaign to the Belarus-aligned threat actor UNC1151 (also known as Ghostwriter or UAC-0057). This campaign targeted government organizations using compromised accounts to deliver an information-stealing malware called OYSTERBLUES. While distinct from the SMS credential harvesting operation, this incident illustrates the broader ecosystem of cyber threats facing Ukraine and its allies, where multiple threat actors use overlapping tactics to infiltrate government and military networks.

The convergence of these campaigns—one focused on credential theft via fake support texts, another on delivering malware through compromised email chains—points to a coordinated Russian cyber strategy aimed at maintaining persistent access to sensitive communications. These operations are not isolated incidents but part of a larger campaign to erode trust in digital communication tools and exploit weaknesses in authentication and user behavior. For organizations and individuals handling sensitive information, the implications are serious: even the most secure messaging platforms can be compromised through human error, and once credentials are stolen, recovery can be difficult without proper safeguards.

To mitigate the risk posed by such credential-harvesting attacks, cybersecurity experts are urging individuals and organizations to adopt a series of practical security measures. First, regularly review the active sessions and linked devices on messaging apps and remove any unfamiliar or outdated entry; an attacker who has linked a device or logged in elsewhere shows up there before any sensitive data is noticeably missing. Second, enable the platform's two-step verification (on Signal and WhatsApp this is a registration PIN), so that an intercepted or phished SMS verification code is not enough on its own to register the account on an attacker's device; where a service offers app-based authenticators, prefer them over SMS codes, which can themselves be intercepted. Third, treat QR codes with extreme caution, especially when received from unknown users: on these platforms scanning a QR code is the normal way to link a new device, so scanning one supplied by an attacker links their device to your account. Fourth, never disclose confirmation codes, PINs, passwords, or account recovery keys; these are the keys to your digital identity and should never be shared, even with supposed support staff. Finally, avoid clicking on suspicious links or opening files from unknown or dubious chats, as these often serve as the initial entry point for credential theft and malware delivery.

These recommendations are not theoretical; they are grounded in real-world incidents where attackers exploited lapses in user vigilance. For example, a government official might receive a message claiming to be from WhatsApp support, warning of a “security alert” and requesting login details to “prevent account suspension.” If the official complies, the attacker gains full control of the account and can monitor private conversations with colleagues, intercept sensitive documents, and impersonate the official to request further access from others. In military contexts, such breaches could reveal troop movements or operational plans; in political settings, they could expose confidential negotiations or strategy documents. The damage is not limited to the compromised account—it can cascade through entire networks of trust.
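The triage logic below is an added example, not code from the article or from the SSU or FBI. It scores an inbound text against the lure traits described above (impersonation of a platform's support bot, a request for codes, PINs or recovery keys, urgency, device-linking prompts, and look-alike domains). The sample messages, the indicator list, the weights and the list of legitimate platform domains are all constructed assumptions for the demonstration.

```python
"""Heuristic triage of inbound SMS/chat messages for messaging-app credential
phishing.  Added example; the messages, indicators, weights and domain list are
constructed assumptions, not data from the article."""
import re
from dataclasses import dataclass, field

# Domains that legitimately belong to the platforms named in the article.
# Assumption for the example; an operator would maintain this list.
KNOWN_DOMAINS = {"signal.org", "whatsapp.com", "telegram.org"}

# (indicator name, pattern, weight).  Weights are arbitrary tuning values.
INDICATORS = [
    ("impersonates_support",
     re.compile(r"\b(?:whatsapp|signal|telegram)\s+(?:support|security|team|bot)\b"
                r"|\bsupport\s+(?:team|bot)\b", re.I), 2),
    ("asks_for_secret",
     re.compile(r"\b(?:(?:verification|confirmation|login|security|2fa)\s+code"
                r"|pin|recovery\s+key|backup\s+key|passwords?|login\s+details)\b", re.I), 3),
    ("urgency",
     re.compile(r"\b(?:within\s+\d+\s+(?:minutes|hours)|immediately|suspend|suspension"
                r"|deactivat|blocked|expire)", re.I), 1),
    ("device_link",
     re.compile(r"\b(?:link(?:ed)?\s+device|scan\s+(?:this|the)\s+qr)", re.I), 3),
]
URL_RE = re.compile(r"https?://([^\s/]+)", re.I)
LOOKALIKE_WEIGHT = 3


@dataclass
class Verdict:
    score: int = 0
    hits: list[str] = field(default_factory=list)
    suspicious_domains: list[str] = field(default_factory=list)

    @property
    def label(self) -> str:
        if self.score >= 5:
            return "likely credential phishing"
        if self.score >= 3:
            return "suspicious"
        return "low"


def lookalike(host: str) -> bool:
    """True if host borrows a known platform's brand without being that domain
    or one of its subdomains (e.g. whatsapp-verify-support.com)."""
    host = host.lower().split(":")[0]
    if any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS):
        return False
    return any(d.split(".")[0] in host for d in KNOWN_DOMAINS)


def triage(message: str) -> Verdict:
    """Score one message; each indicator counts once, each look-alike host once."""
    v = Verdict()
    for name, pattern, weight in INDICATORS:
        if pattern.search(message):
            v.hits.append(name)
            v.score += weight
    for host in URL_RE.findall(message):
        if lookalike(host) and host not in v.suspicious_domains:
            v.suspicious_domains.append(host)
            v.score += LOOKALIKE_WEIGHT
    return v


# Constructed sample traffic: a lure modelled on the scenario in the article,
# a genuine-looking one-time code delivery, a device-linking lure, and chat noise.
SAMPLES = [
    "WhatsApp Support: Security alert! Your account will be suspended within 24 hours. "
    "Confirm your verification code to keep access: https://whatsapp-verify-support.com/secure",
    "Your WhatsApp code is 123-456. Don't share it with anyone.",
    "Signal Support Bot: to keep your chats safe after the security update, "
    "scan this QR code from Settings > Linked Devices.",
    "Hey, are we still meeting at 3? Call me.",
]

if __name__ == "__main__":
    for text in SAMPLES:
        v = triage(text)
        print(f"{v.label:28} score={v.score} hits={v.hits} domains={v.suspicious_domains}")
```

The second sample is deliberately scored low: a bare one-time code delivered by the platform is the normal registration flow, and the danger only begins when a message asks the recipient to send that code somewhere or to scan a code the attacker generated. Running the script prints one line per sample with its label, score, matched indicators and any look-alike hosts.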



The broader implications of this campaign extend beyond immediate data loss. They challenge the assumption that end-to-end encrypted messaging platforms are inherently secure. End-to-end encryption protects message content from the network and from the service operator; it does not protect against an attacker who has been handed the account's credentials or has linked their own device, because that attacker is simply another legitimate endpoint. This means that even platforms like Signal or WhatsApp, long trusted for their security, can become vectors for espionage if users are tricked into revealing their login details. The rise of such attacks also reflects a shift in adversary tactics: instead of investing in zero-day exploits or complex malware, attackers are increasingly relying on deception and psychological manipulation, which are easier to execute and harder to attribute.

For organizations handling sensitive information, this trend underscores the need for layered defenses. Beyond individual user training, institutions should implement session monitoring tools that alert administrators to unusual login activity. They should also enforce policies that restrict the sharing of recovery keys and require secure storage of 2FA secrets. In high-risk environments, organizations may consider deploying dedicated secure messaging systems with hardware-based authentication or integrating behavioral analytics to detect anomalous usage patterns. These measures, combined with regular security awareness training, can help reduce the risk of credential theft and limit the impact of successful breaches.
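As an added example of the session monitoring this paragraph calls for, not code from the article or from any vendor product, the script below replays a constructed sign-in and device-link log and raises an alert when a user's event introduces a never-seen device, a never-seen country, or travel that would require more than airline speed since that user's previous event. The event records, coordinates, event kinds and thresholds are assumptions for the demonstration.

```python
"""Flag unusual sign-ins and newly linked devices in a constructed sign-in log.
Added example, not code from the article or any vendor product.  The event
records, the coordinates and the thresholds are assumptions for the demo."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumption: faster than airline travel is "impossible"
MIN_TRAVEL_KM = 50.0       # assumption: ignore geolocation jitter within a city


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    device_id: str
    country: str
    lat: float
    lon: float
    kind: str  # assumed event types: "session" (login) or "linked_device" (QR link)


def _at(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sign-in log.  alice's last entry is the pattern a QR/device-link
# phish produces: a device never seen before, from a country she has never used,
# 40 minutes after a session from her usual location.
EVENTS = [
    SignIn("alice", _at("2025-03-01T08:00:00+00:00"), "dev-A", "UA", 50.4501, 30.5234, "session"),
    SignIn("alice", _at("2025-03-01T09:30:00+00:00"), "dev-A", "UA", 50.4501, 30.5234, "session"),
    SignIn("bob",   _at("2025-03-01T08:15:00+00:00"), "dev-B", "PL", 52.2297, 21.0122, "session"),
    SignIn("alice", _at("2025-03-02T10:00:00+00:00"), "dev-A", "UA", 50.4501, 30.5234, "session"),
    SignIn("bob",   _at("2025-03-02T10:05:00+00:00"), "dev-B", "PL", 52.2297, 21.0122, "session"),
    SignIn("alice", _at("2025-03-02T10:40:00+00:00"), "dev-Z", "NL", 52.3676, 4.9041, "linked_device"),
]
BASELINE_UNTIL = _at("2025-03-02T00:00:00+00:00")  # events before this only build the profile


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect(events, baseline_until):
    """Return [(event, reasons)] for events at or after baseline_until that
    introduce a new device, a new country, or implausible travel for the user.
    Earlier events build each user's profile silently."""
    devices, countries, last = defaultdict(set), defaultdict(set), {}
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        reasons = []
        if e.ts >= baseline_until:
            if e.device_id not in devices[e.user]:
                reasons.append("new_device")
            if e.country not in countries[e.user]:
                reasons.append("new_country")
            prev = last.get(e.user)
            if prev is not None:
                km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
                hours = (e.ts - prev.ts).total_seconds() / 3600
                if km > MIN_TRAVEL_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                    reasons.append("impossible_travel")
            if reasons:
                alerts.append((e, reasons))
        devices[e.user].add(e.device_id)
        countries[e.user].add(e.country)
        last[e.user] = e
    return alerts


if __name__ == "__main__":
    for e, reasons in detect(EVENTS, BASELINE_UNTIL):
        print(f"ALERT {e.user} {e.ts.isoformat()} {e.kind} {e.device_id} {e.country}: "
              f"{', '.join(reasons)}")
```

The single alert this produces is alice's "linked_device" event from dev-Z: a newly linked device is exactly the artifact a malicious QR code leaves behind, which is why the linked-devices list deserves the same scrutiny as a login history. Enterprise collaboration platforms expose sign-in logs that can feed logic like this; for consumer messaging apps the equivalent signal is usually only visible to the account holder in the app's own linked-devices screen.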

For individuals, especially those in sensitive roles, the key takeaway is to treat every unexpected message as a potential threat. Legitimate support teams will never ask for passwords, recovery keys, or confirmation codes via SMS or chat. If in doubt, users should navigate directly to the official support website or app to verify any request. It is also advisable to use a strong, unique PIN or password for each messaging account's two-step verification and to store recovery keys in a secure, offline location. By adopting a skeptical and proactive stance toward digital communications, users can significantly reduce their exposure to credential harvesting attacks.

The ongoing nature of this campaign suggests that similar operations will continue as long as they remain effective. Russian intelligence services have demonstrated both the willingness and the capability to sustain long-term cyber espionage efforts, adapting their tactics in response to countermeasures. This makes it essential for governments, businesses, and civil society organizations to remain vigilant and to treat mobile messaging security as a critical component of their overall cybersecurity posture. The stakes are not just about protecting personal data—they are about safeguarding national security, democratic processes, and public trust in digital communication.

Looking ahead, cybersecurity professionals expect to see further evolution in these tactics. Attackers may increasingly use AI-generated messages to mimic support bots more convincingly, or leverage deepfake audio to add authenticity to phone-based social engineering attempts. The integration of generative AI into phishing campaigns could lower the barrier to entry for credential harvesting, enabling even less sophisticated actors to launch convincing attacks. This technological shift will require defenses to evolve beyond static rules and toward adaptive, AI-driven detection systems that can identify anomalies in user behavior and message content in real time.


Organizations should also prepare for potential spillover effects. As attackers refine their methods, they may begin targeting not only messaging apps but also collaboration platforms, cloud storage services, and enterprise communication tools. The same tactics used to harvest credentials from a WhatsApp account could be applied to a Microsoft Teams or Slack login, especially if users are accustomed to receiving legitimate notifications from these platforms. This broadening of attack surfaces means that security teams must adopt a unified approach to identity and access management across all digital tools used by their workforce.

In the coming months, security researchers and law enforcement agencies will likely continue to uncover new details about this campaign, including the full scope of compromised accounts and the specific intelligence gathered by the attackers. These findings will be critical in informing both defensive strategies and potential policy responses. Governments may need to consider stricter regulations around the use of recovery keys, enhanced verification processes for high-risk accounts, and international cooperation to disrupt the infrastructure supporting these operations.

For now, the best defense remains a combination of technical safeguards and user awareness. Enabling 2FA, reviewing active sessions, treating unsolicited messages with skepticism, and storing recovery keys securely can collectively reduce the risk of falling victim to credential harvesting. While no system is entirely foolproof, these steps make it significantly harder for attackers to succeed—and in the high-stakes world of cyber espionage, even small barriers can deter determined adversaries.

Ultimately, this campaign serves as a reminder that in cybersecurity, the human element remains both the strongest and weakest link. Technology can encrypt messages and detect intrusions, but it cannot prevent a user from handing over the keys to their own account. As digital communication continues to dominate public and private life, the responsibility to secure it rests not only with developers and security teams but with every individual who uses these tools. By staying informed and adopting rigorous security practices, users can help deny adversaries the access they seek—and protect the integrity of the conversations that shape our world.
