Russian Hackers Exploit Signal’s ‘Linked Devices’ Feature to Spy on Encrypted Conversations

Cybersecurity experts are raising alarms after uncovering a stealthy hacking campaign by Russian state-sponsored attackers that hijacks Signal Messenger accounts to eavesdrop on private, encrypted conversations in real time.
In a newly released investigation, security researchers from Mandiant, a division of Google, warn that multiple Russian Advanced Persistent Threat (APT) groups have developed a powerful method to compromise Signal’s “linked devices” feature — a key capability that allows users to sync their secure messaging app across multiple phones, tablets, or computers.
However, this convenience is being twisted into a dangerous weapon. By exploiting linked devices, hackers can invisibly tap into victims’ accounts and monitor their encrypted messages without breaking Signal’s end-to-end encryption. Once access is gained, every message is copied directly to the attackers—without the target ever knowing.
How the Attack Works: QR Code Phishing and Device Hijacking
The hackers’ method relies on deception. Victims are tricked into scanning malicious QR codes that look like legitimate Signal group invites or device-pairing instructions. Once scanned, the attackers’ device is secretly added to the victim’s Signal account as a “linked device.”
From that moment on, all messages, both sent and received, are mirrored in real time to the attacker’s system. This sidesteps Signal’s robust encryption: the attackers do not break it, they join the conversation as an authorized participant.
Mandiant’s report highlights that:
- Russian APT groups aligned with the Kremlin have been seen using this method in phishing attacks targeting military personnel, politicians, journalists, and activists—individuals who commonly rely on Signal for secure communications.
- These phishing pages often mimic Signal’s official interface or pose as trusted apps like the Ukrainian military’s artillery guidance tool, Kropyva.
- In battlefield scenarios, Russian forces have been caught using captured devices to link Signal accounts back to their servers for intelligence gathering.
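The mismatch these lures depend on, a QR code presented as a group invite that actually starts device linking, can be checked on the decoded QR text before anyone scans it. The following is an added example, not code from Mandiant or Signal; the URI forms (`sgnl://linkdevice` for linking, `https://signal.group/#...` for invites) are assumptions based on Signal's public client behaviour, the function names are hypothetical, and all sample values are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed URI forms (Signal's public client behaviour, not given in the article):
#   device linking: sgnl://linkdevice?uuid=...&pub_key=...
#   group invite:   https://signal.group/#<invite data>
# All sample values below are constructed placeholders.
LINK_QR = "sgnl://linkdevice?uuid=CONSTRUCTED-ID&pub_key=CONSTRUCTED-KEY"
INVITE_QR = "https://signal.group/#CONSTRUCTED-INVITE"
LOOKALIKE_QR = "https://signal-groups.example/join"


def classify_qr_payload(payload: str) -> str:
    """Classify the text decoded from a QR code by the action it triggers."""
    url = urlsplit(payload.strip())
    scheme, host = url.scheme.lower(), (url.hostname or "").lower()
    if scheme == "sgnl" and host == "linkdevice":
        params = parse_qs(url.query)
        # A complete linking request carries a provisioning id and a public key.
        complete = "uuid" in params and "pub_key" in params
        return "device-link" if complete else "malformed-device-link"
    if scheme == "https" and host == "signal.group" and url.fragment:
        return "group-invite"
    if scheme in ("http", "https"):
        return "web-link"
    return "other"


def triage(payload: str, claimed_purpose: str) -> str:
    """Compare what the lure claims with what scanning would actually do."""
    actual = classify_qr_payload(payload)
    if actual.endswith("device-link"):
        if claimed_purpose != "device-link":
            return f"block: presented as {claimed_purpose} but links a new device"
        return "review: confirm the user started linking from their own device"
    if claimed_purpose == "group-invite" and actual != "group-invite":
        return "suspicious: group invite does not point to signal.group"
    return f"ok: {actual}"


if __name__ == "__main__":
    for qr in (LINK_QR, INVITE_QR, LOOKALIKE_QR):
        print(triage(qr, "group-invite"))
```
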
Invisible Access: Why This Exploit Is So Dangerous
One of the most concerning aspects of this attack is how quietly it operates. Signal users typically don’t receive any noticeable alerts when a new device is linked to their account. This allows hackers to maintain long-term surveillance without detection.
Mandiant describes the technique as a “low-signature form of initial access,” meaning it leaves few traces behind. Without actively checking their “Linked Devices” settings, victims may remain unaware for months—or even longer—that their private conversations are being broadcast to hostile actors.
Broader Target: WhatsApp and Telegram at Risk Too
While Signal is the current focus, Mandiant emphasizes that this type of linked-device attack is not unique to Signal. Russian hackers are deploying similar tactics against other widely used messaging apps, including WhatsApp and Telegram.
All of these apps allow multi-device synchronization, and the process often involves QR codes for convenience—making them ripe for abuse through phishing.
Real-World Espionage: Military and Political Targets
The attackers’ primary focus appears to be gathering intelligence from high-value individuals and groups, including:
- Ukrainian military personnel
- European politicians
- Investigative journalists
- Human rights activists
One particularly sophisticated operation saw Russia’s notorious Sandworm hacking group leveraging this technique on the battlefield. After capturing enemy soldiers’ phones, they linked the devices to their infrastructure, enabling them to spy on military communications in real time.
Signs You Could Be Compromised
Since this attack method is designed to be silent, self-checking is crucial. Here are some steps to detect and prevent unauthorized access:
- Review Linked Devices Regularly: Open your Signal app, go to Settings → Linked Devices, and carefully inspect the list. If you see an unfamiliar device, unlink it immediately.
- Enable Screen Lock: Use a long, complex password on your phone. This makes it harder for someone to link a device if they briefly gain physical access.
- Stay Updated: Always install the latest version of Signal and other messaging apps. Updates often include security enhancements that can reduce attack surfaces.
- Beware of QR Codes: Treat unexpected QR codes with suspicion, even if they appear to come from a trusted source. Verify group invites directly with the sender before scanning.
- Use Multi-Factor Authentication (MFA): While Signal itself doesn’t support MFA for linking devices, enabling two-factor authentication on your smartphone’s cloud backups and accounts can provide an extra layer of defense.
What Signal Users Should Do Now
Mandiant’s report is a sobering reminder that no app is immune to exploitation—especially when facing nation-state actors with vast resources. Signal’s end-to-end encryption remains robust, but this attack bypasses encryption by exploiting human behavior and the app’s device-syncing convenience.
If you’re in a sensitive profession or live in a region with active surveillance threats, auditing your Signal security settings should become a regular habit.
Security experts stress that vigilance is key:
- High-risk users (military personnel, journalists, activists) should check linked devices weekly.
- Avoid scanning QR codes unless absolutely certain of their source.
- Report suspicious messages or phishing attempts to your organization’s IT team or cybersecurity provider.
A New Era of Silent Surveillance
The exploitation of Signal’s “linked devices” feature marks a chilling evolution in state-backed cyber-espionage. Unlike malware that leaves traces or disrupts systems, this method operates quietly, blending into the background while funneling sensitive conversations to Russian intelligence agencies.