FBI and Ukraine Expose Russian Smishing Campaign Stealing Messaging Credentials
What Happened
The Security Service of Ukraine (SSU) and the FBI have jointly disclosed a long-running Russian intelligence operation that used fake "support" text messages to compromise messaging app accounts belonging to government officials, military personnel, and politicians. The campaign relied on smishing — SMS-based phishing — where targets received texts impersonating platform support teams, tricking them into surrendering authentication credentials or session tokens and granting attackers persistent access to encrypted messaging platforms.
Why It Matters
When an adversary gains access to a messaging account rather than merely intercepting traffic in transit, end-to-end encryption provides no protection, because the attacker now holds a legitimate endpoint. Everything is readable: linked devices, full message history, contact lists, active threads. For the officials targeted here the damage is obvious — operational security destroyed, coordination plans exposed.
The risk extends well beyond government targets. Technical professionals who hold infrastructure credentials, manage sensitive systems, or communicate with defense or government clients are attractive pivot points. Russian intelligence services routinely use one compromised account to reach higher-value targets through existing trust relationships. The "fake support" lure is especially effective because legitimate platforms genuinely do send account-security alerts by SMS — users have been conditioned to respond.
The fact that the SSU and FBI issued a joint public disclosure signals this campaign reached a scale and maturity warranting broad warning. Active, named-nation operations of this type do not stay narrowly targeted.
What to Do
Do these now — each takes under two minutes:
- Audit linked devices. In Signal: Settings → Account → Linked Devices. In Telegram: Settings → Devices. Remove anything you don't recognize.
- Enable registration lock / two-step verification. Signal and Telegram both offer a secondary PIN that blocks re-registration of your number even if an attacker intercepts an SMS code. If you haven't set this, do it immediately.
- Treat all unsolicited support texts as untrusted. No legitimate messaging platform will ask for credentials, QR codes, or one-time codes over an inbound SMS. If you receive one, navigate directly to the app or official site — never through a link in the text.
- Replace SMS-based MFA with TOTP or hardware keys. SMS authentication is vulnerable to SIM-swapping and carrier-level interception. Migrate to an authenticator app or FIDO2 hardware key wherever your threat model justifies it.
- Brief your team. If you manage staff with access to sensitive systems or government-adjacent communications, share this advisory today. Social engineering campaigns succeed fastest against people who haven't heard the warning.
Synthesized by Claude · sanity-checked before publish.