
Google's threat intelligence team revealed that Russian-linked hacker groups UNC5792 and UNC4221 systematically targeted Signal, the encrypted messaging service widely used for secure communications. Meanwhile, X (formerly Twitter) blocked Signal.me links on its platform over spam and malware concerns.
By spoofing group invite QR codes, the hackers abuse Signal's Linked Devices feature to secretly link victims' devices to third-party devices controlled by the attacker.
These attacker-controlled devices then gain real-time access to every message the victim sends or receives, because each message is delivered simultaneously to the threat actor-controlled Signal instance.
Dan Black, a cybersecurity researcher at Google, explained in the recent security report, “Every message is relayed in real-time to the attackers while the victim remains unaware.”
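A defensive check for the technique described above, as an added example that is not from Google's report or from Signal's code: it classifies the text decoded from a QR code and flags a device-linking URI that was presented as a group invite. The `sgnl://linkdevice`, `signal.group` and `signal.me` link shapes are assumptions based on Signal's public link formats rather than on this article, the function names are hypothetical, and the sample payloads are constructed.

```python
from urllib.parse import urlsplit, unquote

# Assumed link shapes (Signal's public formats, not given in the article):
#   device linking: sgnl://linkdevice?uuid=...&pub_key=...
#   group invite:   https://signal.group/#...
#   contact link:   https://signal.me/#...
LINK_MARKER = "sgnl://linkdevice"

def classify_qr_payload(payload: str) -> str:
    """Classify the text decoded from a QR code."""
    text = payload.strip()
    try:
        parts = urlsplit(text)
        scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return "other"
    if scheme == "sgnl" and host == "linkdevice":
        return "device_link"
    # A web URL can carry the linking URI percent-encoded (even twice)
    # in a parameter or fragment, so decode a few rounds before searching.
    decoded = text
    for _ in range(3):
        decoded = unquote(decoded)
    if LINK_MARKER in decoded.lower():
        return "embedded_device_link"
    if scheme == "https" and host == "signal.group":
        return "group_invite"
    if scheme == "https" and host == "signal.me":
        return "contact_link"
    return "other"

def triage(payload: str, presented_as: str) -> tuple[str, str]:
    """Compare what the code really is with what the sender said it was."""
    kind = classify_qr_payload(payload)
    if kind.endswith("device_link") and presented_as != "device_link":
        return kind, "block"   # would link a new device to the account
    if kind != presented_as:
        return kind, "review"  # not what it claims, but not a linking URI
    return kind, "allow"

# Constructed sample payloads (placeholders, not real identifiers).
SAMPLES = [
    ("sgnl://linkdevice?uuid=EXAMPLE-UUID&pub_key=EXAMPLE-KEY", "group_invite"),
    ("https://example.invalid/join?next=sgnl%253A%252F%252Flinkdevice%253Fuuid%253DX", "group_invite"),
    ("https://signal.group/#EXAMPLE-INVITE", "group_invite"),
]

if __name__ == "__main__":
    for payload, claimed in SAMPLES:
        print(triage(payload, claimed), payload)
```

The same comparison applies to links as well as QR codes: the signal that matters is a mismatch between what a code is presented as and what it would do when opened.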
Upon receiving Google's report, Signal prioritized developing countermeasures. The app recently released iOS and Android updates.
While Russia’s military has leveraged this phishing method against Ukrainian soldiers, the danger isn’t confined to war zones. Google warned the same technique could be repurposed to target dissidents, activists, and even everyday Signal users globally.
Reports also indicate similar strategies have been used to compromise other secure communication platforms like WhatsApp and Telegram. However, Signal has been a focal point due to its heavy tactical use within the Ukrainian military.
The issue takes a curious twist with recent reports that X blocked Signal.me links, citing concerns over spam and malware. Users attempting to share Signal.me URLs via posts, direct messages, or profile bios receive error messages stating, “This request looks like it might be automated.”
Interestingly, other URLs related to Signal—such as Signal.org—are reportedly unaffected. The timing and reason behind the block remain speculative, with journalist Matt Binder suggesting it was a recent platform change.
Despite these blocks, pre-existing Signal.me links on X remain clickable, though users are met with warnings about potential risks.