
Russia Used Fake Texts to Steal Messaging Credentials
June 28, 2026
A soldier on the front line receives a text message from what appears to be a military support service, asking them to verify their Signal or WhatsApp credentials to maintain access to secure communications. It looks legitimate. It feels urgent. And the moment they comply, Russian intelligence has everything it needs to intercept their conversations, map their contacts, and potentially compromise an entire unit’s operational security. This is not a hypothetical scenario — according to Ukraine’s Security Service (SBU), it has been happening at scale since at least early 2026, and the implications stretch far beyond the battlefield.
The Operation: How Russian Intelligence Weaponized SMS
Ukraine’s SBU disclosed in late June 2026 that operatives linked to Russian military intelligence — widely attributed to the GRU and its cyber units — had been running a coordinated smishing (SMS phishing) campaign targeting Ukrainian military personnel, government officials, and civilians. The texts impersonated legitimate support channels for popular encrypted messaging applications, including Signal and Telegram, warning recipients of suspicious login activity or account suspension unless they immediately verified their credentials through a provided link.
The infrastructure behind these attacks was sophisticated. According to the SBU’s technical analysis, the actors used SIM farms, spoofed sender IDs, and rapidly rotating domains designed to evade blocklisting. The landing pages mimicked official app interfaces with near-pixel-perfect accuracy, and several were served over HTTPS with valid certificates — a detail that routinely disarms users who’ve been trained to “look for the padlock.”
Credential Harvesting at Scale
What makes this campaign particularly dangerous is its scalability. Unlike spear-phishing attacks that require individualized targeting and significant reconnaissance, bulk smishing campaigns can reach tens of thousands of numbers simultaneously with minimal marginal cost. The SBU reported that some message waves reached over 100,000 recipients in a single 48-hour window. Even a 0.5% compromise rate against that volume translates to 500 accounts — each potentially a node in a military communication network, a journalist’s source list, or a government coordination chain.
The harvested credentials weren’t just used for passive eavesdropping. In several documented cases, attackers used stolen session tokens to silently add linked devices to victims’ accounts, enabling persistent, real-time access to ongoing conversations without triggering obvious login alerts. This technique — sometimes called a “ghost device” attack — exploits the multi-device functionality built into modern messaging apps.
The Technical Anatomy of a Ghost Device Attack
Understanding why this specific attack vector is so dangerous requires a brief look at how linked-device functionality works in applications like Signal and WhatsApp. Both platforms allow users to connect multiple devices to a single account using a QR code or, in some flows, a verification code sent via SMS or generated in-app. The security model assumes that anyone who can complete that verification process has legitimate access to the account.
Russian operators exploited this assumption directly. By harvesting the initial SMS verification code through a fake support portal, they could add a device they controlled as a “linked device” on the victim’s account. From that point forward, all incoming and outgoing messages were mirrored to the attacker’s device in real time — even after the victim changed their password, because linked devices don’t automatically de-authorize on password reset in all implementations.
Why Encrypted Apps Aren’t Automatically Safe
This attack illustrates a critical truth that security practitioners often struggle to communicate to end users: end-to-end encryption protects data in transit, not the endpoint. Signal’s encryption is mathematically sound. The problem isn’t the cryptography — it’s the account takeover that precedes the encryption layer. Once an attacker has a linked device, they are, from the protocol’s perspective, a legitimate recipient. The ciphertext is decrypted for them automatically.
A 2025 study by the Citizen Lab at the University of Toronto documented a similar technical pattern used against civil society groups in Central Asia, finding that account-linking exploits had become the preferred method for accessing encrypted communications precisely because they circumvent the need to break the underlying cryptography. Russia’s use of this technique against wartime targets in 2026 represents a weaponization of that same approach at a geopolitical scale.
The Intelligence Context: Why Ukraine’s Military Is the Perfect Target
Ukraine’s armed forces have leaned heavily on consumer-grade encrypted messaging apps since the 2022 full-scale invasion, partly out of necessity and partly because these tools offer genuine security advantages over legacy military communication systems. Signal in particular became a de facto coordination tool at the platoon and company level, used for everything from logistics requests to casualty reporting.
That adoption pattern created a high-value, high-density target environment. Compromising the Signal account of a company commander doesn’t just reveal their personal conversations — it potentially exposes their entire unit’s network graph, pending orders, supply chain contacts, and the identities of informants or liaison officers. From an intelligence collection standpoint, the return on investment is extraordinary.
Historical Precedent: Russian Cyber Operations in Kinetic Conflict
Russia has a documented history of integrating cyber and signals intelligence operations with kinetic military activity. The 2016 Ukrainian artillery targeting hack — in which GRU operatives compromised an Android app used by D-30 howitzer crews to extract location data — demonstrated the same underlying logic: penetrate the communication layer, and the physical world becomes easier to attack. The 2026 credential harvesting campaign follows that same doctrine, updated for an era when messaging apps have become the primary nervous system of modern military units.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged similar Russian smishing tactics in its 2025 advisory on threats to critical infrastructure, noting that SMS-based credential theft had increased 340% among state-sponsored actors between 2023 and 2025. Ukraine’s experience in 2026 suggests that trajectory has continued upward.
Geopolitical Dimensions: Information Warfare Beyond the Front Line
The SBU’s disclosure wasn’t just a technical bulletin — it was a deliberate strategic communication. By publicly attributing the campaign to Russian intelligence, Ukraine accomplished several things simultaneously: it warned potential victims, it signaled to Russia that the operation had been detected and disrupted, and it contributed to the ongoing international narrative about Russian information warfare tactics. That kind of transparency is itself a defensive tool.
The campaign also targeted non-military actors. Journalists covering the conflict, humanitarian aid workers, and Ukrainian government officials in non-military ministries were all among the reported target sets. This broader scope indicates that the objective wasn’t purely tactical — compromising a humanitarian coordinator’s Signal account yields intelligence about aid delivery routes, donor relationships, and potentially diplomatic back-channels that have strategic value independent of battlefield outcomes.
The Role of Disinformation Amplification
There is a secondary risk that security analysts are only beginning to map: once an attacker has persistent access to a high-value messaging account, they can do more than read. They can write. Injecting false orders, fabricated intelligence reports, or disinformation into compromised accounts — particularly those of trusted military or government figures — could cause tactical confusion, erode institutional trust, or manipulate decision-making at critical moments. The SBU has not confirmed active exploitation of this capability in the current campaign, but the technical preconditions for it exist wherever account takeovers are successful.
Defensive Countermeasures: What Organizations and Individuals Must Do Now
The good news is that this class of attack, while sophisticated in execution, is highly susceptible to procedural defenses. The countermeasures aren’t exotic or expensive — they require discipline, training, and organizational commitment.
Multi-device audit and management should be the immediate first step for any high-risk user. Signal, WhatsApp, and Telegram all allow users to view and remove linked devices from their settings menus. Any device that isn’t recognized should be revoked immediately and treated as an indicator of compromise. Organizations operating in high-threat environments should mandate this audit on a regular schedule — monthly at minimum, weekly for the most sensitive roles.
Registration lock / SIM lock features add a critical layer of defense. Signal’s Registration Lock ties account re-registration to a PIN that SMS-based attackers cannot intercept. Enabling this feature directly defeats the most common variant of the credential harvesting attack described by the SBU, because even if an attacker obtains the SMS verification code, they cannot complete account registration without the PIN.
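As an added illustration of the ghost-device mechanics described earlier and of the linked-device audit and Registration Lock countermeasures just above, the toy account model below (constructed for this article, not Signal’s or WhatsApp’s code) treats the SMS code as the only enrolment gate unless a PIN is set; the phone number, code and PIN values are placeholders.

```python
"""Constructed toy model of the linked-device trust assumption, not Signal's or
WhatsApp's code. It shows why an SMS verification code alone lets an
attacker-controlled device join, why a password reset does not evict it, and
how a Registration Lock PIN plus a linked-device audit close that gap."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    phone: str
    password: str
    registration_pin: Optional[str] = None   # None means Registration Lock is off
    sms_code: Optional[str] = None           # last one-time code sent to the phone
    linked: Dict[str, str] = field(default_factory=dict)   # device_id -> label

    def send_sms_code(self) -> str:
        """Server issues a one-time code; the value is fixed here for the demo."""
        self.sms_code = "482913"
        return self.sms_code

    def register_device(self, dev: str, label: str, code: str,
                        pin: Optional[str] = None) -> bool:
        """Whoever holds the SMS code passes step one; only the PIN gate checks something a phished SMS cannot carry."""
        if code != self.sms_code:
            return False
        if self.registration_pin is not None and pin != self.registration_pin:
            return False                      # lock defeats the phished code
        self.linked[dev] = label
        self.sms_code = None                  # codes are single-use
        return True

    def reset_password(self, new_password: str) -> None:
        """A password change does not touch linked devices: the ghost survives."""
        self.password = new_password

    def audit(self, known: Set[str]) -> List[str]:
        """Device ids the owner does not recognise (indicators of compromise)."""
        return sorted(d for d in self.linked if d not in known)


def ghost_device_scenario(lock_enabled: bool) -> dict:
    """Replay the phishing flow and report what the attacker ends up with."""
    acct = Account("+380000000000", "pw1", registration_pin="7741" if lock_enabled else None)
    acct.register_device("phone-1", "owner handset", acct.send_sms_code(), pin="7741")
    phished = acct.send_sms_code()             # victim types this into the fake portal
    joined = acct.register_device("ghost-1", "unknown", phished)   # attacker has no PIN
    acct.reset_password("pw2")
    survived = "ghost-1" in acct.linked
    flagged = acct.audit({"phone-1"})
    for dev in flagged:
        acct.linked.pop(dev)                   # revoke every unrecognised device
    return {"joined": joined, "survived_reset": survived,
            "flagged": flagged, "after_audit": sorted(acct.linked)}
```

Run `ghost_device_scenario(False)` and `ghost_device_scenario(True)` side by side: without the lock the unknown device joins and outlives the password reset until the audit revokes it; with the lock the phished code alone is rejected.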
Out-of-band verification for any request that arrives via SMS claiming to be from a messaging service or IT support function should be standard policy. Legitimate support channels for Signal, WhatsApp, or Telegram will never ask users to enter credentials or verification codes via a link texted to their phone. A single-sentence policy — “We never text you links to verify your account” — communicated consistently, can neutralize a significant percentage of smishing attempts.
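To turn the “we never text you links to verify your account” rule into something a help desk or SOC can apply to reported texts, here is an added triage helper (constructed for this article, not an SBU or vendor tool); the brand-domain table and the sample messages are assumptions made for the demo.

```python
"""Constructed triage helper for the "we never text you links to verify your
account" rule above; not an SBU or vendor tool. It scores an SMS for the
fake-support pattern the article describes. BRAND_DOMAINS is an assumption."""
import re
from urllib.parse import urlparse

BRAND_DOMAINS = {"signal": {"signal.org"}, "whatsapp": {"whatsapp.com"},
                 "telegram": {"telegram.org"}}
CREDENTIAL_ASK = re.compile(r"verif|credential|password|log ?in|passcode", re.I)
URGENCY = re.compile(r"suspend|immediately|within \d+ ?(hour|minute)|locked|unusual", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the TLDs in this demo."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage_sms(text: str) -> dict:
    """Return verdict ('allow' / 'review' / 'block'), score and reasons."""
    brands = [b for b in BRAND_DOMAINS if b in text.lower()]
    links = URL_RE.findall(text)
    asks = bool(CREDENTIAL_ASK.search(text))
    score, reasons = 0, []
    if brands:
        score += 1; reasons.append("names messenger brand: " + ", ".join(brands))
    if asks:
        score += 1; reasons.append("asks for verification or credentials")
    if URGENCY.search(text):
        score += 1; reasons.append("urgency / suspension pressure")
    for link in links:
        host = urlparse(link).hostname or ""
        score += 1; reasons.append("contains link to " + host)
        if brands and not any(registrable(host) in BRAND_DOMAINS[b] for b in brands):
            score += 2; reasons.append("link domain is not the brand's own")
            if any(b in host for b in brands):     # e.g. signal-verify.example
                score += 1; reasons.append("lookalike host embeds brand name")
    # Article's policy rule: real support never texts a link to verify an
    # account, so brand + link + credential ask is an automatic block.
    if brands and links and asks:
        verdict = "block"
    else:
        verdict = "review" if score >= 3 else "allow"
    return {"verdict": verdict, "score": score, "reasons": reasons}


# Constructed sample messages, not real campaign artefacts.
FAKE_SUPPORT = ("Signal Support: unusual login detected. Verify your account within "
                "24 hours or it will be suspended: https://signal-account-verify.example/login")
PARCEL = "Your parcel is out for delivery. Track it: https://parcel-track.example/a1"
BENIGN = "Briefing moved to 0900, same room."
```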
Organizational Training That Actually Works
Phishing and smishing simulations consistently show that generic security awareness training has minimal impact on behavior in high-stress, time-pressured environments — exactly the conditions experienced by frontline military personnel and their support networks. Research published in the Journal of Cybersecurity (2024) found that scenario-specific training, where participants practice identifying the exact type of attack they’re likely to encounter in their operational context, reduces successful phishing rates by 67% compared to general awareness programs.
For organizations supporting Ukraine’s military, civil society, or government functions, this means training should explicitly address the fake-support-text scenario, use realistic examples drawn from actual campaigns, and be delivered repeatedly in short, high-retention formats rather than annually in multi-hour modules.
Key Takeaways
- Account takeover, not cryptographic compromise, is the primary threat vector against encrypted messaging apps. Russia’s campaign confirms that attackers reliably choose to circumvent encryption rather than break it, by targeting the account authentication layer instead.
- The “ghost device” technique provides persistent, real-time access that survives password changes. All high-risk users should audit their linked devices immediately and enable Registration Lock on Signal.
- Scalable smishing campaigns can achieve strategic intelligence objectives at very low cost. A 0.5% success rate across 100,000 messages yields 500 compromised accounts — potentially spanning military units, government ministries, and media organizations simultaneously.
- Encryption protects data in transit; it cannot protect against an authorized recipient that the attacker controls. Security training must update its messaging to reflect this distinction clearly and consistently.
- Transparency in attribution is itself a defensive tool. Ukraine’s public disclosure of this campaign serves warning, deterrence, and alliance communication functions that purely technical responses cannot.
Conclusion: The Front Line Has a New Address
The SBU’s disclosure of Russia’s fake-support-text campaign is more than a cybersecurity incident report — it is a window into the integrated nature of modern conflict, where signals intelligence, social engineering, and kinetic operations are orchestrated in a single campaign architecture. The techniques Russia is deploying against Ukrainian military and civilian targets today will be adapted, exported, and used against other adversaries tomorrow. State-sponsored smishing infrastructure doesn’t disappear when one conflict ends; it gets repurposed.
For security teams, IT administrators, and organizational leaders outside of active conflict zones, the lesson is urgent: your users are being targeted by the same playbook. The specific pretext may differ — a fake IT helpdesk text instead of a fake Signal support alert — but the mechanism is identical. The defenses are available, proven, and deployable today.
Your immediate action: audit your organization’s linked-device policies for messaging applications, enable Registration Lock on all high-risk Signal accounts, and run a scenario-specific smishing simulation within the next 30 days. If you’re a security leader, schedule a tabletop exercise that specifically walks through the ghost-device attack chain described here. The gap between understanding a threat and having a practiced response to it is exactly where attackers live. Don’t give them the room.