Commissioned, Curated and Published by Russ. Researched and written with AI.
What’s New This Week
On March 20, 2026, FBI and CISA published joint advisory PSA I-032026-PSA, attributing a wave of Signal, WhatsApp, and Telegram compromises to threat actors affiliated with Russian Intelligence Services. Thousands of accounts have been compromised. The advisory is worth reading carefully – not because Signal is broken, but because the attack surface is one most engineers haven’t thought about.
Changelog
| Date | Summary |
|---|---|
| 22 Mar 2026 | Initial publication following FBI/CISA advisory PSA I-032026-PSA. |
On March 20, 2026, the FBI and CISA published a joint advisory – PSA I-032026-PSA – warning that threat actors affiliated with Russian Intelligence Services are running phishing campaigns against Signal, WhatsApp, and Telegram accounts. Thousands of accounts have been compromised, primarily those of US government officials, military personnel, and journalists.
The headline writes itself. What the headline misses is the technical point, which is the one that actually matters.
The Encryption Is Not Broken
Signal’s end-to-end encryption is intact. The Signal Protocol has not been cracked. No cryptographic vulnerability was exploited. The attacks described in the advisory never touch the ciphertext.
This is worth stating plainly because the coverage tends to imply something more fundamental went wrong. It didn’t. The attack surface here is account-level device management – a completely different layer of the stack.
How the Device-Linking Attack Works
Signal, WhatsApp, and Telegram all support multiple linked devices. When you install Signal Desktop, you scan a QR code that registers your laptop as an authorised recipient for your account. From that point forward, your desktop gets every message you send and receive, decrypted locally. This is the designed behaviour – the feature works exactly as intended.
The attack abuses this feature directly.
An attacker impersonates a trusted contact, an IT support team, or – in some cases documented in the advisory – Signal Support. They send a message asking the target to complete a mandatory verification procedure, or claim there is a suspicious login that needs to be confirmed. They provide a QR code.
The target scans it. The QR code is legitimate Signal infrastructure – it is just pointing at a device the attacker controls instead of the target’s own desktop. The attacker’s device is now silently added to the target’s linked device list. From this point on, every message the target sends or receives is also delivered – decrypted – to the attacker’s device, in real time.
No malware required. No device access required. The attacker never touched the target’s phone.
The second attack vector is more conventional: phishing for the SMS verification code. Messages tell the target their account needs reverification. The target hands over the six-digit code that was just sent to their phone. The attacker uses it to register the account on a new device. Full account takeover.
The advisory notes that legitimate support teams will not request verification codes via direct message. That is the tell. Support teams for these apps do not operate via DM, and they never ask for your verification code.
The Engineering Insight
Every multi-device sync feature in an E2EE app creates an account-level attack surface that exists entirely outside the cryptographic guarantees.
The crypto is sound. The threat model assumes the device list is authoritative. If an attacker can add themselves to that list – through social engineering, not through breaking encryption – they become a legitimate recipient of every message on the account. The protocol faithfully delivers encrypted messages to all registered devices, decrypts them correctly on each, and has no way to distinguish an authorised device from a compromised one once the linking step has been completed.
This is not a Signal-specific problem. It is a property of any E2EE system with multi-device support. The convenience feature and the security guarantee exist in tension: the more devices you can add easily, the more ways an attacker has to become one of them.
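The property described above can be shown in a few dozen lines. The following is an added illustration written for this post, not Signal's code: the real Signal Protocol keeps a separate ratcheting session per device, whereas this toy gives each device its own symmetric key and uses a SHA-256-derived keystream XOR as a stand-in for encryption. The account, device names, provisioning tokens and message are all constructed. What it demonstrates is the point made in the section: the service fans every message out to every linked device, the only check at link time is whether the one-time token is valid, and nothing in the protocol can tell an owner-linked laptop from a device linked during a phishing conversation.

```python
"""Toy model of multi-device fan-out in an E2EE messenger (added example,
not Signal's code). Each device holds a symmetric key; 'encryption' is a
SHA-256 keystream XOR. All names, keys and messages are constructed."""
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    inbox: list = field(default_factory=list)


@dataclass
class Account:
    phone: str
    devices: dict = field(default_factory=dict)       # name -> Device
    pending_tokens: set = field(default_factory=set)  # unused linking tokens


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy per-device encryption: nonce || plaintext XOR keystream(key, nonce)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def open_box(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def issue_provisioning_token(account: Account) -> str:
    """Conceptually what a linking QR code carries: a one-time linking secret."""
    token = secrets.token_hex(16)
    account.pending_tokens.add(token)
    return token


def link_device(account: Account, token: str, device: Device) -> None:
    """The only check the service can make: is the token valid and unused?
    Which person is holding the device that presents it is invisible here."""
    if token not in account.pending_tokens:
        raise PermissionError("invalid or already-used provisioning token")
    account.pending_tokens.discard(token)
    account.devices[device.name] = device


def send_to_account(account: Account, plaintext: bytes) -> None:
    """Fan-out: one ciphertext per linked device, readable only with its key."""
    for dev in account.devices.values():
        dev.inbox.append(seal(dev.key, plaintext))


def read_inbox(device: Device) -> list:
    return [open_box(device.key, blob) for blob in device.inbox]


def scenario() -> dict:
    """Primary phone, an owner-linked laptop, and a third device linked with a
    token the owner scanned at someone else's request (the advisory's case).
    Returns what each device can read plus what an unlinked device sees."""
    acct = Account("+1-555-0100 (constructed)")
    acct.devices["primary-phone"] = Device("primary-phone")

    # Normal use: the owner links their own desktop.
    link_device(acct, issue_provisioning_token(acct), Device("owner-laptop"))

    # Same API call, same server-side check: the service cannot tell this apart.
    link_device(acct, issue_provisioning_token(acct), Device("unrecognised-device"))

    send_to_account(acct, b"meet at 09:00, bring the draft")

    outsider = Device("not-linked")  # never linked, so it holds no ciphertext
    result = {name: read_inbox(dev) for name, dev in acct.devices.items()}
    result["not-linked"] = read_inbox(outsider)
    result["linked_names"] = sorted(acct.devices)
    return result


if __name__ == "__main__":
    for name, seen in scenario().items():
        print(name, seen)
```

Note where the check lives: `link_device` is the whole authorisation decision, and it is satisfied by token possession alone. Everything after it (the per-device sealing, the fan-out) behaves correctly for every entry in `devices`, which is exactly why the cryptography offers no protection once the list has been altered.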
Who This Affects Beyond Government Targets
The advisory frames this around high-value intelligence targets – US officials, military, journalists. That is accurate: state-level actors go after state-level targets.
But the attack technique itself has no hard target requirements. The QR code phishing flow works against any Signal or WhatsApp user. If you use Signal for work communications, sensitive source relationships, coordination with journalists, or anything you would prefer to keep private, your device list is a meaningful attack surface. You do not need to be a government official for someone to be interested in reading your messages.
Engineers who use these apps for work – and many do, particularly at organisations that treat corporate Slack as insufficiently private – should treat this as a prompt to audit their setup.
What to Do Right Now
Signal:
- Open Settings > Linked Devices
- Review every entry. You should recognise every device listed by name.
- Tap any unrecognised device and remove it. The removal is immediate.
- Enable registration lock: Settings > Account > Registration Lock. This requires your PIN to register your number on any new device, even with the correct verification code.
- Set a strong PIN and store it somewhere you will not lose it. If you forget it, account recovery is deliberately painful.
WhatsApp:
- Open Settings > Linked Devices
- Review the list. Tap any device you do not recognise and select Log out.
- Enable two-step verification: Settings > Account > Two-Step Verification. This adds a PIN to the account registration flow.
General:
- If you receive any message – from a contact, a support team, or anyone – asking you to scan a QR code for security reasons, do not scan it. Legitimate app support does not operate this way.
- The same applies to verification codes. No legitimate service will DM you to ask for the code that was just sent to your phone. That code is the credential; handing it over is the attack.
The mitigation is not complicated. The hard part is knowing the attack surface exists. Now you do.
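The three controls in the list above (review the linked-device list, turn on the registration lock, treat any DM asking for a code or a QR scan as the attack) can be modelled together to show why each one matters. This is an added example written for this post, not Signal's or WhatsApp's code; the device-list records, the lock semantics and the sample messages are constructed, and the message check is a deliberately simple keyword heuristic rather than anything the apps ship.

```python
"""Account-hygiene checks modelled in code (added example, not the apps'
own logic): linked-device audit, registration lock, and a heuristic for the
'support does not DM you for codes' tell. All data below is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class LinkedDevice:
    name: str
    linked_on: str  # date as the client's Linked Devices screen would show it


def audit_linked_devices(linked: List[LinkedDevice], recognised: Set[str]) -> List[LinkedDevice]:
    """Return every linked device whose name the owner does not recognise.
    Anything returned is a candidate for immediate removal."""
    return [d for d in linked if d.name not in recognised]


@dataclass
class Registration:
    phone: str
    registered_device: str = "primary-phone"
    lock_pin: Optional[str] = None  # None means registration lock is off


def register_on_new_device(reg: Registration, device: str, sms_code: str,
                           expected_sms_code: str, pin: Optional[str] = None) -> bool:
    """Model of re-registering a number on a new device. Without a lock the SMS
    code alone moves the number; with a lock the PIN is required as well, so a
    code handed over in a DM is not sufficient on its own."""
    if sms_code != expected_sms_code:
        return False
    if reg.lock_pin is not None and pin != reg.lock_pin:
        return False
    reg.registered_device = device
    return True


_ASK_WORDS = ("send", "reply", "share", "enter", "provide", "confirm")


def looks_like_credential_request(text: str) -> List[str]:
    """Flag a DM that asks for a verification code or for a QR scan. Simple
    keyword heuristic: it will over-flag ('send me the door code') and that is
    the right failure direction for a prompt to pause and verify out of band."""
    t = text.lower()
    flags = []
    if "code" in t and any(w in t for w in _ASK_WORDS):
        flags.append("asks-for-code")
    if "qr" in t and "scan" in t:
        flags.append("asks-for-qr-scan")
    return flags


def scenario() -> dict:
    # 1. Linked-device review: owner recognises two names, the list has three.
    linked = [LinkedDevice("primary-phone", "2025-01-10"),
              LinkedDevice("owner-laptop", "2025-02-02"),
              LinkedDevice("unrecognised-device", "2026-03-18")]
    unknown = [d.name for d in audit_linked_devices(linked, {"primary-phone", "owner-laptop"})]

    # 2. Registration lock: same phished SMS code, with and without the lock.
    code = "482913"  # constructed six-digit code
    no_lock = Registration("+1-555-0100")
    moved_without_lock = register_on_new_device(no_lock, "other-device", code, code)
    locked = Registration("+1-555-0100", lock_pin="2718-constructed")
    moved_code_only = register_on_new_device(locked, "other-device", code, code)
    moved_code_and_pin = register_on_new_device(locked, "other-device", code, code, "2718-constructed")

    # 3. Message triage over constructed DMs.
    samples = {
        "support_qr": "Signal Support here. To keep your account active, scan the QR code below.",
        "reverify": "Your account needs reverification. Reply with the 6-digit code we just sent.",
        "benign": "Lunch tomorrow? Send me the address.",
    }
    triage = {k: looks_like_credential_request(v) for k, v in samples.items()}

    return {"unknown_devices": unknown, "moved_without_lock": moved_without_lock,
            "moved_code_only": moved_code_only, "moved_code_and_pin": moved_code_and_pin,
            "locked_now_on": locked.registered_device, "triage": triage}


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

The registration-lock rows are the ones to read closely: the same SMS code succeeds outright with the lock off and fails with it on, which is the concrete reason the advisory's second vector (phishing the code) is blunted by a PIN the attacker never sees.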
Sources: FBI/CISA PSA I-032026-PSA via BleepingComputer – The Hacker News – SecurityAffairs