Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab and a veteran spyware investigator, recently became the target of a sophisticated phishing campaign. The attack, which impersonated Signal’s support team, exposed a massive, automated operation linked to Russian state-sponsored hackers.
The Anatomy of the Signal Phishing Scam
The attack began with a deceptive message sent directly to Ó Cearbhaill’s Signal account. Claiming to be the “Signal Security Support ChatBot,” the hackers warned of a fabricated “data leak” and “suspicious activity.” To “resolve” the issue, the message urged the researcher to enter a verification code into the fraudulent chatbot—a classic social engineering trap designed to hijack the victim’s account by linking it to a device controlled by the attackers.

Recognizing the threat immediately, Ó Cearbhaill transitioned from target to investigator, using the incident to map the scale of the campaign. His findings indicate that he was one of more than 13,500 individuals targeted by the group.
“ApocalypseZ”: The Automation Behind the Attacks
The investigation revealed that the hackers are utilizing a specialized tool dubbed “ApocalypseZ.” This system automates the delivery of phishing lures, allowing the threat actors to conduct bulk attacks with minimal human oversight. Evidence, including Russian-language code and operator interfaces, strongly suggests the campaign is the work of Russian government-backed hackers.
The campaign operates on a “snowball” effect. Hackers compromise one user, gain access to their contact list and group chats, and then use that trusted network to launch subsequent attacks on new victims. This explains how high-profile figures, including journalists and government officials, have been caught in the crosshairs.
Global Warnings and Strategic Links
These tactics match recent warnings from the U.S. CISA, the U.K.’s NCSC, and Dutch intelligence services. Previous reports from Der Spiegel confirmed that these operations have compromised individuals in Germany, including high-level politicians.
How to Secure Your Signal Account
While the threat remains active, users can significantly harden their defenses. Ó Cearbhaill stresses that the most effective countermeasure is enabling the Registration Lock feature. By setting a personal PIN, users prevent attackers from registering the user's phone number on a device the user does not control, even if the hackers manage to obtain a verification code.
As for the hackers who attempted to compromise him, Ó Cearbhaill remains undeterred. “I welcome future messages,” he remarked, noting that he continues to monitor the campaign as it evolves. He views the attempt as a tactical error by the hackers, who inadvertently provided a security expert with a window into their operations.
