A security researcher at Amnesty International’s Security Lab turned a phishing attack on his own Signal account into an investigation of a likely Russian government hacking campaign, revealing that more than 13,500 people had been targeted.
Donncha Ó Cearbhaill, who heads Amnesty International’s Security Lab and investigates spyware attacks, received a message earlier in 2026 impersonating Signal’s support team and warning of “suspicious activity” on his device. The message urged him to enter a verification code into a “Signal Security Support Chatbot” — a tactic designed to link his account to a device controlled by the attackers. Ó Cearbhaill immediately recognized the attempt as a phishing attack and chose to investigate rather than ignore it.
His investigation revealed the hackers were using an automated system called “ApocalypseZ,” which allows attackers to target large numbers of people simultaneously with limited human oversight. The codebase and operator interface were in Russian, and victim chats were being translated into Russian — details consistent with attribution by CISA, the UK’s cybersecurity agency, and Dutch intelligence, all of which have publicly blamed the campaign on Russian government spies. German news magazine Der Spiegel separately reported that the hackers compromised several people in Germany, including high-profile politicians.
Ó Cearbhaill said he likely became a target through what he called a “snowball hypothesis” — the hackers compromised someone in a shared group chat, then used that access to identify new targets, including the researcher himself, journalists he had worked with, and a colleague.
He said the campaign is ongoing and the total number of targets is likely significantly higher than the 13,500 he identified earlier this year.
Signal users concerned about this type of attack can enable Registration Lock, a feature that requires a user-set PIN before a phone number can be registered on a new device, which would block the method used in this campaign.
Source: TechCrunch