# Russia Turned Signal's QR Code Into a Wiretap — IOCs Inside

  • Writer: Patrick Duggan

On March 20, 2026, the FBI, CISA, NSA, and allied agencies issued joint advisory PSA260320. The subject: Russia's SVR and FSB have a reliable technique for silently reading Signal, WhatsApp, and Telegram messages belonging to government officials, military personnel, journalists, and activists, without exploiting a single vulnerability in those apps.


Our PreCog V2 system caught the supporting infrastructure 35 days before the advisory was published.


## The Technique


Signal, WhatsApp, and Telegram all support linked devices, a legitimate feature that lets you read your messages on a laptop or a second phone. The flow is the same in all three: the new device displays a QR code, and you scan it with the phone that already holds your account. Scanning authorizes that device, and from then on the service delivers a copy of every new message to it with no further prompt on your phone. The detail that matters here is that the QR code is generated by the device being linked, not issued by the service to you. Anyone holding a device they control can generate one.


Russian intelligence identified this as the attack surface.


Here is what the attack looks like. The victim receives what appears to be a Signal security alert, a group invite, or a message forwarded from a trusted contact. The link leads to a page styled to look like Signal's official site: correct colors, correct fonts, correct copy. The page displays a QR code the victim is told to scan to verify their account or join a secure group. The QR code is not a verification check. It is the link-this-device code that the attacker's own client produced when the attacker started the link-a-new-device flow. The victim scans it and approves the link on their phone, exactly as they would for their own laptop. The attacker's device is now linked to the victim's Signal account, and from that point forward it receives a copy of every message the victim sends or receives.


No vulnerability. No exploit. No zero-day. The victim used Signal's own legitimate enrollment feature to authorize the attacker.


The session stays active until the victim opens the linked-devices list and removes the unknown entry. Most people never do this; many don't know the screen exists.
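The point of the technique is that the thing on the phishing page is a provisioning code, not a check. A QR scanner, mail gateway, or user-facing helper can tell the difference before anyone scans it, because the decoded payload names its action. The following is an added example, not code from the advisory or from Signal, WhatsApp, or Telegram. The URI formats are the real apps' (Signal's link-device URI is `sgnl://linkdevice?uuid=...&pub_key=...`, Telegram's QR login is `tg://login?token=...`); the sample payloads, UUID, key, and token are constructed placeholders, and WhatsApp's QR payload (an opaque string rather than a URI) is not handled here.

```python
"""Triage the text decoded from a QR code before a user scans it.

Added example; not code from the advisory or from Signal, WhatsApp or
Telegram. The URI schemes are the real apps' formats; the sample payloads
below are constructed for this example.
"""
from urllib.parse import parse_qs, urlsplit

# (scheme, action) pairs that provision a new device or session when scanned.
# Signal: sgnl://linkdevice?uuid=...&pub_key=...   Telegram: tg://login?token=...
DEVICE_LINK_SCHEMES = {
    ("sgnl", "linkdevice"): "Signal linked-device provisioning",
    ("tg", "login"): "Telegram QR session login",
}


def classify_qr_payload(payload: str) -> dict:
    """Return what scanning this payload would actually do."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    # In these custom schemes the "host" slot carries the action (sgnl://linkdevice).
    action = (parts.netloc or parts.path.lstrip("/")).split("/")[0].lower()
    label = DEVICE_LINK_SCHEMES.get((scheme, action))
    if label:
        params = parse_qs(parts.query)
        return {"verdict": "device_link", "detail": label, "params": sorted(params)}
    if scheme in ("http", "https"):
        host = (parts.hostname or "").lower()
        return {"verdict": "url", "detail": host, "params": []}
    return {"verdict": "text", "detail": payload.strip()[:40], "params": []}


def explain(payload: str) -> str:
    """One-line triage message for a user prompt or a gateway log."""
    result = classify_qr_payload(payload)
    if result["verdict"] == "device_link":
        return (f"STOP: this QR is a {result['detail']} code. Scanning it links the "
                f"device that generated it to your account; it verifies nothing.")
    if result["verdict"] == "url":
        return f"Opens a web page on {result['detail']}; check the domain before tapping."
    return "Plain text; nothing happens on scan."


# Constructed samples. "fake_verify" is what a 'verify your account' page like
# the one described above would actually carry; the UUID and key are placeholders.
SAMPLE_PAYLOADS = {
    "fake_verify": "sgnl://linkdevice?uuid=5d6f0a9c-0000-4000-8000-000000000000&pub_key=BQplaceholderKey",
    "tg_login": "tg://login?token=cGxhY2Vob2xkZXI",
    "group_invite": "https://signal.group/#CjQKIPlaceholderInviteLink",
    "plain": "Meeting moved to 3pm",
}

if __name__ == "__main__":
    for name, payload in SAMPLE_PAYLOADS.items():
        print(f"{name:13s} {explain(payload)}")
```

The useful property is that the verdict does not depend on how the page around the QR code is dressed up: a `sgnl://linkdevice` payload is a link-device request no matter what the surrounding HTML says it is.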


## The Actors


PSA260320 named UNC4221, an FSB-linked operator active since 2022 targeting Ukrainian military Signal users, and Star Blizzard — also known as Callisto Group, operated by Russia's Federal Security Service Center 18. Star Blizzard has been running targeting campaigns against UK and US government officials, defense sector employees, and journalists since at least 2019.


These are the same groups that adapted when end-to-end encryption became standard practice. They didn't try to break the encryption. They moved the attack to the enrollment flow. The message is still readable only on enrolled devices; the attacker simply enrolled one of theirs.


## Our Precursor


DugganUSA PreCog V2 flagged signal.clint9vargo.coupons on February 13, 2026 at 14:06 UTC — 35 days before PSA260320.


The construction is deliberate. It takes "signal", the trusted brand name, as the leftmost label, attaches it to an unrelated registered domain, and deploys it under the .coupons TLD. Browsers don't flag .coupons as suspicious, and most DNS filters don't block it by default. Legitimate businesses almost never register there, so relative to its small registration base it has an exceptionally high ratio of malicious to legitimate domains. It is exactly the kind of infrastructure a signals intelligence shop uses when it needs a domain that survives automated blocklists for a few weeks.


The domain was live, not parked. Our Novel Domain Detector caught it as anomalous: new registration, no legitimate business context, brand impersonation pattern across a TLD with near-zero legitimate Signal traffic.
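The pattern just described (brand token in a label, registrable domain that is not the brand's, low-legitimacy TLD) is simple enough to check programmatically. Below is an added example that does so; it is not DugganUSA's Novel Domain Detector or any code from the feed. The brand allowlist, the short second-level suffix table, and the TLD watchlist are illustrative assumptions (a real deployment would use the full Public Suffix List and its own TLD statistics), and the sample hostnames other than signal.clint9vargo.coupons are constructed.

```python
"""Heuristic check for messenger-brand lookalike hostnames.

Added example, not DugganUSA's detector. BRAND_DOMAINS, SECOND_LEVEL_SUFFIXES
and TLD_WATCHLIST are illustrative assumptions, not authoritative lists.
"""

# Registrable domains the brands actually use (illustrative, not exhaustive).
BRAND_DOMAINS = {
    "signal": {"signal.org", "signal.group", "signal.me"},
    "whatsapp": {"whatsapp.com", "whatsapp.net", "wa.me"},
    "telegram": {"telegram.org", "telegram.me", "t.me"},
}

# Two-label public suffixes; stand-in for the full Public Suffix List.
SECOND_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}

# TLDs with little legitimate traffic for these brands (assumption, seeded
# with the .coupons case from the text).
TLD_WATCHLIST = {"coupons", "zip", "mov", "top", "xyz", "click"}


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1: last two labels, or three when the suffix has two labels."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_hostname(host: str) -> dict:
    """Flag brand tokens outside the brand's own registrable domain, plus watchlist TLDs."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    reg = registrable_domain(host)
    tld = labels[-1]
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if reg in allowed:
            continue  # the brand's own infrastructure, subdomains included
        # Token anywhere in any label: "signal.", "-signal", "signalverify", ...
        hit = [lab for lab in labels if brand in lab]
        if hit:
            findings.append(f"'{brand}' in label(s) {hit} but registrable domain is {reg}")
    if tld in TLD_WATCHLIST:
        findings.append(f"TLD .{tld} is on the low-legitimacy watchlist")
    return {"host": host, "registrable": reg, "suspicious": bool(findings), "findings": findings}


# The page's IOC plus constructed comparison cases.
SAMPLE_HOSTS = [
    "signal.clint9vargo.coupons",
    "updates.signal.org",
    "web.whatsapp.com",
    "whatsapp-web.co.uk",
    "telegram.org.example.click",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        r = assess_hostname(h)
        print(("SUSPICIOUS " if r["suspicious"] else "ok         ") + h)
        for f in r["findings"]:
            print("    " + f)
```

Substring matching on the brand token is deliberately loose and will also hit unrelated names that happen to contain "signal"; treat the output as a triage signal to enrich with registration age and hosting data, as the detector described above does, rather than as a block decision on its own.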


## What the Advisory Doesn't Say Loudly Enough


PSA260320 is written for government security teams. It describes TTPs in incident response language. What it soft-pedals is who the real targets are: anyone who chose Signal specifically because they thought it was safe.


Journalists protecting sources. Defense contractors discussing contract terms. Activists in countries the FSB monitors. NGO workers in Ukraine and adjacent countries. Diplomatic staff. Anyone who downloaded Signal because a lawyer, a source, or a security professional told them it was the right tool.


End-to-end encryption doesn't protect you if the attacker has a linked device on your account. The encryption works perfectly. The attacker is just receiving the decrypted plaintext at the same time you do.


## What to Do Right Now


Open Signal. Go to Settings, then Linked Devices. You should see only devices you have personally linked and recognize. If you see anything unfamiliar, such as a device name you don't recognize or a linking date you don't remember, remove it immediately.


Run the same check in WhatsApp under Settings, then Linked Devices. In Telegram, go to Settings, then Devices, then Active Sessions.


This takes 30 seconds. If an unauthorized device is linked to your account, you will not know until you look.


For anyone handling sensitive information professionally — government employees, defense contractors, journalists working with confidential sources — treat linked-device audits the same way you treat password rotation. Put it on a monthly calendar reminder. The attacker is patient. An active linked-device session can persist for years.


For security teams: add linked-device audit procedures to your onboarding and annual security training. Most employees have never seen that settings screen.


## Our Feed


We index domains impersonating Signal, Telegram, and WhatsApp as part of our live STIX 2.1 feed. signal.clint9vargo.coupons is in the index. If your DNS filter or SIEM was pulling our feed, that domain was already blocked for your users before the advisory was published.


PSA260320 was published March 20. Our IOC was indexed February 13. That gap — 35 days — is what early detection looks like.


Microsoft pulls this feed daily. AT&T pulls this feed daily. Starlink pulls this feed daily. Get the DugganUSA STIX feed — $9/mo.


Search our index: analytics.dugganusa.com/api/v1/search?q=signal+phishing


STIX feed (free): analytics.dugganusa.com/api/v1/stix-feed


Register: analytics.dugganusa.com/stix/register
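Pulling a STIX 2.1 feed into a DNS filter is mostly a matter of extracting the `domain-name` and `url` indicators and emitting resolver rules from them. The following is an added example of that step; it is not the DugganUSA feed client, and SAMPLE_BUNDLE is a constructed bundle in STIX 2.1 shape (the object IDs, timestamps, and every indicator other than the signal.clint9vargo.coupons domain are made up) rather than data fetched from analytics.dugganusa.com. The output is BIND/Unbound response-policy-zone syntax.

```python
"""Turn STIX 2.1 domain-name and url indicators into DNS RPZ block rules.

Added example, not the DugganUSA feed client. SAMPLE_BUNDLE is constructed
in STIX 2.1 shape and is not fetched from the feed.
"""
import json
import re
from urllib.parse import urlsplit

_TS = "2026-02-13T14:06:00.000Z"
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--8e0d3d2e-7b6a-4d8f-9c1e-2a5b7c9d0e1f",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1b2c3d4e-0000-4000-8000-000000000001",
         "created": _TS, "modified": _TS, "pattern_type": "stix",
         "name": "Signal brand impersonation",
         "pattern": "[domain-name:value = 'signal.clint9vargo.coupons']",
         "valid_from": _TS},
        # Same host again as a URL indicator; must not produce a duplicate rule.
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1b2c3d4e-0000-4000-8000-000000000002",
         "created": _TS, "modified": _TS, "pattern_type": "stix",
         "pattern": "[url:value = 'https://signal.clint9vargo.coupons/verify']",
         "valid_from": _TS},
        # Revoked indicator: a consumer that ignores 'revoked' keeps stale blocks.
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1b2c3d4e-0000-4000-8000-000000000003",
         "created": _TS, "modified": "2026-02-14T09:00:00.000Z",
         "pattern_type": "stix", "revoked": True,
         "pattern": "[domain-name:value = 'retracted.example']",
         "valid_from": _TS},
        # IP indicator: not a DNS name, so it belongs in a firewall list, not RPZ.
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1b2c3d4e-0000-4000-8000-000000000004",
         "created": _TS, "modified": _TS, "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.7']",
         "valid_from": _TS},
    ],
})

DOMAIN_RE = re.compile(r"domain-name:value\s*=\s*'([^']+)'")
URL_RE = re.compile(r"url:value\s*=\s*'([^']+)'")
# Conservative hostname syntax check so a malformed indicator cannot break the zone file.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$")


def domains_from_bundle(bundle_json: str) -> set[str]:
    """Hostnames from non-revoked STIX-pattern indicators (domain-name and url)."""
    found = set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        pattern = obj.get("pattern", "")
        hosts = DOMAIN_RE.findall(pattern)
        hosts += [urlsplit(u).hostname or "" for u in URL_RE.findall(pattern)]
        for h in hosts:
            h = h.lower().rstrip(".")
            if HOSTNAME_RE.match(h):
                found.add(h)
    return found


def rpz_lines(domains: set[str]) -> list[str]:
    """NXDOMAIN rules for each domain and all of its subdomains."""
    lines = []
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


if __name__ == "__main__":
    print("\n".join(rpz_lines(domains_from_bundle(SAMPLE_BUNDLE))))
```

Two behaviours are worth keeping in any real consumer: honouring `revoked` so a retracted indicator stops blocking, and validating each hostname before it lands in a zone file, since one bad record can make the resolver reject the whole policy zone.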


Her name was Renee Nicole Good. His name was Alex Jeffery Pretti.


The cheapest, fastest, most accurate threat feed on the internet. 275+ enterprises pulling daily. 1M+ IOCs. 17.4M indexed documents. We beat Zscaler by 43 days on NrodeCodeRAT. Starter tier $9/mo — less than any competitor's sales demo.

