Issue #001 | Week 5, January 2026
The promise of end-to-end encryption has long made Signal the go-to choice for journalists, activists, and security-conscious users. But a troubling pattern has emerged: attackers are not breaking the encryption. They are bypassing it entirely.
The Norwegian Front
In January 2026, Telenor issued an urgent warning about sophisticated “Signal support” scams. Victims receive messages appearing to come from official Signal customer service, claiming their phone number is registered to multiple devices. Under threat of account closure, they’re asked to share an SMS verification code. Once shared, attackers gain complete account control.
“This is classic social engineering. Attackers exploit both brand trust and time pressure to make users act quickly and uncritically.”
Thorbjorn Busch, Security Leader, Telenor
The Russian Connection
Google’s Threat Intelligence team has documented Russian APT groups, including the notorious Sandworm (APT44), actively exploiting Signal’s “Linked Devices” feature for real-time surveillance.
Real-world consequence: A compromised Signal account led Russia to launch an artillery strike against a Ukrainian army brigade, resulting in casualties.
Protect Yourself
- Enable Registration Lock. Requires your PIN to register Signal on new devices
- Audit Linked Devices. Check Settings → Linked Devices regularly
- Never Share SMS Codes. Signal will never ask for verification codes
- Verify QR Codes. Only scan codes generated directly within Signal
This Week In Breaches
ESA Servers Compromised
200GB stolen including API tokens, Bitbucket repos, and source code
Ledger Wallet Data Breach
292,000 customers exposed via payment processor Global-e
Trust Wallet Chrome Extension Hack
Shai-Hulud supply chain attack. $8.5 million stolen.
DarkSpectre Browser Extensions
Chinese threat group compromised 8.8 million users over 7 years
Ransomware Roundup
LockBit 5: Eros Elevators (India), Collins Computing (USA)
Qilin: Sugawara Labs (Japan), CSV Group (Italy), Auforum AG (Switzerland, 74GB)
Quick Stats
| Metric | Value |
|---|---|
| SMS blocked by Telenor (2024) | 60 million |
| Scam calls blocked by Telia (2025) | 95.1 million |
| DarkSpectre infections | 8.8 million |
| Trust Wallet theft | $8.5 million |
Questions or tips? Contact HAL0zum@proton.me
