Shared Security Podcast

Russian intelligence services are targeting Signal, WhatsApp, and Telegram users through phishing, linked-device abuse, and backup recovery key theft — not by breaking encryption.

Show Notes

Russian intelligence services are targeting Signal, WhatsApp, and Telegram users — not by breaking encryption, but by stealing accounts through phishing, QR code tricks, linked-device abuse, and backup recovery key theft. Tom and Kevin break down the FBI warning, the $10 million Rewards for Justice bounty, and the practical security lesson for anyone relying on encrypted messaging: your app can be secure while your account, endpoint, or recovery path is still the weak link.

They also discuss why QR-code phishing and linked-device abuse can bypass what users expect from encrypted messaging, why endpoint and account recovery hygiene matter as much as encrypted transport, what to do when "support" asks for recovery keys or codes, and Tom's personal career update joining Secure Ideas as Executive Director of Consulting.

Special thanks to Guardsquare for sponsoring this episode! Guardsquare is the leader in mobile application security, with multi-layered protection for your Android and iOS apps. Learn more at Guardsquare.com.

** Links mentioned on the show **

FBI IC3 PSA — Russian Intelligence Services Continue to Target Commercial Messaging Applications https://www.ic3.gov/PSA/2026/PSA260626

The Hacker News — FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys https://thehackernews.com/2026/06/fbi-warns-russian-intelligence-hackers.html

Infosecurity Magazine — FBI Sounds Alarm Over Russian Intelligence Signal Phishing https://www.infosecurity-magazine.com/news/fbi-alarm-russian-intelligence/

Rewards for Justice — UNC5792 https://rewardsforjustice.net/rewards/unc5792/

SecurityWeek — US Offers $10 Million Bounty for Russian State Hackers as Messaging App Attacks Evolve https://www.securityweek.com/us-offers-10-million-bounty-for-russian-state-hackers-as-messaging-app-attacks-evolve/

** Watch this episode on YouTube **

https://youtu.be/fxFfY_e_MOI

** Become a Shared Security Supporter **

Get exclusive access to bonus episodes, listen to new episodes before they are released, receive a monthly shout-out on the show, and get a discount code for 15% off merch at the Shared Security store. Become a supporter today by going to our YouTube channel's membership section: https://www.youtube.com/channel/UCg9CCDIYkDDqwEZ3UYaxjnA/join

** Thank you to our sponsors! **

SLNT

Visit https://slnt.com to check out SLNT's amazing line of Faraday bags and other products built to protect your privacy. As a listener of this podcast you receive 10% off your order at checkout using discount code "sharedsecurity".

** Subscribe and follow the podcast **

Subscribe on YouTube: https://www.youtube.com/c/SharedSecurityPodcast

Follow us on Bluesky: https://bsky.app/profile/sharedsecurity.bsky.social

Follow us on Mastodon: https://infosec.exchange/@sharedsecurity

Join us on Reddit: https://www.reddit.com/r/SharedSecurityShow/

Visit our website: https://sharedsecurity.net

Subscribe on your favorite podcast app: https://sharedsecurity.net/subscribe

Sign-up for our email newsletter to receive updates about the podcast, contest announcements, and special offers from our sponsors: https://shared-security.beehiiv.com/subscribe

Leave us a rating and review: https://ratethispodcast.com/sharedsecurity

Contact us: https://sharedsecurity.net/contact

What is Shared Security Podcast?

Shared Security is the the longest-running cybersecurity and privacy podcast where industry veterans Tom Eston, Scott Wright, and Kevin Tackett break down the week’s security WTF moments, privacy fails, human mistakes, and “why is this still a problem?” stories — with humor, honesty, and hard-earned real-world experience. Whether you’re a security pro, a privacy advocate, or just here to hear Kevin yell about vendor nonsense, this podcast delivers insights you’ll actually use — and laughs you probably need. Real security talk from people who’ve lived it.

Welcome to the Shared Security Podcast, the longest running cybersecurity and privacy

show for actual humans.

No jargon, no hype, just honest analysis from industry veterans who've seen everything

and survived it.

Each week we break down the stories that matter, expose the nonsense that doesn't, and give

you the tools to stay safe in a world where everything is connected and nothing

is guaranteed.

This is Shared Security.

Russian intelligence services are actively targeting signal WhatsApp and Telegram users

not by cracking encryption, but by stealing people's accounts through phishing, QR code

tricks, and backup recovery key theft.

Now the FBI put out a urgent PSA about it, the US government posted a $10 million bounty

on the hackers.

And the lesson here is one we've been saying on this show for years.

The encryption is only as strong as the person holding the key.

But before we get into all of that, I do have a little personal announcement that I would

like to make.

But quantifies as a personal announcement since both of us are involved?

Yes, and Kevin has involved with this announcement as well, but as you know, or hopefully

you may have seen my post on LinkedIn, but I had recently resigned from my role

at Sneak, and I have accepted a new role at Secure Ideas working with Kevin Tackett.

We know that place.

Yeah, I know, it's weird.

We know that place for some reason, but I am now the executive director of consulting

at Secure Ideas, which makes Kevin my boss.

So I mean, it just worked out that way.

The thing that I don't know, I really don't like the title boss.

Yeah, boss has a negative tone to it.

Yeah, you're my supervisor.

You're my.

I guess.

But I don't want that either.

And I think one of the main reasons I don't like it is, as you and I have talked about

and I feel free to share this kind of thing, is that, you know, the main goal of bringing

you in is to help us employee, build whatever the words are, are consulting business processes,

procedures.

And like we talked about in that, I'm going to listen to you, right?

You know, I accidentally built a company over almost 16 years.

You've purposefully built teams doing these things.

I feel like purposely trumps accidentally.

I feel like this is a sales pitch between, you know, expanding

in the QSA stuff with Jeff and having you, you know, I guess the question people should

be asking is which podcast is going to announce our next hire since.

Jeff, who now?

Tavis on Security Weekly, you've announced your year.

So if you run a podcast and you'd like to announce somebody joining Secure Ideas, reach

out.

Yeah, we'll get out of third podcast.

Why not?

Pretty excited about it.

I, we, you and I have talked for years about you coming on board.

Literally.

Tom turned down a job years ago.

I do.

Basically, he did it politely, but what we all knew was he didn't want to put up with

me day to day.

The reality actually was I just, it was the wrong time, maybe.

I don't know.

Like, I think it's going to be great, but yeah, I might be biased, but I think Secure

Ideas is pretty friggin cool.

And I think you joining it makes it cooler.

So yes.

Thank you.

I'm excited.

Thank you, Kevin.

I am really glad to be finally working at Secure Ideas and I can actually call myself

professionally evil officially.

Yeah.

You've always been professionally evil.

Yeah.

I mean, we were talking about it the other day, right?

You were wearing a professionally evil shirt and I'm like, yes.

I think those were only available to employees and I couldn't, you got one.

From that announcement, let's move on to our story.

Yes.

We're talking about the signal.

Those darn Russians.

I know.

And I want to preface this with like, this is a very targeted attack that's happening.

And of course, like we always say, go back to your threat model, right?

Like if you're, obviously if you're a journalist, if you're working in the governments,

you have a certain position or level, you know, this could be a concern for you,

but you know, if you're an average Joe user using a secure messaging app, this may not

apply or it may.

It just depends.

And I think the theme of this story is around some of the new phishing attacks we've seen

around recovery keys and the recovery codes.

To me, it feels like the core of this story.

Not so much the, oh my gosh, Russian hackers guys.

They're targeting us.

We're all doomed.

What I always get a kick out of is the minute you start talking about Russian something.

I find that you get three reactions.

The first reaction is the one that I think is reasonable and that is, hey, okay, this

specific instance is Russian hackers.

Is it something specific to Russia or is it something like that kind of thing?

Like, yeah, like let's think about it.

Let's talk about it.

Let's look at facts.

The second reaction you get is the news, you know, you hate Russia, whatever, and we can

ignore those idiots.

And then the third reaction is one that I'd like to ignore, but you really can't.

And this goes to, I disagree with your list of people who should be worried about this.

I want to add an additional category of people.

And that is the people who are responsible for IT and security at an organization with

a hysterical CISO or CTO or CIO.

The one that runs out of the room and says, oh, my God, I heard this about this and everything.

They need to be prepared for this as well.

Oh, yeah.

Their preparation is just calm down, relax.

Let's look at our risk model.

Let's look at our threat.

Right.

Um, but but really, I think to me, and I believe you, you've called this out

that the main primary thing that people should be focused on is not, hey, fishing is bad,

whatever, but keep in mind that no matter how secure the transmission is, the end points

are your weakness.

And please don't even say the users, right?

Like if I have control of your phone and I can get into the system, the app, I can

see the messages.

I've got control of the other end.

I can see the messages.

I just I just had a conversation with the Huffington Post.

I was interviewed on the Huffington Post for an article about WhatsApp doing usernames

or some crap like that.

It's like, I'm glad WhatsApp, the horrible application is now catching up with every

other messaging rights world, but when I was talking to the reporter, great, great

person really, really understands what she's talking about and looking at.

We were having the conversation and it was like, hey, look, I don't care how secure

something is no matter how good it is, right?

If the user falls for a scam, if the user or the end point is is compromised, the rest

of it does it irrelevant to the conversation.

And so when we were talking about, you know, phone numbers being publicly available

and used for scams and stuff like that.

But in this case, that ties directly to it, right?

If I know how to reach you, if I can get control of that.

And I think that's where people need to think more about their risk model

because I've talked to too many people about when they say, well, but it's encrypted.

It's like, not when you're looking at it.

I think that is they got in as interesting the way the attacks work

are interesting and everything else that, but really, I want I want people to walk

away from it with the idea of, man, end points are critical.

So I've been absolutely, you know, yeah.

I mean, it's just like with Signal as well.

Like, yes, Secure is a secure messaging app.

But if someone gets access to your phone physically and can access your app,

it's game over, right?

Like the encryption doesn't matter at that point, right?

It's the same thing with these types of attacks.

If you are fished, giving away either credentials or recovery

key codes or any of that thing, like you could have the best, most secure

app in the world, but it's the end point.

Right? Well, and, you know, I don't know about you, but, you know,

I get, I use Signal very often.

Well, I guess I do know you do as well, but.

Mobile apps are just part of everyday life now.

Banking, health care, shopping, entertainment, you name it.

And with that comes a lot of trust because users are putting

their personal data directly into your app.

But here's the reality.

Mobile apps are a growing target.

A recent survey found that 72% of organizations experienced

a mobile app security incident last year and 92% say threats are only increasing.

And the way attackers are going after apps is pretty sophisticated.

They're reverse engineering them, modifying them and redistributing

fake versions through fishing campaigns, side loading and even third

party app stores.

So from a user's perspective, everything can look completely legitimate.

That's why taking a proactive approach to mobile app security really matters.

You want to stay ahead of these threats, not react after the damage is done.

This is where Guard Square comes in.

They provide advanced protection for both Android and iOS apps,

along with automated security testing to catch vulnerabilities early

and real time threat monitoring so you can actually see what's happening out there.

If your mobile app is critical to your business, and it probably is,

this is something worth paying attention to.

You can learn more at GuardSquare.com.

That's GuardSquare.com.

Since we've messaged each other on signal, but let's not go there.

I use it quite often and very often when I go into it, it says to me,

hey, you know, vet your pen, rotate your backup keys, whatever.

You know, it's giving you those popups.

And that's, I want to be clear.

I'm not saying that's bad.

I think it's good that it does it.

I just wish it gave a little bit better explanation somewhere.

And maybe I'm missing it of why you want to do that,

because I think that this attack showcases

some level of misunderstanding what can happen with a backup recovery key.

Right.

Yeah, I, you know, I have talked to people

that that they just think that's a thing they use

to make sure their messages are backed up and it's like, no, no, no.

Like this, this is how you get access to the backup,

which means I can restore the messages, which like we saw in this attack was what happened.

I those popups are great as a reminder to do something and whatever.

And I cannot believe the words those popups are great came out of my mouth.

It did. Understand what those things mean.

Understand why your pen is so important, why those keys are so important and go from there.

Yeah. And where you store those backup recovery keys is also important.

You mean having my browser memorize them is not good?

Yeah, no, that's not good. That's not good.

I would recommend putting those into a password manager

or like I've actually said to people like, you know,

we've had this conversation too about writing them down into a notebook

actually may be more secure.

And I know we've talked about passwords writing down passwords and notebooks,

especially for elderly and other people,

because that is a trope in my opinion of, you know,

misinformation of like, oh, don't write passwords down.

That's bad. Well, it depends on the context and depends on the person

and all these other things. So but same thing goes for recovery key codes.

But I would say that

especially in this instance in the way like signal how it works

with the recovery key codes, even if you do create a new account,

those codes are still valid.

Like it doesn't invalidate over a new account.

You have to actually recreate the recovery key code.

So we'll link in the show notes.

There's some good articles on just like if you do want to change this

or if you think you are a victim of this or whatever, right?

Some reference for you.

But just be careful, you know, if you get a message from signal

support or WhatsApp support or whoever, right?

Like first of all, supports never going to really message you

on these apps in the first place.

Real message from signal support, right, right.

And they will never ask you to copy your recovery key codes

and paste them into a chat.

Secondly, so those should be some red flags to definitely look out for.

They should be. They should be.

Yes, just like someone asked you, hey, send me your password

so I can secure your account.

Yeah, no audit. Don't do that.

Send us all your and if you're going to send your backup recovery key

to somebody, send them to Tom, he likes collecting.

Yeah, yeah, send them secure ideas.

We would appreciate that. No, no, no, no, no.

I'm kidding. All right.

Well, I think that's all we have time for today.

Oh, one more thing, just a plug real quick.

If you have not signed up for the shared security newsletter,

please do so.

You can sign up at shared security dot net slash newsletter.

And we do send that out weekly now.

So you get a nice recap of the episode

and you also get some other stories that we find relevant

or interesting that I kind of curate each week.

So definitely check that out

if you have not signed up for the newsletter.

And with that, I think that's all we have time for today.

Thank you, Kevin. Thank you.

And looking forward to working with you.

Well, we'll make you regret that.

You'll probably hear more fun, secure idea stories on the show.

Not that we haven't been talking about that for years,

but now that I'm part of the team, I thought it was funny.

The conversation we had, I think it was Monday,

might have been Tuesday, where it was like, you know,

all those stories we've talked about, you'll now know who they're about.

I know. I know how the sausage is being made now.

So I like sausage. I do, too.

All right. Well, thanks for listening, everyone.

And until next time, stay safe, stay secure and stay private.

Thank you for listening or watching.

If you like this episode, hit subscribe,

share it with your friends and colleagues

or jump into our community at sharedsecurity.net

slash supporter to keep the conversation going.

Thanks again, and we'll see you next week

for another episode of shared security.