The Security Service of Ukraine, working with the FBI, recently disclosed a multi-year campaign targeting messaging accounts belonging to government officials, military personnel, politicians, and activists across Ukraine, Europe, and North America. The attackers' method was deceptively simple: SMS messages impersonating support teams from popular messaging platforms, designed to harvest login credentials and session tokens. The campaign underscores a persistent gap between platform security controls and the reality of how people respond to perceived account emergencies.
The Phishing-to-Credential Pipeline
The attackers sent SMS messages spoofed to appear as though they originated from official support channels of major messaging services. The messages typically claimed the recipient's account had triggered a security alert or would be disabled unless the user "verified" their identity immediately. A link in the message directed targets to a credential-harvesting page designed to match the legitimate platform's login interface.
Once credentials were captured, the attackers moved quickly to establish sessions on the actual platform. They often activated account recovery options to lock out the legitimate owner, giving themselves a window to extract message history, contacts, and ongoing conversations before the account owner could regain control. For government and military personnel, this means exposure of operational discussions, intelligence sources, and tactical information that can be repurposed for further targeting or leverage.
What made this campaign effective was its targeting precision. Rather than mass-mailing millions of generic phishing links, the attackers researched their targets beforehand, personalising messages with names, titles, or recent account activity to increase credibility. This kind of preparation suggests dedicated human analysis rather than automated scanning, which aligns with known patterns of state-sponsored intelligence operations.
Why SMS Remains a Weak Link
Messaging platforms have invested heavily in endpoint security, encryption, and account-recovery mechanisms. Yet they cannot fully control how users perceive threats arriving via SMS, which sits outside the platform's own security perimeter. A message on your phone appears equally legitimate whether it comes from a legitimate service or a spoofed number. Most users are conditioned to treat account-security warnings as urgent, creating psychological pressure that bypasses rational verification.
Even organisations with security awareness training face challenges. An employee receiving an SMS warning about account suspension is likely to feel personal responsibility to respond quickly. They may not have an obvious way to verify the message's origin without already knowing the legitimate support contact method — which, by design, they often don't.
The campaign targeted messaging apps specifically because of their role in sensitive communication. Unlike email, which can be forensically reviewed and is often logged, messaging apps are often assumed to be more ephemeral. Compromising an active account grants access to real-time conversations and the ability to conduct further social engineering against the account holder's contacts.
Detection and Containment Measures
Organisations managing sensitive operations should assume that SMS-based account-recovery flows are a security boundary, not a protection. Several defensive approaches reduce the attack surface:
- Hardware security keys: Supporting FIDO2 or U2F tokens for account recovery prevents credential-only compromise. Even if an attacker has username and password, they cannot access the account without the physical key.
- Out-of-band verification: When users report being locked out, require verification through a separate channel — a pre-registered email address, a phone call to a known number, or in-person verification through an organisational system.
- Session monitoring: Log and alert on anomalies: new login locations, unusual message-export patterns, or rapid contact additions. Many data exfiltration attempts show detectable patterns before the attacker deletes logs.
- SMS-based alerts as anti-phishing: Some platforms are now sending SMS notifications when account recovery is triggered, allowing the legitimate owner to immediately block the process if it wasn't them.
Infrastructure Implications for High-Security Deployments
Organisations operating offshore or in adversarial environments should treat messaging apps as untrusted for sensitive discussion, regardless of their encryption claims. If messaging must be used, segregate sensitive communications to dedicated, airgapped devices that do not receive SMS or email, making credential theft via SMS irrelevant. For those operating privacy-focused infrastructure or accepting users from jurisdictions with active threat environments, documenting your authentication architecture — including whether SMS recovery is available and what it can unlock — is increasingly a security differentiation point.
The campaign is a reminder that infrastructure security extends beyond servers and networks. Account takeover via psychological manipulation and poor credential-recovery design can be as damaging as any vulnerability in a web application. The fastest remediation is not always a patch; sometimes it's a process redesign.

