Short version: Ukrainian security services and the FBI say a long-running scheme was found where attackers posed as messaging platform support to trick people into handing over access to their accounts. It’s the digital equivalent of someone slipping a fake badge across the desk and saying, “Trust me, I’m support.” Spoiler: don’t trust that badge.

What happened

Investigators uncovered a campaign that targeted a broad swath of people — government officials, military personnel, politicians, activists, and ordinary citizens — across Ukraine, Europe, and the U.S. The attackers used SMS messages that impersonated the messaging app’s support bot and asked victims to reveal login details or recovery information. Once the attackers had those secrets, they could take over accounts and scoop up messages, contacts, and other sensitive data.

The campaign didn’t just go after public figures; personal accounts were hit too. Some similar attack waves have been linked to known threat clusters that focus on high-value targets and try to trick people into handing over their confirmation codes or backup recovery keys. The overall aim: access to military, political, and economic communication — and, of course, juicy personal data.

How to not get pwned (practical steps)

If you don’t want to be the next cautionary tale, here are the basics — short, sharp, and actually useful:

  • Enable two-factor authentication and use a robust second factor (not SMS if you can avoid it).
  • Never share verification codes, passwords, or recovery keys with anyone who messages you — even if they claim to be support.
  • Regularly check active sessions in your messaging apps and sign out any devices you don’t recognize.
  • Don’t scan QR codes from strangers or accept file links from dubious chats.
  • Treat unsolicited help like a suspicious pastry: looks tempting, but probably poisoned. When in doubt, contact official support via the app’s settings or the provider’s official website.

Bottom line: attackers are getting creative and sometimes very convincing. A little skepticism and a few habit changes — like using strong account recovery practices and double-checking where requests actually come from — go a long way toward keeping your chats and contacts safe.