The alleged method is the useful part. The Rewards for Justice notice and Ars Technica's account described phishing that impersonated Signal support agents and told targets a mandatory two-factor verification was required. Targets were tricked into revealing a backup or device-linking key, giving attackers access to prior communications. Ars Technica reported that thousands of accounts were compromised, including accounts used by US government, military and allied personnel.
That is not a story about Signal or WhatsApp encryption being broken. It is a story about the chain around the protocol. Signal and WhatsApp use end-to-end encryption for message content in transit, meaning the service provider is not meant to read the messages as they move between sender and recipient. Attackers who cannot break that protocol can still look for weaker points around it: linked devices, account recovery, cloud backups, phone-number takeover, malware on endpoints or social engineering.
The fake-support ruse shows why recovery channels deserve the same seriousness as the app itself. A person may use a secure messenger while also trusting a restoration process, backup setting or linked-device flow that is easier to manipulate than the underlying cryptography. If an attacker obtains the key material or adds a device, the cryptographic strength of the live chat does not undo the exposure.
Rewards for Justice notices are not technical papers, so the attribution and operational detail should be handled as US government allegations. They are still primary evidence of what the government is willing to reward: information about named groups, alleged Russian intelligence links and a campaign aimed at communications accounts rather than a mathematical break in the messaging protocols.
