The issue here is that almost nobody actually checks the signature. Some people edit their messages to invalidate them just to see if they'll get called out on it - they almost never are.
So in theory, yes. But in practice - people are too lazy to validate or check the key (if the attacker replaces it with their own signed message) for every single post. This is a bigger issue the more users you have signing messages - as users begin getting lazier with checking each and every signed message.
Unless they are under a lot of eyeballs from people who do care. If Wikileaks "signs" a message and it doesn't verify or wasn't with their key - a lot of people will call it out. If I "sign" a message or use a different private key (very possible that I sign with the wrong key when I have multiples) - I doubt anyone would call me out on it.
So in theory, yes. But in practice - people are too lazy to validate or check the key (if the attacker replaces it with their own signed message) for every single post. This is a bigger issue the more users you have signing messages - as users begin getting lazier with checking each and every signed message.
Unless they are under a lot of eyeballs from people who do care. If Wikileaks "signs" a message and it doesn't verify or wasn't with their key - a lot of people will call it out. If I "sign" a message or use a different private key (very possible that I sign with the wrong key when I have multiples) - I doubt anyone would call me out on it.