German Agencies Warn of Signal Account Hijacking via Support Impersonation and Linked-Device QR Codes
Germany’s Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI) warned of suspected state-linked phishing operations targeting high-ranking individuals—politicians, military officers, diplomats, and investigative journalists—across Germany and Europe via messaging apps, notably Signal. The advisory emphasizes the campaign relies on social engineering, not malware or exploitation of technical vulnerabilities, with attackers contacting targets directly inside the app while impersonating Signal support personnel or a “security chatbot.”
Authorities described two primary tactics to gain covert access to victims’ communications and networks: (1) full account takeover by tricking targets into sharing their Signal PIN or SMS/one-time verification code, enabling attackers to register the account on an attacker-controlled device and lock out the victim; and (2) silent monitoring by persuading targets to scan a QR code that abuses Signal’s legitimate linked devices feature to pair an attacker-controlled device, allowing ongoing access to one-to-one and group chats and contact lists. The agencies noted that while the activity is assessed as likely state-backed, the same methods could be replicated by non-state or financially motivated actors.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
German agencies publish defensive guidance for targeted users
Alongside the warning, BfV and BSI advised users to ignore and report unsolicited support messages, never share PINs or verification codes, enable Signal's Registration Lock, and regularly review linked devices for unauthorized access. The guidance emphasized that these attacks can succeed without malware because they abuse legitimate app functionality.
Germany warns similar messaging-app abuse could affect WhatsApp
German authorities said the same social-engineering approach could be adapted to other messaging platforms with comparable account-linking and verification features, specifically naming WhatsApp. The warning expanded the significance of the campaign beyond Signal alone.
Authorities detail PIN/code theft and QR-linking attack methods
In the advisory, German authorities described two main techniques: impersonating Signal support or chatbots to steal a victim's Signal PIN or SMS verification code for account takeover, and tricking victims into scanning a QR code that links an attacker-controlled device to the account. They warned that successful access could expose chats, contact lists, and enable impersonation or broader compromise through group conversations.
BfV and BSI issue joint warning on Signal phishing campaign
On 2026-02-06, Germany's BfV and BSI issued a joint advisory warning that a likely state-backed actor was targeting senior political figures, military officials, diplomats, and investigative journalists in Germany and across Europe via Signal. The agencies said the campaign used social engineering and legitimate app features rather than malware or software vulnerabilities.
German interior minister cites ongoing hybrid cyberattacks
At the end of January 2026, Interior Minister Alexander Dobrindt said Germany was facing constant cyberattacks against institutions, infrastructure, and companies, and referenced hybrid attacks including those from Russia. He also said the Interior Ministry was preparing a center to coordinate defense against hybrid threats later in the year.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
10 references tracked. Mallory keeps watching after this page renders.
German intelligence warns of state-sponsored phishing attacks on messaging apps | SC Media
scworld.com
Open sourceGermany warns of state-linked phishing campaign targeting journalists, government officials | The Record from Recorded Future News
therecord.media
Open sourceHackers Use Signal QR Codes to Spy on Military and Political Leaders
hackread.com
Open sourcePhishing attacks on politicians, journalists via Signal messenger
gdatasoftware.com
Open sourceHackers Linked to State Actors Target Signal Messages of Military Officials and Journalists
cybersecuritynews.com
Open sourceGerman Agencies Warn of Signal Phishing Targeting Politicians, Military, Journalists
thehackernews.com
Open sourceGermany warns of Signal account hijacking targeting senior figures
bleepingcomputer.com
Open sourceState-backed phishing attacks targeting military officials and journalists on Signal - Help Net Security
helpnetsecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Signal Account Takeover Campaign Targeting German Officials
A **social-engineering campaign targeting Signal and WhatsApp accounts** has hit prominent German officials and security figures, including former BND vice president **Arndt Freytag von Loringhoven**. Attackers reportedly impersonated **Signal support** and tricked victims into disclosing their PINs, enabling account compromise and follow-on abuse. In Freytag von Loringhoven’s case, the hijacked account was then used to send a malicious link to his contacts before he warned them and deleted the account. German authorities had already classified the activity as **security-relevant** and advised potential victims to check for signs such as unknown linked devices and unexpected re-registration prompts. The campaign appears to be part of a broader **espionage-focused operation** affecting politicians and officials in Germany, with investigators reportedly suspecting a connection to **Russian hybrid activity**. One additional report references the same incident only in passing while discussing a separate German cybersecurity legislative proposal, reinforcing that the compromise of the former intelligence official was one of several recent security incidents shaping the policy debate. A separate article on Frankfurt police use of a mobile facial-recognition app is **not related** to the account-takeover campaign and should be excluded.
Apr 30, 2026
Signal Users Targeted Through Twilio Exposure and QR-Code Device Linking
Signal disclosed that attackers accessed limited user data after compromising Twilio through a phishing campaign against Twilio employees, exposing information tied to about 1,900 users. The intruders sought three phone numbers and re-registered one affected account, while Signal said message histories, contact lists, profile information, and other account data remained protected because the service does not store them. Signal notified impacted users and advised them to re-register their numbers and enable additional account protections. More recently, Google Threat Intelligence Group and other researchers reported that Russian state-linked actors have targeted Signal users in Ukraine through social engineering rather than by breaking Signal encryption. The most prominent tactic abuses Signal's **linked devices** feature by luring victims into scanning malicious QR codes, silently attaching an attacker-controlled device that can then receive future messages. Reporting linked activity to **Sandworm** and **UNC5792/UAC-0195**, and warned that similar QR-code and messaging-app takeover techniques are also being used against **WhatsApp** and **Telegram**, indicating a broader shift toward user-manipulation attacks on encrypted platforms.
May 25, 2026
Russian Social-Engineering Campaign Targeting Signal and WhatsApp Accounts
The Dutch intelligence and military security services (**AIVD** and **MIVD**) warned of a **large-scale Russian cyber campaign** targeting individual **Signal** and **WhatsApp** accounts—particularly those of government officials, journalists, and military personnel—by persuading victims to disclose **security verification codes** and **PINs**. The activity does **not** involve breaking end-to-end encryption or exploiting a technical vulnerability in the apps; instead, it abuses legitimate account and security workflows. One commonly observed tactic is impersonation of a *Signal Support* chatbot to solicit verification information, enabling account takeover and access to messages and group chats. The agencies also reported abuse of the apps’ **“linked devices”** functionality, where attackers attempt to attach an additional device to a victim’s account to mirror messages in real time. AIVD/MIVD assessed that the campaign has already produced victims, including within the Dutch government, and that attackers likely accessed sensitive information as a result. Separate reporting about a fake *Red Alert* Android app used to spy on Israeli users describes a different mobile-malware operation (SMS lure, sideloaded trojanized app, extensive permissions, and data exfiltration) and is not part of the Signal/WhatsApp account-takeover campaign.
Jun 1, 2026