Russian Social-Engineering Campaign Targeting Signal and WhatsApp Accounts
The Dutch intelligence and military security services (AIVD and MIVD) warned of a large-scale Russian cyber campaign targeting individual Signal and WhatsApp accounts—particularly those of government officials, journalists, and military personnel—by persuading victims to disclose security verification codes and PINs. The activity does not involve breaking end-to-end encryption or exploiting a technical vulnerability in the apps; instead, it abuses legitimate account and security workflows. One commonly observed tactic is impersonation of a Signal Support chatbot to solicit verification information, enabling account takeover and access to messages and group chats.
The agencies also reported abuse of the apps’ “linked devices” functionality, where attackers attempt to attach an additional device to a victim’s account to mirror messages in real time. AIVD/MIVD assessed that the campaign has already produced victims, including within the Dutch government, and that attackers likely accessed sensitive information as a result. Separate reporting about a fake Red Alert Android app used to spy on Israeli users describes a different mobile-malware operation (SMS lure, sideloaded trojanized app, extensive permissions, and data exfiltration) and is not part of the Signal/WhatsApp account-takeover campaign.

How this story unfolded
19 events from the most recent confirmed update back to the earliest known activity.
Phishing campaign targets Signal backup recovery keys
A targeted phishing campaign impersonating Signal Support was reported as trying to trick users into sharing 64-character backup recovery keys. If attackers also gain account access, they can decrypt victims’ entire encrypted Signal backup archives, exposing historical conversations; observed targets included journalists, activists, and Chinese dissidents.
Amnesty researcher exposes 13,500-target Signal hijack operation
Amnesty International Security Lab head Donncha Ó Cearbhaill investigated a phishing attempt against his own Signal account and said he uncovered a broader campaign targeting more than 13,500 users. He described attackers impersonating Signal support to steal verification codes for linked-device hijacking and revealed new technical details including an automation system dubbed 'ApocalypseZ,' Russian-language tooling, and translated victim chats.
Signal rolls out in-app anti-phishing warnings and verification prompts
Signal introduced new in-app confirmations, warning labels, and educational prompts to help users detect social-engineering and phishing attempts. The safeguards include indicators such as 'Name not verified' and 'No groups in common,' stronger prompts on message requests, and reminders that Signal will never ask for a registration code, PIN, or recovery key.
German government members reportedly compromised in Signal phishing campaign
Reporting said a likely Russia-linked phishing campaign abusing Signal’s linked-device QR code feature compromised members of the German government, including Bundestag President Julia Klöckner. German authorities assessed Russia was probably behind the operation, while Chancellor Friedrich Merz’s phone was examined and found not compromised.
BfV warns Bundestag of Signal phishing campaign affecting hundreds in Germany
Germany’s domestic intelligence agency, the BfV, reportedly warned parliamentary party leaders and Bundestag party offices about an ongoing Signal phishing campaign. Security circles said at least 300 victims were known in Germany, including high-profile figures, and the warning assessed that numerous parliamentary Signal groups might already be monitored by attackers without detection.
Impersonator uses ProPublica reporter identity on Signal and WhatsApp
A ProPublica reporter disclosed that an unknown actor used his name and headshot on WhatsApp and Signal to contact people tied to foreign military and Ukraine-related matters. Reported targets included a Canadian military official and a Latvian businessman supporting the Ukrainian military, and one approach appeared to include fake secure video-call instructions aimed at compromising an email account.
FBI warns Russian intelligence-linked actors hijacked thousands of messaging accounts
The FBI issued a public service announcement warning that Russian intelligence-linked threat actors are phishing users of Signal and WhatsApp, especially people with access to sensitive information. The bureau said the campaign has already compromised thousands of accounts worldwide through stolen verification codes and malicious QR codes rather than by breaking app encryption.
CISA publishes U.S. advisory on Russian targeting of messaging accounts
CISA published guidance on Russian intelligence services targeting commercial messaging application accounts, reflecting broader official concern about the same account-takeover tradecraft. The advisory extended awareness of the threat beyond the Dutch warning.
France’s C4 warns of messaging account targeting in government sectors
France’s Centre de Coordination des Crises Cyber (C4) issued an alert about rising social-engineering attacks against instant-messaging accounts used by political figures, senior officials, and government administrators, especially in sovereign sectors. The alert described abuse of linked-device and account-transfer features across Signal, WhatsApp, and other platforms, warned of risks including exposure of sensitive chats and impersonation, and advised public administrations to favor Tchap for professional exchanges.
Signal says it is adding safeguards and UI warnings
Signal said it was working on additional safeguards and user-interface improvements to better protect high-risk users from phishing and fraudulent device-linking attempts. It also reiterated that legitimate support would not request verification credentials through messages, SMS, or social media.
Signal confirms targeted phishing caused account takeovers
Signal publicly acknowledged an ongoing wave of targeted phishing and social-engineering attacks that successfully took over some user accounts, including those of journalists and government officials. The company said its infrastructure and end-to-end encryption were not compromised and that attackers were tricking users into sharing SMS verification codes and Signal PINs.
Dutch authorities warn sensitive communications should avoid consumer chat apps
Alongside the advisory, Dutch officials stated that end-to-end encrypted consumer messaging apps are not suitable for classified, confidential, or otherwise sensitive government information. They emphasized that encryption does not protect against account takeover through social engineering.
AIVD and MIVD publish advisory on Signal and WhatsApp phishing
Dutch intelligence and military security agencies issued a public cybersecurity advisory warning about phishing via Signal and WhatsApp. The advisory described tactics such as fake Signal support messages, credential theft, malicious QR codes, and abuse of linked devices, and provided guidance to help users detect and respond to account compromise.
Dutch agencies confirm Dutch government employees were affected
The Netherlands’ AIVD and MIVD said the campaign had already led to compromises, including accounts belonging to Dutch government employees, and assessed that sensitive information was likely exposed. They also warned the activity was not limited to the Netherlands.
Russian-linked campaign compromises Signal and WhatsApp accounts
A large-scale Russia-linked operation targeted Signal and WhatsApp accounts of government officials, military personnel, journalists, diplomats, researchers, and other high-value individuals worldwide. The campaign used social engineering to steal verification codes and PINs and abused linked-device features rather than exploiting vulnerabilities in the apps themselves.
Poland launches mSzyfr and directs officials to stop using Signal
Poland said public officials and entities in its National Cybersecurity System should stop using Signal and adopt the state-backed mSzyfr Messenger, citing phishing and social-engineering campaigns against Signal users. The platform was launched through the Ministry of Digital Affairs and NASK as a government-jurisdiction alternative for approved public-sector and cybersecurity organizations.
German federal prosecutors open preliminary Signal espionage probe
German federal prosecutors opened a preliminary investigation in mid-February 2026 into alleged cyberattacks on Signal accounts, including possible espionage tied to the phishing campaign targeting politicians and others. The probe preceded later public reporting about hundreds of compromised accounts and suspected Russian involvement.
BfV and BSI issue joint warning on messenger phishing campaign
Germany’s BfV and BSI issued a joint security advisory warning of phishing attacks via messenger services including Signal. The agencies said a likely state-controlled actor was targeting senior figures in politics, the military, diplomacy, and investigative journalism in Germany and across Europe, with risks extending to confidential chats and wider contact networks.
Google documents Russian abuse of Signal linked-device feature
Google Threat Intelligence Group reported that Russia-linked actors were using malicious QR codes to link victims’ Signal accounts to attacker-controlled devices for real-time eavesdropping, particularly in activity tied to the war in Ukraine. Later reporting cited this as an earlier precursor to the broader campaign described by Dutch authorities.


