Signal Account Takeover Campaign Targeting German Officials
A social-engineering campaign targeting Signal and WhatsApp accounts has hit prominent German officials and security figures, including former BND vice president Arndt Freytag von Loringhoven. Attackers reportedly impersonated Signal support and tricked victims into disclosing their PINs, enabling account compromise and follow-on abuse. In Freytag von Loringhoven’s case, the hijacked account was then used to send a malicious link to his contacts before he warned them and deleted the account. German authorities had already classified the activity as security-relevant and advised potential victims to check for signs such as unknown linked devices and unexpected re-registration prompts.
The campaign appears to be part of a broader espionage-focused operation affecting politicians and officials in Germany, with investigators reportedly suspecting a connection to Russian hybrid activity. One additional report references the same incident only in passing while discussing a separate German cybersecurity legislative proposal, reinforcing that the compromise of the former intelligence official was one of several recent security incidents shaping the policy debate. A separate article on Frankfurt police use of a mobile facial-recognition app is not related to the account-takeover campaign and should be excluded.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Signal phishing campaign reportedly compromises Julia Klöckner and newsroom staff
Reporting on 2026-04-23 said the Signal phishing campaign had successfully compromised Bundestag President Julia Klöckner, at least one additional Bundestag member, and staff at major German newsrooms. Germany's domestic intelligence service also warned that numerous parliamentary Signal groups may be under undetected monitoring, indicating broader impact on political and media communications.
Signal says no platform vulnerability was exploited
Signal stated that its encryption and infrastructure were not compromised in the incidents. The company said the account takeovers resulted from phishing and misuse of legitimate features, not from a software vulnerability in Signal itself.
Dutch intelligence attributes broader campaign to Russia-linked actors
Dutch intelligence agencies publicly attributed a wider global campaign targeting government officials, military personnel, civil servants, and possibly journalists to Russia-linked threat actors. The attribution connected the German cases to a broader espionage effort against messaging app users.
German authorities classify the messaging campaign as security-relevant
German authorities assessed the Signal and WhatsApp account takeover activity as security-relevant after the targeting of senior officials came to light. The incidents were described as phishing and abuse of legitimate platform features rather than a compromise of Signal's encryption or infrastructure.
German officials targeted in Signal and WhatsApp takeover campaign
A targeted social-engineering campaign affected high-ranking German officials, including former BND Vice President Arndt Freytag von Loringhoven, by impersonating Signal support and soliciting PINs or verification data. In some cases, attackers abused Signal's linked devices feature to maintain access to victim communications.
German Interior Ministry publishes cyber law draft
At the end of February 2026, Germany's Federal Ministry of the Interior published the draft law "Gesetz zur Stärkung der Cybersicherheit." The proposal would expand the powers of the Bundespolizei, BKA, and BSI to take active measures such as shutting down systems, redirecting traffic, and altering or deleting data on IT systems.
Federal prosecutors open preliminary espionage probe into Signal phishing campaign
In mid-February 2026, German federal prosecutors began a preliminary investigation on suspicion of espionage related to the Signal phishing campaign targeting politicians, officials, military personnel, diplomats, and journalists. The probe marked an early law-enforcement response before the campaign's broader public disclosure.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
8 references tracked. Mallory keeps watching after this page renders.
Suspected Russian phishing campaign targets German officials via Signal | brief | SC Media
scworld.com
Open sourceSignal Phishing Campaign Targets German Officials in Suspected Russian Operation
securityaffairs.com
Open sourceSignal phishing campaign targets Germany’s Bundestag President Julia Klöckner
securityaffairs.com
Open source(S+) Julia Klöckner ist Opfer des Signal-Hacks - Bundestag President Klöckner is a victim of the signal hack - Infosec.Pub
infosec.pub
Open sourceAttacke auf Politik und Journalismus: Signal-Phishing gegen Julia Klöckner erfolgreich
netzpolitik.org
Open sourceAttacken bei Signal und WhatsApp: Immer mehr Spuren beim Messenger-Phishing weisen auf Russland
netzpolitik.org
Open sourceFormer Germany’s foreign intelligence VP hit in Signal account takeover campaign
securityaffairs.com
Open sourceGesetzentwurf zur Stärkung der Cybersicherheit: Gefährliche Offensive
netzpolitik.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
German Agencies Warn of Signal Account Hijacking via Support Impersonation and Linked-Device QR Codes
Germany’s **Federal Office for the Protection of the Constitution (BfV)** and **Federal Office for Information Security (BSI)** warned of suspected **state-linked phishing** operations targeting high-ranking individuals—politicians, military officers, diplomats, and investigative journalists—across Germany and Europe via messaging apps, notably **Signal**. The advisory emphasizes the campaign relies on **social engineering**, not malware or exploitation of technical vulnerabilities, with attackers contacting targets directly inside the app while impersonating *Signal* support personnel or a “security chatbot.” Authorities described two primary tactics to gain covert access to victims’ communications and networks: (1) **full account takeover** by tricking targets into sharing their Signal **PIN** or **SMS/one-time verification code**, enabling attackers to register the account on an attacker-controlled device and lock out the victim; and (2) **silent monitoring** by persuading targets to scan a **QR code** that abuses Signal’s legitimate `linked devices` feature to pair an attacker-controlled device, allowing ongoing access to one-to-one and group chats and contact lists. The agencies noted that while the activity is assessed as likely state-backed, the same methods could be replicated by non-state or financially motivated actors.
Mar 21, 2026
Russian Social-Engineering Campaign Targeting Signal and WhatsApp Accounts
The Dutch intelligence and military security services (**AIVD** and **MIVD**) warned of a **large-scale Russian cyber campaign** targeting individual **Signal** and **WhatsApp** accounts—particularly those of government officials, journalists, and military personnel—by persuading victims to disclose **security verification codes** and **PINs**. The activity does **not** involve breaking end-to-end encryption or exploiting a technical vulnerability in the apps; instead, it abuses legitimate account and security workflows. One commonly observed tactic is impersonation of a *Signal Support* chatbot to solicit verification information, enabling account takeover and access to messages and group chats. The agencies also reported abuse of the apps’ **“linked devices”** functionality, where attackers attempt to attach an additional device to a victim’s account to mirror messages in real time. AIVD/MIVD assessed that the campaign has already produced victims, including within the Dutch government, and that attackers likely accessed sensitive information as a result. Separate reporting about a fake *Red Alert* Android app used to spy on Israeli users describes a different mobile-malware operation (SMS lure, sideloaded trojanized app, extensive permissions, and data exfiltration) and is not part of the Signal/WhatsApp account-takeover campaign.
Jun 1, 2026
Signal Users Targeted Through Twilio Exposure and QR-Code Device Linking
Signal disclosed that attackers accessed limited user data after compromising Twilio through a phishing campaign against Twilio employees, exposing information tied to about 1,900 users. The intruders sought three phone numbers and re-registered one affected account, while Signal said message histories, contact lists, profile information, and other account data remained protected because the service does not store them. Signal notified impacted users and advised them to re-register their numbers and enable additional account protections. More recently, Google Threat Intelligence Group and other researchers reported that Russian state-linked actors have targeted Signal users in Ukraine through social engineering rather than by breaking Signal encryption. The most prominent tactic abuses Signal's **linked devices** feature by luring victims into scanning malicious QR codes, silently attaching an attacker-controlled device that can then receive future messages. Reporting linked activity to **Sandworm** and **UNC5792/UAC-0195**, and warned that similar QR-code and messaging-app takeover techniques are also being used against **WhatsApp** and **Telegram**, indicating a broader shift toward user-manipulation attacks on encrypted platforms.
May 25, 2026