Signal Users Targeted Through Twilio Exposure and QR-Code Device Linking
Signal disclosed that attackers accessed limited user data after compromising Twilio through a phishing campaign against Twilio employees, exposing information tied to about 1,900 users. The intruders sought three phone numbers and re-registered one affected account, while Signal said message histories, contact lists, profile information, and other account data remained protected because the service does not store them. Signal notified impacted users and advised them to re-register their numbers and enable additional account protections.
More recently, Google Threat Intelligence Group and other researchers reported that Russian state-linked actors have targeted Signal users in Ukraine through social engineering rather than by breaking Signal encryption. The most prominent tactic abuses Signal's linked devices feature by luring victims into scanning malicious QR codes, silently attaching an attacker-controlled device that can then receive future messages. Reporting linked activity to Sandworm and UNC5792/UAC-0195, and warned that similar QR-code and messaging-app takeover techniques are also being used against WhatsApp and Telegram, indicating a broader shift toward user-manipulation attacks on encrypted platforms.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Google links Russian actors to Signal social-engineering campaigns in Ukraine
Google Threat Intelligence Group reported that multiple Russian state-linked actors were targeting Ukrainian Signal users through social engineering, especially by abusing Signal's linked-devices feature with malicious QR codes. The report attributed Signal-focused activity to groups including Sandworm and UNC5792/UAC-0195 and warned the tactics could spread to other regions and messaging platforms.
Signal notifies affected users and urges account re-registration
Signal said it identified the approximately 100 potentially affected users, deregistered impacted devices where appropriate, and prompted users to re-register Signal on their devices. The company also stated that message histories, contact lists, profile information, and other personal data were not exposed from Signal systems.
Attackers access Signal user data through Twilio incident
As a result of the Twilio breach, attackers obtained information for about 1,900 Signal users, primarily phone numbers and SMS verification codes, and could have attempted to re-register some accounts. Signal said roughly 100 users were directly targeted or had their account registration exposed.
Twilio suffers phishing-based breach of customer support systems
Twilio disclosed that attackers used a phishing campaign against employees to gain access to internal systems and customer data. The incident affected a limited number of Twilio customers, including Signal.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Ukrainian Signal Users Fall to Russian Social Engineering
bankinfosecurity.com
Open sourceTwilio breach exposed some Signal users’ numbers | The Record from Recorded Future News
therecord.media
Open sourceTwilio Incident: What Signal Users Need to Know - Signal Support
support.signal.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
German Agencies Warn of Signal Account Hijacking via Support Impersonation and Linked-Device QR Codes
Germany’s **Federal Office for the Protection of the Constitution (BfV)** and **Federal Office for Information Security (BSI)** warned of suspected **state-linked phishing** operations targeting high-ranking individuals—politicians, military officers, diplomats, and investigative journalists—across Germany and Europe via messaging apps, notably **Signal**. The advisory emphasizes the campaign relies on **social engineering**, not malware or exploitation of technical vulnerabilities, with attackers contacting targets directly inside the app while impersonating *Signal* support personnel or a “security chatbot.” Authorities described two primary tactics to gain covert access to victims’ communications and networks: (1) **full account takeover** by tricking targets into sharing their Signal **PIN** or **SMS/one-time verification code**, enabling attackers to register the account on an attacker-controlled device and lock out the victim; and (2) **silent monitoring** by persuading targets to scan a **QR code** that abuses Signal’s legitimate `linked devices` feature to pair an attacker-controlled device, allowing ongoing access to one-to-one and group chats and contact lists. The agencies noted that while the activity is assessed as likely state-backed, the same methods could be replicated by non-state or financially motivated actors.
Mar 21, 2026
Russian Social-Engineering Campaign Targeting Signal and WhatsApp Accounts
The Dutch intelligence and military security services (**AIVD** and **MIVD**) warned of a **large-scale Russian cyber campaign** targeting individual **Signal** and **WhatsApp** accounts—particularly those of government officials, journalists, and military personnel—by persuading victims to disclose **security verification codes** and **PINs**. The activity does **not** involve breaking end-to-end encryption or exploiting a technical vulnerability in the apps; instead, it abuses legitimate account and security workflows. One commonly observed tactic is impersonation of a *Signal Support* chatbot to solicit verification information, enabling account takeover and access to messages and group chats. The agencies also reported abuse of the apps’ **“linked devices”** functionality, where attackers attempt to attach an additional device to a victim’s account to mirror messages in real time. AIVD/MIVD assessed that the campaign has already produced victims, including within the Dutch government, and that attackers likely accessed sensitive information as a result. Separate reporting about a fake *Red Alert* Android app used to spy on Israeli users describes a different mobile-malware operation (SMS lure, sideloaded trojanized app, extensive permissions, and data exfiltration) and is not part of the Signal/WhatsApp account-takeover campaign.
Jun 1, 2026
Signal Account Takeover Campaign Targeting German Officials
A **social-engineering campaign targeting Signal and WhatsApp accounts** has hit prominent German officials and security figures, including former BND vice president **Arndt Freytag von Loringhoven**. Attackers reportedly impersonated **Signal support** and tricked victims into disclosing their PINs, enabling account compromise and follow-on abuse. In Freytag von Loringhoven’s case, the hijacked account was then used to send a malicious link to his contacts before he warned them and deleted the account. German authorities had already classified the activity as **security-relevant** and advised potential victims to check for signs such as unknown linked devices and unexpected re-registration prompts. The campaign appears to be part of a broader **espionage-focused operation** affecting politicians and officials in Germany, with investigators reportedly suspecting a connection to **Russian hybrid activity**. One additional report references the same incident only in passing while discussing a separate German cybersecurity legislative proposal, reinforcing that the compromise of the former intelligence official was one of several recent security incidents shaping the policy debate. A separate article on Frankfurt police use of a mobile facial-recognition app is **not related** to the account-takeover campaign and should be excluded.
Apr 30, 2026