German Agencies Warn of Signal Account Hijacking via Support Impersonation and Linked-Device QR Codes
Germany’s Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI) warned of suspected state-linked phishing operations targeting high-ranking individuals—politicians, military officers, diplomats, and investigative journalists—across Germany and Europe via messaging apps, notably Signal. The advisory emphasizes that the campaign relies on social engineering, not malware or exploitation of technical vulnerabilities, with attackers contacting targets directly inside the app while impersonating Signal support personnel or a “security chatbot.”
Authorities described two primary tactics to gain covert access to victims’ communications and networks: (1) full account takeover by tricking targets into sharing their Signal PIN or SMS/one-time verification code, enabling attackers to register the account on an attacker-controlled device and lock out the victim; and (2) silent monitoring by persuading targets to scan a QR code that abuses Signal’s legitimate linked devices feature to pair an attacker-controlled device, allowing ongoing access to one-to-one and group chats and contact lists. The agencies noted that while the activity is assessed as likely state-backed, the same methods could be replicated by non-state or financially motivated actors.
Timeline
Feb 6, 2026
German agencies publish defensive guidance for targeted users
Alongside the warning, BfV and BSI advised users to ignore and report unsolicited support messages, never share PINs or verification codes, enable Signal's Registration Lock, and regularly review linked devices for unauthorized access. The guidance emphasized that these attacks can succeed without malware because they abuse legitimate app functionality.
Feb 6, 2026
Germany warns similar messaging-app abuse could affect WhatsApp
German authorities said the same social-engineering approach could be adapted to other messaging platforms with comparable account-linking and verification features, specifically naming WhatsApp. The warning expanded the significance of the campaign beyond Signal alone.
Feb 6, 2026
Authorities detail PIN/code theft and QR-linking attack methods
In the advisory, German authorities described two main techniques: impersonating Signal support or chatbots to steal a victim's Signal PIN or SMS verification code for account takeover, and tricking victims into scanning a QR code that links an attacker-controlled device to the account. They warned that successful access could expose chats and contact lists, and could enable impersonation or broader compromise through group conversations.
Feb 6, 2026
BfV and BSI issue joint warning on Signal phishing campaign
On 2026-02-06, Germany's BfV and BSI issued a joint advisory warning that a likely state-backed actor was targeting senior political figures, military officials, diplomats, and investigative journalists in Germany and across Europe via Signal. The agencies said the campaign used social engineering and legitimate app features rather than malware or software vulnerabilities.
Jan 31, 2026
German interior minister cites ongoing hybrid cyberattacks
At the end of January 2026, Interior Minister Alexander Dobrindt said Germany was facing constant cyberattacks against institutions, infrastructure, and companies, and referenced hybrid attacks including those from Russia. He also said the Interior Ministry was preparing a center to coordinate defense against hybrid threats later in the year.
Related Stories

Signal Account Takeover Campaign Targeting German Officials
A **social-engineering campaign targeting Signal and WhatsApp accounts** has hit prominent German officials and security figures, including former BND vice president **Arndt Freytag von Loringhoven**. Attackers reportedly impersonated **Signal support** and tricked victims into disclosing their PINs, enabling account compromise and follow-on abuse. In Freytag von Loringhoven’s case, the hijacked account was then used to send a malicious link to his contacts before he warned them and deleted the account. German authorities had already classified the activity as **security-relevant** and advised potential victims to check for signs such as unknown linked devices and unexpected re-registration prompts. The campaign appears to be part of a broader **espionage-focused operation** affecting politicians and officials in Germany, with investigators reportedly suspecting a connection to **Russian hybrid activity**. One additional report references the same incident only in passing while discussing a separate German cybersecurity legislative proposal, reinforcing that the compromise of the former intelligence official was one of several recent security incidents shaping the policy debate. A separate article on Frankfurt police use of a mobile facial-recognition app is **not related** to the account-takeover campaign and should be excluded.
6 days ago
Russian Social-Engineering Campaign Targeting Signal and WhatsApp Accounts
The Dutch intelligence and military security services (**AIVD** and **MIVD**) warned of a **large-scale Russian cyber campaign** targeting individual **Signal** and **WhatsApp** accounts—particularly those of government officials, journalists, and military personnel—by persuading victims to disclose **security verification codes** and **PINs**. The activity does **not** involve breaking end-to-end encryption or exploiting a technical vulnerability in the apps; instead, it abuses legitimate account and security workflows. One commonly observed tactic is impersonation of a *Signal Support* chatbot to solicit verification information, enabling account takeover and access to messages and group chats. The agencies also reported abuse of the apps’ **“linked devices”** functionality, where attackers attempt to attach an additional device to a victim’s account to mirror messages in real time. AIVD/MIVD assessed that the campaign has already produced victims, including within the Dutch government, and that attackers likely accessed sensitive information as a result. Separate reporting about a fake *Red Alert* Android app used to spy on Israeli users describes a different mobile-malware operation (SMS lure, sideloaded trojanized app, extensive permissions, and data exfiltration) and is not part of the Signal/WhatsApp account-takeover campaign.
1 week ago
Mobile and Messaging Scams Use Impersonation and Urgency to Steal Credentials and Data
Acronis researchers reported a deceptive Android campaign targeting Israeli users with a trojanized version of the *Red Alert* rocket-warning app distributed via SMS messages impersonating Israel’s Home Front Command. The fake app displays legitimate rocket alerts to reduce suspicion while requesting extensive permissions that enable **GPS tracking**, **SMS interception (including one-time passwords)**, contact harvesting, installed-app enumeration, and account discovery; collected data is exfiltrated to a remote server, and the operators used **certificate spoofing** to make the installation appear as if it came from Google Play. Separate consumer-focused advisories described multiple **social-engineering/phishing** lures delivered via text, email, and calendar invites: an “Amazon recall” SMS that pushes victims to a credential-harvesting site for “refunds”; an “Apple Security Alert” pop-up/text/email that attempts to drive victims to call a fraudulent support number or surrender credentials/2FA/payment details; and a trend of **fake calendar invitations** increasingly appearing in Microsoft Outlook (previously more common in Gmail) using urgent subjects (e.g., “Final Notice”) and domain reconnaissance to personalize invites. The Outlook example noted mixed authentication signals (DMARC/SPF/DKIM pass/fail across relays), underscoring that users and defenders should treat unsolicited invites and urgent account/payment prompts as high-risk even when messages appear superficially legitimate.
1 month ago