Russian Social-Engineering Campaign Targeting Signal and WhatsApp Accounts

Updated April 29, 2026 at 09:01 PM. 26 sources.

The Dutch intelligence and military security services (AIVD and MIVD) warned of a large-scale Russian cyber campaign targeting individual Signal and WhatsApp accounts—particularly those of government officials, journalists, and military personnel—by persuading victims to disclose security verification codes and PINs. The activity does not involve breaking end-to-end encryption or exploiting a technical vulnerability in the apps; instead, it abuses legitimate account and security workflows. One commonly observed tactic is impersonation of a Signal Support chatbot to solicit verification information, enabling account takeover and access to messages and group chats.

The agencies also reported abuse of the apps’ “linked devices” functionality, where attackers attempt to attach an additional device to a victim’s account to mirror messages in real time. AIVD/MIVD assessed that the campaign has already produced victims, including within the Dutch government, and that attackers likely accessed sensitive information as a result. Separate reporting about a fake Red Alert Android app used to spy on Israeli users describes a different mobile-malware operation (SMS lure, sideloaded trojanized app, extensive permissions, and data exfiltration) and is not part of the Signal/WhatsApp account-takeover campaign.
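The linked-device abuse described above depends on the victim scanning a QR code that carries a device-linking request, so a reported QR code or link can be triaged by checking whether it resolves to one. The following Python is an added example, not code from AIVD/MIVD, Signal, or this page; the `sgnl://linkdevice` URI form is an assumption taken from Signal's public client behaviour rather than from the page, and `find_link_uri` and `triage` are hypothetical names.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption, not from the page: Signal's device-linking QR encodes a URI of
# the form sgnl://linkdevice?uuid=...&pub_key=...
LINK_SCHEME, LINK_HOST = "sgnl", "linkdevice"
MAX_DEPTH = 4  # bound on nested redirect/encoding layers we unwrap


def find_link_uri(payload, depth=0):
    """Return (uri, depth) for a device-linking URI in payload, else None."""
    text = payload.strip()
    try:
        parts = urlsplit(text)
    except ValueError:  # malformed URL, e.g. a bad IPv6 literal
        return None
    if parts.scheme.lower() == LINK_SCHEME and parts.netloc.lower() == LINK_HOST:
        return text, depth
    if depth >= MAX_DEPTH:
        return None
    # Values that may carry another URI: query parameters (percent-decoded by
    # parse_qsl), the fragment, and the whole string decoded one more layer.
    nested = [value for _, value in parse_qsl(parts.query)]
    nested.append(unquote(parts.fragment))
    nested.append(unquote(text))
    for value in nested:
        if value and value != text:
            hit = find_link_uri(value, depth + 1)
            if hit:
                return hit
    return None


def triage(payload):
    """Classify one decoded QR payload or URL taken from a reported message."""
    hit = find_link_uri(payload)
    if hit is None:
        return "no-link-request", None
    uri, depth = hit
    return ("device-link" if depth == 0 else "wrapped-device-link"), uri


# Constructed samples; the identifiers are placeholders, not real values.
SAMPLES = [
    "sgnl://linkdevice?uuid=CONSTRUCTED-UUID&pub_key=CONSTRUCTED-KEY",
    "https://example.invalid/join?next=sgnl%3A%2F%2Flinkdevice%3Fuuid%3DCONSTRUCTED-UUID",
    "https://example.invalid/article?id=42",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

A `device-link` or `wrapped-device-link` verdict on content that arrived by message, e-mail, or web page means the code would pair a new device to the account; the only expected source of such a code is the user's own client during a linking session they started themselves.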

Timeline

  1. Apr 29, 2026

    German government members reportedly compromised in Signal phishing campaign

    Reporting said a likely Russia-linked phishing campaign abusing Signal’s linked-device QR code feature compromised members of the German government, including Bundestag President Julia Klöckner. German authorities assessed Russia was probably behind the operation, while Chancellor Friedrich Merz’s phone was examined and found not compromised.

  2. Apr 11, 2026

    Impersonator uses ProPublica reporter identity on Signal and WhatsApp

    A ProPublica reporter disclosed that an unknown actor used his name and headshot on WhatsApp and Signal to contact people tied to foreign military and Ukraine-related matters. Reported targets included a Canadian military official and a Latvian businessman supporting the Ukrainian military, and one approach appeared to include fake secure video-call instructions aimed at compromising an email account.

  3. Mar 20, 2026

    FBI warns Russian intelligence-linked actors hijacked thousands of messaging accounts

    The FBI issued a public service announcement warning that Russian intelligence-linked threat actors are phishing users of Signal and WhatsApp, especially people with access to sensitive information. The bureau said the campaign has already compromised thousands of accounts worldwide through stolen verification codes and malicious QR codes rather than by breaking app encryption.

  4. Mar 20, 2026

    CISA publishes U.S. advisory on Russian targeting of messaging accounts

    CISA published guidance on Russian intelligence services targeting commercial messaging application accounts, reflecting broader official concern about the same account-takeover tradecraft. The advisory extended awareness of the threat beyond the Dutch warning.

  5. Mar 9, 2026

    Signal says it is adding safeguards and UI warnings

    Signal said it was working on additional safeguards and user-interface improvements to better protect high-risk users from phishing and fraudulent device-linking attempts. It also reiterated that legitimate support would not request verification credentials through messages, SMS, or social media.

  6. Mar 9, 2026

    Signal confirms targeted phishing caused account takeovers

    Signal publicly acknowledged an ongoing wave of targeted phishing and social-engineering attacks that successfully took over some user accounts, including those of journalists and government officials. The company said its infrastructure and end-to-end encryption were not compromised and that attackers were tricking users into sharing SMS verification codes and Signal PINs.

  7. Mar 9, 2026

    Dutch authorities warn sensitive communications should avoid consumer chat apps

    Alongside the advisory, Dutch officials stated that end-to-end encrypted consumer messaging apps are not suitable for classified, confidential, or otherwise sensitive government information. They emphasized that encryption does not protect against account takeover through social engineering.

  8. Mar 9, 2026

    AIVD and MIVD publish advisory on Signal and WhatsApp phishing

    Dutch intelligence and military security agencies issued a public cybersecurity advisory warning about phishing via Signal and WhatsApp. The advisory described tactics such as fake Signal support messages, credential theft, malicious QR codes, and abuse of linked devices, and provided guidance to help users detect and respond to account compromise.

  9. Mar 9, 2026

    Dutch agencies confirm Dutch government employees were affected

    The Netherlands’ AIVD and MIVD said the campaign had already led to compromises, including accounts belonging to Dutch government employees, and assessed that sensitive information was likely exposed. They also warned the activity was not limited to the Netherlands.

  10. Mar 9, 2026

    Russian-linked campaign compromises Signal and WhatsApp accounts

    A large-scale Russia-linked operation targeted Signal and WhatsApp accounts of government officials, military personnel, journalists, diplomats, researchers, and other high-value individuals worldwide. The campaign used social engineering to steal verification codes and PINs and abused linked-device features rather than exploiting vulnerabilities in the apps themselves.

  11. Feb 1, 2025

    Google documents Russian abuse of Signal linked-device feature

    Google Threat Intelligence Group reported that Russia-linked actors were using malicious QR codes to link victims’ Signal accounts to attacker-controlled devices for real-time eavesdropping, particularly in activity tied to the war in Ukraine. Later reporting cited this as an earlier precursor to the broader campaign described by Dutch authorities.


Related Stories

Signal Account Takeover Campaign Targeting German Officials

A **social-engineering campaign targeting Signal and WhatsApp accounts** has hit prominent German officials and security figures, including former BND vice president **Arndt Freytag von Loringhoven**. Attackers reportedly impersonated **Signal support** and tricked victims into disclosing their PINs, enabling account compromise and follow-on abuse. In Freytag von Loringhoven’s case, the hijacked account was then used to send a malicious link to his contacts before he warned them and deleted the account. German authorities had already classified the activity as **security-relevant** and advised potential victims to check for signs such as unknown linked devices and unexpected re-registration prompts. The campaign appears to be part of a broader **espionage-focused operation** affecting politicians and officials in Germany, with investigators reportedly suspecting a connection to **Russian hybrid activity**. One additional report references the same incident only in passing while discussing a separate German cybersecurity legislative proposal, reinforcing that the compromise of the former intelligence official was one of several recent security incidents shaping the policy debate. A separate article on Frankfurt police use of a mobile facial-recognition app is **not related** to the account-takeover campaign and should be excluded.

6 days ago

German Agencies Warn of Signal Account Hijacking via Support Impersonation and Linked-Device QR Codes

Germany’s **Federal Office for the Protection of the Constitution (BfV)** and **Federal Office for Information Security (BSI)** warned of suspected **state-linked phishing** operations targeting high-ranking individuals—politicians, military officers, diplomats, and investigative journalists—across Germany and Europe via messaging apps, notably **Signal**. The advisory emphasizes the campaign relies on **social engineering**, not malware or exploitation of technical vulnerabilities, with attackers contacting targets directly inside the app while impersonating *Signal* support personnel or a “security chatbot.” Authorities described two primary tactics to gain covert access to victims’ communications and networks: (1) **full account takeover** by tricking targets into sharing their Signal **PIN** or **SMS/one-time verification code**, enabling attackers to register the account on an attacker-controlled device and lock out the victim; and (2) **silent monitoring** by persuading targets to scan a **QR code** that abuses Signal’s legitimate `linked devices` feature to pair an attacker-controlled device, allowing ongoing access to one-to-one and group chats and contact lists. The agencies noted that while the activity is assessed as likely state-backed, the same methods could be replicated by non-state or financially motivated actors.

1 month ago

Phishing Kit Hijacks WhatsApp Accounts via WhatsApp Web QR Code and Targets Iran-Related Individuals

A phishing campaign targeting high-profile individuals involved in Iran-related activities has been using WhatsApp messages to lure victims to a fake site that impersonates *WhatsApp Web* and steals access to accounts and other credentials. U.K.-based Iranian activist and investigator **Nariman Gharib** shared the phishing link and technical findings, which indicated the operation aimed to compromise WhatsApp accounts and harvest credentials (including **Gmail** and other online logins), with victims including a Middle Eastern academic in national security studies, the head of an Israeli drone maker, a senior Lebanese cabinet minister, at least one journalist, and individuals with U.S. phone numbers. TechCrunch reported it was able to view a real-time copy of victim submissions because the attackers’ server storing responses was left exposed without a password, showing dozens of victims had entered credentials and were likely subsequently compromised. Technical reporting described the attack as a “surveillance kit” that hijacks accounts by abusing the WhatsApp Web linking flow: the phishing page continuously polls the attacker’s infrastructure and presents a live QR code tied to the attacker’s own WhatsApp Web session, so when a victim scans it they unknowingly authenticate the attacker’s browser and link their account. The infrastructure was reported as hosted on a **DuckDNS** domain and running on an **Ubuntu** server with **nginx**. Beyond account takeover, the kit was described as requesting browser permissions that could enable invasive monitoring—camera, microphone, and location access—allowing attackers to capture photos, record audio in intervals, and track location in near real time; attribution remained uncertain in one report, while another linked the activity to Iranian intelligence.

1 month ago
