
Signal Account Takeover Campaign Targeting German Officials

government-diplomatic-threat, state-sponsored-espionage, voice-social-engineering, credential-access-method, identity-impersonation-fraud

Updated April 30, 2026 at 02:01 AM | 8 sources

A social-engineering campaign targeting Signal and WhatsApp accounts has hit prominent German officials and security figures, including former BND vice president Arndt Freytag von Loringhoven. Attackers reportedly impersonated Signal support and tricked victims into disclosing their PINs, enabling account compromise and follow-on abuse. In Freytag von Loringhoven’s case, the hijacked account was then used to send a malicious link to his contacts before he warned them and deleted the account. German authorities had already classified the activity as security-relevant and advised potential victims to check for signs such as unknown linked devices and unexpected re-registration prompts.

The campaign appears to be part of a broader espionage-focused operation affecting politicians and officials in Germany, with investigators reportedly suspecting a connection to Russian hybrid activity. One additional report references the same incident only in passing while discussing a separate German cybersecurity legislative proposal, reinforcing that the compromise of the former intelligence official was one of several recent security incidents shaping the policy debate. A separate article on Frankfurt police use of a mobile facial-recognition app is not related to the account-takeover campaign and should be excluded.

Timeline

  1. Apr 23, 2026

    Signal phishing campaign reportedly compromises Julia Klöckner and newsroom staff

    Reporting on 2026-04-23 said the Signal phishing campaign had successfully compromised Bundestag President Julia Klöckner, at least one additional Bundestag member, and staff at major German newsrooms. Germany's domestic intelligence service also warned that numerous parliamentary Signal groups may be under undetected monitoring, indicating broader impact on political and media communications.

  2. Mar 16, 2026

    Signal says no platform vulnerability was exploited

    Signal stated that its encryption and infrastructure were not compromised in the incidents. The company said the account takeovers resulted from phishing and misuse of legitimate features, not from a software vulnerability in Signal itself.

  3. Mar 16, 2026

    Dutch intelligence attributes broader campaign to Russia-linked actors

    Dutch intelligence agencies publicly attributed a wider global campaign targeting government officials, military personnel, civil servants, and possibly journalists to Russia-linked threat actors. The attribution connected the German cases to a broader espionage effort against messaging app users.

  4. Mar 16, 2026

    German authorities classify the messaging campaign as security-relevant

    German authorities assessed the Signal and WhatsApp account takeover activity as security-relevant after the targeting of senior officials came to light. The incidents were described as phishing and abuse of legitimate platform features rather than a compromise of Signal's encryption or infrastructure.

  5. Mar 16, 2026

    German officials targeted in Signal and WhatsApp takeover campaign

    A targeted social-engineering campaign affected high-ranking German officials, including former BND Vice President Arndt Freytag von Loringhoven, by impersonating Signal support and soliciting PINs or verification data. In some cases, attackers abused Signal's linked devices feature to maintain access to victim communications.

  6. Feb 28, 2026

    German Interior Ministry publishes cyber law draft

    At the end of February 2026, Germany's Federal Ministry of the Interior published the draft law "Gesetz zur Stärkung der Cybersicherheit." The proposal would expand the powers of the Bundespolizei, BKA, and BSI to take active measures such as shutting down systems, redirecting traffic, and altering or deleting data on IT systems.

  7. Feb 15, 2026

    Federal prosecutors open preliminary espionage probe into Signal phishing campaign

    In mid-February 2026, German federal prosecutors began a preliminary investigation on suspicion of espionage related to the Signal phishing campaign targeting politicians, officials, military personnel, diplomats, and journalists. The probe marked an early law-enforcement response before the campaign's broader public disclosure.


Related Stories

German Agencies Warn of Signal Account Hijacking via Support Impersonation and Linked-Device QR Codes

Germany’s **Federal Office for the Protection of the Constitution (BfV)** and **Federal Office for Information Security (BSI)** warned of suspected **state-linked phishing** operations targeting high-ranking individuals—politicians, military officers, diplomats, and investigative journalists—across Germany and Europe via messaging apps, notably **Signal**. The advisory emphasizes the campaign relies on **social engineering**, not malware or exploitation of technical vulnerabilities, with attackers contacting targets directly inside the app while impersonating *Signal* support personnel or a “security chatbot.” Authorities described two primary tactics to gain covert access to victims’ communications and networks: (1) **full account takeover** by tricking targets into sharing their Signal **PIN** or **SMS/one-time verification code**, enabling attackers to register the account on an attacker-controlled device and lock out the victim; and (2) **silent monitoring** by persuading targets to scan a **QR code** that abuses Signal’s legitimate `linked devices` feature to pair an attacker-controlled device, allowing ongoing access to one-to-one and group chats and contact lists. The agencies noted that while the activity is assessed as likely state-backed, the same methods could be replicated by non-state or financially motivated actors.

1 month ago

Russian Social-Engineering Campaign Targeting Signal and WhatsApp Accounts

The Dutch intelligence and military security services (**AIVD** and **MIVD**) warned of a **large-scale Russian cyber campaign** targeting individual **Signal** and **WhatsApp** accounts—particularly those of government officials, journalists, and military personnel—by persuading victims to disclose **security verification codes** and **PINs**. The activity does **not** involve breaking end-to-end encryption or exploiting a technical vulnerability in the apps; instead, it abuses legitimate account and security workflows. One commonly observed tactic is impersonation of a *Signal Support* chatbot to solicit verification information, enabling account takeover and access to messages and group chats. The agencies also reported abuse of the apps’ **“linked devices”** functionality, where attackers attempt to attach an additional device to a victim’s account to mirror messages in real time. AIVD/MIVD assessed that the campaign has already produced victims, including within the Dutch government, and that attackers likely accessed sensitive information as a result. Separate reporting about a fake *Red Alert* Android app used to spy on Israeli users describes a different mobile-malware operation (SMS lure, sideloaded trojanized app, extensive permissions, and data exfiltration) and is not part of the Signal/WhatsApp account-takeover campaign.

1 week ago

German and Ukrainian actions expand cyber operations: BND surveillance powers and a ransomware disruption

German lawmakers are advancing draft legislation to significantly expand the Bundesnachrichtendienst’s (**BND**) hacking and surveillance authorities, including intercepting full internet communications (not just metadata), retaining collected data for up to six months, and extending the agency’s offensive mandate to hack foreign internet service providers to obtain target information when companies do not cooperate. Reporting indicates the proposal is partly aimed at reducing reliance on the US **NSA** for threat intelligence and bringing Germany’s capabilities in line with other European services; it would also broaden who can be surveilled, including foreigners inside Germany and certain journalists tied to foreign state-run media, and would enable intrusive operations such as deploying a “federal trojan.” Separately, Ukrainian and German law enforcement reported disrupting a Russian-affiliated ransomware operation, identifying and searching two suspects in Ukraine alleged to have served as “hash cracker” specialists who extracted/cracked password hashes, used stolen credentials for lateral movement and privilege escalation, and supported ransomware deployment and data exfiltration for extortion. Authorities seized digital devices and cryptocurrency assets and said an alleged Russian organizer has been identified, with foreign partners suggesting possible links to the **Conti** ransomware ecosystem. A third item—a *Citizen Lab* job posting—does not report a specific incident and is primarily recruitment content, despite referencing prior research on targeted phishing and spyware threats.

1 month ago
