Russian state-sponsored hackers have been linked to an ongoing Signal and WhatsApp phishing campaign targeting government officials, military personnel, and journalists to gain access to sensitive messages.
This report comes from the Netherlands Defence Intelligence and Security Service (MIVD) and the Netherlands General Intelligence and Security Service (AIVD), which confirmed that Dutch government employees have been targeted in the attacks.
The Dutch intelligence agencies say the operation relies on phishing and social-engineering techniques that abuse legitimate authentication features to take over accounts and covertly monitor new messages.
Signal posted on social media that it is aware of targeted phishing attacks that have resulted in account takeovers and warned users to remain vigilant.
“We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists,” Signal posted on Bluesky.
“We take this very seriously. To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts.”
Signal says that when it sends SMS codes, it always warns users not to share SMS codes or PINs with anyone, including Signal employees or services.
Phishing messages impersonate Signal support
One of the primary attack methods involves posing as a “Signal Security Support Chatbot” that warns the user that suspicious activity was detected on their account.
The message then tells the user to complete a “verification procedure” by sharing a verification code sent to their phone.
“We have noticed suspicious activity on your device, which could have led to data leak. We have also detected attempts to gain access to your private data in Signal,” reads the Signal phishing message.
“To prevent this, you have to pass verification procedure, entering the verification code to Signal Security Support Chatbot.”
Source: Signal
After the victim provides the SMS verification code and their Signal PIN, attackers can take full control of the account by registering it on their own device.
According to the advisory, once attackers gain access to an account, they can also change the phone number associated with it to one under their control. This allows them to access the victim’s contact list and incoming messages, including messages sent in group chats.
Attackers may also impersonate the victim by sending messages from the compromised account.
Because Signal stores chat history locally on the device, victims who re-register a new account regain access to their old messages, potentially leading them to believe nothing unusual occurred.
“The victim is unable to access their account, although they are able to create a new Signal account using their existing telephone number, as the actor has already linked the compromised account to a new telephone number,” warn the Dutch intelligence agencies.
“Because Signal stores the chat history locally on the phone, a victim can regain access to that history after re‑registering. As a result, the victim may assume that nothing is wrong. The Dutch services want to stress that this assumption could be incorrect.”
The advisory also says a second method was observed abusing Signal’s and WhatsApp’s device linking functionality.
Attackers send victims a malicious QR code or link that appears to be an invitation to join a chat group or connect with another user. When the victim scans the code or opens the link, it links the attacker’s device to the victim’s account instead.
Both Signal and WhatsApp offer a linked device feature that allows users to connect devices, such as computers or tablets, to their accounts so they can send and receive messages from multiple devices. This is typically done by scanning a QR code generated by the main mobile device, which authorizes the new device to access and synchronize the account’s messages.
Once connected, the attacker gains access to the victim’s messages and may be able to read chat history, monitor conversations in real time, and send messages in the victim’s name.
Unlike account takeovers, victims typically retain access to their accounts, which can make a breach harder to detect.
The Dutch intelligence agencies advise users not to share sensitive or classified information via messaging apps unless specifically approved.
They also recommend checking the list of devices linked to Signal and WhatsApp accounts and immediately removing unknown devices.
The same precautions used against email phishing attacks apply to messaging apps, including ignoring unsolicited invitations, links, or QR codes unless users have verified their legitimacy through another trusted communication channel.
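As an added example (not code from the advisory, Signal, or WhatsApp), the check below triages a decoded QR payload or link before anyone opens it on a phone, flagging a device-link request that is presented as a group invitation. It assumes Signal device-link URIs of the form `sgnl://linkdevice` (legacy `tsdevice:`) carrying `uuid` and `pub_key` parameters and group invites of the form `https://signal.group/#...`; all sample values are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: URI forms Signal uses for device linking and group invites.
LINK_SCHEMES = {"sgnl", "tsdevice"}
LINK_PARAMS = {"uuid", "pub_key"}


def classify_signal_uri(payload: str) -> str:
    """Return 'device-link', 'group-invite' or 'other' for a decoded payload."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    params = parse_qs(parts.query).keys()
    if scheme in LINK_SCHEMES and LINK_PARAMS <= params:
        # sgnl:// must name the linkdevice action; tsdevice: has no host part.
        if scheme == "tsdevice" or parts.netloc.lower() == "linkdevice":
            return "device-link"
    if scheme == "https" and parts.hostname == "signal.group" and parts.fragment:
        return "group-invite"
    return "other"


def triage(claimed_purpose: str, payload: str) -> str:
    """Compare what the sender claims the code is with what it actually does."""
    kind = classify_signal_uri(payload)
    if kind == "device-link":
        # Legitimate linking starts from the user's own new device, never a message.
        return "block: payload authorizes a new linked device"
    if kind == claimed_purpose:
        return "consistent: still confirm with the sender on another channel"
    return "unverified: not a recognized Signal invite"


# Constructed samples: (claimed purpose, decoded QR payload or link).
SAMPLES = [
    ("group-invite", "sgnl://linkdevice?uuid=00000000-0000-4000-8000-000000000000&pub_key=QUJDREVGRw"),
    ("group-invite", "tsdevice:/?uuid=constructed&pub_key=QUJD"),
    ("group-invite", "https://signal.group/#CONSTRUCTED-EXAMPLE"),
    ("group-invite", "https://signal-group.example/join?uuid=1&pub_key=2"),
]

if __name__ == "__main__":
    for claimed, payload in SAMPLES:
        print(f"{triage(claimed, payload):<60} {payload}")
```

An "unverified" result is not a clean bill of health: this check only sees the payload itself, not where a web link may lead once opened.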
These types of messaging app phishing campaigns are not new.
Last year, Google reported that Russian threat actors targeted Signal users by abusing features such as device linking to gain access to victims’ communications.
In December, GenDigital detected a WhatsApp device-linking QR code phishing campaign targeting users in Czechia, though it was not attributed to any specific threat actor.