Russian state-backed hackers have been linked to an ongoing phishing campaign targeting users of Signal and WhatsApp, including government officials, military personnel, and journalists.
The attackers are attempting to gain access to private communications by tricking victims into giving away account verification details.
The Netherlands Defence Intelligence and Security Service and the Netherlands General Intelligence and Security Service revealed the campaign. According to the agencies, Dutch government employees have already been targeted in these attacks.
Investigators say the operation relies heavily on phishing and social engineering tactics that abuse legitimate authentication features of messaging apps. Instead of breaking encryption, attackers trick users into handing over verification codes or linking their accounts to attacker-controlled devices.
Signal confirmed that it is aware of the attacks and warned users to remain cautious. The company said its encryption systems and infrastructure remain secure and that the breaches happen only when victims are deceived into sharing sensitive information such as SMS verification codes or their Signal PIN.
One common method used in the campaign involves impersonating a fake Signal security support chatbot. Victims receive a message claiming that suspicious activity has been detected on their account. The message instructs them to complete a security verification process by entering a code sent to their phone.
The phishing message typically warns users that attempts have been made to access their private data and that verification is required to prevent a possible data leak. When victims send the verification code and their Signal PIN to the attackers, the hackers can register the victim’s account on their own device and take control of it.
Once inside the account, attackers may change the phone number linked to the account to one they control. This allows them to access the victim’s contact list and incoming messages, including messages from group chats. Hackers can also impersonate the victim and send messages from the compromised account.
Because Signal stores chat history locally on the user’s device, victims who later create a new account using the same phone number may still see their old messages. This can make it appear as if nothing unusual has happened even though attackers may still have access to their communications.
Authorities also identified another technique used in the campaign that exploits the device linking feature available in both Signal and WhatsApp. This feature normally allows users to connect additional devices such as computers or tablets to their messaging accounts.
In the attack scenario, victims receive a malicious QR code or link disguised as an invitation to join a chat group or connect with another user. When the victim scans the QR code or opens the link, it secretly links the attacker’s device to the victim’s account.
Once linked, the attacker can monitor messages, read conversations in real time, and potentially send messages pretending to be the victim. Unlike full account takeovers, the victim may still have access to their account, which makes the breach harder to detect.
Dutch intelligence agencies recommend avoiding the sharing of sensitive or classified information through messaging apps unless specifically approved. Users are also advised to regularly check the list of devices connected to their Signal or WhatsApp accounts and immediately remove any unfamiliar devices.
Security experts also recommend treating suspicious messages on messaging apps the same way users would treat email phishing attempts. People should avoid clicking unknown links, scanning unexpected QR codes, or responding to unsolicited messages unless they verify the sender through another trusted communication channel.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
These types of attacks are not new. Last year, Google reported similar campaigns in which Russian hackers targeted Signal users by exploiting the device linking feature to access private communications. A separate WhatsApp phishing campaign using QR codes was also detected in Europe late last year, showing that messaging platforms are becoming a growing target for cyber espionage and cybercrime.
