Russian Hackers Target Signal and WhatsApp in Messaging App Phishing Campaign

Dutch intelligence agencies warn that phishing attacks are hijacking messaging accounts of officials, journalists, and military personnel.

Dutch intelligence agencies have issued a warning about an ongoing phishing campaign targeting users of secure messaging platforms such as Signal and WhatsApp. According to the Netherlands Defence Intelligence and Security Service (MIVD) and the Netherlands General Intelligence and Security Service (AIVD), the attacks have been linked to Russian state-sponsored threat actors.

The campaign focuses on high-value targets, including government officials, military personnel, and journalists. Attackers aim to gain unauthorized access to private conversations and sensitive communications by hijacking messaging accounts.

Unlike traditional cyber intrusions that exploit software vulnerabilities, this campaign relies heavily on social engineering and phishing techniques. Attackers manipulate users into revealing authentication credentials or linking malicious devices to their messaging accounts.

Signal confirmed that it is aware of these attacks and emphasized that its encryption and infrastructure remain secure. However, the attackers successfully exploit human trust rather than technical weaknesses in the platform.

Phishing Messages Impersonating Signal Support

One of the primary attack techniques involves posing as a "Signal Security Support Chatbot." Victims receive messages claiming that suspicious activity has been detected on their accounts. The message then instructs them to complete a verification process to secure their account.

To complete the fake verification, users are asked to share the SMS verification code sent to their phone and sometimes their Signal PIN. Once attackers obtain this information, they can register the victim's account on a new device and gain full control.

After hijacking the account, attackers may change the associated phone number, making it difficult for the victim to regain access. They can then monitor conversations, access contact lists, read group messages, and even impersonate the victim in chats.

Because Signal stores chat history locally on the device, victims who later re-register their accounts may still see their previous messages. As a result, they might assume that nothing unusual occurred, even though attackers previously accessed their communications.

Device Linking Exploited for Silent Surveillance

Another attack method abuses the device-linking features available in both Signal and WhatsApp. These features allow users to connect additional devices, such as laptops or tablets, to their messaging accounts.

Attackers send victims malicious QR codes or links disguised as chat invitations or collaboration requests. When the victim scans the QR code or opens the link, it silently links the attacker's device to the account.

Once linked, the attacker can monitor conversations in real time, access message history, and even send messages on behalf of the victim. Unlike full account takeovers, the victim typically retains access to their account, which makes this intrusion much harder to detect.
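A triage sketch for the device-linking lure described above, added here as an example and not taken from the article or the agencies' advisory: it classifies the text decoded from a QR code or link before anyone opens it. The URI forms it checks (`sgnl://linkdevice`, the older `tsdevice:`, and `https://signal.group/` for genuine group invites) are assumptions not stated in the article, it covers Signal-style payloads only, and every sample payload is constructed.

```python
from urllib.parse import unquote, urlsplit

# Assumed URI forms (not stated in the article): Signal device-link payloads
# start with sgnl://linkdevice (older clients: tsdevice:), while genuine
# Signal group invites are https://signal.group/#... links.
DEVICE_LINK_PREFIXES = ("sgnl://linkdevice", "tsdevice:")
GROUP_INVITE_HOST = "signal.group"

def fully_unquote(text, rounds=3):
    """Undo up to `rounds` layers of percent-encoding used to hide a URI."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify_payload(payload):
    """Classify text decoded from a QR code or link before it is opened."""
    raw = payload.strip()
    decoded = fully_unquote(raw).lower()
    if decoded.startswith(DEVICE_LINK_PREFIXES):
        return "device-link"            # opening it would add a linked device
    if any(prefix in decoded for prefix in DEVICE_LINK_PREFIXES):
        return "embedded-device-link"   # web URL carrying a link URI inside
    try:
        parts = urlsplit(raw)
    except ValueError:                  # malformed URL, nothing to classify
        return "other"
    host = (parts.hostname or "").lower()
    if parts.scheme == "https" and host == GROUP_INVITE_HOST:
        return "group-invite"
    if "signal" in host:
        return "signal-themed-host"     # not the invite host: verify out of band
    return "other"

# Constructed sample payloads (placeholders, not real indicators).
SAMPLES = [
    "sgnl://linkdevice?uuid=CONSTRUCTED&pub_key=CONSTRUCTED",
    "https://signal.group/#CONSTRUCTED",
    "https://signal-groups.example.invalid/join?next=sgnl%3A%2F%2Flinkdevice%3Fuuid%3DX",
    "https://signal-groups.example.invalid/invite",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_payload(sample):22} {sample}")
```

Anything classified as `device-link` or `embedded-device-link` that arrived as a "chat invitation" matches the lure pattern described above and warrants a check of the account's linked-device list.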

Intelligence Agencies Urge Messaging Security Awareness

Dutch intelligence agencies recommend that users avoid sharing sensitive or classified information through messaging platforms unless officially approved. Additionally, users should regularly review the list of linked devices on their accounts and immediately remove any unknown devices.

Security experts also advise users to ignore unsolicited links, invitations, or QR codes received through messaging platforms. Instead, they should verify such requests through a trusted communication channel before taking any action.

This campaign highlights a growing trend where attackers increasingly target messaging platforms rather than traditional email systems. As encrypted messaging becomes a primary communication tool for professionals and government officials, these platforms have become attractive targets for cyber espionage operations.

Organizations must therefore expand their security awareness programs to include messaging-based phishing threats. While encryption protects message content, human manipulation remains one of the most effective attack vectors for cyber adversaries.