Russian Hackers Hijack Signal App

Russian state-sponsored hackers are conducting a massive global operation targeting your Signal and WhatsApp accounts, bypassing encryption entirely by tricking users into handing over access through sophisticated phishing schemes that exploit the very features designed to protect you.

Story Snapshot

Dutch and German intelligence agencies confirmed Russian state hackers are targeting Signal and WhatsApp users worldwide through social engineering attacks, not encryption vulnerabilities
Government officials, military personnel, journalists, and activists represent primary targets as attackers seek access to sensitive communications and confidential source networks
The campaign uses fake support bots and device-linking exploits to hijack accounts, giving attackers real-time access to all encrypted messages without breaking encryption
Security experts warn the highly active operation spreads by harvesting contact lists from compromised accounts, expanding the threat to everyday users

State-Sponsored Espionage Campaign Targets Conservative Networks

Dutch intelligence agencies AIVD and MIVD issued a formal public warning on March 9, 2026, confirming Russian state-sponsored hackers are conducting a large-scale global campaign to compromise Signal and WhatsApp accounts. The operation specifically targets government officials, military personnel, journalists, and activists worldwide through sophisticated phishing and social engineering techniques. German intelligence agencies BfV and BSI issued similar warnings in February 2026, confirming the coordinated nature of this threat. Signal has publicly acknowledged these attacks occurred while emphasizing its encryption and infrastructure remain secure. This represents a significant escalation in foreign intelligence operations targeting individuals who depend on secure communications.

How Attackers Bypass Encryption Without Breaking It

The campaign exploits legitimate features in Signal and WhatsApp rather than compromising encryption protocols. Attackers use two primary methods: fake support bots that request verification codes and PINs, and device-linking exploits that secretly add attacker-controlled devices to victim accounts. Dutch intelligence Director-General Simone Smit clarified the threat: “It is not that Signal or WhatsApp as applications are compromised. The threat is directed at accounts of individual users.” Once attackers obtain account access, they gain real-time visibility into all encrypted communications without breaking the mathematical security of encryption itself. This approach succeeds because users trust encryption to provide complete protection, making them less vigilant about protecting account credentials and verification codes.

Journalists and Sources Face Exposure

Compromised journalist accounts expose confidential sources who communicate through Signal believing their identities remain protected by encryption. According to Citizen Lab researcher John Scott-Railton, who first publicly reported the campaign in October 2025, the attacks represent a sophisticated social engineering operation targeting high-value individuals. For activists and government officials, compromised accounts reveal political networks, contacts, and operational communications accumulated since account takeover. The campaign remains highly active as of March 2026, spreading through stolen address book entries from previous victims. German intelligence notes users rarely check linked device settings, creating a significant security gap that attackers exploit. This vulnerability threatens the operational security of conservative networks, government officials, and anyone communicating sensitive information.

Protecting Your Account From Foreign Intelligence

Security experts emphasize that encryption provides no protection once attackers gain account access through social engineering. Users must verify linked devices regularly in Signal and WhatsApp settings, never share verification codes or PINs with anyone claiming to represent platform support, and remain suspicious of unexpected messages requesting security information. The campaign demonstrates that account security mechanisms—verification codes, PINs, and linked devices—represent the actual vulnerability rather than encryption protocols. Intelligence agencies recommend implementing additional security measures including registration lock features and scrutinizing all device-linking requests. For government officials, military personnel, journalists, and activists, these basic security practices become essential defenses against state-sponsored intelligence operations. The threat extends beyond high-value targets as attackers harvest contact lists, potentially compromising everyday users connected to initial victims through address book theft.