Suspected Russian phishing via Signal targeted German officials, exploiting trust to access accounts and sensitive political communications.

A new wave of cyber operations targeting European political leadership is once again highlighting how modern espionage increasingly relies on deception rather than technical exploits. Recent investigations by German authorities point to a large-scale phishing campaign conducted via the Signal messaging platform, with strong suspicions of Russian involvement.

According to multiple reports [1, 2, 3], the campaign targeted high-profile individuals, including German politicians, ministers, military personnel, diplomats, and journalists. German prosecutors have launched an investigation into what they believe may be a coordinated espionage effort, with early evidence suggesting a state-sponsored actor.

The attack did not rely on malware or vulnerabilities in Signal itself. Instead, it exploited human trust—arguably the weakest link in cybersecurity. Victims were approached through messages impersonating official Signal support or trusted contacts, prompting them to share authentication codes, scan malicious QR codes, or click on crafted links. Once compromised, attackers gained access to private chats, contact lists, and potentially sensitive political discussions.

One of the most notable targets was Julia Klöckner, whose account was reportedly compromised through a phishing attempt embedded in what appeared to be a legitimate group chat linked to her political party. The operation also attempted to target German Chancellor Friedrich Merz, although no compromise was confirmed in that case.

Authorities estimate that hundreds of accounts may have been affected. While Berlin has not formally attributed the campaign, intelligence sources increasingly point toward Russian involvement, consistent with a broader pattern of cyber activities aimed at European democracies.

“The German government suspects Russia is behind a series of phishing attacks on Signal targeting high-ranking politicians, including two government ministers, military personnel and journalists, a government spokesperson said.

“Federal prosecutors have been conducting a preliminary investigation since mid-February 2026 into alleged cyberattacks on Signal accounts, a spokesperson for the federal prosecutors confirmed on Saturday. Among other things, the investigation involves an initial suspicion of espionage, she added, without specifying which country might be involved.” reads the report published by the Associated Press.

“The German government has still not officially attributed the attacks to Russia.”

This incident is not isolated. Over the past decade, Western intelligence agencies have repeatedly linked Russian state-backed groups to cyber espionage and influence operations targeting political institutions. These activities are part of a broader strategy often described as “hybrid warfare,” where cyber operations, disinformation, and psychological tactics are combined to achieve geopolitical objectives without direct military confrontation.

Security experts stress that what makes this campaign particularly concerning is its simplicity and effectiveness. Instead of exploiting software flaws, attackers leveraged legitimate platform features and social engineering techniques. This approach allows them to bypass many traditional security controls and remain largely undetected.

We are witnessing a new phase of hybrid warfare, where attackers don’t need to break encryption—they just trick the user. The human factor has become the primary attack surface.”

Targeting secure messaging platforms like Signal demonstrates how threat actors adapt quickly to changing communication habits. When politicians and officials move to more secure platforms, adversaries follow them. The battlefield is no longer the infrastructure, but the user.”

Another critical aspect is the potential impact. Access to private conversations between political leaders, policymakers, and diplomats can provide strategic intelligence, enable blackmail, or support disinformation campaigns. Even limited breaches can undermine trust in secure communication tools and institutions.

German authorities, including the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI), have already issued warnings about similar tactics earlier this year. They highlighted that such campaigns are likely ongoing and could expand to other platforms like WhatsApp or Telegram.

The broader implication is clear: cybersecurity is no longer just a technical issue but a geopolitical one. As digital communication becomes central to governance, diplomacy, and decision-making, it also becomes a primary target for intelligence operations.

This campaign serves as a reminder that even the most secure technologies cannot protect against deception if users are not adequately trained and aware. In today’s threat landscape, resilience depends not only on encryption and infrastructure but also on human vigilance.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – German officials, Bundestag)

Germany’s Bundestag President Klöckner was targeted in a Signal phishing attack via a fake CDU group chat.

Germany’s Bundestag President Julia Klöckner has reportedly become the latest European political figure targeted through a Signal-based phishing attack, reported Der Spiegel. The incident is another reminder that even trusted messaging apps can become entry points when attackers go after the person, not the platform.

The attack targeted Klöckner’s phone through a Signal group chat linked to CDU officials. Chancellor Friedrich Merz was reportedly included but not compromised, and at least one other CDU lawmaker was also affected.

“Chancellor Friedrich Merz is also part of the group, although German domestic intelligence reportedly found no evidence his phone had been compromised. Der Spiegel also reported that at least one other CDU lawmaker was affected.” reported Politico.

What makes this case notable is not just the target, but the method. Attackers did not need to break Signal’s encryption. Instead, they appear to have used a phishing-style technique to trick users into revealing sensitive information, including PIN codes. That is a classic example of how cybercriminals often bypass strong technology by exploiting human trust.

The timing is also important. European cybersecurity and intelligence agencies had already warned earlier this month about a campaign in which attackers posed as a fake Signal support chatbot. The goal was simple: lure users into handing over authentication details. Germany’s domestic intelligence service had issued a similar warning in February, which shows that the threat was already known before this incident surfaced.

This matters because Signal has long been viewed as a secure communications tool. The European Commission has recommended since 2020 that officials use it for non-work communication. But secure design does not protect against account takeover, social engineering, or device compromise. If an attacker can get access to the phone number, the verification code, or the PIN, the app’s underlying security can be undermined.

The broader lesson is that messaging apps are only one layer of protection. Security now depends on the entire chain: the device, the account, the recovery process, and the user’s ability to spot deception. A secure app can still be weakened by weak endpoint hygiene, reused credentials, or a convincing fake support message.

For public officials, the risks are even higher. Their communications can expose political strategy, internal discussions, and personal details that attackers can later use for fraud, espionage, or influence operations. That makes identity protection and device hardening just as important as encryption.

Organizations and public bodies should treat this as a warning for their own staff. Any app used for sensitive communication should be backed by strong mobile security controls, phishing awareness, and rapid incident response procedures. Staff should be trained to ignore unsolicited support messages, verify any request through a separate trusted channel, and report suspicious account activity immediately.

There is also a governance issue here. If officials are encouraged to use secure consumer apps for private communication, those apps need to be protected by clear policies on device enrollment, PIN management, and recovery settings. Otherwise, the security benefit is only partial.

The key point is simple: modern attacks often succeed by attacking trust, not encryption. This case shows how a well-designed app can still become part of a compromise when users are deceived into giving away access. For governments and enterprises alike, the answer is not to abandon secure messaging, but to pair it with stronger identity controls, better training, and faster detection of phishing attempts.

In March, a cyberattack targeting Signal and WhatsApp users hit high-ranking German officials, including former BND Vice President Arndt Freytag von Loringhoven. The official reported being contacted by someone posing as Signal support and asked for his PIN. This incident highlights a broader cyber espionage campaign against sensitive individuals in security agencies and political positions.

“He is far from the only prominent victim of the global wave of attacks against user accounts at Signal and WhatsApp. According to SPIEGEL, high-ranking German politicians have reported themselves to the authorities as victims, and active officials in security agencies have also been attacked.” reads the report published by SPIEGEL. Back in February, the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) classified the attack as “security-relevant” and urged those affected to come forward. The BfV stated that this warning met with a “high response” and that they believe it prevented even worse damage.”

German authorities warned Signal users to check for suspicious signs, such as unknown devices listed under “paired devices” or unexpected prompts to re-register accounts.

In the case of former BND official Arndt Freytag von Loringhoven, attackers used his compromised account to send a malicious link to contacts. He quickly warned them not to open it and deleted his account. Investigators believe the incident is part of ongoing hybrid campaigns linked to Russia. Given Loringhoven’s work on Russian hybrid warfare and his book Putin’s Attack on Germany, he was likely considered a high-value target.

Signal warned that the attacks rely on social engineering, with attackers posing as trusted contacts or fake support services to trick users into sharing verification codes or PINs. The company stressed it will never ask for these details via messages or social media and urged users to stay vigilant and never share login codes.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Bundestag)

Apple fixed an iOS flaw that kept deleted notifications on devices, allowing recovery of messages, including from apps like Signal.

Apple released updates for iOS and iPadOS to address the vulnerability CVE-2026-28950, a flaw in Notification Services that stored notifications even after deletion. This logging issue could allow recovery of sensitive data, including messages from apps like Signal. The company resolved it by improving how data is redacted and handled on devices.

The recent revelations about FBI forensic access to Signal messages on an iPhone have reignited a long-standing misunderstanding about mobile privacy: the belief that disappearing messages and encrypted apps guarantee that no trace of communication remains once a message is deleted or an app is removed. A court case in Texas, reported by 404 Media and later analyzed by multiple security researchers, shows why that assumption does not match how modern smartphones actually work.

“The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database, multiple people present for FBI testimony in a recent trial told 404 Media. The case involved a group of people setting off fireworks and vandalizing property at the ICE Prairieland Detention Facility in Alvarado, Texas in July, and one shooting a police officer in the neck.” reads the post published by 404 Media. “The news shows how forensic extraction—when someone has physical access to a device and is able to run specialized software on it—can yield sensitive data derived from secure messaging apps in unexpected places.”

Investigators were able to recover incoming messages from a suspect’s iPhone even after Signal had been uninstalled, even though the messages were configured to disappear after a short time. The FBI did not break Signal’s encryption, nor did they exploit any vulnerability in its protocol. Instead, the data was retrieved from a completely different layer of the system: Apple’s own notification storage.

Court testimony reveals that only incoming iPhone messages were recovered, not outgoing ones. This is key because incoming messages are processed by Apple’s push notification system, temporarily stored for lock screen/notification previews, and may leave OS traces even if deleted from the app. Outgoing messages lack this notification trail, explaining the investigators’ limitation.

Users misunderstand what “deleting” or “disappearing” actually means, instant messaging apps like Signal encrypt in transit and delete from their interface per timer, but once delivered, messages decrypt on the recipient’s device for display. The OS may then cache notification content independently, outside Signal’s control.

“There is an important detail to keep in mind here: only incoming messages were recovered, not outgoing ones. This is entirely consistent with how push notifications work.” reads an analysis published by researcher Andrea Fortuna. “When someone sends you a message on Signal, the app server pushes a notification to Apple’s infrastructure, which then delivers it to your device. If the notification content was not stripped before delivery, the text lands in the operating system’s notification database. Outgoing messages, which originate directly from your device to the server, never go through this pathway and therefore leave no equivalent trace.”

Apple’s Push Notification service routes encrypted messages to devices via secure tokens. Payloads with visible alerts (if previews enabled) are decrypted locally but rendered by iOS, which caches notification data for history/reboot recovery. iOS databases persist fragments even after app deletion, enabling forensic recovery of past notifications despite end-to-end encryption.

According to Apple, the issue impacts the following devices:

• iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later.
• iPhone XR, iPhone XS, iPhone XS Max, iPhone 11 (all models), iPhone SE (2nd generation), iPhone 12 (all models), iPhone 13 (all models), iPhone SE (3rd generation), iPhone 14 (all models), iPhone 15 (all models), iPhone 16 (all models), iPhone 16e, iPad mini (5th generation – A17 Pro), iPad (7th generation – A16), iPad Air (3rd – 5th generation), iPad Air 11-inch (M2 – M3), iPad Air 13-inch (M2 – M3), iPad Pro 11-inch (1st generation – M4), iPad Pro 12.9-inch (3rd – 6th generation), and iPad Pro 13-inch (M4).

iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8, and iPadOS 18.7.8 releases address the flaw.

Signal welcomed Apple’s quick fix, noting that no user action is needed. After installing the update, any stored notifications are deleted and future ones won’t be retained.

“We are very happy that today Apple issued a patch and a security advisory. This comes following @404mediaco reporting that the FBI accessed Signal message notification content via iOS despite the app being deleted.”Signal wrote on X. “Note that no action is needed for this fix to protect Signal users on iOS. Once you install the patch, all inadvertently-preserved notifications will be deleted and no forthcoming notifications will be preserved for deleted applications,”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Signal)

Apple patched an iPhone notification bug that let deleted messages linger in system storage, closing a privacy gap exposed by an FBI Signal case.

The post Apple Fixes iPhone Bug After FBI Retrieved Signal Messages appeared first on TechRepublic.

A vulnerability in iPhones and iPads allowed law enforcement to recover deleted notifications, including Signal message previews.

The post Apple fixes iOS bug that kept deleted notifications, including chat previews appeared first on Security Boulevard.

Apple has released a software update that deals with an issue that could allow deleted notifications to be retrieved. Something that, in at least one reported case, was used by law enforcement during forensic analysis.

Apple fixed the issue in iOS and iPadOS versions 18.7.8 and 26.4.2 (check availability for your device at those links). The update deals with a singular security vulnerability, tracked as CVE-2026-28950.

Although the description is brief—“a logging issue was addressed with improved data redaction”—the impact points us in the right direction.

“Notifications marked for deletion could be unexpectedly retained on the device.”

This suggests that Apple’s bug was that iOS kept copies of notification content in an internal database for longer than intended, even after the messages “disappeared” or the app was uninstalled. In a case reported by 404 Media, law enforcement was able to recover those notifications using standard forensic tools once they had access to the unlocked device. The example in that reported case involved Signal.

Mobile protection, anywhere, anytime.

TRY IT NOW

A response on X by Signal states:

“The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database.”

Before we go into the update process, you may want to know that you can mute or hide notifications in Signal, which also protects them from prying eyes. In Signal, open your Settings and tap on Notifications. You can adjust several settings there. For example, I have mine set so I only see the name of the sender.

Install the update

For iOS and iPadOS users, you can check if you’re using the latest software version by going to Settings > General > Software Update. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

Scammers know more about you than you think. 

Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in. 

Download for iOS → Download for Android → 

404 Media reports (alternate site):

The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database….

The news shows how forensic extraction—­when someone has physical access to a device and is able to run specialized software on it—­can yield sensitive data derived from secure messaging apps in unexpected places. Signal already has a setting that blocks message content from displaying in push notifications; the case highlights why such a feature might be important for some users to turn on.

“We learned that specifically on iPhones, if one’s settings in the Signal app allow for message notifications and previews to show up on the lock screen, [then] the iPhone will internally store those notifications/message previews in the internal memory of the device,” a supporter of the defendants who was taking notes during the trial told 404 Media.

EDITED TO ADD (4/24): Apple has patched this vulnerability.

An FBI case in Texas shows Signal messages can still be recovered from iPhones even after app uninstall, via system artifacts, challenging privacy assumptions.

The recent revelations about FBI forensic access to Signal messages on an iPhone have reignited a long-standing misunderstanding about mobile privacy: the belief that disappearing messages and encrypted apps guarantee that no trace of communication remains once a message is deleted or an app is removed. A court case in Texas, reported by 404 Media and later analyzed by multiple security researchers, shows why that assumption does not match how modern smartphones actually work.

“The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database, multiple people present for FBI testimony in a recent trial told 404 Media. The case involved a group of people setting off fireworks and vandalizing property at the ICE Prairieland Detention Facility in Alvarado, Texas in July, and one shooting a police officer in the neck.” reads the post published by 404 Media. “The news shows how forensic extraction—when someone has physical access to a device and is able to run specialized software on it—can yield sensitive data derived from secure messaging apps in unexpected places.”

Investigators were able to recover incoming messages from a suspect’s iPhone even after Signal had been uninstalled and even though the messages themselves were configured to disappear after a short time. The FBI did not break Signal’s encryption, nor did they exploit any vulnerability in its protocol. Instead, the data was retrieved from a completely different layer of the system: Apple’s own notification storage.

Court testimony reveals that only incoming iPhone messages were recovered, not outgoing ones. This is key because incoming messages are processed by Apple’s push notification system, temporarily stored for lock screen/notification previews, and may leave OS traces even if deleted from the app. Outgoing messages lack this notification trail, explaining the investigators’ limitation.

Users misunderstand what “deleting” or “disappearing” actually means, instant messaging apps like Signal encrypt in transit and delete from their interface per timer, but once delivered, messages decrypt on the recipient’s device for display. The OS may then cache notification content independently, outside Signal’s control.

“There is an important detail to keep in mind here: only incoming messages were recovered, not outgoing ones. This is entirely consistent with how push notifications work.” reads an analysis published by researcher Andrea Fortuna. “When someone sends you a message on Signal, the app server pushes a notification to Apple’s infrastructure, which then delivers it to your device. If the notification content was not stripped before delivery, the text lands in the operating system’s notification database. Outgoing messages, which originate directly from your device to the server, never go through this pathway and therefore leave no equivalent trace.”

Apple’s Push Notification service routes encrypted messages to devices via secure tokens. Payloads with visible alerts (if previews enabled) are decrypted locally but rendered by iOS, which caches notification data for history/reboot recovery. iOS databases persist fragments even after app deletion, enabling forensic recovery of past notifications despite end-to-end encryption.

Security researchers and forensic analysts have long known that iOS maintains structured databases for notifications, often associated with system frameworks that track alerts and user interactions. These databases can persist even after an app is removed. In practice, this means that uninstalling Signal does not necessarily erase all traces of messages that once appeared on the screen. Instead, fragments of those messages can remain embedded in system-level storage designed for convenience features like notification history.

Forensic tools extract data from full filesystem images, backups, or unlocked snapshots. They analyze OS-decrypted data like system databases, cached files, and notification content, not breaking encryption, but accessing what iOS already decrypted/stored for usability.

In the Texas case, the FBI likely recovered Signal message remnants not by breaking encryption, but through iOS forensic artifacts stored on the device. Fortuna explained that one plausible route is a logical acquisition after the phone had been unlocked at least once (AFU state), followed by analysis of an encrypted iTunes backup, which can contain rich system and app data, including notification databases. Tools such as idevicebackup2 can extract backups without modifying the device.

Another possibility is the use of commercial forensic suites like Cellebrite UFED or Magnet AXIOM, which combine backup extraction, AFC-based logical access, and sometimes exploit-based methods to retrieve deeper iOS artifacts. These tools are widely used by law enforcement to access data not available through standard backups.

A third scenario involves iCloud backups, which—when legally obtained—may also include similar system-level data. Across all methods, the key point is that iOS preserves many artifacts beyond what users see. As a result, “deleted” or “uninstalled” does not necessarily mean unrecoverable in forensic contexts.

In the Texas case, the FBI reportedly retrieved evidence from Apple’s internal notification storage rather than from Signal itself. Once an iPhone is unlocked after reboot (“after first unlock”), more encrypted system data becomes accessible through standard forensic methods, including notification databases. This reveals a gap between user assumptions and system behavior.

Many people believe disappearing messages or app deletion means complete erasure. In reality, mobile operating systems retain data such as notification history, caches, logs, and predictive text for usability and performance, and these artifacts can persist beyond app removal.

Signal’s encryption remains intact; the issue lies in the operating system, which can store message content independently.

Reducing risk is possible by disabling notification previews or using “content hidden” modes, preventing readable message text from being stored on the device.

The FBI case highlights that digital privacy is layered. Encryption protects data in transit, but not always data at rest. Messaging apps can delete messages from their own systems, but they cannot fully control how operating systems store notifications or system-level data.

Even secure apps like Signal or WhatsApp operate within ecosystems designed for usability and persistence, not perfect data erasure. As a result, messages may vanish from the screen but still leave traces on the device.

The key lesson is that disappearance in an app does not guarantee disappearance from the phone. Smartphones inevitably retain system-level data, creating layers of information that persist beyond the user’s view.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Signal)

In a Public Service Announcement (PSA) the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warn the public about ongoing Russian-linked phishing campaigns that aim to gain access to messaging accounts.

Earlier this month we wrote about a large‑scale phishing campaign aimed at hijacking Signal and WhatsApp accounts belonging to senior officials, military personnel, civil servants, and journalists.

Now the FBI and CISA have joined European intelligence services in warning that the same tactics are being used in a broader campaign targeting these commercial messaging apps. The goal is not to break end‑to‑end encryption, but to walk straight around it by stealing access to individual accounts.

In our previous article, we focused on warnings from the Dutch intelligence services AIVD and MIVD, which described how Russian state‑backed actors approached high‑value targets via Signal and WhatsApp, posing as “Signal Support”, “Signal Security Bot”, or similar. The PSA demonstrates how the same groups are now running global phishing campaigns against messaging app accounts, with evidence suggesting thousands of compromised accounts worldwide.

It’s important to reiterate that the attackers have not managed to break the apps’ end-to-end encryption. Instead, they are relying on social engineering to get a device added so they can eavesdrop on accounts.

The current targets include current and former US government officials, military staff, political figures, and journalists, but there is nothing to stop the same techniques being reused against businesses and everyday users.

So, while it’s tempting to dismiss this as a problem for diplomats and generals (and the agencies issuing these alerts do mention high‑profile targets first), the techniques scale very easily. Once playbooks like these are public, they tend to be copied by cybercriminals looking for new ways to steal money or accounts.

How to protect your accounts

As the PSA puts it:

“Phishing remains one of the most unsophisticated, yet effective means of cyber compromise, often rendering other protections irrelevant”

This calls asks for basic security measures:

• Treat unsolicited messages from “Support” inside apps as suspicious by default. Legitimate support for apps like Signal and WhatsApp does not ask you, in a chat message, to send back verification codes, PINs, or passwords.​ If you receive a warning about account problems, do not follow links in the message. Open the app’s settings directly or visit the official website through other means.
• Never share SMS verification codes or app PINs. SMS codes are there to prove that you control a phone number. Anyone who has the code can pretend to be you. App‑specific PINs or passcodes are there to protect account changes. Giving them away is like handing over the keys to your account. Consider anyone asking for them to be a scammer.
• Be careful what you discuss and with whom. Both the Dutch and US advisories remind us that even with end‑to‑end encryption, some conversations are too sensitive for commercial chat apps.
• Use the extra security features these apps offer. Enable options like registration lock, registration PIN and device‑change alerts so that your account cannot be silently re‑registered without an extra secret. Store your PIN in a password manager instead of choosing something easy to guess or reusing a common code, to reduce the chance of social engineering or shoulder‑surfing.
• Another useful feature is disappearing messages. Short‑timer and disappearing messages reduce how much content is available if an attacker gets into a chat later, or if someone obtains long‑term access to a device or backup. They are not a complete solution, but they can limit the damage.

What to do if you think your account was hijacked

If you suspect an attacker has taken over your messaging account:

1. Try to re‑register your number in the app immediately to kick out other devices.
2. Revoke all linked devices and change any app‑specific PINs or lock codes.
3. Warn your contacts that someone may have impersonated you and ask them to treat recent messages with caution.
4. Review recent conversations for signs of data theft (for example, shared IDs, documents, or passwords that should now be considered exposed).
5. Report the incident to the app provider and, where appropriate, to national reporting centers such as the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov or the relevant authority in your country.​

The sooner you act, the smaller the window in which attackers can exploit your account.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Russia-linked actors target WhatsApp and Signal accounts of officials and journalists via phishing, gaining access to messages and contacts.

Threat actors linked to Russian Intelligence Services are running phishing campaigns to hijack high-value accounts on messaging apps like WhatsApp and Signal, the FBI warns.

“The FBI has identified cyber actors associated with Russian Intelligence Services targeting users of commercial messaging applications, including Signal.” FBI Director Kash Patel wrote on X. “The campaign targets individuals of high intelligence value, including current and former U.S. government officials, military personnel, political figures, and journalists.”

Targets include government officials, military personnel, politicians, and journalists. The attackers do not break app encryption but instead use phishing to gain account access. The attacks have already compromised thousands of accounts worldwide. Once inside, attackers can read messages, access contacts, impersonate victims, and launch further phishing using trusted identities.

Attackers especially target Signal but use similar tactics across other platforms. Users who strengthen their security and stay alert to social engineering attempts can reduce the risk and limit the impact of these attacks.

Russia-linked actors pose as messaging app support accounts and send phishing messages tailored to trick targets. They push users to click links or share verification codes or PINs. When victims comply, attackers gain access by linking their own device or taking over the account entirely. As the campaign evolves, they may also deploy malware to further compromise victims.

“If the user performs any of the requested actions, they unwittingly provide the actors with unauthorized access to their account either by adding the attacker’s device as a linked device or through a full account takeover.” reads a joint Public Service Announcement (PSA) published by CISA and the Federal Bureau of Investigation. “As the campaign evolves, actors may use additional techniques, such as malware to infect the victim.”

Phishing remains a simple but highly effective way to compromise accounts, bypassing protections like end-to-end encryption by targeting users directly. Attackers trick victims into sharing codes or clicking malicious links, gaining full account access.

Users should stay alert: pause if something feels off, never share PINs or 2FA codes, and treat unexpected messages with suspicion, even from known contacts. Always check links before clicking, verify group members, and use built-in security features.

Report suspicious activity quickly to security teams or authorities. Remember, legitimate app support will never ask for codes or send links to “verify” accounts, always use official channels.

Recently, Dutch intelligence agencies (MIVD and AIVD) also warned of a global campaign by Russia-linked threat actors aiming to compromise Signal and WhatsApp accounts. The operation targets government officials, civil servants, and military personnel, highlighting growing cyber risks to sensitive communications among national security actors.

Russian cyber spies are tricking users into revealing verification codes to hijack Signal and WhatsApp accounts. They impersonate Signal Support or exploit the “linked devices” feature, gaining access to messages and chat groups, potentially exposing sensitive information from government and military targets.

Dutch intelligence warned that Russia targets Signal for its strong end-to-end encryption, aiming to access sensitive government communications. Officials stressed that apps like Signal and WhatsApp should not be used for classified or confidential information.

The government experts pointed out that attackers don’t exploit app vulnerabilities but abuse legitimate features of Signal and WhatsApp. Only individual accounts are targeted, not the platforms themselves, officials say.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, WhatsApp, Signal)

Former BND VP Arndt Freytag von Loringhoven was targeted in a Signal cyberattack, part of a wave hitting officials and politicians in Germany.

A cyberattack targeting Signal and WhatsApp users has hit high-ranking German officials, including former BND Vice President Arndt Freytag von Loringhoven. The official reported being contacted by someone posing as Signal support and asked for his PIN. This incident highlights a broader cyber espionage campaign against sensitive individuals in security agencies and political positions.

“He is far from the only prominent victim of the global wave of attacks against user accounts at Signal and WhatsApp. According to SPIEGEL, high-ranking German politicians have reported themselves to the authorities as victims, and active officials in security agencies have also been attacked.” reads the report published by SPIEGEL. Back in February, the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) classified the attack as “security-relevant” and urged those affected to come forward. The BfV stated that this warning met with a “high response” and that they believe it prevented even worse damage.”

German authorities warned Signal users to check for suspicious signs, such as unknown devices listed under “paired devices” or unexpected prompts to re-register accounts.

In the case of former BND official Arndt Freytag von Loringhoven, attackers used his compromised account to send a malicious link to contacts. He quickly warned them not to open it and deleted his account. Investigators believe the incident is part of ongoing hybrid campaigns linked to Russia. Given Loringhoven’s work on Russian hybrid warfare and his book Putin’s Attack on Germany, he was likely considered a high-value target.

“Signal said the recent incidents were targeted phishing attacks that allowed attackers to hijack accounts of officials and journalists. The company stressed that its encryption and infrastructure were not compromised and remain secure.” Signal wrote on X. “We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously. To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust.”

Signal warned that the attacks rely on social engineering, with attackers posing as trusted contacts or fake support services to trick users into sharing verification codes or PINs. The company stressed it will never ask for these details via messages or social media and urged users to stay vigilant and never share login codes.

In early March, Dutch intelligence agencies (MIVD and AIVD) warned of a global campaign by Russia-linked threat actors aiming to compromise Signal and WhatsApp accounts. The operation targets government officials, civil servants, and military personnel, highlighting growing cyber risks to sensitive communications among national security actors.

“Russian state hackers are engaged in a large-scale global cyber campaign to gain access to Signal and WhatsApp accounts belonging to dignitaries, military personnel and civil servants. The Dutch intelligence and security services MIVD and AIVD can confirm that targets and victims of the campaign include Dutch government employees.” reads the alert by Dutch intelligence agencies. “The Dutch services also believe that other persons of interest to the Russian government, such as journalists, may possibly be targeted by this campaign.”

Russian cyber spies are tricking users into revealing verification codes to hijack Signal and WhatsApp accounts. They impersonate Signal Support or exploit the “linked devices” feature, gaining access to messages and chat groups, potentially exposing sensitive information from government and military targets.

Dutch intelligence warned that Russia targets Signal for its strong end-to-end encryption, aiming to access sensitive government communications. Officials stress that apps like Signal and WhatsApp should not be used for classified or confidential information.

The government experts pointed out that attackers don’t exploit app vulnerabilities but abuse legitimate features of Signal and WhatsApp. Only individual accounts are targeted, not the platforms themselves, officials say.

Dutch intelligence agencies recommend Signal users to carefully monitor their group chats for signs of compromised accounts. If a contact appears twice under the same or slightly altered name, this may indicate a compromised account or a victim-created account. Users should report suspicious cases to their organization’s information security team and verify the accounts through alternative channels such as email or phone. Group administrators should remove any unauthorized accounts, after which legitimate members can rejoin. Actor-controlled accounts may change display names, e.g., to “Deleted account,” or join via a shared Group Link, triggering notifications. Users should remain vigilant for unfamiliar members and unusual account behavior. If there is any suspicion that the group administrator has been compromised, it is recommended to leave the chat group and create a new one to ensure the security and integrity of communications within the group.

In February 2025, Google Threat Intelligence Group (GTIG) researchers warned of multiple Russia-linked threat actors targeting Signal Messenger accounts used by individuals of interest to Russian intelligence. The experts speculated that the tactics, techniques, and procedures used to target Signal will be prevalent in the near term, and they will also be employed in regions outside Ukraine.

Russian hackers exploited Signal’s “linked devices” feature, they used specially crafted QR codes to link victims’ accounts to attacker-controlled devices, and then spy on them.

“The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app’s legitimate “linked devices” feature that enables Signal to be used on multiple devices concurrently. Because linking an additional device typically requires scanning a quick-response (QR) code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim’s account to an actor-controlled Signal instance.” reads the report published by GTIG. “If successful, future messages will be delivered synchronously to both the victim and the threat actor in real-time, providing a persistent means to eavesdrop on the victim’s secure conversations without the need for full-device compromise.”

Researchers also reported that Russian and Belarus-linked threat actors were able to steal Signal database files from Android and Windows devices using scripts, malware, and command-line tools for data exfiltration.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, intelligence)

Russia-linked hackers are targeting Signal and WhatsApp accounts of government and military officials worldwide, warns Dutch intelligence.

Dutch intelligence agencies (MIVD and AIVD) warn of a global campaign by Russia-linked threat actors aiming to compromise Signal and WhatsApp accounts. The operation targets government officials, civil servants, and military personnel, highlighting growing cyber risks to sensitive communications among national security actors.

“Russian state hackers are engaged in a large-scale global cyber campaign to gain access to Signal and WhatsApp accounts belonging to dignitaries, military personnel and civil servants. The Dutch intelligence and security services MIVD and AIVD can confirm that targets and victims of the campaign include Dutch government employees.” reads the alert by Dutch intelligence agencies. “The Dutch services also believe that other persons of interest to the Russian government, such as journalists, may possibly be targeted by this campaign.”

Russian cyber spies are tricking users into revealing verification codes to hijack Signal and WhatsApp accounts. They impersonate Signal Support or exploit the “linked devices” feature, gaining access to messages and chat groups, potentially exposing sensitive information from government and military targets.

Dutch intelligence warns that Russia targets Signal for its strong end-to-end encryption, aiming to access sensitive government communications. Officials stress that apps like Signal and WhatsApp should not be used for classified or confidential information.

The government experts pointed out that attackers don’t exploit app vulnerabilities but abuse legitimate features of Signal and WhatsApp. Only individual accounts are targeted, not the platforms themselves, officials say.

Dutch intelligence agencies recommend Signal users to carefully monitor their group chats for signs of compromised accounts. If a contact appears twice under the same or slightly altered name, this may indicate a compromised account or a victim-created account. Users should report suspicious cases to their organization’s information security team and verify the accounts through alternative channels such as email or phone. Group administrators should remove any unauthorized accounts, after which legitimate members can rejoin. Actor-controlled accounts may change display names, e.g., to “Deleted account,” or join via a shared Group Link, triggering notifications. Users should remain vigilant for unfamiliar members and unusual account behavior. If there is any suspicion that the group administrator has been compromised, it is recommended to leave the chat group and create a new one to ensure the security and integrity of communications within the group.

“To increase resilience against this Russian campaign, MIVD and AIVD have published a Cyber Advisory explaining how to identify and respond to attacks. The advisory also give instructions for Signal users on how to identify potentially compromised contacts.” concludes the alert.

In February 2025, Google Threat Intelligence Group (GTIG) researchers warned of multiple Russia-linked threat actors targeting Signal Messenger accounts used by individuals of interest to Russian intelligence. The experts speculated that the tactics, techniques, and procedures used to target Signal will be prevalent in the near term, and they will also be employed in regions outside Ukraine.

Russian hackers exploited Signal’s “linked devices” feature, they used specially crafted QR codes to link victims’ accounts to attacker-controlled devices, and then spy on them.

“The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app’s legitimate “linked devices” feature that enables Signal to be used on multiple devices concurrently. Because linking an additional device typically requires scanning a quick-response (QR) code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim’s account to an actor-controlled Signal instance.” reads the report published by GTIG. “If successful, future messages will be delivered synchronously to both the victim and the threat actor in real-time, providing a persistent means to eavesdrop on the victim’s secure conversations without the need for full-device compromise.”

Russian hackers used malicious QR codes disguised as Signal resources to hijack accounts, targeting military apps and even linking captured devices to their servers.

In some phishing attacks, attackers frequently masked malicious QR codes as legitimate Signal resources, such as group invites, security alerts, or as legitimate device pairing instructions from the Signal website.

In some spear-phishing attacks, attackers embedded the QR codes in phishing pages crafted to appear as specialized applications used by the Ukrainian military.

APT44 (Sandworm) enables Russian forces to link captured Signal accounts to their servers, using battlefield devices for further exploitation.

The alleged Russia-linked cyberespionage group UNC5792 (which partially overlaps with a threat actor tracked as UAC-0195 by CERT-UA) was spotted modifying Signal group invites in phishing campaigns to trick recipients into linking their accounts to attacker-controlled devices.

Researchers also reported that Russian and Belarus-linked threat actors were able to steal Signal database files from Android and Windows devices using scripts, malware, and command-line tools fordata exfiltration.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Signal)

Dutch intelligence services AIVD and MIVD warn that Russian state‑backed hackers are running a large‑scale campaign to break into Signal and WhatsApp accounts of high‑value targets.

The targets are said to be senior officials, military personnel, civil servants, and journalists. The attackers are not breaking end‑to‑end encryption or exploiting a vulnerability in the apps themselves. Instead, they rely on proven phishing and social engineering methods to trick users into handing over verification codes and PINs, or to add a malicious “linked device” to their account.

Last year we reported on GhostPairing, a method that tricks the target into completing WhatsApp’s own device-pairing flow, silently adding the attacker’s browser as an invisible linked device to the account.

In the cases reported by the Dutch intelligence services, the attackers contacted victims on Signal or WhatsApp while posing as “Signal Security Support Chatbot”, “Signal Support” or a similar official‑sounding account.

The message typically warns about suspicious activity or a possible detected data leak and instructs the user to complete a verification step to avoid losing data or having their account blocked.

Victims are then asked to send back the SMS verification code they just received and/or their Signal PIN.

If the victim complies, the attacker can register the account on a device they control and effectively take it over, receiving new messages and sending messages as the victim.

In a second variant, attackers abuse the “linked devices” feature (Signal’s and WhatsApp’s desktop or other secondary device function). Targets are pushed to click a link or scan a QR code that silently links the attacker’s device to the victim’s account. The victim keeps access as normal, but the attacker can now read along in real time without obvious signs of compromise.

These attacks are not new, but deserve a renewed warning because they rely entirely on human behavior, and understanding how they work makes them easier to stop. The methods used are not technically sophisticated and they can easily be copied by non‑state actors or ordinary cybercriminals.

Because of the current Russian campaigns, AIVD and MIVD say that chat apps such as Signal and WhatsApp are unsuitable for sharing classified, confidential, or otherwise sensitive government information, even though they technically support end‑to‑end encryption.

How to keep your conversations confidential

One specific warning for the targeted users is to use designated apps for sensitive information. Despite dedicated secure systems being available to many of them, some resorted to apps they already knew—Signal and WhatsApp. And to be fair, these apps are safe if you follow a few basic rules:

How to prevent and detect compromised accounts

• Never share verification codes or PIN numbers. Your SMS verification code and PIN are only needed when you install or re‑register the app on a device. They are never legitimately requested in a chat. Any in‑app message, direct message (DM), email, or SMS asking you to send these codes back is a phishing attempt.
• Do not trust “support” accounts in chat. Signal explicitly states that Support will never contact you via in‑app messages, SMS, or social media to ask for your verification code or PIN. Treat any “Signal Support Bot”, “Security Chatbot” or similar as malicious, block and report it and then delete the conversation.
• Be cautious with links and QR codes in chat. Only scan QR codes or click device‑linking links when you yourself are in the app’s device‑linking menu and you initiated the process. If a message pushes you to “verify your device” or “secure your data” via a link or QR, assume it is part of this campaign.
• Regularly review linked devices and group memberships. In Signal and WhatsApp, check the list of linked devices and remove anything you do not recognize. Also keep an eye out for strange group participants or duplicate contacts (for example “deleted account” or a contact that appears twice), which Dutch intelligence services mention as possible signs of account compromise.
• Use built‑in hardening features. Enable options like registration lock, registration PIN and device‑change alerts so that your account cannot be silently re‑registered without an extra secret. Store your PIN in a password manager instead of choosing something easy to guess or reusing a common code, to reduce the chance of social engineering or shoulder‑surfing.

Use disappearing messages

Both Signal and WhatsApp support disappearing messages, and using them can meaningfully limit the impact of account compromise or device access (though they don’t prevent it completely).

Short‑timer and disappearing messages reduce how much content is available if an attacker gets into a chat later, or if someone obtains long‑term access to a device or backup. They are not a complete solution, but they can limit the damage.

Signal lets you set a per‑chat timer so that all new messages in that conversation auto‑delete from all devices after the chosen period.​ You can enable it for 1:1 or group chats and choose from various durations (seconds to weeks), and either party can see it is enabled and change the timer.​

WhatsApp also supports disappearing messages with timers per chat (and a default option for new chats). Messages can auto-delete after periods such as 24 hours, 7 days, or 90 days, and newer builds include shorter options like 1 or 12 hours.

You turn it on in the chat info under “Disappearing messages,” then pick the desired timer; only messages sent after enabling it are affected.

For particularly sensitive media or voice messages, WhatsApp also offers “view once”  photos, voice messages, and videos that can only be opened a single time before disappearing from the chat.

Enable multi-factor authentication

We’ve written a complete guide on setting up two-step verification on WhatsApp.

To set up two-factor authentication (2FA) on Signal, enable the Registration Lock feature, which requires your set PIN to log in on a new device. Open Signal, go to Settings > Privacy > Registration Lock and turn it on. This ensures that even if someone steals your SIM, they cannot access your account without your personal PIN.

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.