Russian government–linked hackers are hijacking Signal and WhatsApp accounts in a sweeping global operation aimed at government and military officials as well as journalists, according to a new warning from the Netherlands’ Defence Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD).

Dutch Intelligence Flags Large-Scale Campaign

The Dutch services describe a coordinated, “large-scale” effort relying on phishing and social engineering rather than device malware. The goal is simple and effective: trick targets into handing over one-time SMS verification codes and security PINs, then re-register their messaging accounts on attacker-controlled devices to impersonate the victim and harvest sensitive contacts and conversations.

While attribution stops at “Russian state actors,” the tradecraft mirrors familiar techniques used by units historically tied to Moscow during operations against Ukraine and NATO-aligned institutions. European cybersecurity bodies, including ENISA in its Threat Landscape reports, have repeatedly ranked phishing as the top initial-access vector—underscoring why even highly secure apps are vulnerable when identity checks are subverted.

How the account takeovers on Signal and WhatsApp work

On Signal, attackers pose as “Signal Support” and message targets directly with urgent claims of suspicious activity, a possible leak, or privacy risks. The ruse culminates in requests for the victim’s SMS login code—generated when the attacker initiates a new registration—and the Signal PIN (used by registration lock). With both, the adversary binds the victim’s number to a new device and locks out the real owner.

That lockout can be deceptively quiet. Because Signal stores chat history locally, a victim who re-registers may see old conversations and assume nothing happened. Dutch analysts caution that the account may have been controlled by an impostor in the interim and contacts could have been messaged under the victim’s name.

The campaign also abuses QR codes and deep links. A malicious QR or invite link framed as “join a group” can instead authorize device linking or registration steps in the background, effectively adding the attacker’s device to the victim’s account.
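A defensive check for the QR and deep-link lure described above, added here as an illustration and not taken from the Dutch advisory or from Signal's code. It assumes Signal's publicly known link forms, which the article does not spell out: `sgnl://linkdevice?uuid=…&pub_key=…` for device linking and `https://signal.group/#…` for group invites. The sample payloads and the function names are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed samples: (what the message claims, what the QR/link decodes to).
SAMPLES = [
    ("Join our press group", "https://signal.group/#CONSTRUCTED-INVITE"),
    ("Join our press group",
     "sgnl://linkdevice?uuid=00000000-0000-0000-0000-000000000000&pub_key=CONSTRUCTED"),
    ("Join our press group", "SGNL://LinkDevice?uuid=x&pub_key=y"),
    ("Confirm your account", "https://signal-group.example/#CONSTRUCTED"),
]


def classify_payload(payload: str) -> str:
    """Name the action a decoded QR code or tapped link would trigger."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme == "sgnl" and host == "linkdevice":
        params = parse_qs(parts.query)
        # A complete linking request carries a device id and a public key.
        if "uuid" in params and "pub_key" in params:
            return "DEVICE_LINK"
        return "DEVICE_LINK_INCOMPLETE"
    if scheme == "https" and host == "signal.group" and parts.fragment:
        return "GROUP_INVITE"
    return "UNRECOGNISED"


def review(claim: str, payload: str) -> str:
    """Compare the lure text with what the payload really does."""
    action = classify_payload(payload)
    if action.startswith("DEVICE_LINK"):
        return f"BLOCK: '{claim}' would link a new device to the account"
    if action == "GROUP_INVITE":
        return "ALLOW: well-formed group invite, still confirm the sender"
    # Lookalike domains and anything else get verified out of band.
    return "VERIFY: destination is not a known Signal link"


def triage(samples):
    """Review every (claim, payload) pair and return the verdict strings."""
    return [review(claim, payload) for claim, payload in samples]


if __name__ == "__main__":
    for line in triage(SAMPLES):
        print(line)
```

The verdict depends only on the decoded payload, never on the text around it, which is the point of the lure: the caption says "group" while the payload says "link device".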

How attackers abuse WhatsApp’s linked devices feature

On WhatsApp, the attackers lean on the “Linked devices” feature—legitimate functionality that mirrors messages to secondary devices. If a target scans a QR code or approves a prompt under false pretenses, the adversary can quietly mirror chats. Unlike Signal’s model, Dutch officials warn that WhatsApp’s linking can expose portions of past messages, and victims may remain logged in, masking the intrusion.

A Meta spokesperson has reiterated WhatsApp’s long-standing advice: never share the six-digit verification code, scrutinize unexpected messages urging you to link devices, and review the Linked Devices section to revoke unknown sessions. Signal, which does not provide in-app support, has separately reminded users to treat any “support” message in chats as fraudulent and to keep SMS codes and PINs private.

Why Encrypted Apps Are In The Crosshairs

End-to-end encryption remains robust against interception. That is precisely why state actors increasingly attack identities and session management instead of the cryptography. By seizing an account during registration or device linking, an adversary sidesteps encryption and sees data exactly as the user would. This identity-first strategy has been observed across multiple Russian-attributed campaigns, particularly against officials, NGOs, and newsrooms connected to the war in Ukraine.

For high-value targets, the consequences extend beyond privacy. Impersonation inside trusted chats can seed disinformation, solicit sensitive files, or pivot into broader networks. The Netherlands’ alert suggests the operation’s scope is global, which aligns with recent advisories from national cyber agencies and watchdogs such as the UK’s NCSC and the U.S. CISA urging vigilance around messaging-app account takeovers.

Immediate security steps high-risk users should take now

Enable and protect app-specific PINs. Turn on Signal’s registration lock and WhatsApp’s two-step verification, choosing unique, long PINs that are not reused elsewhere. Never share SMS codes or PINs in any chat, regardless of who is asking.

Verify “support” and invitation messages out of band. Treat any unsolicited QR code, invite link, or request to “confirm your account” as hostile until verified via official help centers or known contacts using a separate channel.

Audit linked devices frequently. On WhatsApp, open Linked Devices and remove anything unfamiliar. On Signal, review logged-in devices and revoke unknown sessions immediately. Notify contacts if you suspect an account hijack and assume some messages during the window were sent by an impostor.

Harden your phone number. Add a carrier PIN to reduce SIM-swap risk, disable call forwarding you do not use, and avoid publishing your number on public profiles. High-risk users—especially in government, defense, and media—should consider dedicated numbers for secure communications.

Seek expert support. Organizations like Access Now’s Digital Security Helpline and the Committee to Protect Journalists offer rapid-response guidance for victims and at-risk communities.

What to watch next as platforms and agencies respond

The Dutch alert raises pressure on platforms to curb social-engineering pathways with stronger device-binding signals, clearer in-app warnings, and more friction for high-risk actions like new-device registration. Expect additional advisories from European and North American cyber agencies, and watch for indicators of compromise published by national CERTs to help organizations hunt for linked-device abuse at scale.

The bottom line: encryption is not the weakness—identity is. As state actors refine low-tech, high-yield account takeovers, survival on secure messengers comes down to rigid code hygiene, skepticism toward unexpected prompts, and relentless auditing of where your conversations are actually logged in.