June 4, 2026

PBX Science

VoIP & PBX, Networking, DIY, Computers.

Russian State Hackers Hijack Signal and WhatsApp Accounts Worldwide

Cyber Intelligence Dispatch Sunday, March 29, 2026  ·  Threat Level: HIGH

Dutch and U.S. intelligence agencies sound the alarm as a sophisticated Russian-linked phishing campaign bypasses end-to-end encryption by exploiting legitimate app features — compromising thousands of accounts belonging to officials, military personnel, and journalists.

ACTIVE THREAT:  The FBI and CISA confirmed this campaign is ongoing as of March 2026. Users in sensitive roles should review linked devices immediately.

A large-scale Russian-linked cyber espionage campaign is actively targeting Signal and WhatsApp accounts used by government officials, military personnel, diplomats, and journalists worldwide. Dutch intelligence agencies AIVD and MIVD issued the initial global warning in early March 2026, and by late March the U.S. Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) confirmed the same threat in a joint Public Service Announcement. The campaign does not crack encryption — it walks straight around it, exploiting users’ trust in official app features to silently gain access to private conversations in real time.

How the Warnings Unfolded

Early 2025
Google Threat Intelligence Group first reports Russian-aligned clusters (including UNC5792 / UAC-0195 and UNC4221 / UAC-0185) abusing Signal’s linked-device feature against Ukrainian military targets.
March 9, 2026
Dutch intelligence services AIVD and MIVD issue a joint public advisory warning of a large-scale campaign targeting Signal and WhatsApp accounts of senior officials, military staff, civil servants, and journalists — including Dutch government employees.
Mid-March 2026
French cybersecurity agency ANSSI / C4 issues a parallel warning, reporting a surge in attacks on instant messaging accounts of government officials and business leaders across Europe.
March 20–24, 2026
The FBI and CISA publish a joint PSA confirming the same campaign, noting it has already compromised thousands of accounts worldwide and warning that tactics may evolve to include malware deployment.
March 29, 2026
Campaign remains active and ongoing. No specific Russian intelligence agency or hacking group formally attributed in official Dutch or U.S. advisories, though prior research links tactics to multiple Russia-affiliated clusters.

How the Attack Works

The key insight behind this campaign is elegantly ruthless: rather than attempting to break Signal or WhatsApp’s well-regarded encryption, attackers bypass it entirely by targeting the human holding the account. Two primary techniques have been documented by intelligence agencies.

Method 1 — Malicious QR Codes & the “Linked Devices” Feature

Both Signal and WhatsApp allow users to connect their account to secondary devices (a laptop, tablet, or second phone) by scanning a QR code. Attackers reverse-engineer this flow:

The Linked-Device Attack Chain

  • Attacker generates a malicious QR code or crafts a fake device-linking link that, when scanned or clicked, registers the attacker’s device as a legitimate secondary device on the victim’s account.
  • Disguises include: “Signal Security Verification,” “Group Chat Invitation,” counterfeit military app login pages, or pages mimicking Signal’s official pairing screen.
  • Once linked, all messages are silently synchronized to the attacker’s terminal in real time — the victim remains logged in and sees no sign of compromise.
  • In the WhatsApp variant, attackers can also read past message history, unlike the Signal variant which captures only new messages from the moment of linking.
  • One documented case: Russian military hackers linked Signal accounts from battlefield-captured devices to their own systems for exploitation.

Method 2 — Impersonating Support to Steal Verification Codes

A second, more aggressive method involves impersonating official app support to steal credentials outright. An account named “Signal Support”, “Signal Security Support Chatbot”, or similar fabricated identity contacts the target via in-app messages, SMS, or social media, warning of a “suspicious login attempt” or a required “security upgrade.”

⚠ What Happens If You Share Your Code

If you provide your SMS verification code or PIN, attackers can immediately re-register your account on their own device — locking you out entirely, reading all new messages, impersonating you to contacts, and launching further phishing attacks using your trusted identity.

Signal confirmed on X: “Signal Support will never initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN.” Any such request is fraudulent, without exception.
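
A triage check for user-reported messages that covers both methods described above, as an added example rather than code from the advisories or the apps. The `sgnl://linkdevice` and legacy `tsdevice:/` schemes are not given on this page and are assumed here from Signal's public device-linking format; QR images are assumed to be decoded by an upstream tool, and the sample messages are constructed.

```python
import re
import unicodedata
from urllib.parse import unquote

# Assumption: Signal's public device-linking URI schemes (current and legacy).
LINK_URI = re.compile(r"(?:sgnl://linkdevice|tsdevice:/?)\?[^\s\"'<>]+", re.I)
BRANDS = ("signal", "whatsapp")
SUPPORT_WORDS = ("support", "security")
CODE_REQUEST = re.compile(r"\b(?:verification|sms|registration)\s+code\b|\bpin\b", re.I)
LURES = re.compile(r"suspicious\s+login|security\s+(?:upgrade|verification)", re.I)


def fold(name):
    """NFKC-normalise and casefold, keeping letters and digits only, so
    full-width or styled letters and separators do not hide a brand name."""
    text = unicodedata.normalize("NFKC", name).casefold()
    return "".join(ch for ch in text if ch.isalnum())


def triage(sender_name, body, qr_payloads=()):
    """Return findings for one reported message. qr_payloads holds strings
    already decoded from any QR images attached to the message."""
    findings = []
    for source in (body, *qr_payloads):
        # unquote() exposes a linking URI hidden in a percent-encoded parameter.
        if LINK_URI.search(unquote(source)):
            findings.append("device-linking URI delivered outside the app")
            break
    name = fold(sender_name)
    poses_as_support = (any(b in name for b in BRANDS)
                        and any(w in name for w in SUPPORT_WORDS))
    if poses_as_support:
        findings.append("sender name imitates app support")
    # A bare mention of "PIN" is not enough; require a support pose or a known lure.
    if CODE_REQUEST.search(body) and (poses_as_support or LURES.search(body)):
        findings.append("requests verification code or PIN")
    return findings


# Constructed sample messages (not taken from real incidents).
SAMPLES = [
    ("Ｓｉｇｎａｌ Support", "Suspicious login attempt detected. Reply with your verification code.", ()),
    ("Group invite", "Scan to join our unit chat.", ("sgnl://linkdevice?uuid=EXAMPLE&pub_key=EXAMPLE",)),
    ("Alice", "Lunch at noon? My PIN for the bike lock is in the drawer.", ()),
]

if __name__ == "__main__":
    for sender, body, qrs in SAMPLES:
        print(sender, "->", triage(sender, body, qrs) or "no findings")
```

A linking URI hidden behind a redirect or loaded by script will not appear in the static text, so a clean result here does not clear a message.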

“It is not the case that Signal or WhatsApp as a whole have been compromised. Individual user accounts are being targeted.”

— Simone Smit, Director-General, AIVD (Dutch General Intelligence and Security Service)

Who Is Being Targeted

This is a precision espionage operation, not an indiscriminate criminal scheme. Targeted individuals include:

Confirmed Target Categories

  • Government officials and civil servants — national and regional level, across multiple countries
  • Military and defense personnel — including Ukrainian battlefield personnel (exploiting emergency contexts to lower vigilance)
  • Diplomats and policy advisors — particularly those handling sensitive negotiations or classified briefings
  • Journalists and researchers — especially those covering Russia, defense, or geopolitics
  • Think tank staff and NGO workers — who serve as indirect conduits to high-value information networks

The geographic scope spans Europe — with confirmed victims among Dutch government employees — to multiple regions globally. French authorities separately documented attacks on officials and business leaders across France.

The reason these apps are being targeted is not despite their encryption — it is because of it. Signal and WhatsApp are widely used by officials and military personnel precisely because they are considered secure. Attackers exploit the false confidence this creates.

“Chat applications like Signal and WhatsApp, despite having end-to-end encryption, are not channels for classified, confidential, or sensitive information.”

— Vice Admiral Peter Reesink, Director, MIVD (Dutch Military Intelligence and Security Service)

Attributed Threat Actors

The official Dutch and U.S. advisories do not formally attribute the campaign to a specific Russian intelligence agency or hacking group. However, prior research by Microsoft and Google Threat Intelligence has linked the same tactics to several Russia-aligned clusters:

| Actor | Also Known As | Known Specialization |
| UNC5792 | UAC-0195 | Tampering with Signal group-chat invitation links to embed malicious QR codes; tracked by Ukraine’s CERT-UA |
| UNC4221 | UAC-0185 | Targeting Ukrainian military via fake military app pages; linked to the Signal linked-device technique |
| Star Blizzard | - | Long-running phishing campaigns against Western government and policy targets; linked by Microsoft research |
| APT44 | Sandworm (GRU) | Previously reported linking hijacked Signal accounts to battlefield-captured devices for dual online/offline exploitation |

Note: Attribution in the table is based on prior reporting by Google and Microsoft, not the official Dutch or U.S. government advisories.


Warning Signs Your Account May Be Compromised

Because attackers do not change your password or lock your main device after a linked-device hijack, many victims only discover the breach when sensitive information surfaces elsewhere. Watch for these red flags:

🔍 Signals of a Compromised Account

  • Duplicate contacts in group chats — the same person appearing twice, possibly under a slightly different or identical name, may indicate an attacker’s linked account shadowing the group.
  • Unknown accounts in group chats — accounts with names like “Deleted account” or strange identifiers that joined automatically via group link.
  • Unrecognized devices in your linked-device list — any entry in Signal’s “Linked Devices” or WhatsApp’s “Associated Devices” that you don’t recognize.
  • Unexpected account re-registration messages — if you receive an SMS code you did not request, someone may be attempting (or may have attempted) to re-register your account.
  • Contacts reporting strange messages from you — a sign that an attacker is impersonating you after a full account takeover.

How to Protect Yourself: Official Guidance

The following steps are drawn directly from AIVD, MIVD, FBI, CISA, and the apps’ own security advisories. For anyone in a sensitive role, these should be treated as immediate action items — not optional precautions.

  1. Audit your linked devices right now. In Signal: Settings → Linked Devices. In WhatsApp: Settings → Linked Devices. Remove every device you do not personally recognize. Schedule a repeat check at least every 90 days. Consider disabling WhatsApp’s “Auto Login” feature for secondary devices.
  2. Never share your SMS verification code or PIN with anyone. Neither Signal nor WhatsApp will ever ask for your code via message, SMS, email, or social media. Any such request — however official it looks — is an attack. Verify through the app’s own settings page, never through an inbound message.
  3. Never scan QR codes you did not initiate yourself. Only scan device-linking QR codes when you are already inside the app’s official device-linking menu and you started the process. Refuse all QR codes sent to you via email, web pages, chat messages, or documents — regardless of how legitimate they appear.
  4. Enable Registration Lock on Signal. Signal Settings → Account → Registration Lock. This requires your PIN to re-register your number on a new device, blocking full account takeovers even if an attacker obtains your SMS code.
  5. Enable two-step verification on WhatsApp. WhatsApp Settings → Account → Two-Step Verification. This adds a six-digit PIN required at re-registration, making account takeovers significantly harder.
  6. Manage your group chats. Group admins should regularly audit membership and remove unrecognized or duplicate accounts. Disable the “Join via Link” option where possible, especially for sensitive groups. If your account has been compromised, leave all groups immediately and contact members through verified channels to establish new groups.
  7. Do not use Signal or WhatsApp for classified information. Both AIVD/MIVD and CISA are unambiguous: end-to-end encryption does not make these apps safe for classified, confidential, or sensitive government information. Use dedicated secure government communication systems for such material.

The Broader Picture

This campaign is part of a documented pattern of Russian intelligence services targeting Western communications infrastructure — not by breaking the technology, but by exploiting the humans who use it. As the FBI noted in its advisory, the campaign may evolve to deploy malware against victims as tactics mature.

Critically, Signal’s infrastructure has not been compromised, and neither has WhatsApp’s. The encryption works. What this campaign demonstrates is that no amount of cryptographic sophistication can protect an account whose owner has been socially engineered into handing it over.

CISA once recommended that highly targeted individuals use Signal for sensitive communications, and this attack exploits that very recommendation. The episode serves as a reminder that security tools and security practices must advance together. The strongest encryption in the world offers no protection against an authorized login.

“These attacks, like all phishing, rely on social engineering. While we build robust technical safeguards, user vigilance is ultimately the best defence against phishing.”

— Signal, official statement, March 2026

Primary Sources

References & Further Reading

  • AIVD / MIVD Joint Advisory — Dutch intelligence agencies, March 9, 2026
  • FBI / CISA Joint Public Service Announcement — March 20–24, 2026
  • ANSSI / C4 Advisory — French National Cybersecurity Agency, March 2026
  • TechCrunch — “Russian government hackers targeting Signal and WhatsApp users, Dutch spies warn” (March 2026)
  • The Hacker News — “FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks” (March 2026)
  • Malwarebytes Blog — “Signal and WhatsApp accounts targeted in phishing campaign” (March 2026)
  • The Record (Recorded Future) — “Kremlin hackers attempting to compromise Signal, WhatsApp accounts globally” (March 2026)
  • Help Net Security — “Russian hackers crack into officials’ Signal and WhatsApp accounts” (March 2026)
