A state-sponsored phishing campaign of unprecedented scale is actively targeting the accounts of high-profile individuals on both Signal and WhatsApp, according to a joint advisory from Dutch intelligence agencies. The attack exploits a fundamental privacy design choice in Signal, making the deception particularly effective against users who rely on the app’s anonymity for their security.
End-to-end encrypted messaging offers peace of mind, but it does not stop an attacker who takes over the account itself, and nation-state actors are exploiting that gap. Two Dutch intelligence agencies have formally declared that Russia is “engaged in a large-scale global attempt” to take over accounts on Signal and WhatsApp through sophisticated phishing operations. This isn’t a scattered effort; it’s a coordinated campaign that has already successfully compromised Dutch government employees and is predicted to expand to journalists and other “persons of interest” to the Russian government.
The Target: Why Signal and Why Now?
Signal is not just another messaging app; it is the gold standard for operational security, widely used by the Ukrainian military, activists, and security professionals precisely because its encryption protocol, the Signal Protocol, is designed to be mathematically unbreakable, even against future quantum computers. Its nonprofit structure and minimal data collection further cement its reputation as a trusted tool for sensitive communications. This very reputation makes it a prime target. Compromising a Signal account provides an adversary with a high-value, trusted channel into a target’s private life and work.
The campaign specifically impersonates official support accounts, a tactic that leverages user trust in the platform itself. The advisory notes attackers use names like “Signal support” to solicit credentials or two-factor authentication codes—the very keys to an account.
The Core Vulnerability Exploited: Anonymity by Design
This attack works because of a deliberate privacy feature. To prevent contact harvesting and protect user anonymity, Signal does not display users’ phone numbers to each other by default. That is a privacy victory, but it also removes a cue users rely on to spot phishing. If you receive a suspicious message from “Signal support,” you cannot quickly verify the sender by checking the associated phone number in your contacts, a common sanity check on platforms like WhatsApp or SMS. The malicious account appears with a plausible name and a hidden number, making the ruse harder to detect immediately.
- The Phishing Vector: Messages appear to come from official support.
- The Goal: Trick users into providing login details or 2FA codes.
- The Enabler: Signal’s design hides sender phone numbers, removing a quick verification layer.
A Pattern of Escalating Warnings
This Dutch advisory is the latest and most severe in a series of alerts that form a clear pattern of escalation:
- February 2026: Germany’s domestic intelligence agency (Bundesamt für Verfassungsschutz) issued a similar warning about phishing attempts targeting high-profile Signal users in German military and political circles.
- 2025: Google’s Threat Analysis Group publicly stated it identified Russian state-backed actors phishing Signal accounts linked to the Ukrainian military, predicting the tactic would broaden.
- Signal’s Own Acknowledgment: The company confirmed on social media awareness of targeted attacks resulting in account takeovers of officials and journalists, sharing an example phishing message with its user base.
The campaign also extends to WhatsApp, which, with over 3 billion monthly users, presents a vastly larger attack surface. WhatsApp’s business model and larger user base make it a perennial target for spyware and phishing, as noted in Meta’s own disclosures about combating commercial spyware merchants.
Immediate Action for Users and Administrators
While the threat is sophisticated, the defense begins with disciplined user behavior. The agencies’ warning implicitly confirms that social engineering remains the weakest link.
- Never Share Codes: No legitimate platform employee will ever message you asking for your SMS verification code, password, or PIN. This is the single most important rule.
- Verify Sender Independently: If you receive an unexpected “support” message, do not engage within the app. Close the chat and independently contact official support through a verified channel on their official website.
- Enable All Available Security: Use a strong, unique PIN for your Signal account (separate from your phone’s lock screen) and ensure two-factor authentication is enabled on your linked email and any other recovery methods.
- Organizational Guidance: For entities with high-risk personnel (government, journalism, NGOs), this advisory mandates immediate security briefings. Assume targeted attempts are incoming and implement mandatory verification steps for any support-related communications.
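One way a security team could triage messages that staff report, using the pattern described above (a sender posing as platform support who asks for a code, PIN or password). This is an added example, not code from the advisory or from Signal; the message schema, keyword lists and sample reports are assumptions constructed for illustration.

```python
import re
import unicodedata

# Assumed keyword lists, derived from the pattern the article describes: a sender
# posing as platform support who asks for a code, PIN or password.
BRANDS = ("signal", "whatsapp")
ROLES = ("support", "security", "helpdesk")
SECRET_RE = re.compile(r"\b(verification code|sms code|2fa code|pin|password)\b")
ASK_RE = re.compile(r"\b(send|share|provide|enter|reply with|confirm|give)\b")

def normalize(text):
    """Fold case, Unicode compatibility forms and separators to single spaces."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return re.sub(r"[\W_]+", " ", text).strip()

def triage(msg):
    """Classify one reported message (hypothetical schema) as escalate/review/ok."""
    name, body = normalize(msg["display_name"]), normalize(msg["body"])
    impersonates = any(b in name for b in BRANDS) and any(r in name for r in ROLES)
    asks_secret = bool(SECRET_RE.search(body) and ASK_RE.search(body))
    unknown = not msg["sender_in_contacts"]
    reasons = [label for hit, label in (
        (impersonates, "display name imitates platform support"),
        (asks_secret, "asks for a code, PIN or password"),
        (unknown, "sender is not a known contact")) if hit]
    # A request for a secret from a support lookalike or a stranger is the
    # combination the advisory warns about; anything weaker gets a human look.
    if asks_secret and (impersonates or unknown):
        return "escalate", reasons
    if impersonates or asks_secret:
        return "review", reasons
    return "ok", reasons

# Constructed sample reports, not real messages.
SAMPLES = [
    {"display_name": "Signal Support", "sender_in_contacts": False,
     "body": "Suspicious activity detected. Reply with the verification code we sent."},
    {"display_name": "SIGNAL - Support_Team", "sender_in_contacts": False,
     "body": "Please share your Signal PIN to confirm your identity."},
    {"display_name": "Jan", "sender_in_contacts": True,
     "body": "I forgot my password again, can you give me a call?"},
    {"display_name": "Anna (work)", "sender_in_contacts": True,
     "body": "Can you send me the slides before the meeting?"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["display_name"], triage(sample))
```

The third sample shows why a secret-related phrase alone only yields "review": a known contact mentioning a password is common, while the same request from a support lookalike is not.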
The Bigger Picture: Cyber as a Front in Hybrid Warfare
This campaign fits squarely into the Kremlin’s doctrine of hybrid warfare, where cyber operations target critical civilian and government infrastructure to achieve strategic objectives below the threshold of traditional military conflict. Compromising the communications of government officials and journalists provides intelligence for influence operations, blackmail, and strategic deception. The targeting of a secure, privacy-focused app like Signal signals a desire to penetrate the most protected channels, not just the most popular ones.
The fact that the advisory comes from Dutch agencies, following Germany’s lead, indicates a shared intelligence assessment among Western allies about the scope and origin of this threat. It is a clear signal that the digital front lines extend into the private messaging apps used by billions.
For senior technologists, security officers, and at-risk individuals, understanding the precise mechanics of this attack is the first step in defense. The integration of encrypted apps into daily life cannot come at the expense of vigilant security hygiene. The playbook has changed: trust in the platform’s encryption is absolute, but trust in any inbound message must be conditional. This incident underscores that the most robust cryptographic systems can be defeated by a well-crafted social engineering prompt, a vulnerability that no app update can patch.