Feb 07, 2026
Germany Warns State Hackers Are Hijacking Signal Accounts—No Malware Needed
German intelligence agencies issued an urgent warning about coordinated phishing attacks targeting secure messaging apps. The attackers use social engineering to take over accounts without exploiting any software vulnerabilities.
The Attack: Social Engineering, Not Hacking
Germany's Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI) issued a joint security advisory this week warning of coordinated phishing attacks targeting secure messaging apps. What makes this campaign notable is that attackers are not exploiting software vulnerabilities or deploying malware. Instead, they are manipulating people.
The agencies identified two primary attack methods:
Method 1: Fake Support Impersonation
Attackers send messages pretending to be Signal support, warning targets of fake security issues with their accounts. Victims are then tricked into sharing their Signal PIN or SMS verification codes. Once obtained, attackers register the victim's account on their own device, locking out the legitimate user entirely.
Method 2: Malicious QR Code Linking
This method is more insidious. Attackers convince targets to scan a QR code that appears to be a group invite, security verification, or official Signal pairing request. In reality, scanning the code links the victim's account to an attacker-controlled device.
The result: every message the victim sends or receives is silently duplicated to the attacker in real time. The victim has no idea their conversations are being monitored, and Signal's end-to-end encryption is effectively bypassed without breaking the underlying cryptography.
Who Is Being Targeted
According to the advisory, the campaign is specifically targeting high-value individuals, including:
- High-ranking politicians
- Military officers
- Diplomats handling sensitive negotiations
- Investigative journalists working on national security stories
The attacks have been observed across Germany and throughout Europe. While the advisory does not officially attribute the campaign, security researchers have previously linked similar Signal exploitation techniques to Russian intelligence operations.
Why Signal's Linked Devices Feature Is the Weak Point
Signal's linked devices feature is designed for convenience, allowing users to access their messages across multiple devices simultaneously. However, this same feature has become a target for exploitation.
Once an attacker links their device to a victim's account through the QR code method, they receive all future messages in real time. Unlike traditional account takeovers, the victim remains logged in and may not notice anything unusual. Most users rarely check their list of linked devices.
Security researchers at Google's Threat Analysis Group have documented similar campaigns exploiting this feature since early 2025, attributing some attacks to Russian APT groups UNC4221 and UNC5792.
How to Protect Yourself
German authorities recommend several protective measures:
- Enable Registration Lock. Go to Settings > Account > Registration Lock and enable it with a strong PIN. This prevents anyone from registering your phone number on another device without the PIN.
- Never respond to alleged support messages. Signal does not contact users through the app. Any message claiming to be from Signal support is fraudulent. Block and report these accounts immediately.
- Review your linked devices regularly. Go to Settings > Linked Devices and examine every entry. Remove any device you do not recognize. If you have never intentionally linked a device, the list should be empty except for your phone.
- Be suspicious of QR codes. Do not scan QR codes from untrusted sources, even if they appear to be Signal group invites or security verifications. When in doubt, verify through a separate channel before scanning.
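An added example, not part of the original article or of Signal's own code: a Python check that classifies the text decoded from a QR code and blocks device-linking requests regardless of what the accompanying message claims. The URI forms it recognizes (`sgnl://linkdevice`, the older `tsdevice:` form, and `signal.group` invite links) are assumptions based on Signal's public clients, and the sample payloads are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed URI forms (not taken from the article): device-linking QR codes carry
# sgnl://linkdevice?uuid=...&pub_key=... (older clients: tsdevice:/?uuid=...),
# while genuine group invites are https://signal.group/#... links.
LINK_SCHEMES = {"sgnl", "tsdevice"}


def classify_qr_payload(payload: str) -> str:
    """Return 'device-link', 'group-invite' or 'other' for decoded QR text."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme in LINK_SCHEMES:
        query = parse_qs(parts.query)
        target = (parts.netloc + parts.path).lower()
        is_link = scheme == "tsdevice" or "linkdevice" in target
        if is_link and "uuid" in query and "pub_key" in query:
            return "device-link"
        return "other"
    # Exact host match, so look-alike hosts such as signal.group.example fail.
    if scheme == "https" and (parts.hostname or "").lower() == "signal.group":
        return "group-invite"
    return "other"


def assess(claimed: str, payload: str) -> tuple[str, str]:
    """Compare what the sender claims the QR code is with what it would do."""
    kind = classify_qr_payload(payload)
    if kind == "device-link":
        # A linking code supplied by someone else adds *their* device.
        return ("block", f"presented as '{claimed}' but links a new device")
    if kind == "group-invite" and claimed == "group invite":
        return ("ok", "payload matches the claimed group invite")
    # 'other' is not a verdict of safety: the payload is simply unrecognized.
    return ("review", f"presented as '{claimed}', payload type is '{kind}'")


# Constructed sample inputs: (claimed purpose, decoded QR text).
SAMPLES = [
    ("group invite", "sgnl://linkdevice?uuid=CONSTRUCTED-UUID&pub_key=CONSTRUCTEDKEY"),
    ("security verification", "tsdevice:/?uuid=CONSTRUCTED-UUID&pub_key=CONSTRUCTEDKEY"),
    ("group invite", "https://signal.group/#CONSTRUCTED-INVITE"),
    ("group invite", "https://signal.group.example/#CONSTRUCTED-INVITE"),
]

if __name__ == "__main__":
    for claimed, payload in SAMPLES:
        print(assess(claimed, payload), payload)
```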
The Bigger Picture
This campaign demonstrates that attackers targeting secure communications do not need sophisticated exploits. Social engineering remains one of the most effective weapons, particularly against high-value targets who may be overconfident in their encrypted messaging security.
For journalists, activists, and anyone communicating sensitive information, the lesson is clear: end-to-end encryption only protects the channel. If attackers can trick you into giving them access, no amount of cryptography will save you.