State Hackers Are Hijacking Signal Accounts of Politicians and Journalists

The Warning

Germany's Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI) issued a joint advisory in February 2026 warning of a sophisticated phishing campaign targeting Signal and WhatsApp accounts. The targets are not ordinary users. The campaign is aimed at members of the Bundestag, senior defense officials, diplomats, and prominent investigative journalists across Germany and Europe.

What makes this campaign particularly dangerous is what it does not use: no malware, no exploits, no technical vulnerabilities. The attackers contact targets directly through the messaging apps themselves, impersonating the platform's support team or automated support chatbot. The social engineering is convincing enough that experienced security professionals have fallen for it.

How the Attack Works

The attackers send a message through Signal or WhatsApp that appears to come from the platform's support team. The message typically claims there is a security issue with the target's account and asks them to verify their identity or re link their device. The target is directed to follow steps that ultimately give the attacker access to their account.

The key mechanism involves Signal's linked devices feature. When a target follows the attacker's instructions, they unknowingly link the attacker's device to their Signal account. From that point forward, every message the target sends or receives is also delivered to the attacker in real time. The target sees no indication that anything has changed.

This technique is devastatingly effective because it bypasses end to end encryption entirely. The encryption is still working, but the attacker's device is now a legitimate endpoint. Signal's encryption protects messages in transit, but it cannot protect against an authorized device at the receiving end.

Why Journalists Are Prime Targets

For journalists, the consequences of account compromise go far beyond personal privacy. Investigative reporters routinely use Signal to communicate with confidential sources, whistleblowers, and informants. A compromised journalist account gives attackers access not just to the journalist's messages but to the identities and communications of everyone who trusted that journalist enough to contact them through a secure channel.

The German news outlet Netzpolitik reported that numerous journalists were specifically targeted in the campaign. For reporters covering sensitive topics like national security, intelligence operations, or organized crime, a compromised Signal account could put sources in physical danger.

This is not hypothetical. Journalists working in conflict zones, covering authoritarian regimes, or investigating powerful institutions regularly receive threats. Their sources often face imprisonment or worse if identified. An attacker who can silently read a journalist's Signal messages has the ability to identify and target those sources without the journalist ever knowing.

The Russian Connection

While Germany's advisory did not formally attribute the campaign, Dutch intelligence agencies released a parallel warning that Kremlin affiliated hackers were attempting to compromise Signal and WhatsApp accounts globally. The Dutch agencies stressed that the attacks target individual accounts and do not indicate any breach of the messaging platforms themselves.

The campaign fits a well documented pattern of Russian intelligence operations against European political and media targets. APT28, also known as Fancy Bear and linked to Russia's military intelligence agency GRU, has a long history of targeting journalists and politicians across Europe. The German government previously attributed a 2015 hack of the Bundestag to the same group.

Signal confirmed the phishing attacks targeting government officials and journalists but emphasized that its platform security remains intact. The attacks exploit human trust, not technical flaws.

How to Protect Yourself

The German advisory includes specific defensive recommendations that apply to all Signal and WhatsApp users, not just high profile targets:

• Never follow instructions from messages claiming to be from Signal or WhatsApp support. Neither platform contacts users through their own messaging service for account verification.
• Regularly check your linked devices list in Signal Settings and remove any devices you do not recognize.
• Enable a PIN or registration lock on your Signal account to prevent unauthorized re registration.
• Be suspicious of any request to scan a QR code or follow a link related to your messaging account security.
• If you receive a suspicious support message, report it through the official app and do not engage with the sender.

Encryption protects the channel. It does not protect against being tricked into handing over the keys. In a world where state sponsored attackers have shifted from breaking encryption to bypassing it through social engineering, the human element remains the weakest link in any secure communication system. The FBI and CISA have since confirmed that these tactics have escalated into a global campaign compromising thousands of accounts.