A phishing campaign is hijacking Signal and WhatsApp accounts of officials worldwide. Dutch intelligence agencies AIVD and MIVD issued the warning on March 9, 2026, confirming that Dutch government employees are among the victims. The agencies allegedly attribute the campaign to Russian state hackers and state that attackers "likely gained access to sensitive information."
The campaign does not exploit any technical flaw in Signal or WhatsApp. Attackers approach targets directly via chat, impersonating a Signal support bot, and persuade them to share security verification codes or PINs. Once the code is handed over, the attacker logs into the account and reads all messages, including group chats. End-to-end encryption protects messages in transit but cannot stop an attacker who controls the account itself.
It is not the case that Signal or WhatsApp as a whole have been compromised. Individual user accounts are being targeted.
— said Simone Smit, Director-General of the AIVD
A second attack method abuses Signal's "linked devices" feature. Attackers trick victims into linking an attacker-controlled device to their account, allowing real-time message mirroring. The victim sees no obvious sign of compromise. The attacker receives every incoming message in parallel.
Google Threat Intelligence Group (GTIG) documented the same technique in February 2025. The GTIG report, published on February 19, identified threat clusters tracked as UNC5792 (overlapping with CERT-UA's UAC-0195) and UNC4221 (UAC-0185) that used malicious QR codes disguised as Signal group invites to hijack accounts. GTIG warned at the time that these tactics would "grow in prevalence."
Thirteen months later, the Dutch advisory confirms that prediction. The campaign has expanded to target government officials, civil servants, and journalists in NATO member states. Microsoft Threat Intelligence documented a parallel effort in January 2025, attributing a WhatsApp device-linking phishing campaign to Star Blizzard (also tracked as COLDRIVER and UNC4057). CISA published a dedicated alert on November 24, 2025, warning that messaging app users face growing targeting from both state-sponsored actors and commercial spyware vendors.
Despite their end-to-end encryption option, messaging apps such as Signal and WhatsApp should not be used as channels for classified, confidential or sensitive information.
— said Vice-Admiral Peter Reesink, Director of the MIVD
The Dutch agencies released a cybersecurity advisory with detection guidance. Compromised accounts may show up as duplicate contacts in group member lists, or as members whose display names suddenly change to "Deleted account" without a standard notification. Unknown members joining through group links should be reported to the group administrator. Dutch authorities said they are assisting affected users in securing their accounts.
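The three indicators above can be checked mechanically when a group administrator keeps periodic snapshots of the member list. The following is an added example, not code from the AIVD/MIVD advisory or from Signal or WhatsApp; the snapshot structure, the `joined_via` field and the member ids are assumptions made for illustration, and the sample rosters are constructed.

```python
import unicodedata
from collections import defaultdict

DELETED = "Deleted account"  # display name quoted in the advisory

def _norm(name):
    # Fold case, width variants and extra spaces so near-identical names collide.
    return " ".join(unicodedata.normalize("NFKC", name).split()).casefold()

def audit_roster(previous, current):
    """Compare two snapshots of one group's member list.

    Each snapshot maps a stable member id (assumed) to
    {"name": display name, "joined_via": "invite" | "group_link"}.
    Returns a sorted list of (indicator, member_id) findings.
    """
    findings = []
    # Indicator 1: the same display name on more than one account in the group.
    by_name = defaultdict(list)
    for mid, member in current.items():
        if _norm(member["name"]) != _norm(DELETED):
            by_name[_norm(member["name"])].append(mid)
    for ids in by_name.values():
        if len(ids) > 1:
            findings += [("duplicate_name", mid) for mid in ids]
    for mid, member in current.items():
        old = previous.get(mid)
        # Indicator 2: a known member whose name switched to "Deleted account".
        if old and member["name"] == DELETED and old["name"] != DELETED:
            findings.append(("renamed_to_deleted", mid))
        # Indicator 3: a member not seen before who came in through a group link.
        if old is None and member.get("joined_via") == "group_link":
            findings.append(("new_via_link", mid))
    return sorted(findings)

# Constructed sample data: yesterday's and today's roster of one group.
PREVIOUS = {
    "m1": {"name": "Anna de Vries", "joined_via": "invite"},
    "m2": {"name": "Pieter Jansen", "joined_via": "invite"},
    "m3": {"name": "Sara Bakker", "joined_via": "invite"},
}
CURRENT = dict(PREVIOUS)
CURRENT["m2"] = {"name": "Deleted account", "joined_via": "invite"}
CURRENT["m4"] = {"name": "anna  de vries", "joined_via": "group_link"}
CURRENT["m5"] = {"name": "Help Desk", "joined_via": "group_link"}

if __name__ == "__main__":
    for indicator, member_id in audit_roster(PREVIOUS, CURRENT):
        print(f"{indicator}: {member_id}")
```

A finding is a prompt for the administrator to verify the member out of band, not proof of compromise.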
Meta told The Register that WhatsApp users should never share their six-digit code. Note: Meta is designated as an extremist organization and banned in Russia. Signal did not respond to The Register's inquiry. Signal released hardened updates for Android and iOS in February 2025 following the GTIG report. Josh Lund, Signal's senior technologist, told Politico EU at the time that the updates addressed "the types of social engineering attacks that the report describes."
Signal and WhatsApp users should check their linked devices immediately. Open Settings, then Linked Devices, and remove any entry you do not recognize. Enable Registration Lock in Signal (Settings, Account, Registration Lock) to block unauthorized re-registration. Never share a verification code or PIN via chat, because Signal does not request codes through in-app messages.