Russian government-linked hackers are carrying out a global campaign targeting users of Signal and WhatsApp, according to Dutch intelligence agencies. The campaign focuses particularly on government officials, military personnel, and journalists, and relies mainly on phishing and social engineering techniques to gain access to accounts.
The warning was issued Monday by the Defence Intelligence and Security Service and the General Intelligence and Security Service. The agencies said the activity is part of a “large-scale global” hacking effort conducted by Russian state actors.
Phishing Attacks Target Signal Accounts
According to the report, attackers impersonate Signal’s support team and contact users directly. Messages sent to targets warn of supposed suspicious activity, potential data leaks, or attempts to access the user’s private information.
If the target responds, the attackers request a verification code sent via SMS. The hackers themselves trigger the request for the verification code through Signal’s login system.
Victims may also be asked to provide their account PIN. With the SMS verification code and PIN, attackers can register a new device and phone number linked to the victim’s account.
The attackers can then impersonate the user and potentially access their contacts. At the same time, the victim is locked out of their account.
The Dutch intelligence report noted that victims can regain access by re-registering their number. Because Signal stores message history locally on the user’s phone, past messages may still appear after the account is restored.
The agencies warned that this could create a false sense of security for victims.
“Because Signal stores the chat history locally on the phone, a victim can regain access to that history after re-registering,” the report said. “As a result, the victim may assume that nothing is wrong.”
Signal does not provide technical support directly through its messaging application.
When a new device is linked to a Signal account, that device normally cannot access older messages stored on the user’s original device.
Signal did not respond to requests for comment on the report. However, the company posted guidance on social media advising users never to share SMS verification codes or account PIN numbers.
QR Code And Link-Based Attacks
The intelligence agencies also reported that hackers are attempting to compromise accounts by persuading victims to scan malicious QR codes or click on links.
In some cases, the attackers claim the QR code or link is required to join a messaging group. Instead, scanning the code connects the attacker’s device to the victim’s account.
These methods are used across both Signal and WhatsApp.
WhatsApp Linked Device Exploitation
In attacks targeting WhatsApp, hackers attempt to exploit the platform’s “Linked devices” feature. The function allows users to connect their account to additional devices such as laptops or tablets.
If victims scan a malicious QR code or follow instructions provided by attackers, they may unknowingly link the attacker’s device to their account.
Unlike Signal, a linked WhatsApp device may have access to past messages stored in the account.
Victims may not notice the compromise immediately because the account remains active on their phone and they are not logged out.
Meta spokesperson Zade Alsawah said WhatsApp advises users never to share the six-digit verification code used for account access.
The company also pointed users to its help centre for guidance on identifying suspicious messages and managing linked devices.
Limited Official Comment On The Campaign
Laurens Bos declined to provide additional details about the hacking campaign.
The Russian Embassy in Washington DC did not respond to requests for comment.
The Dutch intelligence agencies noted that several of the tactics described in the report have previously been linked to Russian government hackers during cyber operations connected to the war in Ukraine.
Featured image credits: Pexels
For more stories like it, click the +Follow button at the top of this page to follow us.