Russian Cybercriminals Target Signal and WhatsApp Accounts of High-Value Individuals in Large-Scale Phishing Operation

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • High-Value Targets: A Russian cybercriminal campaign is actively targeting Signal and WhatsApp accounts of government officials and military personnel worldwide.
  • Account Hijacking: Attackers use phishing and social engineering to trick victims into sharing verification codes or PINs, bypassing end-to-end encryption.
  • Ongoing Campaign: Dutch intelligence agencies have issued a cybersecurity advisory warning that the campaign may already have compromised sensitive information.

A large-scale Russian phishing campaign is compromising accounts on the secure messaging applications Signal and WhatsApp, specifically targeting high-value individuals such as dignitaries, military personnel, and civil servants. Rather than attempting to break encryption protocols, this campaign relies on social engineering, according to the Dutch intelligence agencies AIVD and MIVD.

Russian hackers are directly contacting targets within Signal and WhatsApp, often impersonating official support channels, such as the Signal Support chatbot, to persuade them to divulge their account verification codes and PINs.

Secure Messaging Account Compromise

MIVD and AIVD have confirmed that this campaign has already compromised accounts and possibly accessed sensitive information of Dutch government employees. The agencies assert that other persons of interest to the Russian government, such as journalists, may also be targeted by this campaign.

“It is not the case that Signal or WhatsApp as a whole have been compromised. Individual user accounts are being targeted,” Director-General of the AIVD Simone Smit has stated.

The primary vector for this secure messaging account compromise is direct user manipulation. Once an attacker obtains a victim's credentials, they can register the account on a new device, granting them full access to conversations and contacts, the agencies warned.

Another technique involves abusing the "linked devices" feature. By tricking a user into scanning a malicious QR code, attackers can link their own device to the victim's account, allowing them to access communications in real time. 

Cybersecurity Threats and Mitigation

This Russian phishing campaign highlights significant cybersecurity threats related to account takeover, even on platforms with strong end-to-end encryption. The Dutch AIVD and MIVD have stressed that while these apps are secure for transit, they should not be used for classified or highly sensitive communications. 

Users are strongly advised to never share their verification codes or PINs with anyone and to be suspicious of any unsolicited requests for account information, even if they appear to come from a legitimate source.

Last week, Microsoft issued a critical security alert regarding an escalating campaign in which threat actors use OAuth redirect abuse to compromise government and public sector organizations. In December, the DOJ seized a stolen password database and domain to stop account takeovers.

In August 2025, a PRC-nexus espionage campaign targeted diplomats with web traffic hijacking to deliver malware. 

