Russian Hackers Target WhatsApp and Signal in Global Espionage Campaign
A sophisticated Russian espionage operation is systematically hijacking accounts on encrypted messaging platforms. Dutch intelligence services have exposed a global campaign where state-backed hackers are targeting government employees, military personnel, and journalists.
The goal is simple: bypass the end-to-end encryption of Signal and WhatsApp by stealing the accounts themselves. Once inside, attackers can read private conversations and impersonate trusted contacts.
How the Russian Account Hijacking Works
The attacks are clever and multi-pronged. One primary method involves impersonation. Hackers send messages pretending to be a ‘Signal Support’ chatbot. The message claims suspicious activity on the user’s account and urgently requests their SMS verification code or Signal PIN.
Signal has been unequivocal in its warning. “Signal Support will *never* initiate contact to ask for your verification code or PIN,” the company stated. If anyone asks for these codes, it is definitively a scam.
Another technique exploits the ‘linked devices’ feature. Attackers trick victims into scanning a malicious QR code or clicking a link, which grants the hacker access to the messaging account from their own device. This method was previously used against Ukrainian officials.
Why Encrypted Apps Are Still Vulnerable
End-to-end encryption protects message content in transit, but it cannot protect against account takeover. If a hacker gains control of your account, they effectively become you within the app. They see all your messages and can communicate with your contacts.
“Despite their end-to-end encryption option, messaging apps such as Signal and WhatsApp should not be used as channels for classified, confidential or sensitive information,” warned Vice-Admiral Peter Reesink, director of the Dutch Military Intelligence and Security Service (MIVD).
Security experts note a fundamental mismatch. “Third party consumer-oriented platforms like Signal and WhatsApp are ultimately not developed with state-level usage in mind,” explained Ben Clarke, SOC manager at CybaVerse. They lack the stringent protocols of bespoke government systems, making them attractive targets for well-resourced nation-state actors.
How to Spot and Stop an Account Takeover
Dutch intelligence (AIVD and MIVD) has published clear guidance for high-risk users. Vigilance within group chats is critical. Check if any contact appears twice in your group member list—this duplication could signal a malicious actor has cloned an account.
If you see this, contact the group administrator. They should remove both identical-looking accounts, allowing the legitimate user to request re-entry. Also, watch for sudden display name changes, like a contact’s name switching to ‘Deleted Account.’ A notification of such a change is a major red flag.
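The group-chat checks described above, as an added Python example that is not part of the original article: it flags display names held by more than one account and names switched to 'Deleted Account'. The member-list and name-change layouts and all sample values are constructed assumptions; neither app is assumed to provide such an export.

```python
import unicodedata
from collections import defaultdict

# Constructed sample data; the (account_id, display_name) layout is an assumption.
MEMBERS = [
    ("acct-001", "Anna de Vries"),
    ("acct-002", "Pieter Jansen"),
    ("acct-003", "Anna  de Vries"),       # same name with an extra space
    ("acct-004", "PIETER JANSEN\u200b"),  # different case plus a zero-width space
    ("acct-005", "Sanne Bakker"),
]
NAME_CHANGES = [  # constructed (account_id, old_name, new_name) events
    ("acct-005", "Sanne Bakker", "Deleted Account"),
    ("acct-002", "Pieter Jansen", "Pieter J."),
]

def normalize(name):
    """Fold case, compatibility forms, invisible characters and spacing.
    Cross-script look-alike letters are not folded; that needs a confusables table."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    visible = "".join(c for c in folded if unicodedata.category(c) != "Cf")
    return " ".join(visible.split())

def duplicate_members(members):
    """Return {normalized_name: [account_ids]} for names held by more than one account."""
    by_name = defaultdict(set)
    for account_id, display_name in members:
        by_name[normalize(display_name)].add(account_id)
    return {n: sorted(ids) for n, ids in by_name.items() if len(ids) > 1}

def suspicious_renames(changes, marker="Deleted Account"):
    """Return account ids whose display name switched to the marker."""
    target = normalize(marker)
    return [account_id for account_id, old, new in changes
            if normalize(new) == target and normalize(old) != target]

if __name__ == "__main__":
    for name, ids in duplicate_members(MEMBERS).items():
        print(f"duplicate display name {name!r}: {ids} -> ask the admin to remove both")
    for account_id in suspicious_renames(NAME_CHANGES):
        print(f"{account_id} switched its name to 'Deleted Account' -> red flag")
```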
The core defense is simple: never, under any circumstances, share your SMS verification code or app-specific PIN with anyone. No legitimate support service will ever ask for them.
This campaign is a stark reminder. The strongest lock is useless if someone steals your key. For sensitive communications, the platform’s trustworthiness is just as important as its encryption.