Dutch intelligence agencies have reported that Russian government hackers are conducting a large-scale global campaign targeting users of Signal and WhatsApp. The Netherlands’ Defence Intelligence and Security Service and General Intelligence and Security Service state that government and military officials, as well as journalists worldwide, are the primary targets.
The agencies accuse Russian state actors of using phishing and social engineering techniques to take over accounts on these messaging apps, rather than deploying malware. In the case of Signal, the hackers pose as the app’s support team. They contact targets directly with warnings about suspicious activity, a possible data leak, or attempts to access private data. If a target engages, the hackers request a verification code sent via SMS—which they themselves trigger from Signal—along with the target’s PIN code.
The hackers then use these codes to register a new device with a new phone number, impersonate the target, and potentially access their contacts. The target is locked out of their account but can re-register their number. Because Signal stores chat history locally on the phone, a victim regains access to that history after re-registering, which may lead them to believe nothing is wrong. The Dutch services stress this assumption could be incorrect. Signal does not provide support directly through the app, and it is important to note that generally, when a new device is added to a Signal account, it does not have access to previous messages.
Hackers are also attempting to trick targets on both apps into scanning malicious QR codes or clicking on malicious links. For example, an actor may send a QR code or link supposedly to add the victim to a chat group, but it actually links the actor’s device to the victim’s account.
Regarding WhatsApp, the hackers are abusing the “Linked devices” function, which allows access from a secondary device like a laptop. If successful, unlike with Signal, they can potentially read past messages. Sometimes the victim may not realize they have granted access, as they do not get logged out of their account. WhatsApp advises users to never share their six-digit code with anyone.
Signal did not respond to a request for comment on the campaign. Meta declined to comment. The Dutch Ministry of Interior and Ministry of Defense did not provide further information. The Russian embassy in Washington D.C. also did not respond to a request for comment.
Some of the techniques described in the Dutch report have been previously known to be used by Russian government hackers in the context of the war against Ukraine.