Russia-linked hackers target Signal, WhatsApp of officials globally
2026-3-9 14:54:23 Author: securityaffairs.com


Russia-linked hackers are targeting Signal and WhatsApp accounts of government and military officials worldwide, warns Dutch intelligence.

Dutch intelligence agencies (MIVD and AIVD) warn of a global campaign by Russia-linked threat actors aiming to compromise Signal and WhatsApp accounts. The operation targets government officials, civil servants, and military personnel, highlighting growing cyber risks to sensitive communications among national security actors.

“Russian state hackers are engaged in a large-scale global cyber campaign to gain access to Signal and WhatsApp accounts belonging to dignitaries, military personnel and civil servants. The Dutch intelligence and security services MIVD and AIVD can confirm that targets and victims of the campaign include Dutch government employees.” reads the alert by Dutch intelligence agencies. “The Dutch services also believe that other persons of interest to the Russian government, such as journalists, may possibly be targeted by this campaign.”

Russian cyber spies are tricking users into revealing verification codes to hijack Signal and WhatsApp accounts. They impersonate Signal Support or exploit the “linked devices” feature, gaining access to messages and chat groups, potentially exposing sensitive information from government and military targets.

Dutch intelligence warns that Russia targets Signal for its strong end-to-end encryption, aiming to access sensitive government communications. Officials stress that apps like Signal and WhatsApp should not be used for classified or confidential information.

The government experts pointed out that attackers don’t exploit app vulnerabilities but abuse legitimate features of Signal and WhatsApp. Only individual accounts are targeted, not the platforms themselves, officials say.

Dutch intelligence agencies recommend that Signal users carefully monitor their group chats for signs of compromised accounts. If a contact appears twice under the same or a slightly altered name, this may indicate a compromised account or a victim-created account. Users should report suspicious cases to their organization’s information security team and verify the accounts through alternative channels such as email or phone. Group administrators should remove any unauthorized accounts, after which legitimate members can rejoin. Actor-controlled accounts may change display names, e.g., to “Deleted account,” or join via a shared Group Link, triggering notifications. Users should remain vigilant for unfamiliar members and unusual account behavior. If there is any suspicion that the group administrator has been compromised, it is recommended to leave the chat group and create a new one to ensure the security and integrity of communications within the group.
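The roster check described above can be scripted for a security team reviewing large groups. This is an added example, not code from the advisory or from Signal: it assumes the member list has been copied out by hand as (account id, display name) pairs, and the roster, the `acct-NN` ids and the similarity threshold are constructed for illustration.

```python
import unicodedata
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample roster of (account id, display name); not real data.
ROSTER = [
    ("acct-01", "Anna de Vries"),
    ("acct-02", "Anna de Vries"),      # same name twice
    ("acct-03", "Pieter Jansen"),
    ("acct-04", "Pieter Janssen"),     # one letter added
    ("acct-05", "Sophie Bakker"),
    ("acct-06", "sophie  bakker."),    # case, spacing, punctuation changed
    ("acct-07", "Deleted account"),
    ("acct-08", "Daan Visser"),
]

# Display name the article reports actor-controlled accounts switching to.
PLACEHOLDER_NAMES = {"deletedaccount"}


def normalize(name):
    """Fold case, Unicode compatibility forms, spacing and punctuation."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def review_group(roster, threshold=0.85):
    """Return (kind, account ids) findings to verify through another channel."""
    keyed = [(acct, normalize(name)) for acct, name in roster]
    findings = [("placeholder-name", (a,)) for a, k in keyed if k in PLACEHOLDER_NAMES]
    for (a, ka), (b, kb) in combinations(keyed, 2):
        if not ka or not kb:           # emoji-only names carry no signal here
            continue
        if ka == kb:
            findings.append(("duplicate-name", (a, b)))
        elif SequenceMatcher(None, ka, kb).ratio() >= threshold:
            findings.append(("similar-name", (a, b)))
    return findings


if __name__ == "__main__":
    for kind, accounts in review_group(ROSTER):
        print(f"{kind}: {', '.join(accounts)}")
```

A finding is only a prompt to verify the contact by email or phone, since two colleagues can legitimately share a name.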

“To increase resilience against this Russian campaign, MIVD and AIVD have published a Cyber Advisory explaining how to identify and respond to attacks. The advisory also gives instructions for Signal users on how to identify potentially compromised contacts.” concludes the alert.

In February 2025, Google Threat Intelligence Group (GTIG) researchers warned of multiple Russia-linked threat actors targeting Signal Messenger accounts used by individuals of interest to Russian intelligence. The experts speculated that the tactics, techniques, and procedures used to target Signal will be prevalent in the near term, and they will also be employed in regions outside Ukraine.

Russian hackers exploited Signal’s “linked devices” feature, using specially crafted QR codes to link victims’ accounts to attacker-controlled devices and then spy on them.

“The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app’s legitimate “linked devices” feature that enables Signal to be used on multiple devices concurrently. Because linking an additional device typically requires scanning a quick-response (QR) code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim’s account to an actor-controlled Signal instance.” reads the report published by GTIG. “If successful, future messages will be delivered synchronously to both the victim and the threat actor in real-time, providing a persistent means to eavesdrop on the victim’s secure conversations without the need for full-device compromise.”

Russian hackers used malicious QR codes disguised as Signal resources to hijack accounts, targeting military apps and even linking captured devices to their servers.

In some phishing attacks, attackers frequently disguised malicious QR codes as legitimate Signal resources, such as group invites, security alerts, or device pairing instructions from the Signal website.

In some spear-phishing attacks, attackers embedded the QR codes in phishing pages crafted to appear as specialized applications used by the Ukrainian military.

APT44 (Sandworm) enables Russian forces to link captured Signal accounts to their servers, using battlefield devices for further exploitation.

The alleged Russia-linked cyberespionage group UNC5792 (which partially overlaps with a threat actor tracked as UAC-0195 by CERT-UA) was spotted modifying Signal group invites in phishing campaigns to trick recipients into linking their accounts to attacker-controlled devices.

Researchers also reported that Russian and Belarus-linked threat actors were able to steal Signal database files from Android and Windows devices using scripts, malware, and command-line tools for data exfiltration.


Pierluigi Paganini

(SecurityAffairs – hacking, Signal)




Source: https://securityaffairs.com/189156/intelligence/russia-linked-hackers-target-signal-whatsapp-of-officials-globally.html