Dutch intelligence services AIVD and MIVD warn that Russian state‑backed hackers are running a large‑scale campaign to break into Signal and WhatsApp accounts of high‑value targets.
The targets are said to be senior officials, military personnel, civil servants, and journalists. The attackers are not breaking end‑to‑end encryption or exploiting a vulnerability in the apps themselves. Instead, they rely on proven phishing and social engineering methods to trick users into handing over verification codes and PINs, or to add a malicious “linked device” to their account.
Last year we reported on GhostPairing, a method that tricks the target into completing WhatsApp’s own device-pairing flow, silently adding the attacker’s browser as an invisible linked device to the account.
In the cases reported by the Dutch intelligence services, the attackers contacted victims on Signal or WhatsApp while posing as “Signal Security Support Chatbot”, “Signal Support” or a similar official‑sounding account.
The message typically warns about suspicious activity or a possible detected data leak and instructs the user to complete a verification step to avoid losing data or having their account blocked.
Victims are then asked to send back the SMS verification code they just received and/or their Signal PIN.
If the victim complies, the attacker can register the account on a device they control and effectively take it over, receiving new messages and sending messages as the victim.
In a second variant, attackers abuse the “linked devices” feature (Signal’s and WhatsApp’s desktop or other secondary device function). Targets are pushed to click a link or scan a QR code that silently links the attacker’s device to the victim’s account. The victim keeps access as normal, but the attacker can now read along in real time without obvious signs of compromise.
These attacks are not new, but deserve a renewed warning because they rely entirely on human behavior, and understanding how they work makes them easier to stop. The methods used are not technically sophisticated and they can easily be copied by non‑state actors or ordinary cybercriminals.
Because of the current Russian campaigns, AIVD and MIVD say that chat apps such as Signal and WhatsApp are unsuitable for sharing classified, confidential, or otherwise sensitive government information, even though they technically support end‑to‑end encryption.
How to keep your conversations confidential
One specific warning for the targeted users is to use designated apps for sensitive information. Despite dedicated secure systems being available to many of them, some resorted to apps they already knew—Signal and WhatsApp. And to be fair, these apps are safe if you follow a few basic rules:
How to prevent and detect compromised accounts
- Never share verification codes or PIN numbers. Your SMS verification code and PIN are only needed when you install or re‑register the app on a device. They are never legitimately requested in a chat. Any in‑app message, direct message (DM), email, or SMS asking you to send these codes back is a phishing attempt.
- Do not trust “support” accounts in chat. Signal explicitly states that Support will never contact you via in‑app messages, SMS, or social media to ask for your verification code or PIN. Treat any “Signal Support Bot”, “Security Chatbot” or similar as malicious, block and report it and then delete the conversation.
- Be cautious with links and QR codes in chat. Only scan QR codes or click device‑linking links when you yourself are in the app’s device‑linking menu and you initiated the process. If a message pushes you to “verify your device” or “secure your data” via a link or QR, assume it is part of this campaign.
- Regularly review linked devices and group memberships. In Signal and WhatsApp, check the list of linked devices and remove anything you do not recognize. Also keep an eye out for strange group participants or duplicate contacts (for example “deleted account” or a contact that appears twice), which Dutch intelligence services mention as possible signs of account compromise.
- Use built‑in hardening features. Enable options like registration lock, registration PIN and device‑change alerts so that your account cannot be silently re‑registered without an extra secret. Store your PIN in a password manager instead of choosing something easy to guess or reusing a common code, to reduce the chance of social engineering or shoulder‑surfing.
Use disappearing messages
Both Signal and WhatsApp support disappearing messages, and using them can meaningfully limit the impact of account compromise or device access (though they don’t prevent it completely).
Short‑timer and disappearing messages reduce how much content is available if an attacker gets into a chat later, or if someone obtains long‑term access to a device or backup. They are not a complete solution, but they can limit the damage.
Signal lets you set a per‑chat timer so that all new messages in that conversation auto‑delete from all devices after the chosen period. You can enable it for 1:1 or group chats and choose from various durations (seconds to weeks), and either party can see it is enabled and change the timer.
WhatsApp also supports disappearing messages with timers per chat (and a default option for new chats). Messages can auto-delete after periods such as 24 hours, 7 days, or 90 days, and newer builds include shorter options like 1 or 12 hours.
You turn it on in the chat info under “Disappearing messages,” then pick the desired timer; only messages sent after enabling it are affected.
For particularly sensitive media or voice messages, WhatsApp also offers “view once” photos, voice messages, and videos that can only be opened a single time before disappearing from the chat.
Enable multi-factor authentication
We’ve written a complete guide on setting up two-step verification on WhatsApp.
To set up two-factor authentication (2FA) on Signal, enable the Registration Lock feature, which requires your set PIN to log in on a new device. Open Signal, go to Settings > Privacy > Registration Lock and turn it on. This ensures that even if someone steals your SIM, they cannot access your account without your personal PIN.
We don’t just report on privacy—we offer you the option to use it.
Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.