Russian Hackers Are Targeting Signal and WhatsApp Users Right Now
If you use Signal or WhatsApp — especially for sensitive communications — you need to read this. Dutch intelligence agencies have issued an urgent warning about a large-scale, ongoing hacking campaign run by Russian state actors targeting messaging app users around the world. Government officials, military personnel, and journalists are the primary targets, but the threat extends far beyond those groups.
 |
| Credit: Matthias Balk/picture alliance / Getty Images |
What Dutch Intelligence Just Revealed About the Russian Hacking Campaign
On Monday, the Netherlands' two top intelligence bodies — the Defence Intelligence and Security Service and the General Intelligence and Security Service — published a detailed warning about what they describe as a "large-scale global" operation. The campaign is not using traditional malware or software exploits. Instead, Russian hackers are relying on phishing and social engineering — manipulating real people into handing over their own account credentials.
This distinction matters enormously. No software vulnerability needs to be patched. The weak point being exploited is human trust. And that makes this attack far more difficult to defend against with conventional cybersecurity tools.
How the Signal Phishing Attack Actually Works
The Signal attack is particularly deceptive in its simplicity. Hackers pose as Signal's official support team and send direct messages to targets, warning them of suspicious activity, a potential data leak, or unauthorized attempts to access their private conversations. The message looks legitimate. The urgency feels real. And that's exactly the point.
If the target takes the bait, the hackers request two critical pieces of information: the SMS verification code that Signal sends when registering a new device, and the user's account PIN. Here's the catch — the hackers themselves trigger the SMS verification request from Signal's own system. They are essentially using Signal's infrastructure against its own users. Once they have both codes, they register a new device under the target's phone number, effectively cloning the account.
Why Victims Often Don't Realize Their Account Has Been Compromised
This is where the attack becomes especially insidious. After the hackers take over, the original user can re-register their number and regain access. Because Signal stores chat history locally on the device, the conversation history reappears when they log back in. Everything looks normal. The victim may reasonably assume nothing happened — and that assumption, as Dutch intelligence explicitly warned, could be dangerously wrong.
The attacker may have already read sensitive messages, noted contacts, or positioned themselves to impersonate the victim to others in their network. The breach can be invisible to the person who experienced it. That invisibility is a feature of the attack, not a bug.
One Critical Thing Signal Users Need to Know
Signal does not provide support through the app itself. Full stop. If you ever receive an in-app message from someone claiming to be Signal's support team, it is not legitimate. This is true regardless of how official the message looks or how alarming the warning sounds.
Signal responded to the threat by sharing public guidance urging users to never share their SMS verification code or account PIN with anyone, under any circumstances. These two pieces of information are the keys to your account. Protecting them is non-negotiable. No legitimate service — Signal included — will ever ask for them.
WhatsApp Users Are Also in the Crosshairs
While the Signal attack method has been detailed most specifically, Dutch intelligence made clear that the campaign also targets WhatsApp users. The same principles apply: social engineering, impersonation, and manipulation designed to extract account credentials without raising immediate suspicion.
Both apps are end-to-end encrypted, which means the hackers are not breaking the encryption itself. They are going around it entirely — targeting the human on the other end of the conversation rather than the technology protecting the messages. It is a reminder that the strongest encryption in the world cannot compensate for a successful phishing attack.
Who Is Being Targeted — and Why It Matters to Everyone
Dutch intelligence identified government officials, military personnel, and journalists as the primary targets of this campaign. These are people whose private communications carry significant national security value. Compromising their Signal or WhatsApp accounts could expose sources, reveal strategic information, or enable further infiltration of secure networks.
But the implications reach beyond high-profile targets. Campaigns like this rarely stay contained. The techniques being used here — fake support messages, verification code theft, PIN harvesting — are straightforward enough to be replicated by other threat actors or scaled to broader populations. Understanding how this attack works is relevant to anyone who relies on encrypted messaging for private or professional communication.
How to Protect Your Signal and WhatsApp Accounts Right Now
There are concrete steps you can take immediately to reduce your risk. First, enable a registration lock or account PIN within your messaging app settings, and do not share that PIN with anyone. Second, treat any unsolicited message claiming to be from an app's support team as a red flag — verify through official channels before taking any action.
Third, be extremely cautious about any message that creates urgency around your account security, requests a verification code, or asks you to click a link to confirm your identity. These are hallmarks of social engineering. The goal is to make you act quickly before your skepticism kicks in. Slow down. Verify independently. And when in doubt, do nothing until you are certain the communication is legitimate.
Finally, regularly review the linked devices on your Signal or WhatsApp account. Both apps allow you to see which devices are currently registered to your number. If you spot a device you do not recognize, remove it immediately and change your PIN.
State-Sponsored Hacking Is Evolving
What makes this campaign notable is not just who is behind it, but how they are operating. Russian state actors are choosing precision social engineering over brute-force technical attacks. This shift reflects a broader trend in sophisticated hacking operations: the most effective intrusions often bypass technology entirely and target people instead.
For everyday users, this is the most important takeaway. Your threat model may not include nation-state hackers specifically — but the techniques being used here are not exclusive to state actors. Protecting yourself against this kind of attack means developing healthy skepticism about unexpected messages, understanding what legitimate app support actually looks like, and treating your account credentials as the highest-value security assets they truly are.
The warning from Dutch intelligence is timely and important. The response to it should be practical and immediate.
