German security agencies have issued a joint warning regarding a sophisticated phishing campaign on Signal that targets high-ranking political, military, and journalistic figures. The attack uses social engineering and deceptive device-linking tactics to hijack accounts, allowing state-sponsored actors to monitor communications and compromise broader professional networks.
German intelligence and cybersecurity offices recently alerted the public to a malicious campaign likely orchestrated by state-sponsored hackers targeting prominent individuals in diplomacy and the military. Unlike traditional cyberattacks that rely on malware or software bugs, this operation manipulates Signal's legitimate features to gain unauthorized access to private chats and contact lists. By posing as official support accounts or security chatbots, the attackers trick victims into revealing sensitive verification codes or scanning fraudulent QR codes.
Once a victim is deceived, the threat actors can register the account on their own hardware or link a secondary device to the profile. This allows them to intercept incoming messages and impersonate the user, often without the victim realizing their privacy has been breached. While the current focus remains on Signal, experts warn that similar techniques are easily adaptable to other platforms like WhatsApp, which utilize nearly identical registration and device-linking protocols.
Evidence suggests this activity aligns with tactics used by various Russia-linked threat groups that have previously targeted European infrastructure and government officials. Similar campaigns, such as the GhostPairing operation, have demonstrated how easily account-linking features can be weaponized for impersonation and fraud. These developments highlight a growing trend in which attackers rely on human error and social manipulation, rather than technical exploits, to get around modern encryption.
The warning arrives amidst a broader surge in state-sponsored cyber activity across Europe, involving intelligence efforts from China and Iran as well. Reports from Norway and Poland indicate that these actors are not only targeting individual communications but also infiltrating critical infrastructure and research institutions through vulnerable network devices. These coordinated efforts often aim to recruit human sources or monitor dissidents and military movements through digital surveillance.
To mitigate these risks, security officials urge users to enable registration locks and regularly audit their linked devices within messaging apps. They emphasize that legitimate support teams will never request a PIN or verification code via chat. As state actors continue to refine these intrusive methods, maintaining strict digital hygiene and skeptical communication habits remains the most effective defense against account takeovers.
Source: German Agencies Warn of Signal Phishing Targeting Officials and Media


