Dutch Intelligence Warns of Signal and WhatsApp Account Hijacking Attacks Targeting Officials and Journalists

Home » News
Yash Shield
News
Reading time icon 5 min. read

Calendar icon Published on

Dutch intelligence agencies have issued a warning about an ongoing phishing campaign that attempts to hijack Signal and WhatsApp accounts. The attacks reportedly target government officials, military personnel, journalists, and other individuals who may handle sensitive information.

According to the Netherlands Defence Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD), attackers use social engineering and phishing tactics to trick victims into revealing authentication codes or linking their accounts to attacker-controlled devices. Once attackers gain access, they can monitor messages, impersonate victims, and potentially obtain confidential information.

Authorities believe the campaign is linked to Russian state-sponsored hacking groups, highlighting the growing interest in compromising encrypted messaging platforms used by government and media organizations.

The intelligence agencies say the attacks do not exploit weaknesses in Signal or WhatsApp encryption. Instead, attackers manipulate legitimate authentication features and rely on deception to gain access to accounts.

Signal confirmed that it is aware of the phishing activity and warned users to remain cautious when receiving messages that request verification codes or account credentials.

How the Signal phishing attack works

One of the primary techniques used in the campaign involves impersonating official support services.

Attackers send phishing messages that appear to come from a “Signal Security Support Chatbot.” The message claims suspicious activity has been detected on the victim’s account and asks the user to complete a verification process.

The victim then receives an SMS verification code. The phishing message instructs the user to send that code back to the attacker. Once the attacker receives the code and the user’s Signal PIN, they can register the account on their own device and take full control.

This method allows attackers to:

  • Register the victim’s Signal account on another device
  • Change the phone number linked to the account
  • Access contacts and incoming messages
  • Monitor group conversations
  • Send messages while impersonating the victim

Dutch intelligence officials warned that victims may not immediately realize their account was compromised.

Signal stores chat history locally on the device. If a victim creates a new account using the same phone number, the old messages may still appear on the device. This can create the impression that nothing unusual happened, even though attackers may still have access.

QR code device-linking attacks on messaging apps

A second technique identified in the advisory abuses the device-linking feature available in both Signal and WhatsApp.

This feature normally allows users to connect additional devices such as laptops or tablets so they can access messages across multiple platforms.

Attackers send victims a malicious QR code or a link that appears to invite them to join a chat group or connect with another user. When the victim scans the code, it silently links the attacker’s device to the victim’s messaging account.

Unlike full account takeovers, victims usually remain logged into their accounts. This makes the attack more difficult to detect.

Once linked, attackers may be able to:

  • Read incoming messages in real time
  • Access parts of the chat history
  • Monitor group chats
  • Send messages from the victim’s account

Security researchers say this method has become increasingly popular because it relies entirely on legitimate app functionality.

Example of Signal phishing campaign Source: Signal

Messaging phishing campaigns are increasing

Phishing attacks targeting messaging platforms have grown in recent years. Threat actors often focus on applications like Signal and WhatsApp because they are widely used by journalists, government officials, activists, and corporate executives.

Security reports from multiple organizations previously documented similar campaigns that abused device-linking features to spy on victims’ communications.

In some cases, attackers distribute malicious QR codes through email, social media messages, or fake support notifications.

The Dutch intelligence agencies said the current campaign demonstrates how phishing and social engineering remain effective even when communication platforms use strong encryption.

Signs that a messaging account may be compromised

Users should watch for suspicious activity that may indicate unauthorized access.

Common warning signs include:

  • Unexpected login notifications
  • Unknown linked devices in account settings
  • Messages sent from the account without the user’s knowledge
  • Verification code requests that were not initiated by the user

Regularly checking linked devices and removing unknown sessions can help prevent long-term account monitoring.

Security recommendations from Dutch intelligence agencies

The MIVD and AIVD released several recommendations to help users protect their messaging accounts.

Key precautions include:

  • Never share SMS verification codes or account PINs with anyone
  • Avoid scanning QR codes from unknown sources
  • Verify suspicious messages through another trusted communication channel
  • Regularly check linked devices and remove unfamiliar ones
  • Avoid sharing sensitive or classified information on messaging platforms unless approved

Users who believe their account may be compromised should immediately log out of unknown devices and enable additional security settings where available.

Quick comparison of the attack methods

Attack methodHow it worksPotential impact
Phishing verification codeVictim sends SMS code and PIN to attackerFull account takeover
Device linking QR codeVictim scans malicious QR codeAttacker reads messages and monitors chats
Social engineering messagesFake support messages or alertsVictim unknowingly grants access

Key security practices for Signal and WhatsApp users

  • Enable additional account security features such as PIN protection
  • Avoid interacting with unsolicited support messages
  • Confirm unexpected requests with the official service
  • Check linked devices frequently
  • Update messaging apps regularly

FAQ

Are Signal and WhatsApp encryption systems compromised?

No. Security agencies say the encryption and infrastructure of both platforms remain secure. The attacks rely on phishing and social engineering rather than technical vulnerabilities.

Who is being targeted in these attacks?

The campaign primarily targets government officials, military personnel, journalists, and individuals who may handle sensitive communications.

How can attackers access messages without hacking the apps?

Attackers trick victims into sharing authentication codes or scanning malicious QR codes that link the attacker’s device to the victim’s account.

Can attackers read old messages?

Access depends on the method used. Device-linking attacks may allow monitoring of conversations and sometimes partial chat history.

Yash

Yash Shield

I am a Business Analytics student with a strong interest in publishing well-researched and data-driven news articles. I focus on analyzing trends in business, finance, and technology to create clear, accurate, and engaging content for readers. I enjoy transforming complex data and information into simple, meaningful stories that help audiences understand current developments. With analytical thinking and attention to detail, I aim to deliver credible and insightful news that adds real value to readers.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages