Russian state hackers are engaged in a large-scale global cyber campaign to gain access to Signal and WhatsApp accounts belonging to dignitaries, military personnel and civil servants, according to a warning issued Monday by the Netherlands' intelligence and military security agencies, the AIVD and MIVD.
The campaign reveals a fundamental security paradox: the very encryption that makes these apps attractive to officials provides no protection once an attacker gains account access. The goal isn't to defeat the apps' end-to-end encryption, but to take over the accounts themselves and quietly read whatever conversations are inside.
The attackers' method is remarkably straightforward. They approach targets directly via chats and persuade them to share security verification codes or PINs. In some cases, the attackers reportedly impersonate a Signal support bot to make the request look legitimate. The hackers can trigger those codes by starting the normal registration process using the target's phone number; Signal and WhatsApp automatically send a verification code to any number entered during account registration.
The campaign has already snared victims, including people working inside the Dutch government, and the Russian hackers have likely gained access to sensitive information. The Dutch services also believe that other persons of interest to the Russian government, such as journalists, may be targeted by this campaign.
Beyond impersonation, attackers employ a second technique that takes advantage of the 'linked devices' function within Signal and WhatsApp. Once an account has been successfully compromised, the hackers can read incoming messages, including messages in the victim's chat groups.
A critical insight from Dutch intelligence addresses a common misconception about encrypted messaging. The Russian campaign does not exploit any technical vulnerabilities of the messaging services; the attackers instead make malicious use of legitimate security features of the apps. According to AIVD Director-General Simone Smit, it is not the case that Signal or WhatsApp as a whole have been compromised; rather, individual user accounts are being targeted.
The campaign exposes a gap in government communications security. Officials favour these apps because they offer strong encryption, but intelligence agencies now warn this trust is misplaced for classified work. As MIVD Director Vice-Admiral Peter Reesink stated: "Despite their end-to-end encryption option, messaging apps such as Signal and WhatsApp should not be used as channels for classified, confidential or sensitive information."
To help users identify compromises, the AIVD and MIVD have published a Cyber Advisory explaining how to identify and respond to attacks. The advisory recommends that users check group chats for suspicious or duplicate accounts and warns that attackers may rename hijacked accounts, for example to "Deleted account", to avoid detection.
The Dutch cybersecurity advisory offers detailed guidance for users. The AIVD's official statement provides additional context on the campaign.
The campaign underscores a principle security professionals have long emphasised: encryption protects data in transit, not at rest. A message encrypted end-to-end gains no protection if an attacker can read it from an unlocked account. Governments relying on consumer messaging apps for sensitive communications now face an uncomfortable reckoning about the gap between theoretical security and operational reality.