Germany's top security agencies have issued an urgent warning about sophisticated phishing attacks targeting high-profile users of the Signal messaging app. The campaign, believed to be orchestrated by state-sponsored actors, specifically focuses on politicians, military personnel, diplomats, and investigative journalists across Germany and Europe.

The Growing Threat to Secure Communications

The Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz or BfV) and the Federal Office for Information Security (BSI) have jointly released an advisory highlighting a particularly insidious attack method that doesn't rely on malware or software vulnerabilities. Instead, threat actors are exploiting the legitimate features of Signal itself to gain unauthorized access to users' private communications and contact networks.

"The focus is on high-ranking targets in politics, the military, and diplomacy, as well as investigative journalists in Germany and Europe," the agencies stated. "Unauthorized access to messenger accounts not only allows access to confidential private communications but also potentially compromises entire networks."

How the Attack Works

The attack methodology demonstrates sophisticated social engineering tactics. Threat actors impersonate Signal support staff or create fake support chatbots named "Signal Security ChatBot" to initiate direct contact with potential victims. These impersonators then pressure targets into providing their Signal PIN or SMS verification codes, warning them of imminent data loss if they fail to comply.

Once a victim shares their PIN, the attackers can register the account on a device under their control. This grants them access to the victim's profile settings, contact lists, and block lists. While the stolen PIN doesn't provide access to historical conversations, it enables attackers to intercept all incoming messages and send messages while impersonating the victim.

The legitimate account holder loses access to their account and is subsequently instructed by the fake support bot to register for a new account, often without realizing they've been compromised.

Alternative Attack Vector: Device Linking

German authorities have also identified a second attack method that exploits Signal's device linking functionality. In this scenario, victims are tricked into scanning a QR code that links their account to a device controlled by the attackers. This method is particularly dangerous because it grants access to the victim's messages from the previous 45 days, and crucially, the victim continues to have access to their account without immediately realizing it has been compromised.

This stealth approach allows threat actors to conduct long-term surveillance of their targets' communications and social networks without detection.
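For teams triaging reported lures, the following added example (not part of the advisory or of Signal's code) classifies the text decoded from a suspicious QR code and flags payloads that would link a new device rather than join a group or open a contact. The URI forms it recognizes (`sgnl://linkdevice` and the older `tsdevice:` scheme with `uuid` and `pub_key` parameters, plus `signal.group` and `signal.me` links) are assumptions drawn from Signal's open-source clients, and all sample payloads are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# URI forms are assumptions based on Signal's open-source clients,
# not details given in the BfV/BSI advisory.
def is_device_link(uri: str) -> bool:
    """True if the URI asks the Signal app to link a new device."""
    parts = urlsplit(uri.strip())
    params = parse_qs(parts.query)
    if not {"uuid", "pub_key"} <= params.keys():
        return False
    scheme = parts.scheme.lower()
    return scheme == "tsdevice" or (
        scheme == "sgnl" and parts.hostname == "linkdevice")

def classify_qr_payload(payload: str) -> str:
    """Label a decoded QR string by what scanning it would do."""
    if is_device_link(payload):
        return "device-link"
    parts = urlsplit(payload.strip())
    if parts.scheme.lower() in ("http", "https"):
        # A lure page may carry the linking URI percent-encoded in a
        # query parameter; parse_qs returns the decoded values.
        for values in parse_qs(parts.query).values():
            if any(is_device_link(v) for v in values):
                return "wrapped-device-link"
        if parts.hostname == "signal.group":
            return "group-invite"
        if parts.hostname == "signal.me":
            return "contact-link"
    return "other"

# Constructed sample payloads; identifiers and keys are placeholders.
SAMPLES = {
    "lure-1": "sgnl://linkdevice?uuid=PLACEHOLDER&pub_key=PLACEHOLDER",
    "lure-2": "tsdevice:/?uuid=PLACEHOLDER&pub_key=PLACEHOLDER",
    "lure-3": "https://example.invalid/join?next="
              "sgnl%3A%2F%2Flinkdevice%3Fuuid%3DX%26pub_key%3DY",
    "group": "https://signal.group/#PLACEHOLDER",
    "contact": "https://signal.me/#eu/PLACEHOLDER",
    "site": "https://example.invalid/about",
}

def needs_escalation(payloads: dict) -> list:
    """Names of payloads that would add a linked device to the account."""
    return [name for name, p in payloads.items()
            if classify_qr_payload(p).endswith("device-link")]

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:8} {classify_qr_payload(payload)}")
```

A QR code that only points at an ordinary web page is labelled "other" here, so a page that issues the linking URI after a redirect still needs manual review.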

Broader Implications and Similar Threats

Security experts warn that while Signal is currently the primary focus, the attack methodology can be easily adapted to target WhatsApp users, as the platform incorporates similar device linking and PIN features as part of its two-step verification system.

"Successful access to messenger accounts not only allows confidential individual communications to be viewed, but also potentially compromises entire networks via group chats," BfV and BSI emphasized in their joint statement.

Historical data suggests multiple Russia-aligned threat groups have employed similar tactics. Microsoft and Google Threat Intelligence Group have previously documented campaigns by groups tracked as Star Blizzard, UNC5792 (UAC-0195), and UNC4221 (UAC-0185) using comparable techniques.

Additionally, Gen Digital reported in December 2025 on a campaign codenamed GhostPairing, where cybercriminals exploited WhatsApp's device linking feature to hijack accounts for impersonation and fraud purposes.

Protection Measures

German authorities recommend several critical security measures to protect against these attacks:

  • Never engage with support accounts - Signal support will never contact users directly through the app
  • Never share your Signal PIN - Legitimate support staff will never ask for PINs or verification codes
  • Enable Registration Lock - This crucial feature prevents unauthorized users from registering your phone number on another device
  • Review linked devices regularly - Periodically check your linked devices list and remove any unknown or suspicious entries

The Broader Geopolitical Context

This warning comes amid heightened concerns about state-sponsored cyber operations targeting European infrastructure and officials. Norway recently accused Chinese hacking groups, including Salt Typhoon, of compromising multiple organizations by exploiting vulnerable network devices. The Norwegian Police Security Service (PST) also highlighted systematic attempts by Chinese intelligence services to recruit Norwegian nationals to access classified information.

Meanwhile, CERT Polska attributed coordinated attacks on Polish energy infrastructure—including wind farms, photovoltaic facilities, and power plants—to the Russian nation-state group Static Tundra, which exploited poorly secured FortiGate VPN devices.

Conclusion

The German agencies' warning underscores the evolving nature of cyber threats, where sophisticated attackers are increasingly targeting secure communication platforms not through technical exploits, but through social engineering and abuse of legitimate features. As encrypted messaging apps become essential tools for journalists, politicians, and other high-value targets, vigilance and adherence to security best practices have never been more critical.

Organizations and individuals alike must recognize that no platform is immune to compromise when users can be manipulated into handing over access credentials. The human element remains the weakest link in even the most secure systems.

Source: The Hacker News - German Agencies Warn of Signal Phishing Targeting Politicians, Military, Journalists