Russian-Linked Hackers Hijack Signal and WhatsApp Accounts to Spy on Officials and Journalists, Agencies Warn


Russian intelligence-linked hackers are breaking into Signal and WhatsApp accounts used by politicians, government staffers, military personnel, diplomats, and journalists, by tricking people, not cracking encryption.

U.S. and European agencies say the campaign has been ramping up since March, and it’s already working. The core lesson is blunt: end-to-end encryption can protect messages in transit, but it can’t save you if an attacker steals your account.

The operation relies on phishing: messages that impersonate tech support or a trusted contact to coax victims into handing over a one-time verification code or PIN. Once attackers get that code, they can register the account on a new device, lock the real user out, and read whatever the victim can see.

Dutch intelligence says the campaign is global, and already paying off

The Netherlands’ intelligence services, the AIVD (civilian intelligence) and MIVD (military intelligence), describe a worldwide effort targeting Signal and WhatsApp accounts belonging to high-value individuals, including Dutch government employees.

This isn’t random cybercrime, the agencies say. It’s espionage: tailored attacks aimed at people whose contact lists, group chats, and attachments can reveal sensitive relationships and real-world plans.

The Dutch services say the operation appears to have succeeded already, meaning attackers likely accessed sensitive information. They haven’t disclosed what was taken, but the playbook is familiar: pull chat histories, download attachments, map networks of contacts, and glean context about meetings and travel.

Signal’s strong reputation may be part of what makes it attractive. The more an app is viewed as “the safe one,” the more likely users are to trust messages that look like security prompts, and the more valuable the accounts become to a foreign intelligence service.

MIVD Director Vice Adm. Peter Reesink drew a hard line: even encrypted messaging apps are not appropriate channels for transmitting confidential or sensitive information. The risk isn’t the math behind encryption; it’s compromised phones, stolen accounts, and human error.

France warns of a surge in targeted account takeovers

France’s cyber crisis coordination center, known as C4, is also warning about a rise in campaigns aimed at instant-messaging accounts tied to political figures and senior administrators.

The shift is telling: attackers are going after digital identities more than software flaws. If they seize an account, they can dig through message history, or fully impersonate the victim and send messages as them.

That’s where the damage multiplies. Once inside, attackers can message the victim’s contacts in the right tone, with the right context, and push fresh malicious links. In ministerial offices, parliamentary teams, or newsrooms, that can mean quick access to group chats where work plans and sensitive details get shared.

“The trap is the message that looks routine, support, verification, urgency,” said Marc, a consultant who helps public organizations respond to incidents, in the French report. The attacker doesn’t need elite technical skills, he argues; they need to be socially convincing.

French officials also point to an organizational problem: many institutions have normalized WhatsApp and Signal for day-to-day coordination because they’re fast and ubiquitous, without strict rules. If these apps are allowed, they say, agencies need clear guardrails: what can’t be shared, how to verify requests outside the app, and regular training.

FBI and CISA: “Thousands” of accounts may already be compromised

In the U.S., the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), the federal government’s lead civilian cyber defense agency, issued a joint alert about actors tied to Russian intelligence targeting messaging app users, including Signal.

The advisory describes a straightforward strategy: don’t try to defeat encryption; bypass it by taking over the account. That means attacking people: their habits, their reflexes, and their willingness to respond to alarming prompts.

FBI Director Kash Patel said the campaign targets individuals of high intelligence value, including current and former government officials, members of the military, political figures, and journalists. He also said “thousands” of accounts may already have been hacked, underscoring an industrial-scale operation built on reusable phishing scripts and curated target lists.

Federal guidance is basic but effective: treat unexpected messages with suspicion, block and report suspicious accounts immediately, and turn on the security features the apps offer. One common lure, authorities say, is a fake account posing as “Signal Support” warning of a suspicious login and asking the user to reply with a verification code. Hand it over, and the attacker can take the account.

What worries investigators most is what comes next: a compromised account used as a launchpad to reach other high-value targets (advisers, press aides, colleagues, sources) in real time, right when decisions are being made and “urgent” messages are most likely to be trusted.

How phishing beats encryption: steal the code, steal the account

Officials across countries are emphasizing the same point: this is not a cryptographic break. The attackers are hunting verification codes, PINs, and other details that let them register an account on a new device.

The most common scenario looks like a security routine. A message claims someone tried to log in, offers a link, and asks the user to confirm a code received by text or inside the app. The victim thinks they’re locking things down, when they’re actually handing over the keys.

Signal has acknowledged it’s aware of targeted attacks that have led to account takeovers, including among public officials and journalists. So far, there’s been no public claim of a major software vulnerability driving the campaign, reinforcing the view that social engineering is doing the heavy lifting.

The fallout can be immediate and personal: a journalist’s compromised account can expose sources; a lawmaker’s can reveal internal strategy; a military member’s can leak schedules and movements. And even when nothing “classified” is shared, the accumulated context (who’s meeting whom, where, and when) can be enough for an adversary to act.

Why Russian-linked spies are targeting WhatsApp and Signal now

WhatsApp and Signal are attractive for the same reason banks attract robbers: that’s where the value is. WhatsApp is dominant in many countries, and Signal is often the go-to when people want a more security-focused option, especially among officials, activists, and reporters.

Dutch intelligence also points to a real-world weakness: these apps are used on the move (in airports, trains, taxis, hallways), often with notifications popping up on screens in public. Theoretical security collides with everyday behavior.

Agencies keep repeating the boundary: don’t use these apps for classified information. But in practice, the line between “unclassified” and “sensitive” can blur fast when details pile up: participant lists, meeting locations, timelines, travel plans.

The warnings from the Netherlands, France, and the United States land on the same conclusion: this is a cross-border espionage campaign built for speed and scale, and it spreads through human trust. The defense, officials say, has to be just as coordinated, because contact lists and group chats don’t stop at national borders.

Key Takeaways

  • Dutch, French, and U.S. authorities attribute the campaign to actors linked to Russian intelligence.
  • The attacks use phishing to steal verification codes and PINs, not a flaw in the encryption.
  • Thousands of accounts are believed to have already been compromised, with a risk of spreading through victims' contacts.
  • Priority targets include public officials, military personnel, diplomats, and journalists in multiple countries.
  • The agencies recommend blocking and reporting suspicious messages and enabling security options.

Frequently Asked Questions

Has Signal’s and WhatsApp’s end-to-end encryption been broken?

Public advisories describe a campaign focused on phishing and account takeovers. The idea is to trick people into handing over verification codes or PINs through deceptive messages, which lets attackers access the account without breaking encryption.

Who is being targeted by this Russia-attributed campaign?

Authorities cite high-intelligence-value targets, including current or former government officials, military personnel, political figures, diplomats, and journalists, across multiple countries.

What is the most commonly cited example of a fraudulent message?

An account posing as support—for example, “Signal Support”—warns about a suspicious login and asks the user to send back a verification code. If the victim shares that code, the attacker can take over the account.

What do the FBI and CISA recommend in response to these attacks?

They recommend being wary of messages from unknown senders, blocking and reporting them, and enabling the security features offered by messaging apps to reduce the risk of account takeover.

Michel Gribouille
I'm Michel Gribouille, a jack-of-all-trades writer and master of the keyboard on my site europe-infos.fr. I juggle current events and a variety of topics, always with a touch of humor and an insatiable curiosity. Serious when I need to be, but never boring, I like to make my articles as lively as my morning coffee!