
Germany Warns of Signal Phishing Attacks Targeting Politicians, Military, Journalists

  • Feb 7

Key Findings:


  • German security agencies BfV and BSI have issued a joint advisory warning of a malicious cyber campaign targeting high-ranking individuals in politics, military, diplomacy, and investigative journalism in Germany and Europe.

  • The campaign involves phishing attacks over the Signal messaging app, aiming to gain unauthorized access to victims' accounts and compromise their confidential communications.

  • The attacks do not involve malware or technical vulnerabilities, but instead leverage legitimate features of Signal to steal access credentials and hijack accounts.

  • Two attack variants have been observed: one performs a full account takeover, and the other pairs the account with the attacker's device to monitor chat activity.


Background


The German Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI) have identified a cyber threat campaign targeting high-profile individuals across various sectors in Germany and Europe. The threat actors are suspected to be state-sponsored, though their exact origins remain unclear.


The campaign focuses on gaining access to the Signal messaging accounts of politicians, military officials, diplomats, and investigative journalists through phishing attacks. Rather than exploiting technical vulnerabilities, the attackers leverage the legitimate features of Signal to steal credentials and hijack accounts.


Account Takeover Attacks


In one variant of the attack, the threat actors impersonate the Signal support team and send victims a fake security warning. They then trick the targets into sharing their Signal PIN or an SMS verification code, which allows the attackers to register the account to a device they control. This results in the original user being locked out of their own account.


Device Linking Attacks


The second attack method abuses Signal's device linking functionality, which allows adding an account to multiple devices. The attackers convince the victim to scan a QR code, which pairs the account with a device managed by the threat actors. This grants them access to the victim's chats and contacts without raising any alarms, as the original user retains access to the account.


Potential Expansion to WhatsApp


The security authorities warn that while the current focus of the campaign appears to be Signal, the attack techniques could also be extended to WhatsApp, as it incorporates similar device linking and PIN-based security features.


Threat Actor Attribution


While the identity of the threat actors behind this campaign is not definitively known, similar attacks have been attributed to Russia-aligned hacking groups such as Sandworm, UNC5792, and UNC4221 in the past.


Recommended Mitigations


To protect against these attacks, users are advised to:


  • Avoid engaging with alleged Signal support accounts and never share PIN codes or verification codes.

  • Enable the "Registration Lock" feature in Signal to prevent unauthorized account registration.

  • Regularly review the list of linked devices and remove any unrecognized devices.

  • Be cautious when scanning QR codes or linking devices to Signal or other messaging apps.


The German authorities emphasize the importance of these measures, as successful account compromises can not only expose sensitive personal communications, but also potentially jeopardize entire professional networks.


Sources


  • https://thehackernews.com/2026/02/german-agencies-warn-of-signal-phishing.html

  • https://www.bleepingcomputer.com/news/security/germany-warns-of-signal-account-hijacking-targeting-senior-figures/

  • https://www.wilderssecurity.com/threads/germany-warns-of-signal-account-hijacking-targeting-senior-figures.459175/

  • https://www.reddit.com/r/cybersecurity/comments/1qxjuac/statebacked_phishing_attacks_targeting_military/
