Dutch Intelligence Warns of Russian State-Sponsored Campaign Targeting Signal and WhatsApp Accounts
Dutch intelligence agencies have uncovered a large-scale Russian state-sponsored campaign targeting Signal and WhatsApp accounts of military, government, and journalist personnel, with some Dutch government employees already compromised.
Dutch intelligence agencies have issued a stark warning about a large-scale Russian state-sponsored campaign targeting the encrypted messaging accounts of military personnel, civil servants, journalists, and other high-value individuals. The joint advisory from the Dutch General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD), published on March 9, reveals that some Dutch government employees have already fallen victim to the operation.
The campaign specifically targets Signal and WhatsApp accounts, exploiting the very features that make these platforms popular among privacy-conscious users. Attackers are employing multiple techniques to hijack accounts, with the most common method involving impersonation of a 'Signal Support chatbot.' Victims receive unsolicited messages from the fake bot claiming suspicious activity on their account and requesting that they enter their SMS verification code or Signal PIN, a classic phishing tactic adapted for the messaging environment.
Signal has responded forcefully to the campaign, clarifying in a series of social media posts that its support team never initiates contact via in-app messages, SMS, or social media to ask for verification codes or PINs. 'If anyone asks for any Signal related code, it is a scam,' the company emphasized, noting that this warning is already displayed to users during initial signup. The attackers are also abusing the 'linked devices' feature in both Signal and WhatsApp, persuading victims to scan malicious QR codes or click on links that grant the attackers access to their accounts.
The Dutch intelligence services noted that Russian hackers were observed using similar techniques to spy on Ukrainian military and government officials last year, indicating a pattern of escalating cyber operations against adversaries. MIVD director Vice-Admiral Peter Reesink underscored the severity of the threat, stating that despite their end-to-end encryption, messaging apps like Signal and WhatsApp should not be used for classified, confidential, or sensitive information.
To help high-value users protect themselves, AIVD and MIVD have produced guidance on detecting account hijacking attempts. They advise users to check if contacts appear twice in group member lists, which could indicate a cloned account. If out-of-band verification proves inconclusive, group admins should remove both identical-looking accounts so the legitimate user can rejoin. The agencies also warned that attackers may change the display name of compromised accounts to 'Deleted account' to remain unnoticed in chat groups.
Ben Clarke, SOC manager at CybaVerse, noted that the informal use of platforms like WhatsApp means they are unlikely to have been audited by corporate IT security teams. 'Third party consumer-oriented platforms like Signal and WhatsApp are ultimately not developed with state-level usage in mind, and they lack the protocols and stringency that more bespoke systems are designed around,' he said. 'Attacking these third-party channels can be especially lucrative for state actors, who are able to dedicate the time and resources into crafting spear phishing campaigns that are tailored and highly relevant to small groups and specific individuals.'
The advisory serves as a critical reminder that even end-to-end encrypted messaging apps are vulnerable to social engineering and account hijacking, particularly when targeted by sophisticated nation-state actors with the resources to conduct large-scale, tailored phishing campaigns.