Russian State-Backed Hackers Target WhatsApp and Signal Accounts in Global Espionage Campaign
Russian state-linked cyber actors have launched a large-scale campaign to hijack WhatsApp and Signal accounts, primarily targeting government officials, military personnel, diplomats, and journalists. The attacks, first detected in late 2024, exploit trusted features of the messaging platforms rather than vulnerabilities in their encryption.
For WhatsApp, hackers trick victims into scanning a malicious QR code or clicking a link under the guise of joining a group. Instead of adding the user to a chat, the action grants attackers full access to the account, allowing them to read messages without the victim noticing. On Signal, attackers impersonate the platform’s "Security Support" chatbot and convince users to share SMS verification codes, which lets the attackers register the victim’s account on their own device.
Dutch intelligence agencies (MIVD and AIVD) confirmed the campaign’s origins, warning that high-value targets, including journalists from German outlets like Zeit, Correctiv, and netzpolitik.org, have been compromised since at least November 2024. Neither WhatsApp’s nor Signal’s underlying security was breached; the attacks rely on social engineering to bypass protections.
Swiss authorities, including the Federal Intelligence Service (SRC), noted the campaign reflects a broader shift toward mobile-focused espionage. The Swiss federal administration mandates Threema Work for sensitive communications but does not outright ban WhatsApp on official devices. However, officials emphasize caution with unsolicited messages, as legitimate services like Signal will never request verification codes or PINs via in-app messages.
The incidents underscore the growing threat to widely used encrypted platforms, particularly when attackers exploit human trust rather than technical flaws.
Source: https://www.blick.ch/fr/monde/cyberattaque-la-russie-pirate-whatsapp-et-signal-id21776412.html
WhatsApp cybersecurity rating report: https://www.rankiteo.com/company/whatsapp.
Signal Messenger cybersecurity rating report: https://www.rankiteo.com/company/signal-messenger
"id": "WHASIG1773347242",
"linkid": "whatsapp., signal-messenger",
"type": "Cyber Attack",
"date": "11/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Government',
'location': 'Global',
'name': 'Government Officials',
'type': 'Individuals'},
{'industry': 'Defense',
'location': 'Global',
'name': 'Military Personnel',
'type': 'Individuals'},
{'industry': 'Diplomacy',
'location': 'Global',
'name': 'Diplomats',
'type': 'Individuals'},
{'industry': 'Media',
'location': 'Global (including Germany: *Zeit*, '
'*Correctiv*, *netzpolitik.org*)',
'name': 'Journalists',
'type': 'Individuals'}],
'attack_vector': ['Social Engineering',
'Malicious QR Codes',
'Phishing (Impersonation of Support Chatbot)'],
'customer_advisories': 'Users advised to verify unsolicited requests for '
'verification codes or QR scans and enable two-step '
'verification.',
'data_breach': {'sensitivity_of_data': 'High (government, military, '
'diplomatic, journalistic '
'communications)',
'type_of_data_compromised': 'Messaging account access, '
'confidential communications'},
'date_detected': '2024-11',
'date_publicly_disclosed': '2024',
'description': 'Russian state-linked cyber actors have launched a large-scale '
'campaign to hijack WhatsApp and Signal accounts, primarily '
'targeting government officials, military personnel, '
'diplomats, and journalists. The attacks exploit trusted '
'features of the messaging platforms rather than '
'vulnerabilities in their encryption. For WhatsApp, hackers '
'trick victims into scanning a malicious QR code or clicking a '
'link to grant attackers full access to the account. On '
"Signal, attackers impersonate the platform’s 'Security "
"Support' chatbot to obtain SMS verification codes and "
'register the victim’s account on their own device.',
'impact': {'brand_reputation_impact': 'Erosion of trust in encrypted '
'messaging platforms',
'data_compromised': 'Messaging account access, sensitive '
'communications',
'identity_theft_risk': 'High (account takeover)',
'operational_impact': 'Compromised confidential communications for '
'government, military, and media personnel',
'systems_affected': ['WhatsApp', 'Signal']},
'initial_access_broker': {'entry_point': ['Malicious QR codes',
"Impersonation of Signal's "
"'Security Support' chatbot"],
'high_value_targets': ['Government officials',
'Military personnel',
'Diplomats',
'Journalists']},
'investigation_status': 'Ongoing',
'lessons_learned': 'Encrypted messaging platforms are vulnerable to social '
'engineering attacks despite strong technical protections. '
'Users must verify unsolicited requests for verification '
'codes or QR scans, even from seemingly legitimate '
'sources.',
'motivation': 'Espionage',
'post_incident_analysis': {'root_causes': 'Exploitation of human trust via '
'social engineering (QR codes, '
'phishing) rather than technical '
'vulnerabilities in WhatsApp or '
'Signal.'},
'recommendations': ['Avoid scanning unsolicited QR codes or clicking links in '
'messages.',
'Never share SMS verification codes or PINs with anyone, '
'including in-app support chatbots.',
'Use platforms like Threema Work for highly sensitive '
'communications where mandated.',
'Enable additional security features (e.g., two-step '
'verification) on messaging apps.',
'Educate high-risk users (government, military, media) on '
'social engineering tactics.'],
'references': [{'source': 'Dutch Intelligence Agencies (MIVD, AIVD)'},
{'source': 'Swiss Federal Intelligence Service (SRC)'},
{'source': 'German Media Outlets (*Zeit*, *Correctiv*, '
'*netzpolitik.org*)'}],
'response': {'communication_strategy': 'Advisories issued by Dutch (MIVD, '
'AIVD) and Swiss (SRC) intelligence '
'agencies'},
'stakeholder_advisories': 'Dutch and Swiss intelligence agencies have issued '
'warnings to government and high-risk individuals.',
'threat_actor': 'Russian State-Backed Hackers',
'title': 'Russian State-Backed Hackers Target WhatsApp and Signal Accounts in '
'Global Espionage Campaign',
'type': 'Espionage, Account Hijacking'}