Signal, the end-to-end encrypted messaging app, has a reputation as a secure platform, which has made it a go-to tool for security experts, government and political officials, and journalists. But that same reputation, according to German agencies, is now being weaponised.
Last week, a group of regulatory bodies in the country warned of phishing attacks aimed at high-profile users.
"The Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) have received recent intelligence indicating that a likely state-controlled cyber actor is conducting phishing attacks via messaging services such as 'Signal.' The targets are high-ranking individuals in politics, the military, and diplomacy, as well as investigative journalists in Germany and Europe," the agencies said in a blog post on Friday.
What makes this campaign more worrying is how little technical sophistication it needs. According to reporting from The Hacker News, there’s no malware involved and no vulnerability in Signal’s encryption. Instead, attackers impersonate “Signal Support” or a fake “Signal Security ChatBot,” contacting targets directly and urging them to hand over a PIN or verification code sent via SMS. The message often warns of imminent data loss if the request is ignored.
If a victim complies, the attackers can register the account, gaining access to contacts, settings, and future messages, and can even send messages posing as the victim. Past chats remain inaccessible, but the damage is still significant. As the agencies put it: “Unauthorised access to messenger accounts not only allows insight into confidential individual communications, but potentially the compromise of entire networks.”
In certain cases, the attackers take a more silent route. Victims are tricked into scanning a QR code using Signal’s device linking feature. This gives the attacker access for about 45 days, while the victim continues to use the app, unaware their activity is being monitored.
This shift in tactics hints at a broader pattern in state-aligned cyber operations. Rather than burning valuable exploits, attackers are increasingly abusing legitimate features and human trust. Signal appears to be the main focus for now, but German authorities warn the same techniques could easily be adapted for WhatsApp, which uses similar PIN and device-linking systems.
While Berlin hasn’t publicly named the group behind the campaign, similar methods have previously been linked to Russia-aligned actors such as Star Blizzard and UNC4221. Other governments are seeing related activity. Norway recently accused Chinese and Russian cyber units of targeting critical infrastructure, military networks, and research institutions, while Poland warned of attacks on energy facilities via exposed VPN systems.
Here is how to stay safe
The immediate takeaway for users is straightforward. Signal support will never ask for your PIN. Enabling registration lock, checking linked devices regularly, and ignoring unsolicited “support” messages can shut down this attack entirely.
