Full Report
Dutch spies flag large-scale campaign to hijack secure messaging accounts Russian-linked hackers are trying to break into the Signal and WhatsApp accounts of government officials, journalists, and military personnel globally – not by cracking encryption, but by simply tricking people into handing over the keys.…
Analysis Summary
# Threat Actor: Unnamed Russian-linked Cyber Campaign
## Attribution & Identity
- **Actor Identification:** Russian-linked hackers (unspecified group).
- **Aliases:** None explicitly listed in the report, though the activity is attributed to Russian interests by Dutch intelligence.
- **Attribution:** Linked to Russian state interests by the Dutch General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD).
## Activity Summary
According to a March 2026 report by Dutch intelligence, a "large-scale" Russian cyber campaign is active globally. The operation focuses on account takeover (ATO) of secure messaging platforms rather than on technical attacks against the encryption protocols. The threat actors use social engineering, delivered through the messaging apps themselves, to deceive high-value targets into surrendering account access.
## Tactics, Techniques & Procedures
- **Social Engineering & Phishing:** Attackers contact targets directly via chat messages to solicit security verification codes or PINs.
- **Impersonation:** Attackers impersonate legitimate support entities, specifically a "Signal support bot," to request verification data.
- **Abuse of "Linked Devices":** Attackers abuse the feature that allows multiple devices to be connected to a single account. By linking a device they control to the victim's account, they can mirror messages in real time (MITRE ATT&CK T1098.005, Account Manipulation: Device Registration).
- **Session Hijacking/Account Takeover:** Once the six-digit verification code is obtained, the actor registers the account on a device they control, effectively bypassing end-to-end encryption by becoming the "legitimate" user.
## Targeting
- **Sectors:** Government, Defense, Media/Journalism.
- **Geography:** Global, with specific confirmation of activity in the Netherlands.
- **Victims:**
  - Dutch government employees.
  - Journalists.
  - Military personnel.
## Tools & Infrastructure
- **Malware:** Not applicable; the campaign relies on social engineering and native app features.
- **Platforms Exploited:** Signal and WhatsApp.
- **Infrastructure:** Use of deceptive chat profiles and bot accounts within the messaging ecosystems.
## Implications
This campaign demonstrates a shift from "hard" cryptographic attacks to "soft" human-centric exploitation. By gaining account access, Russian intelligence secures a "god-view" of private communications, group chats, and contact lists. This poses a severe strategic risk as officials often use these apps for informal but sensitive discussions, mistakenly believing the encryption protects them from account-level compromise.
## Mitigations
- **User Education:** Never share six-digit registration codes or security PINs with anyone, including entities claiming to be "support."
- **Two-Step Verification:** Enable an additional PIN/password (separate from the SMS code) to prevent unauthorized device registration.
- **Account Monitoring:** Regularly review "Linked Devices" in Signal and WhatsApp settings to ensure no unauthorized devices are connected.
- **Identify Indicators of Compromise (IoC):** Monitor for unusual account behavior, such as contacts appearing twice or numbers showing as "deleted account."
- **Policy Restrictions:** Official guidance from MIVD states that commercial messaging apps should not be used for classified or highly sensitive information.
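The lure described under Tactics, Techniques & Procedures (a chat that claims to be platform support and asks for the registration code or PIN) can be triaged with simple rules. The following is an added, illustrative example written for this summary, not code from the report or from Signal/WhatsApp; the sample messages and sender names are constructed, and the scoring thresholds are an assumption.

```python
import re

# Rule 1: the text asks the recipient to hand over a code or PIN. The report's
# guidance is that no legitimate party ever needs these, so any request is suspect.
CODE_REQUEST = re.compile(
    r"\b(send|share|reply with|enter|forward|give|provide|confirm)\b[^.?!]{0,40}?"
    r"\b(code|pin|verification code|one[- ]time code)\b", re.IGNORECASE)
# Rule 2: the sender (or the text) claims to be Signal/WhatsApp support or security,
# matching the "Signal support bot" impersonation in the report.
SUPPORT_CLAIM = re.compile(
    r"\b(signal|whatsapp)\b[^\n]{0,20}\b(support|security|team|bot|help)\b", re.IGNORECASE)

def score_message(sender: str, text: str) -> tuple[str, list[str]]:
    """Return (severity, reasons); severity is one of none, low, medium, high."""
    reasons = []
    if CODE_REQUEST.search(text):
        reasons.append("asks recipient to hand over a registration code or PIN")
    if SUPPORT_CLAIM.search(sender) or SUPPORT_CLAIM.search(text):
        reasons.append("claims to be platform support")
    if len(reasons) == 2:
        return "high", reasons          # impersonation plus code request: the campaign's lure
    if reasons and reasons[0].startswith("asks"):
        return "medium", reasons        # code request without an explicit support claim
    if reasons:
        return "low", reasons           # support claim alone; worth a second look
    return "none", reasons

def triage(messages: list[dict]) -> list[tuple[int, str, list[str]]]:
    """Return (id, severity, reasons) for every message scored above 'none'."""
    flagged = []
    for m in messages:
        severity, reasons = score_message(m["sender"], m["text"])
        if severity != "none":
            flagged.append((m["id"], severity, reasons))
    return flagged

# Constructed inbound messages (not real traffic) covering the lure and benign chat.
SAMPLE_MESSAGES = [
    {"id": 1, "sender": "Signal Support Bot", "text": "Your account needs verification. Reply with the 6-digit code we just sent you."},
    {"id": 2, "sender": "Alice", "text": "Are we still on for 10am?"},
    {"id": 3, "sender": "WhatsApp Security", "text": "Please share your two-step PIN to keep your account active."},
    {"id": 4, "sender": "Bob", "text": "Got the door code from facilities, will forward later."},
    {"id": 5, "sender": "Unknown", "text": "Can you send me the code you received? I mistyped my number."},
    {"id": 6, "sender": "+1 555 0100", "text": "Hi, this is the Signal team. Enter your PIN here to avoid suspension."},
]

if __name__ == "__main__":
    for msg_id, severity, reasons in triage(SAMPLE_MESSAGES):
        print(msg_id, severity, "; ".join(reasons))
```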