Dutch spies warn Russian hackers hijack Signal and WhatsApp accounts

The Netherlands’ civilian and military intelligence services issued a joint warning on March 9 that a large-scale, state-linked Russian cyber operation is actively seizing Signal and WhatsApp accounts worldwide, with explicit targeting of Dutch government officials, military personnel and journalists. The advisory says the campaign uses social-engineering and platform features to bypass end-to-end encryption and gain full control of individual accounts.

Simone Smit, Director-General of the AIVD, emphasized the nature of the threat: "It is not that Signal or WhatsApp as applications are compromised. The threat is directed at accounts of individual users." The MIVD, led by Vice Admiral Peter Reesink, warned that, despite encryption protections, "despite end-to-end encryption, chat apps like Signal and WhatsApp are not suitable for classified or sensitive information."

The agencies described several account-takeover techniques. Hackers impersonate Signal support chatbots to obtain verification and PIN codes, and they exploit WhatsApp’s linked-devices feature to add rogue devices for remote surveillance. Security researchers have also flagged phishing campaigns that deliver fake QR codes for Signal group invites; these illegitimate QR codes can embed JavaScript and enable man-in-the-middle activity to join groups or add unauthorized devices. Once access is obtained, attackers can read messages, participate in group chats undetected and even rename accounts, for example to "Deleted account", to conceal their presence.

Dutch intelligence named a threat actor called Laundry Bear as responsible for prior intrusions and linked it to the broader campaign. The agencies described Laundry Bear as extremely likely to be Russian state supported and said the group is seeking information about Western purchase and production of military equipment and weapons deliveries to Ukraine. Dutch authorities previously disclosed that hackers broke into a police account last year and accessed work-related contact details of all Dutch police officers, an incident that the agencies said sent shockwaves through the force.

Technical corroboration of the methods comes from Google’s threat intelligence work, which identified several Russian-backed clusters targeting messaging apps. Google reportedly tied groups UNC5792, UNC4221 and Sandworm to Signal targeting, and Star Blizzard, also known as UNC4057, to WhatsApp-linked device abuse. Dutch agencies and private analysts say the focus on Signal stems from its reputation and adoption by governments and the Ukrainian military since 2023.

To blunt the campaign, AIVD and MIVD issued concrete mitigation steps: check group chats for suspicious or duplicate accounts; verify any unusual accounts by email or phone; report concerns to your organization’s IT security team; remove compromised accounts from group chats; and remove non-legitimate accounts that enter a group via a captured group link. AIVD chief Erik Akerboom, discussing the decision to expose technical methods used by the attackers, said the disclosure had strategic value: "This limits Laundry Bear’s chances of success and digital networks can be better protected." He added, "This increases our national resilience."

The advisory underscores a shift in espionage: attackers are exploiting convenience and help features built into secure apps rather than cryptographic flaws. For officials, journalists and others handling sensitive material, the Dutch agencies’ guidance is clear: treat consumer messaging apps as vulnerable at the account level and move classified communications to approved, compartmentalized channels.