Germany Suspects Russia Behind Signal Phishing Campaign Targeting Officials

Germany is treating a phishing campaign against Signal not as a routine cyber nuisance but as a national-security incident, with federal prosecutors examining alleged attacks on the messaging app since mid-February and working from an initial suspicion of espionage. Berlin now suspects Russia was behind the operation, which reached into the political class, the military and journalism, and may have exposed some of the most sensitive conversations in government.

The campaign worked by exploiting trust, not encryption. Targets received messages from a fake Signal security chatbot that warned of suspicious activity and pushed them to act immediately. If they entered a PIN or scanned a QR code, their Signal account could be linked to an external device controlled by the attackers. That would let intruders read old chats, monitor live conversations, and pull in address books and other stored data. Roughly 300 Signal accounts in the political sphere were compromised, according to Der Spiegel’s reporting based on government sources.

German authorities had already been warning about the threat. On February 6, the Bundesamt für Verfassungsschutz and the Federal Office for Information Security said a likely state-sponsored actor was using phishing over messaging apps, with high-ranking targets in politics, the military and diplomacy, along with investigative journalists in Germany and across Europe. The warning underscored a hard truth for officials who rely on encrypted apps for speed and discretion: the secure channel is only as strong as the person approving the login prompt.

The Netherlands then made the threat even more explicit. On March 9, Dutch intelligence services said Russian state hackers were running a large-scale global cyber campaign aimed at Signal and WhatsApp accounts belonging to dignitaries, military personnel, civil servants and some Dutch government employees. The agencies said the apps themselves were not being broken; the attack focused on individual accounts and on users who could be induced to surrender access through linked devices or verification credentials. The Dutch warning sharpened the picture of a cross-border intelligence operation aimed at political and military networks throughout Europe.

A separate warning from the FBI and CISA on March 20 said Russian intelligence-linked actors were targeting commercial messaging applications and had already compromised thousands of accounts worldwide. That broader context makes the German case look less like an isolated intrusion than part of a widening cyber front stretching from Germany to the Netherlands and beyond, with Ukraine, Moldova and the rest of Europe still squarely in the crosshairs. The message from Berlin and its allies is stark: secure communications can still be defeated by the oldest vulnerability in cybersecurity, the human being on the receiving end of the phishing lure.