Portugal Intelligence Issues Rare Warning on Signal and WhatsApp Hacking Campaign
Portugal's spy agency warned foreign state-backed hackers are targeting officials' encrypted messaging accounts through social engineering, not by breaking encryption.

Portugal's national intelligence service issued a rare public warning Wednesday that foreign state-backed hackers have launched a global campaign to seize control of government officials' WhatsApp and Signal accounts, exploiting human behavior rather than any flaw in the apps' encryption.
The Serviço de Informações de Segurança, known as SIS, said the campaign targets "government officials, diplomats, military personnel, and civil society members with access to privileged information from Portugal and allied countries." The warning, issued from Lisbon on March 11, is notable for its public nature: SIS rarely issues open statements on active intelligence threats.
The attackers, SIS said, seek to trick users "into sharing sensitive data, such as passwords" to gain access to individual and group chats and shared files. The agency was careful to note the attacks "do not mean that WhatsApp or Signal have been compromised," though it did not rule out the possibility. Rather, SIS said hackers are "exploiting potential careless use by individuals relying on the end-to-end encryption of the two applications" — a warning that the apps' strong security reputation may itself be the vulnerability, lulling users into lower vigilance.
SIS did not identify which foreign state is responsible. Dutch intelligence agencies, however, were less guarded. The AIVD and MIVD, the Netherlands' civilian and military intelligence services, separately confirmed a parallel global campaign and attributed it to Russian-backed hackers.
The technical mechanics of the campaign are deceptively simple. Attackers push targets to click a link or scan a QR code that silently adds the attacker's device to the victim's account through the "linked devices" feature built into both Signal and WhatsApp. The victim continues using their account normally while the attacker reads messages in real time, with few obvious signs that anything is wrong. Verification codes, PINs, and device-linking functions are all exploited in variations of the attack, none of which require breaking the apps' end-to-end encryption.

Security researchers at Malwarebytes, who reported the Dutch agencies' findings a day before the SIS statement, described the methods as "not technically sophisticated" and warned they "can easily be copied by non-state actors or ordinary cybercriminals." The campaign, the firm noted, "relies entirely on human behavior."
The practical countermeasures are equally straightforward. Users should only scan QR codes or click device-linking prompts when they have initiated the process themselves from within the app's own settings. Any message that asks a user to "verify your device" or "secure your data" through an external link or QR code should be treated as a social-engineering lure. Both Signal and WhatsApp allow users to review all linked devices in their account settings; security guidance recommends doing so regularly and removing any device that is not recognized. Unusual group memberships, duplicate contacts, or entries showing "deleted account" may also indicate that an account has been silently compromised.
SIS said it issued the alert in part "to help the public prepare for cyberattacks," a signal that officials view the threat as extending well beyond the halls of government. With methods this accessible, the concern is not only that state actors are using them now, but that the playbook is already available to anyone willing to try.

