German Agencies Warn of Signal Phishing Attacks Targeting Politicians, Military, and Journalists

Germany’s Federal Office for the Protection of the Constitution (BfV), together with the Federal Office for Information Security (BSI), has issued a joint cybersecurity alert regarding an active phishing campaign abusing the Signal messaging platform.

According to the advisory, the campaign is attributed to a likely state-sponsored threat actor and is specifically aimed at politicians, military officials, diplomats, and investigative journalists across Germany and other European countries.

The agencies warned that unauthorized access to secure messaging accounts poses a serious risk, as it can expose sensitive private communications and potentially allow attackers to infiltrate entire professional networks.

Abuse of Legitimate Signal Features

Unlike conventional cyber attacks, this campaign does not rely on malware delivery or the exploitation of software vulnerabilities within Signal. Instead, attackers are misusing legitimate account recovery and device linking features to gain covert access to user accounts.

Threat actors initiate contact by impersonating Signal Support or posing as a chatbot named “Signal Security ChatBot.” Victims are pressured into sharing a PIN or SMS verification code, often under the false claim that failure to do so will result in data loss or account suspension.

Account Takeover Scenarios

If the targeted individual complies and shares the requested information, attackers can register the Signal account on a device under their control. This grants access to the victim’s profile details, settings, contacts, and block list.

While previously sent messages remain inaccessible, attackers can intercept future conversations and impersonate the victim by sending messages from the compromised account. The legitimate user, having lost access, is then instructed to register a new Signal account.

Device Linking Attack Variant

An alternative technique observed in the campaign abuses Signal’s device linking feature. In this scenario, victims are tricked into scanning a malicious QR code, which silently links the attacker’s device to the victim’s account.

This method enables access to up to 45 days of message history, contact lists, and ongoing conversations. Notably, victims often remain unaware of the compromise since they continue using their accounts normally.

Broader Messaging Platform Risk

German authorities cautioned that this attack model is not limited to Signal. Other messaging platforms, including WhatsApp, may also be susceptible due to similar implementations of device linking and two-step verification mechanisms.

The agencies emphasized that compromised messenger accounts can be leveraged to expand attacks through group chats, increasing the scale and impact of espionage operations.

Possible Threat Actor Links

Although the responsible actor has not been formally identified, German agencies noted similarities to past campaigns linked to Russia-aligned threat groups, including Star Blizzard, UNC5792, and UNC4221, as previously reported by Microsoft and Google Threat Intelligence teams.

In December 2025, a separate campaign known as GhostPairing was documented, where attackers abused WhatsApp device linking to hijack accounts for impersonation and fraud.

Recommended Defensive Measures

To reduce exposure, users are strongly advised to avoid interacting with unsolicited support accounts and never share Signal PINs or verification codes via messages.

Enabling Registration Lock is considered a critical protective step, as it prevents unauthorized account registration on new devices. Users should also routinely review linked devices and immediately remove any unknown or suspicious entries.

Wider European Cyber Threat Landscape

The advisory comes amid growing warnings across Europe. Norwegian authorities recently accused Chinese-linked hacking groups, including Salt Typhoon, of breaching multiple organizations by exploiting vulnerable network devices.

Norway also accused Russia of monitoring military and allied activities and Iran of conducting targeted surveillance against dissidents by compromising email accounts, social media profiles, and personal devices.

Separately, CERT Polska attributed cyber attacks on more than 30 wind and solar farms, along with a major heat and power plant, to a Russian state-linked group known as Static Tundra. Investigations revealed exposed FortiGate VPN interfaces lacking multi-factor authentication as a common weakness.
