Russian state hackers are running a global campaign to hijack Signal and WhatsApp accounts belonging to government officials, military personnel, and civil servants. Intelligence agencies across Europe and North America have issued coordinated warnings — but the encryption protecting your messages isn’t the problem.
The Dutch intelligence services MIVD and AIVD published a detailed advisory on March 9, 2026, followed by a joint warning from the FBI and CISA on March 24. The message is consistent: this is a large-scale, easily scalable social engineering operation. And it’s working.
How the Attacks Work
The hackers aren’t breaking Signal’s encryption or exploiting software vulnerabilities. They’re exploiting people.
Fake support chatbots. Attackers impersonate Signal Support in chat conversations, tricking targets into revealing verification codes. Once you hand over that six-digit code, they can take over your account from their own device.
Malicious linked devices. Both Signal and WhatsApp allow you to link additional devices via QR code. Attackers send malicious QR codes through phishing messages or compromised contacts. Scan one, and your messages start flowing to an attacker-controlled device without any visible warning.
SMS interception. The standard login flow sends a verification code via SMS. Attackers trigger a login attempt using your phone number, then use social engineering to convince you to share the code you receive. They might pose as support staff, a trusted contact, or even someone already in your group chats.
As Dutch intelligence officials emphasized: “It is not the case that Signal or WhatsApp as a whole have been compromised. Individual user accounts are being targeted.”
Who Is Being Targeted
The primary targets include Dutch government employees, diplomats, military personnel, and civil servants. But the FBI and CISA warnings make clear this isn’t limited to the Netherlands. The same tactics are being deployed globally against anyone of interest to Russian intelligence.
Journalists, researchers, activists, and executives at sensitive organizations should assume they’re potential targets. The attacks are scalable — once the phishing infrastructure is in place, it costs almost nothing to send another message.
Why the Encryption Still Works
This is where the reporting gets confusing. Headlines about “Signal hacks” and “WhatsApp breaches” suggest the apps themselves are compromised. They’re not.
End-to-end encryption means only you and your recipient can read your messages — not Signal, not WhatsApp, not anyone intercepting traffic in between. That mathematical protection remains intact.
But encryption can’t stop you from voluntarily handing over your account credentials. If you share your verification code with an attacker, encryption doesn’t help. If you scan a malicious QR code and link their device to your account, encryption doesn’t help. The cryptography is working exactly as designed. The vulnerability is behavioral.
What You Should Do Right Now
Enable Registration Lock on Signal. Go to Settings → Account → Registration Lock and turn it on. This requires your PIN to re-register your number on a new device, blocking the most common account takeover method.
Check your linked devices. On Signal: Settings → Linked Devices. On WhatsApp: Settings → Linked Devices. Remove anything you don’t recognize.
Never share verification codes. No legitimate support service will ever ask for these. Not Signal. Not WhatsApp. Not your bank. Anyone asking for a code sent to your phone is trying to steal something.
Use Signal usernames instead of phone numbers. Signal now lets you hide your phone number and share a username instead. This reduces your attack surface significantly.
Verify suspicious requests through a different channel. If someone in a group chat asks you to do something unusual, call them. Email them. Confirm through any channel the attacker doesn’t control.
Watch for duplicate contacts. If you see two accounts with the same name (or nearly identical names) in a group, one is likely an attacker.
Enable disappearing messages. This won’t prevent account takeover, but it limits what an attacker can access if they do get in.
The Bigger Picture
This campaign highlights a fundamental tension in secure communications. The encryption is excellent. The user experience isn’t designed for adversarial conditions.
Signal and WhatsApp were built for ordinary people who want private conversations — not for targets of state-sponsored intelligence operations. The convenience features that make these apps usable (SMS verification, easy device linking, QR code pairing) are exactly what attackers exploit.
There’s no easy fix. You could eliminate SMS verification entirely, but that would lock out users who lose their devices. You could require hardware security keys, but most people won’t use them. Every security improvement trades off against accessibility.
For now, the burden falls on individual users to understand the threat model and configure their apps accordingly. Enable Registration Lock. Don’t share codes. Check your linked devices. The encryption is doing its job — make sure you’re doing yours.
If you work in government, journalism, activism, or any sensitive field, treat these apps as targets rather than refuges. The encryption protects message content. It doesn’t protect your account from social engineering.