Dutch Intelligence Warning: Russian State Actors Targeting Signal and WhatsApp
Do Son 
In a significant Cybersecurity Advisory released in March 2026, the Netherlands Defence Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) issued a joint alert regarding a “large-scale global attempt to compromise Signal and WhatsApp accounts”.
The campaign specifically targets dignitaries, civil servants, and military personnel, though researchers deem it probable that journalists and other persons of interest to the Russian government are also at risk.
What makes this campaign particularly dangerous is that it does not rely on technical exploits or malware. Instead, the attackers “utilise legitimate security functions of the apps in combination with social engineering techniques”.
The advisory details two primary modes of attack:
- Account Take-over: Attackers pose as official support teams. As the advisory notes:”The victim receives a message purportedly from the Signal Security Support Chatbot, claiming for example that suspicious activities have been observed in the victim’s account”. The attackers then trick the user into sharing an SMS verification code and their Signal PIN, allowing them to link the account to a new phone number and gain full access to contact lists and messages.
- Linked Devices & QR Codes: Using malicious invitations to join chat groups, actors persuade victims to scan a QR code. This seemingly innocent action “actually links the actor’s device to the victim’s account,” providing full access to all chats and history.
Victims of an account take-over can often re-register their number and regain access to their local chat history. Because the app appears normal, “the victim may assume that nothing is wrong”. The Dutch services warn this is a false sense of security, as the attacker may still be active or have already exfiltrated sensitive data.
The MIVD and AIVD stress that Signal and WhatsApp themselves have not been compromised; the issue lies in the manipulation of individual accounts. To stay safe, the advisory offers several key recommendations:
- Never send classified or sensitive information via these apps; only use organization-approved tools.
- Verify Support: “Signal’s customer services will never contact you directly via a Signal message, neither will they ask you for your verification codes”.
- Audit Devices: Regularly check “Linked devices” in your app settings and delete any unknown entries immediately.
- Enable Protections: Activate Registration Lock in Signal and consider using Disappearing Messages to limit the data available if a compromise occurs.
“The loss of an account is irreversible and can lead to lasting damage,” the advisory warns. If you suspect you have been targeted, inform your contacts via a different channel—such as a phone call or email—to prevent further spread of the campaign.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
