Dutch Intelligence Warns of Russian State Campaign Hijacking Signal and WhatsApp Accounts of Government Officials Worldwide
The Dutch intelligence services AIVD and military intelligence service MIVD have issued a joint advisory warning that Russian state hackers are conducting a large-scale campaign to hijack Signal and WhatsApp accounts belonging to senior government officials, military personnel, civil servants, and journalists worldwide.
Dutch government employees have already been targeted and in some cases compromised. The intelligence services assess that the campaign has probably already given the attackers access to sensitive information.
Attack Techniques
The campaign targets individual users through social engineering rather than exploiting vulnerabilities in the messaging platforms themselves. The primary techniques include:
- Fake Signal support chatbot — attackers pose as a Signal support bot to trick users into revealing verification codes and PIN numbers, which are then used to take over accounts
- Linked devices abuse — attackers exploit Signal and WhatsApp's legitimate "linked devices" feature to connect an additional device to the victim's account. Once linked, the attacker can silently read all incoming messages and access group chat conversations without the victim's knowledge
- Verification code phishing — standard social engineering to obtain the SMS or in-app verification codes needed to register a victim's phone number on a new device
What Attackers Gain
Once an account is compromised, the attackers can:
- Read all incoming messages in real time
- Access conversations in group chats — potentially exposing discussions among multiple officials
- Monitor communications without triggering encryption warnings, since the linked device is treated as a legitimate session
The intelligence services stressed that the messaging platforms themselves have not been compromised. "The threat concerns the accounts of individual users," said AIVD director-general Simone Smit.
Signal's Reputation as a Target
Signal is a primary target precisely because of its reputation as a secure communications platform. Its widespread adoption within governments for encrypted messaging makes compromised Signal accounts particularly valuable for intelligence collection.
However, both AIVD and MIVD emphasized that encrypted messaging apps are not appropriate channels for classified, confidential, or sensitive government information — regardless of their encryption capabilities.
"Chat applications such as Signal and WhatsApp, even though they have end-to-end encryption, are not channels for classified, confidential or sensitive information," said MIVD director vice-admiral Peter Reesink.
Indicators of Compromise
The intelligence agencies identified several signs that an account may have been compromised:
- Duplicate accounts in group chats with slightly different display names — indicating a hijacked account has been cloned
- Unfamiliar members appearing in group chats without being added by known participants
- Display names suddenly changing to "Deleted account" — a tactic attackers use to avoid suspicion after taking over an account
- Unknown linked devices appearing in Signal or WhatsApp's device management settings
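The three group-chat indicators above can be checked mechanically when a group admin keeps periodic roster snapshots. The sketch below is an added example, not part of the advisory or of either app: the snapshot format, the member ids, the names and the 0.85 similarity threshold are all assumptions, and the sample data is constructed.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample data: two roster snapshots of one group, keyed by a
# hypothetical stable member id that the admin assigns when recording them.
BEFORE = {"m1": "Anna de Vries", "m2": "Pieter Jansen", "m3": "Sophie Bakker"}
AFTER = {
    "m1": "Anna de Vries",
    "m2": "Deleted account",   # existing member renamed
    "m3": "Sophie Bakker",
    "m4": "Anna de Vries.",    # look-alike of m1
    "m5": "Field Office",      # member nobody recognises
}

DELETED = "deleted account"


def norm(name):
    """Fold case, Unicode compatibility forms and whitespace before comparing."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())


def audit(before, after, threshold=0.85):
    """Return (indicator, id, detail) tuples for the advisory's group-chat signs."""
    findings = []
    for mid, name in after.items():
        if mid not in before:
            # Appeared since the last snapshot: confirm who added them.
            findings.append(("new_member", mid, name))
        elif norm(name) == DELETED and norm(before[mid]) != DELETED:
            # Display name switched to "Deleted account" while still in the group.
            findings.append(("renamed_deleted", mid, before[mid]))
    ids = sorted(after)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            na, nb = norm(after[a]), norm(after[b])
            if DELETED in (na, nb):
                continue
            # Two different members with almost the same display name.
            if SequenceMatcher(None, na, nb).ratio() >= threshold:
                findings.append(("near_duplicate", a, b))
    return findings


if __name__ == "__main__":
    for finding in audit(BEFORE, AFTER):
        print(finding)
```

A finding is a prompt to verify the member out of band, not proof of compromise; people do rename themselves and join groups legitimately.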
Defender Recommendations
- Audit linked devices immediately — check Signal (Settings → Linked Devices) and WhatsApp (Settings → Linked Devices) for any unrecognized sessions and remove them
- Enable registration lock — activate Signal's registration lock PIN to prevent account takeover even if an attacker obtains the verification code
- Never share verification or PIN codes — Signal and WhatsApp support will never ask for these via chat
- Monitor group chats — watch for duplicate accounts, unfamiliar members, or display name changes that could indicate a compromised participant
- Enforce government communications policy — classified and sensitive discussions should use approved secure communications systems, not consumer messaging apps
- Brief officials on social engineering — the campaign relies entirely on user manipulation; awareness is the primary defense