Signal Warns Users of Scam Attempts Following Hacker Targeting of Officials
Signal has issued a warning to its users to be vigilant against scams after Dutch intelligence revealed that high-profile users of the secure messaging app were targeted by hackers.
On Monday, Dutch cybersecurity agencies reported that a Russia-backed campaign had targeted individual users of both Signal and WhatsApp.
The campaign involved hackers impersonating support staff to obtain information that would allow them to access accounts or hijack devices linked to those accounts. Targets included Dutch officials, military personnel, and civil servants, as part of what was described as a "global" operation.
Signal stated that its systems remain secure but emphasized that it is taking reports of such malicious activity very seriously.
The campaign was uncovered by Dutch intelligence agencies, specifically the Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD).
In a press release, these agencies described the operation as a "large-scale global cyber campaign" aimed at individuals of interest to the Russian state, including government officials and journalists.
"It is not the case that Signal or WhatsApp as a whole have been compromised. Individual user accounts are being targeted," said Simone Smit, AIVD director-general.
Signal reiterated this position in a series of posts on X, affirming that its systems "have not been compromised and remain robust."
They explained that the attacks were carried out through sophisticated phishing campaigns designed to deceive users into sharing information such as SMS codes or Signal PINs, which would grant attackers access to user accounts.
Phishing attacks typically involve criminals attempting to persuade users to disclose passcodes, financial information, or personal details by impersonating customer support agents, friends, family members, or celebrities.
In the campaign identified by Dutch intelligence, hackers pretended to be Signal Support representatives in an effort to obtain account details from users.
When creating a Signal account, users are prompted to secure it with a PIN code, which the company advises should never be shared with anyone.
Signal also cautioned users against sharing verification codes sent to their phone numbers.
WhatsApp has issued similar guidance, advising users not to share the six-digit codes used to secure their accounts.
Additionally, WhatsApp recommends that users take extra precautions, such as blocking messages or calls from unknown contacts.
Human Factors in Security Breaches
Signal emphasized that while technical protections are in place, "user vigilance" remains the most effective defense against phishing attempts.
"Security features are being weaponised against the users," said Muhammad Yahya Patel, cybersecurity advisor at security firm Huntress.
He explained to the BBC that whereas hackers previously sought vulnerabilities in software code, they now focus on "human bugs" — the ways in which users interact with applications.
Patel noted that convenient features such as allowing users to access their accounts on multiple devices via QR codes or regain access using text verification codes have become primary attack vectors exploited by criminals.
He advised users to regularly review devices linked to their accounts in settings to ensure no unauthorized access to their messages.
Patel also cautioned that using an app with end-to-end encryption (E2EE) does not guarantee complete security.
E2EE, which protects messages on Signal and WhatsApp, ensures that only the sender and receiver can read the content of messages.
"This type of encryption can't protect the account and device if it becomes compromised," Patel said.
Dutch intelligence services believe Russia targeted Signal because its reputation as a highly secure app has made it popular among officials seeking secure communication.
However, they noted that this popularity also makes Signal an "ideal place for malicious actors" to attempt to capture sensitive information.
"Despite their end-to-end encryption option, messaging apps such as Signal and WhatsApp should not be used as channels for classified, confidential or sensitive information," said MIVD director Peter Reesink.
for our Tech Decoded newsletter to follow the world's top tech stories and trends. Outside the UK? here.
