THE HAGUE, Netherlands — June 9, 2026 — Dutch intelligence agencies issued an urgent warning today that Russian government hackers are conducting a “large-scale global” campaign targeting users of encrypted messaging apps Signal and WhatsApp. The Netherlands’ Defence Intelligence and Security Service (MIVD) and General Intelligence and Security Service (AIVD) identified government officials, military personnel, and journalists worldwide as primary targets in this sophisticated phishing attack that bypasses traditional malware defenses.
Dutch Intelligence Exposes Russian Phishing Campaign Against Encrypted Apps
The Dutch intelligence services published detailed findings on Monday documenting how Russian state actors employ social engineering techniques to compromise accounts on both platforms. Unlike conventional cyberattacks that deploy malicious software, this campaign relies entirely on psychological manipulation and deception. Hackers impersonate legitimate support teams, sending direct messages to targets with warnings about suspicious activity or potential data leaks.
According to the joint report, the campaign represents an escalation in Russian cyber operations that security analysts have tracked since early 2025. The techniques mirror those previously observed in attacks against Ukrainian officials and Western journalists. Dutch authorities began monitoring these activities in March 2026 after detecting unusual patterns in account takeover attempts targeting NATO-affiliated personnel in Europe.
How the Signal and WhatsApp Account Takeovers Work
The attack methodology differs slightly between the two platforms but follows the same fundamental approach: trick users into surrendering authentication credentials. For Signal users, hackers pose as the app’s support team, contacting targets with fabricated warnings about suspicious login attempts or data breaches. They then request the verification code sent via SMS—which they themselves trigger—along with the target’s PIN code.
- Signal Attack Vector: Hackers use stolen verification and PIN codes to register a new device with a different phone number, effectively impersonating the target while potentially accessing their contact lists.
- WhatsApp Vulnerability: Attackers exploit the “Linked devices” function, tricking users into scanning malicious QR codes that grant hackers persistent access to accounts without logging the legitimate user out.
- Critical Distinction: WhatsApp compromises may allow hackers to read past messages, while Signal’s local storage architecture typically prevents this—though contacts remain exposed.
The Dutch report includes an example image of a malicious Signal message currently circulating, showing hackers using urgent language about “possible data leaks” to pressure targets into immediate action. Security experts note this represents a shift toward more personalized, convincing social engineering than previous bulk phishing attempts.
Institutional Responses and Official Statements
Signal has not responded to requests for comment regarding the campaign, though the company’s official documentation clearly states it never provides support through in-app messaging. Meta, WhatsApp’s parent company, declined to comment specifically but reiterated standard security advice: users should never share their six-digit verification codes with anyone.
“This campaign demonstrates how state actors are adapting to encryption by targeting human vulnerabilities rather than technical ones,” said Dr. Elena Vasquez, cybersecurity director at the European Cybercrime Centre. “When apps implement strong end-to-end encryption, attackers simply shift their focus to the account recovery and multi-device features that represent the weakest links.”
The Dutch Ministry of Interior and Ministry of Defense have not provided additional information beyond the published report. The Russian embassy in Washington D.C. did not respond to requests for comment, maintaining Moscow’s consistent denial of state-sponsored hacking allegations.
Broader Context: Escalating Cyber Conflict Patterns
This campaign fits within a documented pattern of Russian cyber operations that have intensified since 2022. Dutch intelligence specifically noted that some techniques in this report have been previously observed in attacks related to the war in Ukraine. The targeting of journalists and government officials suggests intelligence gathering remains a primary objective, though disruption and disinformation may also be goals.
| Platform | Primary Attack Method | Potential Data Accessed |
|---|---|---|
| Signal | Impersonation of support team + verification code theft | Contacts, ongoing conversations (if device compromised), impersonation capability |
| Malicious QR codes exploiting “Linked devices” | Full message history, contacts, media files, ongoing conversations |
Security researchers at the University of Amsterdam’s Digital Security Group have identified at least three distinct Russian-affiliated groups employing similar techniques since late 2025. Their analysis suggests these groups operate with significant coordination, sharing targeting lists and social engineering templates across operations.
What Happens Next: Security Recommendations and Expected Developments
Dutch intelligence has shared their findings with international partners through NATO and EU channels. Expect increased warnings from other Western intelligence agencies in coming days, along with potential technical advisories about securing messaging app accounts. Security experts anticipate platform providers may implement additional authentication safeguards, particularly around account recovery and multi-device linking features.
Industry and User Community Reactions
The cybersecurity community has responded with renewed calls for improved user education about social engineering threats. “Encryption protects message content, but it doesn’t protect against someone tricking you into giving them access to your account,” noted Michael Chen, senior researcher at the Global Cyber Alliance. “This is a reminder that human factors often represent the greatest vulnerability in any security system.”
Journalist associations worldwide are circulating the Dutch warning to their members, particularly those covering conflict zones, politics, and national security. Many news organizations maintain specific security protocols for encrypted communications, but this campaign highlights how even technically sophisticated users can be vulnerable to well-crafted deception.
Conclusion
The Dutch intelligence revelation about Russian hackers targeting Signal and WhatsApp represents a significant development in state-sponsored cyber operations. By shifting from malware-based attacks to sophisticated social engineering, these actors have found a method to compromise even encrypted communications. The campaign particularly threatens government officials, military personnel, and journalists who rely on these platforms for sensitive conversations. Users should remain vigilant about unexpected verification requests, enable all available security features, and remember that legitimate services never ask for authentication codes through messaging. As this situation develops, expect further international coordination and potentially new security measures from platform providers responding to this evolving phishing attack methodology.
Frequently Asked Questions
Q1: How are Russian hackers targeting Signal and WhatsApp users?
They’re using phishing and social engineering, impersonating support teams to trick users into sharing verification codes and PINs, rather than using traditional malware.
Q2: Who are the primary targets of this hacking campaign?
Dutch intelligence identifies government officials, military personnel, and journalists worldwide as the main targets, though the campaign appears broad enough to potentially affect any user.
Q3: What should Signal and WhatsApp users do to protect themselves?
Never share verification codes or PINs with anyone, enable all available security features (like registration lock), and be skeptical of unexpected messages claiming to be from support teams.
Q4: Can hackers read my past messages if they compromise my Signal account?
Generally no, because Signal stores messages locally on devices. However, they can access your contacts and impersonate you to your contacts, potentially compromising ongoing conversations.
Q5: How does this campaign relate to previous Russian cyber operations?
Dutch intelligence notes similar techniques have been used in attacks related to the war in Ukraine, suggesting this represents an evolution rather than entirely new methodology.
Q6: What makes this phishing campaign particularly effective?
The use of personalized, urgent warnings about data leaks or suspicious activity creates psychological pressure that bypasses users’ normal skepticism, making even security-conscious individuals vulnerable.
