State-Sponsored Hackers Exploit Signal to Spy on European Military and Journalists

Germany’s leading security agencies have issued an urgent alert concerning a sophisticated cyber espionage campaign targeting high-ranking officials and journalists across Europe. The Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) have identified state-sponsored hackers hijacking Signal accounts to monitor private communications.

The joint advisory, released on February 6, 2026, highlights that military personnel, diplomats, politicians, and investigative journalists are the primary targets. Unlike traditional cyberattacks that deploy malware or exploit software vulnerabilities, this campaign relies entirely on social engineering tactics, manipulating victims into compromising their own security.

The Fake Support Deception

In one method, attackers impersonate Signal Support or a Signal Security ChatBot, contacting targets directly within the app. They claim that suspicious activity or a data breach has occurred on the victim’s device and ask the victim to verify their identity by providing a PIN code. If the victim shares this six-digit code, the hackers immediately register the victim’s phone number on a new device under their control. This locks the legitimate user out of their account and gives the attackers full control to impersonate the victim in future communications.

The QR Code Exploit

Another tactic involves a more subtle approach, allowing hackers to spy on conversations without alerting the user. Attackers use plausible pretexts, such as invitations to join a group or requests to verify a device, to trick victims into scanning a QR code. This QR code functions as a device linking request. When scanned, it authorizes the hacker’s device to link to the victim’s account. Once connected, the attacker can silently read all new messages and access chat history from the past 45 days. This access often persists for weeks, as the victim’s phone continues to function normally, masking the intrusion.
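The following check is an added example, not part of the advisory or of Signal's code: it classifies the decoded text of a QR code so that a device linking request presented as a group invitation can be flagged before anyone scans it. The `sgnl://linkdevice` and legacy `tsdevice:/` URI forms and the `signal.group` invite host are assumptions taken from Signal's open-source clients, not from this page, and all sample payloads are constructed.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed from Signal's open-source clients (not stated in the advisory).
LINK_SCHEMES = {"sgnl", "tsdevice"}
GROUP_HOST = "signal.group"
LINK_KINDS = {"device-link", "embedded-device-link"}


def classify_qr(payload: str) -> str:
    """Return 'device-link', 'embedded-device-link', 'group-invite' or 'other'."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme  # urlsplit already lowercases the scheme
    query = parse_qs(parts.query)

    if scheme in LINK_SCHEMES:
        # sgnl://linkdevice?uuid=...&pub_key=...  (host is 'linkdevice')
        # tsdevice:/?uuid=...&pub_key=...         (legacy form, no host)
        is_link = scheme == "tsdevice" or parts.netloc.lower() == "linkdevice"
        if is_link and "uuid" in query and "pub_key" in query:
            return "device-link"
        return "other"

    if scheme in ("http", "https"):
        # A web URL can carry a linking URI in a parameter or fragment,
        # possibly percent-encoded twice, so decode twice before matching.
        decoded = unquote(unquote(parts.query + "#" + parts.fragment)).lower()
        if "sgnl://linkdevice" in decoded or "tsdevice:/" in decoded:
            return "embedded-device-link"
        if (parts.hostname or "").lower() == GROUP_HOST:
            return "group-invite"
    return "other"


def is_suspicious(claimed_purpose: str, payload: str) -> bool:
    """True when the code would link a device but was presented as something else."""
    return classify_qr(payload) in LINK_KINDS and claimed_purpose != "link-own-device"


# Constructed sample payloads (placeholder values, not real keys or invites).
SAMPLES = [
    ("group-invite", "https://signal.group/#CONSTRUCTED-INVITE"),
    ("group-invite", "SGNL://LinkDevice?uuid=CONSTRUCTED&pub_key=CONSTRUCTED"),
    ("group-invite", "https://example.invalid/j?next=sgnl%3A%2F%2Flinkdevice%3Fuuid%3DX%26pub_key%3DY"),
    ("link-own-device", "sgnl://linkdevice?uuid=CONSTRUCTED&pub_key=CONSTRUCTED"),
]

if __name__ == "__main__":
    for claimed, payload in SAMPLES:
        print(claimed, classify_qr(payload), is_suspicious(claimed, payload))
```

A linking code is only expected when the user started linking their own second device; in every other context a `device-link` result means the stated reason for scanning does not match what the code does.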

State-Sponsored Espionage

Authorities believe a state-controlled cyber actor is behind this campaign, given the specific focus on high-value intelligence targets rather than financial gain. The objective appears to be espionage, involving the mapping of social networks and the interception of sensitive political and military discussions. Because these attacks exploit legitimate Signal features rather than deploying viruses, they bypass most antivirus software.

Recommendations for Users

Security officials urge all Signal users to take the following precautions:

– Verify Linked Devices: Regularly check the Linked Devices list in Signal settings to ensure no unauthorized devices are connected.

– Protect Verification Codes: Never share verification PINs or QR codes with anyone, even if they claim to be support staff.

– Be Cautious of Unsolicited Messages: Be wary of unexpected messages requesting personal information or actions, especially those claiming to be from official sources.

By remaining vigilant and adopting these security practices, users can better protect themselves against such sophisticated social engineering attacks.