German Officials Warn of State-Sponsored Phishing Attacks on Signal Users

German Authorities Alert: Signal Phishing Attacks Targeting High-Profile Individuals

Germany’s Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) have jointly issued a warning about a sophisticated phishing campaign targeting users of the Signal messaging app. This campaign is believed to be orchestrated by a state-sponsored entity and primarily focuses on high-ranking individuals in politics, the military, diplomacy, and investigative journalism across Germany and Europe.

The attackers employ social engineering tactics by impersonating Signal Support or a support chatbot named Signal Security ChatBot. They initiate direct communication with potential victims, urging them to provide their PIN or verification code received via SMS, under the pretense of preventing data loss. Once the victim complies, the attackers can register the account on a device they control, gaining access to the victim’s profile, settings, contacts, and block list. Although the stolen PIN does not grant access to past conversations, it allows the attackers to intercept incoming messages and send messages posing as the victim.

In an alternative method, the attackers exploit Signal’s device linking feature by tricking victims into scanning a QR code. This grants the attackers access to the victim’s account, including messages from the past 45 days, on a device they manage. In this scenario, the victim remains unaware that their chats and contact lists are compromised.

The BfV and BSI caution that while the current campaign targets Signal users, similar tactics could be employed against WhatsApp users, given the app’s comparable device linking and two-step verification features. Unauthorized access to messenger accounts not only exposes confidential communications but also poses a risk to entire networks through group chats.

Although the exact perpetrators remain unidentified, similar attacks have been linked to Russia-aligned threat groups such as Star Blizzard, UNC5792 (also known as UAC-0195), and UNC4221 (also known as UAC-0185), according to reports from Microsoft and Google’s Threat Intelligence Group. In December 2025, Gen Digital detailed a campaign named GhostPairing, where cybercriminals exploited WhatsApp’s device linking feature to hijack accounts, likely for impersonation or fraud.

To protect against such threats, users are advised to:

– Avoid interacting with unsolicited support accounts.

– Never share their Signal PIN via text message.

– Enable Registration Lock to prevent unauthorized registration of their phone number on another device.

– Regularly review and remove any unknown linked devices.
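The lure described above (a sender posing as Signal Support or a security chatbot, a request for the PIN or SMS verification code, or a QR code device-linking prompt, usually wrapped in urgency) can be turned into a simple triage heuristic for inbound messages, for example in an awareness tool or a help-desk screening script. The following is an added example, not code from the BfV/BSI advisory or from Signal; the message samples are constructed and the scoring weights are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages (not real captures) modelled on the campaign:
# impersonated support, a PIN / SMS-code request, a QR linking lure, and one benign message.
SAMPLE_MESSAGES = [
    {"sender": "Signal Support", "text": "To prevent data loss, reply with your PIN now."},
    {"sender": "Signal Security ChatBot", "text": "Enter the verification code you received via SMS."},
    {"sender": "Support Team", "text": "Scan this QR code to re-link your device and keep your chats."},
    {"sender": "Alice", "text": "Are we still on for lunch on Friday?"},
]

# Indicator patterns derived from the advisory's description of the lure.
IMPERSONATION = re.compile(r"\b(support|security|chat\s?bot)\b", re.I)
SECRET_REQUEST = re.compile(r"\b(pin|verification code|sms code|code you received)\b", re.I)
LINKING_LURE = re.compile(r"\b(scan|qr code|link(?:ed)? device|re-?link)\b", re.I)
URGENCY = re.compile(r"\b(now|immediately|prevent data loss|lose your (?:chats|account))\b", re.I)


@dataclass
class Verdict:
    score: int = 0
    indicators: list = field(default_factory=list)


def assess_message(sender: str, text: str) -> Verdict:
    """Score one inbound message against the lure pattern; higher means more suspicious.
    Weights are assumed: asking for a secret or a device link weighs most, urgency least."""
    v = Verdict()
    if IMPERSONATION.search(sender) or IMPERSONATION.search(text):
        v.score += 2
        v.indicators.append("impersonates_support")
    if SECRET_REQUEST.search(text):
        v.score += 3
        v.indicators.append("requests_pin_or_code")
    if LINKING_LURE.search(text):
        v.score += 3
        v.indicators.append("device_linking_lure")
    if URGENCY.search(text):
        v.score += 1
        v.indicators.append("urgency")
    return v


def flag_suspicious(messages, threshold: int = 4) -> list:
    """Return the senders of messages at or above the threshold (assumed cut-off of 4)."""
    return [m["sender"] for m in messages if assess_message(m["sender"], m["text"]).score >= threshold]
```

A real support channel never asks for the PIN or a verification code, so any message that triggers `requests_pin_or_code` or `device_linking_lure` deserves a second look regardless of score.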

This development coincides with the Norwegian government’s accusations against Chinese-backed hacking groups, including Salt Typhoon, for infiltrating several organizations in Norway by exploiting vulnerable network devices. Additionally, Russia has been called out for closely monitoring military targets and allied activities, while Iran has been accused of surveilling dissidents.

The Norwegian Police Security Service (PST) highlighted that Chinese intelligence services attempt to recruit Norwegian nationals to access classified data. These recruits are then encouraged to establish their own networks by advertising part-time positions or approaching individuals via LinkedIn. The PST also warned that China systematically exploits collaborative research and development efforts to bolster its security and intelligence capabilities. Notably, Chinese law mandates that software vulnerabilities identified by Chinese researchers be reported to authorities within two days of discovery.

Furthermore, the PST noted that Iranian cyber threat actors compromise email accounts, social media profiles, and private computers belonging to dissidents to gather information about them and their networks. These actors possess advanced capabilities and are expected to continue developing their methods for increasingly targeted and intrusive operations against individuals in Norway.

These disclosures follow an advisory from CERT Polska, which assessed that a Russian nation-state hacking group called Static Tundra is likely behind coordinated cyber attacks targeting more than 30 wind and photovoltaic farms, a private manufacturing company, and a large combined heat and power plant supplying heat to nearly half a million customers in Poland.