Dutch intelligence says Russian state hackers are targeting Signal and WhatsApp users by going after their accounts instead of trying to break the apps themselves.
The warning lands on an uncomfortable point for anyone who relies on encrypted chat: strong privacy features do not help much after an attacker gets control of the account.
According to a joint notice from the Dutch General Intelligence and Security Service and Military Intelligence and Security Service, the campaign has targeted dignitaries, government officials, military personnel, and other people of interest.
The agencies say the activity is global in scope, and they are not suggesting that Signal or WhatsApp themselves have been compromised.
How the attacks work
In the Dutch cybersecurity advisory, attackers are described as posing as trusted contacts or support staff to persuade targets to share SMS verification codes or Signal PINs. Another method abuses the linked-devices feature, tricking a victim into scanning a QR code or clicking a malicious link that connects the attacker’s device to the account.
Instead of trying to intercept protected traffic, attackers focus on the person using the app and the steps required to sign in, verify identity, or connect a new device. Once an attacker links a device or takes over an account, they may be able to read incoming messages, watch group chats, and contact other people while appearing legitimate.
The Dutch agencies also said these operations do not rely on malware or unknown flaws in the messaging apps. That makes the campaign a reminder that secure communication can still fail through account abuse, even when the app’s core protections remain intact.
Why this matters for users
The lesson for users is straightforward: end-to-end encryption is only one part of the security picture. It protects messages in transit, but it cannot protect an account after someone has been tricked into giving up access.
Similar account-centered risks have appeared in other recent messaging threats, including a WhatsApp account hijack campaign built around fake meeting links and the “GhostPairing” technique that abuses WhatsApp’s device-linking flow.
The Dutch advisory recommends checking linked devices, distrusting unsolicited support messages, avoiding unknown QR codes and suspicious group invites, and warning contacts through another channel if an account may be compromised.
Device security matters, too, especially as mobile threats continue to evolve and vendors push urgent patches such as Google’s March 2026 Android security update that fixed 129 vulnerabilities.
Also read: More than 1 billion Android phones are still exposed when users miss security updates, showing why device hygiene matters alongside encrypted messaging.
