Russia-backed hackers target Signal and WhatsApp accounts: How the attack works, how to stay safe and more

Dutch intelligence agencies have issued a stark warning regarding a new, highly sophisticated global cyber campaign. Two intelligence agencies in the Netherlands warned earlier this week that Russian-backed hackers are gaining access to Signal and WhatsApp accounts used by officials, military personnel and journalists.

“The Dutch intelligence and security services MIVD and AIVD can confirm that targets and victims of the campaign include Dutch government employees. The Dutch services also believe that other persons of interest to the Russian government, such as journalists, may possibly be targeted by this campaign,” the Ministry of the Interior and Kingdom Relations of the Netherlands said in a statement.

Here is a breakdown of how the attacks are happening, the warning signs to look out for, and how to stay safe:

How are hackers gaining access to WhatsApp and Signal?

On Signal, the bad actors are said to be masquerading as a legitimate Signal support chatbot in order to trick users into giving up crucial codes that would allow them to take control of the accounts.

The hackers send messages claiming suspicious activity has been detected on the account and urge victims to complete a verification process. During this process, the attackers request an SMS verification code or the user's Signal PIN, which allows them to bypass security locks and fully take control of the account.

“Because Signal stores the chat history locally on the phone, a victim can regain access to that history after re-registering. As a result, the victim may assume that nothing is wrong. The Dutch services want to stress that this assumption could be incorrect,” the report notes.

Another trick uses the QR code and “linked devices” functionality available on both platforms, persuading victims to scan a QR code or click a link.

The report notes that attackers may send malicious links disguised as invitations to join group chats, but this QR code or link instead silently links the attacker's device to the account.

Bad actors can then monitor ongoing conversations and read message histories without the legitimate user immediately noticing.

What do WhatsApp and Signal say?

In a post on X, Signal responded to the report, writing, “Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts.”

“These attacks, like all phishing, rely on social engineering. Attackers impersonate trusted contacts or services (such as the non-existent “Signal Support Bot”) to trick victims into handing over their login credentials or other information. To help prevent this, remember that your Signal SMS verification code is only ever needed when you are first signing up for the Signal app,” the company added.

Meanwhile, a Meta spokesperson told TechCrunch that WhatsApp suggests users never share their six-digit code with anyone, and points them to a Help Centre page to help them recognise suspicious messages, as well as a page about the Linked Devices feature.

How to stay safe?

In order to protect yourself from these sophisticated phishing attempts, the report also recommended taking the following safety precautions:

The advisory warns against sending classified or sensitive information via apps like Signal and WhatsApp.

Never share your verification codes: Signal will never contact you via in-app messages or SMS to request your six-digit registration code or account PIN. Block any such messages that ask for your PIN.

Enable two-step verification: On WhatsApp, turn on 'Two-Step Verification' in your account settings. On Signal, enable 'Registration Lock'. This will add an additional layer of security to your account.

Turn on disappearing messages: The experts suggest enabling this feature. In case the device is compromised, this feature should prevent bad actors from gaining access to the entire chat history.