Germany’s Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) have issued a joint advisory warning of a sophisticated phishing campaign targeting users of the Signal messaging app. The operation is believed to be conducted by a state-sponsored threat actor and is aimed at high-ranking figures in politics, the military, and diplomacy, as well as investigative journalists across Germany and Europe.
According to the agencies, the attackers are exploiting Signal’s legitimate features rather than malware or software vulnerabilities. Posing as “Signal Support” or a fake chatbot called “Signal Security ChatBot,” the threat actors contact targets directly and pressure them to share a PIN or SMS verification code under the pretext of preventing data loss. Once obtained, the attackers can register the account on a device they control, gaining access to the victim’s profile, contacts, and settings, and intercepting future messages while impersonating the victim.
In a separate method, victims are tricked into using Signal’s device-linking feature by scanning a malicious QR code. This grants the attackers access to messages from the past 45 days and contact lists, all while the victim continues using the app, unaware their communications are being monitored.
BfV and BSI warned that similar techniques could be applied to other platforms, including WhatsApp, which uses comparable device-linking and PIN-based protections.
While the perpetrators have not been publicly identified, the activity resembles past campaigns attributed to Russia-aligned threat groups such as Star Blizzard, UNC5792 (UAC-0195), and UNC4221 (UAC-0185).