German cybersecurity authorities have issued a high-alert warning about an ongoing phishing campaign that is targeting the Signal messaging accounts of high-ranking individuals, including politicians, military personnel, diplomats and investigative journalists across Germany and Europe. The advisory comes from Germany’s Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) and highlights the increasing use of social engineering techniques to hijack secure communications — without malware.
Certified Cyber Crime Investigator Course Launched by Centre for Police Technology
Attackers Exploit Legitimate Messaging App Features
According to the joint advisory, the attackers are not exploiting software bugs or spreading malicious code. Instead, they are blending social engineering with legitimate features of Signal — a privacy-focused messaging platform — to deceive victims into granting access to their accounts.
In one variant of the attack, the adversaries impersonate official Signal support — using names such as “Signal Support” or “Signal Security ChatBot” — and send messages claiming a fake security issue. The goal is to create a sense of urgency that convinces the victim to share their Signal PIN or SMS verification code. With this information, the attackers can register the Signal account to a device and phone number they control, effectively locking the legitimate owner out while gaining full access to messages and contacts.
In another variation, attackers exploit Signal’s device-linking feature, which allows an account to be connected to multiple devices (such as phones, tablets and computers). By tricking a target into scanning a malicious QR code, attackers silently add their own device to the victim’s Signal account, giving them continued access to one-to-one chats, group conversations and contact lists — often without the victim realizing their communications are being monitored.
No Malware Needed — Just Deception
A defining feature of this campaign is that no malware is used, and no direct vulnerabilities in the Signal application are exploited. Instead, attackers leverage social engineering to obtain legitimate cryptographic credentials — such as verification codes or PINs — from users themselves. This allows them to bypass traditional security protections and assume control of Signal accounts using built-in platform functions.
Officials emphasised that such tactics are especially dangerous because they misuse trusted features of the app, making detection harder and enabling attackers to capture highly sensitive private communications that could compromise not just individual users but entire professional or diplomatic networks.
Who’s Being Targeted and Why It Matters
The attacks reportedly focus on individuals whose communications carry high value — such as government officials, military leaders, diplomats and journalists — because hijacking these accounts can allow attackers to:
- Access confidential private conversations
- Monitor professional or political planning
- Reconstruct contact networks for further social engineering or intelligence gathering
- Impersonate targets to mislead associates or spread disinformation
Although the advisory describes a likely state-sponsored threat actor, authorities cautioned that cybercriminals and other malicious groups could replicate the same techniques, as the attack vectors do not require advanced technical exploits beyond social engineering and deception.
Similar Tactics Could Affect Other Messaging Platforms
German authorities also noted that while the current campaign is focused on Signal, similar device-linking and verification workflows exist in other messaging apps — including WhatsApp — which could make users of those platforms vulnerable to analogous attacks if similar social engineering tactics are used.
Official Guidance: How Users Can Protect Their Signal Accounts
To defend against these evolving threats, the advisory recommends that Signal users — especially high-risk individuals — adopt stringent security practices:
- Do not respond to unsolicited messages claiming to be from “Signal Support”; the platform never initiates support contact from inside the app.
- Never share your Signal PIN or SMS verification codes with anyone over chat.
- Enable the ‘Registration Lock’ feature in Signal (Settings > Account) to prevent unauthorized re-registration of your number.
- Only scan QR codes when you personally intend to link your own device.
Regularly review the list of linked devices under Settings > Linked Devices and remove any unknown or unexpected entries promptly.
These steps can help ensure that even if attackers obtain sensitive codes through social engineering, they are blocked from registering a device or establishing unauthorized access.
About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.
