PROBABLYPWNED
Threat Intelligence · February 12, 2026 · 4 min read

Germany Warns of Signal Phishing Targeting Officials

Germany's BfV and BSI issued a joint advisory warning of state-sponsored phishing campaigns targeting politicians, military officials, and journalists through Signal's device linking feature.

Alex Kowalski

Germany's Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI) issued a joint security advisory warning that state-sponsored attackers are targeting high-profile individuals through the Signal messaging app. The campaign focuses on politicians, military officials, diplomats, and investigative journalists across Germany and Europe.

The attacks don't exploit vulnerabilities in Signal itself. Instead, they abuse the app's legitimate device-linking feature to hijack accounts without malware or technical exploitation—pure social engineering.

How the Attacks Work

German authorities identified two primary attack methods:

Fake support messages: Attackers impersonate Signal support staff, sending messages that claim the victim's account requires verification. The messages ask for the SMS verification code, the registration-lock PIN, or other recovery information, which is exactly what an attacker needs to re-register the victim's phone number on a device they control.

Malicious QR codes: Attackers send QR codes that appear to link to group chats, contact cards, or other legitimate Signal features. The code actually carries a Signal device-linking request; the victim scans it and approves the "link device" prompt believing they are joining a group, and the attacker's device is added to the account as a linked device. Every message the victim sends or receives from that point on is also delivered to the attacker's device.

Neither method requires installing malware or exploiting software bugs. Signal's device linking is designed to let users add tablets or secondary phones. Attackers simply trick victims into adding attacker-controlled devices instead.

High-Value Target Selection

The campaign's focus on politicians, military personnel, diplomats, and journalists signals a state-backed intelligence operation. These targets have access to sensitive communications—policy discussions, military planning, diplomatic negotiations, and investigative research. Compromising their Signal accounts provides ongoing visibility into conversations that targets believe are private and encrypted.

The BfV didn't attribute the campaign to a specific nation-state, but the target profile aligns with Russian intelligence collection priorities in Europe. We've tracked similar patterns in APT28's operations against Eastern European targets, though those campaigns used malware delivery rather than account hijacking.

Why Signal?

Signal's reputation for security makes it attractive to people with sensitive communications—exactly the people intelligence services want to monitor. The app's end-to-end encryption protects message content from interception in transit. But a linked device is a legitimate endpoint of the account: correspondents' clients encrypt each message to every device on the account, so the attacker's device receives its own encrypted copy and decrypts it with keys it legitimately holds. The encryption is never broken; the attacker is simply on the inside of it.

This is a classic pattern in security: attackers don't break the encryption, they work around it. For additional context on social engineering techniques attackers use to bypass technical controls, see our guide to social engineering tactics.

Protection Recommendations

German authorities recommend several defensive measures:

Never respond to supposed support messages: Signal's actual support team doesn't contact users through the app to request verification codes or account information. Block and report these messages.

Enable registration lock: Signal's registration lock feature requires your PIN to register your phone number on a new device, so an attacker who obtains your SMS verification code still cannot take over the number. Note that this protects against the re-registration attack only: linking a new device needs approval on the already-registered phone, not the PIN, so registration lock does nothing against the QR-code variant. That is why reviewing linked devices matters.

Review linked devices: Open Signal's Settings > Linked Devices regularly. Remove any device you don't recognize; if you only use Signal on your phone, the list should be empty.

Scrutinize QR codes: Before scanning any QR code, consider where it came from and what it claims to do. If you didn't request a device link, don't scan a code that creates one.

Enable screen lock: Use Signal's screen lock feature to require authentication before the app opens, adding a layer of protection if your device is physically compromised.
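The "scrutinize QR codes" advice can be partly automated. A QR code is just a short text payload, and a device-linking request looks nothing like a group invite once decoded. The triage function below is an added example, not code from the advisory or from Signal; it assumes the link formats Signal clients use at the time of writing (a device link is `sgnl://linkdevice?uuid=...&pub_key=...`, a group invite is `https://signal.group/#...`, a contact link is `https://signal.me/#...`), which should be checked against the current client before relying on them. The sample payloads are constructed for the example.

```python
"""Triage the text decoded from a QR code before a user acts on it.

Added example, not part of the BfV/BSI advisory and not Signal's code.
Assumed Signal link formats (verify against the current client):
  - device linking:  sgnl://linkdevice?uuid=<device id>&pub_key=<base64 key>
  - group invite:    https://signal.group/#<opaque invite>  (also sgnl://signal.group/#...)
  - contact/profile: https://signal.me/#p/<phone> or https://signal.me/#eu/<username>
Decoding the QR image itself (pyzbar, zxing, a phone camera) is out of scope;
this function receives the decoded string.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class Verdict:
    kind: str    # "device_link", "group_invite", "contact_link", "unknown"
    risk: str    # "block", "review", "ok"
    reason: str


def triage_qr_payload(payload: str) -> Verdict:
    """Return what a Signal-looking QR payload would actually do if acted upon."""
    p = payload.strip()
    try:
        u = urlsplit(p)
    except ValueError:
        return Verdict("unknown", "review", "payload is not a parseable URI")

    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()   # exact host match; lookalikes fall through

    # 1. Device-linking request: scanning and approving this adds a device to the
    #    scanner's own account. A user who was promised a group chat should never see it.
    if scheme == "sgnl" and host == "linkdevice":
        q = parse_qs(u.query)
        complete = "uuid" in q and "pub_key" in q
        detail = "carries device id and public key" if complete else "malformed, missing parameters"
        return Verdict("device_link", "block", f"device-linking request ({detail})")

    # 2. Group invite: legitimate if the invite data is present in the fragment.
    if host == "signal.group" and scheme in ("https", "sgnl"):
        if u.fragment:
            return Verdict("group_invite", "ok", "group invite link")
        return Verdict("group_invite", "review", "group link without invite data")

    # 3. Contact / profile link.
    if scheme == "https" and host == "signal.me" and u.fragment:
        return Verdict("contact_link", "ok", "contact/profile link")

    # 4. Anything else that merely looks like Signal (e.g. signal.group.evil.example).
    if scheme == "sgnl" or "signal" in host:
        return Verdict("unknown", "review", f"unrecognised Signal-looking target {scheme}://{host}")
    return Verdict("unknown", "review", "not a Signal link")


# Constructed sample payloads for the example (not real invites or keys).
SAMPLES = [
    "https://signal.group/#CjQKIHJlYWxseS1ub3QtYS1yZWFsLWludml0ZS1ibG9iLWhlcmU",
    "sgnl://linkdevice?uuid=3f1c9e2a-0000-4000-8000-000000000000&pub_key=BWNvbnN0cnVjdGVkLWtleQ",
    "https://signal.group.evil.example/#CjQKIGxvb2thbGlrZQ",
    "https://signal.me/#p/+491701234567",
    "Scan me to join the briefing group",
]

if __name__ == "__main__":
    for s in SAMPLES:
        v = triage_qr_payload(s)
        print(f"{v.risk:6} {v.kind:12} {v.reason}  <- {s[:48]}")
```

The decisive check is the scheme and exact host: a device-linking payload cannot be turned into a group invite by the text around the QR code, so a scanner (or a training tool that lets users paste decoded payloads) can refuse `sgnl://linkdevice` outright unless the user explicitly started a device-link flow themselves.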

Broader Implications

The campaign demonstrates how attackers adapt to targets' security choices. As more security-conscious users adopt encrypted messaging, intelligence services develop techniques to compromise those platforms without breaking encryption.

Similar campaigns have targeted WhatsApp, Telegram, and other encrypted messengers. The common thread isn't platform-specific vulnerabilities—it's social engineering that convinces targets to compromise their own accounts. Our analysis of shadow campaigns targeting 37 countries showed comparable tactics using messaging platforms for initial access.

For organizations with staff who might be targeted—government agencies, defense contractors, media organizations, NGOs—user education is the primary defense. Technical controls can't prevent someone from willingly scanning a malicious QR code. Awareness training can.
