Russian hackers used Signal app to deceive targets, German officials say
What Happened
- German intelligence authorities have identified a sustained Russian state-sponsored campaign that compromised Signal accounts belonging to approximately 300 individuals in Germany's political sphere, including senior government ministers, military personnel, and journalists.
- The attackers exploited Signal's legitimate "linked devices" feature — a tool that allows a single Signal account to be used across multiple devices simultaneously — to silently link victim accounts to attacker-controlled devices.
- The attack method involved social engineering: hackers posed as Signal technical support staff, sent warnings of alleged suspicious activity or data leaks, and prompted victims to enter their PIN codes or scan a QR code, which in effect linked the attacker's device to the victim's account.
- Once linked, the attackers gained real-time access to ongoing conversations, past message history, address books, shared documents, and photographs — without the victim's knowledge.
- Germany's domestic intelligence service (BfV) and cybersecurity authority (BSI) had issued a public warning in February 2026 about the campaign, attributing it to a likely state-controlled cyber actor; federal prosecutors began a preliminary investigation from mid-February.
Static Topic Bridges
End-to-End Encryption and its Limitations
End-to-end encryption (E2EE) is a communication security technique in which data is encrypted on the sender's device and can only be decrypted by the intended recipient's device. No intermediary — including the service provider, network operators, or government agencies — can access message content in transit. Signal, developed by the non-profit Signal Foundation, uses the Signal Protocol, which is widely regarded as the gold standard for E2EE in messaging applications.
- The Signal Protocol was developed by Open Whisper Systems in 2013 and uses a combination of the Double Ratchet Algorithm, the X3DH key agreement protocol, and the Sesame algorithm for multi-device support.
- Forward secrecy is a key property: each message is encrypted with a unique key, so compromising one message key does not expose the others.
- Signal's encryption protects data in transit and at rest on devices — but it does not protect against attacks that target the endpoint (the device or account itself).
- The Russian campaign exploited this distinction: the encryption was never broken; instead, the attacker legitimately linked their own device to the victim's account, bypassing E2EE entirely.
Connection to this news: The attack demonstrates that E2EE alone does not guarantee communications security — the "linked devices" attack vector circumvents encryption by gaining authenticated access to the account itself, highlighting that human factors and authentication mechanisms are equally critical.
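The point above, as an added illustration that is not Signal's code: in a multi-device design the sender encrypts one copy per registered device, so a device linked through a deceptive QR scan receives readable messages even though no key is broken. The model below is deliberately simplified (random per-device keys and a SHA-256 keystream stand in for X3DH and the Double Ratchet; the account and device names are constructed), and it ends with the defensive check a user or administrator actually has: auditing the linked-device list against the devices the owner knows about.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Toy model: each linked device holds its own session key. Real Signal
# derives per-device sessions with X3DH + Double Ratchet; the fan-out
# behaviour shown here is the part that matters for the linked-device risk.

@dataclass
class Device:
    name: str
    key: bytes
    linked_by: str                 # "owner" or "qr-scan" (constructed labels)
    inbox: list = field(default_factory=list)

@dataclass
class Account:
    phone: str
    devices: list = field(default_factory=list)

def link_device(account, name, linked_by):
    """Register a device on the account; scanning the QR code does this in Signal."""
    account.devices.append(Device(name, secrets.token_bytes(32), linked_by))

def toy_encrypt(key, plaintext):
    """Stand-in cipher: SHA-256 keystream XOR with a fresh nonce (messages <= 32 bytes)."""
    assert len(plaintext) <= 32
    nonce = secrets.token_bytes(16)
    stream = hashlib.sha256(key + nonce).digest()
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))

def toy_decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    stream = hashlib.sha256(key + nonce).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def send(account, plaintext):
    """Fan-out: every device on the account gets its own ciphertext under its own key."""
    for dev in account.devices:
        dev.inbox.append(toy_encrypt(dev.key, plaintext))

def read_inbox(device):
    return [toy_decrypt(device.key, blob) for blob in device.inbox]

def audit_linked_devices(account, known_devices):
    """Defensive check: return device names the owner did not expect to be linked."""
    return [d.name for d in account.devices if d.name not in known_devices]

def demo():
    acct = Account("+49-CONSTRUCTED")
    link_device(acct, "minister-phone", "owner")
    link_device(acct, "minister-laptop", "qr-scan")
    link_device(acct, "attacker-desktop", "qr-scan")  # link induced by the fake-support lure
    send(acct, b"cabinet meeting moved to 09:00")
    return acct
```

Running `demo()` and then `audit_linked_devices(acct, {"minister-phone", "minister-laptop"})` reports the unexpected device; that review of the linked-device list is the control the encryption itself cannot provide.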
State-Sponsored Cyber Espionage and Hybrid Warfare
State-sponsored cyber espionage refers to hacking operations conducted by or on behalf of a nation-state to gather intelligence, disrupt adversaries, or conduct psychological and influence operations. Russia, China, North Korea, and Iran are among countries identified by Western intelligence agencies as conducting systematic state-sponsored cyberattacks. These operations form part of what analysts call "hybrid warfare" — the blending of conventional, irregular, and cyber means to achieve strategic goals below the threshold of open conflict.
- Russia's primary cyber threat actors identified by Western agencies include APT28 (Fancy Bear), APT29 (Cozy Bear), and Sandworm — all assessed to operate under Russian military intelligence (GRU) or the FSB.
- Hybrid warfare tactics include disinformation, cyber infiltration, economic coercion, and support for proxy actors, without triggering a formal military response.
- The Budapest Convention on Cybercrime (2001) is the primary international treaty on cybercrime, though Russia has not ratified it.
- India's national cyber defence framework includes CERT-In (Computer Emergency Response Team – India), the National Cyber Security Policy (2013), and the National Cyber Security Coordinator in the NSC Secretariat.
Connection to this news: The targeting of German political figures using a popular civilian messaging app illustrates the expanding surface area of hybrid warfare — exploiting commercial digital infrastructure for intelligence gathering during a period of heightened geopolitical tension.
Social Engineering and Phishing Attacks
Social engineering refers to psychological manipulation techniques that trick individuals into divulging confidential information or performing actions that compromise security. Phishing is the most common form — it uses deceptive communications (email, messages, calls) that impersonate trusted entities to harvest credentials or install malware. Spear phishing is a targeted variant directed at specific high-value individuals.
- The Signal campaign is classified as a spear-phishing operation: highly targeted, impersonating a trusted platform (Signal itself), and leveraging personalised deception.
- Multi-Factor Authentication (MFA) and physical security keys (FIDO2/WebAuthn) are the strongest defences against credential phishing.
- NCSC (National Cyber Security Centre) guidelines globally recommend that sensitive government communications use dedicated, hardened communication platforms rather than civilian messaging apps.
- India's IT Act, 2000 (amended 2008) under Sections 66C and 66D addresses identity theft and impersonation through computer resources, which would cover social engineering attacks.
Connection to this news: The Russian campaign against Signal accounts is a textbook spear-phishing operation that succeeded not by breaking encryption but by deceiving users — underscoring that user awareness and authentication hygiene are as important as technical security measures.
Key Facts & Data
- Approximately 300 Signal accounts in Germany's political sphere were compromised.
- Targets included senior government ministers, military personnel, and journalists.
- Germany's BfV and BSI issued a warning in February 2026 attributing the campaign to a likely state-controlled actor.
- Attack method: Exploited Signal's "linked devices" feature via social engineering (fake support messages and QR code scans).
- Federal prosecutors in Germany began a preliminary investigation from mid-February 2026.
- The Signal Protocol uses the Double Ratchet Algorithm and X3DH key agreement for end-to-end encryption.
- Similar warnings were issued by the Netherlands' MIVD and AIVD about a "large-scale global" campaign targeting Signal and WhatsApp.