German Agencies Warn of Signal Phishing Targeting Politicians, Military, Journalists

Published: February 7, 2026 at 06:15 AM EST
Source: The Hacker News

Ravie Lakshmanan
Feb 07 2026 | Threat Intelligence / Cyber Espionage

Overview

Germany’s Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz – BfV) and the Federal Office for Information Security (BSI) issued a joint advisory warning of a malicious cyber‑campaign likely carried out by a state‑sponsored threat actor. The campaign targets high‑ranking individuals in politics, the military, diplomacy, and investigative journalists in Germany and across Europe by phishing them over the Signal messaging app.

“The focus is on high‑ranking targets in politics, the military, and diplomacy, as well as investigative journalists in Germany and Europe,” the agencies said. “Unauthorized access to messenger accounts not only allows access to confidential private communications but also potentially compromises entire networks.”
Source: Verfassungsschutz advisory (Feb 6 2026)

What makes this campaign different?

  • No malware is delivered and no vulnerability in Signal is exploited.
  • The attackers weaponise legitimate Signal features to obtain covert access to a victim’s chats and contact lists.

Attack chain

  1. Impersonation – Threat actors pose as “Signal Support” or a chatbot called Signal Security ChatBot and contact potential victims.
  2. Social engineering – They demand a Signal PIN (or a verification code received via SMS) and threaten data loss if the request is ignored.
  3. Account takeover – If the victim complies, the attackers register the account on a device they control, gaining access to the profile, settings, contacts, and block list.
    • The stolen PIN does not reveal past conversations, but it lets the attacker capture incoming messages and send messages as the victim.
  4. Further manipulation – The compromised user, now locked out of their original account, is instructed (still by the fake support chatbot) to register a new account.

Alternative infection sequence

  • The attackers exploit Signal’s device‑linking feature.
  • Victims are tricked into scanning a malicious QR code, which links the attacker’s device to the victim’s account.
  • The victim retains access to the account, unaware that the attacker can read messages from the past 45 days and monitor ongoing chats.
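
A defensive check for the device-linking lure described above, as an added example that is not from the advisory or the article: it classifies the text decoded from a QR code and flags one that would link a new device to the account. It assumes linking QR codes decode to a `sgnl://linkdevice` URI (`tsdevice:` on older clients) carrying `uuid` and `pub_key` parameters, and that group invites use `https://signal.group/`; the function names and sample payloads are constructed.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample payloads (placeholder uuid / key values, not real ones).
SAMPLES = [
    "sgnl://linkdevice?uuid=00000000-0000-4000-8000-000000000000&pub_key=QUJDREVGRw",
    "tsdevice:/?uuid=00000000-0000-4000-8000-000000000000&pub_key=QUJDREVGRw",
    "https://signal.group/#CONSTRUCTED-INVITE-TOKEN",
    "https://example.invalid/join?next=sgnl%3A%2F%2Flinkdevice%3Fuuid%3Dx%26pub_key%3Dy",
]

def classify_qr_payload(payload: str) -> dict:
    """Classify the text decoded from a QR code a user was asked to scan."""
    parts = urlsplit(payload.strip())
    host = parts.netloc.lower()
    # Assumed formats: sgnl://linkdevice?... (host is "linkdevice") and the
    # older tsdevice:/?... (no host at all).
    if (parts.scheme == "sgnl" and host == "linkdevice") or parts.scheme == "tsdevice":
        params = parse_qs(parts.query)
        return {"kind": "device-link",
                "well_formed": "uuid" in params and "pub_key" in params}
    # A web link that carries a linking URI in encoded form is flagged as well.
    if "sgnl://linkdevice" in unquote(payload).lower():
        return {"kind": "device-link", "well_formed": False}
    if parts.scheme == "https" and host == "signal.group":
        return {"kind": "group-invite", "well_formed": bool(parts.fragment)}
    return {"kind": "other", "well_formed": True}

def triage(payload: str, user_started_linking: bool) -> str:
    """Decide what to tell the user before the QR code is scanned in Signal."""
    kind = classify_qr_payload(payload)["kind"]
    if kind == "device-link" and not user_started_linking:
        return "BLOCK"    # someone else's device would be linked to the account
    if kind == "device-link":
        return "CONFIRM"  # expected only when the user is adding their own device
    return "ALLOW"

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample, user_started_linking=False), sample[:40])
```

A QR code received from a "support" contact should never classify as `device-link`; the only legitimate linking flow starts from the user's own Linked Devices screen.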

Broader implications

  • While the current focus is on Signal, the same technique can be applied to WhatsApp, which also supports device linking and PIN‑based two‑step verification.
  • Successful messenger‑account access can expose group chats, potentially compromising entire networks.

Attribution

The actors behind the campaign are still unknown, but the tactics resemble those used by several Russia‑aligned threat clusters:

In December 2025, Gen Digital reported a related campaign called GhostPairing, where cyber‑criminals abused WhatsApp’s device‑linking feature to hijack accounts and impersonate users.
Details: The Hacker News, Dec 2025

Recommendations

| Action | Why |
|---|---|
| Never engage with “Signal Support” accounts or provide your PIN via text/email. | The PIN is the key to hijacking your account. |
| Enable Registration Lock (Signal Settings → Privacy). | Prevents others from registering your phone number on a new device. |
| Regularly review linked devices and remove any you do not recognise. | Stops attackers from maintaining persistent access. |
| Educate high‑risk users (politicians, journalists, diplomats) about this phishing vector. | Reduces the likelihood of successful social‑engineering. |

The Norwegian Police Security Service (PST) recently accused Chinese‑backed hacking groups—including Salt Typhoon—of compromising Norwegian organisations by exploiting vulnerable network devices. PST also warned that Russia is closely monitoring military targets and allies, while Iran is surveilling dissidents.

“Chinese intelligence services attempt to recruit Norwegian nationals to gain access to classified data, encouraging them to build ‘human source’ networks via job‑board ads or LinkedIn outreach.”
Source: PST threat brief
