Russian state-sponsored hackers are running a global campaign to compromise Signal and WhatsApp accounts belonging to government officials, military personnel, diplomats, and journalists, according to a public advisory from Dutch intelligence agencies that reveals how even encrypted messaging can be vulnerable to social engineering.
The operation, disclosed Monday by the MIVD and AIVD (Dutch military and domestic intelligence services), targets high-value individuals including government dignitaries, armed forces members, civil servants, and journalists. Dutch government employees have already been compromised, suggesting this is an active and successful campaign rather than just an emerging threat.
What makes this interesting from a technical perspective is that the attackers aren't exploiting vulnerabilities in Signal or WhatsApp themselves. Both platforms use the Signal Protocol, an end-to-end encryption system that's considered cryptographically sound. Breaking that encryption would require computational resources that even nation-state actors likely don't have.
Instead, the Russians are using social engineering—the oldest trick in the book, and still one of the most effective.
Here's how it works. Attackers trigger a legitimate verification code by initiating account registration with the victim's phone number. Then they impersonate customer support, convincing the target to share that verification or PIN code. The victim thinks they're securing their account. In reality, they're handing over the keys.
The second technique leverages the apps' "linked devices" feature. Attackers persuade users to scan malicious QR codes or click suspicious links, which grants access to the victim's chats and message history on a device the attacker controls. Once that device is linked, the attacker can read everything—past and future messages—because the encryption protects messages in transit, not messages on a device that's been granted legitimate access.
Dutch intelligence director Simone Smit was careful to clarify that "individual user accounts are being targeted" rather than the platforms themselves. That's an important distinction, because it means this isn't a vulnerability that Signal or WhatsApp can patch. The apps are working as designed. The problem is that humans can be tricked into granting access.
