Germany’s security agencies have put out a warning about an ongoing phishing campaign that’s going after some pretty high-profile targets – politicians, military personnel, diplomats, and journalists across Germany and Europe. What makes this interesting is that the attackers aren’t using malware or exploiting any vulnerability in Signal itself. Instead, they’re abusing the app’s own account-registration and device-linking features to hijack accounts.

The Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) released a joint advisory explaining how this works, and it’s a good reminder that social engineering is still one of the most effective attack methods out there.

How The Scam Works

The attackers are pretending to be “Signal Support” or using fake chatbot accounts called “Signal Security ChatBot” to message potential victims. The pitch is classic phishing: they claim there’s a problem with your account and you’ll lose all your data unless you hand over your PIN or the verification code you just received via SMS.

If someone falls for it and hands over the SMS verification code (plus the PIN, if Registration Lock is turned on), the attackers can register that phone number on a device they control. This gives them access to the victim’s profile, settings, contacts, and block list. They can’t see old messages, because re-registering doesn’t transfer message history, but they can read everything that comes in after that point and send messages as the victim. The real user gets locked out of their account, and the fake “support” account then tells them to just register a new one.

There’s another variant of this attack that uses Signal’s device linking feature. Victims are tricked into scanning, with their own Signal app, a QR code the attacker supplies – the code Signal shows when a new device asks to be linked – which adds the attacker’s device to the victim’s account. This one’s sneakier because the victim keeps access to their account and has no idea anything’s wrong. Meanwhile, the attackers can see the victim’s messages from the last 45 days and monitor everything going forward.

It’s Not Just a Signal Issue

The German authorities pointed out that the same approach could easily work on WhatsApp, which has a similar device linking feature and a PIN as part of its two-step verification. So this isn’t really a Signal-specific problem. It’s about users being tricked into giving away access to their accounts.

The real concern here is what happens after an account gets compromised. It’s not just about reading someone’s private chats. If you get access to a journalist’s or diplomat’s Signal account, you can see their entire network, read group conversations, and potentially compromise other people by impersonating the original victim.

Who’s Behind This?

The campaign hasn’t been officially attributed to anyone yet, but the tactics line up with what we’ve seen from Russian threat groups like Star Blizzard, UNC5792 (also tracked as UAC-0195), and UNC4221 (UAC-0185). Microsoft and Google’s Threat Intelligence Group reported on similar operations from these groups early last year.

It’s also worth noting that Gen Digital documented another campaign called GhostPairing back in December 2025, where criminals were using WhatsApp’s device linking feature to take over accounts for fraud and impersonation.

How to protect yourself – On Signal or WhatsApp

If you’re using Signal (or WhatsApp), there are a few things you should do:

  • Turn on Registration Lock. This is the big one. It stops anyone from registering your phone number on another device without your PIN, so a stolen SMS code alone isn’t enough. Go into Settings > Account > Registration Lock and enable it. WhatsApp’s equivalent is two-step verification, under Settings > Account.
  • Don’t talk to support accounts. Signal doesn’t have support accounts that message you directly. If someone claiming to be Signal Support contacts you, it’s a scam. Full stop.
  • Never give out your PIN. Signal will never ask you for your PIN in a message. If anyone asks for it, they’re trying to steal your account.
  • Check your linked devices regularly. Go into Settings > Linked Devices (both apps have this) and make sure you recognise everything on the list. If you see something you didn’t authorise, remove it immediately. And if the app suddenly logs you out or asks you to register again, don’t assume it’s a glitch – that’s what the takeover looks like from the victim’s side.

Conclusion

This is a good reminder that even privacy-focused apps like Signal can’t protect you if you hand over the keys to your account. The technology is solid, but social engineering still works because it targets the human element.

If you’re someone who might be a target – journalist, activist, government worker, or anyone handling sensitive information – treat any unexpected message with suspicion, even if it looks official. Enable every security feature available, and check your linked devices regularly.

You can read more details about this in the original report from The Hacker News.
