Hackers Target Signal and WhatsApp Accounts

Russian hackers are phishing Signal and WhatsApp accounts. The Netherlands’ military intelligence service and the domestic intelligence agency issued a joint warning that a large-scale, global campaign aims to hijack accounts belonging to dignitaries, military personnel and civil servants by imitating support chatbots to coax targets into revealing their PINs.

In the Dutch alert, the attackers rely on social engineering more than flashy exploits: fake chat helpers ask for verification codes or PINs, then slip into the victim’s inbox to access incoming messages and breach conversations. The message pattern mirrors tactics reported in other countries, where high-value accounts become the gateway to sensitive geopolitical and security discussions. The warning underscores a familiar reality in modern digital espionage: encryption protects content, but it can’t guard against careless disclosure of access credentials.

The development lands in a broader context: last year, U.S. defense officials urged members not to rely on Signal after similar phishing campaigns targeted the platform. That thread—phishers posing as legitimate support to harvest security codes—highlights a persistent vulnerability in even the most encrypted channels: user psychology. If an attacker can extract a PIN or verification code, end-to-end encryption can still shield the messages, but the attacker now sits on the receiving end of them.

For everyday users, the Dutch alert sounds a cautionary note about scale and targets: you don’t need to be a diplomat to become a stepping stone in a broader intrusion. The attack vector is not a vulnerability in the app’s crypto; it’s a failure chain of social engineering. The “trust” built by legitimate-looking support chats becomes the wedge attackers leverage to unlock private conversations. In other words, the strongest defense isn’t only code; it’s credential hygiene and verification discipline.

Two actionable takeaways emerge for real-world use. First, treat any request for verification codes or PINs with extreme skepticism, especially if the message arrives via an in-app chat that claims to be from official support. When in doubt, verify through official channels—open the app directly and contact support from within the app’s own menu or from the official website, not from a link or chat the attacker sent. Second, turn on available platform defenses that add friction to account access. WhatsApp’s two-step verification and related account-security options should be enabled, and users should resist sharing any codes, even if the request comes with claims of “urgent security issues.” For Signal, use the app’s built-in account protections and avoid linking sensitivities to unverified prompts.

Industry watchers view this as less a flaw in Signal or WhatsApp and more a wake-up call about social engineering in secure messaging. Encryption remains a powerful layer, but threat models now routinely include the human element: targets who disclose secrets under pressure, or attackers who mimic trusted channels with alarming realism. In the near term, expect vendors to emphasize explicit verification prompts and clearer warnings around “support” interactions, while governments push for awareness campaigns that show how to spot phishing attempts in private chats.

The Dutch warning, intertwined with confirmed US advisories, signals a continuing campaign pattern rather than a one-off incident. For individuals, the best risk mitigation is simple: never share codes or PINs, verify through independent channels, and keep platform security features engaged.

Sources

Dutch intelligence services warn of Russian hackers targeting Signal and WhatsApp