Russian Hackers Are Hijacking Signal and WhatsApp Accounts — Without Breaking Encryption

Signal and WhatsApp are trusted by millions of people worldwide — government officials, journalists, executives, and activists — precisely because of their end-to-end encryption. That trust, it turns out, is exactly what attackers are now exploiting.

A campaign linked to Russian state-sponsored threat actors has been actively compromising messaging accounts belonging to high-value targets in Europe and beyond. The attacks are not technically sophisticated in the traditional sense: no encryption was broken, no zero-day exploited. Instead, attackers manipulate users directly — a reminder that the weakest point in any security system is rarely the software.

According to a joint warning from the Dutch General Intelligence and Security Service (AIVD) and the Dutch Military Intelligence and Security Service (MIVD), the attackers may already have gained access to confidential communications.

“The Russian hackers have likely gained access to sensitive information,” the agencies said.

This post breaks down exactly how these attacks work, who is at risk, and what organizations relying on consumer messaging apps need to do now.

What Dutch Intelligence Agencies Said About the Signal and WhatsApp Attacks

In a joint advisory, the Dutch AIVD and MIVD warned that Russian-linked hackers have likely already obtained access to confidential communications. The agencies confirmed that Dutch government employees and journalists were among those targeted — a significant disclosure that underscores both the breadth and the purposefulness of the campaign.

The warning is notable for what it does not say: the agencies did not claim the platforms themselves were breached. The vulnerabilities exploited are not in Signal's or WhatsApp's code. They are in human behavior.

When an intelligence service states that sensitive information has "likely" been accessed, that language reflects high confidence. Organizations that dismiss this as a problem for other people are misreading the threat.

Why Encrypted Messaging Apps Are Now Prime Espionage Targets

A decade ago, sensitive professional conversations happened over email or in person. Today, they happen on messaging apps. Signal and WhatsApp have effectively replaced email for fast, informal — but often critically sensitive — communication among professionals.

This shift has not gone unnoticed by threat actors. A single compromised messaging account can expose:

  • Ongoing private conversations and decision-making discussions
  • The full contact network of a high-value individual
  • Group chat memberships — revealing organizational relationships
  • Shared documents, images, voice notes, and location data
  • The metadata of who communicates with whom, and how often

For intelligence operations, this is extraordinarily valuable. Gaining access to a journalist's Signal account may reveal confidential sources. Access to a diplomat's WhatsApp could expose negotiating positions.  

This is why the campaign specifically targets government officials, journalists, and security researchers — not random consumers.

How the Attacks Work: A Step-by-Step Breakdown

Understanding the attack mechanics is critical for anyone responsible for organizational security. These are not random opportunistic attacks — they are carefully targeted operations.

Step 1: Target Selection and Research

Attackers identify individuals who hold or discuss information of intelligence value. Social media profiles, conference speaker lists, public databases, and previous data breach records are all used to build detailed dossiers. This research phase makes subsequent phishing attempts far more convincing.

Step 2: Impersonation and Trust Building

The attacker contacts the target while posing as a trusted entity. Common personas include messaging platform support staff, journalists, professional colleagues, or cybersecurity researchers. The message typically references something real — a recent news event, a shared contact, or a plausible security concern — to establish credibility quickly.

Step 3: The Phishing Lure

Two primary techniques have been observed in this campaign:

1. Verification Code Theft: The victim is directed to a fake login page or asked to share the one-time verification code sent to their phone. Sharing this code allows the attacker to register the account on a new device.

2. Malicious QR Code Linking: Both Signal and WhatsApp allow users to link additional devices via a QR code scan. Attackers send victims a QR code disguised as a security verification step. When scanned, the attacker's device is silently added as a linked device on the victim's account.

Step 4: Silent, Persistent Access

This is what makes the attack particularly dangerous. The victim's account continues to function normally on their own device. They receive and send messages as usual. Meanwhile, the attacker's linked device mirrors all incoming messages in real time. Unless the victim specifically checks their linked devices list, the compromise may go undetected for weeks or months.

The encryption was never broken. The attacker simply became an authorized participant in the victim's account — which is functionally the same as breaking it.

The Endpoint Compromise Problem: Why Encryption Isn't Enough

End-to-end encryption protects the transmission of messages between devices. It is a genuine and important security feature. But it has a fundamental limitation: encryption cannot protect a message once it has been decrypted at a legitimate endpoint.

If an attacker gains access to a device or account that is already authorized to decrypt messages, they can read everything. This is called endpoint compromise, and it is one of the most significant unsolved problems in applied cryptography for organizational use cases.

For organizations, this has direct implications. Using Signal or WhatsApp for sensitive internal communication means that security depends entirely on:

  • Every individual user's ability to recognize phishing attempts
  • Every device linked to every account being legitimate and uncompromised
  • Every user proactively monitoring their own account security

This is not a reasonable security posture for an enterprise or government organization. Consumer messaging apps were not designed with organizational security controls in mind. They lack centralized device management, anomaly detection, access revocation, or compliance logging — all of which are standard requirements in enterprise security environments.

Warning Signs: How to Detect a Compromised Messaging Account

Account compromise through linked devices or session hijacking is difficult to detect because the app continues to appear and function normally. However, several signs may indicate unauthorized access:

  • Unfamiliar devices listed under Linked Devices in the app settings (the menu has that name in both Signal and WhatsApp)
  • Verification code SMS messages arriving without you initiating a login
  • Messages appearing as "read" before you have opened them
  • Contacts reporting receiving strange messages or links from your account
  • Unexpected logouts from the application on your primary device
  • Notifications for activity you did not perform

If any of these signs appear, the immediate response should be: remove all linked devices, revoke all active sessions, enable a registration lock or PIN, and notify relevant contacts that the account may have been compromised.

What Individuals Should Do Right Now

Whether or not you believe you have been targeted, the following steps significantly reduce exposure:

1. Audit Your Linked Devices Immediately

Open Signal or WhatsApp settings and review every device currently linked to your account. Remove anything you do not recognize or no longer use. This takes less than two minutes and eliminates any existing unauthorized access via this vector.

2. Enable Registration Lock

Signal's Registration Lock requires a PIN to re-register your number on a new device. WhatsApp offers a two-step verification PIN. Both add a meaningful barrier against unauthorized account takeover. Enable them now if you haven't.

3. Never Share Verification Codes

No legitimate platform, service, or support team will ever ask you to share a one-time verification code via message. If anyone — regardless of how convincingly they are impersonating a colleague or support representative — asks for your verification code, it is an attack. End the conversation.

4. Verify Unusual Requests Out-of-Band

If a contact sends an unexpected request — particularly one involving security, verification, or clicking a link — verify it through a separate channel (a phone call, a different app, or in person). Attackers exploit the implicit trust of receiving a message from a known contact.

5. Be Skeptical of QR Codes in Security Contexts

A QR code sent to you as part of a "security check" or "verification process" for a messaging app should be treated with immediate suspicion. Legitimate platforms do not proactively send QR codes for you to scan via external messages.
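As an added illustration (not code from this post, from Signal or from WhatsApp), the toy Python model below ties together the linked-device mechanism from the attack breakdown above and the first two steps in this section: the registration-lock check shows why a phished verification code alone stops working once a PIN is set, and the audit flags a linked device the owner never approved. The phone number, device names, dates and PIN are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class LinkedDevice:
    name: str
    linked_at: str  # constructed ISO date; not a real app export format

@dataclass
class Account:
    phone: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pin_hash: Optional[bytes] = None  # None means registration lock is off
    devices: List[LinkedDevice] = field(default_factory=list)

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def enable_registration_lock(self, pin: str) -> None:
        """Keep only a salted PBKDF2 hash of the PIN, never the PIN itself."""
        self.pin_hash = self._derive(pin)

    def reregister(self, sms_code_valid: bool, pin: Optional[str]) -> bool:
        """New-device registration: a (phished) SMS code alone succeeds only while no lock is set."""
        if not sms_code_valid:
            return False
        if self.pin_hash is None:
            return True
        return pin is not None and hmac.compare_digest(self.pin_hash, self._derive(pin))

    def unrecognized_devices(self, known: Set[str]) -> List[str]:
        """Linked-device audit: names of devices the owner does not recognize."""
        return [d.name for d in self.devices if d.name not in known]

    def remove_unrecognized(self, known: Set[str]) -> int:
        """First response step from the post; returns how many devices were dropped."""
        before = len(self.devices)
        self.devices = [d for d in self.devices if d.name in known]
        return before - len(self.devices)

def sample_account() -> Account:
    """Constructed state: two devices the owner set up and one she did not."""
    acct = Account(phone="+31-6-PLACEHOLDER")
    acct.devices = [LinkedDevice("My laptop", "2024-01-10"),
                    LinkedDevice("My tablet", "2024-03-02"),
                    LinkedDevice("Desktop", "2024-05-19")]  # added via a phished QR scan
    return acct
```

Running the audit against the set of devices you actually own is the two-minute check from step 1; the `reregister` calls make the step 2 argument concrete.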

Why Organizations Cannot Rely on Consumer Messaging Apps for Sensitive Communication

The fundamental challenge is not that Signal and WhatsApp are poorly built — they are not. The challenge is that they were designed for individuals, not organizations. The security model assumes a single user managing their own account. It does not include the controls that organizations require.

When a company or government agency uses consumer messaging apps for sensitive internal communication, they inherit all of the platform's individual-account security model — along with all of its limitations. There is no ability to:

  • Centrally monitor or audit which devices are connected to employee accounts
  • Remotely revoke access when an employee leaves or a device is compromised
  • Detect anomalous access patterns that might indicate compromise
  • Enforce authentication policies across the organization
  • Maintain communication logs for compliance or incident response purposes
  • Prevent data exfiltration through personal device links

A single employee falling for a QR code phishing attempt can give an attacker persistent access to that employee's internal conversations — and potentially, through those conversations, insight into other employees and sensitive decisions. The organization has no visibility into this, no way to detect it, and no automated means to stop it.

The question for organizations is not whether consumer messaging apps have good encryption. They do. The question is whether encryption alone is sufficient for organizational security. It is not.

How RealTyme Addresses What Consumer Messaging Apps Cannot

RealTyme is a secure communication platform designed specifically for organizations that need more than consumer-grade messaging security. The key differences are structural, not cosmetic.

Controlled Device and Identity Management

Unlike consumer apps where any device can be linked by scanning a QR code, RealTyme provides centralized control over which devices can access organizational communications. Administrators can verify, approve, and revoke device access — eliminating the attack vector exploited in this campaign.

Strong Authentication Architecture

RealTyme enforces organization-wide authentication policies, ensuring that access to sensitive communications requires verified identity — not just possession of a phone number. This directly addresses the verification code theft technique used by attackers.

Real-Time Access Monitoring and Revocation

If an account shows signs of compromise, or if an employee departs, access can be revoked immediately and organization-wide. There is no equivalent capability in consumer messaging apps.

Designed for Compliance and Incident Response

Organizations operating in regulated environments or with security obligations require audit trails and governance over their communications. RealTyme provides this; Signal and WhatsApp do not.

The attacks described in this post are sophisticated in their social engineering but not in their technical execution. They succeed because consumer apps give individuals, but not organizations, the tools to prevent them. RealTyme is built on the premise that organizational security requires organizational controls.

The Takeaway: Encryption Is Necessary, But Not Sufficient

The Russian-linked campaign targeting Signal and WhatsApp accounts is not an encryption failure. It is a demonstration that encryption, however strong, cannot compensate for absent organizational security controls.

The organizations and individuals most at risk are those who have assumed that using an encrypted app is equivalent to having a secure communication policy. It is not. Secure communication requires the right technology — and the right controls around that technology.

For journalists, government employees, and security researchers: audit your linked devices, enable registration locks, and treat any verification request with skepticism.  

For organizations: evaluate whether a consumer messaging app is the right tool for conversations that matter.

Encryption protects the wire. Secure communication platforms protect the conversation — including the people having it.

Protect Your Organization's Sensitive Communications

If your team uses Signal, WhatsApp, or other consumer messaging apps to discuss anything sensitive, the vulnerabilities described in this post apply to you. RealTyme helps organizations move from consumer-grade convenience to enterprise-grade security — without sacrificing the speed and ease of modern messaging.

Request a demo and see how RealTyme can secure your organization's communications

or download our guide: Secure Messaging for Government Agencies.

Frequently Asked Questions

Was Signal actually hacked in this attack?  

No. Signal's encryption and infrastructure were not breached. Attackers did not break Signal's code — they manipulated individual users into granting access to their accounts through phishing and fake QR codes. The platform itself remains cryptographically secure; the vulnerability is in human behavior, not the software.

How can I check if my Signal or WhatsApp account has been compromised?  

Open your app settings and navigate to Linked Devices (the menu has that name in both Signal and WhatsApp). Any device you don't recognize should be removed immediately. Also check whether messages are appearing as read before you've opened them, or whether contacts are reporting unusual messages from your account.

Can hackers read Signal messages if they hijack your account?

Yes. If an attacker successfully links their device to your Signal account, they can read the messages delivered to your account, just as your own devices do. The encryption protecting messages during transmission remains intact, but the attacker becomes an authorized participant in the conversation.

What is the difference between end-to-end encryption and endpoint security?  

End-to-end encryption protects messages while they travel between devices — nobody intercepting the transmission can read them. Endpoint security protects the device or account where messages are decrypted and read. This attack bypasses encryption entirely by compromising the endpoint: once an attacker is linked to your account, they read messages after decryption, just like you do.

Are government agencies and journalists allowed to use Signal or WhatsApp for official communication?  

Policies vary by country and organization, but many government bodies explicitly prohibit or discourage using consumer messaging apps for official or sensitive communication — precisely because of the lack of centralized oversight, audit trails, and access controls. The AIVD/MIVD advisory, which confirms that Dutch government employees were among those targeted, suggests some officials were using these platforms despite the risks.

What is the difference between Signal and an enterprise secure messaging platform like RealTyme?  

Signal is built for individuals and gives each user control over their own account security. Enterprise platforms like RealTyme add an organizational layer: administrators can centrally manage which devices have access, enforce authentication policies, revoke access instantly, and maintain audit logs. When an employee is compromised or leaves, an organization using RealTyme can act immediately. An organization using Signal cannot.

Can RealTyme replace Signal for organizational use?  

Yes. RealTyme is designed as a drop-in replacement for consumer messaging apps in professional and government environments — offering the speed and convenience of modern messaging with the security controls that organizations actually require. Unlike Signal, it is built around the assumption that security must be managed at the organizational level, not left to individual users.