Germany's domestic intelligence agency (BfV) and cybersecurity authority (BSI) have jointly warned of an active phishing campaign conducted via Signal, the privacy-focused messaging app. The operation targets high-profile individuals from the political, military, diplomatic, and investigative journalism communities throughout Germany and Europe.
What distinguishes this operation is its simplicity: it relies on social engineering rather than exploits or malware. The attackers impersonate "Signal Support" or a fake chatbot called "Signal Security ChatBot" and contact the victim directly, claiming that there is an urgent account issue, that the victim's information may be compromised, and that the only way to protect it is to provide the registration PIN or the SMS code.
If the victim complies, the attacker can register the victim's phone number on a device they control, gaining full access to the following:
1. Profile information
2. Settings
3. Contacts
4. Blocked contacts
The attacker will not have access to any previous messages, but will be able to see any new messages that are sent to that phone and to send new messages using the victim's identity. The real user loses access to their account until they regain control.
A second variant tricks users into scanning a QR code for "device linking" (Signal's legitimate multi-device feature). In this case, the victim keeps using their account normally, unaware that the attacker now sees their chats, including the previous 45 days of history, on the attacker's own linked device.
The agencies note that similar tactics work against WhatsApp (which also supports device linking and two-step verification PINs), and warn that compromised messenger accounts can expose entire networks through group chats, shared documents, or forwarded sensitive information.
Protecting your Signal account is easy, but it takes a lot of vigilance:
1. Never give your Signal registration PIN or the verification code to anyone claiming to be providing assistance.
2. Make sure you have Registration Lock enabled in the app settings (this prevents anyone from registering your number on a new device without your PIN).
3. Check the list of linked devices in Signal -> Settings -> Linked Devices regularly, and remove anything you do not recognize.
4. By default, treat any unsolicited "support" message as suspicious, especially if it claims to be urgent.
5. If you can, turn off SMS-based two-factor authentication (2FA), and use either application-based or hardware 2FA tokens.
Attribution remains unconfirmed in the German advisory, but the technique mirrors campaigns previously linked to Russia-aligned actors such as Star Blizzard (Microsoft), UNC5792 / UAC-0195, and UNC4221 / UAC-0185 (Google Threat Intelligence). A parallel WhatsApp-focused operation called GhostPairing was detailed by Gen Digital in late 2025.
The warning arrives amid broader European threat landscape updates:
1. Norway's PST accused China-linked groups (including Salt Typhoon) of exploiting vulnerable network devices to breach organizations, while highlighting recruitment attempts via LinkedIn and job boards to build human-source networks. PST also noted Iran's persistent targeting of dissidents through compromised email and social media.
2. Poland's CERT Polska attributed coordinated attacks on more than 30 wind/solar farms, a manufacturing firm, and a major CHP plant to the Russian group Static Tundra. All victims had internet-exposed FortiGate VPN interfaces without MFA enabled.
These incidents underscore a persistent reality: even the most secure apps can be undermined by convincing impersonation, and network edge devices remain soft targets when basic hardening (MFA, no WAN exposure) is skipped.
Source: The Hacker News