Russia’s Global Messaging Hack: Targeting Officials and Journalists Through Signal and WhatsApp

Dutch intelligence agencies — the General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD) — have warned about a coordinated cyber campaign conducted by Russian-backed hackers targeting accounts on the messaging platforms Signal and WhatsApp. The operation primarily focuses on government officials, military personnel, and journalists, suggesting a deliberate attempt to gain access to sensitive communications and intelligence.

According to the Dutch intelligence services, attackers are not exploiting vulnerabilities in the platforms’ encryption systems. Instead, they rely on social engineering to manipulate users into revealing verification codes or into linking an attacker-controlled device to their account. By impersonating support services such as “Signal Support,” the attackers persuade victims to disclose the registration code or the account PIN, which lets them take over the account and read its group chats.

The campaign reflects a broader pattern in which Russia uses cyber operations as part of its hybrid warfare strategy against Western states. Access to private communications allows Russian intelligence services to monitor political discussions, analyze contact networks, and gather information related to policy decisions, including issues such as military support to Ukraine. In addition to intelligence collection, such operations may enable influence activities, including the selective leaking or manipulation of private messages to discredit officials, journalists, or institutions.

This cyber campaign demonstrates how Russia increasingly combines cyber espionage with information operations to influence political processes and public opinion in Europe. By targeting individuals rather than technological infrastructure, attackers can bypass strong encryption and exploit human vulnerabilities.

For European governments, the incident highlights the growing importance of digital hygiene and user awareness in protecting sensitive communications. While secure messaging platforms remain technically robust, the security of communications ultimately depends on how users manage authentication codes, connected devices, and suspicious messages. Strengthening cyber awareness, implementing two-factor authentication, and regularly monitoring account activity are therefore critical steps to reduce the risk of similar attacks in the future.

The Dutch General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service of the Netherlands (MIVD) have warned that Russian-backed hackers have launched a global cyber campaign aimed at gaining access to Signal and WhatsApp accounts used by officials, military personnel, and journalists.

“Russian hackers have likely obtained access to confidential information. Targets and victims of the campaign include employees of the Dutch government and journalists,” the intelligence services said.

Cyberattacks against private communications are increasingly used by Russia as a tool of hybrid warfare against Western states to gather intelligence and influence political processes. In chats initiated by hackers, users are persuaded to disclose security verification codes and PIN codes, giving attackers access to personal accounts and group chats.

Hackers most often disguise themselves as a Signal Support chatbot to encourage victims to reveal verification codes, allowing them to gain control of the accounts. Another method involves exploiting the “linked devices” feature in Signal, which allows an external device to be connected to an account and gain access to correspondence.

Russia systematically uses cyber operations as a tool of hybrid warfare against EU countries. In addition to traditional attacks on critical infrastructure, the Kremlin increasingly targets the personal devices of officials, military personnel, and journalists.

By gaining access to private messaging accounts, Russian intelligence services can intercept communications, analyze contact networks, and collect valuable information.

The hacking campaign targeting Signal and WhatsApp users is linked to Russia’s broader strategy in the war against Ukraine and its confrontation with the West. Access to communications of government officials and journalists allows Russian intelligence services to collect intelligence on political decisions, military assistance to Ukraine, and other sensitive matters.

Such attacks may also be used to search for compromising materials that could later become instruments of political pressure or information operations. In this way, Moscow seeks to influence decision-making processes and public opinion in the Netherlands and other European countries.

These operations also create opportunities for information and disinformation campaigns. By obtaining access to private chats, Russian intelligence services may leak fragments of conversations or manipulate them. Such materials can be used to discredit politicians, journalists, or government institutions. Cyber espionage thus becomes a tool for influencing domestic politics in European countries.

Despite the scale of the cyber campaign, there is no evidence that the Signal and WhatsApp platforms themselves have been technically compromised. In most cases, attackers gain access not by breaking encryption systems but by manipulating users and stealing verification codes.

This means that the threat affects individual accounts rather than the infrastructure of the services. Such tactics allow Russian hackers to bypass security systems and achieve their objectives through the human factor.

Signs of account compromise can be subtle, but some indicators should raise concern. For example, if contacts appear twice in the contact list, or known numbers suddenly show as “deleted accounts,” this may indicate that someone has interfered with the account. Such anomalies are often reported after an external device has gained access to the account.

Therefore, users should regularly check their security settings and the list of connected devices.

Despite the strong encryption of Signal and WhatsApp, account security ultimately depends on user behavior. One of the most common methods of hacking is obtaining the six-digit verification code or PIN through phishing or deception.

Sharing such codes with third parties allows attackers to gain access to all chats and contacts. For this reason, cybersecurity experts emphasize that these codes should never be shared with other individuals or chatbots.

Given the growing cyber threat landscape, governments and users should pay greater attention to digital hygiene. Important measures include enabling the app’s registration protection (in Signal this is Registration Lock, backed by the Signal PIN; in WhatsApp it is two-step verification) and regularly checking the list of connected devices.

Users should also avoid clicking suspicious links or interacting with fake support services. Only a combination of technological protection and user awareness can significantly reduce the risk of such attacks.

Likely Perpetrators Behind the WhatsApp and Signal Attacks in the Netherlands

Most Probable Actor: APT28 (Fancy Bear)

Affiliation

APT28 operates under Russia’s military intelligence service, the Main Directorate of the General Staff (GRU).

Why APT28 is the leading suspect

APT28 specializes in:

  • phishing campaigns
  • credential harvesting
  • targeting government officials and journalists.

These methods match the tactics described by the Dutch intelligence agencies.

APT28 has repeatedly targeted:

  • NATO governments
  • European ministries
  • journalists and political elites.

Their operations often focus on access to communications rather than system destruction, making messaging platforms attractive targets.

Possible Supporting Actor: Sandworm

Affiliation

Sandworm is another unit of the GRU.

Typical activity

Sandworm usually conducts:

  • disruptive cyber operations
  • infrastructure attacks.

Examples include:

  • Ukraine power grid cyberattack
  • NotPetya cyberattack.

Likelihood

Sandworm is less likely to be the primary actor in this type of espionage campaign but may participate in broader coordinated cyber operations.

Alternative Possibility: APT29 (Cozy Bear)

Affiliation

APT29 is linked to Russia’s foreign intelligence service, the Foreign Intelligence Service (SVR).

Known operations

The group conducted:

  • the SolarWinds cyberattack.

APT29 typically conducts long-term stealth espionage against government networks rather than large-scale social engineering campaigns targeting messaging apps.

Attribution Probability

Actor               Affiliation   Probability
APT28 (Fancy Bear)  GRU           High
Sandworm            GRU           Medium
APT29 (Cozy Bear)   SVR           Low–Medium

Strategic Purpose of the Campaign

The campaign likely serves several intelligence objectives:

  1. Access to government communications
    Hackers can monitor discussions among officials and journalists.
  2. Mapping political networks
    Contact lists reveal who communicates with whom.
  3. Intelligence on Ukraine policy
    European decisions regarding military aid and sanctions may be discussed in private chats.
  4. Information operations
    Stolen messages could later be leaked or manipulated to discredit officials.

Strategic Context

The Netherlands is a frequent target of Russian cyber operations due to:

  • its NATO membership
  • its support for Ukraine
  • its role in investigations into Russian activities such as the MH17 shootdown.

This makes Dutch officials and journalists attractive targets for Russian intelligence.

✅ Bottom line:
The most plausible actor behind the attacks on Signal and WhatsApp accounts in the Netherlands is APT28 (Fancy Bear), a GRU-linked cyber espionage group, operating as part of Russia’s broader hybrid warfare strategy against European governments.

How Russian Hackers Technically Compromise Signal Accounts

Executive Overview

Signal’s end-to-end encryption architecture is considered highly secure, and there is no evidence that Russian cyber groups can break its cryptographic system directly. Instead, attackers focus on exploiting the human factor and account-management features to gain unauthorized access.

Russian cyber operations linked to groups such as APT28 typically rely on social engineering, authentication code theft, and device linking to hijack accounts without compromising Signal’s encryption itself.

Verification Code Phishing

Method

Signal accounts are tied to a phone number, and registering that number on a device requires a six-digit verification code delivered by SMS or voice call. If the user has enabled Registration Lock, re-registering the number additionally requires the Signal PIN, which is why the lures typically ask for both.

Attackers attempt to obtain this code through social engineering.

Typical techniques include:

  • impersonating Signal support or security alerts
  • sending messages claiming an account problem
  • requesting the victim to share the verification code.

Once attackers obtain the code (and, where Registration Lock is on, the PIN), they can register the phone number on their own device. The victim’s app is dropped from the account, new messages go to the attacker, and the victim’s contacts see a safety-number change warning. Existing chat history is not transferred, because Signal stores it only on the device.

Linked Devices Exploitation

Method

Signal allows users to connect additional devices (such as desktops or tablets) using the “Linked Devices” feature.

Hackers exploit this feature by:

  1. generating a linking QR code on an attacker-controlled device and presenting it to the victim as something harmless
  2. getting the victim to scan it with Signal, which links the attacker’s device under whatever display name the attacker chose.

Once linked, attackers gain:

  • real-time access to conversations
  • visibility into contacts and group chats.

The victim’s phone may continue functioning normally, making the breach difficult to detect.
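To make the linking flow concrete, here is a small model written for this article (not Signal’s code or protocol). In real Signal the new device generates an ephemeral key pair and shows a QR code of the form sgnl://linkdevice?uuid=…&pub_key=…; the phone scans it and sends a provisioning message, encrypted to that key, carrying the account’s identity keys. The model replaces the encryption with a rendezvous lookup, assumes the new device chooses its own display name, and uses constructed device names, a constructed phone number and a constructed message. What it shows is that the phone has no way to tell who generated the QR, that every message to the account is fanned out to the attacker’s device while the victim’s phone keeps working, and that a device audit by name can be fooled while an audit by count cannot.

```python
"""Model of linking a second device to an account by scanning a QR code.

Written for this article as an illustration; it is not Signal's code. Encryption
is replaced by a rendezvous lookup; names, number and message are constructed.
"""
import secrets
from urllib.parse import parse_qs


class ProvisioningChannel:
    """Server-side rendezvous: the QR's uuid names a mailbox only the QR's author reads."""
    def __init__(self):
        self.waiting = {}

    def open(self, device):
        uuid = secrets.token_hex(8)
        self.waiting[uuid] = device
        return uuid

    def deliver(self, uuid, message):
        device = self.waiting.pop(uuid)
        device.accept_provisioning(message)
        return device


class NewDevice:
    """Any device wanting a copy of the account: the owner's laptop or the attacker's box."""
    def __init__(self, display_name, owner):
        self.display_name = display_name   # model assumption: the new device picks its own name
        self.owner = owner
        self.pub_key = "pk-" + secrets.token_hex(4)   # stands in for the ephemeral public key
        self.identity_key = None
        self.inbox = []

    def linking_qr(self, channel):
        return f"sgnl://linkdevice?uuid={channel.open(self)}&pub_key={self.pub_key}"

    def accept_provisioning(self, message):
        self.identity_key = message["identity_key"]


class PrimaryPhone:
    def __init__(self, phone):
        self.phone = phone
        self.identity_key = secrets.token_hex(16)
        self.inbox = []
        self.linked = []   # dicts with id, name, linked_at, device (primary itself is device 1)

    def scan_qr(self, uri, channel):
        """The user scans a linking QR and taps 'Link device'. The phone sees only a uuid
        and a public key; nothing in the QR says who generated it."""
        q = parse_qs(uri.split("?", 1)[1])
        uuid, pub_key = q["uuid"][0], q["pub_key"][0]
        device = channel.deliver(uuid, {"identity_key": self.identity_key, "encrypted_to": pub_key})
        self.linked.append({"id": len(self.linked) + 2, "name": device.display_name,
                            "linked_at": len(self.linked) + 1, "device": device})

    def receive(self, sender, text):
        """Incoming messages are delivered to every device on the account."""
        msg = (sender, text)
        self.inbox.append(msg)
        for entry in self.linked:
            entry["device"].inbox.append(msg)

    def unexpected_by_name(self, expected_names):
        return [d["id"] for d in self.linked if d["name"] not in expected_names]

    def unexpected_by_count(self, expected_count):
        # Oldest links first; anything beyond the number the user remembers adding is suspect.
        return [d["id"] for d in self.linked[expected_count:]]


def run_attack():
    channel = ProvisioningChannel()
    victim = PrimaryPhone("+31600000001")                           # constructed number
    laptop = NewDevice("Signal Desktop", owner="victim")
    victim.scan_qr(laptop.linking_qr(channel), channel)            # the victim's real laptop

    attacker_box = NewDevice("Signal Desktop", owner="attacker")   # same display name on purpose
    lure = attacker_box.linking_qr(channel)                        # delivered to the victim disguised as something else
    victim.scan_qr(lure, channel)

    victim.receive("colleague", "draft memo on the aid package")   # constructed message
    return {
        "attacker_has_identity": attacker_box.identity_key == victim.identity_key,
        "attacker_reads_messages": attacker_box.inbox == victim.inbox,
        "phone_still_works": victim.inbox == [("colleague", "draft memo on the aid package")],
        "audit_by_name": victim.unexpected_by_name({"Signal Desktop"}),   # [] : name check fooled
        "audit_by_count": victim.unexpected_by_count(1),                  # [3]: one device too many
    }


if __name__ == "__main__":
    for key, value in run_attack().items():
        print(f"{key:25} {value}")
```

The practical takeaway is the audit at the end: because the display name is supplied by the linked device, checking the Linked Devices list for unfamiliar names is not enough; count the entries against the devices you actually set up, and remove anything beyond that.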

SIM-Swap Attacks

Method

Attackers convince a mobile operator to transfer the victim’s phone number to a new SIM card controlled by the attacker.

Once the phone number is hijacked:

  1. attackers request a new Signal verification code
  2. the code is sent to the hijacked SIM card
  3. attackers register the Signal account on their device.

This technique allows complete takeover of the account unless Registration Lock is enabled, in which case the attacker also needs the PIN, which is why the phishing lures described above ask for it as well.
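The interaction between verification-code phishing, SIM swapping and Registration Lock, as an added example written for this article rather than Signal’s own code or protocol. Real Signal registration runs a server-side verification session and checks the PIN against Signal’s Secure Value Recovery service; in this model the server and the carrier are dictionaries, and the phone number, device names and PIN are constructed values. The three scenarios show that a phished code alone takes over an unlocked account, that a SIM swap is stopped by Registration Lock, and that a phished PIN defeats it again.

```python
"""Model of phone-number registration with a Registration Lock PIN.

Written for this article as an illustration; it is not Signal's code or protocol.
The server, the carrier, the phone number and the PIN are all constructed.
"""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    phone: str
    device: str               # device that currently holds the registration
    identity_key: str         # new on every registration: contacts see a safety-number change
    lock_pin: Optional[str]   # Registration Lock PIN, None if the user never enabled it


class RegistrationServer:
    def __init__(self):
        self.accounts = {}    # phone -> Account
        self.pending = {}     # phone -> one-time verification code
        self.carrier = {}     # phone -> party whose SIM currently receives that number's SMS

    def request_code(self, phone):
        """Issue a six-digit code and 'text' it to whoever the carrier routes the number to."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = code
        return self.carrier.get(phone, "nobody"), code

    def register(self, phone, code, device, pin=None):
        """Bind the number to `device`. Needs a valid code, plus the PIN if the account is locked."""
        if self.pending.get(phone) != code:
            return "rejected: wrong or expired code"
        current = self.accounts.get(phone)
        if current and current.lock_pin is not None and pin != current.lock_pin:
            return "rejected: Registration Lock PIN required"
        del self.pending[phone]                    # codes are single-use
        lock_pin = current.lock_pin if current else None
        self.accounts[phone] = Account(phone, device, secrets.token_hex(16), lock_pin)
        return "registered"


VICTIM = "+31600000001"   # constructed number for the example


def victim_account(lock_pin=None):
    """Victim registers on their own phone, then optionally turns on Registration Lock."""
    srv = RegistrationServer()
    srv.carrier[VICTIM] = "victim"
    _, code = srv.request_code(VICTIM)
    srv.register(VICTIM, code, "victim-phone")
    srv.accounts[VICTIM].lock_pin = lock_pin
    return srv


def phished_code_takeover():
    """Attacker triggers a code, the SMS lands on the victim's own phone, and a fake
    'Signal Support' chat talks the victim into reading it back."""
    srv = victim_account()
    old_identity = srv.accounts[VICTIM].identity_key
    holder, code = srv.request_code(VICTIM)       # holder == "victim": no SIM swap needed
    result = srv.register(VICTIM, code, "attacker-phone")
    acct = srv.accounts[VICTIM]
    return holder, result, acct.device, acct.identity_key != old_identity


def sim_swap_takeover(lock_pin=None, phished_pin=None):
    """Carrier ports the number to the attacker's SIM, so the code arrives directly.
    With Registration Lock on, the code alone is not enough; a phished PIN is."""
    srv = victim_account(lock_pin)
    srv.carrier[VICTIM] = "attacker"
    holder, code = srv.request_code(VICTIM)
    result = srv.register(VICTIM, code, "attacker-phone", pin=phished_pin)
    return holder, result, srv.accounts[VICTIM].device


if __name__ == "__main__":
    print("phished code:          ", phished_code_takeover())
    print("SIM swap, no lock:     ", sim_swap_takeover())
    print("SIM swap, lock on:     ", sim_swap_takeover(lock_pin="4471"))
    print("SIM swap + phished PIN:", sim_swap_takeover(lock_pin="4471", phished_pin="4471"))
```

Note the fourth return value of the phished-code scenario: the identity key changes on re-registration, which is what surfaces to the victim’s contacts as a safety-number change, so that warning is worth taking seriously rather than dismissing.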

Fake Chatbots and Support Accounts

Method

Hackers impersonate official support services.

Example scenario:

  • a victim receives a message from an account claiming to be “Signal Support”
  • the attacker claims suspicious activity has been detected
  • the victim is asked to confirm a verification code or PIN.

In reality, this information grants attackers full access to the account.

Malware on Personal Devices

In some advanced operations, attackers deploy malware on a victim’s device.

This can allow them to:

  • capture screenshots of conversations
  • record keystrokes
  • access Signal data stored on the device.

However, this method is less common than social engineering because it requires more technical resources.

Contact Network Exploitation

Once hackers access a Signal account, they often move laterally by:

  • messaging the victim’s contacts
  • requesting security codes from them as well
  • spreading the compromise through trusted networks.

This technique allows attackers to infiltrate entire communication networks of officials or journalists.

Why These Attacks Work

The key vulnerability lies not in Signal’s encryption but in user behavior.

Attackers exploit:

  • trust in contacts
  • lack of cybersecurity awareness
  • urgency created by fake security alerts.

This allows hackers to bypass strong encryption systems without attacking them directly.

Indicators of a Compromised Signal Account

Users should watch for warning signs such as:

  • unknown or extra devices appearing in the Linked Devices list
  • contacts appearing duplicated
  • messages sent without the user’s knowledge
  • a verification-code SMS or call the user did not request, or the app suddenly reporting the number as unregistered.

How to Prevent Signal Account Compromise

Recommended security measures include:

  • setting a Signal PIN and enabling Registration Lock (Signal’s equivalent of two-factor authentication; WhatsApp offers two-step verification)
  • never sharing verification codes or the PIN with anyone, including accounts claiming to be support
  • regularly checking the Linked Devices list and removing any device not set up by the user
  • not scanning QR codes or opening links received in chat, and ignoring messages from “support” accounts.

Strategic Implication

Cyber campaigns targeting Signal users illustrate a broader shift in modern cyber espionage: attackers increasingly target people rather than technology.

Even the most secure encrypted platforms remain vulnerable if attackers can manipulate users into granting access. For governments and journalists, protecting secure communications therefore requires both technological security and strong digital hygiene practices.