Skip to main content
Emerging Threats

Russia Targets Signal Users in Germany with Social Engineering Hacks

European cityscape with technology hint, person walking in distance.

"First, it's important to be precise when it comes to critical infrastructure like Signal. Signal was not 'hacked' - in that our encryption, infrastructure and the integrity of the app's code was not compromised," Signal said in a lengthy statement posted to X.

The message came as German officials and independent reporters disclosed a wave of social‑engineering attacks on the encrypted messaging app Signal that targeted members of the German government. German authorities have said Russia was "probably" behind the campaign, and Signal has defended its technical integrity while warning that the attacks exploit user trust rather than a flaw in its encryption or infrastructure.

Signal's statement, mitigation steps, and user guidance

Signal drew a clear line between an app compromise and a social‑engineering campaign: its encryption, infrastructure and app code remained intact, the company said. It also framed the incidents as a class of problem that affects "any mainstream messaging app once it reaches the scale of Signal," and promised "a number of changes to help hinder these kinds of attacks" in the coming weeks.

Signal urged users to remain vigilant: "For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock)." The platform said it would take technical and user‑facing steps to make the tactics used by attackers less viable.

The QR‑code social‑engineering technique described by Google

Public details about the attack technique trace back to Google researchers. In February 2025 Google warned that Russian military intelligence hackers had targeted Ukrainian Signal users with social engineering that relied on malicious QR codes abusing Signal's linked‑devices function. The codes were often presented as group chat invites, and successful attacks provided "access to the victims' messages on the attacker's device," Google wrote.

Google also forecasted that "the tactics and methods used to target Signal will grow in prevalence in the near term and proliferate to additional threat actors and regions outside the Ukrainian theater of war." The German incidents are consistent with that prediction: researchers and reporters say the same QR‑code approach surfaced in attacks affecting European officials.

Evidence cited linking the campaign to Russia

Investigative reporting from Correctiv and follow‑up coverage by outlets including Der Spiegel laid out multiple technical and infrastructure links to Russian actors. Correctiv reported use of a Russian "bulletproof hosting" provider named Aeza — a provider that, the article notes, has been sanctioned by both the United States and the United Kingdom — and identified the Russia‑linked Defisher phishing tool in the campaign.

Germany's Federal Office for the Protection of the Constitution and the Federal Office for Information Security have said they received intelligence pointing to "a likely state controlled cyber actor" trying phishing attacks against "high‑ranking individuals in politics, the military and diplomacy," as well as investigative journalists. A BSI spokesman told ISMG: "The government assumes that the phishing campaign against the Signal messaging service was controlled from Russia." Outside Germany, Dutch intelligence publicly blamed the Kremlin for similar Signal and WhatsApp attacks, French cyber authorities issued warnings, and the FBI and Cybersecurity and Infrastructure Security Agency said "cyber actors associated with the Russian Intelligence Services" were behind a global wave of attacks.

Who inside Germany was affected

Reporting tied the campaign to figures at the center of German politics and administration. Der Spiegel reported that Bundestag President Julia Klöckner had been targeted — a high‑profile case given her recent public comments about the need for institutional cybersecurity — and that Chancellor Friedrich Merz's phone was subsequently checked by security services because he had been in a Signal group chat with Klöckner; no compromise was found.

Other individuals reported as victims included housing minister Verena Hubertz and education minister Karin Prien. Correctiv earlier named Arndt Freytag von Loringhoven, a former vice‑president of the German foreign intelligence service, as a victim. The government, as a matter of policy, has not confirmed the identities of victims and a BSI spokesman declined to comment on a Der Spiegel number that 300 people had been affected.

How technologists, policymakers, and end users are responding

  • Technologists and security teams: Signal signalled forthcoming technical changes to blunt the QR‑code and linked‑device phishing vector; Germany's own BundesMessenger — released by the defense ministry's IT services provider BWI at the end of 2023 — remains a domestic alternative already in use for public administration workers.
  • Policymakers and regulators: The campaign has added momentum to a broader European sovereignty push away from apps "they can't control," a trend Politico captured with Brandon De Waele's comment that "Everyone in Europe is getting more and more awake on sovereignty."
  • End users and officials: National agencies have circulated advisories and pamphlets (the BSI directed people to its existing guidance), while Signal and other authorities have urged users to enable registration locks and refuse any requests for verification codes or PINs from accounts claiming to be support.

The incident illustrates how a simple piece of social engineering — a QR code presented as a chat invite — can put sensitive conversations at risk even when an app's encryption remains sound. With multiple European governments and international agencies pointing to the same patterns and infrastructure, the coming weeks will test whether platform mitigations and heightened vigilance can interrupt a campaign that security researchers warned in February 2025 would spread beyond Ukraine.

Source: govinfosecurity.com