Germany Warns of Signal Account Hijacking Targeting Senior Figures

Germany's domestic intelligence agency is warning of suspected state-sponsored threat actors targeting high-ranking individuals in phishing attacks via messaging apps like Signal. The attacks combine social engineering with legitimate features to steal data from politicians, military officers, diplomats, and investigative journalists in Germany and across Europe.

The security advisory is based on intelligence collected by the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI). "A defining characteristic of this attack campaign is that no malware is used, nor are technical vulnerabilities in the messaging services exploited," the two agencies inform.

According to the advisory, the attackers contact the target directly, pretending to be from the support team of the messaging service or the support chatbot. "The goal is to covertly gain access to one-to-one and group chats as well as contact lists of the affected individuals," the agencies state.

Two Attack Variants

There are two versions of these attacks: one that performs a full account takeover, and one that pairs the account with the attacker's device to monitor chat activity.

In the first variant, the attackers impersonate Signal's support service and send a fake security warning to create a sense of urgency. The target is then tricked into sharing their Signal PIN or an SMS verification code, which allows the attackers to register the account to a device they control. Then they hijack the account and lock out the victim.

Attackers impersonating Signal support in direct message Source: BSI

In the second case, the attacker uses a plausible ruse to convince the target to scan a QR code. This abuses Signal's legitimate linked-device feature that allows adding the account to multiple devices (computer, tablet, phone). The result is that the victim account is paired with a device controlled by the bad actor, who gets access chats and contacts without raising any flags.

QR Code Abuse

The QR code pairing technique has been observed in multiple threat campaigns. Last year, Google threat researchers reported that this technique was employed by Russian state-aligned threat groups such as Sandworm. Ukraine's Computer Emergency Response Team (CERT-UA) also attributed similar attacks to Russian hackers, targeting WhatsApp accounts.

However, multiple threat actors, including cybercriminals, have since adopted the technique in campaigns like GhostPairing to hijack accounts for scams and fraud. The German authorities warn that while these attacks were observed on Signal, WhatsApp also supports similar functionality and could be abused in the same way.

Although Signal lists all devices attached to the account under Settings > Linked devices, users rarely check it. This oversight allows attackers to maintain persistent access to compromised accounts without detection.

Protection Measures

The German authorities suggest several protective measures for users:

• Avoid replying to Signal messages from alleged support accounts, as the messaging platform never contacts users directly
• Block and report suspicious accounts that claim to be from Signal support
• Enable the 'Registration Lock' option under Settings > Account, which requires a PIN whenever someone tries to register your phone number with the application
• Regularly review the list of devices with access to your Signal account under Settings → Linked devices, and remove unrecognized devices

Since the registration PIN is essential for account recovery, losing it can result in losing access to the account permanently. Users should store this PIN securely and consider using a password manager for safekeeping.

These attacks highlight the evolving sophistication of social engineering campaigns targeting high-value individuals. By abusing legitimate features rather than exploiting vulnerabilities, attackers can bypass traditional security measures while maintaining plausible deniability. The targeting of senior political, military, and diplomatic figures suggests these campaigns may be part of broader intelligence gathering operations rather than purely criminal activities.