Ethical Hacking News
Germany's domestic intelligence agency has warned that senior figures are being targeted by phishing attacks via messaging apps like Signal. The attackers combine social engineering with legitimate features to steal data from politicians, military officers, diplomats, and investigative journalists in Germany and across Europe.
The German Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI) have warned citizens about a specific threat to senior figures involving Signal account hijacking via phishing attacks. The attackers use social engineering tactics, impersonating Signal's support team or chatbot, to gain access to one-to-one and group chats as well as contact lists. There are two types of attacks: full account takeover and device pairing, which allows attackers to monitor chat activity without raising flags. Users can protect themselves by avoiding replying to messages from alleged support accounts, blocking and reporting suspicious accounts, and enabling the 'Registration Lock' option under Settings > Account. Regularly reviewing the list of devices with access to your Signal account and removing unrecognized devices is also recommended for added security.
In a recent warning issued by Germany's domestic intelligence agency, the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI), they have informed citizens about a specific threat to senior figures. The threat, which involves the hijacking of Signal accounts via phishing attacks, combines social engineering tactics with legitimate features of messaging services like Signal.
The warning highlights that no malware is used in these attacks, nor are technical vulnerabilities in the messaging services exploited. Instead, attackers contact the target directly, pretending to be from the support team of the messaging service or its chatbot. The goal of these attacks is to covertly gain access to one-to-one and group chats as well as contact lists of the affected individuals.
There are two versions of these attacks: one that performs a full account takeover, and another that pairs the account with the attacker's device to monitor chat activity. In the first variant, attackers impersonate Signal's support service and send a fake security warning to create a sense of urgency. The target is then tricked into sharing their Signal PIN or an SMS verification code, which allows the attackers to register the account to a device they control. Then they hijack the account and lock out the victim.
In the second case, attackers use a plausible ruse to convince the target to scan a QR code. This abuses Signal's legitimate linked-device feature that allows adding the account to multiple devices (computer, tablet, phone). The result is that the victim account is paired with a device controlled by the bad actor, who gets access chats and contacts without raising any flags.
Such attacks were observed to occur on Signal, but the bulletin warns that WhatsApp also supports similar functionality and could be abused in the same way. Last year, Google threat researchers reported that the QR code pairing technique was employed by Russian state-aligned threat groups such as Sandworm. Ukraine's Computer Emergency Response Team (CERT-UA) also attributed similar attacks to Russian hackers, targeting WhatsApp accounts.
However, multiple threat actors, including cybercriminals, have since adopted the technique in campaigns like GhostPairing to hijack accounts for scams and fraud. The German authorities suggest that users avoid replying to Signal messages from alleged support accounts, as the messaging platform never contacts users directly. Instead, recipients of these messages are recommended to block and report these accounts.
As an extra security step, Signal users can enable the ‘Registration Lock’ option under Settings > Account. Once active, Signal will ask for a PIN you set whenever someone tries to register your phone number with the application. Without the PIN code, the Signal account registration on another device fails. Since the code is essential for registration, losing it can result in losing access to the account.
It is also strongly recommended that users regularly review the list of devices with access to their Signal account under Settings → Linked devices, and remove unrecognized devices.
The future of IT infrastructure is here
Modern IT infrastructure moves faster than manual workflows can handle. In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.
Get the guide
Related Information:
https://www.ethicalhackingnews.com/articles/Germany-Warnings-Signal-Account-Hijacking-Threat-to-Senior-Figures-ehn.shtml
https://www.bleepingcomputer.com/news/security/germany-warns-of-signal-account-hijacking-targeting-senior-figures/
https://www.helpnetsecurity.com/2026/02/06/state-linked-phishing-europe-journalists-signal/
https://netzpolitik.org/2026/phishing-attack-numerous-journalists-targeted-in-attack-via-signal-messenger/
Published: Fri Feb 6 14:34:36 2026 by llama3.2 3B Q4_K_M
