Nation-state | Apr 28, 2026

Germany Suspects Russia Is Behind Signal Phishing That Targeted Top Officials

Germany suspects Russia behind Signal phishing attacks on ~300 government officials and politicians.

Summary

German federal prosecutors have been investigating a phishing campaign targeting approximately 300 Signal accounts belonging to high-ranking politicians, military personnel, and journalists since mid-February 2026. The attacks used fake Signal security chatbots to trick users into entering PINs or scanning QR codes, which linked their accounts to attacker-controlled devices, enabling access to chats, conversations, and stored data. German and Dutch intelligence agencies suspect Russian state-controlled actors are behind the campaign, though Germany has not officially attributed the attacks.

Full text

The German government suspects Russia is behind a series of phishing attacks on Signal targeting high-ranking politicians, including two government ministers, military personnel and journalists, a government spokesperson said.

Federal prosecutors have been conducting a preliminary investigation since mid-February 2026 into alleged cyberattacks on Signal accounts, a spokesperson for the federal prosecutors confirmed on Saturday. Among other things, the investigation involves an initial suspicion of espionage, she added, without specifying which country might be involved.

The German government has still not officially attributed the attacks to Russia.

Germany and other European countries have been under increased pressure from cyberattacks and other malign activity linked to Russia by Western officials since Moscow’s full-scale invasion of Ukraine in February 2022.

Around 300 Signal accounts belonging to individuals within the political sphere were compromised in the attacks, German magazine Der Spiegel reported, quoting governmental sources. There is no official confirmation of the names of the victims.

According to Der Spiegel, the targeted users received messages from a fake Signal security chatbot that informed them of suspicious activity on their accounts and asked them to take immediate action.

If the user followed the instructions, including entering a PIN or scanning a QR code, their Signal accounts were linked to an external device controlled by the hackers. This allowed the attackers to read past chats, follow ongoing conversations and even see address books and other data stored by the users.

In February, Germany’s domestic intelligence service BfV and the federal cybersecurity authority BSI had issued a public warning about such a phishing campaign, saying it was “likely being carried out by a state-controlled cyber actor.”

According to the German press agency dpa, German authorities also contacted several politicians personally to warn them such attacks may have happened.

In March, Dutch intelligence and security services also warned that “Russian state hackers are engaged in a large-scale global cyber campaign to gain access to Signal and WhatsApp accounts belonging to dignitaries, military personnel and civil servants.” Targets include Dutch government employees, the Dutch authorities warned at the time, and journalists may also have been targeted.

The Russian embassy in Berlin did not respond to an AP request for comment. Moscow has repeatedly denied it is spying on other countries.

Alexander Graf Lambsdorff, the German ambassador to Russia, was summoned to the Russian Foreign Ministry on Monday morning, dpa reported, regarding alleged contacts between German politicians and terrorist organizations. No connection has been made between the summons and the German media revelations about the Signal phishing attacks.

“I will, of course, comply with the summons. I consider it unlikely that the Russian side will be able to substantiate its accusations,” Lambsdorff said in advance.

Relations between the two countries have been tense for years.

Written by Associated Press

Indicators of Compromise

  • malware — Fake Signal Security Chatbot

Entities

  • Signal (technology)
  • Russia (suspected state-sponsored actor) (threat_actor)
  • German Federal Prosecutors Office (BfV, BSI) (vendor)
  • Signal Phishing Campaign (Russian state-sponsored) (campaign)