DUTCH intelligence agencies MIVD and AIVD warn of a global campaign by Russia-linked threat actors aiming to compromise Signal and WhatsApp accounts used by government and military officials. The alert says targets include Dutch government employees, with officials noting that journalists may also be at risk, as attackers trick users into revealing verification codes or exploit Signal’s linked devices feature to hijack accounts.
The campaign involves impersonation of Signal Support and the use of malicious QR codes to link victims’ accounts to attacker-controlled devices, enabling real-time eavesdropping on conversations. The alert also highlights that Russia-linked actors target end-to-end encrypted messaging to access sensitive government communications, and that only individual accounts are targeted, not the platforms themselves.
According to the Dutch intelligence alert, Russia-linked groups such as UNC5792 (overlapping with UAC-0195) and APT44 are involved in phishing campaigns and in abusing the linked devices technique to compromise accounts. The report notes that in February 2025 Google Threat Intelligence Group researchers warned of Russia-linked threat actors targeting Signal Messenger accounts used by individuals of interest to Russian intelligence.