Governments Have Long Warned About Kremlin Social Engineering Hacks
David Meyer • April 28, 2026

Signal is defending the security of its systems following a series of phishing attacks that took place on the encrypted messaging platform, and that reportedly compromised members of the German government including the president of the country’s parliament.
The government said Russia was probably behind the attack, which falls into a pattern that has been apparent for more than a year. Signal said Monday that it will make such attacks less viable.
As far back as February 2025, Google security researchers warned that Russian military intelligence hackers were targeting Ukrainian Signal users with social engineering attacks, sending them malicious QR codes that abuse the app’s linked devices function. The codes are often presented as group chat invites, and successful attacks provided access to the victims’ messages on the attacker’s device (see: Ukrainian Signal Users Fall to Russian Social Engineering).
With remarkable prescience, Google said it anticipated that “the tactics and methods used to target Signal will grow in prevalence in the near term and proliferate to additional threat actors and regions outside the Ukrainian theater of war.” Sure enough, Der Spiegel reported last week that Bundestag President Julia Klöckner – weeks earlier seen talking to the press about how the institution needs to stay secure against cyberattacks – had become the highest-profile victim in the German government. Chancellor Friedrich Merz’s phone was subsequently checked by security services, since he was in a Signal group chat with Klöckner.
No compromise was found. Other victims reportedly included housing minister Verena Hubertz and education minister Karin Prien.
Non-profit investigative outlet Correctiv first reported the German broadside a month ago, naming Arndt Freytag von Loringhoven, a former vice-president of the German foreign intelligence service, as a victim. As a matter of policy, the government has not confirmed any of the victim identities.
Correctiv’s report laid out evidence of multiple links between the German campaign and Russia, including the use of Russian “bulletproof hosting” provider Aeza – which has been sanctioned by both the United States and United Kingdom – and that of the Russia-linked Defisher phishing tool.
In a lengthy statement posted to X on Monday, Signal took great pains to dispel mischaracterizations of what had happened: “First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not ‘hacked’ – in that our encryption, infrastructure and the integrity of the app’s code was not compromised.”
The platform went on to say that such social-engineering attacks plague “any mainstream messaging app once it reaches the scale of Signal,” and promised “a number of changes to help hinder these kinds of attacks” in the coming weeks.
“For the time being, please stay vigilant against phishing and account takeover attempts,” Signal added. “Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock).”
Germany’s Federal Office for the Protection of the Constitution piggybacked on the post, directing people to a previously published pamphlet on what to do if targeted.
“The government assumes that the phishing campaign against the Signal messaging service was controlled from Russia,” a BSI spokesman told ISMG. However, he declined to comment on Der Spiegel’s report that 300 people had been affected in Germany.
The spread of the Signal attacks in Europe comes at a time when officials in the region are already becoming wary of the app, largely due to the fact that it is American.
As Politico reported this month, governments in several countries have been rolling out homegrown secure messaging systems in an effort to step away from apps they can’t control such as Signal and WhatsApp. “Everyone in Europe is getting more and more awake on sovereignty,” Brandon De Waele, the head of the Belgian agency providing that country’s app, told the publication.
Some of these efforts pre-date the current sovereignty push, which has been inspired by the second Trump administration’s apparent antagonism towards Europe. The German defense ministry’s IT services provider, BWI, released a secure messaging app called BundesMessenger – based on the armed forces’ in-house solution – for the benefit of public administration workers back at the end of 2023.
Warnings about Russian social media attacks against Signal users have percolated across Europe with mounting intensity since Google first warned users about the tactic, including within Germany. The Federal Office for Information Security in February said it had received intelligence about “a likely state controlled cyber actor” trying out phishing attacks against “high-ranking individuals in politics, the military and diplomacy,” as well as investigative journalists in Germany and Europe.
Dutch intelligence services reported in March that members of their government were duped by similar attacks over Signal and WhatsApp – they explicitly laid the blame at the Kremlin’s door. French cyber authorities also published a warning.
Across the Atlantic, the FBI and Cybersecurity and Infrastructure Security Agency said last month that “cyber actors associated with the Russian Intelligence Services” were behind the global wave of attacks, including those on current and former U.S. officials.