Dutch Intelligence Warns of Global Russian Cyber Campaign Hijacking Encrypted Signal and WhatsApp Accounts

Dutch intelligence warns of a Russian cyber campaign using fake chatbots to hijack Signal and WhatsApp accounts belonging to officials and journalists.

By: AXL Media

Published: Mar 9, 2026, 6:23 AM EDT

Source: The information in this article was sourced from CNA

Coordinated Infiltration of Encrypted Channels

Two major intelligence agencies in the Netherlands, the AIVD and MIVD, have identified a widespread cyber operation orchestrated by Russian-backed actors. The campaign specifically targets Signal and WhatsApp, platforms previously considered secure due to their end-to-end encryption. According to a joint statement released on Monday, the hackers use social engineering to persuade high-profile targets—including government employees and military personnel—to divulge security pins. This access allows malicious actors to bypass encryption protocols by taking over the account identity itself.

Social Engineering via Support Chatbots

The technical execution of the breach relies heavily on deception rather than breaking the software’s underlying code. Attackers frequently masquerade as official "Signal Support" chatbots to initiate conversations with potential victims. Under the guise of security verification, they induce users to share their six-digit authentication codes. Once these codes are provided, the hackers gain full control over the account, including the ability to read historical group messages and monitor real-time communications involving sensitive government business.

Exploitation of Linked Device Features

In addition to direct code solicitation, intelligence officials warned that hackers are exploiting the "linked devices" functionality found in most modern messaging apps. This feature, designed for user convenience across desktops and tablets, provides a back-door for attackers to maintain a persistent presence on an account. The MIVD noted that users should be wary of contacts appearing twice in their lists or accounts suddenly appearing as "deleted," as these are often the primary digital signatures of a compromised account.