Russian State Hackers Target Dutch Officials in Sophisticated Signal and WhatsApp Account Hijacking Campaign

Dutch intelligence warns of Russian state-sponsored phishing targeting Signal and WhatsApp to monitor government and military communications via account takeovers.

By: AXL Media

Published: Mar 9, 2026, 5:42 PM EDT

Source: The information in this article was sourced from BleepingComputer

State Sponsored Espionage Compromises Encrypted Channels

A sophisticated cyber espionage operation linked to Russian state actors has successfully penetrated the personal communications of Dutch government employees, journalists, and military officials. According to a joint advisory from the Netherlands Defence Intelligence and Security Service, MIVD, and the General Intelligence and Security Service, AIVD, the attackers are not breaking the underlying encryption of apps like Signal or WhatsApp. Instead, they are employing advanced phishing and social engineering tactics to manipulate legitimate authentication features. This allows the threat actors to gain total control over user accounts, effectively turning secure messaging platforms into tools for covert surveillance.

The Mechanics of the Fake Support Bot Gambit

One of the primary vectors identified in this campaign involves the deployment of a fraudulent Signal Security Support Chatbot. This automated adversary contacts victims with urgent warnings of suspicious activity, directing them to undergo a verification procedure to prevent a data leak. To complete this fake security check, the user is prompted to provide their SMS verification code and Signal PIN directly within the chat interface. Once these credentials are surrendered, the attackers register the account on their own hardware, effectively locking the legitimate user out while gaining access to their entire contact network and future incoming communications.

Exploiting Device Linking for Real Time Surveillance

Beyond direct account takeovers, the Dutch intelligence services highlighted a secondary, more stealthy method involving the abuse of device-linking functionality. In these instances, hackers send malicious QR codes or links disguised as invitations to join exclusive chat groups or professional networks. When a victim interacts with these prompts, they unknowingly authorize the attacker’s computer or tablet as a linked device. Because this method does not always trigger a logout on the primary phone, the breach can remain undetected for months, during which time the Russian operatives can read chat histories and monitor live conversations in real time.