TL;DR: On February 6, 2026, Germany's Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI) issued a joint advisory warning that state-backed hackers are targeting politicians, military officers, diplomats, and investigative journalists across Europe. The attackers use two methods: impersonating Signal support to steal PINs, or tricking targets into scanning a QR code that silently links an attacker-controlled device to the victim's account. The second method is especially dangerous: victims don't get locked out and may never notice. The attackers get access to the last 45 days of messages, all contacts, and every group chat. German authorities stopped short of naming the country behind it, but Google and Microsoft have previously linked identical techniques to Russian state-aligned groups including Sandworm. Check your linked devices right now: Settings → Linked Devices. Remove anything you don't recognize.
Two Attacks, One Goal: Read Your Encrypted Messages
Signal is the gold standard for encrypted messaging. Journalists use it to protect sources. Diplomats use it for sensitive communications. Activists rely on it to organize without governments listening in. That reputation makes it the perfect target.
The BfV and BSI outlined two distinct attack methods being used right now against high-value targets across Germany and Europe.
Attack 1: "We're From Signal Support"
The attacker sends a Signal message posing as official Signal support. The message warns that the target's account has a security problem. There's urgency: act now or lose your data.
Then comes the ask: share your Signal PIN or the SMS verification code you just received.
If the target complies, the attacker registers the Signal account on their own device. The victim immediately loses access. Signal shows a notification: "Your device is no longer registered." Incoming and outgoing messages stop. The attacker now owns the account: profile, contacts, block list, everything.
This variant is loud. You'll know something's wrong immediately. The second variant is worse.
Attack 2: The Silent QR Code
Signal lets you link additional devices to your account: a laptop, a tablet. It's a legitimate feature. You scan a QR code and the new device syncs your messages.
The attackers weaponized this.
Under some plausible pretext (a meeting invitation, a document to review, a security check), the target is convinced to scan a QR code. That code doesn't open a link. It silently pairs an attacker-controlled device to the victim's Signal account.
Here's what makes it devastating: the victim stays logged in. Messages keep flowing normally on their phone. No error messages. No warnings. Meanwhile, the attacker's device receives a copy of everything: every message sent and received, every group chat, every contact. The last 45 days of message history sync automatically.
As the German agencies put it: "Successful access enables not only insight into confidential one-on-one communications but also potential compromise of entire networks via group chats."
One compromised diplomat's account exposes every colleague in their group chats. One journalist's account reveals their sources.
Who's Behind It
The BfV and BSI called the attackers "likely state-backed" but didn't name a country. The clues aren't subtle.
In early 2025, Google's Threat Intelligence Group documented identical QR-code pairing attacks against Signal users and attributed them to multiple Russian state-aligned groups: Sandworm (Russia's GRU military intelligence), Star Blizzard (FSB-linked), and two groups tracked as UNC5792 and UNC4221. Microsoft separately confirmed Star Blizzard's involvement.
Ukraine's CERT-UA attributed comparable attacks targeting WhatsApp to Russian hackers. In December 2025, security firm Gen Digital identified a campaign called "GhostPairing" that exploited WhatsApp's identical device-linking feature.
The BfV noted a key detail: "No malware is used, nor are technical vulnerabilities in the messaging services exploited." Pure social engineering. The encryption is fine. The humans are the vulnerability.
Who's Getting Targeted
The advisory names four target groups:
- Politicians: Senior political figures across Germany and Europe
- Military officers: Active duty personnel with access to sensitive operational information
- Diplomats: Diplomatic staff whose compromised group chats could expose entire embassy networks
- Investigative journalists: Reporters whose Signal contacts include confidential sources
These are the exact people who chose Signal specifically because they need encrypted communications. The attackers aren't trying to break the encryption. They're going around it.
Signal's Trust Problem
Signal's device-linking feature was designed for convenience. Scan a QR code, and your messages appear on a second device. It's fast, it's simple, and it trusts that you're the one scanning.
That trust is the vulnerability. Signal has no way to distinguish between you linking your own laptop and an attacker tricking you into linking their surveillance device. Once linked, the attacker's device is just another "you," receiving real-time copies of every conversation.
WhatsApp has the same architecture. The BfV and BSI explicitly warned that these attacks apply to WhatsApp too: "comparable risks exist due to similar messaging functionalities."
The uncomfortable reality: the feature that makes encrypted messaging convenient is the same feature that makes it exploitable. No code needs to be broken. No zero-day exploits needed. Just a convincing story and a QR code.
What You Should Do Right Now
Check Your Linked Devices Now
Open Signal → Settings → Linked Devices. If you see any device you don't recognize, tap it and remove it immediately. Do this on WhatsApp too: Settings → Linked Devices. Takes 10 seconds. Do it now before you finish reading this article.
Enable Registration Lock
Signal → Settings → Account → Registration Lock. This requires your PIN to register your account on a new device. Without it, anyone with your phone number and a stolen verification code can take over your account completely.
Never Share Your PIN
Signal will never message you asking for your PIN or verification code. Ever. If someone claiming to be "Signal Support" asks for either, they're an attacker. Block and report them.
Only Scan QR Codes You Initiated
The only time you should scan a Signal QR code is when you're deliberately linking your own device. If someone sends you a QR code for any other reason (a meeting, a document, a "security check"), don't scan it.
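For teams that triage reported QR codes, the check can be partly automated. The sketch below is an added example, not code from Signal or from the BfV/BSI advisory: it classifies text already decoded from a QR code and flags anything that would start a device-linking flow, including a linking URI tucked inside a redirect parameter. It assumes Signal's linking QR code encodes a URI of the form sgnl://linkdevice?uuid=...&pub_key=... (not stated on this page); the function names and sample payloads are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption (not stated on this page): Signal's device-linking QR code
# encodes a URI of the form sgnl://linkdevice?uuid=...&pub_key=...
LINK_SCHEME, LINK_HOST = "sgnl", "linkdevice"
MAX_DEPTH = 2  # how many layers of URL-in-a-parameter to unwrap


def classify_qr_payload(payload: str, depth: int = 0) -> str:
    """Classify decoded QR text: 'device-link', 'embedded-device-link',
    'web-url' or 'other'."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower()
        params = parse_qsl(parts.query, keep_blank_values=True)
    except ValueError:
        return "other"  # malformed URL text

    if parts.scheme.lower() == LINK_SCHEME and host == LINK_HOST:
        return "device-link"

    # Redirectors can carry the linking URI percent-encoded in a parameter;
    # parse_qsl has already decoded the values, so re-classify each one.
    if depth < MAX_DEPTH:
        for _name, value in params:
            inner = classify_qr_payload(value, depth + 1)
            if inner in ("device-link", "embedded-device-link"):
                return "embedded-device-link"

    return "web-url" if parts.scheme.lower() in ("http", "https") else "other"


def flag_linking_codes(payloads):
    """Return the payloads that would start a device-linking flow."""
    return [p for p in payloads
            if classify_qr_payload(p) in ("device-link", "embedded-device-link")]


# Constructed sample payloads (placeholder values, not real keys or hosts).
SAMPLES = [
    "https://example.invalid/agenda.pdf",
    "sgnl://linkdevice?uuid=EXAMPLE-UUID&pub_key=EXAMPLE-KEY",
    "https://example.invalid/r?next=sgnl%3A%2F%2Flinkdevice%3Fuuid%3DEXAMPLE",
    "WIFI:S:guest;T:WPA;P:example;;",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify_qr_payload(s):22} {s}")
```

A "web-url" verdict only means the payload itself is not a linking URI; the page behind it can still redirect to one, so it needs the usual link review.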
If you're in one of the target groups (journalist, politician, diplomat, military), make checking linked devices a weekly habit. Set a recurring reminder. It's the only way to catch a silent compromise before too much damage is done.
Encryption Works. Social Engineering Works Better.
Signal's end-to-end encryption hasn't been broken. The math is sound. But encryption only protects messages in transit, between your device and the recipient's device. If the attacker's device becomes one of the recipient's devices, encryption delivers your messages directly to them, perfectly decrypted.
This is the fundamental tension in secure messaging: usability features like device linking make encrypted messaging practical for normal people. They also make it exploitable by sophisticated adversaries who specialize in tricking normal people.
Russia's intelligence services didn't need a zero-day. They didn't need Pegasus or Predator. They needed a convincing pretext and a QR code. That's cheaper, harder to detect, and works against anyone who lets their guard down for a moment.
The lesson isn't to stop using Signal. It's still the best option for encrypted messaging. The lesson is that no technology protects you if you hand the keys to the wrong person. Check your linked devices. Enable Registration Lock. And treat any unsolicited request involving your Signal account as an attack, because it probably is.