Germany’s top security agencies issued an urgent warning yesterday regarding a sophisticated cyber espionage campaign targeting high-ranking officials and journalists across Europe.
The Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) revealed that state-sponsored hackers are hijacking Signal accounts to spy on private communications.
The joint advisory, released February 6, identifies the primary targets as military personnel, diplomats, politicians, and investigative journalists.
Unlike traditional hacks that use malware or exploit software bugs, this campaign relies entirely on “social engineering”, tricking victims into using legitimate features against themselves.
The “Fake Support” Trap
The first attack method involves hackers posing as “Signal Support” or a “Signal Security ChatBot.”
Fake Support – Source: Germany Govt
They contact targets directly within the app, claiming suspicious activity or a data leak has occurred on the victim’s device.
To “fix” the problem, the fake support bot asks the user to verify their identity by sending a PIN code.
If a victim shares this six-digit code, the hackers immediately register the victim’s phone number on a new device they control.
This locks the legitimate user out of their own account while giving the attackers complete control to impersonate the victim in future chats.
The Silent QR Code Spy
The second method is more subtle and allows hackers to spy on chats without locking the user out.
Attackers use a plausible pretext, such as a request to join a group or verify a device, to trick the victim into scanning a QR code.
Technically, this QR code is a “device linking” request. When a victim scans it, they inadvertently authorize the hacker’s tablet or computer to link to their account.
Once connected, the attacker can silently read all new messages and view chat history from the past 45 days.
This access often persists for weeks because the victim’s phone usually continues to work, masking the intrusion.
Authorities believe a “state-controlled cyber actor” is behind the campaign, given the specific focus on high-value intelligence targets rather than financial theft.
The goal appears to be espionage, involving the mapping of social networks and the interception of sensitive political and military discussions.
Because the attacks use valid Signal features rather than viruses, they bypass most antivirus software.
Security officials urge all users to check their “Linked Devices” list in Signal settings immediately and never to share verification PINs with anyone, even accounts claiming to be support staff.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Hackers Linked to State Actors Target Signal Messages of Military Officials and Journalists appeared first on Cyber Security News.
