The Apps Are Encrypted. Your Login Code Still Isn’t a Magic Shield.
People love saying WhatsApp and Signal are safe because they use end-to-end encryption. That part is true. It is likewise incomplete. Encryption protects message content in transit. It does not protect a user who hands the keys to a burglar.
That is the ugly lesson in the latest warning from the Netherlands’ General Intelligence and Security Service, better known as AIVD. The agency says Russian state-backed hackers are running a large-scale global cyber campaign to hijack WhatsApp and Signal accounts by tricking users into giving up login authentication codes. The targets reportedly include dignitaries, military personnel, civil servants, and Dutch government employees.
This is not some cinematic zero-day attack with neon graphics and a hoodie-wearing hacker whispering in Cyrillic. It is something far more annoying and far more common: social engineering. The attackers are not cracking the apps. They are exploiting people and legitimate account features.
That matters because it changes the story from “Is the app secure?” to “Can the user be fooled?” And in cybersecurity, humans are the softest target in the room.
What’s Happening & Why This Matters
Russian Hackers Are Targeting Accounts, Not Breaking Encryption
The Dutch intelligence advisory says Russian hackers are targeting WhatsApp and Signal accounts on a global scale by persuading users to reveal their authentication codes. The campaign allegedly targets sensitive users, especially those with government, military, or diplomatic relevance.
That detail matters because it shows intent. This is not spam aimed solely at random consumers. The campaign appears focused on accounts likely to contain politically useful conversations, confidential contacts, and operational information. If a hostile actor gains access to one phone account, the prize is not only messages. It may include contact networks, metadata, trust relationships, and opportunities for follow-on attacks.
The AIVD also makes a point that deserves more attention: the campaign does not exploit technical flaws in the messaging apps themselves. Instead, it abuses legitimate security features built into the apps.
That is both comforting and irritating. It is comforting because there is no evidence here that Signal or WhatsApp encryption has collapsed. It is irritating because the attack works anyway.
Old-School Phishing in a New Costume
According to the advisory, the most commonly observed method is a fake Signal Support chatbot. The attackers impersonate support, claim suspicious activity exists on the account, and tell the user to complete a verification procedure by entering a code. Once the victim sends that one-time code, the attacker can register the account on a second device and gain access.
Signal itself confirmed the threat and shared a screenshot of one such phishing message. The message, posing as a nonexistent “Signal Support Bot,” warned the user about threats to their private data and urged them to enter a verification code into a fake support chat.
The scam works because it imitates a familiar pattern. People are used to security alerts. They see warning language, official-looking names, and urgent instructions, then panic does the rest. The attacker does not need to outsmart encryption. The attacker needs only to outsmart a tired human for thirty seconds.
That is why phishing is such a durable weapon. It scales cheaply, exploits fear, and bypasses all the beautiful cryptography in the world by making the target cooperate.
Signal’s Warning: If Anyone Asks for the Code, It’s a Scam
Signal’s response is refreshingly honest and direct. It says users should never share their verification code. Signal further states that the code is only needed when first signing up for the app. It adds that Signal Support will never contact users via in-app messages, SMS, or social media to request a verification code or PIN. If anyone asks for either, Signal says, it is a scam.
That kind of clarity is useful because security advice often gets wrapped in mushy corporate fluff. Here is the rule: nobody legitimate will ask for your code.
Signal also warns that if both the verification code and the user’s PIN are exposed, the attacker can set up and access the victim’s account on a second phone.
That second-device detail is crucial. Many users think, “Even if somebody gets in, I’ll notice right away.” Maybe. Maybe not. Account compromise often starts quietly. An attacker may read messages, map contacts, and prepare further impersonation attempts before the victim notices anything strange.
A Shared Weak Spot: Linked Devices
The AIVD warns that Russian hackers are abusing the linked devices feature in both Signal and WhatsApp. That feature lets users view chats on a desktop computer or secondary device. It is a useful convenience feature. It is also a ripe target for abuse if a victim can be tricked into authorizing the wrong session.
The security conversation around messaging apps often gets too narrow. People think in terms of “message encryption” and forget about account lifecycle security. But real attackers care about the whole flow: signup, codes, PINs, linked devices, recovery steps, notifications, and the user’s habits around all of them.
Security is never only the lock on the door. It is the open window, the copied key, the delivery entrance, and the friend who waves in the wrong person.
Linked devices are a perfect example. They are not flaws. They are features. But any feature that extends access extends the attack surface.
Why State-Backed Actors Love This Method
The beauty of the method, from the attacker’s rotten point of view, is that it is cheap, low-noise, and scalable.
A state-backed operation does not need to burn expensive malware or risk noisy exploits when simple impersonation works. The target may comply without realizing they have enabled the breach. That keeps the attacker’s footprint small and makes the incident harder to see as a dramatic “hack” in the popular imagination. Yet the outcome can be just as serious.
For intelligence services, messaging accounts are gold. They reveal who is speaking to whom, when, and sometimes from where. Even encrypted chats are useful intelligence once an attacker controls the account endpoint. At that point, the app’s encryption is irrelevant because the messages are visible to the device that belongs, in effect, to the intruder.
That is the nasty little truth many users miss: end-to-end encryption protects the route, not the stolen endpoint.
Government, Military Users are Scams’ Highest Risk
The AIVD specifically says the campaign targets dignitaries, military personnel, and civil servants, with Dutch government employees among the victims. This raises the stakes considerably.
For an ordinary user, an account takeover is bad. For a diplomat, official, or service member, it can become operationally dangerous. Attackers may gain access to confidential discussions, schedules, personal contacts, and trusted networks. They may use the compromised account to message others, increasing the chance of secondary compromise.
This is why government cybersecurity agencies obsess over “simple” threats that ordinary users sometimes dismiss. A fake support message may feel trivial. In the right target set, it is espionage infrastructure.
Exposing the Weakest Link in Secure Messaging
Secure messaging apps have spent years marketing privacy. Fair enough. But privacy marketing can leave some users with the wrong mental model. They start treating the app like an invincible bubble.
It is not.
Apps like Signal and WhatsApp can offer strong message encryption while still leaving room for compromise through account takeover. That does not mean the products are fraudulent. It means security is layered, and users often focus on the most glamorous layer while neglecting the dull ones.
The dull layers win or lose the game more often than the glamorous ones.
Verification codes, PIN discipline, linked-device monitoring, and phishing awareness are not sexy subjects. They are, unfortunately, the exact subjects that decide whether your secure messenger stays yours.
The Lesson: Security Features Can Be Used Against You
The AIVD’s point that attackers are misusing legitimate app security features deserves extra emphasis. Security products increasingly rely on flows such as one-time codes, account recovery prompts, and device linking to make user access easier and safer. But any protective feature can evolve into a weapon in a skilled manipulator’s hands.
This is the recurring tragedy of consumer security design. A feature built for convenience and safety can be inverted by social engineering. The more polished and familiar the process, the easier it is to imitate convincingly.
That does not mean apps should remove these features. It means companies and users both need to understand that usable security is always vulnerable to usable deception.
TF Summary: What’s Next
Russian state-backed hackers are reportedly targeting WhatsApp and Signal accounts using phishing tactics, fake support bots, theft of one-time codes, and abuse of linked-device features. The campaign appears to focus on high-value users such as dignitaries, military personnel, and civil servants, while avoiding technical exploitation of the apps themselves. The bigger lesson is simple and infuriating: strong encryption can still coexist with fragile account security if users are tricked into giving access away.
MY FORECAST: Messaging platforms will tighten warning prompts around linked devices, verification codes, and support impersonation. Governments will try harder to educate high-risk personnel, because this kind of phishing is cheap and effective. Attackers will keep favoring social engineering over expensive technical exploits whenever possible. The next wave of secure messaging defense will focus less on cryptography bragging rights and more on hardening the human side of the login process.
— Text-to-Speech (TTS) provided by gspeech | TechFyle