Dutch Intelligence Agencies Alert to Russian Cyber Campaign Against Encrypted Messaging Apps

Dutch intelligence services have issued a warning about an extensive cyber operation conducted by Russian state-sponsored hackers who are infiltrating encrypted messaging platforms used by government personnel, military officials, and journalists worldwide.

The Netherlands’ Military Intelligence and Security Service (MIVD) along with the General Intelligence and Security Service (AIVD) released a comprehensive report detailing what they describe as a widespread international cyber campaign. The agencies identified Russian government operatives as being behind sophisticated attacks that rely on deceptive tactics and social manipulation rather than traditional malicious software to compromise user accounts on popular messaging platforms.

The attack methodology against Signal users involves criminals posing as official technical support representatives. These fraudulent contacts reach out to potential victims with fabricated alerts about unusual account activity, potential security breaches, or unauthorized attempts to access personal information. When users respond to these fake warnings, the attackers ask for both SMS verification codes and personal identification numbers (PINs), which they simultaneously request from Signal’s legitimate systems.

Once obtained, these authentication credentials enable the cybercriminals to register additional devices under different phone numbers while assuming the victim’s identity and gaining access to their contact lists. Although targets may find themselves temporarily locked out, they can typically re-register their original numbers, potentially creating a false sense of security.

The Dutch intelligence report emphasizes that because Signal maintains conversation histories locally on individual devices, users who regain access to their accounts may incorrectly assume no compromise has occurred. This assumption could be dangerously misleading, according to the security assessment.

Signal’s standard operating procedures do not include direct in-app customer support communications. Additionally, the platform’s normal security architecture prevents newly added devices from accessing previous message histories. The company responded to the intelligence report through social media channels, providing users with protective guidance that specifically warns against sharing SMS verification codes and PINs with any external parties.

The criminal operation also employs deceptive QR codes and malicious web links targeting users of both Signal and WhatsApp. Attackers may present these elements as invitations to join group conversations, but they actually function as tools to link the criminal’s device to the victim’s account.

WhatsApp users face a different but equally concerning threat through exploitation of the platform’s legitimate ‘Linked devices’ functionality, which normally allows users to access their accounts from secondary devices like computers or tablets. Successful attacks through this vector can potentially provide criminals with access to historical message content, and victims may remain unaware of the compromise since they retain access to their primary accounts.

Meta’s representative Zade Alsawah highlighted the company’s existing security guidance, which strongly advises users never to share their six-digit authentication codes and directs them to educational resources about recognizing suspicious communications and understanding the linked devices feature.

Ministry of Defence spokesperson Laurens Bos declined to provide additional specifics about the ongoing campaign when contacted for further information.

Russian diplomatic representatives in Washington did not respond to requests for comment regarding these allegations.

The attack techniques described in the Dutch intelligence assessment align with previously documented methods employed by Russian cyber operatives, particularly in connection with ongoing military operations in Ukraine.
