Former Germany’s foreign intelligence VP hit in Signal account takeover campaign
March 16, 2026 
Former BND VP Arndt Freytag von Loringhoven was targeted in a Signal cyberattack, part of a wave hitting officials and politicians in Germany.
A cyberattack targeting Signal and WhatsApp users has hit high-ranking German officials, including former BND Vice President Arndt Freytag von Loringhoven. The official reported being contacted by someone posing as Signal support and asked for his PIN. This incident highlights a broader cyber espionage campaign against sensitive individuals in security agencies and political positions.
“He is far from the only prominent victim of the global wave of attacks against user accounts at Signal and WhatsApp. According to SPIEGEL, high-ranking German politicians have reported themselves to the authorities as victims, and active officials in security agencies have also been attacked.” reads the report published by SPIEGEL. Back in February, the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) classified the attack as “security-relevant” and urged those affected to come forward. The BfV stated that this warning met with a “high response” and that they believe it prevented even worse damage.”
German authorities warned Signal users to check for suspicious signs, such as unknown devices listed under “paired devices” or unexpected prompts to re-register accounts.
In the case of former BND official Arndt Freytag von Loringhoven, attackers used his compromised account to send a malicious link to contacts. He quickly warned them not to open it and deleted his account. Investigators believe the incident is part of ongoing hybrid campaigns linked to Russia. Given Loringhoven’s work on Russian hybrid warfare and his book Putin’s Attack on Germany, he was likely considered a high-value target.
“Signal said the recent incidents were targeted phishing attacks that allowed attackers to hijack accounts of officials and journalists. The company stressed that its encryption and infrastructure were not compromised and remain secure.” Signal wrote on X. “We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously. To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust.”
Signal warned that the attacks rely on social engineering, with attackers posing as trusted contacts or fake support services to trick users into sharing verification codes or PINs. The company stressed it will never ask for these details via messages or social media and urged users to stay vigilant and never share login codes.
In early March, Dutch intelligence agencies (MIVD and AIVD) warned of a global campaign by Russia-linked threat actors aiming to compromise Signal and WhatsApp accounts. The operation targets government officials, civil servants, and military personnel, highlighting growing cyber risks to sensitive communications among national security actors.
“Russian state hackers are engaged in a large-scale global cyber campaign to gain access to Signal and WhatsApp accounts belonging to dignitaries, military personnel and civil servants. The Dutch intelligence and security services MIVD and AIVD can confirm that targets and victims of the campaign include Dutch government employees.” reads the alert by Dutch intelligence agencies. “The Dutch services also believe that other persons of interest to the Russian government, such as journalists, may possibly be targeted by this campaign.”
Russian cyber spies are tricking users into revealing verification codes to hijack Signal and WhatsApp accounts. They impersonate Signal Support or exploit the “linked devices” feature, gaining access to messages and chat groups, potentially exposing sensitive information from government and military targets.
Dutch intelligence warned that Russia targets Signal for its strong end-to-end encryption, aiming to access sensitive government communications. Officials stress that apps like Signal and WhatsApp should not be used for classified or confidential information.
The government experts pointed out that attackers don’t exploit app vulnerabilities but abuse legitimate features of Signal and WhatsApp. Only individual accounts are targeted, not the platforms themselves, officials say.
Dutch intelligence agencies recommend Signal users to carefully monitor their group chats for signs of compromised accounts. If a contact appears twice under the same or slightly altered name, this may indicate a compromised account or a victim-created account. Users should report suspicious cases to their organization’s information security team and verify the accounts through alternative channels such as email or phone. Group administrators should remove any unauthorized accounts, after which legitimate members can rejoin. Actor-controlled accounts may change display names, e.g., to “Deleted account,” or join via a shared Group Link, triggering notifications. Users should remain vigilant for unfamiliar members and unusual account behavior. If there is any suspicion that the group administrator has been compromised, it is recommended to leave the chat group and create a new one to ensure the security and integrity of communications within the group.
In February 2025, Google Threat Intelligence Group (GTIG) researchers warned of multiple Russia-linked threat actors targeting Signal Messenger accounts used by individuals of interest to Russian intelligence. The experts speculated that the tactics, techniques, and procedures used to target Signal will be prevalent in the near term, and they will also be employed in regions outside Ukraine.
Russian hackers exploited Signal’s “linked devices” feature, they used specially crafted QR codes to link victims’ accounts to attacker-controlled devices, and then spy on them.
“The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app’s legitimate “linked devices” feature that enables Signal to be used on multiple devices concurrently. Because linking an additional device typically requires scanning a quick-response (QR) code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim’s account to an actor-controlled Signal instance.” reads the report published by GTIG. “If successful, future messages will be delivered synchronously to both the victim and the threat actor in real-time, providing a persistent means to eavesdrop on the victim’s secure conversations without the need for full-device compromise.”
Researchers also reported that Russian and Belarus-linked threat actors were able to steal Signal database files from Android and Windows devices using scripts, malware, and command-line tools for data exfiltration.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, intelligence)
