Threat Insight
Dutch Intelligence Warns of Russian Campaign Against Signal and WhatsApp Users
The Dutch intelligence and security service AIVD has issued a warning about a large global campaign in which Russian cyber espionage actors target users of Signal and WhatsApp to gain access to their messaging accounts. The Russian campaign is focused on persuading users to divulge their security verification codes and PIN codes, allowing the hackers to gain access to the users’ Signal or WhatsApp accounts. [1]
The most frequently observed method used by the Russian hackers is to masquerade as a Signal Support chatbot in order to induce their targets to divulge their codes. The hackers can then use these codes to take over the user’s account. Another method used by the Russian actors takes advantage of the ‘linked devices’ function within Signal and WhatsApp.
At least three Russian threat actors have been linked to this campaign, including the GRU cyber warfare unit known as GRU unit 74455, “Seashell Blizzard” or “Sandworm”. According to AIVD, potential victims include government employees and journalists.
Note that neither the Signal nor the WhatsApp app has been hacked. The attack consists of social engineering that tricks the user into letting the threat actor gain access to their account. It is likely that this campaign has been going on for a considerable time. A similar campaign was reported by Truesec in February 2025 and was also attributed to GRU. [2]
Recommendations
“Sandworm” is best known for its destructive cyber warfare operations, but it has also been involved in cyber espionage and so-called “hack-and-leak” operations where sensitive information is stolen and manipulated to discredit persons and governments.
In their alert, AIVD also published recommendations for how to detect if someone in a Signal group may have been impersonated by someone who has gained access to their account information. [1] The makers of Signal have also published information on how to avoid being tricked by these threat actors. According to Signal, they do not use a chatbot that seeks out users unsolicited and will never ask for PIN codes if they contact users. [3]
Truesec recommends that all users of these apps familiarize themselves with these recommendations, especially if they belong to any of the listed categories of potential victims.
References
[1] https://english.aivd.nl/latest/news/2026/03/09/russia-targets-signal-and-whatsapp-accounts-in-cyber-campaign
[2] https://soc.truesec.app/TS-ThreatInsight-2025-9
[3] https://x.com/signalapp/status/2031038277604585785