Signal Phishing Attack Targets Politicians: Experts Debate Messenger Security Shift

German authorities are investigating a sophisticated phishing campaign targeting high-ranking politicians, military personnel, and journalists via the encrypted messaging app Signal. The attacks, which have compromised hundreds of accounts, are suspected to originate from Russian state-linked cyber actors, according to official statements and investigative reports. The breach has reignited debates over digital security practices among public figures and the vulnerabilities of widely trusted communication platforms.

Phishing Campaign Exploits Signal’s Trusted Reputation

The phishing attacks impersonated Signal’s official support team, sending messages to users warning that their accounts were at risk. Victims were instructed to enter a PIN, open a malicious link, or scan a QR code—actions that granted attackers access to their accounts. Once compromised, hackers could read messages, view contacts, and even impersonate the account holder in chat groups.

A government source told Agence France-Presse (AFP) that the campaign was “presumably run from Russia,” though German officials have not yet made a formal public attribution. The Federal Prosecutor’s Office confirmed a preliminary investigation into the attacks, which began in mid-February 2026, citing suspicions of espionage. The investigation remains ongoing, with no official confirmation of the perpetrators’ identities.

Among the confirmed victims is Julia Klöckner, a prominent figure in Germany’s Christian Democratic Union (CDU) and former federal minister. While the full list of affected individuals has not been disclosed, German media outlets, including Der Spiegel, reported that approximately 300 Signal accounts belonging to political figures were compromised. Konstantin von Notz, a member of parliament and deputy chief of the intelligence oversight committee, warned that the true number of victims could be higher, as many cases may remain unreported.

Digital Forensics Point to Russian Involvement

Investigative journalism outlet Correctiv uncovered digital evidence linking the attacks to Russian state hackers. Their analysis identified dozens of domains likely used in the campaign, with digital traces connecting the phishing attempts to previous cyber operations targeting Ukraine and Moldova. While German and Dutch intelligence agencies have attributed the attacks to “state-sponsored cyber actors” and “Russian state hackers,” respectively, no direct evidence has been publicly released to support these claims.

The U.S. Federal Bureau of Investigation (FBI) later corroborated these suspicions, naming “cyber actors associated with the Russian Intelligence Services” as the likely perpetrators. However, like their European counterparts, the FBI did not provide detailed evidence to substantiate the attribution. Security experts have noted that the tactics used in the Signal phishing campaign align with known Russian cyber espionage methods, which often exploit social engineering to gain access to sensitive communications.

Security Experts Warn of Broader Implications

The breach has raised alarm among cybersecurity professionals, who warn that the attack could have far-reaching consequences for political and military communications. “Heads are exploding,” an unnamed security expert told NPR, describing the potential fallout from the compromise of high-level discussions. While Signal’s core encryption technology remains unbreached, the phishing attacks highlight the human vulnerabilities in even the most secure platforms.

Signal, long considered one of the most secure messaging apps, has seen increased adoption among politicians and journalists in recent years, particularly after privacy concerns led many to abandon platforms like WhatsApp. The app’s end-to-end encryption ensures that messages cannot be intercepted in transit, but phishing attacks bypass these protections by tricking users into surrendering access to their accounts.

In response to the attacks, German security agencies have reissued warnings about phishing risks, urging users to verify the authenticity of any unsolicited messages, even those appearing to come from official support channels. Experts recommend enabling Signal’s registration lock feature, which requires a PIN to re-register an account, as an additional layer of protection against unauthorized access.

Political Fallout and Calls for Stronger Safeguards

The attacks have sparked concerns about the integrity of political communications in Germany, particularly as the country remains a frequent target of cyber operations linked to Russia. Since Moscow’s full-scale invasion of Ukraine in 2022, Western officials have reported an uptick in cyberattacks and disinformation campaigns aimed at destabilizing European governments. The Signal phishing campaign appears to be the latest in this trend, with potential implications for national security and diplomatic relations.

Konstantin von Notz, the intelligence oversight committee deputy, expressed frustration over the lack of clarity surrounding the attacks. “At present, no one can say with any certainty whether the integrity of MPs’ communications is still guaranteed,” he told AFP. The incident has prompted calls for stricter security protocols among government officials, including mandatory cybersecurity training and the adoption of hardware-based authentication methods.

For now, the investigation continues, with German authorities working alongside international partners to identify the full scope of the breach and prevent further compromises. While no classified information has been confirmed as leaked, the incident serves as a stark reminder of the persistent threats facing digital communications in an era of state-sponsored cyber warfare.

What Users Can Do to Protect Themselves

• Enable Registration Lock: Signal’s registration lock feature requires a PIN to re-register an account, making it harder for attackers to hijack accounts even if they obtain a verification code.
• Verify Unsolicited Messages: Never enter codes, click links, or scan QR codes from unsolicited messages, even if they appear to come from Signal support. Official communications from Signal will never ask for sensitive information via the app.
• Use Two-Factor Authentication (2FA): While Signal does not support traditional 2FA, users can enable additional security measures, such as a screen lock for the app, to prevent unauthorized access.
• Monitor Account Activity: Regularly check Signal’s “Linked Devices” section to ensure no unauthorized devices are connected to your account.
• Report Suspicious Messages: Signal allows users to report phishing attempts directly through the app, helping the platform identify and block malicious actors.

The Signal phishing attacks underscore the evolving nature of cyber threats, where even the most secure platforms can be compromised through social engineering. As governments and individuals grapple with these risks, the incident serves as a critical reminder that digital security is not solely a technological challenge—it is also a human one.