State-Backed Hackers Target Signal Users in Germany: Phishing Alert

German security agencies are warning of an ongoing phishing campaign targeting individuals with ties to politics, the military, diplomacy, and investigative journalism. The attacks, believed to be state-sponsored, are leveraging the messaging app Signal to compromise accounts and potentially extract sensitive information.

The German Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) issued a joint security advisory on February 6, 2026, detailing the threat. According to the advisory, the attackers are attempting to spy on communications via Signal. Targets include high-ranking officials and journalists in Germany and across Europe.

The phishing attacks take two primary forms. In one scenario, recipients receive a message on Signal disguised as a security alert from Signal’s support team. This message attempts to trick users into revealing their Signal verification code or security PIN, granting the attackers access to the account. Successful compromise allows attackers to not only read current and past messages but also access the user’s contact list.

The second attack vector involves a malicious QR code. Scanning this code connects a device controlled by the attackers to the Signal account, providing them with access to contacts and message history. The security agencies warn that gaining access to messenger accounts can compromise entire networks through group chats and reconstruct sensitive contact structures for further intelligence or criminal activities.

“A successful access to messenger accounts not only enables insight into confidential individual communication, but potentially also the compromise of entire networks via group chats,” the advisory states. “sensitive contact structures can be reconstructed, which could be used for further intelligence and/or criminal measures.”

While the advisory does not explicitly name the nation-state behind the attacks, the tactics align with those previously employed by actors linked to Russian intelligence services. In April 2022, Australian authorities warned of Russian state-sponsored and criminal cyber threats targeting critical infrastructure, including phishing campaigns.

This isn’t the first time Signal has been targeted in sophisticated phishing attacks. Google’s Threat Intelligence Group warned last year of growing attempts to compromise Signal accounts belonging to individuals of interest to Russian intelligence. Those attacks specifically targeted members of the Ukrainian military.

The current campaign builds on a broader trend of increased Russian cyber activity. In May 2025, a CERT-EU Cyber Brief highlighted Russian hackers targeting Dutch critical infrastructure, utilizing a new phishing technique. German intelligence also warned in October 2024 of a “quantitative and qualitative” increase in Russian-sponsored espionage and sabotage attempts within Germany, echoing similar concerns from the UK and Poland.

The attacks also occur against a backdrop of escalating geopolitical tensions and cyber warfare. The Russia-Ukraine conflict has seen a significant increase in cyberattacks from both sides, targeting government entities, defense organizations, and individuals. Trustwave SpiderLabs reported in February 2025 that Russian hacktivist group XakNet executed a large-scale cyberattack against Ukrainian government infrastructures in December 2024, compromising systems and erasing data, including property ownership records and personal identification data.

The targeting of journalists is particularly concerning. Mercenary spyware has been reported in Europe, targeting journalists and activists, and the current Signal phishing campaign adds another layer of risk. The ability to compromise a journalist’s communications could have a chilling effect on investigative reporting and freedom of the press.

The German security agencies’ advisory underscores the importance of vigilance and strong security practices. Users of Signal, particularly those who may be considered high-value targets, should be wary of unsolicited messages and avoid scanning QR codes from unknown sources. Enabling Signal’s optional PIN feature and regularly reviewing connected devices can also help mitigate the risk of account compromise.