Most journalists are compromised before they know they’re being watched.
Short answer
The surveillance does not begin when you publish. It begins when someone decides they want to know what you are working on. By the time you have a reason to suspect something, the access has usually already been established.
This is not speculation. It is the pattern across documented cases in different countries, different threat actors, different kinds of journalism. The entry point is almost never the encrypted messaging app. It is the professional infrastructure that journalists take for granted.
The vectors that actually work
Credential phishing through professional identity. A journalist receives an email that appears to come from a source they have been trying to reach, a press office they have contacted before, or a conference they are attending. The email contains a link. The link leads to a page mimicking a Google Drive login or an Outlook authentication screen. The journalist enters their credentials. The credentials are captured.
This works because journalists have public professional identities. Their email addresses are findable. Their beats are documented. The sources they are likely trying to reach can be inferred from their published work. A targeted phishing attempt does not need to be generic — it can be built around what the journalist is known to be working on right now.
Malicious attachments to press inboxes. Most newsrooms have publicly listed addresses for tips and press contacts. A PDF exploiting a reader vulnerability, or a Word document with a malicious macro, has a reasonable probability of being opened. Journalists receive documents from unknown parties as a normal part of their job. The professional context is the cover. (See: how to communicate with confidential sources safely.)
Compromised accounts used to reach sources. Once a journalist’s email or messaging account is accessed, the adversary has the journalist’s address book, message history, and active source relationships. They can contact sources while impersonating the journalist. This is how source networks get mapped without direct surveillance of the sources themselves.
Fake persona operations. Documented cases involving state-sponsored groups show convincing fake journalist or researcher identities built and maintained over extended periods. A fake contact who offers a story, asks for documents, requests an introduction. By the time the persona is used to extract information, the relationship feels normal. Because it has been, in some respects, for months.
What makes journalists specifically vulnerable
The professional habits that make journalism work are the same habits that create the attack surface. Public contact information. Openness to documents and tips from unknown parties. Broad source networks. Deadline pressure that compresses time available for verification. These are not failures of security practice. They are functional requirements of the job. The adversary builds their approach around them.
What actually changes the exposure
Hardware security keys. A credential phishing attack that captures your password fails if account access also requires a physical hardware key. YubiKey and similar devices are inexpensive and eliminate the most common successful attack vector against journalist accounts.
Device separation. The device used for source communications should not be the device used for social media, general browsing, and professional work that carries a publicly linkable identity. Device separation is more reliable than app separation. (See: build your threat model in 20 minutes.)
Verification practices for document sources. Any document from an unknown or newly established contact should be treated as potentially hostile. Google Drive’s viewer renders the document in a sandboxed browser context rather than in a local application; it is low friction and genuinely useful for initial review.
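As an added example (not part of the original article), a small Python triage script for the two attachment types named above: it flags a VBA project inside an Office file and auto-execution keys inside a PDF, running on constructed samples, without opening either in a reader.

```python
import io
import re
import zipfile

# PDF dictionary keys that make a reader act on open (run script, launch, embed a file).
PDF_RISKY = re.compile(rb"/(OpenAction|AA|JavaScript|JS|Launch|EmbeddedFile)\b")

def triage_office(data: bytes) -> list[str]:
    """Office Open XML files are zip archives; a VBA project ships as vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return ["not an OOXML zip (legacy binary format or mislabelled file)"]
    findings = []
    if any(n.endswith("vbaproject.bin") for n in names):
        findings.append("contains VBA macro project (vbaProject.bin)")
    return findings

def triage_pdf(data: bytes) -> list[str]:
    """Plain string scan; compressed object streams can hide these keys, so a clean result proves nothing."""
    if not data.startswith(b"%PDF"):
        return ["missing %PDF header"]
    return sorted({"contains /" + m.decode() for m in PDF_RISKY.findall(data)})

def triage(filename: str, data: bytes) -> list[str]:
    name = filename.lower()
    if name.endswith((".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm")):
        return triage_office(data)
    if name.endswith(".pdf"):
        return triage_pdf(data)
    return ["unhandled type, open only in an isolated viewer"]

def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped zip, optionally carrying a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()

# Constructed sample: a PDF whose catalog runs a script as soon as it is opened.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
              b"2 0 obj<</S/JavaScript/JS(placeholder)>>endobj\n%%EOF\n")

if __name__ == "__main__":
    for fname, blob in [("tip.docm", build_sample_docx(True)), ("tip.docx", build_sample_docx(False)),
                        ("leak.pdf", SAMPLE_PDF)]:
        print(fname, triage(fname, blob) or ["nothing flagged (a first filter, not clearance)"])
```

A clean result is a first filter, not clearance; compressed PDF streams and non-OOXML formats still need the sandboxed viewer described above.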
Awareness of what published work reveals about what comes next. The adversary reads your published work to construct a picture of your likely sources, your current focus, the contacts you are probably trying to reach. What you publish today shapes what approach is plausible against you tomorrow.
Frequently asked questions
How do journalists get hacked?
The most common vectors in documented cases are credential phishing through fake login pages, malicious attachments to press inboxes, and compromised accounts used to map source networks. The entry point is usually the professional infrastructure, not the encrypted messaging app.
What is a hardware security key and why does it matter?
A hardware security key is a physical USB or NFC token that provides a second factor of authentication that cannot be captured remotely. Even if an adversary captures your password through phishing, they cannot access the account without physical possession of the key. It eliminates the most common form of account compromise against journalists.
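As an added example, not from the article, a standard-library Python model of why a FIDO2/WebAuthn key survives the fake login page: the browser writes the page's real origin into the signed data and the key only holds a credential for the genuine site, so a relayed challenge fails at the real site. HMAC stands in for the key's asymmetric signature, and the domain names are constructed.

```python
import hashlib, hmac, json, os

def _mac(secret, rp_id, client_data):
    # Real keys sign rpIdHash || SHA-256(clientDataJSON); HMAC stands in for that here.
    rp_hash = hashlib.sha256(rp_id.encode()).digest()
    cd_hash = hashlib.sha256(json.dumps(client_data, sort_keys=True).encode()).digest()
    return hmac.new(secret, rp_hash + cd_hash, "sha256").digest()

class HardwareKey:  # models the authenticator: one secret per site (rp_id), never exported
    def __init__(self):
        self._creds = {}
    def register(self, rp_id):
        self._creds[rp_id] = os.urandom(32)
        return self._creds[rp_id]  # stands in for the public key handed to the site
    def sign(self, rp_id, client_data):
        if rp_id not in self._creds:  # no credential for this site: nothing to sign
            return None
        return _mac(self._creds[rp_id], rp_id, client_data)

class RelyingParty:  # the real site: accepts only assertions that name its own origin
    def __init__(self, rp_id):
        self.rp_id, self.origin, self.verifiers = rp_id, "https://" + rp_id, {}
    def register(self, user, key):
        self.verifiers[user] = key.register(self.rp_id)
    def finish_login(self, user, challenge, client_data, sig):
        if sig is None or client_data.get("origin") != self.origin \
                or client_data.get("challenge") != challenge:
            return False  # the origin check is what a look-alike domain cannot pass
        return hmac.compare_digest(_mac(self.verifiers[user], self.rp_id, client_data), sig)

def browser_login(page_origin, key, challenge):
    """The browser, not the page, fills in the origin and derives rp_id from it."""
    rp_id = page_origin.removeprefix("https://")
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    return client_data, key.sign(rp_id, client_data)

def attempt_login(site, key, page_origin, tamper=False):
    challenge = os.urandom(16).hex()  # issued by the real site; a phishing page relays it
    client_data, sig = browser_login(page_origin, key, challenge)
    if tamper:  # attacker rewrites origin before forwarding: signed data no longer matches
        client_data["origin"] = site.origin
    return site.finish_login("reporter", challenge, client_data, sig)

def scenarios():
    """(legitimate, look-alike domain, look-alike after enrolling there, tampered origin)"""
    key, site = HardwareKey(), RelyingParty("mail.example.org")
    site.register("reporter", key)
    real, fake = "https://mail.example.org", "https://mail-example.org"
    a, b = attempt_login(site, key, real), attempt_login(site, key, fake)
    key.register("mail-example.org")  # the user was tricked into enrolling the key there too
    return a, b, attempt_login(site, key, fake), attempt_login(site, key, fake, tamper=True)
```

Only the first scenario succeeds: a password typed into the fake page is captured, but a key assertion produced there is useless against the real site.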
There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
