Russia didn’t break Signal. It used the feature you’ve never checked.
Short answer
Since mid-February 2026, German federal prosecutors have been investigating a phishing campaign that compromised around 300 Signal accounts belonging to government ministers, military personnel, diplomats, and journalists. Signal’s encryption was not touched. Attackers sent QR codes impersonating Signal support and used Signal’s own Linked Devices feature to attach a second phone to each account, so every message after that point arrived in two places at once.
What happened
Germany’s domestic intelligence service BfV and federal cybersecurity authority BSI issued a joint warning in February 2026 about a phishing campaign targeting Signal accounts, describing the actor as state-controlled. Federal prosecutors opened an espionage investigation.
On April 26, the German government told press agencies it suspected Russia. Two government ministers, members of parliament, senior military officers, diplomats, and journalists were among the targets. Dutch intelligence had issued a parallel warning in March, describing the same campaign as global in scope and pointing to Russian state hackers targeting Signal and WhatsApp accounts across Europe.
Around 300 accounts were compromised. The investigation continues.
The mechanics
Signal lets you run one account across multiple devices: phone, tablet, desktop. You add a device by scanning a QR code from Signal’s official Linked Devices screen. Once linked, that device receives everything: incoming messages, outgoing messages, stored files.
The attackers built their campaign around this. They sent messages impersonating a Signal security chatbot, warning targets of unauthorised access on their account. The message created urgency. The fix, they said, was to scan a QR code to verify identity and re-secure the account.
The QR code was a device-linking request. Scanning it added an attacker-controlled device to the target’s account. Signal then did exactly what it was designed to do: it delivered every subsequent message to both devices simultaneously.
No exploit. No zero-day. A message, a QR code, thirty seconds.
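For defenders who decode QR images out of reported messages, the check below flags payloads that are Signal device-linking requests rather than ordinary links. It is an added example, not part of the original article. It assumes the sgnl://linkdevice?... URI form used by Signal's open-source clients, which the article does not spell out; the function names and sample strings are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption (not stated in the article): Signal's open-source clients encode a
# device-linking request as sgnl://linkdevice?uuid=...&pub_key=...
LINK_SCHEME = "sgnl"
LINK_HOST = "linkdevice"
MAX_DEPTH = 3  # layers of URL-inside-a-parameter wrapping to unpack

# Constructed sample payloads (placeholder values, not real identifiers).
SAMPLES = [
    "sgnl://linkdevice?uuid=AAAA&pub_key=BBBB",
    "https://support.example.invalid/verify?next=sgnl%3A%2F%2Flinkdevice%3Fuuid%3DAAAA",
    "https://signal.org/download/",
]


def _split(payload):
    try:
        return urlsplit(payload.strip())
    except ValueError:  # e.g. malformed bracketed host
        return None


def is_link_request(payload):
    """True if the payload itself is a Signal device-linking URI."""
    parts = _split(payload)
    return (parts is not None and parts.scheme.lower() == LINK_SCHEME
            and parts.netloc.lower() == LINK_HOST)


def classify_qr_payload(payload, depth=0):
    """Return 'device-link', 'wrapped-device-link' or 'other' for a decoded QR string."""
    if is_link_request(payload):
        return "device-link" if depth == 0 else "wrapped-device-link"
    parts = _split(payload)
    if parts is None or depth >= MAX_DEPTH:
        return "other"
    # A web link can carry the linking URI percent-encoded in a query parameter
    # or the fragment; parse_qsl decodes one layer of percent-encoding itself.
    candidates = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    if parts.fragment:
        candidates.append(unquote(parts.fragment))
    if any(classify_qr_payload(v, depth + 1) != "other" for v in candidates):
        return "wrapped-device-link"
    return "other"


if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_qr_payload(sample), sample)
```

Either non-"other" verdict on a QR code that arrived unsolicited matches the pattern described above: the code links a device, it does not verify anything.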
What encryption protects
Signal’s encryption does what it advertises. Messages between linked devices are encrypted end-to-end, the math is publicly audited, and breaking the cryptography is not a realistic objective for any state actor working in a useful timeframe.
What is realistic is compromising the person who holds the device. One message that looks like a security alert, thirty seconds of attention under pressure, and Signal keeps doing its job: it delivers to both phones, because both phones are now legitimately linked. This is the same shape of failure we have written about elsewhere, where the tool cannot undo what has already happened at the device level. The math holds. The trust model fails.
The list nobody checks
Signal shows every linked device under Settings, then Linked Devices. Each entry has a name and a date. A device the user does not recognise on that list has full access to their account and their message history.
Most Signal users have never opened that screen.
The attack persists until the unauthorised device is removed. A target who checked their linked devices the day after being phished could have ended the access immediately. A target who never checks does not know the access exists, and may not know it ever did. The standard signs of a phone operating under unauthorised access are easy to miss when nothing else looks broken.
Who was targeted
Ministers. Military officers. Diplomats. Journalists. The German and Dutch warnings describe a campaign built around high-value accounts specifically: people whose Signal communications have direct intelligence value to a state actor. The digital security baseline for diplomats and expats in high-risk environments presupposes Signal as a building block, not as the answer.
These are also the people most likely to believe they are already secure because they use Signal. That belief is the entry point. It tracks a pattern we have documented in this niche before: most journalists are compromised before they know it, because the tool gets treated as the conclusion rather than the starting point.
The Dutch warning described the campaign as global. Germany and the Netherlands issued public warnings. That does not bound the campaign geographically.
What to check before you close this tab
Open Signal. Settings. Linked Devices. Every entry there receives your messages in real time. If anything on that list is unrecognised, remove it. Removing a linked device ends its access immediately and permanently. It does not retroactively undo what was already received.
If the list is clear, check it again in two weeks. This takes twenty seconds.
Signal does not have a support chatbot. It does not send security alerts by direct message. It does not ask you to scan a QR code to protect your account. Any message claiming otherwise is the attack.
Frequently asked questions
Was Signal hacked?
No. Signal’s end-to-end encryption was not compromised. The campaign used Signal’s Linked Devices feature, which is legitimate and works as designed. The vulnerability lived in user behaviour, not in the application. The cryptography continued to function correctly throughout the campaign and delivered every compromised message to both the legitimate phone and the attacker’s phone, exactly as a multi-device account is built to do.
How do I know if my account was compromised this way?
Open Signal, go to Settings, select Linked Devices. Any device you do not recognise has had access to your messages. Remove it. Then change your Signal PIN under Settings, Account, Signal PIN. Removing the device ends current access. Changing the PIN raises the cost of any future re-registration attempt against the same account.
Does this affect WhatsApp?
Dutch intelligence specifically included WhatsApp in their warning. WhatsApp has its own Linked Devices feature, which was also targeted in parallel campaigns. The same audit applies: open WhatsApp, go to Settings, select Linked Devices, and remove anything unfamiliar. WhatsApp shows the last time each linked device was active, which makes spotting an unknown session more straightforward than on Signal.
Who should be most concerned?
Anyone whose Signal communications carry value to a sophisticated adversary. Journalists covering security, defence, or government. Lawyers on sensitive cases. NGO workers in contact with sources in conflict zones. Military personnel. Government employees with access to non-public information. The campaign described in the German warning was selective. The exposure surface is not.
Signal did not fail. The thirty seconds before scanning an unsolicited QR code did. Both are solvable. One requires checking a list that takes twenty seconds to read. The other requires knowing that Signal will never send a security alert by direct message. Both are worth knowing now.
There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
