Suspected Russian phishing via Signal targeted German officials, exploiting trust to access accounts and sensitive political communications.

A new wave of cyber operations targeting European political leadership is once again highlighting how modern espionage increasingly relies on deception rather than technical exploits. Recent investigations by German authorities point to a large-scale phishing campaign conducted via the Signal messaging platform, with strong suspicions of Russian involvement.

According to multiple reports [1, 2, 3], the campaign targeted high-profile individuals, including German politicians, ministers, military personnel, diplomats, and journalists. German prosecutors have launched an investigation into what they believe may be a coordinated espionage effort, with early evidence suggesting a state-sponsored actor.

The attack did not rely on malware or vulnerabilities in Signal itself. Instead, it exploited human trust—arguably the weakest link in cybersecurity. Victims were approached through messages impersonating official Signal support or trusted contacts, prompting them to share authentication codes, scan malicious QR codes, or click on crafted links. Once compromised, attackers gained access to private chats, contact lists, and potentially sensitive political discussions.

One of the most notable targets was Julia Klöckner, whose account was reportedly compromised through a phishing attempt embedded in what appeared to be a legitimate group chat linked to her political party. The operation also attempted to target German Chancellor Friedrich Merz, although no compromise was confirmed in that case.

Authorities estimate that hundreds of accounts may have been affected. While Berlin has not formally attributed the campaign, intelligence sources increasingly point toward Russian involvement, consistent with a broader pattern of cyber activities aimed at European democracies.

“The German government suspects Russia is behind a series of phishing attacks on Signal targeting high-ranking politicians, including two government ministers, military personnel and journalists, a government spokesperson said.

“Federal prosecutors have been conducting a preliminary investigation since mid-February 2026 into alleged cyberattacks on Signal accounts, a spokesperson for the federal prosecutors confirmed on Saturday. Among other things, the investigation involves an initial suspicion of espionage, she added, without specifying which country might be involved.” reads the report published by the Associated Press.

“The German government has still not officially attributed the attacks to Russia.”

This incident is not isolated. Over the past decade, Western intelligence agencies have repeatedly linked Russian state-backed groups to cyber espionage and influence operations targeting political institutions. These activities are part of a broader strategy often described as “hybrid warfare,” where cyber operations, disinformation, and psychological tactics are combined to achieve geopolitical objectives without direct military confrontation.

Security experts stress that what makes this campaign particularly concerning is its simplicity and effectiveness. Instead of exploiting software flaws, attackers leveraged legitimate platform features and social engineering techniques. This approach allows them to bypass many traditional security controls and remain largely undetected.

We are witnessing a new phase of hybrid warfare, where attackers don’t need to break encryption—they just trick the user. The human factor has become the primary attack surface.”

Targeting secure messaging platforms like Signal demonstrates how threat actors adapt quickly to changing communication habits. When politicians and officials move to more secure platforms, adversaries follow them. The battlefield is no longer the infrastructure, but the user.”

Another critical aspect is the potential impact. Access to private conversations between political leaders, policymakers, and diplomats can provide strategic intelligence, enable blackmail, or support disinformation campaigns. Even limited breaches can undermine trust in secure communication tools and institutions.

German authorities, including the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI), have already issued warnings about similar tactics earlier this year. They highlighted that such campaigns are likely ongoing and could expand to other platforms like WhatsApp or Telegram.

The broader implication is clear: cybersecurity is no longer just a technical issue but a geopolitical one. As digital communication becomes central to governance, diplomacy, and decision-making, it also becomes a primary target for intelligence operations.

This campaign serves as a reminder that even the most secure technologies cannot protect against deception if users are not adequately trained and aware. In today’s threat landscape, resilience depends not only on encryption and infrastructure but also on human vigilance.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – German officials, Bundestag)

Germany’s Bundestag President Klöckner was targeted in a Signal phishing attack via a fake CDU group chat.

Germany’s Bundestag President Julia Klöckner has reportedly become the latest European political figure targeted through a Signal-based phishing attack, reported Der Spiegel. The incident is another reminder that even trusted messaging apps can become entry points when attackers go after the person, not the platform.

The attack targeted Klöckner’s phone through a Signal group chat linked to CDU officials. Chancellor Friedrich Merz was reportedly included but not compromised, and at least one other CDU lawmaker was also affected.

“Chancellor Friedrich Merz is also part of the group, although German domestic intelligence reportedly found no evidence his phone had been compromised. Der Spiegel also reported that at least one other CDU lawmaker was affected.” reported Politico.

What makes this case notable is not just the target, but the method. Attackers did not need to break Signal’s encryption. Instead, they appear to have used a phishing-style technique to trick users into revealing sensitive information, including PIN codes. That is a classic example of how cybercriminals often bypass strong technology by exploiting human trust.

The timing is also important. European cybersecurity and intelligence agencies had already warned earlier this month about a campaign in which attackers posed as a fake Signal support chatbot. The goal was simple: lure users into handing over authentication details. Germany’s domestic intelligence service had issued a similar warning in February, which shows that the threat was already known before this incident surfaced.

This matters because Signal has long been viewed as a secure communications tool. The European Commission has recommended since 2020 that officials use it for non-work communication. But secure design does not protect against account takeover, social engineering, or device compromise. If an attacker can get access to the phone number, the verification code, or the PIN, the app’s underlying security can be undermined.

The broader lesson is that messaging apps are only one layer of protection. Security now depends on the entire chain: the device, the account, the recovery process, and the user’s ability to spot deception. A secure app can still be weakened by weak endpoint hygiene, reused credentials, or a convincing fake support message.

For public officials, the risks are even higher. Their communications can expose political strategy, internal discussions, and personal details that attackers can later use for fraud, espionage, or influence operations. That makes identity protection and device hardening just as important as encryption.

Organizations and public bodies should treat this as a warning for their own staff. Any app used for sensitive communication should be backed by strong mobile security controls, phishing awareness, and rapid incident response procedures. Staff should be trained to ignore unsolicited support messages, verify any request through a separate trusted channel, and report suspicious account activity immediately.

There is also a governance issue here. If officials are encouraged to use secure consumer apps for private communication, those apps need to be protected by clear policies on device enrollment, PIN management, and recovery settings. Otherwise, the security benefit is only partial.

The key point is simple: modern attacks often succeed by attacking trust, not encryption. This case shows how a well-designed app can still become part of a compromise when users are deceived into giving away access. For governments and enterprises alike, the answer is not to abandon secure messaging, but to pair it with stronger identity controls, better training, and faster detection of phishing attempts.

In March, a cyberattack targeting Signal and WhatsApp users hit high-ranking German officials, including former BND Vice President Arndt Freytag von Loringhoven. The official reported being contacted by someone posing as Signal support and asked for his PIN. This incident highlights a broader cyber espionage campaign against sensitive individuals in security agencies and political positions.

“He is far from the only prominent victim of the global wave of attacks against user accounts at Signal and WhatsApp. According to SPIEGEL, high-ranking German politicians have reported themselves to the authorities as victims, and active officials in security agencies have also been attacked.” reads the report published by SPIEGEL. Back in February, the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) classified the attack as “security-relevant” and urged those affected to come forward. The BfV stated that this warning met with a “high response” and that they believe it prevented even worse damage.”

German authorities warned Signal users to check for suspicious signs, such as unknown devices listed under “paired devices” or unexpected prompts to re-register accounts.

In the case of former BND official Arndt Freytag von Loringhoven, attackers used his compromised account to send a malicious link to contacts. He quickly warned them not to open it and deleted his account. Investigators believe the incident is part of ongoing hybrid campaigns linked to Russia. Given Loringhoven’s work on Russian hybrid warfare and his book Putin’s Attack on Germany, he was likely considered a high-value target.

Signal warned that the attacks rely on social engineering, with attackers posing as trusted contacts or fake support services to trick users into sharing verification codes or PINs. The company stressed it will never ask for these details via messages or social media and urged users to stay vigilant and never share login codes.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Bundestag)