Morning Overview

Germany says Russia-linked phishing hit hundreds of Signal accounts

German security officials have warned that a Russia-linked phishing campaign compromised hundreds of Signal accounts inside the country, part of a broader operation that the FBI and the Cybersecurity and Infrastructure Security Agency say has breached thousands of accounts worldwide. The warning, which surfaced in April 2026 through German government channels, follows a joint public advisory published by the FBI’s Internet Crime Complaint Center and CISA on March 20, 2026, titled “Russian Intelligence Services Target Commercial Messaging Application Accounts.”

The campaign targets journalists, activists, and government workers who depend on Signal’s end-to-end encryption for sensitive conversations. It does not break Signal’s cryptography. Instead, it exploits the way people use the app, turning a legitimate convenience feature into a surveillance tool.

How the attack works

The FBI-CISA advisory describes two primary techniques. The more novel one abuses Signal’s linked-device feature, which normally lets users pair their phone account with a desktop or tablet. Attackers send phishing messages containing a malicious QR code or a fraudulent device-linking invitation. When a target scans the code or clicks the link and approves the pairing, the attacker’s device begins receiving a real-time copy of every incoming and outgoing message. No password reset is triggered. No obvious alert appears on the victim’s phone.

The second technique is more conventional. Targets receive messages crafted to look like legitimate Signal notifications or security alerts, directing them to spoofed login pages where credentials and verification codes are harvested. The FBI’s resource page on spoofing and phishing describes this category of social engineering in detail.

What makes both techniques especially dangerous is that end-to-end encryption can create a false sense of total security. Encryption shields messages while they travel between devices, but it offers no protection once an attacker has been granted device-level access through a phishing trick.

The linked-device abuse vector is not entirely new. Google’s Threat Analysis Group reported in February 2025 that Russian-aligned threat actors were already exploiting Signal’s device-pairing feature to monitor the communications of Ukrainian military personnel and others. The FBI-CISA advisory confirms the technique has since expanded well beyond that initial target set.

What Germany has flagged

The joint U.S. advisory does not single out Germany by name. However, the FBI-CISA document states that the campaign “has resulted in unauthorized access to thousands of individual accounts” and describes the operation as targeting users across multiple countries. German officials have separately indicated that hundreds of Signal accounts within the country were affected. Germany’s Federal Office for Information Security (BSI), which routinely coordinates with international partners on threats of this kind, is the most likely institutional source for that figure, though neither the BSI nor Germany’s domestic intelligence service (BfV) has published a formal advisory with a confirmed account count as of May 2026.

The “hundreds” figure circulating in European press coverage should therefore be treated as an estimate drawn from official briefings rather than a verified institutional dataset. Still, the scale is consistent with the FBI-CISA assessment that the campaign has compromised thousands of accounts globally across multiple messaging platforms, with Signal as a primary target.

What remains unclear

Several important questions are unresolved. The U.S. advisory attributes the operation broadly to “Russian Intelligence Services-associated actors” without naming a specific agency such as the GRU, SVR, or FSB. That distinction matters: different Russian services operate with different methods, target priorities, and levels of aggression, and without a more precise label, researchers cannot easily map this campaign onto known threat groups.

The advisory also does not describe what the attackers did with intercepted messages. Whether data was exfiltrated to Russian servers, used for real-time surveillance, or fed into influence operations is unknown. No victim-impact data has been released, leaving a significant gap in understanding the real damage.

Timing is another open question. The advisory does not specify when the campaign began or confirm whether it is still active. Its present-tense language suggests the operation has not been fully disrupted, but it stops short of declaring active exploitation as of the publication date. Signal has not publicly commented on whether it has introduced additional safeguards around the linked-device feature since the Google TAG report in 2025.

What Signal users should do now

The single most effective step is to audit linked devices immediately. Open Signal, go to Settings, tap “Linked Devices,” and remove any entry you do not recognize. That action severs an attacker’s access on the spot.

Beyond that, CISA’s mobile security guidance, referenced in the joint advisory, recommends several additional measures:

  • Enable a registration lock (Signal PIN) to prevent unauthorized re-registration of your number.
  • Never scan a QR code or approve a device-pairing request that arrives through an unsolicited message, even if it appears to come from Signal itself.
  • Use strong screen locks and biometric authentication on all devices where Signal is installed.
  • Treat unexpected “security alert” messages with suspicion. Signal does not send in-app prompts asking users to verify their accounts through external links.

Organizations that rely on Signal for sensitive work should go further: establish policies for regular linked-device reviews, train staff to recognize phishing patterns like those described in the FBI’s spoofing guidance, and report suspected compromises to a nearby FBI field office or through IC3.
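One way an organization could back up that training with an automated check, shown here as an added example that is not part of the original article or the FBI-CISA advisory: label text decoded from a QR code, or a link pulled from an inbound message, that would start a Signal device pairing. It assumes the pairing URI uses the scheme `sgnl` with host `linkdevice`, a detail the article does not give; the sample payloads, hosts and function names are constructed.

```python
from urllib.parse import unquote, urlsplit

# Assumption (not stated in the article): a Signal device-linking QR code
# encodes a URI with scheme "sgnl" and host "linkdevice".
MARKER = "sgnl://linkdevice"

def is_link_uri(text: str) -> bool:
    """True when the payload itself is a device-linking URI."""
    try:
        parts = urlsplit(text.strip())
        return f"{parts.scheme}://{parts.hostname or ''}" == MARKER
    except ValueError:  # malformed input is not a pairing URI on its own
        return False

def classify(payload: str, max_rounds: int = 3) -> str:
    """Label a decoded QR payload or a link taken from an inbound message."""
    if is_link_uri(payload):
        return "device-link"
    text = payload
    # Percent-decode a bounded number of times so a pairing URI carried
    # inside another URL's parameter or fragment is still recognised.
    for _ in range(max_rounds + 1):
        if MARKER in text.lower():
            return "wrapped-device-link"
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return "no-device-link"

def review_inbound(items):
    """Return (source, label) for every item that would start a pairing."""
    labelled = ((source, classify(payload)) for source, payload in items)
    return [(s, label) for s, label in labelled if label != "no-device-link"]

# Constructed samples: identifiers and hosts are placeholders, not indicators.
SAMPLES = [
    ("qr-in-chat", "sgnl://linkdevice?uuid=CONSTRUCTED&pub_key=CONSTRUCTED"),
    ("link-in-email", "https://invite.example/join?next=sgnl%3A%2F%2Flinkdevice%3Fuuid%3DCONSTRUCTED"),
    ("double-encoded", "https://alerts.example/r?u=sgnl%253A%252F%252Flinkdevice%253Fuuid%253DX"),
    ("benign", "https://signal.org/download/"),
]

if __name__ == "__main__":
    for source, label in review_inbound(SAMPLES):
        print(f"{source}: {label} -> hold for review, do not scan or approve")
```

A pairing started from the user's own desktop app is legitimate, so the label is a prompt to check where the code came from, not a verdict.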

Why this campaign matters for encrypted messaging trust

Signal’s user base is not random. It includes war correspondents, human rights workers, political dissidents, and government staff who chose the app precisely because they assumed it offered stronger protection than email or SMS. A phishing operation that compromises thousands of accounts in that population carries consequences that extend well past ordinary cybercrime. Even if only a fraction of victims handled sensitive material, the potential for exposing sources, revealing location data, or mapping entire social networks is substantial.

At the same time, the campaign is a reminder that encryption is necessary but not sufficient. Every technique documented in the advisory depends on persuading a human to approve a rogue device or surrender a credential. The threat is social engineering, not a cryptographic breakthrough. For anyone who depends on secure messaging, the lesson is blunt: the weakest link is not the algorithm. It is the moment you tap “approve” without thinking twice.

*This article was researched with the help of AI, with human editors creating the final content.