Morning Overview

Germany suspects Russia behind Signal phishing targeting top politicians

German security officials believe Russian intelligence is behind a phishing campaign aimed at senior politicians who use Signal for confidential government communications, according to reports from Berlin that align with a stark warning issued by U.S. federal agencies in March 2026. The FBI and the Cybersecurity and Infrastructure Security Agency disclosed that cyber actors tied to Russian intelligence services had already breached thousands of Signal accounts worldwide, exploiting the very trust that makes encrypted messaging apps attractive to political leaders.

The campaign marks a pointed escalation in Russia’s long-running effort to penetrate European political networks. For Germany, which has been a primary target of Russian cyber operations since the 2015 hack of the Bundestag attributed to the GRU-linked group APT28, the threat carries particular weight. Signal has become a default channel for coalition talks, defense discussions, and diplomatic back-channels in Berlin and other European capitals. If those conversations can be siphoned through social engineering rather than code-breaking, the platform’s encryption guarantees become irrelevant.

What the U.S. government has confirmed

The most concrete evidence comes from a joint public service announcement published by the FBI’s Internet Crime Complaint Center and CISA on March 20, 2026. Designated Alert Number I-032026-PSA, the bulletin names Signal explicitly and attributes the operation to “cyber actors associated with Russian Intelligence Services.” That phrasing is unusually direct. U.S. agencies more commonly refer to “advanced persistent threats” or “nation-state actors” without specifying a country, so the decision to name Russia signals high confidence in the underlying intelligence.

The PSA describes two distinct attack methods. The first uses fake login screens that mimic Signal’s verification process, tricking targets into entering authentication codes or PINs. The second delivers malware through malicious links, giving attackers persistent access to a device and every conversation on it. Both methods bypass encryption entirely by compromising the human endpoint rather than the cryptographic protocol.

Supporting guidance from the FBI details how spoofing and phishing tactics forge sender identities to appear trustworthy, while CISA has published a separate framework for stopping phishing attacks at their earliest phase, emphasizing rapid reporting and user awareness as the first line of defense.

The German dimension

Berlin’s involvement in this story rests on thinner ground than the U.S. alert. No primary statement from Germany’s Federal Office for the Protection of the Constitution (BfV), the Federal Intelligence Service (BND), or the Federal Office for Information Security (BSI) has been published confirming a formal attribution to Russian intelligence. German media reports describe the suspicion as coming from security circles in Berlin, and the assessment tracks closely with the FBI and CISA findings, but alignment is not the same as independent verification.

Key details remain undisclosed. Which politicians were targeted, how many German accounts were affected, and whether any compromise succeeded are all unanswered. The U.S. PSA quantifies the global toll at thousands of breached accounts but does not break down the geographic distribution. Whether Germany is a primary focus or was swept up in a broader dragnet is not established in any publicly available document.

Germany’s vulnerability, however, is well documented. The 2015 Bundestag intrusion, attributed by German authorities to APT28 (also known as Fancy Bear, a unit of Russia’s GRU military intelligence), resulted in the theft of roughly 16 gigabytes of data, including emails from members of parliament. In the years since, German intelligence officials have repeatedly warned that Russian cyber operations are intensifying against European political targets, particularly around elections and major policy debates over Ukraine and NATO.

Why encrypted apps are now a prime target

Russian-linked cyber operations have shifted over the past several years from large-scale infrastructure attacks and bulk data theft toward precision targeting of the communication channels political elites actually use. Encrypted messaging apps represent an ideal target: compromising a single account can yield months of private conversations without triggering obvious alarms, especially when access is obtained through stolen credentials rather than visible malware.

The logic is straightforward. End-to-end encryption protects messages in transit, but it cannot protect a user who hands over login credentials to a fake verification screen or installs software that gives an attacker direct access to the device. The security of any encrypted platform ultimately depends on the security of the people and devices at each end of the conversation. Phishing campaigns like the one described by U.S. authorities exploit exactly that gap, turning familiarity with a trusted app into an entry point for espionage.

For European governments, the implications extend beyond individual accounts. If attackers can silently monitor Signal groups used for real-time policy coordination, they gain access not just to what leaders are saying but to how decisions are being made, which arguments are winning, and where internal disagreements create leverage. That kind of intelligence is far more valuable than a single leaked document.

What potential targets should do now

Anyone who uses Signal for work that could interest a foreign intelligence service should take immediate steps to harden their account. The process takes less than five minutes and directly counters both attack methods described in the FBI and CISA alert:

  • Open Signal’s settings and review every linked device. Remove any session you do not recognize.
  • Enable registration lock with a strong PIN to prevent unauthorized re-registration of your number.
  • Treat any unexpected verification prompt, QR code request, or login screen as a potential attack. Verify it through a separate, trusted channel before responding.
  • Report suspicious messages to your organization’s security team or to law enforcement rather than engaging with them directly.

These measures will not stop a determined intelligence service from trying, but they close the specific doors this campaign has been walking through.

Whether Berlin will formally name Russia as the threat actor

The most important signal in the coming weeks will be whether German authorities issue their own formal advisory. A public statement from the BfV or BSI naming Russia would confirm the attribution independently of U.S. intelligence and likely trigger a diplomatic response. The absence of such a statement could mean Berlin is still investigating, or that it prefers to handle the matter through quieter channels.

Also worth monitoring is whether the campaign expands to other encrypted platforms. The FBI and CISA alert focuses on Signal, but the phishing techniques it describes, fake login screens and malware-laden links, are platform-agnostic. WhatsApp, Telegram, and other messaging services used by government officials across Europe could face similar operations. For now, the confirmed threat is specific and well-documented. The question is whether it stays that way.

*This article was researched with the help of AI, with human editors creating the final content.