Dutch intelligence agencies have warned that Russia-linked hackers breached Signal and WhatsApp accounts belonging to government officials and journalists. The alert, directed at Western governments and civil society groups, signals that even encrypted messaging platforms are vulnerable when attackers exploit how users connect their devices rather than the encryption itself. The warning underscores growing concern among European security services about targeted cyber espionage against officials and media.
How the Breaches Targeted Encrypted Apps
The Dutch warning centers on a tactic that sidesteps the strong encryption built into Signal and WhatsApp. Rather than cracking the apps’ cryptographic protocols, the attackers reportedly hijacked accounts by abusing the device-linking features that let users mirror their messages on secondary devices such as laptops or tablets. According to the Dutch agencies, attackers could take over accounts by tricking targets into scanning a QR code or clicking a link, allowing an attacker-controlled device to be linked to a victim’s account and potentially view messages sent and received.
This approach is significant because it does not require breaking encryption at all. The victim’s app continues to function normally, and messages still appear end-to-end encrypted on both sides of a conversation. But the attacker’s linked device receives a copy of everything, effectively turning the security feature into a surveillance channel. For officials exchanging sensitive policy discussions or journalists protecting confidential sources, the consequences of such a compromise are severe and immediate.
What makes this technique especially dangerous is that it leaves few traces. Unlike malware infections that security software might detect, a silently linked device operates within the app’s own trust model. Unless a user regularly audits their list of linked devices, the intrusion may persist unnoticed. The Dutch agencies attributed these breaches to Russia-backed hackers who targeted officials and journalists, a pattern consistent with known Russian intelligence operations focused on political and media figures in allied nations.
Why Consumer Messaging Apps Create Risk for Officials
The Dutch warning exposes a tension that Western governments have struggled with for years: officials and journalists increasingly rely on consumer-grade encrypted apps for sensitive conversations, yet these platforms were never designed to withstand targeted state-sponsored attacks. Signal and WhatsApp offer strong protection against mass surveillance and casual interception, but they depend on users following careful security hygiene. When a senior diplomat or defense reporter uses Signal on a personal phone with default settings, they inherit the same vulnerabilities as any other consumer.
Government agencies have recognized this gap. The U.S. Cybersecurity and Infrastructure Security Agency published best practice guidance for mobile communications that explicitly cautions against using consumer messaging apps for classified or sensitive information. That guidance recommends specific mitigations including device security hardening, strong authentication practices, and verification routines for linked devices. The advice amounts to an acknowledgment that encryption alone is not enough when the human layer around it remains soft.
The gap between what these apps promise and what they deliver in a high-threat environment is not a flaw in the software. It is a mismatch between the threat model the apps were built for and the threat model that applies to people targeted by intelligence services. Signal’s developers have repeatedly warned that their app protects message content in transit but cannot defend against a compromised endpoint or a user who falls for social engineering. The Dutch case illustrates that distinction with real-world consequences.
Russia’s Broader Cyber Espionage Pattern
The targeting of encrypted messaging accounts aligns with broader concerns among Western security services about Russian cyber espionage aimed at political and media figures. Groups linked to Russian intelligence services have previously targeted email systems, cloud platforms, and collaboration tools used by government agencies, think tanks, and newsrooms across Europe and North America. The shift toward encrypted messaging apps represents an adaptation: as targets move their most sensitive conversations off email and onto platforms like Signal, the attackers follow.
This evolution matters because it challenges a widespread assumption. Many officials adopted Signal specifically because they believed it offered protection against the kind of email compromises that plagued political campaigns and government agencies in prior years. The Dutch warning suggests that assumption was only partially correct. The encryption works, but the account security surrounding it can be defeated through relatively straightforward social engineering, particularly when targets are not trained to recognize device-linking attacks.
The broader implication is that no single communication tool can serve as a complete defense against a determined state-level adversary. Security depends on layered practices: verifying linked devices, using hardware security keys for authentication, keeping operating systems updated, and treating any unexpected QR code or device-pairing request as a potential attack vector. The hackers in the Dutch case succeeded not because Signal or WhatsApp failed technically, but because the people using them did not treat device management as a security-critical task.
What Officials and Journalists Should Do Now
For anyone in a role that might attract state-sponsored attention, the practical takeaways from the Dutch warning are concrete. First, regularly check the list of linked devices in both Signal and WhatsApp settings. Any device that is not immediately recognizable should be removed. Second, treat QR codes and device-pairing invitations with extreme suspicion, especially when they arrive through unexpected channels or from contacts who may themselves be compromised.
Third, adopt the broader mobile security practices that CISA has recommended. These include enabling the strongest available form of multi-factor authentication on accounts, following device-hardening steps, and keeping device software current to close known vulnerabilities. The Department of Homeland Security also points to the importance of security practices that go beyond individual user behavior, including organizational policies governing which platforms may be used for different categories of information.
The most important shift, though, is conceptual. Encrypted messaging apps provide strong protection for message content, but they are not fortresses. They are tools that require active maintenance and informed use. A journalist who checks their linked devices weekly and questions unexpected pairing requests is far harder to compromise than one who installs Signal and assumes the job is done. The same applies to diplomats, military officials, and anyone else whose communications carry strategic value.
*This article was researched with the help of AI, with human editors creating the final content.