Russia-linked hackers breached Signal and WhatsApp accounts belonging to government officials and journalists through targeted phishing campaigns, according to a warning issued by Dutch intelligence earlier this month. The Dutch Military Intelligence and Security Service, known as MIVD, attributed the operation to Russia-backed groups and said the attackers had likely gained access to sensitive communications. The disclosure has prompted Signal to issue a scam warning to its users and raises hard questions about how even encrypted platforms can be exploited when human judgment fails.
Dutch Intelligence Exposes the Campaign
The Netherlands became the first Western government to publicly detail this specific operation when MIVD disclosed that Russia-backed hackers had breached accounts on Signal and WhatsApp belonging to officials and journalists. The agency assessed that the hackers had likely gained access, a careful but pointed phrasing that signals high confidence without claiming full certainty about the scope of compromised data.
What makes this disclosure significant is the target selection. Officials and journalists are among the most security-conscious user groups on encrypted messaging platforms. They are routinely briefed on digital risks, often use hardened devices, and in some cases work with professional security teams. If phishing techniques can fool people who regularly handle classified or sensitive material, ordinary users face an even steeper challenge recognizing and resisting similar attacks.
The breach did not exploit a flaw in Signal or WhatsApp’s encryption protocols. Instead, it targeted the people using those tools, a distinction that matters for understanding where the real vulnerability sits. End-to-end encryption can be mathematically sound while still being undermined by a well-crafted message that persuades a target to click, tap, or approve something they should not.
How Phishing Bypasses Encryption
End-to-end encryption protects messages in transit between devices. It ensures that service providers, network operators, and third parties cannot read message contents as they move across the internet. It does not protect a user who is tricked into handing over login credentials, linking a new device to their account, or clicking a malicious link that grants an attacker session access. That gap between technical security and user behavior is exactly what this campaign exploited.
Phishing attacks against encrypted messaging apps typically work by sending a convincing message, often impersonating a trusted contact, a platform support team, or a government agency. The message might direct the target to a fake login page, ask them to share a one-time code, or prompt them to approve a device-linking request that appears legitimate. Once the attacker gains session access or registers a new device, they can read incoming and outgoing messages in real time without ever breaking the encryption itself.
The MIVD warning did not specify the exact phishing method used in this campaign, but the pattern fits well-documented techniques that Russian intelligence units and affiliated groups have refined over the past several years. Rather than investing in speculative attempts to defeat cryptography, they focus on the predictable weaknesses of hurried, distracted, or overconfident users.
This approach is cheaper and more reliable than trying to crack encryption mathematically. It also scales efficiently: a single convincing phishing template can be sent to dozens or hundreds of targets, and only one successful click is needed to compromise an account. For intelligence agencies with the resources to craft highly personalized lures, drawing on social media, public records, and prior breaches, the success rate can be disturbingly high.
Signal Responds, WhatsApp Stays Quiet
Signal moved quickly after the Dutch disclosure. The company issued a scam warning to users and stated that its systems “have not been compromised and remain robust.” Signal also said it was taking reports of such activity “very seriously,” language that acknowledged the threat while drawing a clear line between platform security and individual account takeovers.
That distinction is technically accurate but limited in its reassurance. When a state-backed hacking group successfully accesses accounts on your platform, telling users the underlying code is intact does not address the practical damage already done. Compromised accounts of officials and journalists can yield intelligence on diplomatic negotiations, source identities, military planning, and policy deliberations, none of which are recoverable once exposed. Even if the breach is contained, the mere possibility that conversations were monitored can chill future communications and erode trust in the medium.
WhatsApp, the other platform named in the MIVD disclosure, has not publicly commented on the breach, according to available reporting. That silence is notable given WhatsApp’s ownership by Meta and the company’s history of taking aggressive legal action against surveillance firms that targeted its users. Whether WhatsApp is conducting its own investigation, coordinating quietly with governments, or simply deferring to official statements for attribution remains unclear from the sources describing the incident.
Why Encrypted Apps Keep Drawing State Hackers
The targeting of Signal and WhatsApp by Russian-linked groups is not random. These platforms have become default communication tools for diplomats, defense officials, journalists covering conflict zones, and activists operating under authoritarian pressure. Their adoption surged after revelations about mass surveillance programs, and both apps are regularly recommended by security researchers as safer alternatives to standard SMS, unencrypted email, or social media messaging.
That widespread adoption among high-value targets is precisely what makes these platforms attractive to intelligence services. Breaking into a single Signal account belonging to a defense ministry official or a senior diplomat could yield more actionable intelligence than months of traditional signals interception. Access to a journalist’s account might reveal confidential sources, travel plans, or embargoed stories that point to future policy moves.
The encrypted nature of the communications also means that once access is lost, there is no easy way to audit what was read or exfiltrated. Unlike traditional wiretaps or network-level surveillance, which can sometimes be reconstructed from logs, a compromised endpoint on an encrypted app leaves a far lighter forensic footprint. That ambiguity benefits the attacker, who can quietly monitor conversations for as long as their access persists.
Russian cyber operations have a long history of targeting communication platforms used by adversaries, from email providers to social networks to government systems. The apparent shift toward encrypted messaging apps represents an adaptation to the security improvements that drove targets away from more vulnerable channels in the first place. As more official and journalistic business migrates into encrypted chats, the incentive to compromise those endpoints only grows.
The Limits of Encryption as a Shield
A persistent misconception is that end-to-end encryption makes a conversation impenetrable. In practice, encryption protects only one layer of the communication chain. The endpoints (meaning the devices and accounts of the people in the conversation) remain exposed to social engineering, malware, physical device theft, and credential reuse. This campaign is a clear example of attackers choosing to go around the encryption rather than through it.
Most coverage of the MIVD disclosure has understandably focused on the geopolitical angle: Russia targeting Western officials and media. But the more durable lesson applies to anyone who relies on encrypted messaging for sensitive communication. Encryption is a necessary condition for secure messaging, not a sufficient one. Users who treat Signal or WhatsApp as inherently safe without practicing basic phishing hygiene are leaving a door open that no amount of cryptographic strength can close.
That hygiene is not exotic. It includes verifying unexpected messages that ask for codes or approvals, being wary of urgent requests that try to rush a decision, avoiding links from unknown or untrusted senders, and regularly checking which devices are linked to an account. For officials and journalists, it may also mean separating personal and professional communications across different numbers or devices, and promptly reporting any suspicious activity to security teams.
The Dutch warning and Signal’s response underscore a broader reality. As encrypted apps become infrastructure for political, diplomatic, and journalistic work, they will remain prime targets for state-backed hackers. Technical improvements to encryption and app design can reduce some risks, but they cannot eliminate the human element that phishing exploits. For users who depend on these tools, the lesson is not to abandon them, but to pair strong encryption with equally strong skepticism about what appears on screen.
*This article was researched with the help of AI, with human editors creating the final content.