Signal Used as an Entry Point in Targeted Phishing Campaigns Across Europe
German cybersecurity and intelligence authorities have issued a joint warning about an active phishing campaign abusing the Signal messaging platform to gain access to sensitive communications. The campaign targets high-value individuals, including political figures, military personnel, diplomats, and investigative journalists in Germany and across Europe.
What makes the activity notable is not a technical flaw in Signal itself, but the deliberate misuse of legitimate platform features. Attackers rely entirely on social engineering and trust manipulation rather than malware or software vulnerabilities.
How the Attack Works
The campaign operates through direct interaction with victims inside the messaging app.
Attackers impersonate Signal support entities, often presenting themselves as “Signal Support” or an automated “Security ChatBot”. Victims are contacted with urgent messages claiming account issues or potential data loss.
Two primary techniques have been observed:
Registration takeover. Victims are pressured into sharing a verification code or PIN received via SMS. This allows attackers to re-register the account on their own device, gaining access to future messages and the contact list.
Device linking abuse. Victims are tricked into scanning a QR code under the pretext of security verification. This silently links an attacker-controlled device, granting access to recent conversations while the victim remains unaware.
In both cases, no malicious links or exploits are used. The attack succeeds by exploiting user trust in a secure platform.
Why This Matters
This campaign highlights a broader shift in cyber-espionage and targeted phishing. Secure platforms are increasingly being used, as-is, as attack surfaces.
When messages originate inside trusted, encrypted apps, traditional security controls offer little visibility. The compromise of a single messenger account can expose entire professional networks through group chats, contact graphs, and impersonation.
Importantly, this technique is not limited to Signal. Similar account-linking and verification mechanisms exist in other widely used messaging platforms.
DIAMATIX Perspective
From a defensive standpoint, this is another example of living-off-the-platform abuse. The infrastructure behaves exactly as designed. The failure point is not encryption, but identity verification and user decision-making.
Key takeaways for organizations and service providers:
Encrypted messaging apps must be treated as high-value identity assets, not just communication tools.
Security awareness must explicitly cover support impersonation inside trusted platforms, not only email phishing.
Policies should mandate registration locks, periodic review of linked devices, and clear escalation paths for suspected account compromise.
For MSPs and security teams, this reinforces the need to monitor account-level risk, not only endpoint or network indicators.
As attackers increasingly bypass technical defenses by abusing legitimate features, resilience depends on understanding intent, not just infrastructure.
Sources
Germany’s Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI). Joint advisory on phishing campaigns abusing messaging platforms.
Public documentation and technical analysis of Signal account security features (PIN protection, device linking).
Industry research on Telephone-Oriented Attack Delivery (TOAD) and living-off-the-platform social engineering techniques.






