The Signal Phishing Alert: German Agencies Warn of Advanced Account Hijacking

Government Advisory: Phishing Threat on Signal

German security agencies (BfV and BSI) have issued an alert about a new phishing campaign hitting the Signal messaging app. They say this campaign appears state-backed and is aimed at high-ranking individuals diplomats, military officers, investigative journalists and other senior figures. Notably, no malware or software flaw is exploited; instead, attackers use social engineering combined with Signal’s own features. The advisory notes that the attackers’ goal is to covertly access victims’ private chats (both one-on-one and group) and their contact lists.

The Fake Support Chat Scam

In one version of the attack, scammers pose as Signal’s support or “security” team. They send a realistic-looking alert to the user. Under the threat of alleged account loss, the victim is tricked into revealing their personal Signal PIN or an SMS verification code. Once the attacker has that code, they re-register the Signal account on a device they control and immediately lock out the real user. From there, the attacker gains full control: they can read incoming messages, send new messages as the victim, and harvest the contact list.

QR Code Trick: Linking Your Device

In another version, the attacker exploits the linked device option. The attacker tricks the target into scanning a malicious QR code, which is claimed to be a security check. The result is that the attacker’s device is linked to the target’s account, allowing the attacker to see all their recent conversations. The target is not aware of the linked device, as they are not checking the Signal account’s linked device list. The attacker is aware of the conversations, as they are linked.

Beyond Signal: Threats on Messaging Apps

The German bulletin emphasizes that Signal is not the only target. Any app with similar linking or PIN protections can be abused in the same way. For example, the advisory specifically calls out WhatsApp’s device-pairing and PIN features as vulnerable. Security researchers report that Russian-linked hacking groups (e.g. “Sandworm”) have already used fake QR pairing on Signal and WhatsApp to hijack accounts.

Ukraine’s CERT likewise linked nearly identical phishing schemes to Russian cyber actors targeting WhatsApp. Criminal gangs have even popularized the technique in scams like “GhostPairing,” where victims are lured into pairing an attacker’s device to their WhatsApp account. In every case, the attackers end up with covert access to private chats and contact lists.

Protection Steps: Secure Your Messaging Account

In order to avoid these tricks, it is advisable to follow the following precautions:

• Ignore unsolicited support messages: Never respond to unsolicited support messages claiming to be from the support team of Signal. The support team will never initiate conversations with users. If you receive any unsolicited message claiming to be from the support team, immediately block the account.
• Never share your PIN or SMS code: The PIN and SMS code used to register with the Signal application should not be shared with anyone. The support team will never ask you to share your PIN and SMS code in the application. Sharing these with hackers would be like giving them access to your account.
• Enable Registration Lock (PIN): In the settings of the Signal application, enable the Registration Lock PIN feature. This feature will require the PIN to be entered when registering with the application on any other device, preventing hackers from registering with the application on their devices.
• Review linked devices regularly: Periodically check Settings → Linked Devices in Signal. If you see any unfamiliar devices listed, revoke their access. Removing unknown sessions will immediately cut off any hidden attacker devices.

Following these steps and remaining vigilant about unexpected messages can greatly reduce the risk of an account hijacking on Signal or similar messaging apps.

Conclusion: Secure Messaging Is Still a Human Security Problem

Germany’s warning on Signal account hijacking highlights a modern reality, attackers do not need malware or zero day exploits to access private communications. They only need a believable message, a stolen verification code, or a QR scan that links a hidden device to the victim’s account. 

Why This Threat Matters

This campaign targets high value roles and turns trusted security features into attack paths.

• Fake support chats pressure victims into sharing a Signal PIN or SMS verification code, attackers then re register the account and lock out the user 
• QR based device linking can silently mirror conversations if victims do not review linked devices 

Why Everyone Is Vulnerable

This is not limited to Signal. Any platform with device pairing and account protection flows can be abused the same way. The risk scales because the attacker wins at the moment of trust, before any security tool sees a payload. 

Where Xcitium Changes the Outcome

If you have Xcitium, this attack would NOT succeed.

With Xcitium Cyber Awareness Education and Phishing Simulation in place, QR based deception and fake support pressure lose their leverage because users are trained and conditioned to pause, verify, and refuse high risk requests.

• Suspicious support outreach is treated as a red flag, not an instruction
• PIN and verification code requests are recognized as takeover attempts
• QR pairing prompts are challenged before any device is linked
• The attacker’s advantage disappears at the human decision point 

Protect the Accounts That Protect Everything

Secure messaging fails when verification is socially engineered. Train for the moment attackers exploit, then enforce habits that stop the takeover before it starts.