ANALYSIS: When Moscow Reads Your Messages — Signal and WhatsApp Compromised by Russian Hackers
APT — three letters that send a chill down your spine
In cybersecurity terminology, the acronym APT—short for Advanced Persistent Threat—refers to groups of hackers whose sophistication, resources, and patience far exceed what is typically associated with ordinary cybercrime. These groups aren’t out to empty bank accounts. They aren’t motivated by the lure of immediate financial gain. Their mission is longer-term, more patient, and more terrifying: to infiltrate, monitor, collect information, and sometimes destabilize. The best-known Russian groups operating under these designations include APT28 (also known as Fancy Bear, linked to the GRU, Russia’s military intelligence agency) and APT29 (also known as Cozy Bear, linked to the FSB, the successor to the KGB). These entities have already been implicated in operations targeting U.S. elections, European government ministries, public health organizations in the midst of a pandemic, and now personal encrypted communication accounts.
What has been documented in this new wave of attacks is not a technical breach of Signal’s or WhatsApp’s encryption protocols per se. The encryption algorithms remain, on paper, robust. What the hackers exploited is something far more difficult to patch: human behavior. In particular, the multi-device functionality offered by these apps—the ability to link one’s account to multiple phones or computers simultaneously. By manipulating victims into unwittingly granting a hacker-controlled device access to their conversations, the attackers bypassed the encryption without ever needing to break it. It’s Machiavellian in its elegance.
Even the strongest encryption in the world is worthless if you can convince the user to open the door themselves. That is the lesson Moscow has just taught the entire world—and that lesson comes at the cost of burned sources, exposed lives, and ruined investigations.
The modus operandi revealed by the Netherlands
The Dutch alert, reported by several international media outlets including The Hindu, describes a precise and formidable modus operandi. Victims received fraudulent links designed to mimic the legitimate interfaces of Signal or WhatsApp. These links, sent under the guise of group invitations, security updates, or requests for technical support, prompted targets to scan malicious QR codes. But in both targeted apps, scanning a QR code is precisely the mechanism used to link a new device to an existing account. By tricking the victim into scanning this code, the hackers instantly gained full mirror access to conversations—past, present, and future. All of this happened without the user receiving a single suspicious notification, alert, or warning. In absolute silence.
The Targets: Who Does Moscow Want to Listen to?
Profiles That Reveal a Strategy
The list of targeted profiles cited in the Dutch alert is not insignificant. In fact, upon closer inspection, it reveals a coherent and methodical intelligence doctrine. Government officials are, of course, at the top of the list of priority targets—foreign ministries, defense agencies, and security policy coordinators. These are classic, expected targets—ones that could almost be described as routine in the world of cyberespionage. But the explicit inclusion of journalists on the list of targeted victims reveals something deeper and, in a way, even more troubling. By targeting journalists, Russian operators are not merely seeking to obtain raw information. They are seeking to identify sources. To map out networks of contacts. To understand how information circulates even before it is published, so they can neutralize it, counter it, or divert it.
We need to understand what this means in practical terms. A journalist whose Signal account is compromised does not merely lose their privacy. They lose the ability to protect their sources—those people who trust them, sometimes at the risk of their own safety, to pass on information in the public interest. A whistleblower in Russia, Belarus, or any other authoritarian context who contacts a journalist via Signal believing they are protected may find themselves exposed without even knowing it. The consequences could be imprisonment. They could be worse. This is not alarmism. It is the documented reality of what the FSB does to those it identifies as threats.
When journalists are targeted, it’s not just individuals who are targeted. The very possibility of truth is targeted. The ability of democratic societies to tell themselves what is really happening in the world is under attack.
The Strategic Expansion of the Attack Surface
What also emerges from the analysis of these attacks is the deliberate expansion of the attack surface. Russia no longer focuses solely on the most obvious and best-protected targets—those with dedicated cybersecurity teams, classified communication protocols, and hardened devices. It now targets these individuals’ personal communications—the conversations they have on their personal phones, outside of official channels. That’s where defenses are down. That’s where the most valuable information sometimes circulates: an informal remark about a decision in the works, the sharing of a sensitive document among trusted colleagues, or last-minute coordination before an official meeting. The Netherlands is likely not the only country to have detected these activities. It may simply be the first to have chosen to speak about them publicly.
The Mechanics of Compromise — How They Get In
The QR Code as a Trojan Horse
Understanding the precise mechanics of these attacks is essential to grasping just how harmful they are. Both Signal and WhatsApp allow users to link an existing account to new devices by scanning a QR code. This feature is legitimate, convenient, and widely used—particularly for accessing messages from a desktop computer. The process is designed to be simple: you open the app on your phone, go to settings, select “Linked Devices,” and scan the QR code displayed on the screen. Simple, seamless, intuitive. It is precisely this simplicity that hackers have turned into a weapon. By generating their own QR codes—codes that, once scanned, link the victim’s account to a device under their control—they’ve used the security feature as a vector for intrusion. The irony is chilling.
The distribution methods for these malicious QR codes were many and varied. These included fake invitations to Signal groups, designed to look exactly like legitimate invitations, and phishing messages mimicking official communications from government organizations or NGOs. Fraudulent web pages faithfully replicating the Signal Desktop interface, asking users to scan a code to “verify their identity” or “secure their account.” In every case, the graphical and contextual sophistication of these decoys was high enough to deceive individuals who were otherwise trained in digital vigilance. This detail is important: these attacks did not target naive people or those unfamiliar with technology. They targeted seasoned professionals. And they worked.
There is no shame in falling for an operation designed by state intelligence services with unlimited resources and decades of expertise. The shame, however, lies with those who fund these operations from the Kremlin.
Silent persistence—the trap that remains open
Once access is gained via the fraudulent QR code, the compromise is silent and persistent. The app on the victim’s phone continues to function normally. Messages are displayed, sent, and received. Nothing is disrupted. Nothing indicates the intrusion. Meanwhile, on the hackers’ device, every incoming and outgoing message is duplicated in real time. Access only stops if the victim manually checks their list of “linked devices” and revokes any unrecognized access—a check that the vast majority of users never perform, or perhaps once a year at best. This means that some of the compromises documented in this Dutch alert may have lasted for weeks, or even months, before being detected. Imagine the volume of information collected silently during all that time.
Signal Under Pressure — The Response from a Cult Classic
A Trust-Based Security Model—and Its Limitations
Signal is the darling app of the digital privacy community. Endorsed by Edward Snowden and used by security researchers, lawyers, activists, and investigative journalists around the world, it has become a symbol of resistance against mass surveillance. Its source code is open source—open to public scrutiny—and its encryption protocol is universally recognized as one of the strongest in existence. What this attack reveals is not a weakness in its encryption. It is not a breach in its code. It is a limitation inherent in any security system that relies on human action: multi-device functionality, however legitimate and useful it may be, creates an attack surface that social engineering can exploit. And social engineering is precisely the arena in which Russian intelligence services have excelled for decades.
It would be unfair to hold the Signal Foundation entirely responsible for these compromises. The app, in fact, responded quickly to these revelations by strengthening its alerts for newly linked devices and improving the visibility of device management within its interface. But the question remains: in a world where state actors have virtually unlimited resources to design highly targeted phishing operations, no app—no matter how well-designed—can guarantee absolute security if the user does not maintain active and constant vigilance. This is an immense burden to place on individuals whose primary job is not cybersecurity.
Signal hasn’t failed. It’s our conception of digital security that has failed—that comfortable belief that technology can substitute for vigilance, that the app can think for us, that the digital padlock can replace human judgment.
The Impossible Balance Between Usability and Security
The multi-device feature is not a superfluous luxury. It meets a real, documented, and widespread need. Journalists work simultaneously on their phones and computers. Government employees need to access their communications from multiple devices. Researchers finalize their work on dedicated machines. Removing this feature in the name of security would render the app unusable for a large portion of its most legitimate users—and push them toward less secure alternatives. This is the classic trap of “security through inconvenience”: the more you make something difficult to use, the more people seek workarounds that further compromise their security. The challenge, therefore, is to make securing this feature as intuitive and transparent as possible, without removing it.
WhatsApp and the Meta ecosystem in turmoil
Two billion users, one vulnerability
While Signal is the app of choice for digital security experts, WhatsApp is the app of the global general public. Two billion active users. Entire governments coordinating their actions via WhatsApp groups. Lawmakers exchanging draft legislation. Embassies communicating with their citizens. NGOs organizing their humanitarian work in the field. The compromise of government officials’ WhatsApp accounts by Russian hackers is not just a threat to the individuals involved. It is a threat to the integrity of entire decision-making processes. And the vulnerability exploited here is structurally identical to that of Signal: the WhatsApp Web feature, which also relies on a QR code scanning mechanism to link new devices. The attack surface differs in scale—it is astronomically larger—but the exploitation vector is the same.
What sets WhatsApp apart from Signal in this context is the nature of its users. Signal is primarily adopted by people who already have a culture of digital security—they’ve heard of end-to-end encryption, and they generally understand why this app is preferable to others. WhatsApp users, on the other hand, are often far less aware of these issues. They use the app because everyone else does. They don’t think in terms of attack vectors or malicious QR codes. This lack of digital literacy makes them considerably more vulnerable to the sophisticated phishing techniques that Russian hackers have deployed.
There is something profoundly unequal about this digital war: the attackers have years of training, entire teams, and all the time in the world. The victims, on the other hand, have just a phone and the naive belief that the app takes care of their security for them.
Meta and the Question of Institutional Responsibility
Meta, WhatsApp’s parent company, was quick to respond to the Dutch revelations by pointing out that its app’s end-to-end encryption remains intact—which is technically accurate but politically unsatisfactory. The question isn’t whether the encryption works. The question is whether Meta is doing enough to protect its users from social engineering techniques that bypass this encryption. More visible alerts when linking new devices, mandatory two-factor authentication for this process, and real-time notifications for any access from an unrecognized device: these are all measures that cybersecurity experts have long been calling for. Pressure from official government warnings, such as those from the Netherlands, could finally accelerate these improvements. Cynicism, however, compels us to note that this external pressure has often been necessary to get major platforms to take action.
Russia's Hybrid War — Cyberspace as a Permanent Battlefield
A well-documented, systematic, and openly embraced doctrine
To fully understand this operation, it is essential to view it within the broader context of Russia’s hybrid warfare doctrine. This doctrine, developed and theorized within the Russian military and intelligence apparatus since at least the 2000s, is based on a fundamental principle: adversaries can be weakened, destabilized, and influenced without direct recourse to conventional military force. Cyberwarfare, disinformation, influence operations, economic sabotage, and digital espionage constitute the instruments of a permanent war, waged below the threshold that would trigger a direct military response. General Valery Gerasimov, Chief of the General Staff of the Russian Armed Forces, articulated this vision in an article that has become famous as the “Gerasimov Doctrine,” although this label oversimplifies a more complex reality. What is certain is that Russia treats the digital domain as a permanent strategic battlefield—not as a last resort, but as a space for daily engagement.
This operation against Signal and WhatsApp is part of a long list of documented operations attributed to Russian groups: the hacking of the U.S. Democratic Party in 2016; the devastating cyberattacks against Ukrainian infrastructure before and during the 2022 invasion; the intrusion into the British Electoral Commission’s computer systems; repeated attempts against European institutions; and disinformation campaigns via networks of fake social media accounts. Each time, the same logic applies: to undermine, divide, and weaken democratic societies from within, exploiting their openness and freedoms as vulnerabilities.
Russia isn’t trying to win a war in a single day. It seeks to wear down our democracies, erode our trust in our institutions, and sow doubts about our own systems—one intercepted message at a time, one network of sources destroyed at a time, one election undermined at a time.
The Ukraine Context as a Catalyst
It would be naïve not to note that the intensification of Russian cyberespionage operations targeting personal communications coincides exactly with the escalation of the conflict in Ukraine and the increase in Western support for Kyiv. Since the start of the full-scale invasion in February 2022, the flow of sensitive information between Western allies has skyrocketed. Emergency meetings are coordinated, arms shipments are organized, and strategies are discussed—sometimes, inevitably, through less formal communication channels than official encrypted lines. Government officials who use Signal or WhatsApp to coordinate responses to the Russian invasion are targets of obvious strategic interest to Moscow. Compromising these communications could potentially allow Moscow to anticipate decisions, identify internal divisions within allied coalitions, or pinpoint key actors to influence.
The Netherlands is sounding the alarm—why now?
A Political Decision, Not Just a Technical One
Issuing a public alert of this kind is never a trivial decision for a government. Intelligence and cybersecurity agencies typically gather information on adversarial operations over long periods before deciding whether to make them public. Several factors go into this calculation: not revealing one’s own detection capabilities, protecting ongoing operations, and not compromising sensitive intelligence partnerships. When a country decides nonetheless to issue an official alert, it is generally because the threat is deemed serious and widespread enough that raising public awareness outweighs these operational considerations. The Dutch NCSC—the National Cyber Security Center of the Netherlands—obviously weighed these factors before issuing its statement. The decision to do so indicates that the scale of the detected compromises was sufficient to justify the political risk of explicitly pointing the finger at Russia.
The unique institutional context of the Netherlands must also be taken into account. As the host country of the International Criminal Court, the International Criminal Tribunal for the Former Yugoslavia, and the OPCW, The Hague has long been a priority target for Russian intelligence operations. In 2018, the Dutch Military Intelligence Service (MIVD) had already foiled an attempt by Russian GRU agents to conduct physical espionage against the OPCW. The Netherlands therefore has direct and painful experience with Russian methods—and it has clearly decided that public transparency was an appropriate response to this new digital escalation.
The Netherlands did not merely issue a technical warning. They took a strong political stand. They said, clearly, to the world: we know what you’re doing, and we refuse to remain silent.
The Alert and Its Practical Limitations
As important and courageous as it is, the Dutch alert faces significant practical limitations. It informs professionals who are already aware of the issue—cybersecurity experts who will read about it in specialized publications, and government officials who will receive memos from their superiors. But it struggles to reach the millions of ordinary Signal and WhatsApp users who do not read NCSC bulletins and do not know what a “linked device” is. Mass awareness remains the weak link in any cybersecurity strategy—a structural problem that governments readily acknowledge but struggle to resolve effectively. Issuing alerts is not enough. The platforms themselves must take responsibility and proactively strengthen their protective measures.
Journalists in the Crosshairs — An Attack on a Free Press
Protecting Sources: An Absolute Necessity
The deliberate targeting of journalists in this operation deserves special attention and explicit condemnation. The protection of journalistic sources is not a professional privilege or a union demand. It is a fundamental principle of any functioning democracy. Whistleblowers can only provide information in the public interest if they are certain that their identities will be protected. Investigative reporters in conflict zones can only work with the assurance that their local contacts will not be exposed. Journalists covering authoritarian regimes can only operate if their communications remain out of reach of repressive agencies. When a state intelligence operation targets journalists’ personal communications, it directly undermines this fundamental mechanism. It does not merely target individuals; it targets the entire ecosystem of a free press.
The implications are immense and often underestimated in media coverage of these events. A journalist whose Signal account is compromised while investigating sensitive topics related to Russia—oligarch corruption, human rights violations in Ukraine, disinformation networks—may not only see their investigation exposed before publication; they may also see their sources identified and put at risk. In some contexts, this can mean arrest, arbitrary detention, or worse. This is not alarmist speculation. It is the documented result of similar compromises in authoritarian contexts. Russia uses information obtained by its intelligence services to target journalists and dissidents—a fact established by press freedom organizations such as Reporters Without Borders and the Committee to Protect Journalists.
Every compromised journalist’s Signal account is a potentially compromised source, a potentially sabotaged investigation, a potentially suppressed truth. Those who order these operations know exactly what they are doing. And that is precisely why they do it.
Silence as a Weapon of Preventive Censorship
There is an often-overlooked aspect to the analysis of these operations: their deterrent effect. Even without active compromise, the mere awareness that one’s personal communications may be monitored by foreign intelligence services is enough to alter behavior. Potential sources hesitate to make contact. Journalists self-censor their messages, even private ones. Government officials avoid transmitting certain information electronically. This effect of paralysis and self-censorship is, in a way, just as valuable to Russian operators as the concrete information they may collect. A press that self-censors out of fear of surveillance is a less effective press—and that is exactly the desired result.
Institutional Responses—Between Urgency and Inertia
NATO and the EU Confront the Cyber Threat
The Dutch warning does not come out of an institutional vacuum. NATO officially recognized cyberspace as a full-fledged operational domain at the 2016 Warsaw Summit and has since developed significant collective cyber defense capabilities. NATO’s Cooperative Cyber Defense Center of Excellence, based in Tallinn, Estonia, regularly produces analyses and recommendations on cyber threats posed by state actors. The European Union, for its part, has strengthened its regulatory framework with the NIS2 Directive and the European Union Agency for Cybersecurity (ENISA). These structures exist, they function, and they produce useful intelligence. But they struggle to delve into the personal communications of millions of individuals—this is structurally outside their mandate and capabilities.
The most directly actionable institutional response remains one that involves the technology platforms themselves. Diplomatic pressure on Meta and the Signal Foundation to strengthen their defenses against attacks via linked devices is likely more effective in the short term than government cybersecurity programs that will take years to take effect. The problem is that such pressure sometimes conflicts with other objectives—notably the requests for access to encrypted communications that certain governments themselves make to the platforms in the name of national security. This presents a fundamental contradiction that few policymakers are willing to acknowledge publicly.
Governments cannot simultaneously demand that platforms weaken their encryption for their own security services and complain that foreign services are exploiting those vulnerabilities. Consistency demands a choice: either we defend strong encryption for everyone, or we accept that everyone—including adversaries—can exploit it.
The Limits of a Purely Technical Response
When faced with technical threats, there is a natural temptation to seek exclusively technical solutions. Improving alerts, strengthening two-factor authentication, developing mechanisms to detect suspicious devices, and training users to regularly check their linked devices: all these measures are useful, necessary, and must be implemented. But they are not enough. Because the threat is not fundamentally technical—it is human. The Russian hackers did not break an algorithm. They tricked humans. And as long as humans have to make decisions—scanning a code, clicking on a link, granting access—there will be an exploit vector available to actors who are patient, sophisticated, and well-funded enough to design convincing decoys. The response must therefore be as much about culture and education as it is about technology. A culture of digital hygiene—as systematic and ingrained as physical security protocols in government agencies—is the only truly robust defense in the long term.
What Everyone Should Do Right Now
Practical Steps to Protect Yourself
Faced with such a well-documented and serious risk, there are a few concrete steps that anyone using Signal or WhatsApp in a sensitive professional context should take. The first and most immediate step: check the list of devices linked to your accounts right now. On Signal, this option is found under Settings → Linked Devices. On WhatsApp, it’s under Settings → Linked Devices. If you see a device you don’t recognize, revoke its access immediately. This check should become a routine one—weekly for professionals at risk, monthly at a minimum for everyone else. The second step: enable Registration Lock on Signal, which requires an additional PIN to link a new device. This feature exists but is underutilized. It likely would have prevented several of the compromises documented in the Dutch alert.
The third measure, perhaps the most important: cultivate a culture of systematic skepticism toward any unsolicited request to scan a QR code. No legitimate organization will ask you to scan a QR code received via message to “secure” or “verify” your account. Given the current threat landscape, this type of request is almost certainly a phishing attempt. If you have any doubts, do not scan the code. Contact the purported sender directly through its verified official channels. This simple rule, once internalized and applied systematically, is the most effective defense against the techniques documented in this alert. The fourth measure: enable two-factor authentication (2FA) on these apps, using a PIN separate from the one on your phone. And finally, for journalists and professionals at risk: consider compartmentalizing—using dedicated devices for the most sensitive communications, separate from personal devices.
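The mechanics described in "The Mechanics of Compromise" and the countermeasures listed in the steps above, as an added example that is not Signal's or WhatsApp's code: a constructed model in which a scanned QR payload links a device that then receives a copy of every message, with a PIN gate standing in for the lock the column recommends, a visible alert on the primary device, and the routine audit that revokes anything unrecognised. Device names, PINs and messages are made up.

```python
# Added example (not Signal's or WhatsApp's code): a constructed model of the
# linked-device flow and of the defences the column lists. Names, PIN and
# message text are made up; the PIN gate stands in for the link-time lock.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Device:
    """One endpoint holding a copy of the account's conversations."""
    name: str
    messages: List[str] = field(default_factory=list)


class Account:
    """A messaging account: one primary phone plus any linked devices."""

    def __init__(self, owner: str, link_pin: Optional[str] = None):
        self.owner = owner
        self.primary = Device("owner's phone")
        self.linked: Dict[str, Device] = {}
        self.alerts: List[str] = []          # what the primary device shows the user
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._derive(link_pin) if link_pin else None

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def link_device(self, qr_payload: dict, pin_entered: Optional[str] = None) -> bool:
        """Called when the owner scans a QR code. The code names the device that
        wants to be linked; whoever generated it receives every message from
        now on. That is the whole attack surface: no encryption is broken."""
        if self._pin_hash is not None:
            # A deliberate extra step that a QR scan alone does not satisfy.
            if pin_entered is None or not hmac.compare_digest(
                self._derive(pin_entered), self._pin_hash
            ):
                self.alerts.append(f"Link attempt for '{qr_payload['name']}' rejected: no valid PIN")
                return False
        dev = Device(qr_payload["name"])
        self.linked[qr_payload["device_id"]] = dev
        # The visible alert on the primary device is the countermeasure the column asks for.
        self.alerts.append(f"New linked device: {dev.name}")
        return True

    def send(self, text: str) -> None:
        """Every linked device receives every message: 'mirror access'."""
        for dev in (self.primary, *self.linked.values()):
            dev.messages.append(text)

    def audit(self, recognised: Set[str]) -> List[str]:
        """The routine check: revoke any linked device the owner does not recognise."""
        revoked_ids = [did for did, d in self.linked.items() if d.name not in recognised]
        return [self.linked.pop(did).name for did in revoked_ids]


# Constructed QR payloads. Both look identical to the scanner; only the origin differs.
OWN_LAPTOP = {"device_id": "d-1", "name": "Signal Desktop (work laptop)"}
PHISH_QR = {"device_id": "d-2", "name": "Signal Desktop"}   # device the attacker controls


def without_pin() -> dict:
    """No link-time PIN: the decoy scan succeeds; only the audit stops the leak."""
    acct = Account("reporter")
    acct.link_device(OWN_LAPTOP)
    acct.link_device(PHISH_QR)                  # victim scans the decoy; nothing blocks it
    acct.send("source meets at 9, bring the documents")
    leaked = acct.linked["d-2"].messages         # attacker's copy of the conversation
    revoked = acct.audit({"Signal Desktop (work laptop)"})
    acct.send("sent after the audit")            # revoked device no longer receives anything
    return {
        "leaked": list(leaked),
        "revoked": revoked,
        "still_leaking": "sent after the audit" in leaked,
        "alerts": acct.alerts,
    }


def with_pin() -> dict:
    """Link-time PIN enabled: the owner's own laptop links; the decoy scan is refused."""
    acct = Account("reporter", link_pin="4821")
    acct.link_device(OWN_LAPTOP, pin_entered="4821")
    attacker_linked = acct.link_device(PHISH_QR)  # decoy flow cannot supply the PIN
    acct.send("source meets at 9")
    return {"attacker_linked": attacker_linked, "linked_count": len(acct.linked), "alerts": acct.alerts}
```

The `alerts` list is the point of the model: in the scenario the column describes, the victim's phone showed nothing, and the audit was the only thing that could catch the extra device.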
Cybersecurity isn’t just for computer scientists and spies. It concerns every journalist who protects a source, every public official who coordinates a sensitive policy, and every citizen who refuses to let their private conversations become the property of a foreign authoritarian regime. The first act of resistance is to check your connected devices. Now.
The Responsibilities of Employers
The burden of digital hygiene cannot rest solely on individuals. Organizations that employ journalists, civil servants, researchers, or any other professionals likely to be targeted have a clear institutional responsibility. Regular training on phishing threats and best practices for secure communications. Clear protocols defining what types of information can be shared via which platforms. Access to cybersecurity resources for employees whose personal phones are used for work purposes. Rapid response procedures in the event of a suspected breach. These measures exist in large government agencies and major corporations—but they are often absent or insufficient in newsrooms, small NGOs, and law firms specializing in human rights. Yet it is often these actors that Russian intelligence services target first.
Conclusion: Democracy is also defended right in your pocket
A Threat That Goes Beyond Technology
This hacking operation targeting Signal and WhatsApp by Russian-backed hackers—documented and exposed by the Netherlands—is far more than just another cybersecurity incident to add to an ever-growing list. It is a wake-up call. A wake-up call to the fragility of our communication tools at a time when Russia’s hybrid warfare is reaching operational maturity. It reveals the yawning gap between the sophistication of the threats and the response of the individuals and organizations that are their targets. It reveals the persistent naivety with which our societies cling to the illusion that technology can protect us without us having to make the slightest effort to stay vigilant. And it is a sign—perhaps the most troubling one—of how a free press and democratic communication have become full-fledged targets of war—not collateral damage, but deliberately targeted strategic objectives.
The response to this threat cannot be solely defensive and reactive. It must be structural. It requires that technology platforms fully assume their responsibility to protect their users—not just on paper in their privacy policies, but in the concrete design of their interfaces and security mechanisms. It requires allied governments to share intelligence on these threats more extensively and coordinate their responses with a level of coherence that Russian operations lack. It requires media and human rights organizations to invest in the training and digital infrastructure of their teams with the same seriousness they apply to their other resources. And it requires each of us—ordinary users of messaging apps—to practice a minimum of active digital hygiene—not out of paranoia, but out of basic civic responsibility.
Democracy isn’t defended only at the ballot box and in parliaments. It’s also defended in your phone’s settings. It’s defended in the decision to check your connected devices. It’s defended in the refusal to scan a suspicious QR code. Small actions, on a large scale, that make the difference between a society that allows itself to be infiltrated and one that resists.
The last line of defense—and it’s up to us
Ultimately, this is the story of a war being waged without a formal declaration, without recognizable uniforms, without mapped front lines. A war whose battlefields lie in every civil servant’s pocket, in every journalist’s phone, and on the servers of every app we use daily. Russia realized before we did that this war was decisive. It is investing in it massively, methodically, and patiently. The question is no longer whether we will have to defend ourselves in this arena—that much is obvious. The question is whether we will finally treat this threat with the seriousness it deserves, or whether we will continue to lament security breaches after the fact, send out technical alerts that no one reads, and hope that the next victims will be more vigilant. The alert from the Netherlands is a gift. Use it.
Signed, Jacques Pj Provost
Columnist’s Transparency Box
Editorial Stance
I am not a journalist, but a columnist and analyst. My expertise lies in observing and analyzing the geopolitical, economic, and strategic dynamics that shape our world. My work consists of dissecting political strategies, understanding global economic trends, contextualizing the decisions of international actors, and offering analytical perspectives on the transformations that are redefining our societies.
I do not claim to possess the cold objectivity of traditional journalism, which is limited to factual reporting. I strive for analytical clarity, rigorous interpretation, and a deep understanding of the complex issues that affect us all. My role is to make sense of the facts, situate them within their historical and strategic context, and offer a critical analysis of events.
Methodology and Sources
This text respects the fundamental distinction between verified facts and interpretive analysis. The factual information presented comes exclusively from verifiable primary and secondary sources.
Primary sources: official communiqués from governments and international institutions, public statements by political leaders, reports from intergovernmental organizations, and dispatches from recognized international news agencies (Reuters, Associated Press, Agence France-Presse, Bloomberg News, Xinhua News Agency).
Secondary sources: specialized publications, internationally recognized news media, analyses from established research institutions, reports from sector-specific organizations (The Washington Post, The New York Times, Financial Times, The Economist, Foreign Affairs, Le Monde, The Guardian).
The statistical, economic, and geopolitical data cited are sourced from official institutions.
This content was created with the help of AI.