Russian Cybercriminals Targeting WhatsApp and Signal

Dutch intelligence services have issued a warning about a widespread social engineering campaign that appears to be targeting encrypted messaging accounts on WhatsApp and Signal. According to the alert, the campaign is global in scope and has already yielded successful compromises.

The operation reportedly involves a mix of phishing, SIM‑swap fraud and account‑takeover tactics designed to intercept verification codes or trick users into handing over access. Attackers focus on both individual users and business accounts, exploiting common recovery flows that rely on SMS or one‑time codes.

Security experts note that while WhatsApp and Signal use end‑to‑end encryption for message contents, account authentication remains a potential weak point. If an attacker controls the phone number tied to an account, they can often re‑register the messaging client and receive messages and codes intended for the rightful owner.

Recommended defenses include enabling platform‑specific protections such as Signal’s PIN and WhatsApp’s two‑step verification, avoiding SMS‑only recovery where possible, and being wary of unsolicited requests for verification codes. Users are also advised to monitor mobile carrier accounts for signs of SIM changes and to use carrier‑level security features like PINs or account passwords.

Enterprises are urged to audit onboarding and recovery processes that rely on phone numbers, move toward non‑SMS multi‑factor authentication methods, and provide staff training on social engineering tactics. Carriers, too, play a role by strengthening their processes for porting numbers and responding to fraud reports.

As this campaign evolves, messaging platforms, mobile operators and end users will need to harden authentication flows to prevent attackers from turning secure messaging apps into a vector for account takeover and broader fraud.