Russian Hackers Hijack Signal/WhatsApp — Are You Next?
Dutch intelligence agencies AIVD and MIVD say Russian state-linked hackers are conducting a global campaign to take over individual Signal and WhatsApp accounts used by senior officials, military personnel, civil servants, diplomats, journalists and others of interest to Moscow. The agencies report that attackers rely chiefly on phishing and social‑engineering tactics rather than exploiting software vulnerabilities in the messaging platforms.
According to the agencies, the attackers impersonate support staff or a Signal “support” chatbot and message targets with warnings about suspicious activity or alleged data leaks to obtain six‑digit SMS verification codes and Signal PINs. They then use those codes to register a new device or phone number and take control of the account, which can allow them to read current and past messages and join or monitor group chats. Attackers also seek to bind their devices by tricking users into scanning malicious QR codes or clicking links that add a linked device.
The campaign exploits linked‑devices or account‑linking features in both WhatsApp and Signal to add secondary devices such as laptops or tablets, which can permit remote reading of messages while victims remain logged in and unaware. Investigators warned that local chat history on a phone can appear intact after re‑registration, potentially misleading victims about unauthorized access. Compromised accounts have reportedly been renamed or duplicated in group chats, and duplicate or slightly altered identities in groups — or sudden name changes to entries such as “Deleted account” — are cited as signs of takeover.
Dutch officials stressed that the messaging services themselves have not been compromised as platforms and that the campaign targets individual user accounts. The agencies advised that end‑to‑end encrypted apps like Signal and WhatsApp are not appropriate channels for classified or highly sensitive information. They issued a joint cyber advisory urging users to check group memberships for suspicious or duplicate accounts, verify unusual accounts by email or phone, report concerns to organizational IT security teams, remove compromised accounts from groups, and leave and recreate groups if an administrator appears compromised.
Signal’s official support reportedly does not operate through the app; Signal has advised users not to share SMS verification codes or PINs. Meta said WhatsApp tells users never to share six‑digit codes and directed users to help pages on recognizing suspicious messages and on the Linked Devices feature. Dutch government ministries and the Russian embassy in Washington, D.C., did not provide comment in response to requests mentioned in reporting. The specific information sought by the attackers and the full scope of what was accessed remain unclear.
Real Value Analysis
Actionable information: The article does contain actionable items, but they are short and partly implicit rather than full, step‑by‑step instructions. It tells readers that attackers impersonate Signal support chatbots and ask for verification and PIN codes, that attackers can exploit account‑linking features and rename or clone accounts, and that the advice from the agencies is to check group memberships, verify unusual accounts, report concerns to IT, remove compromised accounts from groups, and leave and recreate groups if an admin is compromised. Those are practical concepts, but the article does not give clear, concrete how‑to steps for a typical reader. It does not explain exactly how to spot a fake support chatbot, how to securely verify an account, where to find the verification or PIN flows to turn off or strengthen, or which account‑linking features are risky and how to audit them. It also does not provide sample messages, screenshots, or precise menu paths a user could follow right away. The resources referenced are generic (a joint advisory by the two agencies) but the article does not quote or link to that advisory text with stepwise instructions, nor does it point to vendor guidance from Signal or WhatsApp.
Educational depth: The piece explains the high‑level mechanics: social engineering via impersonation to capture verification and PIN codes, abuse of account‑linking to monitor remotely, and name/duplication tactics to hide among group members. That is useful for understanding what type of attack this is (targeted account takeover by tricking users, not a cryptographic break in the app). However, it stays at a general level. It does not explain how Signal’s or WhatsApp’s security models work, how registration and device linking actually function, what a verification code versus a registration lock/PIN means, or why these apps remain end‑to‑end encrypted despite takeover of an account on a compromised device. There are no diagrams, examples, or deeper analysis of attacker tradeoffs, indicators of compromise, or mitigation effectiveness. Any numbers or claims are qualitative; no statistics, timelines, or scope metrics are offered or explained.
Personal relevance: The information is relevant to anyone who uses Signal or WhatsApp, because account takeover can expose private messages and group memberships. The agencies singled out high‑risk targets (government, military, journalists), but ordinary users are also at risk from impersonation and social engineering. So while the article emphasizes specific groups, the overall threat could affect a broad audience. That said, its practical relevance is uneven: it raises legitimate concerns, but without concrete steps many readers will know they are at risk but not know what to do next beyond vague cautions.
Public service function: The article carries a public safety message: warning about a specific hostile campaign and urging caution with verification/PIN codes and group membership checks. It performs a service by alerting the public and organizational IT teams that this type of social engineering is active. However, the service is limited because it does not provide detailed guidance, checklists, or direct links to official advisories or vendor remediation pages that would let readers act immediately. For readers who need to protect classified or highly sensitive information, the article does note the agencies’ recommendation that Signal and WhatsApp are not appropriate for classified data, which is a clear policy‑level warning.
Practicality of advice given: The recommended actions—check group membership, verify unusual accounts by email or phone, report to IT, remove compromised accounts, leave and recreate groups—are realistic and broadly doable. But the article does not say how to verify an account safely (what questions to ask, which out‑of‑band channels are acceptable), how to safely remove and recreate a group without leaking history or contacts, or how to detect a renamed or duplicated account programmatically. For many readers, “verify by email or phone” raises questions: use a known number, call back on a previously saved number, or use another channel? The lack of detail reduces the practical usefulness for less technical people.
Long‑term impact: The article highlights an important, persistent class of threats: social engineering and account takeover. That lesson has lasting value and should encourage better personal hygiene around verification codes, device linking, and group administration. But because the article does not suggest longer term protective habits (multi‑factor habits beyond app PINs, organizational policies, regular audits of linked devices, or backup and recovery planning), its usefulness for planning and habit change is limited.
Emotional and psychological impact: The article is likely to cause concern, especially for people in the named groups, because it emphasizes targeted compromise and the ability for attackers to read messages and join groups unseen. It offers a small amount of reassurance by clarifying this is an account takeover, not a cryptographic break, but lacks step‑by‑step guidance that would calm readers and empower them to act. That can leave readers alarmed but unsure what to do next.
Clickbait or sensationalism: The article is alarmist in tone because of the subject matter, but it does not appear to use exaggerated or fabricated claims beyond plausibly serious government statements. The focus on “Russian state‑linked hackers” and named target groups draws attention appropriately for the seriousness of the claim, rather than to sell clicks. Still, because it lacks granular guidance, it risks amplifying fear more than constructive action.
Missed teaching opportunities: The article missed several chances to educate readers. It could have explained the difference between verification codes and registration locks/PINs, shown how to check linked devices and active sessions in Signal or WhatsApp, provided exact steps to verify an account safely (call a known number, confirm a code via an independent channel), given sample wording to use when contacting IT, or linked directly to vendor advisories and the AIVD/MIVD joint advisory. It also could have suggested organizational policies about who may use consumer encrypted apps, how to manage group administration, and how to perform regular membership audits.
Concrete, practical guidance the article failed to provide
If you receive an unexpected message on Signal or WhatsApp asking for a verification code or PIN, treat it as suspicious. Do not forward or read a code aloud; do not paste it into a chat. Verification codes and registration locks are meant to be entered only into the app during a setup you initiated. If you did not start a re‑registration or device link, do not enter the code anywhere.
When someone in a group looks different, seems duplicated, or asks unusual questions, verify them out of band before responding or giving them privileges. Use contact methods you already have saved for that person, such as a phone number from your own address book or an email address you have previously used with them. Do not reply to the suspicious account’s messages to verify identity.
Regularly review and manage linked devices and active sessions in your messaging apps. In Signal, check linked devices in the app’s settings and remove any device you do not recognize. In WhatsApp, view linked devices and log out unknown sessions. Make this a habit, for example by checking once a month.
Enable all optional protections the app provides, such as registration locks or passcodes, and use a strong, unique PIN or passphrase for any app lock. Avoid using the same PIN or password across multiple services. Consider protecting your phone itself with a strong device passcode and biometric locks so attackers cannot easily install or read apps if they temporarily access your device.
If you suspect your account is compromised, tell group administrators and your contacts using a known good channel, remove the compromised account from group chats if you can, and leave and recreate sensitive groups if an administrator is compromised. Change any linked accounts or credentials that might be exposed. Report the incident to your organization’s IT security team or the app provider using official support channels available on their website. Preserve any suspicious messages or codes (screenshots or logs) for investigators, but do not circulate them broadly.
For organizations: create simple rules for what can be discussed on consumer encrypted apps and what requires approved channels. Assign clear procedures for verifying that administrators are who they claim to be and for rebuilding groups after compromise. Train staff to never share verification codes and to report suspected social engineering immediately.
Basic risk assessment to apply now: treat requests for codes, PINs, or device links that you did not initiate as very high risk. Treat messages asking to confirm identity by sending a code as malicious unless you have independently confirmed the request. Treat duplicated or slightly renamed accounts within groups as suspicious until verified. These simple heuristics will catch most social engineering attempts without special tooling.
These steps are general safety practices and do not depend on any specific incident detail. They are meant to give you practical, immediate actions you can use to reduce your risk of account takeover and to respond if compromise is suspected.
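For an organization that audits many groups, the membership signs described above (duplicate or slightly altered names, sudden renames, entries such as "Deleted account") can be checked mechanically. The following is an added example, not code from the AIVD/MIVD advisory or from Signal or WhatsApp; it assumes rosters transcribed by hand into name/id records (no export API is assumed), and the function names, similarity threshold and sample members are constructed for illustration.

```python
import unicodedata
from difflib import SequenceMatcher
from itertools import combinations

# The page cites renames to "Deleted account" as a sign of takeover.
PLACEHOLDER_NAMES = {"deletedaccount"}

def skeleton(name):
    """Fold case, accents, spacing and punctuation so cosmetic variants compare equal."""
    decomposed = unicodedata.normalize("NFKD", name).casefold()
    return "".join(c for c in decomposed if c.isalnum())

def audit_group(members, baseline=None, threshold=0.85):
    """Flag roster entries a human should verify out of band.

    members / baseline: lists of {"id": stable identifier, "name": display name}.
    Returns a sorted list of (finding, id, related_value) tuples.
    """
    findings = set()
    for m in members:
        if skeleton(m["name"]) in PLACEHOLDER_NAMES:
            findings.add(("placeholder-name", m["id"], ""))
    # Two different accounts presenting the same or almost the same name.
    for a, b in combinations(members, 2):
        sa, sb = skeleton(a["name"]), skeleton(b["name"])
        if a["id"] == b["id"] or not sa or not sb:
            continue
        if sa == sb:
            findings.add(("duplicate-name", a["id"], b["id"]))
        elif SequenceMatcher(None, sa, sb).ratio() >= threshold:
            findings.add(("near-duplicate-name", a["id"], b["id"]))
    # Same account, different display name since the last audit.
    if baseline:
        previous = {m["id"]: m["name"] for m in baseline}
        for m in members:
            old = previous.get(m["id"])
            if old is not None and old != m["name"]:
                findings.add(("renamed", m["id"], old))
    return sorted(findings)

# Constructed sample data: last month's roster and today's roster of one group.
BASELINE = [
    {"id": "num-001", "name": "Anna de Vries"},
    {"id": "num-002", "name": "Pieter Bakker"},
    {"id": "num-003", "name": "Sanne Jansen"},
]
CURRENT = [
    {"id": "num-001", "name": "Anna de Vries"},
    {"id": "num-004", "name": "Anna de Vries."},   # second account, same name
    {"id": "num-002", "name": "Deleted account"},  # renamed since baseline
    {"id": "num-003", "name": "Sanne Jansen"},
    {"id": "num-005", "name": "Sanne Janssen"},    # slightly altered identity
]

if __name__ == "__main__":
    for finding in audit_group(CURRENT, BASELINE):
        print(finding)
```

Each finding is only a prompt to verify the member through a contact method already on file; a legitimate rename or a shared surname will also be flagged.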
Bias analysis
"Russian state-linked hackers are trying to take over Signal and WhatsApp accounts worldwide, including accounts belonging to Dutch government officials, military personnel, and journalists."
This phrase names a nationality and links it to wrongdoing. It helps readers blame "Russian" actors and frames the threat as state-linked. The wording makes the nationality central so readers see the problem as tied to a nation rather than individuals. That emphasis paints the attackers as a political actor instead of describing the attack in more neutral terms.
"attackers impersonate Signal support chatbots to trick users into handing over verification and PIN codes, allowing the attackers to read messages and join group chats without users’ knowledge."
Calling the action "trick users into handing over" uses a strong verb that highlights deceit. It makes the method sound simple and effective without describing how often it succeeds. That word choice increases fear and may overstate ease of success relative to other phrasing.
"The agencies warned that attackers can also exploit account-linking features to monitor accounts remotely and that hacked accounts may be renamed or duplicated to avoid detection."
Using "can" here implies capability but not frequency. The sentence mixes possible actions and outcomes without saying how likely they are. That phrasing may lead readers to assume these things are common when the text does not provide evidence of scale.
"AIVD leadership stressed that the campaign targets individual user accounts rather than vulnerabilities in the messaging apps themselves."
This contrasts "individual user accounts" with "vulnerabilities" in apps. The structure shifts blame away from the software and onto users. The phrasing protects the apps' reputation by emphasizing the attackers target people, which favors the apps and downplays systemic app risks.
"MIVD leadership advised that end-to-end encrypted apps like Signal and WhatsApp are not appropriate for classified or highly sensitive information."
Saying they are "not appropriate" is a strong categorical statement presented as advice from leadership. It frames encrypted apps as insufficient for sensitivity without giving nuance or exceptions. That absolute-sounding language pushes a precautionary stance and helps institutions favor different channels.
"A joint cyber advisory from the AIVD and MIVD urged users to check group memberships for suspicious or duplicate accounts, verify unusual accounts by email or phone, report concerns to organizational IT security teams, remove compromised accounts from groups, and leave and recreate groups if an administrator appears compromised."
This long list gives many concrete steps and emphasizes organizational responses. The order and detail make personal and institutional vigilance the clear solution, directing responsibility to users and organizations. The phrasing centers procedural fixes and implies the advice is sufficient, without noting possible limits or burdens.
Emotion Resonance Analysis
The text carries a clear underlying emotion of concern and urgency. Words and phrases such as “trying to take over,” “trick users,” “handing over verification and PIN codes,” “read messages,” “join group chats without users’ knowledge,” “exploit,” “hacked accounts,” and “compromised” all convey a strong sense of threat and danger. This fear-oriented language is prominent throughout and serves to warn readers that their private communications and accounts are at real risk. The strength of this emotion is high: the repeated focus on takeover, deception, and compromise signals a serious and active campaign, not a minor or theoretical vulnerability. Its purpose is to create alertness and caution; readers are led to feel worried enough to pay attention to the advisory and follow recommended actions.
Closely tied to concern is an emotion of distrust directed at the attackers and a cautionary stance toward the security of certain tools for sensitive use. Descriptions of attackers “impersonat[ing] Signal support chatbots” and “renamed or duplicated” accounts foster suspicion of unexpected contacts and account changes. The explicit advice from intelligence leadership that “end-to-end encrypted apps like Signal and WhatsApp are not appropriate for classified or highly sensitive information” injects a sober, distrustful tone about relying on these apps for the most critical communications. This distrust is moderate to strong: it balances technical reassurance (apps themselves are not being exploited) with a stern warning about user-level risk. Its function is to shift readers from complacency to prudent skepticism, encouraging them to limit sensitive use and take protective steps.
The text also conveys authority and control through the presence and actions of official bodies, which produces an emotion of reassurance mixed with seriousness. Phrases noting confirmation by “Dutch intelligence agencies,” and the joint “cyber advisory from the AIVD and MIVD,” together with concrete recommended steps, project competence and organized response. This reassurance is moderate: while the warnings are severe, the clear involvement of official agencies and the provision of specific advice give readers a sense that the problem is understood and being managed. The purpose of this emotion is to build trust in the information and prompt compliance with recommended actions by showing that experts are monitoring and guiding the response.
There is an implicit anger or condemning stance toward the attackers. Descriptions that emphasize deliberate deception—“impersonate,” “trick,” “exploit”—cast the hackers’ actions as malicious and blameworthy. This emotion is subtle but present and of low to moderate intensity; it frames the attackers negatively to justify defensive measures and to rally readers to view the campaign as unacceptable. The function of this sentiment is to morally mobilize readers to support protective behavior and to accept restrictions on app usage for sensitive matters.
The text also contains a pragmatic, instructive tone that evokes determination and action. The advisory’s list of steps—checking group memberships, verifying accounts, reporting concerns, removing compromised accounts, leaving and recreating groups—communicates purposeful guidance and encourages proactive behavior. This determination is moderate and practical rather than emotional; it is meant to move readers from worry into concrete action by offering clear, doable responses. The effect is to channel initial alarm into productive steps readers can take to secure accounts.
The writer uses several emotional framing tools to strengthen these feelings. Repetition appears in the continual restatement of risk: takeover, deception, exploitation, and compromise are mentioned in multiple ways, reinforcing the threat and sustaining a heightened emotional response. Specific action verbs—“impersonate,” “trick,” “exploit,” “monitor,” “rename,” “duplicate”—are chosen over neutral nouns, making the danger feel active and immediate rather than abstract. Authority is leveraged by citing official agencies and their leadership, which shifts the reader’s emotional response from mere curiosity to trust in the warning. Contrast is used when the agencies stress that the campaign “targets individual user accounts rather than vulnerabilities in the messaging apps themselves,” a distinction that tempers alarm about software flaws while keeping focus on user-level danger; this comparison shapes emotions by narrowing fear to a controllable domain. The text avoids personal stories, instead relying on concrete procedural advice; this choice channels emotions from anxiety into methodical response. Overall, these tools increase the emotional impact by making the threat vivid, credible, and actionable, steering the reader toward vigilance and compliance with the security recommendations.

