Russian state-sponsored hackers are going after encrypted messaging apps. Not by breaking the encryption itself, but by exploiting the humans using them. Dutch intelligence agencies issued a stark warning this week that operatives linked to Moscow are actively targeting Signal and WhatsApp accounts used by government officials, defense industry workers, and others involved in aid efforts to Ukraine.
The alert comes from the Netherlands’ Military Intelligence and Security Service (MIVD) and General Intelligence and Security Service (AIVD), as reported by Engadget. The agencies specifically identified the threat actors as Russian military intelligence — the GRU — using social engineering tactics rather than sophisticated zero-day exploits. The approach is deceptively simple. Attackers send phishing messages or malicious QR codes that, when scanned, link the victim’s account to a device controlled by the hackers. Once linked, every message the target sends or receives is mirrored in real time to the attacker.
This isn’t theoretical. It’s happening now.
The Dutch warning follows a February advisory from Google’s Threat Intelligence Group, which documented Russian-aligned threat actors abusing Signal’s “linked devices” feature — a legitimate function that lets users access their account across multiple devices. Google’s research identified clusters of activity tied to groups it tracks as UNC5792 and UNC4221, both assessed to be operating in support of Russian intelligence objectives. The technique involves crafting QR codes that appear to be legitimate Signal group invites or device-pairing prompts but actually link the victim’s account to an attacker-controlled device.
Signal responded to Google’s findings by releasing updates that add friction to the device-linking process, including additional authentication steps and notifications when a new device is linked. But the Dutch agencies are making clear the threat extends beyond Signal to WhatsApp and potentially other messaging platforms with similar multi-device features.
The target list is telling. According to the MIVD and AIVD, the hackers are focused on individuals connected to Ukraine-related defense and diplomatic work. That includes government employees, defense contractors, NGO workers, and anyone in the supply chain supporting Ukrainian military efforts. The agencies noted that Russian intelligence services have “a high and continued interest” in Western aid to Ukraine, and compromising the private communications of people coordinating that aid provides significant intelligence value.
So why messaging apps? Because that’s where the real conversations happen. Encrypted messengers have become the default communication channel for sensitive coordination, particularly among officials who understand email isn’t secure enough. Ironically, the trust people place in end-to-end encryption may make them less vigilant about other attack vectors — like a convincing QR code from what appears to be a trusted contact.
The social engineering angle matters. These aren’t brute-force attacks. The GRU operatives are crafting pretexts tailored to their targets, often impersonating known contacts or embedding malicious links within contexts that feel natural. A fake Signal group invite for a Ukraine coordination meeting. A WhatsApp message that appears to come from a colleague. The attacks exploit trust, not code.
And they’re effective. The Dutch agencies wouldn’t issue a public warning if this were a marginal threat. The fact that two separate intelligence services coordinated on this advisory signals genuine concern about the scale and success rate of these operations.
For security professionals and anyone in the target demographics, the mitigation advice is straightforward but bears repeating. Regularly audit linked devices in Signal and WhatsApp settings — if you see a device you don’t recognize, remove it immediately. Don’t scan QR codes received via messages, even from known contacts, without verifying through a separate channel. Enable registration lock and PIN features where available. And treat any unexpected invitation to join a group or link a device with suspicion.
There’s a broader lesson here too. Encryption protects the channel. It doesn’t protect the endpoint. If an attacker can trick you into giving them access to your account, the strongest encryption in the world won’t help. The GRU clearly understands this, and they’re industrializing the approach.
The Dutch advisory also fits a pattern. Western intelligence agencies have grown increasingly vocal about Russian cyber operations over the past year, particularly as the war in Ukraine grinds on and the intelligence stakes around Western military aid continue to rise. The UK’s NCSC, CISA in the United States, and now Dutch intelligence have all issued warnings about Russian targeting of communication platforms and collaboration tools used by government and defense personnel.
One more thing. This isn’t just a government problem. Defense contractors, journalists covering Ukraine, humanitarian workers, and even researchers studying the conflict are all potential targets. If your work touches Ukraine in any meaningful way, assume you’re on someone’s list. Act accordingly.


WebProNews is an iEntry Publication