Germany Accuses Russia of Signal Phishing Attacks Targeting Politicians
Germany's government has accused Russia of orchestrating a large-scale and sophisticated phishing campaign targeting the Signal messenger accounts of high-ranking German officials, with an estimated 300 accounts compromised — including those of government ministers, parliamentarians, military personnel, and journalists. The attacks represent a significant escalation in Russia's ongoing cyber warfare campaign against Western democracies, raising urgent questions about the security of encrypted communications platforms used by government officials across Europe.
German security services detected the campaign in mid-February 2026, with government sources pointing to a "state-controlled cyber actor" as the perpetrator. One of the most prominent publicly identified victims was Julia Klöckner, the President of the German Bundestag, whose compromised phone gave attackers potential access to a Signal group chat including other senior CDU executive board members. The attacks did not break Signal's end-to-end encryption — instead, they exploited the platform's "Linked Devices" feature through sophisticated social engineering, tricking users into scanning malicious QR codes that silently linked their accounts to attacker-controlled devices.
Background
Russia has been accused of conducting a sustained campaign of cyber attacks, disinformation, and hybrid warfare against Western countries, particularly since the full-scale invasion of Ukraine in 2022. Germany, as the largest European provider of military aid to Ukraine, has become a primary target. Previous Russian cyber operations against Germany include the 2015 hack of the Bundestag by the GRU-linked group APT28 (Fancy Bear), which accessed data from multiple parliamentary offices including that of then-Chancellor Angela Merkel. Intelligence agencies have observed a near-tripling of Russian hybrid attacks in 2024-2025, blending cyber intrusions with physical sabotage including energy infrastructure targeting and arson attacks attributed to individuals recruited by Russian intelligence.
The Signal phishing campaign aligns with Russia's formal military doctrine of "information confrontation" — a strategy that integrates technical cyberattacks with psychological operations, propaganda, and disinformation to achieve strategic geopolitical goals without engaging in conventional warfare. The doctrine is executed by a complex ecosystem of state intelligence agencies including the GRU, FSB, and SVR, as well as proxy hacktivist groups that maintain plausible deniability for the Kremlin.
Key Developments
The attack methodology was sophisticated and targeted. Victims received messages on Signal appearing to originate from official platform support, creating a sense of urgency and instructing them to scan a QR code to "secure" their account. Scanning the malicious code activated Signal's Linked Devices feature, granting attackers real-time, persistent access to all past and future messages, the victim's address book, group memberships, and shared media — without the user's knowledge. The attackers could also impersonate victims by sending messages from their accounts, enabling further spread of the campaign.
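A defensive check for the linking step described above, as an added example that is not part of the original article: it classifies the text decoded from a QR code that arrived in a message and blocks device-linking requests. The `sgnl://linkdevice?uuid=...&pub_key=...` URI shape is an assumption not stated in the article, and the function names, lure terms and sample messages are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption (not stated in the article): a Signal device-linking QR code
# carries a URI shaped like sgnl://linkdevice?uuid=...&pub_key=...
LURE_TERMS = ("support", "secure your account", "verify your account")  # constructed


def classify_qr_payload(payload: str) -> str:
    """Classify the text decoded from a QR code."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme == "sgnl":
        params = parse_qs(parts.query)  # drops parameters with empty values
        if parts.netloc.lower() == "linkdevice" and params.keys() >= {"uuid", "pub_key"}:
            return "signal-device-link"
        return "signal-deeplink"
    if scheme in ("http", "https"):
        return "web-url"
    return "other"


def triage(message_text: str, qr_payload: str) -> dict:
    """Return a verdict for a received message that carries a QR code."""
    kind = classify_qr_payload(qr_payload)
    lures = [t for t in LURE_TERMS if t in message_text.lower()]
    if kind == "signal-device-link":
        # A linking code is shown by the device that wants to join the account,
        # so one delivered in a message asks the reader to add someone else's device.
        verdict = "block"
    elif lures:
        verdict = "review"
    else:
        verdict = "allow"
    return {"kind": kind, "lures": lures, "verdict": verdict}


# Constructed sample messages; identifiers and keys are placeholders.
SAMPLES = [
    ("Signal Support: scan this code to secure your account",
     "sgnl://linkdevice?uuid=PLACEHOLDER-UUID&pub_key=PLACEHOLDER-KEY"),
    ("Support desk: verify your account here", "https://example.invalid/help"),
    ("Agenda for Thursday", "https://example.invalid/agenda.pdf"),
    ("Join our group", "SGNL://signal.group/#PLACEHOLDER"),
]

if __name__ == "__main__":
    for text, payload in SAMPLES:
        print(triage(text, payload)["verdict"], "|", text)
```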
The German government's public attribution of the attacks to Russia is a significant diplomatic step, reflecting growing confidence in Western intelligence agencies' ability to identify the source of cyber operations. As Germany's Federal Office for Information Security (BSI) has documented, APT28 and related Russian state actors have been responsible for a series of attacks on German democratic institutions over the past decade.
Why It Matters
The Signal phishing attacks highlight a critical and often overlooked vulnerability: even the most secure encryption is rendered ineffective when the human element is compromised. For UK and Irish politicians and officials who use Signal and similar platforms, the German case serves as a stark reminder of the importance of robust cyber security practices and awareness of social engineering tactics. The attacks also underscore the broader threat posed by Russian cyber operations to European democratic institutions — a threat that has intensified dramatically since the invasion of Ukraine and shows no signs of abating. As the UK's National Cyber Security Centre has warned, state-sponsored phishing campaigns targeting government officials represent one of the most significant and persistent cyber threats facing Western democracies.
Local Impact
For the UK and Ireland, the German case carries direct lessons. Both countries have significant numbers of politicians, civil servants, journalists, and activists who rely on Signal for secure communications, and both have been identified as targets of Russian hybrid operations. The UK's National Cyber Security Centre has previously warned of Russian state-sponsored cyber activity targeting UK political institutions, and the Irish government has been investing in its own cyber security capabilities in response to the growing threat. The incident is likely to prompt a review of cyber security practices among European governments and a renewed focus on protecting the communications of elected officials, with particular attention to the human factors that sophisticated state actors are increasingly exploiting.
What's Next
Germany is expected to raise the issue through diplomatic channels and with European Union partners, and the incident is likely to accelerate EU-wide efforts to strengthen the cyber security of government communications. Signal has previously issued guidance on protecting accounts from linked device attacks, and governments across Europe are expected to issue updated security advisories to officials. The broader question of how democratic institutions can protect themselves against state-sponsored social engineering campaigns — where the target is human trust rather than technical systems — will be a defining challenge for European security services in the years ahead.




