Russian Hackers Are Silently Reading Your WhatsApp Messages Right Now

Hello, Mauven here.

Yesterday, the Netherlands' two principal intelligence agencies issued a formal public warning. The AIVD, their domestic security service, and the MIVD, their military intelligence counterpart, confirmed that Russian state-sponsored hackers are running what they describe as a large-scale global campaign to compromise Signal and WhatsApp accounts.

Targets include government officials, military personnel, diplomats, and journalists. Dutch government employees have already been affected. Sensitive information has likely already been accessed.

I want to explain precisely why this matters to your small business.

The Attack Does Not Break the Encryption

This is the most important thing to understand first.

Signal and WhatsApp have robust end-to-end encryption. That encryption has not been broken. The apps themselves have not been compromised. Russian hackers did not find a backdoor into the platform.

They found a much simpler route. They went through the person holding the phone.

As AIVD Director-General Simone Smit stated in the official advisory: "It is not that Signal or WhatsApp as applications are compromised. The threat is directed at accounts of individual users."

End-to-end encryption protects your messages in transit between sender and recipient. It provides no protection whatsoever once an attacker is logged in as you.

Two Attack Methods: Both Are Deceptively Simple

The AIVD and MIVD advisory, alongside an earlier February 2026 warning from Germany's domestic intelligence agency (BfV) and federal cybersecurity office (BSI), describes two distinct techniques.

Method One: The Fake Support Bot

The attacker messages the target directly inside Signal or WhatsApp, impersonating official support. The message typically claims there is a security problem with the account: suspicious activity detected, a possible data leak, an attempt to access private data. The target is asked to verify their identity by sharing their six-digit SMS verification code.

The code the target receives is a genuine verification code. Signal or WhatsApp automatically generates it when someone attempts to register that phone number on a new device. The attacker triggered that process. When the target shares the code, the attacker enters it on their own device. Account transferred. Victim locked out.

Signal has publicly confirmed these attacks occurred. Signal's encryption and infrastructure were not breached. Users were simply tricked into handing over the key.

Method Two: The Silent Linked Device

This one is considerably more insidious, because the victim never loses access to their account.

Both Signal and WhatsApp support a legitimate feature allowing users to link their account to multiple devices: a computer, a tablet, a second phone. On WhatsApp, this is called Linked Devices. The process normally requires scanning a QR code.

Attackers send targets a QR code or link disguised as a group invitation, a security verification prompt, or a resource from the app's official website. When the target scans it, they unknowingly link the attacker's device to their account.

The target continues using WhatsApp normally. Their old messages are still there. Nothing appears to have changed. Meanwhile, the attacker's device is silently receiving every new message sent to or from that account, in real time, potentially indefinitely.

Germany's BSI advisory notes that Signal lists all linked devices under Settings, but that users rarely check this. That is a reasonable observation: most people have never opened that menu in their lives.

Why This Is Not Just a Government Problem

The official warnings focus, understandably, on government officials and journalists. High-value targets for a state intelligence operation.

But I want to be direct with you about the UK small business picture.

WhatsApp is the de facto business communication tool for millions of UK SMBs. It is used for client conversations, supplier negotiations, staff coordination, out-of-hours updates. It carries commercially sensitive information, contract discussions, pricing, and personnel matters as a matter of routine.

That information is exactly what a competitor, a criminal gang, or a state-aligned threat actor would find useful. Russian intelligence services are not the only actors who have studied these techniques. Germany's BSI advisory specifically notes that financially motivated criminal groups have already adopted the same methods for fraud and account takeover, in campaigns researchers have named GhostPairing.

The verification code attack requires no technical sophistication. It requires a convincing message and a target who does not know how account registration works. That is not a difficult condition to meet.

The Warning Signs You May Already Be Compromised

The Dutch intelligence advisory identifies several indicators that a WhatsApp account may have been silently linked to an attacker's device:

A contact appearing twice in your address book or group chat list may indicate a hijacked account has been replaced or mirrored.

A contact whose number displays as "Deleted Account" unexpectedly may indicate an account that has been taken over and renamed to avoid detection.

Unexpected new participants in group chats, particularly ones who arrived via a link rather than a direct invitation, warrant immediate scrutiny.

If you administer a group chat used for business purposes, you should check the member list today.

What You Need to Do

These are specific, verifiable steps. None require technical expertise.

On WhatsApp:

Go to Settings, then Linked Devices. Review every device listed. If you do not recognise a device, or cannot account for when it was added, remove it immediately. On iPhone, tap and hold the device entry to remove it. On Android, tap the entry and select Log Out.

Enable two-step verification. Go to Settings, then Account, then Two-Step Verification. Set a six-digit PIN that is not your banking PIN, not your birthday, and not a number you use elsewhere. You will be asked for this PIN periodically and whenever someone attempts to register your number on a new device.

On Signal:

Go to Settings, then Account, then Registration Lock. Enable it and set a PIN. This prevents anyone from registering your phone number on another device without that PIN, even if they have your SMS verification code.

Go to Settings, then Linked Devices. Check for any device you do not recognise and remove it.
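
Why the PIN settings and the Linked Devices check above are separate defences, shown as a toy model in Python. This is an added example, not code from Signal, WhatsApp or the advisories; the class, function names, phone number, PIN and device names are constructed, and the model assumes linking is approved from the already-registered phone.

```python
import secrets

class ToyMessenger:
    """Constructed model of number-based registration, not either app's real code."""
    def __init__(self):
        self.pending, self.owner, self.pin, self.linked = {}, {}, {}, {}

    def request_code(self, number):
        # Anyone who knows the number can trigger this; the SMS reaches the real owner.
        self.pending[number] = f"{secrets.randbelow(10**6):06d}"
        return self.pending[number]  # stands in for the SMS text

    def register(self, number, device, code, pin=None):
        if code is None or self.pending.get(number) != code:
            return "rejected: wrong code"
        required = self.pin.get(number)
        if required is not None and not secrets.compare_digest(required, pin or ""):
            return "rejected: PIN required"
        del self.pending[number]
        self.owner[number] = device  # the previous device is signed out
        return "registered"

    def link(self, number, approving_device, new_device):
        # Assumption: linking is approved from the registered phone (the QR scan),
        # so the registration PIN is never consulted on this path.
        if self.owner.get(number) != approving_device:
            return "rejected"
        self.linked.setdefault(number, []).append(new_device)
        return "linked"

NUMBER = "+440000000000"  # constructed sample number

def relayed_code_takeover(pin_enabled):
    """Method One: the victim relays a genuine code to a fake support account."""
    svc = ToyMessenger()
    svc.register(NUMBER, "owner-phone", svc.request_code(NUMBER))
    if pin_enabled:
        svc.pin[NUMBER] = "481516"  # constructed PIN known only to the owner
    sms = svc.request_code(NUMBER)  # triggered by the attacker, delivered to the victim
    return svc.register(NUMBER, "attacker-phone", sms), svc.owner[NUMBER]

def unrecognised_linked_devices(pin_enabled, approved):
    """Method Two: a disguised QR code is scanned; only the audit finds it."""
    svc = ToyMessenger()
    svc.register(NUMBER, "owner-phone", svc.request_code(NUMBER))
    if pin_enabled:
        svc.pin[NUMBER] = "481516"
    svc.link(NUMBER, "owner-phone", "office-laptop")
    svc.link(NUMBER, "owner-phone", "unknown-desktop")  # the disguised QR scan
    return [d for d in svc.linked[NUMBER] if d not in approved]
```

In this model the PIN stops a relayed verification code from transferring the account, but it plays no part when a device is linked, which is why the Linked Devices review is needed as well.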

For your staff:

Signal and WhatsApp will never, under any circumstances, send you a message asking for your verification code. Neither will your IT support team, your account manager, or your network administrator. If anyone asks for that code, by any means whatsoever, the correct response is to refuse and report it.

Consider your group chats:

If your business uses WhatsApp group chats for sensitive discussions, consider whether that remains appropriate. The Dutch MIVD director was characteristically direct on this point: "Messaging apps such as Signal and WhatsApp should not be used as channels for classified, confidential or sensitive information."

For most small businesses, that is the right principle applied to commercially sensitive matters. Contract negotiations, pricing discussions, and personnel decisions do not belong in consumer messaging apps where a social engineering attack is a realistic threat vector.

How to Turn This Into a Competitive Advantage

Most of your competitors have not read this advisory. Most of them have never checked their Linked Devices menu. Most of them have no two-step verification on the WhatsApp account their business depends on.

You can move quickly and position your business as one that takes communication security seriously. That matters in professional services, legal, financial, healthcare, and any sector where clients entrust you with sensitive conversations.

If your business handles client data, confidential instructions, or commercially sensitive communications, the fact that you have audited your messaging accounts and implemented verification controls is a demonstrable security practice. It belongs in your client-facing security credentials, your Cyber Essentials documentation, and your supplier due diligence responses.

Clients increasingly ask about data security. "We have verified all linked devices on our business messaging accounts and enforce two-step verification" is a specific, credible answer. Most of your competitors cannot give it.

How to Sell This to Your Board

The risk in plain language:

Your business communicates sensitive information over WhatsApp. A single staff member receiving a convincing message and sharing a six-digit code could give an attacker persistent, silent access to every message in that account, including client data, financial discussions, and internal operational information.

Under UK GDPR, you have an obligation to protect personal data. If a messaging account containing client information is compromised through a foreseeable and preventable attack, the ICO will want to know what controls you had in place.

The cost of doing nothing:

The remediation steps described above cost nothing and take under ten minutes per device. The cost of a data breach notification, an ICO investigation, and client remediation runs into tens of thousands of pounds at minimum.

The board ask:

Instruct every member of staff who uses WhatsApp or Signal for business communications to complete the verification audit today. Set a deadline. Confirm completion. Document it.

This is not a technology project. It is a five-minute awareness action. The only thing stopping it is the absence of a decision.

What This Means for Your Business

  1. Audit Linked Devices today. On every business WhatsApp and Signal account. Yours, your staff's, and any shared business accounts. Remove anything you do not recognise.

  2. Enable two-step verification on WhatsApp and Registration Lock on Signal. Do this before you finish reading. It takes four minutes.

  3. Brief your staff this week. One simple rule: no one legitimate will ever ask for your verification code. Not Signal. Not WhatsApp. Not your IT provider. Not Mauven. No exceptions.

  4. Review your group chats. Check member lists for unexpected participants. Remove anyone who cannot be verified.

  5. Rethink what belongs on consumer messaging apps. Commercially sensitive negotiations, client data, and personnel matters warrant a more controlled environment. Consider whether Microsoft Teams, a managed Slack workspace, or encrypted business email serves that purpose better.

The encryption was never the vulnerability. The person holding the phone always was. The good news is that the defences are simple, free, and available right now.
