Russia-linked Signal phishing campaign targets around 300 German officials, military personnel and journalists via linked-device exploit

German authorities are investigating suspected Russia-linked operators who used Signal phishing attacks against approximately 300 accounts belonging to senior officials, military personnel and journalists, AP reported on 28 April 2026. The attack technique exploited Signal’s linked devices feature, using phishing pages impersonating legitimate group invites to link attacker-controlled devices to targets’ accounts, granting persistent read access to message history without triggering obvious security alerts. The campaign is significant for law enforcement digital forensics because it demonstrates active exploitation of encrypted messaging platforms used by security services across EU member states. Investigators are advised to prioritise chat-token artefacts, device-linking events, phishing bot infrastructure and cross-platform account recovery logs to preserve attribution signals and assess message exposure. The campaign illustrates the growing use of messaging platform exploitation as a primary intelligence collection vector against European security services.

In this domain: Europol IOCTA 2026: encryption, proxies, and AI are expanding cybercrime · Winona County ransomware: stolen data released publicly after county refuses to pay, exposing resident and government records · Australian ACSC publishes agentic AI security guidance warning of prompt injection, scope creep and audit trail gaps