Security
6 min read

Signal Hijacking Is Real — Here's How to Protect Yourself

Germany's intelligence agencies just issued a warning about Signal account hijacking. The attacks use social engineering, not malware. Here's what to do.

Germany's intelligence agencies issued a warning this week: state-sponsored attackers are hijacking Signal accounts of politicians, diplomats, journalists, and military officers across Europe.

The attacks don't use malware. They don't exploit technical vulnerabilities. They just convince people to hand over their accounts through social engineering.

If you use Signal (or WhatsApp), this matters.

What's Actually Happening

Germany's Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI) have been tracking a campaign targeting high-profile individuals. The attackers have two main approaches, and both abuse legitimate Signal features rather than breaking anything.

Attack #1: The Fake Support Message

You receive a message claiming to be from Signal's support team. There's an urgent security warning — your account may be compromised, suspicious activity detected, something that demands immediate action.

The attacker asks you to read back your Signal PIN or the SMS verification code "to secure your account." That code is exactly what Signal sends when someone registers your number on a new phone, and the PIN is what Registration Lock would otherwise demand from them. Hand both over and the attacker completes the registration on their own device: your phone is deregistered, every new message goes to them, and they can write to your contacts as you. Your existing chat history does not leave your phone (Signal stores it on the device, not on a server), but everything from that moment on is theirs, and with your PIN they can also pull down the profile and contact data Signal backs up under it.

Attack #2: The QR Code Trick

This one is sneakier. Signal (and WhatsApp) let you link your account to multiple devices — your phone, your laptop, a tablet. It's genuinely useful.

To pair a new device, you scan a QR code. Attackers have figured out how to weaponize this.

They'll convince you to scan a QR code for some plausible reason. Maybe it's "required for security verification" or part of "completing your profile." The QR code is a real device-linking code, generated by the attacker's copy of Signal Desktop. Once you scan it, their machine is a linked device on your account, and it stays that way until you remove it.

The disturbing part: you stay logged in normally. Your app works fine. Your contacts see no "safety number has changed" notice either, because a linked device uses the same identity key as your phone rather than a new registration. Nothing warns anyone that a second device is now receiving every message you send and receive.

Why This Matters for Regular People

"I'm not a diplomat or politician" — I hear you. But these techniques don't stay exclusive for long.

Once attackers prove a method works on high-value targets, it spreads. The QR code pairing technique was first observed in Russian state-sponsored operations. It's now being used by regular cybercriminals for fraud and account hijacking.

Your Signal conversations might not contain state secrets, but they probably contain enough to impersonate you convincingly. Scammers could message your contacts asking for money. They could harvest your social graph. They could read your personal conversations and use that information for targeted attacks.

If you run a business, communicate with clients over Signal, or simply want your private conversations to stay private — this concerns you.

How to Protect Yourself

Here's what you should do right now. It takes about three minutes.

1. Enable Registration Lock

This is the single most important protection. Go to:

Signal → Settings → Account → Registration Lock → Enable

When active, anyone trying to register your phone number with Signal needs your PIN, not just the SMS verification code. Without the PIN, the registration fails. This is exactly why the fake-support attack asks for the PIN as well as the code: the lock only helps if you never hand the PIN over.

Warning: if you forget your PIN and lose access to your phone, you cannot re-register until the lock expires, and it expires only after the account has gone unused for 7 days. Signal prompts you to re-enter the PIN now and then for this reason; don't dismiss those reminders.

2. Check Your Linked Devices

Right now, open Signal and go to:

Settings → Linked Devices

You should see a list of every device linked to your account, with its name and the date it was linked. If there's anything you don't recognize, such as a desktop you didn't set up or a device linked on a date when you added nothing, that's a problem. Remove it immediately. (Signal shows only names and dates here, not locations, so don't expect a city to give it away.)

Make this a regular habit. Check every few weeks.

3. Ignore "Support" Messages

Signal's support team does not reach out to users inside the app, and no legitimate Signal process ever asks you for your PIN, a verification code, or a QR scan over a chat. Signal's help is at support.signal.org, and you go to it, not the other way round. If you receive a message claiming to be from Signal's team and asking for any of these, it's fake.

Don't respond. Don't share codes. Don't scan QR codes.

Block and report the sender.

4. Be Skeptical of QR Code Requests

QR codes are everywhere now — restaurants, payments, authentication apps. We've been trained to scan them without thinking.

If anyone asks you to scan a QR code for "security verification" or "account confirmation" over a messaging app, stop. Legitimate security processes don't work this way.

The only time you should scan a device-linking QR code is when you're setting up your own new device, on a screen you navigate to yourself: the code is displayed by the Signal app on the device you're adding, and you scan it from your phone via Settings → Linked Devices → Link New Device. A code that arrives in a message, an email, or a web page someone sent you is never part of that flow.

5. Verify Contact Identity for Sensitive Conversations

Signal has a "Safety Number" feature that lets you verify you're actually talking to who you think you're talking to. The number is derived from both parties' identity keys, so it only matches if neither end has been swapped out. For important contacts (family, close friends, colleagues) verify these numbers in person.

Go to a conversation → Tap their name → "View Safety Number"

Compare the number with your contact's device directly, or scan the QR code shown on that screen. If the numbers don't match, something's wrong.

Pay attention to the "safety number changed" notices Signal shows in a conversation. They appear whenever a contact registers on a new device, which is normal when someone buys a new phone but is also exactly what the fake-support attack produces on their account. If you see one, ask the person over a different channel (a call, in person) whether they really changed phones before you send them anything sensitive.

What About WhatsApp?

WhatsApp has the same device-linking feature, which means it's vulnerable to the same QR code attack.

The protections are similar:

  • Enable two-step verification: Settings → Account → Two-step verification
  • Check linked devices regularly: Settings → Linked Devices
  • Don't respond to messages claiming to be from "WhatsApp Support"

Meta does have an official support channel, but it doesn't randomly message users about security issues.

The Bigger Picture

These attacks work because they exploit trust and urgency — not technology. The attackers don't need to hack Signal's servers or break encryption. They just need you to believe their story for 30 seconds.

This is true for most "hacks" that affect regular people. The technical defenses are strong. The human defenses are the weak point.

A few habits make a real difference:

Question urgency. Legitimate security processes give you time to think. If something demands immediate action and doesn't let you verify through another channel, that's a red flag.

Verify through separate channels. If "Signal support" contacts you, go to Signal's website directly and check if that's even possible. (Spoiler: it's not.)

Treat your account like a key. Your messaging app is the key to conversations, relationships, and trust. PINs, verification codes, and QR code scans should be treated with the same caution as your bank password.

The German intelligence agencies chose to make this warning public because the attacks are working. People are falling for them. The techniques are spreading.

Take three minutes today. Enable Registration Lock. Check your linked devices. Make it harder for someone to read your messages tomorrow.

▸ TAGS
#Signal #security #messaging #WhatsApp #social-engineering #account-security