A Signal phishing attack does not need to crack encryption. It does not require a zero-day exploit or access to your phone. It just needs you to scan a QR code, or type an account code into the wrong form. Then the attacker walks straight in. Russia’s intelligence services built exactly this campaign. Ukraine’s SSU and the FBI disclosed it on 27 June 2026.
The Two Techniques Behind These Signal Phishing Attacks
Signal and WhatsApp both allow users to link additional devices to a single account. This is the feature that lets you use the desktop app alongside your phone. It is also the vector that attackers exploited.
In the first technique, attackers sent a malicious QR code to the target. The code looked like a real link request or security check. Scanning it connected the attacker’s device to the victim’s account. From that point, messages went to both devices at the same time. The victim saw nothing unusual.
In the second technique, attackers sent SMS messages posing as the app’s support team. Those messages asked for PINs, account codes or two-step codes, framing the request as a routine security check. Anyone who handed them over gave attackers full account access.
According to the FBI’s IC3 advisory, the campaign compromised thousands of accounts. Primary targets were government and military officials, but the techniques work on any account where the holder can be deceived.
Why These Attacks Bypass Encryption
Signal’s encryption is end-to-end. Messages are encrypted on your device and decrypted only on the recipient’s device. No third party can read them in transit. That guarantee holds.
Yet the guarantee only covers messages in transit. It says nothing about who controls the account sending them.
These attacks did not break that guarantee. They moved around it. By linking a device first, attackers put themselves inside the encryption boundary. Their device was treated as a real recipient, so it received every message too.
So the app was not broken. The account access behind it was compromised. Switching apps solves nothing if the same technique works there too.
How to Check Whether Your Account Has Been Compromised
Start with linked devices. In Signal, go to Settings and select Linked Devices. Review every entry. If you see a device you do not recognise, tap it and remove it. In WhatsApp, the same list lives under Settings > Linked Devices.
This check takes two minutes. Yet most users have never opened this menu. It should be part of any quarterly review, and it matters most for anyone handling sensitive data.
Also look at session activity where the app shows it. WhatsApp shows the last active date for each linked device. A device with activity from an odd time or location needs checking now, not at the next review cycle.
What to Change in Your Settings
Signal has a feature called Registration Lock. When on, it blocks the most common Signal phishing attack method: re-registering an account to a new device. Without it, someone with your phone number and a code can take over your Signal account entirely. Enable it under Signal Settings > Account > Registration Lock.
Set a PIN that mixes letters and numbers rather than a four-digit code. The IC3 advisory also recommends this. A short numeric PIN is much easier to guess if an attacker has partial access.
Enable message expiration for sensitive group chats. Because old messages in a breached account give attackers a lot more to work with, shorter lifetimes reduce the damage if someone gets in.
What Your Team Needs to Understand
No messaging platform sends unsolicited texts asking for an account code. If a team member gets a message claiming to be from Signal or WhatsApp support, asking for a PIN or code, that is a phishing attempt. Do not share the code under any circumstances.
Train staff to treat unexpected QR codes with the same care they apply to links in email. A QR code is just a link in a different format. If you would not click a suspicious URL, do not scan an unexpected QR code either.
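As an added example (not part of the original article), this triage function treats the text decoded from a QR code as the link it is and flags a device-link request the account holder did not start. The `sgnl://linkdevice` and `tsdevice:` URI forms and the host list are assumptions that do not come from the article, and decoding the QR image itself is left to whatever scanner produced the text.

```python
from urllib.parse import urlsplit, unquote

# Assumption (not stated in the article): a Signal device-linking QR code
# encodes a URI such as sgnl://linkdevice?uuid=...&pub_key=... ; older
# clients used the tsdevice: scheme.
LINK_MARKERS = ("sgnl://linkdevice", "tsdevice:")
# Assumption: hosts your organisation treats as official. Maintain your own.
OFFICIAL_HOSTS = ("signal.org", "signal.me", "signal.group", "whatsapp.com")
BRANDS = ("signal", "whatsapp")


def is_link_request(uri: str) -> bool:
    """True if the URI asks the app to link a new device to the account."""
    parts = urlsplit(uri.strip())  # urlsplit lowercases the scheme
    if parts.scheme == "tsdevice":
        return True
    return parts.scheme == "sgnl" and parts.netloc.lower() == "linkdevice"


def triage_qr(payload: str, user_started_linking: bool = False) -> str:
    """Classify text already decoded from a QR code."""
    text = payload.strip()
    if is_link_request(text):
        # Linking is legitimate only when the account holder began it
        # from Settings > Linked Devices on their own phone.
        return "allow-device-link" if user_started_linking else "block-device-link"
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https"):
        return "review-unknown"
    # Decode twice so a percent-encoded (or double-encoded) linking URI
    # hidden in a redirect parameter is still visible.
    decoded = unquote(unquote(text)).lower()
    if any(marker in decoded for marker in LINK_MARKERS):
        return "block-wrapped-device-link"
    host = (parts.hostname or "").lower()
    if any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS):
        return "official-host"
    if any(brand in host for brand in BRANDS):
        return "review-lookalike-host"
    return "review-web-link"
```

A mail or chat gateway that already extracts QR text can call `triage_qr` on each payload and hold anything that does not return `official-host` for a person to check.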
Finally, group chat membership is worth reviewing. The SSU advisory, reported by The Record, noted that attackers used breached chats to send malicious files to other members. If an account appears in a work group and no one knows who added it, contact the supposed holder directly. Do not assume it will resolve itself.