A wave of phishing attacks targeting Signal users across Germany and beyond has been traced to Russian-linked infrastructure, with victims including security officials, politicians, and journalists.
Attackers impersonated Signal’s support staff using a profile called “Signal Support”, claiming that the user’s account was at risk and prompting them to enter a code and PIN. Entering those credentials allowed the attackers to take over the account, access contacts, and read incoming messages, CORRECTIV reports.
Among the most prominent victims is Arndt Freytag von Loringhoven, former vice-president of Germany’s foreign intelligence service BND. Bill Browder, the Anglo-American Kremlin critic, has also said he fell victim to a Signal phishing attack in early March. The campaign is broad: the FBI has warned that the attacks have compromised thousands of accounts globally.
Germany’s domestic intelligence service BfV and the Federal Cyber Security Authority BSI warned of the attacks in February, attributing them to a “probable state-sponsored cyber actor”. In early March, Dutch intelligence publicly named “Russian state hackers” as the perpetrators. The FBI followed, attributing the campaign to “cyber actors associated with the Russian intelligence services”. None of the agencies published supporting evidence at the time — CORRECTIV’s investigation is the first to uncover concrete technical findings.
CORRECTIV’s investigation uncovered three factors that in combination point to a coordinated campaign originating in Russia.
First, the infrastructure. After the takeover of Freytag von Loringhoven’s account, his contacts received a fake WhatsApp channel invitation — a link that led investigators to the hosting provider Aeza, a Russian company previously used to run state-sponsored propaganda campaigns and criminal operations. Aeza and its founders have been sanctioned by the US and the UK; notably, no EU sanctions have been imposed so far. Data traffic from the phishing sites also passed through a German partner of Aeza. Across all identified servers, CORRECTIV found 31 websites hosted on Aeza’s infrastructure, including 29 additional suspected phishing domains.
Second, the tool. The phishing sites ran on a programme called “Defisher”, advertised on Russian hacker forums as recently as 2024 for just $690. The tool appears to have been initially developed for cybercriminals before being repurposed for state-adjacent operations. Digital traces suggest the vendor may be a young freelancer based in Moscow. According to IT security circles, hackers with links to the Russian state began integrating Defisher into their operations around a year ago. European and US security services have described two methods currently in use — CORRECTIV focused on the variant deployed in the Freytag von Loringhoven case.
Third, the targets. The campaign was not random — it focused on security officials, politicians, and journalists across multiple countries, pointing to deliberate political targeting rather than opportunistic cybercrime.
The investigation reveals that the current German-focused campaign is not isolated. Between March and June 2025, several of the identified Aeza-hosted domains served fake WhatsApp channel invitations in Ukrainian, with at least four purported group chats titled “Operative Information” set up as lures for Ukrainian targets.
In October 2025, Moldova’s Centre for Strategic Communication and Countering Disinformation reported that state institution employees had received identical fake WhatsApp invitations via Signal – using the exact same websites CORRECTIV independently identified. One particularly telling detail: a page titled “Manifesto Europe 2028 – Moldova”, hosted on the same Aeza IP address, was a clone of a genuine petition by pro-European Moldovan economists and businesses – suggesting the operation was tailored to local political contexts, not simply copy-pasted across borders.
Ukraine’s Computer Emergency Response Team CERT-UA confirmed that the domains matched incidents recorded in Ukraine, with similar attacks documented as early as April 2024. The method also bears similarity to attacks attributed to the group “UNC5792”, which Google analysts have linked to phishing campaigns in Georgia, France, and the United States.
CORRECTIV notes a parallel to Russia’s Doppelgänger disinformation campaign, in which state-linked actors similarly repurposed criminal tools and methods – a pattern Insight News Media has previously documented in detail. The phishing campaign targeting Signal users fits the same blueprint: low-cost, commercially available tools deployed against high-value political targets across multiple countries simultaneously. The EU has since expanded sanctions against Russia specifically over escalating hybrid and cyber threats of this kind — though Aeza, a key node in this operation, remains outside the EU’s sanctions list.