
Recent security warnings have raised concerns about a wave of attacks targeting users of encrypted messaging platforms such as Signal and WhatsApp. While headlines often suggest these apps have been “hacked,” the reality is different: the encryption protecting messages remains intact.
Instead, attackers are exploiting human behavior through social engineering and phishing techniques to gain control of accounts.
According to several reports, the latest wave of attacks is most likely being carried out by Russian state actors. However, such an attribution is difficult, if not impossible, to make.
Encryption was not broken
Signal and WhatsApp both use strong end-to-end encryption, which ensures that messages can only be read by the sender and the recipient.
Because of this, attackers are focusing on a simpler path: taking over user accounts instead of breaking the encryption itself. Once they gain access to the account, they can read messages and monitor conversations just like the legitimate user.
Methods used in the Signal and WhatsApp attacks
The attacks targeting Signal and WhatsApp primarily relied on manipulating the user and convincing them to reveal authentication information like the Signal Security PIN or registration SMS. These methods focused on gaining access to the user account rather than attacking the messaging platform itself.
‘Account take-over’ – SMS verification code manipulation
The most important method used in these attacks involves the SMS verification process used when logging into messaging apps.
When a user attempts to access their messaging account from a new device, the platform sends a one-time verification code via SMS to confirm the user’s identity. This code acts as a temporary login credential.
Attackers exploited this process by initiating a login attempt using the victim’s phone number. The victim receives the legitimate verification code via SMS, but the attacker then contacts the victim and tricks them into sharing the code.
The process typically works as follows:
- The attacker enters the victim’s phone number into the messaging app login system.
- The service sends a verification code via SMS to the victim’s phone.
- The attacker sends a message pretending to be technical support, a colleague, or another trusted source.
- The victim is asked to confirm or forward the code for “security verification.”
- The attacker uses the code to complete the login and take control of the account.
Because the code is valid for a short time, the attacker must convince the victim to share it quickly.
Linked devices and QR codes
Another method involves abusing the device linking feature available in messaging platforms.
Signal and WhatsApp allow users to connect additional devices such as laptops or desktop computers by scanning a QR code. Attackers may send malicious QR codes or links and convince victims to scan them under the pretense of security verification or account updates.
If the victim scans the code, the attacker’s device may become linked to the account. This allows the attacker to monitor conversations and access messages remotely without immediately alerting the victim.
Signal by default
Impersonation through direct messages
Attackers also rely on impersonation tactics when communicating with victims. They may pose as:
- messaging platform support teams
- coworkers or supervisors
- trusted contacts
This impersonation builds credibility and increases the likelihood that the victim will comply with requests such as sending verification codes or scanning QR codes.
The role of social engineering
Social engineering is the backbone of these attacks. Instead of relying on technical vulnerabilities, attackers manipulate people into giving away access.
Common social engineering techniques include:
Impersonation
Attackers pretend to be:
- messaging platform support teams
- coworkers or supervisors
- trusted contacts whose accounts may already be compromised
This creates a sense of legitimacy and urgency.
Urgency and fear
Messages often claim that action must be taken immediately to prevent account suspension or data loss. This pressure pushes victims to act quickly without verifying the request.
Trust exploitation
In some cases, attackers first compromise one account and then use it to message friends, colleagues, or group members. Because the request appears to come from someone familiar, victims are more likely to comply.
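The indicators described above (a request for a verification code or PIN, a claimed support identity, urgency, and a link that would link a device) can be checked mechanically when triaging reported messages. The following is an added example, not part of the original article: the pattern wording, the function names `triage` and `linking_urls`, and the sample messages are constructed assumptions, and `sgnl://linkdevice` is Signal's device-linking URI, which the article does not name.

```python
import re
from urllib.parse import unquote

# Constructed indicator patterns; tune the wording for your own users and languages.
ASK = re.compile(r"\b(send|share|forward|confirm|reply with|tell)\b", re.I)
SECRET = re.compile(r"\b(verification code|sms code|registration code|pin)\b", re.I)
SUPPORT = re.compile(r"\b(support|security team|helpdesk|customer service)\b", re.I)
URGENT = re.compile(r"\b(immediately|urgent|suspended|suspension|data loss)\b", re.I)
URL = re.compile(r"[a-z][a-z0-9+.-]*://\S+", re.I)
LINK_DEVICE = "sgnl://linkdevice"  # Signal's device-linking URI (not named in the article)

def linking_urls(text, max_decode=3):
    """Return URLs that are, or carry percent-encoded, a device-linking URI."""
    hits = []
    for url in URL.findall(text):
        decoded = url
        for _ in range(max_decode + 1):
            if LINK_DEVICE in decoded.lower():
                hits.append(url)
                break
            decoded = unquote(decoded)  # peel one layer of redirect-style encoding
    return hits

def triage(text):
    """Return (verdict, reasons) for one inbound message."""
    reasons = []
    if ASK.search(text) and SECRET.search(text):
        reasons.append("asks_for_code_or_pin")
    if SUPPORT.search(text):
        reasons.append("claims_support_identity")
    if URGENT.search(text):
        reasons.append("urgency_pressure")
    if linking_urls(text):
        reasons.append("device_linking_link")
    # Decisive alone: codes are never shared, and unsolicited links are not followed.
    decisive = {"asks_for_code_or_pin", "device_linking_link"} & set(reasons)
    return ("block" if decisive else "review" if reasons else "ok"), reasons

SAMPLES = [  # constructed messages, not taken from real incidents
    "Signal Support: reply with the verification code you received immediately "
    "or your account will be suspended.",
    "Join the group: https://example.test/j?to=sgnl%3A%2F%2Flinkdevice%3Fuuid%3DX%26pub_key%3DY",
    "IT helpdesk: maintenance window tonight.",
    "Lunch at noon? I'll forward the agenda later.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage(msg), "|", msg[:50])
```

The verdict is `block` whenever a code request or a device-linking link is present, regardless of how credible the sender looks, because those two requests are what complete the account takeover.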
Why these attacks are effective
These techniques work because they target human behavior rather than software vulnerabilities. Even the strongest encryption cannot prevent a user from voluntarily sharing authentication codes or login details.
Messaging apps rely on quick verification processes, which makes them convenient but also creates opportunities for manipulation if users are not cautious.
How users can protect their accounts
To reduce the risk of account hijacking, users should follow several best practices:
- Never share verification codes received via SMS with anyone
- Do not click links in unsolicited emails or messages
- Verify suspicious requests directly with the sender through another channel
- Regularly review linked devices in messaging app settings
- Activate Registration Lock in Signal via Settings -> Account -> Registration Lock, then toggle the switch.
- It is important to remain alert to messages that appear to be sent by Signal. The Signal customer service department never makes direct contact via a Signal message.
- If a user discovers that their account has been compromised, they should inform all their contacts via another channel.
- Users can check for compromised contacts themselves. If a contact appears twice in a Signal chat group or has an unusual name, it may be compromised.
- Where possible, use a username rather than a phone number, or use the option to hide your phone number. Hiding your phone number from a threat actor reduces your device’s attack surface and hinders phishing attacks and account takeovers.
- Consider activating the Disappearing Messages feature. If your device or messaging app account is compromised, this will prevent the hacker from accessing your entire chat history.
These attacks highlight a broader trend in cybersecurity: attackers increasingly rely on psychological manipulation rather than technical exploits.
With more and more people using encrypted messaging for sensitive communication, it’s important to understand these threats and spot manipulation tactics.