The most frequently observed method used by the Russian hackers is to masquerade as a Signal Support chatbot in order to induce their targets to divulge their codes. The hackers can then use these codes to take over the user’s account. Another method used by the Russian actors takes advantage of the ‘linked devices’ function within Signal and WhatsApp.
At least three Russian threat actors have been linked to this campaign, including the GRU cyber warfare unit known as GRU unit 74455, “Seashell Blizzard” or “Sandworm”. According to AIVD, potential victims include government employees and journalists.
Note that neither the Signal or Whatsapp apps have been hacked. The attack consits of social engineering that tricks the user to let the threat actor gain access to their accounts. It is likely that this campaign has been going on for a considerable time. A similar campaign was reported by Truesec in February 2025 and was also attributed to GRU. [2]
Recommendations
“Sandworm” is most known for their destructive cyber warfare operations, but they have also been involved in cyber espionage and so-called “hack-and-leak” operations where sensitive information is stolen and manipulated to discredit persons and governments.
In their alert, AIVD also published recommendations for how to detect if someone in a Signal group may have been impersonated by someone that has gained access to their account information. [1] The makers of Signal have also published information on how to avoid being tricked by these threat actors. According to Signal they do not use a chatbot that seeks out users unsolicited and will never ask for pin codes if they contact users. [3]
Truesec recommends all users of these apps to familiarize themselves with these recommendations, especially if they belong in any of the listed categories of potential victims.
References
[1] https://english.aivd.nl/latest/news/2026/03/09/russia-targets-signal-and-whatsapp-accounts-in-cyber-campaign
[2] https://soc.truesec.app/TS-ThreatInsight-2025-9
[3]