
Germany Blames Russia for Signal Phishing Campaign Targeting Government Officials

Berlin's formal attribution of encrypted messaging attacks marks a shift from cyber-espionage tolerance to public deterrence signaling.

Germany officially attributed a sophisticated phishing campaign targeting Signal users in its political sphere to Russian state actors on 25 April 2026, ending months of coordinated Western intelligence assessment with a public accusation that underscores Moscow’s willingness to target encrypted government communication channels.

The campaign compromised at least 300 Signal accounts belonging to German politicians, civil servants, diplomats, and journalists, according to Kyiv Independent citing Der Spiegel. Targets included parliament speaker Julia Kloeckner, senior CDU members, and BND Vice President Arndt Freytag von Loringhoven, whose account was hijacked in February-March 2026. German prosecutors launched a formal espionage investigation on 24 April, one day before Berlin’s public attribution.

“The federal government is assuming that the phishing campaign targeting the Signal messaging service was presumably run from Russia,” a German government source told France24. The statement followed similar attributions by Dutch intelligence on 9 March and FBI Director Kash Patel’s March disclosure that Russian intelligence-linked actors were targeting messaging services including Signal.

Context

Signal is pre-installed on German federal government devices and widely used across NATO for secure communications. Unlike previous Russian disinformation campaigns, this operation directly targets encrypted infrastructure, exploiting a gap that lies in social engineering rather than in any cryptographic weakness.

Attack Mechanics and Scale

The phishing operation impersonated Signal support staff, requesting security verification codes and PINs from targets to gain account access. According to CORRECTIV, the campaign traces to a tool called “Defisher,” advertised on Russian hacker forums for $690 and linked to control infrastructure used in prior attacks against Ukrainian and Moldovan targets. Digital evidence confirmed Russian origin on 24 March following a technical investigation.

Globally, the campaign resulted in unauthorised access to thousands of accounts, per a 20 March public service announcement from the FBI and CISA. High-intelligence-value targets included dignitaries, military personnel, and civil servants across multiple NATO member states. The Netherlands’ General Intelligence and Security Service (AIVD) described it as “a large-scale global cyber campaign” in its March attribution.

Feb-Mar 2026: BND Vice President Account Hijacked. Arndt Freytag von Loringhoven’s Signal account compromised, marking first confirmed high-level German intelligence target.
9 Mar 2026: Dutch Attribution. AIVD publicly blames Russian state hackers for global Signal/WhatsApp campaign targeting government officials.
20 Mar 2026: FBI/CISA Warning. US agencies issue public alert confirming thousands of compromised accounts globally, attributing operation to Russian intelligence.
24 Mar 2026: CORRECTIV Investigation. German investigative outlet publishes digital evidence linking phishing infrastructure to Russian control servers.
24 Apr 2026: Prosecutors Launch Probe. German authorities open formal espionage investigation after parliament speaker and MPs targeted.
25 Apr 2026: Official Attribution. German government publicly blames Russia, completing coordinated Western intelligence narrative.

Geopolitical Timing and Strategic Context

The attribution arrives during Germany’s EU Council presidency and sustained NATO-Russia tensions over Berlin’s military aid to Ukraine. Russia has escalated hybrid operations against Germany since 2022, including APT28’s infiltration of routers and election disinformation campaigns in 2025. The Signal operation represents a tactical evolution from narrative manipulation to infrastructure disruption.

“The latest phishing attempt from Russia targeting German politicians and journalists is a wake-up call for all of us,” Marc Heinrichmann, CDU lawmaker and intelligence committee chair, told France24. “What may seem like a harmless message at first glance could, in today’s world, be a targeted espionage attempt by foreign powers.”

Recorded Future linked the campaign to Russia’s Sandworm group, which has previously assisted military forces in exploiting captured battlefield devices to access Signal accounts. German authorities assessed that “given the high-profile target set, current known cases are likely attributable to a state-controlled cyber actor.”

“Russian state hackers are engaged in a large-scale global cyber campaign to gain access to Signal and WhatsApp accounts belonging to dignitaries, military personnel, and civil servants.”

— Netherlands’ General Intelligence and Security Service (AIVD)

Deterrence Signaling or Escalation Risk

Berlin’s decision to publicly attribute the operation—rather than limit response to quiet diplomatic channels—signals a shift in Western cyber deterrence strategy. The coordinated timeline from Dutch intelligence (9 March) through FBI disclosure (March) to CORRECTIV’s technical investigation (24 March) and Germany’s final statement (25 April) created a unified narrative designed to impose reputational costs on Moscow.

The Signal campaign differs from traditional espionage in its scale and targeting methodology. Rather than selectively compromising individual high-value accounts through tailored operations, the phishing tool’s availability on Russian forums for $690 suggests a capability distributed across multiple threat actors. This democratisation of access to government communications infrastructure raises questions about operational control and attribution confidence.

Campaign Impact
German Political Accounts Compromised: 300+
Global Accounts Affected: Thousands
Phishing Tool Cost: $690
Attribution Timeline: 46 days

The attack exploited Signal’s device-linking feature, which allows new devices to be added using verification codes sent to existing installations. Once attackers obtained these codes through social engineering, they gained persistent access to message histories and contacts. Signal has since emphasised that its encryption remains unbroken—the vulnerability lies in user authentication protocols, not cryptographic implementation.

What to Watch

Germany’s formal attribution creates precedent for collective Western response to Russian cyber operations below the threshold of armed conflict. Whether this translates to coordinated sanctions, diplomatic expulsions, or cyber counter-operations will indicate NATO’s willingness to impose costs for encrypted communication targeting. The confirmed compromises likely represent a subset of the final tally as forensic analysis continues.

Russia’s next move will test whether public attribution functions as deterrence or provokes escalation. Moscow has historically responded to cyber accusations with denial and retaliatory operations. The Signal campaign’s success in penetrating government communications suggests Russia views the intelligence gain as worth the diplomatic cost, particularly if Western response remains limited to public statements.

Signal’s adoption as the de facto secure messaging standard for government officials across NATO now faces scrutiny. The platform’s security model assumes users will recognise and reject social engineering attempts—an assumption that 300+ compromised German accounts have proven optimistic. Expect renewed focus on multi-factor authentication requirements and user security training across European government institutions.