Encrypted messaging is only as secure as the thing that connects your account to your devices. And right now, Russian state hackers are going after that exact weak point.

Dutch intelligence agencies dropped a warning this week: Russian state-sponsored hackers are running a global campaign to compromise Signal and WhatsApp accounts. Primary targets are government officials, military personnel, and journalists. But the technique they’re using doesn’t care about your job title.

Here’s how it works. Signal and WhatsApp both let you link additional devices, like your laptop, by scanning a QR code. Attackers get the target to scan a malicious QR code. Could be in a phishing email. Could be on a fake site. Could look like a legitimate invitation. Once scanned, the attacker’s device is linked to your account. They get every message you send and receive from that point forward. In real time.

You get no alert. No notification. No banner saying “someone in Moscow is reading your messages.” The attacker’s device shows up in your linked devices list, but only if you go look.

Most people never look.

This technique first showed up in 2024, targeting Ukrainian military and government officials. What’s new is the scale. The Dutch warning calls this a global campaign. Not limited to Ukraine. Not limited to Europe. And once the infrastructure is built, there’s nothing stopping anyone from targeting regular people too. Your Signal account works the same way whether you’re a defense attaché or a freelancer.

Here’s what to do, and it takes 30 seconds:

Signal: Open the app. Tap your profile icon. Settings. Linked Devices. If anything’s there you don’t recognize, remove it. While you’re at it, turn on Registration Lock under Settings, Account. That stops someone from re-registering your account on a new phone without your PIN.

WhatsApp: Settings. Linked Devices. Same deal. Review and remove anything unfamiliar.

For both: Be extremely careful about scanning QR codes you didn’t ask for. If someone sends you one to “verify your account” or “join a group,” stop. That’s not how either app handles those things.
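If you're the person staff forward suspicious QR codes or phishing pages to, here is an added example (not from the Dutch warning or from Signal) that checks whether a decoded QR payload or saved page source asks Signal to link a device. It assumes Signal's linking QR codes decode to a `sgnl://linkdevice` URI with `uuid` and `pub_key` parameters, a detail this post doesn't state; WhatsApp's format isn't covered, and every sample value is constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption, not stated in the post: a Signal linking QR code decodes to a
# URI of the form sgnl://linkdevice?uuid=...&pub_key=...
LINK_URI = re.compile(r"sgnl://linkdevice\?[^\s\"'<>]+", re.IGNORECASE)


def find_link_requests(text, max_unwrap=3):
    """Return device-link requests found in a QR payload or page source.

    The text is percent-decoded up to max_unwrap times so that a linking URI
    percent-encoded inside another URL is still reported.
    """
    hits, seen = [], set()
    for layer in range(max_unwrap + 1):
        for match in LINK_URI.finditer(text):
            uri = match.group(0)
            params = parse_qs(urlsplit(uri).query)
            uuid = params.get("uuid", [None])[0]
            key = uuid or uri.lower()
            if key in seen:  # same request already seen at an earlier layer
                continue
            seen.add(key)
            hits.append({"uri": uri, "uuid": uuid,
                         "has_pub_key": "pub_key" in params,
                         "decode_layers": layer})
        decoded = unquote(text)
        if decoded == text:  # nothing left to decode
            break
        text = decoded
    return hits


# Constructed samples (not real indicators): what a QR decoder or a saved
# phishing page might hand to the check.
SAMPLES = {
    "plain": "sgnl://linkdevice?uuid=CONSTRUCTED-0001&pub_key=QUJD",
    "wrapped": "https://example.invalid/join?next="
               "sgnl%3A%2F%2Flinkdevice%3Fuuid%3DCONSTRUCTED-0002%26pub_key%3DQUJD",
    "html": '<script>location.href="SGNL://linkdevice?uuid=CONSTRUCTED-0003"</script>',
    "benign": "https://example.invalid/meeting-agenda",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        found = find_link_requests(payload)
        print(name, "-> LINK REQUEST" if found else "-> no link request", found)
```

Any hit on a code that arrived unrequested means scanning it would have linked a device, so treat it as a linking attempt and not as an invitation.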

Here’s the irony. Signal and WhatsApp’s encryption is excellent. The cryptography is solid. But encryption protects messages in transit. It doesn’t protect the endpoints. If an attacker is linked to your account, they’re not breaking encryption. They’re receiving messages as an authorized device. The encryption works perfectly. It’s just working for them too.

People hear “encrypted” and assume “safe.” Encrypted means the pipe is secure. It doesn’t mean the house at either end is locked.

If your job makes your communications valuable to a foreign intelligence service, treat this as a direct and current threat. Audit your linked devices today. Brief your staff.

If you’re a regular person, the risk from Russian state hackers specifically is lower. But the technique is simple, repeatable, and available to anyone. Criminal actors, stalkers, whoever. Good security hygiene here costs you nothing but a few seconds.

Check your linked devices. Turn on Registration Lock. Don’t scan QR codes you didn’t ask for.

