Signal phishing campaign compromises Signal groups of German politicians, BSI and BfV warn
Signal phishing campaign targets German politicians’ Signal groups; BSI and BfV warn of eavesdropping, and federal prosecutors have been investigating since mid-February 2026.
A Signal phishing campaign has allowed unknown actors to read messages in private Signal groups used by German politicians and officials, federal security agencies warned this week. The Bundesamt für Sicherheit in der Informationstechnik (BSI) and the Bundesamt für Verfassungsschutz (BfV) sent a detailed security notice to party leaders and parliamentary offices describing broad compromises. Authorities say the campaign has been active for months and that the federal prosecutor’s office opened investigations in mid-February 2026.
Security agencies send comprehensive alert
The BSI and BfV circulated a 20-page security advisory to parliamentary factions and party headquarters outlining methods of compromise and mitigation steps. The notice warns that attackers have been able to read messages in multiple Signal groups, in some cases for extended periods. Recipients were urged to audit account settings, review access controls, and coordinate with IT specialists to determine potential exposures.
High-profile accounts among those affected
Investigations and reporting have identified several high-profile targets, including senior politicians and former intelligence officials. Among those named publicly is Bundestag President Julia Klöckner, whose membership in at least one compromised chat group was reported; the account of Chancellor Friedrich Merz has not been shown to be compromised. Former BND deputy Arndt Freytag von Loringhoven also had contacts accessed, illustrating that the campaign reached individuals with significant security-relevant networks.
Phishing techniques exploit human vulnerabilities
Security authorities describe two primary social-engineering methods, rather than malware-based intrusions, being used to seize Signal accounts. In one variant, victims receive messages purporting to be from Signal support and are asked to disclose their PIN, which enables attackers to take over accounts. In another, users are invited into chat groups and prompted to scan a QR code that grants attackers a secondary access path, sometimes allowing weeks of undetected reading and impersonation. Once an account is controlled, attackers can read messages, download media and pose as the user within chats.
International scope and suspected state actors
BSI and BfV assess the operation as a coordinated international wave targeting decision-makers across politics, military, administration, journalism and business. Intelligence warnings from the Netherlands and the United States have linked similar campaigns to cyber actors with ties to Russian services, and German officials say the country is being targeted intensively given its geopolitical role. Security politicians have characterized Germany as a particular focus for hostile cyber activity, reflecting concerns over hybrid influence and espionage.
Political communications and operational risk in Berlin
End-to-end encrypted messengers such as Signal and Threema are widely used in Berlin for intra-party coordination, office communication and exchanges between politicians and journalists. While encryption protects message content from interception at the network or server level, the takeover of individual accounts undermines those protections by allowing attackers to read messages directly. Officials warn that beyond content, metadata such as who communicates with whom and how frequently is a valuable intelligence target that can be exploited for strategic insights.
Uncertainty over scale and calls for clearer responsibilities
Authorities estimate a three-digit number of affected accounts in Germany, but the true scope remains uncertain because many victims may not yet realize they were compromised. The BfV has recommended that party leaderships work with IT teams to verify and tighten security measures, while members of parliament have called for a thorough after-action review to trace information flows between agencies. Some lawmakers argue for structural reforms and clearer federal authority for cyber defense to streamline responses to cross-cutting incidents.
The federal prosecutor’s office confirmed it launched an inquiry in mid-February 2026 on suspicion of espionage, and security services continue to investigate who is behind the campaign and how long eavesdropping persisted in each case. In the meantime, parties and offices are being urged to change affected credentials, enable available protections such as disappearing messages, and conduct comprehensive audits of messenger use to limit further exposure.