German domestic security agencies issued an advisory about a sophisticated, state‑sponsored phishing campaign that hijacks Signal accounts without malware by abusing account recovery and device‑linking flows. Authorities warned the low‑barrier technique targets diplomatic, military and media figures across Europe and urged tightening of multi‑factor safeguards.

German domestic security agencies jointly warned on Feb. 7, 2026 about a sophisticated phishing campaign attributed to a state‑sponsored actor that compromises Signal accounts without deploying malware. According to the advisory, attackers exploit legitimate account‑recovery and device‑linking processes—using social engineering and intercepted one‑time codes—to add devices or re-register accounts, enabling account takeover and covert surveillance. The tactic reportedly requires relatively low technical sophistication but careful operational tradecraft, and it has been used against diplomatic, military, and media targets across Europe. Agencies emphasized that standard device‑level protections alone may not prevent these flows if recovery channels and secondary MFA methods are weak or exposed. The advisory recommends that high‑value individuals and organizations strengthen device verification, adopt hardware-based multi‑factor authentication where supported, restrict account recovery options, and verify linked devices through out‑of‑band channels. Authorities also advised incident reporting and coordinated investigations to trace infrastructure and contain further abuse, and they highlighted the evolving threat landscape as encrypted messaging platforms remain attractive targets for state and criminal actors seeking covert access to communications.