Cybersecurity: Threats and Defences
7 Jun, 10:08 UTC

Signal, WhatsApp hit by three states

Russia's FSB, China's APT31 and Iran's IRGC are all running the same trade against journalists, lawyers and politicians. NCSC and Dutch AIVD advised passkeys plus a device audit.

Key takeaway

Three state services converging on the same civil-society vector makes messaging-app compromise a standard intelligence technique.

The UK National Cyber Security Centre (NCSC) and the Dutch General Intelligence and Security Service (AIVD) issued joint advisories on 31 March and 9 March 2026 warning that state-linked actors are targeting the Signal, WhatsApp and Facebook Messenger accounts of politicians, journalists, academics and lawyers using malicious QR codes and contact impersonation [1]. The named clusters span three adversary states: Russia's Federal Security Service (FSB) running the operation known as Star Blizzard, China's APT31, and the Iranian Islamic Revolutionary Guard Corps (IRGC). A QR code linked in a message and scanned on a phone can add an attacker's device as a linked Signal or WhatsApp session; contact impersonation, through a spoofed voice or a typed identity, is what persuades the target to scan that QR code in the first place.

Three unrelated services arriving at the same attack vector is a tradecraft signal. Messaging apps have become the collection target because they now sit outside the corporate email perimeter where most monitoring lives. A journalist's Signal conversations with a source, a barrister's WhatsApp group with a client, a member of parliament's encrypted chat with a constituent: all carry the material that traditional lawful intercept once got from telephone taps. The mitigation both agencies recommend, passkeys plus a device audit of every linked session, is specific and actionable in a way that generic state-threat advisories rarely are. A passkey is a cryptographic key bound to the user's device that replaces the password and cannot be phished; device audits on Signal and WhatsApp are done from the app's own "linked devices" menu.

Deep Analysis

In plain English

Signal and WhatsApp allow you to use your account on more than one device. If you get a new phone, for example, you scan a QR code to link it. This is a legitimate feature. Russian, Chinese, and Iranian intelligence services have been exploiting this feature by tricking politicians, lawyers, journalists, and academics into scanning malicious QR codes, linking the attacker's device to the target's account. The victim keeps using their messaging apps normally while the attacker can also read all their messages in real time. The UK's NCSC and the Dutch intelligence service AIVD issued a joint warning about this. The recommended defences are switching to passkeys instead of passwords and regularly checking the list of linked devices in your Signal and WhatsApp settings to remove any you do not recognise.

Root Causes

Signal and WhatsApp's legitimate multi-device feature allows a user to scan a QR code displayed by any additional device to link it as an authorised second client. Both platforms implemented this to compete with iMessage and other multi-device ecosystems. The feature has no built-in alert mechanism that clearly distinguishes a legitimate second-device link from a malicious one; the notification sent to the primary device is easily missed.
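The linked-devices check the advisories recommend is a manual step in each app's settings. As an added example (not code from the NCSC, AIVD, Signal or WhatsApp), the routine below models that check as a repeatable audit over a list of linked sessions: anything not on the owner's own allowlist is flagged first, since that is the shape a malicious QR link takes; an allowlisted label linked inside the recent window is flagged for confirmation, because the label is chosen by whoever performs the link; and long-idle sessions are flagged for removal. The device records, field names and allowlist are constructed sample data and assumptions, not either app's API or export format.

```python
"""Linked-device audit for a multi-device messenger account.

Added example (not from the NCSC/AIVD advisory or either app's code): it
models the manual "linked devices" check the advisory recommends as a
repeatable routine. The device records and the allowlist below are
constructed sample data; the field names are assumptions, not any app's API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class LinkedDevice:
    device_id: int          # 1 is the primary phone in this model (assumption)
    name: str               # label shown in the app's linked-devices list
    linked_at: datetime     # when the QR link was completed
    last_seen: datetime     # last time the session fetched messages


def audit_linked_devices(devices, allowlist, now, recent=timedelta(days=14),
                         stale=timedelta(days=90)):
    """Return (finding, device_id) pairs, most severe first.

    unknown-device   : a session whose label is not on the owner's allowlist;
                       this is the shape a malicious QR link takes.
    recently-linked  : an allowlisted label linked inside the recent window;
                       the label is chosen by whoever links, so a fresh link
                       still needs confirming against a real device.
    stale-session    : an allowlisted device idle for a long time; unlinking it
                       shrinks the set of sessions that can read new messages.
    """
    findings = []
    for dev in devices:
        if dev.device_id == 1:
            continue  # the primary phone is not a linked session
        if dev.name not in allowlist:
            findings.append(("unknown-device", dev.device_id))
        elif now - dev.linked_at <= recent:
            findings.append(("recently-linked", dev.device_id))
        elif now - dev.last_seen >= stale:
            findings.append(("stale-session", dev.device_id))
    severity = {"unknown-device": 0, "recently-linked": 1, "stale-session": 2}
    return sorted(findings, key=lambda f: (severity[f[0]], f[1]))


# Constructed sample: one primary phone, one long-known laptop, one idle
# tablet, and one session linked three days ago under a label the owner
# never chose.
NOW = datetime(2026, 6, 7, 10, 8, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    LinkedDevice(1, "Phone", NOW - timedelta(days=400), NOW),
    LinkedDevice(2, "Work laptop", NOW - timedelta(days=200), NOW - timedelta(hours=3)),
    LinkedDevice(3, "Old tablet", NOW - timedelta(days=300), NOW - timedelta(days=120)),
    LinkedDevice(4, "Desktop", NOW - timedelta(days=3), NOW - timedelta(minutes=5)),
]
SAMPLE_ALLOWLIST = {"Phone", "Work laptop", "Old tablet"}


def run_sample():
    """Audit the constructed sample; returns the ordered findings."""
    return audit_linked_devices(SAMPLE_DEVICES, SAMPLE_ALLOWLIST, NOW)


if __name__ == "__main__":
    for finding, device_id in run_sample():
        print(f"{finding:16} device {device_id}")
```

On the sample data the unrecognised "Desktop" session is reported first and the idle tablet second; the laptop, known and recently active, produces nothing. Adding "Desktop" to the allowlist downgrades it from an unknown device to a recently-linked one, which is the case the missed primary-device notification leaves behind: the owner has to confirm that a real device of theirs was linked on that date.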

The target population that intelligence agencies are trying to protect (lawyers, journalists, politicians) is exactly the population least likely to have completed advanced security configuration (passkeys, linked-device auditing) on their personal messaging accounts, because their training is in their professional domain, not operational security.

What could happen next?
  • Risk

    Malicious QR-code device-linking requires no technical exploit and no zero-day purchase; it scales to any actor with social engineering capability, which means the threat extends well below the nation-state tier.

  • Consequence

    Signal and WhatsApp will face regulatory and civil-society pressure to implement more prominent linked-device notifications and audit logging following the NCSC-AIVD advisory, following the precedent of Apple's Lockdown Mode introduction after Pegasus exposure.

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

NCSC UK · 17 Apr 2026
Causes and effects

Three unrelated state services converging on the same civil-society attack vector suggests messaging-app compromise has become a standard intelligence-collection method.
Different Perspectives
Australian Cyber Security Centre (ACSC)

Australia accounted for 18 of 95 May ransomware victims, nearly 19 per cent of globally disclosed attacks against an economy of 0.3 per cent of global GDP. That concentration reflects end-of-life Windows Server concentration in healthcare, under-resourced national incident-response capacity, and time-zone isolation that slows vendor-assisted containment during peak attack windows.
Europol / international law enforcement

Operation Saffron's 27-country coordination set a new geographic breadth record for criminal-infrastructure seizure. The absence of an arrest alongside the server seizures limits durable impact: VPNLab.net and DoubleVPN precedents show gangs reconstitute on alternative hosts within two to four weeks.
UK Parliament (Cyber Security and Resilience Bill)

The Bill reaches Commons Report Stage on 10 June with penalties up to 4 per cent of global turnover. Qilin's NHS Synnovis attack in June 2024 and INC_RANSOM's Stuga Machinery posting on 5 June give the legislation a domestic evidence base connecting KEV-class exposure directly to UK CNI and supply-chain targeting.
German BSI / EU enterprise operator perspective

The 17-month lag between Oracle's January 2024 WebLogic patch and active exploitation confirms that CVSS 7.5 keeps a flaw below emergency-patch thresholds in most programmes, even when T3/IIOP exploitation is a documented recurring chain. BSI's T3/IIOP disablement guidance offers a network-layer mitigation that survives Oracle's quarterly patch cycle without requiring unscheduled downtime.
ENISA / EU cybersecurity regulator

NIS360's risk-zone designations for water and rail, following NCAF 2.0 in April, give member-state authorities a documented enforcement basis under NIS2. Fine ceilings at EUR 10 million cover essential entities; sub-threshold municipal water operators fall outside that scope, so designation without sector-level funding creates a perverse incentive to defer rather than remediate.
US federal CISO (FCEB agency)

Four staggered June deadlines covered WebLogic middleware, Linux containers, Android device fleets and Magento storefronts in a single fortnight, forcing triage that exposes whichever stack ranks lowest. CISA's proposed $707 million budget cut alongside this enforcement acceleration creates a direct credibility gap: the mandate grows while the capacity to sustain it shrinks.