Portugal's Intelligence Service Warns of Russian-Backed Hacking Campaign Targeting WhatsApp and Signal

Portugal's national intelligence service, the Serviço de Informações de Segurança (SIS), has issued a rare public warning about a global hacking campaign targeting the WhatsApp and Signal accounts of government officials, diplomats, military personnel, and civil society figures across Portugal and allied nations.

The alert, published on 11 March, marks an unusual step for an agency that rarely comments publicly on active intelligence threats. SIS said the campaign seeks to trick users "into sharing sensitive data, such as passwords" to gain access to private and group conversations as well as shared files.

Simple Tricks, Serious Consequences

The attack method is deceptively simple. Targets receive a message urging them to click a link or scan a QR code. Rather than breaking the apps' encryption, the link silently adds the attacker's device to the victim's account through the built-in "linked devices" feature available in both Signal and WhatsApp.

Once linked, the attacker can read all messages in real time while the victim continues using the app normally, with few obvious signs that anything is wrong. Verification codes, PINs, and device-linking functions are all exploited in variations of the attack.

SIS was careful to note that the attacks "do not mean that WhatsApp or Signal have been compromised." Instead, hackers are "exploiting potential careless use by individuals relying on the end-to-end encryption of the two applications" — suggesting that the apps' strong security reputation may itself be a vulnerability, lulling users into lower vigilance.

Dutch Intelligence Points to Russia

While SIS did not identify the responsible state, Dutch intelligence agencies were more direct. The AIVD and MIVD — the Netherlands' civilian and military intelligence services — separately confirmed a parallel global campaign and attributed it to Russian-backed hackers. The Dutch agencies said the hackers have "likely gained access to sensitive information."

Security researchers at Malwarebytes described the methods as "not technically sophisticated" and warned they "can easily be copied by non-state actors or ordinary cybercriminals." The campaign, the firm noted, "relies entirely on human behaviour."

How to Protect Yourself

The practical countermeasures are straightforward:

• Only scan QR codes or click device-linking prompts when you have initiated the process yourself from within the app's settings
• Treat any message asking you to "verify your device" or "secure your data" through an external link as a social-engineering lure
• Regularly review linked devices in both Signal and WhatsApp settings, and remove any device you don't recognise
• Watch for warning signs such as unusual group memberships, duplicate contacts, or entries showing "deleted account"

SIS said it issued the alert "to help the public prepare for cyberattacks," signalling that officials view the threat as extending well beyond government circles. With methods this accessible, the concern is not only that state actors are using them now, but that the playbook is already available to anyone willing to try.