Portugal's Spy Agency Issues Rare Warning on WhatsApp and Signal Hacking Campaign

Portugal's national intelligence service issued a rare public warning on Wednesday that foreign state-backed hackers have launched a global campaign to seize control of government officials' WhatsApp and Signal accounts. The alert from the Serviço de Informações de Segurança (SIS) is notable not just for its content, but for the fact that it was made public at all — the agency seldom issues open statements on active intelligence threats.

The campaign targets "government officials, diplomats, military personnel, and civil society members with access to privileged information from Portugal and allied countries," SIS said. But while the warning was directed at high-value targets, the underlying technique is simple enough to threaten anyone who uses these widely adopted messaging platforms.

How the Attack Works

The method is deceptively straightforward. Attackers trick targets into clicking a link or scanning a QR code that silently adds the attacker's device to the victim's account through the "linked devices" feature built into both Signal and WhatsApp. Once connected, the attacker can read messages in real time. The victim continues using their account normally, with few obvious signs that anything is wrong.

SIS was careful to stress that "the attacks do not mean that WhatsApp or Signal have been compromised." The encryption remains intact. What the hackers exploit is human behaviour — the tendency to trust a message that appears urgent or official, the assumption that end-to-end encryption makes the platform inherently safe. As SIS put it, the attackers are "exploiting potential careless use by individuals relying on the end-to-end encryption of the two applications."

In other words, the apps' strong security reputation may itself be the vulnerability, lulling users into lower vigilance.

Russian Attribution

SIS did not publicly identify which foreign state is behind the campaign. Dutch intelligence agencies were less guarded. The AIVD and MIVD, the Netherlands' civilian and military intelligence services, confirmed a parallel global campaign and attributed it to Russian-backed hackers. Security researchers at Malwarebytes, who reported the Dutch findings a day before the SIS statement, described the methods as "not technically sophisticated" and warned they "can easily be copied by non-state actors or ordinary cybercriminals."

That last point is critical. What begins as a state-sponsored operation targeting diplomats can quickly become a template for garden-variety fraud. The technique requires no specialised tools, no zero-day exploits, no deep technical knowledge — just a convincing message and a moment of inattention from the target.

What You Should Do

The countermeasures are equally low-tech. Never scan a QR code or click a device-linking prompt unless you initiated the process yourself from within the app's settings. Any message asking you to "verify your device" or "secure your data" through an external link should be treated as a lure. Both Signal and WhatsApp allow users to review all linked devices in their account settings; checking regularly and removing unrecognised devices is a basic but effective defence.

Unusual group memberships, duplicate contacts, or entries showing "deleted account" may also indicate that an account has been compromised.

Portugal's large and growing community of foreign residents — many of whom rely heavily on WhatsApp for everything from coordinating with landlords to communicating with government services — should pay particular attention. The same platform that makes daily life manageable as a newcomer is also the one being exploited.

SIS said it issued the alert in part "to help the public prepare for cyberattacks," a framing that acknowledges the threat extends well beyond diplomatic circles. In an era when messaging apps have become essential infrastructure for personal and professional life, the distinction between a government target and an ordinary user is thinner than most people realise.