Are Hackers Using Fake Signal Support Bots to Steal Your Account?
The Threat Landscape
State-sponsored actors, specifically Russian GRU agents, are executing targeted hijacking operations against WhatsApp and Signal users. This campaign primarily targets journalists, military personnel, and government officials. The Dutch intelligence service recently confirmed these operations targeting state employees. Hackers rely entirely on social engineering rather than exploiting technical vulnerabilities within the applications.
Fake Security Support Messages
Attackers send a direct message posing as a “Signal Security Support Chatbot.” They falsely warn the user about a potential data breach or suspicious account activity. The fraudulent bot then requests the user’s SMS verification code and personal PIN. Providing these details gives the attacker complete control over the account. The attacker quickly transfers the profile to an external phone number.
The victim eventually re-registers their original phone number. Because the local chat history remains visible on their device, the victim often assumes the account is secure. Meanwhile, the attacker silently monitors all incoming and outgoing messages.
Malicious Group Invitations
The second method uses malicious QR codes disguised as standard group chat invitations. Scanning this code automatically links the attacker’s device to the victim’s messaging account. The victim retains normal access to the application and rarely notices the intrusion. This linked-device feature allows continuous, undetected surveillance of private communications.
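A defensive check for the QR lure described above, added here as an example and not part of the original article: it classifies decoded QR text so that a code presented as a group invitation but decoding to a device-linking request is caught before anyone scans it in the app. The URI forms (`sgnl://linkdevice`, legacy `tsdevice:`, `signal.group`) and all function names are assumptions not stated in the article.

```python
from urllib.parse import urlsplit

# Assumed URI forms (not given on the page): a Signal device-linking QR code
# decodes to sgnl://linkdevice?... (legacy tsdevice:/?...), while a genuine
# group invitation is a signal.group link carrying the invite in its fragment.
LINK_HOST = "linkdevice"
GROUP_HOST = "signal.group"


def classify_qr_payload(payload: str) -> str:
    """Classify decoded QR text as 'device-link', 'group-invite' or 'unknown'."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower()
    except ValueError:
        return "unknown"
    scheme = parts.scheme.lower()

    if scheme == "tsdevice" or (scheme == "sgnl" and host == LINK_HOST):
        return "device-link"
    # Exact host match only: a lookalike host must not pass as an invitation.
    if scheme in ("https", "sgnl") and host == GROUP_HOST and parts.fragment:
        return "group-invite"
    return "unknown"


def matches_claim(payload: str, claimed: str = "group-invite") -> bool:
    """True only when the payload is what the sender said it was."""
    return classify_qr_payload(payload) == claimed


# Constructed sample payloads, not taken from any real campaign.
SAMPLES = [
    "https://signal.group/#CONSTRUCTED-INVITE",
    "sgnl://linkdevice?uuid=CONSTRUCTED&pub_key=CONSTRUCTED",
    "tsdevice:/?uuid=CONSTRUCTED&pub_key=CONSTRUCTED",
    "https://signal.group.example.net/#CONSTRUCTED",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = classify_qr_payload(sample)
        print(f"{verdict:13} claim-ok={matches_claim(sample)}  {sample}")
```

A payload that fails `matches_claim` should be reported rather than scanned, and the linked-devices list in the app's settings remains the place to confirm that no unexpected device is attached.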
The Architecture of the Threat
Cybersecurity expert Lukasz Olejnik emphasizes the permanent nature of these compromises. To protect user privacy, Signal has no central administration system. This decentralized structure prevents the company from remotely deactivating a compromised account. Attackers leverage this specific design choice to ensure long-term access. Once an account transfers to a hostile number, recovery is practically impossible.