BERLIN – Lawmakers from Germany’s Social Democratic Party (SPD) have been targeted in a series of sophisticated phishing attacks conducted via the Signal messaging app, exposing the persistent vulnerabilities of European political institutions to state-sponsored cyber espionage.
The breach represents a critical flashpoint in the ongoing “hybrid war” between Russia and the European Union, where the objective is often the infiltration of sensitive diplomatic channels rather than the wholesale destruction of digital infrastructure. As Western governments shift their most sensitive communications to end-to-end encrypted (E2EE) platforms, intelligence agencies have pivoted from attempting to break the encryption itself to exploiting the human element through social engineering.
“Based on what we know so far, a small number of parliamentarians from our faction have been affected by these attacks,” a party spokesman confirmed to the AFP news agency on Thursday, adding that the SPD was “working closely with the security services and supporting enquiries fully.”
The campaign appears to be part of a wider effort to map and compromise the communication networks of the German Bundestag. Security services in Germany and allied nations have issued warnings for several months regarding attempts to hijack Signal accounts belonging to diplomats, civil servants, journalists, and military personnel. These operations are widely believed to originate from Russian intelligence services.
“Hybrid attacks on parliamentary processes are a constant threat,” the SPD spokesman stated. “We are constantly adapting our security apparatus in order to permanently guarantee the integrity of our communications.”
Beyond the immediate targets, the episode raises questions about whether parties in the Bundestag are adequately enforcing internal security policies and federal guidelines for handling official communications. The Bundestag’s own IT rules, as well as recommendations from Germany’s Federal Office for Information Security (BSI), already urge parties and parliamentary groups to treat private messaging apps as potential weak links in the protection of legislative deliberations and constituent data.
Targeting the Political Core
The scope of the campaign suggests a strategic focus on high-level decision-makers and the informal channels through which real-time political bargaining often occurs. On Wednesday, Spiegel news magazine reported that Germany’s parliamentary speaker, Julia Klöckner, was among the targeted individuals. Klöckner is reportedly a member of several Signal groups containing senior Christian Democrat (CDU) politicians, including party chief and German Chancellor Friedrich Merz. While a spokesman for Klöckner would neither confirm nor deny the report, the targeting of such a central node in the parliamentary communication network indicates an attempt to gain broad visibility into inter-party coordination.
Because parliamentary speakers and party leaders sit at the intersection of committee work, coalition talks, and legislative scheduling, access to their private messaging channels could give foreign operatives early insight into Germany’s negotiating positions on European Union policy, defense commitments, and sanctions debates.
Despite the SPD’s confirmation, a wider admission of the breach across the Bundestag remains elusive. Spokespeople for the Green Party and the far-right Alternative for Germany (AfD) stated they were unaware of any incidents, while the CDU and the Left Party declined to comment.
This fragmentation in reporting is common in cyber-espionage cases, where political entities often hesitate to acknowledge compromises to avoid signaling weakness or admitting to the use of non-government-sanctioned communication tools for official business. It also complicates the work of cybersecurity authorities, who rely on timely disclosure to trace attack patterns and recommend countermeasures across all parliamentary groups.
The Mechanics of Social Engineering
The attacks did not involve a technical exploit of Signal’s underlying protocol. Instead, the attackers employed phishing-a method of deceiving users into voluntarily relinquishing access to their accounts, typically by exploiting trust in familiar workflows and contacts.
The tactics identified in these incidents include:
- PIN Theft: Tricking users into revealing their account registration PINs through fraudulent prompts that appear to come from the service provider or an internal IT desk.
- Device Linking: Inducing users to scan a malicious QR code, which allows the attacker to link the victim’s account to a secondary device controlled by the operative, silently mirroring all future communications.
- Impersonation: Mimicking official support or trusted contacts, often with spoofed profile pictures and names, to create a sense of urgency and pressure targets into bypassing normal verification steps.
Signal, a non-profit organization favored by politicians for its minimal metadata collection and robust encryption, has emphasized that its security architecture remains intact. The platform maintains that its support staff will never contact users via in-app messaging, SMS, or social media, nor will they request confirmation codes or PINs.
“The best defense against phishing attempts is ‘user alertness,'” Signal stated regarding the ongoing threats.
The German government has sought to codify such basic hygiene in its own rules for digital security. The BSI’s binding rules for federal IT security, laid out under the authority of the Federal Office for Information Security Act, require agencies to train staff on social-engineering risks and to use strong authentication mechanisms for sensitive systems. While members of parliament occupy a special constitutional status and are not strictly part of the federal administration, the same principles apply to their staff and party infrastructure.
The Strategic Shift to Endpoints
The targeting of Signal users underscores a broader trend in global cyber warfare. Because E2EE ensures that messages are encrypted from the sender to the receiver, intercepting data “in flight” is virtually impossible for most intelligence agencies. Consequently, state actors have shifted their focus to “endpoint compromise”-the phones, laptops, and identities of the people using these apps.
By gaining access to the device or the account credentials themselves, attackers can read messages in plain text before they are encrypted or after they are decrypted on the recipient’s screen. For Russian operatives, gaining access to a single high-ranking official’s Signal account can provide a window into the private deliberations of an entire governing coalition, including early drafts of legislation, negotiating mandates ahead of EU Council meetings, and internal polling data that shape policy timing.
The German Federal Office for Information Security (BSI) has repeatedly urged government employees to utilize only certified, government-approved communication tools, yet the agility and privacy of apps like Signal continue to make them the preferred choice for the political class. The Social Democrats themselves emphasize internal digital security on their official channels, including guidance for staff and members on secure communication and data handling.
On its service pages, the party frames such measures as part of “making society together,” underscoring that digital resilience is now embedded in its organizational culture.
[SPD Service]
German security services continue to monitor the situation as part of a larger effort to harden the state’s digital defenses against foreign interference. For lawmakers, the episode is likely to intensify debates over whether informal encrypted messaging can still be tolerated for sensitive political work-or whether the Bundestag must move more decisively toward secure, state-managed platforms that trade convenience for institutional control.
Related reading
