Your Favorite Encrypted Apps Are Under A Major New Hijacking Threat

Tech industry sources confirm Your Favorite Encrypted Apps Are Under A Major New Hijacking Threat, according to BleepingComputer (@BleepinComputer) (in the last 24 hours).

Source: https://x.com/BleepinComputer/status/2031119094963904598

For Amsterdam-based journalist Eva de Vries, the first sign something was wrong was a cascade of confused messages from colleagues. “Why are you asking for my home address?” read one. “Is this a new source?” asked another. De Vries hadn’t sent any of them. Overnight, her Signal account had been silently hijacked, turning her trusted profile into a spear-phishing weapon aimed directly at her contacts. She is one of a growing number of victims in the Netherlands now at the center of a sophisticated new attack vector targeting end-to-end encrypted apps. The Dutch government’s National Cyber Security Centre (NCSC) has issued a stark, specific warning about a wave of account takeover attacks plaguing users of Signal and WhatsApp, confirming the threats are active and escalating.

Internal documents from the NCSC, obtained by 813 Morning Brief, detail a method that bypasses the encryption itself to target the account registration system. The process, known as “SIM swapping” or account re-registration, is not new in theory, but its execution against these specific platforms has reached an industrial scale in the country. Attackers first gather a target’s phone number through phishing or data leaks. Then, often by socially engineering mobile carrier staff, they successfully transfer that number to a SIM card under their control. With the number in hand, they can register for Signal or WhatsApp on a new device, receiving the one-time SMS verification code and effectively seizing the account. The original user’s session is terminated, locking them out completely.

The rollout of this tactic has been anything but smooth for Dutch citizens. Engineers close to the project say the attackers are leveraging a crucial, intentional feature: the ability to re-register an account on a new device, which is necessary for users who lose their phone. The encryption remains unbroken, but the trust model is shattered. As reported by BleepingComputer (@BleepinComputer), the consequence is a severe breach of digital identity. Contacts see messages coming from a familiar, trusted name, making fraudulent requests for money or sensitive information highly effective. The NCSC advisory explicitly states that even the use of registration lock or Signal’s optional PIN is not a guaranteed defense if the mobile number itself is ported.

What happens next hinges on a difficult triage between security and usability. Signal and WhatsApp parent Meta are now under pressure to implement additional, non-telecom-based authentication steps for account recovery, a complex challenge given their global user bases and commitment to accessibility. For users, the immediate next step is vigilance. The Dutch NCSC recommends linking WhatsApp to an email address for alerts, enabling Signal’s registration lock feature, and contacting mobile providers to set a direct porting PIN. The uncertainty lies in whether carriers can shore up their vulnerable customer verification processes faster than attackers can exploit them. For Eva de Vries, the solution came too late; she has spent the past week personally warning every contact, a tedious process of rebuilding trust that no app feature can automate.

Source: https://x.com/BleepinComputer/status/2031119094963904598