Dutch intel warns governments off Signal and WhatsApp

Dutch intelligence services AIVD and MIVD say a large-scale Russian-linked campaign is hijacking Signal and WhatsApp accounts using six-digit verification codes and device-linking features. The services warned these consumer apps "should not be used as channels" for official communication, after similar alerts from Germany’s BfV and BSI, and Australia’s conclusion in March 2025 that consumer messengers expose sensitive data, according to multiple reports including Element Blog and The Register.
Until now, many public sector teams leaned on WhatsApp or Signal for speed under the assumption that end-to-end encryption equaled safety. The new guidance makes a harder point. If the attacker becomes the endpoint through social engineering, encryption does not help.
This is not a crypto break, it is an account takeover problem
Attackers are impersonating support, tricking targets into sharing one-time codes, or abusing the apps’ device-linking features to silently add a second client. Once linked, messages flow to the attacker without tripping content protections. The Dutch services describe a sustained campaign targeting government employees, journalists, and military personnel. The vector is simple, scalable, and hard to detect inside consumer apps.
Element characterizes these tools as "insecure by design" for official use. You do not need to agree with the phrasing to see the operational gap. Consumer messengers prioritize virality and convenience, not organization-wide controls or rigorous identity binding. That trade-off is acceptable for family chats. It is reckless for state work.
Policy implications for EU buyers
This is, functionally, a policy decision by security authorities. When national services say not to use apps, procurement and risk teams must act. Acceptable use policies should be updated to prohibit consumer messengers for any official or sensitive thread, including crisis response and interactions with contractors. Training must shift from “do not click suspicious links” to a concrete rule: no verification codes, no device links, no exceptions.
Migration is the hard part. Moving away from WhatsApp or Signal introduces friction, new apps, and account management. That is the price of control. EU teams have viable options that align with data sovereignty goals, including Element, Wire, and Threema. Each requires rollout planning, onboarding, and policy tuning. The upside is clear accountability over identities, devices, and retention, which consumer apps do not provide to institutions.
The real question is timing. Germany has already raised flags. The Netherlands raised them again on Monday. If you handle public sector communications or critical infrastructure coordination, treating this as a Q2 task is a safer bet than waiting for a local breach.
Why This Matters
If your department or supplier network still runs official chats on WhatsApp or Signal, you now carry a documented takeover risk. Move sensitive threads to an EU-controlled platform like Element or Wire, and write policy that bans device linking and code sharing for work accounts. For municipal IT or emergency services, this is not theoretical. It is the difference between controlling an incident channel and briefing an adversary in real time.