
April 22, 2026: One Headline, Three Laws. What Really Shipped in the Klöckner Hack Package

Medienkritik - This article is part of a series.

What Actually Happened on April 22, 2026

On Wednesday, April 22, 2026, an unusually dense sequence of security- and surveillance-policy events moved in parallel through Germany and Brussels:

  1. Federal Cabinet, morning: Adoption of a new bill for suspicionless retention of IP addresses for three months — Germany’s third attempt after both the Federal Constitutional Court and the European Court of Justice had struck down two earlier versions. The new version explicitly extends access beyond criminal prosecution to the domestic intelligence service (Verfassungsschutz), customs, and tax authorities. Lead ministers: Justice Minister Stefanie Hubig (SPD) and Interior Minister Alexander Dobrindt (CSU).[1]

  2. Federal Ministry of Defence, same day: Defence Minister Boris Pistorius (SPD) presented the “Strategy for National and Alliance Defence” — the Federal Republic’s first formal military strategy. It designates Russia as the “primary threat” and projects Bundeswehr growth to 460,000 personnel.[2]

  3. EU Council, same day: Formal adoption of the 20th Russia sanctions package (energy, military-industrial complex, crypto, additional financial institutions) plus a €90 billion Ukraine loan and preparation for opening Accession Cluster 1 “Fundamentals”.[3]

  4. Spiegel exclusive, same day: The Signal account of Bundestag President Julia Klöckner (CDU) had been compromised via a phishing campaign. The CDU executive-committee chat with Chancellor Friedrich Merz was affected. BfV: “alarm”. Attribution: “Russia”.[4]

Four events, one day, one narrative. The first three are political decisions with consequences running into years. The fourth is a headline that rhetorically delivers exactly the threat picture against which the first three require little further explanation.

This is not a conspiracy. It is timing — and in politics, timing is not coincidence, it is craft.

Two Legs — One Holds, One Wobbles

The Klöckner story rests on two separate levels that appear in reporting as one:

Level 1 — the campaign is real. Russia-aligned actors have been running a phishing campaign against Signal users since at least 2025. Google Threat Intelligence Group (GTIG, formerly Mandiant) published its report “Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger” on February 19, 2025, with concrete technical details, indicators, and cluster attributions (UNC5792, UNC4221, APT44/Sandworm).[5] The method is not a break of Signal’s encryption. It abuses the legitimate “Linked Device” feature: the target scans a QR code or hands over a verification PIN at the request of an alleged “Signal support” — and the attacker gains a second linked device that reads all incoming messages. Zero-day, CVE, protocol flaw: none of the above. It is social engineering against a documented feature.

Level 2 — the specific Klöckner attribution is thin. The Spiegel report rests on anonymous “security circles” and the 20-page BfV warning of April 17, 2026.[6] The publicly accessible portion of that warning does not name a specific actor but speaks of a “likely state-directed cyber actor”.[7] The attribution to APT28/Fancy Bear/GRU Unit 26165 appears in the Spiegel text and follow-up press rhetorically — through references to the 2015 Bundestag hack, the 2023 SPD hack, the 2024 DFS hack — not through published forensic indicators that would link Klöckner’s concrete case to GTIG infrastructure. The 20 pages of BfV material are not public. Nobody outside Spiegel has seen them.

The global campaign is documented; whether Klöckner is concretely affected is not publicly established — no forensic artefact, no IoC link to her account, no independent second source besides the Spiegel report. The CDU spokesperson only confirmed to Spiegel an “affected chat group” — that is something different from “the President’s account was compromised”. That is the point at which honest reporting would pause and ask.

The German Tech Press Did Not Ask

On April 23 and 24, 2026, we systematically checked which German trade publications had done their own reporting on the Klöckner story. The result is sobering:

| Publication | Own reporting | Spiegel/AFP echo | GTIG Report Feb 2025 mentioned? |
|---|---|---|---|
| heise online (Apr 23) | no | yes | no |
| netzpolitik.org (Apr 23) | minimal (journalist victims) | mostly | no |
| ZDFheute (AFP, Apr 23) | no | yes | no |
| Tagesspiegel (AFP, Apr 22) | no | yes | no |
| golem.de | not found | | |
| iX, c’t, t3n, Wirtschaftswoche | not found | | |
| Tagesschau/ARD | not found | | |
| FAZ, SZ, Zeit, TAZ | not found | | |

Fourteen months after the Google/Mandiant report that had laid out the exact linked-device phishing methodology with indicators and cluster attributions, not a single German trade outlet references this report in its Klöckner coverage. No one asks: does the BfV attribution match the GTIG clusters, or is another operation running? No one asks: why did it take twelve months from the Google notice to the first BSI/BfV warning in Germany, and fourteen to Klöckner’s case? No one asks: why is a Bundestag President using a consumer Signal account on a consumer device at all for communication with the Chancellor in a party executive-committee chat?

Instead: wire journalism. Spiegel has the exclusive. AFP turns it into a news ticker. Tagesspiegel, ZDFheute, heise, Berliner Zeitung adopt it with minimal rewording. A 20-page BfV analysis that could probably answer precisely those questions remains sealed — the content flows selectively into a magazine with a clearly identifiable intelligence-service briefing relationship.

The pattern is not new. The 2023 SPD hack: Spiegel was the outlet. The 2024 DFS air-traffic-control incident: Spiegel was the outlet. The 2024 Bundeswehr Taurus WebEx wiretap: technically the Spiegel group — although there the material came from a Russian source and Spiegel provided verification. German intelligence-service leaks about high-profile cyber incidents have in recent years effectively always gone through the same channel. This is not an indictment of individual editors; it is a structural observation about distribution architecture.

And the pattern is not limited to cyber incidents. On March 19, 2026, the same publisher released the cover story “You virtually raped me” about Collien Ulmen-Fernandes and her ex-husband Christian Ulmen — on the same day on which Ulmen’s lawyer Christian Schertz sent his press-law notification letter.[8] Within 72 hours, political demands for tougher “digital violence” laws, a ready-made Campact campaign, Tagesthemen TV appearances and a scheduled protest followed. The 2013 context of the Ulmen TV show “Who wants to f*ck my girlfriend”, which Spiegel itself had framed back then as a cultural phenomenon, was absent from the 2026 cover story entirely.[9] The victim’s own self-correction — “I was better off before I filed the complaint” — was delivered a month later by the Süddeutsche Zeitung in an interview, not by the publisher that ran the cover story.[10] By then the legislative agenda was long since set.

A publisher whose editorial diligence most recently showed itself like this — coordinated cover-story timing, suppressed background context, outsourced self-correction — is the same publisher on whose anonymous “security circles” we are now supposed to ground a national data retention debate. Nobody has to allege malice; it is in the archives.

The Historical Echo: 2015

There is one cleanly documented precedent for the combination “Bundestag hack headline plus data retention decision”:

May 2015: Hack of the Bundestag network. Attribution APT28/GRU, later reinforced by a BKA arrest warrant for Dmitriy Badin (May 2020). The attribution has not been revised.

May 27, 2015: Three weeks after the hack became public, the cabinet adopted the new data retention law. Digitale Gesellschaft at the time called the procedure “overrun tactics”.[11]

October 16, 2015: Bundestag passes the data retention law, later struck down by the ECJ.

Three weeks in 2015. Same day in 2026. That is an acceleration of the pattern, not a break.

Important: this pattern is not universal. In the 2024 Taurus wiretap case — also a high-resonance Russia-cyber event — no immediate surveillance-legislation push followed.[12] The debate focused on arms exports (Taurus delivery) and service misconduct. Correlation between a Russia headline and a data-retention push is therefore not automatic — but it now appears for the second time, and the second time the timing is no longer “in the weeks after”, but “on the same morning”. That is a fact a reporter can note without risking conspiracy allegations.

What Else Is in the Pipeline

The April 22 data-retention bill was not a one-off. It sits in a pipeline that produces a clear situational picture:

  • BND Act amendment (ministerial draft January 12, 2026): bulk content analysis of international telecommunications, six-month retention, active hacking authorities including covert residential break-ins to plant state trojans, expansion of DE-CIX internet-exchange access.[13]

  • Cybersecurity Enhancement Act (Interior Ministry draft February 25, 2026): offensive “Active Cyber Defence” authorities for BKA/BSI/Federal Police, including shutting down, redirecting, and deleting third-party systems; DNS-redirection orders to registrars.[14]

  • National Chat Control: after the EU Chat Control failure in March 2026, Chancellor Merz announced a national implementation.

  • Federal Police state-trojan draft law: consultation in the current quarter.

A package. Four building blocks for expanding state authorities in the digital space. One headline demonstrating the threat. One day.

The Real Story Nobody Writes

The Klöckner story does contain a tangible scandal — it just doesn’t sit where the Spiegel framing places it. The actual scandal is the operational security failure at the highest level of the state:

  • A Bundestag President conducts security-relevant communication on a consumer messenger (Signal, US-operated, not a government system approved by the BSI).
  • The communication apparently runs on a consumer device, not on an officially segregated phone with hardware-level protection.
  • There are apparently no hardware tokens (FIDO2 keys, YubiKey, etc.) in use that would structurally neutralize phishing PINs.
  • The CDU executive-committee chat with the Chancellor runs in the same system.

And then the half-sentence that appears in the Spiegel report as reassurance and is in truth the second scandal: “An examination of his smartphone, unlike Bundestag President Klöckner’s, apparently revealed no anomalies.” BfV staff went to the Chancellor and searched his smartphone for Signal compromises. That is the unspoken confirmation: Friedrich Merz too uses consumer Signal on a consumer device for CDU executive-committee communication. Were he on an officially segregated BSI crypto-phone with a government-approved messenger, that device would not be the obvious search object for a Signal phishing investigation. The story is therefore not just about the Bundestag President. It is about the Chancellor who uses the same system for the same communication — and whose examination “this time” turned up nothing. This time. In reporting, this finding does not appear as an OpSec scandal in its own right. It appears as a soothing footnote.

This practice has grown over years. The warnings are old. BSI and BfV have published guides — the most recent on April 17, 2026, one week before the Klöckner incident.[15] Their implementation in the highest political bodies is what deserves forensic and parliamentary scrutiny. Instead what arrives is: “Russia did it, we need more authorities.”

That is the structural displacement embedded in this story: a failure of state OpSec practice is redrafted into a justification for expanding state OpSec authority. Those who could not secure the device are now to be granted access to citizens’ IP addresses. Those who did not prevent the phishing are now to be allowed to break into homes covertly to plant state trojans. The causal link is denied rhetorically, but the framing implies it.

What Isn’t True — But Is Circulating Anyway

A note for readers continuing their own research on this story: while verifying the factual basis we repeatedly encountered hallucinated details that do not exist in reputable sources and trace back to AI-generated content-farm texts:

  • An alleged “CVE-2026-27491” as a “Signal WebSocket zero-day” — the CVE is real, but it affects Discourse, not Signal.[16] The Signal link is a fabrication by the site archyde.com.
  • An alleged forensic analysis by the Chaos Computer Club in the Klöckner case — the CCC has published nothing on this.
  • An alleged statement by Meredith Whittaker (Signal Foundation) about a “sandboxed Rust-based UI framework” — not locatable.
  • An alleged Signal Desktop 6.40.0 patch in response — not locatable.

These phantoms circulate. Citing them means citing hallucination.

Conclusion: Who Wins, Who Loses

The global phishing campaign is documented — through the Google GTIG report of February 2025, with indicators and cluster attributions. Whether Klöckner’s Signal account was concretely compromised has to this day not been independently confirmed. It is the claim of a publisher resting on anonymous “security circles” and a confidential BfV memo that only they have seen. The CDU spokesperson confirmed, at Spiegel’s request, a “chat group with executive-committee members affected” — not Klöckner’s account, not the scope, not the timeframe, not even whether the President herself was active in that chat group. No public IoCs, no forensics, no independent second source. None of that makes the staging that was built from this unverified claim on cabinet day any less staged.

On April 22, 2026, a publisher with a demonstrable supply relationship to German intelligence services delivered a headline that fit precisely with a cabinet decision on legislation that the Federal Constitutional Court and the ECJ had already struck down twice. Nobody outside Spiegel has seen the 20 pages of BfV material. Nobody has independently verified the attribution. Nobody in the German trade press has even referenced the Google report that has been public for 14 months. The question is not whether this is coincidence — the question is why this structure has worked through the same cascade since 2015 and nobody calls it by its name.

Winners: BfV, BND, BKA, BSI — expanded authorities, larger budgets, more access. The Interior Ministry, which receives a legislative tailwind it could not have generated by ordinary policy means. The Spiegel publishing group — as primary distributor of state situational awareness against promises of source anonymity, without any duty to verify. The security-policy realignment, which receives its rhetorical cover precisely on the day of its unveiling.

Losers: Every holder of a German IP address whose connection data will be retained without concrete suspicion for three months over the coming years. Every person whose home the BND will be allowed to enter covertly to plant a state trojan. Every journalist who contacts sources over DE-CIX. Every digital communication relationship that will fall under national chat control once it is pushed through.

And the Bundestag President — about whose concrete compromise pathway nothing solid is known, but who according to Spiegel’s account supposedly handed out a phishing PIN — keeps her consumer Signal installation on a consumer device. No hardware token, no security-audit mandate for the CDU executive committee, no parliamentary report on Bundestag OpSec. The alleged failure is not addressed. The authorities are.

This is not bread and circuses. It is a division of labour. A publisher supplies the stage. A coalition supplies the laws. An apparatus receives the tools. Each step is individually traceable and individually deniable. The sum of the steps is what nobody names.

We do.


Sources


  1. Federal Government of Germany, “Cabinet adopts suspicionless retention of IP addresses”, April 22, 2026 — https://www.bundesregierung.de/breg-de/aktuelles/kabinett-ip-adressen-2422604

  2. Federal Ministry of Defence, “Strategy for National and Alliance Defence”, April 22, 2026 — https://www.bmvg.de/de/presse/strategie-zur-landes-und-buendnisverteidigung-6093690

  3. Council of the European Union, sanctions timeline — https://www.consilium.europa.eu/en/policies/sanctions-against-russia/timeline-sanctions-against-russia/ ; Euronews on the Zelensky speech April 23, 2026 — https://www.euronews.com/my-europe/2026/04/23/ukraine-needs-full-not-symbolic-membership-in-the-eu-zelenskyy-says

  4. Tagesspiegel/AFP, “Hacker attack on Bundestag President Klöckner’s mobile phone”, April 22, 2026 — https://www.tagesspiegel.de/politik/nachrichtendienste-vermuten-russland-dahinter-hackerangriff-auf-das-handy-von-bundestagsprasidentin-klockner-15512291.html ; ZDFheute/AFP, April 23, 2026 — https://www.zdfheute.de/politik/signal-hack-phishing-russland-spd-kloeckner-100.html

  5. Google Threat Intelligence Group, “Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger”, February 19, 2025 — https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger

  6. netzpolitik.org, “Attack on politics and journalism: Signal phishing against Julia Klöckner successful”, April 23, 2026 — https://netzpolitik.org/2026/attacke-auf-politik-und-journalismus-signal-phishing-gegen-julia-kloeckner-erfolgreich/

  7. BSI, “Phishing via Signal: BSI and BfV publish guide”, April 17, 2026 — https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldungen/2026/Leitfaden-Signal-Phishing_260417.html ; BfV short notice April 17, 2026 — https://www.verfassungsschutz.de/SharedDocs/kurzmeldungen/DE/2026/2026-04-17-bsi-sicherheitshinweis-signal.html

  8. See our own chronology: Fernandes/Ulmen — Cover story and lawyer’s letter on the same day

  9. Ibid. — section “What Spiegel knew in 2013”.

  10. SZ interview with Collien Ulmen-Fernandes, April 2026: “I was better off before I filed the complaint” — documented in Fernandes/Ulmen — Deepfakes, campaign, legislative push

  11. Digitale Gesellschaft, “Cabinet adopts data retention — overrun tactics”, May 27, 2015 — https://digitalegesellschaft.de/2015/05/kabinettsbeschluss-vds/ ; Wikipedia, “Cyberattacks on the German Bundestag” — https://de.wikipedia.org/wiki/Hackerangriffe_auf_den_Deutschen_Bundestag

  12. Wikipedia, “Taurus wiretap affair” — https://de.wikipedia.org/wiki/Taurus-Abh%C3%B6rfall

  13. netzpolitik.org, “Mass surveillance and hacking: BND to receive powerful new tools”, January 12, 2026 — https://netzpolitik.org/2026/massenueberwachung-und-hacking-der-bnd-soll-neue-maechtige-instrumente-bekommen/

  14. netzpolitik.org, “Draft law for strengthening cybersecurity — Dangerous offensive”, February 25, 2026 — https://netzpolitik.org/2026/gesetzentwurf-zur-staerkung-der-cybersicherheit-gefaehrliche-offensive/

  15. heise online, “Signal phishing warning — Trigger likely attack on Julia Klöckner”, April 23, 2026 — https://www.heise.de/en/news/Signal-phishing-warning-Trigger-likely-attack-on-Julia-Kloeckner-11268773.html

  16. NIST National Vulnerability Database, CVE-2026-27491 (affects Discourse, not Signal) — https://nvd.nist.gov/vuln/detail/CVE-2026-27491
