A nation-state-attributed phishing campaign exploited Signal’s legitimate linked-device feature to gain persistent read access to the encrypted communications of German government officials, including the Bundestag President, with hundreds of government accounts reportedly affected. No CVE exists and no cryptographic flaw in Signal was exploited; the attack vector is entirely social engineering and procedural. Remediation requires a manual per-account device audit, not a software patch.