On May 18, 2026, Poland's Deputy Prime Minister and Minister of Digital Affairs Krzysztof Gawkowski signed an order instructing all public officials and entities within Poland's National Cybersecurity System (KSC) to abandon Signal and migrate to a domestically developed, state-controlled encrypted messenger. The framing was operational security: advanced persistent threat groups linked to hostile foreign intelligence services had been running phishing campaigns against Polish politicians, military staff, and civil servants, attempting to compromise their Signal accounts through social engineering: impersonating Signal support staff, sending fake security alerts, and requesting verification codes. The directive does not claim Signal's encryption is broken. It claims the threat model has shifted from network-layer attacks to account-level compromise, and therefore the solution is to replace an open-protocol tool with a closed, state-managed one.
The attacks are real. Poland's national Computer Security Incident Response Teams (CSIRTs) flagged phishing campaigns by APT groups linked to what officials believe are Russian-backed intelligence operations. But here is the critical detail: the attack vector (social engineering, account compromise, credential theft) is not unique to Signal. It is generic to any messaging platform where users can be tricked into revealing their authentication secrets. The fact that Poland's government has chosen to respond by replacing Signal with a state-controlled alternative, rather than by publishing technical indicators (IOCs, malware signatures, phishing domain lists) that would help defenders protect any messenger, reveals the actual priority: control over tools, not defense against threats.
The Polish government has not yet named the specific state-developed messenger or disclosed whether it has been independently audited. The directive references "a leading Polish research organization" as the developer but stops short of technical details, a pattern that mirrors other government encryption mandates: closed implementation, no external review, domestic origin treated as a proxy for trustworthiness. This matters because it removes interoperability. Signal uses the Signal Protocol, an open-source cryptographic standard that can be audited, ported, and validated independently. A government messenger, by contrast, becomes an island: users inside the KSC cannot communicate securely with journalists, activists, or international counterparts using non-state tools. The ecosystem fragments. The attack surface shrinks to a single point of failure: the state apparatus itself.
Poland's move arrives at a critical moment for the broader privacy infrastructure. The UK's Office of Communications (Ofcom) has been pressuring Signal over encryption compliance; Canada's Bill C-22 pushed Signal to threaten complete withdrawal from the country in May 2026, warning that mandated encryption backdoors could "allow hackers to exploit vulnerabilities engineered into electronic systems." What Poland has done is sidestep the backdoor fight entirely and simply exclude the open tool from an entire institutional tier. It is a more elegant maneuver, from a state control perspective: no legislative fight, no public encryption debate, just a cybersecurity directive framed as threat response.
Other EU governments are watching. Poland holds outsized influence in EU cybersecurity policy: it chairs sections of both NATO and EU cyber defense bodies. If Germany, France, or the Baltics issue similar directives over the next six months, the pattern will have become doctrine: open-protocol messaging apps are acceptable for general populations but not for state actors. That bifurcation undermines the entire premise of Freedom Tech infrastructure: that the same tools should protect journalists, dissidents, and officials equally. The moment governments carve out institutional exceptions, the market shrinks, funding dries up, and the tool becomes a ghetto for the powerless while the powerful retreat into closed systems.
Signal has not yet issued a public response. When it threatened to leave Canada, it did so through direct communication with the Canadian government and press statements. A similar response here could sharpen the debate: either Poland's CSIRTs disclose whether the attack is Signal-specific (in which case a patch or protocol upgrade might address it) or they admit it is generic phishing (in which case the real problem is user training, not the tool). Watch for that disclosure. Watch whether any EU state follows Poland's lead within six months. And watch Signal's response: whether it accepts the loss of institutional users as inevitable or whether it fights the precedent directly. The encryption math has not changed. But the politics just did.
