Signal Backup Phishing Campaign Targets Recovery Keys to Unlock Old Chats


Hackers are targeting Signal users in a new phishing campaign designed to steal recovery keys for encrypted chat backups, raising concerns for activists, journalists, dissidents, and other high-risk users who rely on the messaging app for secure communication.

Attackers are trying to steal Signal users’ chat backups by pretending to be the app’s support team.

Hackers pretend to be Signal Support

The attack works by exploiting trust in Signal’s name.

TechCrunch reported that Washington Post analyst Josh Rogin posted a screenshot of a message in which hackers pretended to be Signal’s support team and warned that the target’s backed-up chats and media were at risk of permanent loss due to a sync issue.

The fake message told the target to share the recovery key used to access online backups, claiming that doing so would link the existing backup to the account. The message appeared to come from an account called Signal Support, but was actually part of a phishing attempt.

Rogin warned users not to follow the instructions and said several anti-Chinese Communist Party activists had received the same malicious message.

Access Now saw similar messages

The campaign may be broader than one activist community.

Mohammed Al-Maskati, director at Access Now’s Digital Security Helpline, said two people had shared similar messages with him. Al-Maskati said the two people were not Chinese activists, suggesting that the campaign may be targeting other communities or that different groups of hackers are using the same strategy.

AI Weekly also highlighted that two separate victims submitted near-identical phishing messages, describing the operation as coordinated rather than opportunistic.

The exact impact remains unclear. Al-Maskati said stealing a victim’s recovery key is only one step in the attack because hackers would still need to take over the victim’s account.

Why backup keys matter

The phishing campaign is dangerous because it targets old messages, not only active accounts.

Previous campaigns against Signal users often tried to hijack accounts and impersonate victims, but those attacks did not give hackers access to older messages because Signal does not transfer past chats to a newly registered device.

This campaign is different because a backup recovery key can unlock a user’s online backup archive and, with it, the full encrypted message history. If the key is stolen and successfully used, years of past conversations could be exposed.

Signal launched Secure Backups last year as an opt-in feature that lets users upload account contents to Signal’s servers in encrypted form. The backups are encrypted with a recovery key that Signal says is never shared with its servers and never leaves the user’s device.

Signal says that without the unique recovery key, no one, including Signal, can read, decrypt, or restore data in a Secure Backup Archive.

Signal says it will not ask for recovery keys

Users have a simple way to identify the scam.

Signal says it will never contact users first and will never ask for a registration code, PIN, or recovery key. That means any message claiming to be from Signal Support and asking for a recovery key should be treated as malicious.

Signal has also publicly warned about this type of attack before. The organization warned users last month about fake Signal support messages.

Signal did not respond to a request for comment.

Phishing bypasses encryption by targeting users

The campaign shows a familiar problem in secure messaging: attackers may not need to break encryption if they can trick users into handing over the keys.

Signal’s end-to-end encryption is designed to protect conversations from outsiders, but phishing attacks go around that technical protection by manipulating the person using the app. For high-risk users, including journalists, activists, dissidents, and human rights workers, a stolen recovery key could expose old conversations, documents, photos, and sensitive contacts.

The safest response is to ignore any message asking for a Signal PIN, registration code, or recovery key. Users should also store recovery keys securely, use Registration Lock, and treat unsolicited support messages as suspicious.

For Signal users, the lesson is clear: encryption protects the message, but the recovery key protects the archive. Once that key is shared with the wrong person, the strongest encryption cannot undo the mistake.
