Hackers Launch Phishing Campaign Targeting Signal Users' Encrypted Backups

Hackers are targeting Signal users with a new phishing campaign designed to steal their chat backups, according to research shared by Washington Post analyst Josh Rogin and security experts at Access Now. The attackers impersonate Signal's support team, sending fraudulent messages claiming that users' backed-up chats and media are "at risk of permanent loss due to a sync issue." The phishing messages instruct recipients to share their recovery keys—the credentials needed to access encrypted online backups—with the attackers, warning that "failure to do this may result in losing access to your account and all stored data."

The campaign has targeted multiple groups, including anti-Chinese Communist Party activists and other communities, suggesting either a widespread operation or multiple hacking groups employing the same strategy. Mohammed Al-Maskati, director of Access Now's Digital Security Helpline, confirmed that at least two people unaffiliated with Chinese activism have reported receiving similar malicious messages, indicating the attacks may have broader scope than initially apparent.

This phishing approach represents a new variation on recent Signal-targeting attacks. While previous campaigns attempted to hijack accounts directly to impersonate users, this strategy specifically targets backup recovery keys. Accessing these keys is a crucial intermediate step for attackers seeking to view victims' historical messages, photos, and documents—data that would not be available to someone who simply re-registered the victim's account on a new device. Signal's Secure Backups feature, launched last year, encrypts all account contents with a recovery key that the company states never reaches its servers and never leaves users' devices.

Signal has explicitly warned users that the company will never initiate contact to request recovery keys, registration codes, or PINs. Any message claiming to be from "Signal Support" is fraudulent. The organization previously issued public warnings about this category of attack and offers optional security features such as Registration Lock to protect against account hijacking via phone number exploitation.

It remains unclear how many users have fallen victim to the campaign. Security experts note that stealing recovery keys is only the first step; attackers must still successfully take over the victim's account to access the encrypted backups.