Hackers are targeting Signal users through fake in-app messages claiming to be from “Signal Support” and warning of data loss. The phishing campaign seeks backup recovery keys, which can allow attackers to decrypt and read stored chat histories, with journalists, dissidents and activists reportedly among those targeted.

Hackers Target Signal Users in Phishing Campaign to Steal Backup Recovery Keys

The420.in Staff

Hackers are targeting Signal users through a new phishing wave that abuses the app’s in-app messaging system to trick victims into revealing backup recovery keys. The campaign uses fraudulent messages appearing to come from “Signal Support” and warns users of imminent data loss, while attempting to steal encrypted chat backups.

Fake Signal Support Messages Create Urgency

Victims receive direct messages from an account named “Signal Support”, which the app displays with a “Name not verified” warning and generic safety tips. The message is headed “Action Required: Data Recovery Needed” and says the user’s account data is at risk of permanent loss because of a sync issue.

The message urges users to act quickly to avoid losing messages and media. It then instructs them to open Signal’s settings, navigate to backups, view their recovery key, copy it to the clipboard and paste it back into the chat.

The text falsely claims this will link the existing backup to the account and warns that failure to comply may result in losing access to stored data. The operation has no connection to Signal’s real support team, and there is no backup sync issue affecting targeted users.

Campaign Targets Secure Backups Feature

Researchers and digital rights organisations said multiple people have received near-identical messages, indicating a coordinated phishing campaign rather than random scam attempts.

According to the report, the attack specifically targets Signal’s Secure Backups feature, which allows users to store encrypted copies of chats and media on Signal’s servers. These backups are protected by a unique recovery key that never leaves the user’s devices.

That key is the only way to decrypt the backup. Anyone who obtains it and has access to the account can download and read the victim’s full message history in plaintext.

Unlike earlier Signal hijacking attacks that focused on stealing registration codes to take over live accounts, this campaign concentrates on archive theft, targeting years of past conversations rather than only future messages.

High-Risk Users Urged to Treat Messages as Malicious

Security experts warned that backups often contain old documents, photos and sensitive discussions that users assume remain safe because they are encrypted on Signal’s infrastructure.

Reports indicate that journalists, dissidents and anti-Chinese Communist Party activists are being disproportionately targeted, suggesting a politically motivated or surveillance-oriented threat actor. Human rights defenders and researchers tracking threats to civil society have also flagged the pattern.

Signal has repeatedly stated that it will never contact users first inside the app and will never ask for registration codes, PINs or backup recovery keys under any circumstances.

Experts recommend treating any in-app chat claiming to be “Signal Support” and requesting sensitive codes or keys as malicious. Users are advised to block and report such accounts, never paste recovery keys, login codes or PINs into a chat window, enable registration lock, use a strong Signal PIN and turn on device-change alerts. Using disappearing messages by default can also reduce the damage if a backup is ever compromised.
