Signal Phishing Attack Steals Backup Keys, Exposing Full Encrypted Chat History

Fake Signal Support texts trick journalists and activists into handing over backup decryption keys.


Hackers launched a new phishing campaign this week targeting Signal users — specifically journalists, anti-Chinese Communist Party activists, and human rights workers — with fraudulent text messages designed to steal the 64-character recovery keys that decrypt their entire encrypted message archives. Unlike previous attacks that seized only future messages, this technique reaches backward through time: anyone who surrenders the key and loses account control hands attackers a complete, decryptable record of every conversation, photo, and document ever backed up to Signal's servers.

The campaign was first publicly flagged on Wednesday, May 27, by Washington Post analyst Josh Rogin, who posted a screenshot of the phishing text to X and warned that multiple anti-Chinese Communist Party activists had already received it. Mohammed Al-Maskati, director of Access Now's Digital Security Helpline — an organization that investigates cyberattacks against journalists, dissidents, and human rights workers — confirmed to TechCrunch that two additional people, neither of whom were Chinese activists, reported receiving the same message. That breadth, Al-Maskati noted, suggests the campaign may be targeting more communities than the initial reports indicate, or that multiple hacker groups have adopted the same playbook.

Signal president Meredith Whittaker said in a statement to TechCrunch: "We're working on mitigations here, and monitoring."

How Fake Support Texts Steal Signal Backup Keys

The attack exploits a psychological gap between how users expect a support interaction to work and how Signal's security architecture actually operates. The phishing text arrives from an account named "Signal Support" — a name any user can freely choose, since Signal does not verify profile names — and opens with an urgent warning: the victim's account data faces "permanent loss due to a sync issue." It then provides step-by-step instructions directing the target to navigate to Settings → Backups → Configure → View Recovery Key, copy the 64-character key, and paste it directly into the chat. The message closes with a threat: failure to comply "may result in losing access to your account and all stored data."

Security researchers at Malwarebytes identified several red flags visible in the phishing text: a "Name not verified" label under the sender, repeated threats of data loss, and the request to paste a key into a chat — something Signal Support would never do.

That key is the only mechanism by which Signal's Secure Backups archives can be decrypted. Signal introduced Secure Backups in September 2025, giving users an opt-in way to store encrypted copies of their message history on Signal's servers. The system uses a "zero-knowledge" architecture: the 64-character recovery key is generated and stored exclusively on the user's device and is never transmitted to Signal's servers. Signal cannot decrypt those archives. An attacker who obtains that key — and who simultaneously gains control of the victim's Signal account — can download and decrypt the full backup archive, gaining access to months or years of private communications in a single step.

For Malwarebytes researchers, that retroactive access is what distinguishes this attack from every prior Signal phishing campaign. Earlier operations aimed to hijack an account going forward — effective for monitoring future messages and impersonating a contact, but blind to anything said before the takeover. Recovery-key theft closes that gap entirely.

Signal Encryption Unbroken, but Human Trust Remains Hackable

The campaign belongs to a pattern that security agencies have been warning about throughout 2026: attackers are not attempting to break Signal's encryption — they are walking around it by compromising the human on one end of the conversation. In March 2026, the FBI and the Cybersecurity and Infrastructure Security Agency issued a joint advisory stating that Russian intelligence-linked hackers had compromised thousands of accounts across commercial messaging platforms, with Signal as a primary target. The agencies stated in that advisory that "phishing remains one of the most unsophisticated, yet effective means of cyber compromise, often rendering other protections irrelevant, including end-to-end encryption."

Earlier in 2026, German and Dutch security authorities separately documented state-linked Signal phishing campaigns using a different technique — QR codes and device-linking requests — that targeted politicians, senior military officers, diplomats, and journalists. Among the confirmed victims were former BND vice president Arndt Freytag von Loringhoven and Kremlin critic Bill Browder. Local media estimated approximately 300 accounts were compromised in those waves. The shift to recovery-key theft represents a tactical evolution: where device-linking gave attackers visibility into future messages, backup-key theft gives them the past as well.

Signal anticipated this attack vector. The company publicly warned about impersonation attempts in April 2026 — roughly a month before this wave of texts appeared — and on May 12, 2026, rolled out new in-app security features that include a "Name not verified" notice on new contacts, an additional confirmation step when accepting message requests, and explicit reminders that Signal will never ask for registration codes, PINs, or recovery keys. Whittaker said further protections are in development.

How to Tell Real Signal Support From Hackers

Signal's policy on user contact is unambiguous: the organization will never reach out to users first, and will never ask for a registration code, PIN, or recovery key through any channel. Any message claiming to be from Signal Support and requesting any of those credentials is fraudulent, regardless of how convincingly it reproduces Signal's branding.

Al-Maskati noted that the attack requires a second step beyond key theft — the hackers must also gain control of the victim's account before they can download and decrypt the backup archive. That means anyone who surrendered a recovery key but has not yet experienced an account compromise has a window to act.

Security researchers recommend the following steps for all Signal users, with particular urgency for journalists, activists, diplomats, and others with sensitive contacts:

  • Treat every unsolicited support message as a scam. Legitimate support for Signal does not arrive as a chat message asking for codes, keys, or passwords. If you receive an account warning, open the app directly rather than following any instructions in the text.
  • Never share your recovery key, PIN, or registration codes. These credentials are the only mechanisms through which an attacker can impersonate you or access your backups.
  • Enable Registration Lock in Signal settings. This requires your Signal PIN before your account can be re-registered on a new device, adding a critical layer of friction against account takeover.
  • Consider enabling disappearing messages. Auto-deletion limits how much content is exposed if an attacker does obtain archive access at a later date.
  • Confirm unusual requests out of band. If you receive an alarming message about your Signal account, reach the apparent sender by telephone or through a separate trusted channel before taking any action.
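The red flags Malwarebytes identified and Signal's stated never-ask policy can be turned into a simple screening heuristic. The following is an added example, not code from the article or from Signal; the regexes, the scoring thresholds and both sample messages are constructed for illustration and modelled only on the article's description of the text.

```python
import re
from dataclasses import dataclass

# Credentials Signal states it will never ask for, through any channel.
CREDENTIAL_TERMS = re.compile(
    r"\b(recovery key|backup key|registration code|verification code|pin)\b", re.I)
# Verbs asking the target to hand something over in the chat.
HANDOVER_VERBS = re.compile(r"\b(paste|send|share|reply with|enter)\b", re.I)
# Urgency / data-loss pressure of the kind used in the campaign described above.
THREAT_TERMS = re.compile(
    r"\b(permanent(ly)? (loss|lose|deleted?)|(lose|losing) access|sync issue"
    r"|within \d+ (hours?|minutes?))\b", re.I)
# Self-identification as Signal staff or support (sender name or body).
CLAIMS_SIGNAL = re.compile(r"\bsignal\s*(support|team|security|staff)\b", re.I)
# Walks the user to the backup settings screen where the key is displayed.
NAV_PATH = re.compile(r"settings\W+backups?", re.I)

@dataclass
class ScreenResult:
    flags: list
    verdict: str  # "phishing", "suspicious" or "ok"

def screen_message(sender_name: str, name_verified: bool, body: str) -> ScreenResult:
    """Score an incoming message against the red flags described in the article."""
    flags = []
    claims_signal = bool(CLAIMS_SIGNAL.search(sender_name) or CLAIMS_SIGNAL.search(body))
    asks_credential = bool(CREDENTIAL_TERMS.search(body) and HANDOVER_VERBS.search(body))
    if claims_signal and not name_verified:
        flags.append("sender claims to be Signal but the profile name is not verified")
    if asks_credential:
        flags.append("asks you to hand over a recovery key, PIN or registration code")
    if THREAT_TERMS.search(body):
        flags.append("threatens data or account loss to create urgency")
    if NAV_PATH.search(body):
        flags.append("walks you to Settings > Backups to read out the recovery key")
    # Decisive rule from Signal's policy: Signal never contacts users first and never
    # asks for these credentials, so a Signal claim plus a credential request is phishing.
    if claims_signal and asks_credential:
        verdict = "phishing"
    elif len(flags) >= 2:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return ScreenResult(flags, verdict)

# Constructed samples (not the real campaign text), modelled on the article's description.
PHISHING_SAMPLE = ("Your account data is at risk of permanent loss due to a sync issue. "
                   "Go to Settings > Backups > Configure > View Recovery Key and paste the "
                   "64-character key here. Failure may result in losing access to your account.")
BENIGN_SAMPLE = "Hey, are we still on for the interview tomorrow at 10?"
```

Run `screen_message("Signal Support", False, PHISHING_SAMPLE)` to see all four flags raised and the "phishing" verdict; the benign sample returns "ok".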

Frequently Asked Questions

What is Signal's backup recovery key, and why do hackers want it?

Signal's backup recovery key is a 64-character string generated on your device when you enable Secure Backups. It is the only way to decrypt the encrypted message archive that Signal stores on its servers, and it never leaves your device under normal use. If a hacker obtains the key and also gains control of your Signal account, they can download and fully decrypt your entire message history — every past conversation, photo, and file — rather than only monitoring future messages.

Will Signal ever ask me to share my recovery key, PIN, or verification code?

No. Signal has stated explicitly that it will never contact users first and will never ask for a registration code, PIN, or recovery key through any channel, including in-app messages, SMS, or social media. Any message claiming to be from Signal Support and requesting any of those credentials is a phishing attempt from malicious actors, not from Signal.

How do I protect my Signal account from phishing?

Enable Registration Lock in Signal's settings — this prevents an attacker from re-registering your account on a new device without your PIN. Treat every unsolicited support message as fraudulent by default. Never paste a recovery key into any chat. If you receive an account warning, navigate to Signal's settings directly rather than following instructions in an external message. Consider enabling disappearing messages to limit your historical exposure.

How does this Signal phishing attack differ from earlier ones?

Previous Signal phishing campaigns used QR codes or device-linking requests to add a hacker's device to a victim's account, giving them access to future messages only. This new campaign specifically targets the Secure Backups recovery key, which unlocks the entire encrypted message archive — including conversations, photos, and documents from before the attack. That retroactive access makes recovery-key theft significantly more damaging than prior account-hijacking techniques.

ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.
