Hackers Target Signal Users to Steal Backup Recovery Keys

Cybercriminals are executing a sophisticated phishing campaign aimed at Signal users, impersonating the app’s support team to extract backup recovery keys. These keys grant access to users’ encrypted chat histories, posing a significant threat to privacy.

The attack begins with a message sent directly within the Signal app from an account labeled “Signal Support.” The message warns of a potential loss of chats and media due to a synchronization issue and urges recipients to share their 64-character recovery key to resolve the problem. This key, if obtained, allows attackers to decrypt and access the user’s entire message archive.

According to Cyber Security News, the campaign was first publicly identified when Washington Post analyst Josh Rogin shared a screenshot of the fraudulent message on May 27, 2026. Rogin cautioned users to disregard the message and noted that numerous anti-CCP activists had received similar phishing attempts.

Access Now’s Digital Security Helpline confirmed that journalists, dissidents, and activists are the primary targets of this campaign. Multiple victims reported receiving nearly identical phishing messages, indicating a coordinated effort rather than isolated incidents.

Signal’s Secure Backups feature encrypts user data, with the recovery key serving as the sole means to decrypt and access these backups. By obtaining this key, attackers can download and decrypt the full message history stored on Signal’s servers.

The phishing messages are meticulously crafted to appear legitimate, arriving from an account named “Signal Support” and conveying a sense of urgency. This approach exploits users’ trust in the app’s security, making the scam particularly effective.

Security researchers at Malwarebytes highlighted that after obtaining the recovery key, attackers must still gain access to the Signal account to complete the takeover. However, acquiring the key is a critical step toward full account compromise.

The targeted nature of this campaign, especially against activists and journalists, underscores the importance of vigilance. Users should be wary of unsolicited messages requesting sensitive information and verify any such communications through official channels.

Signal has emphasized that it will never request users’ recovery keys or personal information via in-app messages. Users are advised to enable two-factor authentication and remain cautious of unexpected messages, even within trusted applications.

This incident highlights the evolving tactics of cybercriminals who now exploit trusted platforms to deceive users. It serves as a reminder of the necessity for continuous awareness and skepticism toward unsolicited requests for sensitive information.

Source: Cyber Security News