Signal Backup Recovery Keys Targeted in New Phishing Attack Campaign

Cybersecurity researchers and digital rights advocates are warning of a new phishing campaign targeting Signal users, in which attackers attempt to steal recovery keys used to restore encrypted chat backups.

The campaign came to light after Washington Post analyst Josh Rogin shared a screenshot on Wednesday showing a fraudulent message sent through Signal. In the message, attackers impersonate Signal’s support team and falsely claim that a user’s chat backups and media files are at risk of permanent loss due to a synchronisation issue. The fake support message instructs recipients to provide their recovery key, claiming the code is required to reconnect their existing backup archive to their account. The message warns that failing to do so could result in the loss of access to stored conversations and account data.

According to Rogin, several activists critical of the Chinese Communist Party have received malicious messages. However, the campaign may not be limited to one group.

Mohammed Al-Maskati, director of Access Now’s Digital Security Helpline, said that at least two individuals outside the Chinese activist community had reported receiving similar messages. This suggests the operation could be targeting a broader range of users or that multiple threat actors may be employing the same tactic.

At this stage, it remains unclear how successful the campaign has been. Al-Maskati explained that obtaining a victim’s recovery key is only one component of the attack. Threat actors would still need to compromise the victim’s Signal account before gaining access to the backup data.

Signal President Meredith Whittaker acknowledged the issue, stating that the company is monitoring the situation and working on potential mitigations.

Like many social engineering attacks, the campaign relies on convincing users to voluntarily hand over sensitive information. In this case, attackers are exploiting trust by impersonating Signal’s official support team.

Signal has repeatedly emphasised that it never initiates conversations with users and will never request registration codes, PINs, or backup recovery keys. Any message claiming to come from “Signal Support” and requesting such information should therefore be treated as fraudulent.

The organisation publicly warned users about similar scams last month, but the latest campaign differs from previous attempts by specifically targeting Signal’s Secure Backups feature.

Earlier phishing operations primarily sought to hijack user accounts and impersonate victims. In many cases, attackers aimed to gain access to contacts or communicate with others while posing as the account owner. However, those methods generally did not provide access to historical messages because Signal’s architecture prevents old conversations from automatically appearing on newly registered devices.

Attackers can sometimes take over accounts through phone number hijacking or SIM-swapping techniques. To help defend against these threats, Signal offers optional protections such as Registration Lock, which prevents a phone number from being linked to another device without the user’s PIN.

Accessing older messages requires an additional step: obtaining the encrypted backup archive and the recovery key needed to decrypt it.

Signal introduced Secure Backups last year as an optional feature that allows users to store encrypted copies of their chats, media, and account data on Signal’s servers. These backups are protected using a unique recovery key that Signal says is never transmitted to its servers and never leaves the user’s device.

The company advises users to store the recovery key securely, either in a password manager or in a physical location such as a notebook.

“Without your unique recovery key, no one — including Signal — can read, decrypt, or restore any of the data in your Secure Backup Archive,” the company has stated.

As a result, restoring a backup on a new device requires the user to download the encrypted archive and unlock it using the recovery key. Anyone who obtains that key could gain access to highly sensitive historical conversations, documents, and media if they also compromise the associated account.

Signal has since reiterated its warning and urged users never to share recovery keys, PINs, or registration codes with anyone claiming to represent the company.