Signal Security Alert: Hackers Impersonate Support Team to Steal Chat Backup Keys

New Phishing Campaign Targets Signal Users to Steal Encrypted Chat Backups
Cybercriminals have launched a sophisticated phishing campaign specifically designed to trick Signal users into turning over their unique account recovery keys. By impersonating the platform's official support team, the attackers aim to bypass Signal's advanced security architecture to download and decrypt historical user chats, photos, and files.
Anatomy of the Attack
  • The Deceptive Message: Targets receive a message from a malicious account named "Signal Support." The text falsely warns the user that their backed-up media and chats are "at risk of permanent loss due to a sync issue."
  • The Bait: To resolve the fake technical problem, users are instructed to reply with their unique account recovery key.
  • The Ultimate Goal: Older hacking waves merely hijacked phone numbers to register accounts on new devices, which did not transfer past chat histories. This attack instead seeks the recovery key, which lets the attackers access and read in full the user's online "Secure Backups" archive hosted on Signal's servers.
High-Profile Targets and Scope
The hacking wave has raised significant geopolitical and human rights concerns. Public screenshots of the attack reveal that it has heavily targeted anti-Chinese Communist Party (CCP) activists.
However, digital safety experts from Access Now's Digital Security Helpline have confirmed that the threat extends beyond this community, as multiple international dissidents and journalists have reported identical phishing attempts. This indicates either a widespread campaign or multiple separate threat actors employing the exact same strategy.
Signal's Response and Security Protocol
Signal's leadership, including President Meredith Whittaker, confirmed they are actively tracking the threat and developing internal mitigations.
The organization stresses a strict protocol to prevent exploitation: Signal will never initiate contact with users, nor will it ever ask for a PIN, registration code, or recovery key under any circumstances. Users are strongly urged to ignore these support chats and to keep their recovery phrases in offline notebooks or secure password managers.