Cybersecurity researchers are warning of a new phishing campaign targeting users of the encrypted messaging platform Signal, with attackers attempting to trick people into handing over recovery keys that could give access to their cloud-stored chat backups. The campaign marks a significant shift from traditional password-stealing attacks and highlights how hackers are increasingly focusing on backup and account recovery systems to bypass security protections.
According to security experts cited by TechCrunch, the attackers are impersonating Signal’s support team and sending messages that falsely claim a user’s chat backups are at risk of being lost because of a synchronization problem. These messages create a sense of urgency and instruct victims to share their recovery key, presenting it as a necessary step to preserve access to their account data.
Recovery keys play a critical role in Signal’s backup system. They are designed to allow users restore encrypted backups when setting up the app on a new device. Because Signal’s backup architecture relies on end-to-end encryption, the company itself cannot access or recover backup contents without the user’s unique recovery credentials. That security model makes recovery keys extremely valuable targets for attackers.
Researchers say several privacy advocates, journalists, and security-focused individuals have already reported receiving the fraudulent messages. While it remains unclear how many users may have fallen victim to the scheme, experts believe the campaign could be broader than initially thought and may not be limited to any specific country or political target group.
Unlike malware-based attacks that exploit software vulnerabilities, this campaign relies heavily on social engineering. Instead of breaking through Signal’s encryption, attackers attempt to manipulate users into voluntarily revealing sensitive information. Cybersecurity analysts note that phishing remains one of the most effective forms of cybercrime because it targets human trust rather than technical weaknesses.
The latest incident fits into a wider trend of growing attacks against secure messaging platforms. Earlier this year, Dutch intelligence agencies warned that Russian-backed hackers were conducting large-scale campaigns against users of both Signal and WhatsApp. Those operations reportedly relied on phishing tactics and social engineering rather than exploiting flaws within the apps themselves.
Security researchers say attackers increasingly favor account takeover techniques because modern messaging apps have strengthened their core encryption systems, making direct interception of communications far more difficult. By targeting backup credentials, registration codes, or account recovery processes, hackers can sometimes gain access to conversations without needing to crack encryption itself.
Signal has repeatedly stated that it never contacts users asking for registration codes, PINs, passwords, or recovery keys. Experts emphasize that any message claiming to come from “Signal Support” and requesting such information should be treated as suspicious. Legitimate support teams generally do not require users to disclose private recovery credentials.
The campaign also reflects a broader evolution in cybercrime. Recent security reports show that phishing attacks have become more sophisticated, often using convincing branding, realistic language, and impersonation tactics designed to mimic trusted organizations. Mobile messaging platforms have become particularly attractive targets because users often respond more quickly to chat messages than to suspicious emails.
