New Hackers Target Signal Users to Steal Private Backups

A new wave of sophisticated phishing attacks is now targeting users of Signal, the encrypted messaging app relied upon by journalists, activists, and privacy-conscious individuals globally. These coordinated campaigns aim to compromise user accounts and steal private backup keys, potentially exposing years of sensitive conversations. The threat, detailed in reports from <a href="https://aiweekly.co/alerts/signal-backup

Hackers are impersonating Signal’s support team and tricking users into handing over their backup recovery keys, which can unlock entire archives of private chat history. The campaign has raised serious concern among cybersecurity researchers and digital rights organizations.

The attack begins with a text message sent directly inside Signal. The message claims to be from “Signal Support” and warns the recipient that their chats and media are “at risk of permanent loss due to a sync issue”.

Victims are then told to share their 64-character recovery key to fix the problem. That key, once handed over, can give attackers full access to years of stored messages, photos, and documents.

TechCrunch said in a report shared with Cyber Security News (CSN) that the campaign was first publicly flagged after Josh Rogin, a Washington Post analyst, posted a screenshot of the fake message on May 27, 2026.

Rogin warned his followers to ignore the message and noted that many anti-CCP activists had already received the same phishing attempt.

Access Now’s Digital Security Helpline confirmed that journalists, dissidents, and activists are being targeted most heavily.

Two separate victims submitted near-identical versions of the phishing message to investigators, confirming this is a coordinated operation rather than a random or opportunistic one.

What makes this campaign especially dangerous is what the recovery key unlocks. Signal’s Secure Backups feature stores encrypted data on Signal’s servers, protected by a key that never leaves the user’s device.

If an attacker gets that key and gains access to the account, they can download and decrypt the full message history, not just future conversations but everything stored in the backup.

Hackers Attacking Signal Users

The phishing message is crafted to look completely believable. It arrives inside Signal from an account calling itself “Signal Support,” giving it a false sense of legitimacy.

The tone is urgent: act now or lose your data. Most users do not expect a scam to reach them through an app they consider private and secure.

Security researchers at Malwarebytes noted that once the victim pastes the recovery key into the chat, the attacker still needs one more step to complete the takeover.

They must gain access to the Signal account before using the key to download and decrypt the backup. However, that step does not make the threat any less serious, as stealing the key is a critical first move in a chain that can lead to total account compromise.

The fact that victims across different networks received nearly identical messages points to a well-organized group. Researchers say the operation appears targeted rather than broad, with activists and journalists being singled out with clear purpose.

Protecting Your Signal Account from Phishing

Signal has made it very clear that it will never reach out to users first. The app also does not ask for registration codes, PINs, or recovery keys under any circumstances. That means any message claiming to be from Signal Support and requesting this kind of information is a scam.

Users should treat any unsolicited message warning of account issues as suspicious, regardless of where it arrives. Clicking links in account-warning messages should be avoided entirely.

Sharing verification codes, recovery keys, or authentication secrets with any contact, even a seemingly official one, should never happen.

Experts recommend enabling the Registration Lock feature in Signal, which requires a PIN before your number can be registered on a new device.

Turning on PIN protection and device-change alerts adds another layer of defense. Using disappearing messages can also help limit damage if an account is ever compromised.

This campaign is a reminder that even the most secure tools can be exploited through human trust. Staying informed and skeptical about unexpected messages remains the first and most effective line of defense.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.