Signal backup keys become new phishing prize

Hackers are using fake Signal support messages to trick users into handing over backup recovery keys, opening a new front in attacks against one of the world’s most trusted encrypted messaging platforms.

The campaign centres on messages sent inside Signal from accounts posing as “Signal Support”. Targets are warned that their backed-up chats and media face permanent loss because of a supposed sync problem. They are then urged to paste their backup recovery key into the chat to “relink” their archive. The request is fraudulent. Anyone who shares the key risks exposing years of private conversations, attachments and media stored through Signal’s encrypted backup feature.

The attack does not appear to break Signal’s encryption or compromise its servers. It relies instead on social engineering, the long-favoured method of hackers seeking to bypass strong cryptography by manipulating the person using it. That distinction is important for Signal, whose reputation rests on end-to-end encryption, minimal data collection and resistance to surveillance. The vulnerability being exploited is not the code that protects messages in transit, but the trust users place in official-looking warnings.

Signal’s secure backup system was introduced as an opt-in feature to protect message history if a user loses a device or changes phones. It uses a 64-character recovery key generated on the user’s device. Signal says the key is not shared with its servers and cannot be reset, recovered or bypassed by the company. That design strengthens privacy, but it also makes the key an attractive target. Whoever obtains it may be able to restore and decrypt backed-up material if other account-access conditions are met.

The campaign has drawn attention because it targets a class of users who often rely on Signal for sensitive communications, including journalists, activists, political figures, government staff and civil society organisations. Security specialists have warned that stealing a recovery key may be only one part of a broader operation. Attackers may still need to gain control of an account, phone number, device setup process or related authentication step before accessing the archive. Even so, the lure marks a shift from attacks focused mainly on verification codes, PINs or device-linking QR codes towards attempts to steal backup secrets directly.

The timing is significant. Signal expanded secure backups across Android and iOS during the past year, offering a free tier for text messages and limited media, alongside a paid option with larger storage. The broader availability of backups gives users a way to preserve message history, but it also creates a new target for criminals and state-aligned operators. Encrypted backup systems often face a difficult balance: users want recoverability when phones are lost, while privacy advocates want providers to have no access to stored content. A recovery key solves part of that problem, but only if users recognise that it must never be shared.

The latest phishing wave follows a series of warnings this year about attacks on encrypted messaging apps. Security agencies in several countries have flagged campaigns in which hackers posed as support services or security bots to obtain verification codes, PINs or linked-device access. Some operations were linked to Russia-backed actors targeting officials, military personnel and journalists. Other campaigns have been more opportunistic, seeking access to high-value accounts through impersonation rather than technical exploits.

Signal has repeatedly advised users that its staff do not contact people through in-app messages, phone calls, SMS or social media to request account secrets. The company’s guidance is clear: any message claiming to be from Signal support or Signal security inside the app should be treated as a scam. Users are advised not to reply, not to share recovery keys or verification codes, and to report and block the account.

The phishing messages are effective because they exploit urgency. A warning about imminent data loss can push users into acting before they verify the request. The language used in such attacks is typically designed to sound technical but simple enough to follow: a sync issue, a backup failure, an account risk or a request to confirm ownership. This is a common pattern in credential theft, where attackers create a false deadline and present disclosure of a secret as the quickest way to avoid damage.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.

