Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

Hackers are targeting Signal users in an attempt to steal their social media data as part of a new phishing campaign, TechCrunch has learned.
On Wednesday, The Washington Post’s Josh Rogin posted a screenshot of a new type of attack against Signal users, where hackers pretend to be the app’s support team and warn their targets that their chat backup “is at risk of permanent loss due to a sync problem.” To avoid this, the message said, the target should share with the hackers the recovery key used to access the online backup of their conversations.
“This will link existing backups to your account. Failure to do so may result in you losing access to your account and all backups,” read a message purporting to be from an account called Signal Support.
Rogin said that activists critical of the Chinese Communist Party are receiving these malicious messages.
Mohammed Al-Maskati, director at Access Now’s Digital Security Helpline, which investigates cyberattacks against journalists, activists, and human rights defenders, told TechCrunch that two people shared similar messages with him. Al-Maskati said the two are not Chinese dissidents. This suggests that the phishing campaign may be more widespread and target specific areas, or that different fraud groups may be using the same strategy.
It is unclear how effective the hacking campaign has been. Al-Maskati said that stealing the victim’s recovery key for their chat backups is only one part of the attack, and that hackers still need to take over the victim’s account.
As in most cases, this type of attack depends on deceiving targets, meaning tricking them into sharing important and confidential information with hackers. In this case, hackers are pretending to be Signal’s support team in order to exploit the targets’ trust in the app and the organization behind it.
It is important to note that Signal says it won’t “reach” out to users first, and will not ask for their registration code, PIN, or recovery key. This means that any chats that pretend to be from “Signal Support” are from malicious hackers. The organization warned publicly about this exact type of attack last month.
Although there have been several campaigns by hackers impersonating Signal support in recent months, this is a new type of attack because it mainly targets backups, which can contain the victim’s old chats, photos, and documents.
Previous campaigns that have targeted Signal users have attempted to hack into the victim’s account and then impersonate them, often with the goal of stealing their contacts or initiating conversations with other people as if they were the account owner. In those attacks, hackers do not have access to previous messages, because the attacks depend on re-registering the victim’s account on a device the hackers control. Because of the way Signal is designed, old messages won’t show up on a new device.
Hackers can hijack Signal accounts by hijacking someone’s phone number, for example. But Signal offers a security feature to protect against that attack, Registration Lock, which prevents attackers from registering the target’s phone number on a new device unless they steal the target’s PIN.
Do you have any information about this campaign against Signal users? Or another similar attack? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.
In this case, one way to view old messages would be to access an online backup, which requires a recovery key.
Last year, Signal introduced Secure Storage, a new feature that allows users to upload their account data to Signal’s servers, where it is stored protected by a recovery key that the organization says is “never shared with Signal’s servers,” and “doesn’t leave” the user’s device. Signal says users should keep the recovery key securely in a notebook or inside a password manager.
“Without your unique recovery key, no one (including Signal) can read, decipher, or recover anything in your Secure Archive,” Signal said.
This means that only the user can access their backup when they register their account on a new phone, download the encrypted data from Signal’s servers, and then unlock it with the recovery key.
Signal did not respond to a request for comment.