The Campaign in One Sentence
People posing as Signal's support team are messaging users to warn that their backed-up chats and media are at risk of permanent loss due to a sync issue, and instructing them to share their recovery key to prevent it. That is the entire attack. There is no link to click, no document to open, and no software to install. The operator is asking, in plain language, for the one secret that decrypts a victim's archived conversations.
What makes this campaign worth recording is not the novelty of its mechanism. It is the cleanliness of it. Most phishing has an artifact a defender can latch onto: a domain, a payload, a rewritten link. Here the artifact is a sentence and a deadline. The method is pure social engineering aimed at a single high-value credential, and it routes around every control that assumes there is something technical to inspect.
What Is Actually at Risk
Signal's Secure Backups feature lets a user store an encrypted archive of their conversations on Signal's servers. That archive is protected by a 64-character recovery key. By design, the key never leaves the user's device and is never shared with Signal's servers, which is precisely what keeps the backup confidential even from Signal itself.
That design is a strength right up until a human is talked into typing the key into a chat. The recovery key is the whole security model in one string. An attacker who obtains it can decrypt the backup and read the conversation history it contains. For an ordinary user that is a privacy breach. For the people this campaign appears to be hitting, it is more serious.
Reporting indicates the targets include anti-CCP activists, and that the messages reached multiple people through at least one digital security helpline, suggesting either a campaign broader than a single community or several groups reusing the same playbook. When the victims are activists, journalists, or dissidents, the loss is not an account that can be reset. It is the disclosure of who they spoke to and what they said, with consequences that no password change reverses.
Why the Channel Disarms Suspicion
The same instinct that protects users against email phishing works against them here. Many people have been trained to be wary of unexpected email, to hover over links, and to distrust attachments. A message that arrives inside Signal triggers none of that. The app is associated with private, trusted conversation, so a message claiming to be from its support team inherits a baseline of credibility that an email from an unknown sender would never get.
The pretext compounds it. The lure is loss aversion: your backups are about to disappear, and only a quick action will save them. Urgency narrows attention. A user worried about losing years of conversation is focused on the fix being offered, not on the strange fact that fixing it requires handing a secret to a stranger. The operator is not bypassing the user's judgment with a clever exploit; they are crowding it out with a deadline.
This is why the channel matters as much as the message. The defensive lesson from our coverage of collaboration-tool abuse applies directly: a trusted app is an untrusted inbound channel the moment an unknown party can message you through it. The brand on the conversation is not evidence of who is on the other end of it.
Defending the People Most Likely to Be Hit
The single most durable defense is a rule simple enough to survive a stressful moment: legitimate support for Signal, WhatsApp, or any comparable app will never ask you, in a chat message, to send back a recovery key, a PIN, a verification code, or a password. If a message asks for any of those, the request itself is the proof that it is an attack, regardless of how official it looks or how urgent it sounds. High-risk users should be taught this as a reflex, not a checklist item, because the attack gives them no link to inspect and no time to deliberate.
Account hardening backs up the rule for the cases where pressure wins. Users should enable the protections the app already offers: registration lock and a registration PIN so the account cannot be silently re-registered on another device without an extra secret, and device-change alerts so a new linked device does not go unnoticed. These do not stop a recovery key from being phished, but they raise the cost of the follow-on steps an attacker needs and create a signal the victim can act on.
For organizations responsible for at-risk staff, the response is education before incident, because there is little to detect after the fact. Run the scenario explicitly: a message from "Signal Support" with a backup warning and a request to share a key. Make the expected behavior unambiguous, give people a way to report the message to a security contact, and confirm that the people most likely to be targeted know the one rule before the message arrives. When the entire attack is a sentence, the only place to win is before the sentence is believed.
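For a security contact who receives forwarded messages from at-risk staff, the one rule above can be encoded as a first-pass triage check: the decisive indicator is a request for a secret, and support impersonation plus urgency on its own is only suspicious. This is an added example, not code from the original article or from Signal; the sample messages and the keyword patterns are constructed here.

```python
import re

# Constructed sample messages as a helpline might receive them (not real traffic).
REPORTED = [
    "Signal Support here. A sync issue will permanently delete your backed-up chats "
    "within 24 hours. Reply with your 64-character recovery key to prevent the loss.",
    "Hi, it's Dana. Did you back up the group chat before switching phones?",
    "This is WhatsApp support. Your account will be suspended unless you confirm "
    "the 6-digit verification code we just sent.",
    "Reminder from Signal: backups are encrypted with a recovery key that is never "
    "sent to our servers.",
    "Signal Support: your backups will be permanently deleted due to a sync issue.",
]

# Pattern 1: the sender claims to be the app's support team.
SUPPORT_CLAIM = re.compile(
    r"\b(signal|whatsapp)\b.{0,30}\bsupport\b|\bsupport\b.{0,20}\b(team|desk)\b", re.I)
# Pattern 2: loss-aversion or deadline pretext.
LOSS_OR_URGENCY = re.compile(
    r"\b(permanent(ly)?|deleted?|lost|loss|suspend(ed)?|within \d+ (hours?|minutes?)"
    r"|sync issue)\b", re.I)
# Pattern 3: a verb asking the user to hand over a secret, close to the secret's name.
SECRET_REQUEST = re.compile(
    r"\b(reply|send|share|confirm|enter|provide|type)\b.{0,40}"
    r"\b(recovery key|pin|verification code|password|passcode)\b", re.I)


def triage(message):
    """Return (verdict, reasons) for one reported chat message."""
    reasons = []
    if SUPPORT_CLAIM.search(message):
        reasons.append("claims to be app support")
    if LOSS_OR_URGENCY.search(message):
        reasons.append("loss or urgency pretext")
    if SECRET_REQUEST.search(message):
        reasons.append("requests a secret")
    # Legitimate support never asks for a key, PIN, code or password in chat,
    # so that request alone decides the verdict; pretext without it is "suspicious".
    if "requests a secret" in reasons:
        return "phish", reasons
    if len(reasons) == 2:
        return "suspicious", reasons
    return "benign", reasons


if __name__ == "__main__":
    for text in REPORTED:
        verdict, why = triage(text)
        print(f"{verdict:10} {', '.join(why) or '-'}  | {text[:60]}")
```

A mention of "recovery key" by itself (the fourth sample) is not flagged, which keeps the check from firing on genuine product notices that describe the key without asking for it.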