Home > Security > Security News

Attackers Target Signal Secure Backups via Phishing Campaign

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
Signal Support Staff Impersonation - Backup
Summarize with:
ChatGPT logo ChatGPT Claude.ai logo Claude.ai Google AI logo Google AI Grok logo Grok Perplexity logo Perplexity
Google logo Add as preferred source on Google
Key Takeaways
  • Phishing Campaign: Threat actors are targeting Signal users to illicitly obtain recovery keys required to decrypt cloud-based backups.
  • Adversarial Impersonation: Attackers are masquerading as Signal Support, alleging synchronization failures to pressure users into revealing credentials.
  • Target Demographics: The campaign has impacted anti-Chinese Communist Party activists as well as other unaffiliated individuals.

A sophisticated phishing operation is currently targeting Signal users, leveraging social engineering to extract recovery keys associated with encrypted backups. By compromising these credentials, adversaries seek unauthorized access to historically archived communications.

Deceptive Social Engineering Tactics

On May 27, 2026, Washington Post analyst Josh Rogin posted evidence of the campaign via a screenshot on X. The image shows a fake message impersonating Signal Support that notifies recipients of an alleged imminent loss of backed-up data due to a synchronization error. 

Fake message impersonating Signal Support | Source: Josh Rogin on X
Fake message impersonating Signal Support | Source: Josh Rogin on X

Rogin indicated that numerous anti-Chinese Communist Party activists were targeted. However, Mohammed Al-Maskati, director at Access Now’s Digital Security Helpline, confirmed to TechCrunch that multiple unaffiliated individuals reported receiving identical solicitations.

This phishing campaign specifically exploits Signal Secure Backups, an opt-in cloud storage feature accessible via a unique recovery key. The objective is to deceive users into disclosing this key, thereby facilitating the decryption of private message histories.

Targeting Signal Secure Backups

Signal’s security protocol dictates that the organization never initiates unsolicited contact or requests a registration code, PIN, or recovery key. Furthermore, the organization issued a formal advisory regarding this specific attack vector last month.

Multiple international intelligence organizations, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the UK’s cybersecurity agency, and Dutch intelligence, along with Signal, have issued official warnings about these specific hijacking techniques.  

In other recent news, a GTIG report said Chinese-language phishing services adopt AI and real-time MFA bypass.

In mid-May 2026, Russian hackers were seen targeting 13,500 Signal accounts in a hijacking campaign. In March, Russian cybercriminals targeted Signal and WhatsApp accounts of high-value individuals in a large-scale phishing operation.

Add a Comment
Related
data breach
Charter Data Breach: Approximately 4.9 Million Emails Added to HIBP Following ShinyHunters Claim
Pay Tel Data Leak: Microsoft Azure Server Misconfiguration Exposes 300,000 Government-Issued IDs
Adversaries Exploit US Troop Geolocation Data via Ad Profiles
Kemper Corporation Exposes Approximately 270,000 Accounts Following ShinyHunters Breach Claim
Watch Out for Fake FIFA Websites Appearing Ahead of the 2026 World Cup, FBI and IC3 Warn
FortiClient EMS Exploited via CVE-2026-35616 for EKZ Infostealer Deployment
Most Popular
Copy, Paste, Compromise? Why Developer Workflows Need New Guardrails
How a Cline Vulnerability Exposed a Growing AI Agent Security Gap
data breach
Charter Data Breach: Approximately 4.9 Million Emails Added to HIBP Following ShinyHunters Claim
Pay Tel Data Leak: Microsoft Azure Server Misconfiguration Exposes 300,000 Government-Issued IDs
Adversaries Exploit US Troop Geolocation Data via Ad Profiles
Polymarket KYC Changes Bring Stricter VPN Controls
Polymarket Tightens VPN Restrictions and Expands KYC Checks Amid Regulatory Pressure
Copy, Paste, Compromise? Why Developer Workflows Need New Guardrails
How a Cline Vulnerability Exposed a Growing AI Agent Security Gap
Charter Data Breach: Approximately 4.9 Million Emails Added to HIBP Following ShinyHunters Claim
Pay Tel Data Leak: Microsoft Azure Server Misconfiguration Exposes 300,000 Government-Issued IDs
Adversaries Exploit US Troop Geolocation Data via Ad Profiles
Polymarket Tightens VPN Restrictions and Expands KYC Checks Amid Regulatory Pressure

Most Popular
Copy, Paste, Compromise? Why Developer Workflows Need New Guardrails
How a Cline Vulnerability Exposed a Growing AI Agent Security Gap
data breach
Charter Data Breach: Approximately 4.9 Million Emails Added to HIBP Following ShinyHunters Claim
Pay Tel Data Leak: Microsoft Azure Server Misconfiguration Exposes 300,000 Government-Issued IDs
Adversaries Exploit US Troop Geolocation Data via Ad Profiles
Polymarket KYC Changes Bring Stricter VPN Controls
Polymarket Tightens VPN Restrictions and Expands KYC Checks Amid Regulatory Pressure
Copy, Paste, Compromise? Why Developer Workflows Need New Guardrails
How a Cline Vulnerability Exposed a Growing AI Agent Security Gap
Charter Data Breach: Approximately 4.9 Million Emails Added to HIBP Following ShinyHunters Claim
Pay Tel Data Leak: Microsoft Azure Server Misconfiguration Exposes 300,000 Government-Issued IDs
Adversaries Exploit US Troop Geolocation Data via Ad Profiles
Polymarket Tightens VPN Restrictions and Expands KYC Checks Amid Regulatory Pressure

TechNadu keeps you informed with the latest in cybersecurity, VPNs, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2026 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: