A coordinated phishing campaign is targeting Signal users, tricking them into handing over their 64-character recovery keys through fraudulent in-app messages impersonating Signal’s own support team — giving attackers access to full message history going back through every stored backup.
How the Attack Works
Unlike traditional phishing that arrives by email or SMS, this campaign operates entirely within Signal itself. Victims receive a text message from what appears to be Signal support, warning of a “sync issue” that puts their data at risk. The message instructs them to share their 64-character recovery key to resolve the problem.
This is purely social engineering — there is no technical vulnerability in Signal being exploited. The attackers are leveraging Signal’s strong reputation as a secure, trustworthy platform to make the fraudulent message appear legitimate. Receiving a message through an encrypted app that you specifically chose for its security makes many users more inclined to trust it, not less.
What Is the Recovery Key and Why Is It So Valuable?
Signal’s recovery key is a 64-character code that provides complete access to a user’s encrypted message backup stored on Signal’s servers. Handing this key to an attacker does not just expose future messages — it exposes the full message history stored in the backup, including every conversation since backups were enabled.
For most users, this represents months or years of private communications. For the groups being targeted — journalists, activists, dissidents, and individuals critical of authoritarian regimes — that history could include source identities, sensitive investigations, and communications that carry serious real-world risk if disclosed.
Who Is Being Targeted?
Access Now’s Digital Security Helpline has confirmed this is a coordinated, targeted operation — not indiscriminate phishing. Primary targets identified include:
- Journalists and media professionals
- Activists and human rights workers
- Political dissidents
- Individuals identified as opponents of the CCP
The targeting profile suggests a threat actor with specific intelligence objectives rather than financially motivated cybercriminals. High-profile individuals using Signal as their secure communications platform are at greatest risk.
What to Do If You Use Signal
Never Share Your Recovery Key
Signal will never ask for your recovery key, PIN, or verification code through a message — under any circumstances. Treat any in-app message requesting these as an attack, regardless of how official it looks. Report it and delete it.
Enable Registration Lock
Signal’s Registration Lock feature requires your PIN before a new device can register your Signal account. This adds a critical barrier against account takeover even if an attacker obtains your phone number. Enable it at: Signal Settings → Account → Registration Lock.
Enable Device-Change Alerts
Signal can alert you when a new device links to your account. Enabling this provides early warning if an attacker attempts to register your account on a device they control.
Treat All Unsolicited Account Warnings as Suspicious
Genuine issues with your Signal account do not require you to share credentials via a message. Any unsolicited message claiming your account is at risk, that a sync error has occurred, or that action is required to protect your data should be treated as a social engineering attempt.
Use Disappearing Messages
For sensitive conversations, enabling disappearing messages limits the historical data available if an account is ever compromised. This is particularly important for individuals whose message history could pose personal safety risks.
A Reminder About Social Engineering
This attack is a reminder that the weakest link in any security system — including end-to-end encrypted messaging — is the human at the end of it. The most technically secure platform in the world cannot protect against a user being deceived into voluntarily handing over access. Security awareness training and clear policies around credential sharing are as important as the technical tools themselves.
At BIT Tech IT Solutions, we help businesses implement security awareness training and communication security policies. If you’d like to discuss how to protect your team from social engineering attacks, contact our team.