Search...

A new phishing campaign against Signal users: Backup Recovery Keys are being targeted

A new phishing campaign against Signal users: Backup Recovery Keys are being targeted

Russian intelligence-linked threat actors tracked as UNC5792 and UNC4221 have been identified as conducting a new phishing campaign aimed at obtaining Signal users’ Backup Recovery Keys.            

According to the available information, although these threat actors have primarily sought to obtain users’ account verification codes and Signal PINs in previous attacks, they are now increasingly targeting the Backup Recovery Keys used by Signal. During the attacks, the threat actors impersonate automated Signal support accounts. Users receive fraudulent messages claiming that their accounts are experiencing synchronisation issues, that their messages may be deleted or that additional security measures must be enabled. The victims are subsequently instructed to access Signal’s settings, enable Secure Backups, copy their Backup Recovery Key and provide it to the fraudulent support account.

Signal Secure Backups are end-to-end encrypted and protected by a cryptographically secure 64-character recovery key. This key is never shared with the Signal service and without it, no one, including Signal itself can read, decrypt or restore the data contained in the Secure Backup Archive. The archive may include all text messages, as well as photographs, files, attachments and other media from the preceding 45 days under the standard backup plan.

By obtaining a victim’s Backup Recovery Key, threat actors can restore the encrypted backup archive on a device under their control without compromising Signal’s end-to-end encryption. Consequently, the attackers may gain access to the victim’s historical private and group messages and potentially take control of the victim’s account.

According to the advisory, a compromised Backup Recovery Key may remain valid even if the victim creates a new Signal account using the same telephone number. As a result, the threat actor may attempt to use the previously compromised key to access future backups associated with the newly created account. To prevent the previous key from being used for future backup downloads, the user must generate a new Backup Recovery Key through Signal’s settings. However, generating a new key does not remove or invalidate any backup archive that may already have been downloaded by the threat actor.

Signal states that its representatives do not contact users through SMS messages, telephone calls, social media platforms or ordinary Signal conversations that permit two-way messaging. Signal support personnel will never request a user’s verification code, Signal PIN or Backup Recovery Key.

Users are advised not to respond to unsolicited security or account-recovery messages purporting to originate from Signal, not to disclose their Backup Recovery Keys to any individual or service and to report and block fraudulent accounts within the application. Where there is reason to believe that a Backup Recovery Key has been disclosed to a third party, users should immediately generate a new key and report the potential compromise to the relevant authorities.

© 2011-2026 All rights reserved