{"id":730116,"date":"2026-05-28T22:25:11","date_gmt":"2026-05-28T19:25:11","guid":{"rendered":"https:\/\/buradabiliyorum.com\/en\/hackers-are-trying-to-steal-signal-users-backups-in-new-wave-of-phishing-attacks\/"},"modified":"2026-05-28T22:25:11","modified_gmt":"2026-05-28T19:25:11","slug":"hackers-are-trying-to-steal-signal-users-backups-in-new-wave-of-phishing-attacks","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/hackers-are-trying-to-steal-signal-users-backups-in-new-wave-of-phishing-attacks\/","title":{"rendered":"Hackers are trying to steal Signal users&#8217; backups in new wave of phishing attacks"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_84 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<label for=\"ez-toc-cssicon-toggle-item-6a21492b5d34e\" class=\"ez-toc-cssicon-toggle-label\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #dd3333;color:#dd3333\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #dd3333;color:#dd3333\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input type=\"checkbox\"  id=\"ez-toc-cssicon-toggle-item-6a21492b5d34e\" checked aria-label=\"Toggle\" \/><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/buradabiliyorum.com\/en\/hackers-are-trying-to-steal-signal-users-backups-in-new-wave-of-phishing-attacks\/#Contact_Us\" >Contact Us<\/a><\/li><\/ul><\/nav><\/div>\n<div>\n<p id=\"speakable-summary\" class=\"wp-block-paragraph\">Hackers are targeting Signal users in an attempt to steal their chat backups as part of a new hacking campaign, TechCrunch has learned.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">On Wednesday, <em>Washington Post<\/em> analyst Josh Rogin <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/x.com\/joshrogin\/status\/2059634806648930614\">posted a screenshot<\/a> of a new kind of attack against Signal users, where hackers pretend to be the <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/download-scripts-themes-apps\/\" data-internallinksmanager029f6b8e52c=\"9\" title=\"Download Scripts &amp; Themes &amp; Apps\" target=\"_blank\" rel=\"noopener\">app<\/a>\u2019s support team and warn the target that their backed-up chats and <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/social-mediaa\/\" data-internallinksmanager029f6b8e52c=\"1\" title=\"Social Media\" target=\"_blank\" rel=\"noopener\">media<\/a> are \u201cat risk of permanent loss due to a sync issue.\u201d To avoid that, the message said, the target needs to share the recovery key that is used to access their online backups in the chat with the hackers.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201cThis links your existing backup to your account. Failure to do this may result in losing access to your account and all stored data,\u201d read the message purporting to come from an account called Signal Support.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-x wp-block-embed-x\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">This is a phishing attempt. If you get this message on Signal, do not follow the instructions. Many anti-CCP activists have also received this phishing attempt. Beware and be aware. <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/t.co\/8J1YDcpUAX\">pic.twitter.com\/8J1YDcpUAX<\/a><\/p>\n<p>\u2014 Josh Rogin (@joshrogin) <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/x.com\/joshrogin\/status\/2059634806648930614?ref_src=twsrc%5Etfw\">May 27, 2026<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p class=\"wp-block-paragraph\">Rogin said that several anti-Chinese Communist Party activists have received this malicious message.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Mohammed Al-Maskati\u2069, the director at Access Now\u2019s Digital Security Helpline, which investigates cyberattacks against journalists, dissidents, and human rights activists, told TechCrunch that two people shared similar messages with him. Al-Maskati said that the two are not Chinese activists. This suggests that the hacking campaign could be more widespread and targeting other communities, or there may be different groups of hackers using the same strategy.<\/p>\n<p class=\"wp-block-paragraph\">It\u2019s not clear how effective the hacking campaign has been. Al-Maskati said that stealing the victim\u2019s recovery keys for their chat backups is only one step in the attack, and that the hackers still have to take over the victim\u2019s account.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">In <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/general\/\" data-internallinksmanager029f6b8e52c=\"3\" title=\"General\" target=\"_blank\" rel=\"noopener\">general<\/a>, this type of attack relies on phishing targets, meaning tricking them into sharing some important and private information with the hackers. In this particular case, the hackers are pretending to be Signal\u2019s support team to exploit the target\u2019s trust in the app and the organization behind it. <\/p>\n<p class=\"wp-block-paragraph\">It\u2019s important to note that Signal <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/support.signal.org\/hc\/en-us\/articles\/6746004451610-Contact-Us#:~:text=Signal%20Support%20will%20never%20reach%20out%20to%20you%20first.%20We%20will%20only%20respond%20if%20contacted.\">says<\/a> it \u201cwill never reach out\u201d to users first, and <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/x.com\/signalapp\/status\/2053957236376961474\/photo\/4\">will never ask<\/a> for their registration code, PIN, or recovery key. That means any chat pretending to be coming from \u201cSignal Support\u201d is actually coming from malicious hackers. The organization <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/bsky.app\/profile\/signal.org\/post\/3mkixc3xidg2u\">has publicly warned<\/a> about this exact type of attacks last month.\u00a0<\/p>\n<div class=\"article-block block--callout block--right has-green-500-background-color\">\n<h4 class=\"block--callout__title\"><span class=\"ez-toc-section\" id=\"Contact_Us\"><\/span>Contact Us<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>\t\t\tDo you have more information about these attacks against Signal users? Or other similar attacks? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.\t\t<\/p><\/div>\n<p class=\"wp-block-paragraph\">While there have been several campaigns of hackers impersonating Signal support in recent months, this is a new type of attack because it specifically targets backups, which can contain a victim\u2019s older chats, photos, and documents.\u00a0\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Previous hacking campaigns targeting Signal users attempted to hijack a victim\u2019s account and then impersonate them, often with the potential goal of stealing the victim\u2019s contacts or starting conversations with other people as if they were the account owner. In these cases, the hackers do not get access to past messages, since the attacks rely on them re-registering the victim\u2019s account on a device they control. Because of how Signal is designed, older messages do not appear on the new device.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Hackers can take over Signal accounts by hijacking someone\u2019s phone number, for example. But Signal offers opt-in security features to protect against that attack such as <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/support.signal.org\/hc\/en-us\/articles\/360007059792-Signal-PIN#manage_registration_lock\">Registration Lock<\/a>, which prevents attackers from linking a target\u2019s number to a new device unless they steal the target\u2019s PIN.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">In that scenario, one way to see older messages would be to access a victim\u2019s online backup, which requires the recovery key. <\/p>\n<p class=\"wp-block-paragraph\">Last year, <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/signal.org\/blog\/introducing-secure-backups\/\">Signal launched Secure Backups<\/a>, a new opt-in feature that lets users upload their account\u2019s contents to Signal\u2019s servers, which are encrypted with a recovery key that the organization says is \u201cnever shared with Signal\u2019s servers,\u201d and \u201cnever leaves\u201d the users\u2019 device. Signal <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/support.signal.org\/hc\/en-us\/articles\/9708267671322-Signal-Secure-Backups#:~:text=Your%20recovery%20key%20is%20always%20in%20your%20hands%3B%20it%20never%20leaves%20your%20device%20and%20is%20never%20shared%20with%20Signal%E2%80%99s%20servers.\">says<\/a> users should store the recovery key securely on a notebook or inside a password manager.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201cWithout your unique recovery key, no one (including Signal) can read, decrypt, or restore any of the data in your Secure Backup Archive,\u201d Signal said.<\/p>\n<p class=\"wp-block-paragraph\">That means only the user can access their archive in a scenario where they register their account on a new phone, download the encrypted backup from Signal\u2019s servers, and then decrypt it with the recovery key.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Signal did not respond to a request for comment.<\/p>\n<\/div>\n<p><em>When you purchase through links in our articles, we may earn a small commission. This doesn\u2019t affect our editorial independence.<\/em><\/p>\n<p><script async src=\"\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote><p><strong><span style=\"color: #ff6600;\">If you liked the article, do not forget to share it with your friends. Follow us on\u00a0<span style=\"color: #ff0000;\"><a style=\"color: #ff0000;\" href=\"https:\/\/news.google.com\/publications\/CAAqBwgKMN63nwsw68G3Aw\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Google News<\/a><\/span>\u00a0too, click on the star and choose us from your favorites.<\/span><\/strong><\/p><\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\"><strong>If you want to read more like this article, you can visit our <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/buradabiliyorum.com\/en\/category\/technology\/\" target=\"_blank\" >Technology<\/a><\/span> category.<\/strong><\/p>\n<\/blockquote>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/techcrunch.com\/2026\/05\/28\/hackers-are-trying-to-steal-signal-users-backups-in-new-wave-of-phishing-attacks\/\" target=\"_blank\" >Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers are targeting Signal users in an attempt to steal their chat backups as part of a new hacking campaign, TechCrunch has learned.\u00a0 On Wednesday, Washington Post analyst Josh Rogin posted a screenshot of a new kind of attack against Signal users, where hackers pretend to be the app\u2019s support team and warn the target&#8230;<\/p>\n","protected":false},"author":1,"featured_media":730117,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/techcrunch.com\/wp-content\/uploads\/2026\/05\/signal-app-icon-phone.jpg?resize=1200,800","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[15047,70375,61594,70944,70513,72287,90583,81180],"class_list":["post-730116","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology","tag-privacy","tag-cybersecurity","tag-exclusive","tag-hackers","tag-hacking","tag-security","tag-signal","tag-surveillance"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/730116","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=730116"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/730116\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/730117"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=730116"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=730116"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=730116"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}