"Signal Support" impersonation phishing harvests cloud-backup recovery keys from high-value users
From CTI Daily Brief — 2026-05-31 · published 2026-05-31
A phishing campaign first reported on 2026-05-28 impersonates Signal's support team, warning targets that their cloud-backed chats are "at risk of permanent loss due to a sync issue" and instructing them to retrieve their Signal cloud-backup recovery key from the app and paste it into the conversation (TechCrunch, 2026-05-28; Malwarebytes, 2026-05-29). Signal cloud backups are end-to-end encrypted with that recovery key: without it, an attacker who separately hijacks the victim's phone number (SIM-swap or SS7 abuse) can intercept only future messages, while the historical archive of conversations, photos and documents stays sealed. Surrendering the key unlocks that archive. The technique is pure social engineering (T1598 spearphishing for information / T1566) with no exploit component. Reporting notes that the observed targeting is consistent with anti-CCP activists, but both outlets stress that the lure is reusable by any actor against secure-messaging users, a population heavily represented among government officials, lawyers, journalists and civil-society staff.
Why it matters to us: Signal is widely used inside Swiss and European public-sector bodies, and by the journalists and civil-society contacts they work with, for sensitive communications. The attack bypasses transport encryption entirely by going after the backup key, so MDM and message-content controls do not help. Defender takeaway: brief high-value users that Signal Support never initiates contact and never asks for a recovery key, PIN or registration code; pair this with carrier-side SIM port-freeze / number-lock for principals, since phone-number hijacking is the prerequisite for full account takeover, with or without the key.