ctipilot.ch

Daily brief 2026-05-31

"Signal Support" impersonation phishing harvests cloud-backup recovery keys from high-value users

high threat discovered 2026-05-31 05:00 UTC

Part of run 2026-05-31-d742bed9 (intel · Claude Opus 4.8)

A phishing campaign first reported on 2026-05-28 impersonates Signal's support team. Targets are warned that their cloud-backed-up chats are "at risk of permanent loss due to a sync issue" and told to open the app, retrieve their Signal cloud-backup recovery key and paste it into the conversation (TechCrunch, 2026-05-28; Malwarebytes, 2026-05-29). Signal cloud backups are end-to-end encrypted under that recovery key. Without it, an attacker who separately hijacks the victim's phone number (SIM swap or SS7 abuse) can at most receive messages sent to the number after the hijack; the historical archive of conversations, photos and documents stays sealed. Handing over the key unlocks that archive.

The technique is pure social engineering (ATT&CK T1598 Phishing for Information / T1566 Phishing) with no exploit component. Reporting notes targeting consistent with anti-CCP activists, but both outlets stress that the lure is reusable by any actor against secure-messaging users, a population heavily represented among government officials, lawyers, journalists and civil-society staff.

Why it matters to us: Signal is widely used inside Swiss and European public-sector bodies and by the journalists and civil-society contacts they work with for sensitive communications. The attack leaves Signal's transport encryption untouched and goes after the backup key instead, so MDM policies and message-content controls offer no protection; the user is the only control point. Defender takeaway: brief high-value users that Signal Support never initiates contact and never asks for a recovery key, PIN or registration code, that the recovery key is only ever entered into the app's own restore flow, and that any request for it, whether it arrives inside Signal or by any other channel, is to be treated and reported as phishing. A key that has been disclosed should be treated as full exposure of the backup archive. Pair this with Signal's Registration Lock (the Signal PIN), which blocks re-registration of the number without the PIN, and with carrier-side SIM port-freeze / number-lock for principals, since phone-number hijacking on its own already lets an attacker re-register the live account; a stolen recovery key adds the historical archive on top.

“A new hacking campaign is trying to trick Signal users to give up their secret recovery key, which can be used to access online backups containing past messages” — TechCrunch

“Signal says it 'will never reach out' to users first, and will never ask for their registration code, PIN, or recovery key” — Malwarebytes

Tags: phishing · identity · mobile · global