TLDR
Criminals are targeting Signal users with SMS phishing that impersonates Signal Support and tricks victims into handing over their 64-character backup recovery key. Once shared, attackers can download and decrypt the user's entire...
How it works
Criminals are targeting Signal users with SMS phishing that impersonates Signal Support and tricks victims into handing over their 64-character backup recovery key. Once shared, attackers can download and decrypt the user's entire...
Red flags
- Unsolicited message claiming to be from Signal Support asking for your recovery key
- Urgent threats of permanent data loss pressuring immediate action
- Instruction to paste a secret key directly into a chat conversation
What to do
- Never share recovery keys, PINs, SMS codes, or MFA secrets with anyone, including 'support'
- Open the Signal app directly, not via links in the message, to verify any warning
- Enable registration lock, registration PIN, and disappearing messages for extra protection
Source
Malwarebytes
Source reviewed by Mythos Forensic Team
https://www.malwarebytes.com/blog/news/2026/05/signal-users-targeted-in-backup-stealing-phishing-attacks
FAQ
Is "Phishing campaign steals Signal backup recovery keys via fake support messages" a real scam pattern?
Yes. Treat the message, call, or payment request as suspicious until you verify it through an official channel.
What are the first warning signs?
- Unsolicited message claiming to be from Signal Support asking for your recovery key
- Urgent threats of permanent data loss pressuring immediate action
- Instruction to paste a secret key directly into a chat conversation
What should I do first?
- Never share recovery keys, PINs, SMS codes, or MFA secrets with anyone, including 'support'
- Open the Signal app directly, not via links in the message, to verify any warning
- Enable registration lock, registration PIN, and disappearing messages for extra protection