
Hackers Are Posing as Signal Support to Steal Your Backup

A Signal phishing wave is tricking users into pasting their backup recovery keys to fake Support. What Malaysian users should do now.

If you use Signal, spotting a scam just got harder. Attackers are now posing as Signal's own support team and asking users to hand over the recovery key that protects their encrypted chat backups, a single string that unlocks everything stored in that backup.

The attack first surfaced on 27 May, when Washington Post analyst Josh Rogin posted a screenshot of a fake "Signal Support" message warning that the target's backup was at risk of "permanent loss due to a sync issue." To stop the loss, the message said, the user just had to paste their recovery key into the chat. According to TechCrunch, the campaign first hit anti-Chinese Communist Party activists, but Access Now's Digital Security Helpline has since seen the same pattern in unrelated communities.

Signal president Meredith Whittaker told TechCrunch the company is "working on mitigations here, and monitoring." The organisation also reminds users that it "will never reach out" first, and will never ask for a registration code, PIN, or recovery key. Any message from a "Signal Support" account is from someone pretending to be Signal.

Editor: Kai T

Tech editor at ProductNation Malaysia. Covers the latest in gadgets, apps, AI, and consumer tech, turning press releases into stor ...

Why Malaysian Signal Users Should Care

Signal has quietly become the messenger of choice for many Malaysian journalists, lawyers, civil-society researchers, and a growing band of privacy-conscious professionals. It is also where many sources pass leaks to local newsrooms. A stolen backup in this country does not just compromise a personal photo album. It can expose months of attributable conversations with people who chose Signal precisely because they wanted attribution to be impossible.

The local scam landscape makes the threat worse. Phishing accounted for around 69 percent of cyber fraud incidents reported to MyCERT in Q2 2025, the largest single category in the country. Bank Negara Malaysia has issued repeated warnings about phishing schemes using its name, including campaigns that pushed fake BNM apps designed to harvest banking credentials. Malaysians are already heavily targeted by social engineering. A Signal-flavoured one looks no different to the eye, and the payoff for the attacker is far larger than a single banking session.

What Actually Gets Stolen

Signal's Secure Backups feature, launched last year, lets users upload an encrypted copy of their chat history to Signal's own servers. The recovery key is the only thing that can decrypt that archive, and Signal says the key never leaves the user's device or touches Signal's servers. Without it, even Signal cannot read the backup.

That is the whole point of the attack. Taking over someone's Signal account through a SIM swap or phone-number hijack used to be the worst case, and even that left the attacker with an empty history, because Signal does not keep delivered messages on its servers and a freshly registered device starts with no chats. The recovery key changes that. An attacker who registers a new device and has the key can download the encrypted backup from Signal's servers and decrypt it to read every old chat, image, and document. For a journalist's source list, an activist's organising chat, or a lawyer's client conversations, that is a full disclosure rather than a partial one.

What Malaysian Users Should Do Now

Three steps are within reach today. First, store the recovery key somewhere that is not a phone screenshot: a password manager or a printed copy in a notebook, which is what Signal recommends. Second, switch on Registration Lock in Signal's settings so that an attacker who hijacks the phone number still needs the Signal PIN to register a new device. Third, treat any incoming message from "Signal Support" as a phishing attempt by default, regardless of how technical or urgent it sounds, and never paste the recovery key, PIN, or registration code into a chat.

The campaign is also a reminder for organisations. Under Malaysia's amended Personal Data Protection Act, a breach involving personal data must be notified to the regulator within 72 hours and, where it is likely to cause significant harm, to affected individuals within 7 days. If the compromised Signal account runs on a company-issued device, or holds client or staff data the organisation is responsible for, the breach clock starts the moment the organisation learns the recovery key has left the user's hands.

Signal already warned about this exact pattern last month. The reason the warning needs repeating is that the trick works for the same reason every banking phishing campaign in Malaysia has worked for the past five years. The platform changes. The instinct to trust the brand does not.
