Hackers are trying to steal Signal users’ backups in new wave of phishing attacks
Hackers are targeting Signal users in an attempt to steal their chat backups as part of a new hacking campaign, TechCrunch has learned.
On Wednesday, Washington Post analyst Josh Rogin posted a screenshot of a new kind of attack against Signal users, where hackers pretend to be the app’s support team and warn the target that their backed-up chats and media are “at risk of permanent loss due to a sync issue.”
To avoid that, the message said, the target needs to share the recovery key that is used to access their online backups in the chat with the hackers. “This links your existing backup to your account. Failure to do this may result in losing access to your account and all stored data,” read the message purporting to come from an account called Signal Support.
“This is a phishing attempt. If you get this message on Signal, do not follow the instructions. Many anti-CCP activists have also received this phishing attempt. Beware and be aware.” pic.twitter.com/8J1YDcpUAX — Josh Rogin (@joshrogin) May 27, 2026
Rogin said that several anti-Chinese Communist Party activists have received this malicious message. Mohammed Al-Maskati, the director at Access Now’s Digital Security Helpline, which investigates cyberattacks against journalists, dissidents, and human rights activists, told TechCrunch that two people shared similar messages with him.
Al-Maskati said that the two are not Chinese activists. This suggests that the hacking campaign could be more widespread and targeting other communities, or there may be different groups of hackers using the same strategy.
It’s not clear how effective the hacking campaign has been. Al-Maskati said that stealing the victim’s recovery keys for their chat backups is only one step in the attack, and that the hackers still have to take over the victim’s account.
In general, this type of attack relies on phishing targets, meaning tricking them into sharing some important and private information with the hackers. In this particular case, the hackers are pretending to be Signal’s support team to exploit the target’s trust in the app and the organization behind it.
It’s important to note that Signal says it “will never reach out” to users first, and will never ask for their registration code, PIN, or recovery key. That means any chat pretending to be coming from “Signal Support” is actually coming from malicious hackers. The organization publicly warned about this exact type of attack last month.
While there have been several campaigns of hackers impersonating Signal support in recent months, this is a new type of attack because it specifically targets backups, which can contain a victim’s older chats, photos, and documents.
Previous hacking campaigns targeting Signal users attempted to hijack a victim’s account and then impersonate them, often with the potential goal of stealing the victim’s contacts or starting conversations with other people as if they were the account owner.
In these cases, the hackers do not get access to past messages, since the attacks rely on them re-registering the victim’s account on a device they control. Because of how Signal is designed, older messages do not appear on the new device.
Hackers can take over Signal accounts by hijacking someone’s phone number, for example. But Signal offers opt-in security features to protect against that, such as Registration Lock, which prevents attackers from linking a target’s number to a new device unless they steal the target’s PIN.
In that scenario, one way to see older messages would be to access a victim’s online backup, which requires the recovery key. Last year, Signal launched Secure Backups, a new opt-in feature that lets users upload their account’s contents to Signal’s servers. The uploaded contents are encrypted with a recovery key that the organization says is “never shared with Signal’s servers,” and “never leaves” the user’s device.
Signal says users should store the recovery key securely on a notebook or inside a password manager. “Without your unique recovery key, no one (including Signal) can read, decrypt, or restore any of the data in your Secure Backup Archive,” Signal said.
That means only the user can access their archive in a scenario where they register their account on a new phone, download the encrypted backup from Signal’s servers, and then decrypt it with the recovery key. Signal did not respond to a request for comment.