FBI: Russian hackers now steal Signal backup recovery keys

Huma Shazia | June 27, 2026 at 4:02 AM | 5 min read

Key Takeaways

Source: BleepingComputer
  • Russian hackers now target Signal backup recovery keys instead of just verification codes, allowing access to historical messages
  • Creating a new Signal account does not invalidate a stolen recovery key; users must generate a new key in backup settings
  • The campaign targets high-value individuals: government officials, military personnel, journalists, and Ukraine-based officials

The FBI and CISA issued an updated warning on June 26, 2026: Russian intelligence operatives have shifted their Signal phishing campaign from stealing verification codes to stealing backup recovery keys. The change is significant. With a recovery key, attackers can restore a victim's entire message history to their own device, bypassing Signal's end-to-end encryption entirely.

The joint advisory updates a March 2026 alert about Russian threat actors targeting users of commercial messaging apps. Three months later, the attackers have refined their approach. They still impersonate Signal support, but now the goal is to trick targets into handing over the one credential that unlocks everything.

Who is being targeted?

The FBI says the campaign focuses on "individuals of high intelligence value." That list includes current and former U.S. and international government officials, military personnel, political figures, journalists, and officials based in Ukraine. The agencies attribute the activity to Russian Intelligence Services, specifically officers embedded with Russia's Federal Security Service (FSB) Border Guards and actors working for the Russian military.

Security researchers track this activity under two designations: UNC5792 and UNC4221.

How the phishing attack works

The attackers pose as Signal's support team and send messages claiming the platform is introducing mandatory two-factor verification. The pretext: an alleged wave of attacks by hackers from Iran and post-Soviet countries. The phishing message instructs targets to enable Signal backups and view their recovery key.

Not to lose your messages and media, set up your Signal Backup (Settings -> Backups -> Enable backups -> View recovery key -> Copy to clipboard -> Next -> Enter the recovery key -> Next -> Continue -> Choose your backup plan). Click the 'Accept' button in the pop-up and stay tuned for security updates on our messenger.

— Phishing message cited by FBI

When users follow these instructions, Signal's Secure Backups feature stores encrypted copies of their conversations on Signal's cloud servers. The data is protected by the recovery key. That key is the target.

A second phishing message follows. Still posing as Signal support, the attackers warn that the user's data faces permanent loss due to a synchronization issue. They prompt the target to copy the recovery key and paste it into the chat. Once submitted, the attackers restore the backup to their own devices and gain full access to the victim's message history, including private and group conversations.

Why a new account does not fix this

The FBI highlighted a recovery scenario that victims often miss. If an attacker obtains your backup recovery key, creating a new Signal account with the same phone number does not invalidate the stolen key. The old key still works for downloading backups created before the compromise.

Users must generate a new backup recovery key through Signal's backup settings. This invalidates the previous key for future backup downloads. But there is a catch: generating a new key does not prevent attackers from accessing backups they already downloaded. Once exfiltrated, that data is gone.

How to spot the phishing attempt

  • Legitimate Signal support communicates only through official company email addresses.
  • Signal never requests verification codes or recovery keys within the app.
  • Signal does not send links asking users to verify or restore their accounts.
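The indicators above can be turned into a first-pass triage rule for messages that staff report. The following is an added example, not code from the FBI, CISA, Signal, or the original article; the regex wording, the `triage` function, and all sample messages except the one quoted from the advisory are assumptions made for illustration.

```python
import re

# Indicator names follow the advisory's guidance; the patterns themselves are
# this example's assumptions about wording, not an official signature set.
INDICATORS = {
    "claims_support": re.compile(r"\bsignal\b.{0,40}\b(support|security)\b", re.I),
    "asks_secret": re.compile(r"\b(recovery key|verification code)\b", re.I),
    "share_action": re.compile(r"\b(paste|send|enter|copy|share)\b", re.I),
    "backup_walkthrough": re.compile(r"settings\s*->\s*backups|view recovery key", re.I),
    "urgency": re.compile(r"permanent loss|lose your messages|synchroni[sz]ation issue|mandatory", re.I),
    "link": re.compile(r"https?://\S+", re.I),
}

def triage(message: str) -> dict:
    """Score one in-app message against the indicators listed in the article."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(message))
    # Signal never asks for a recovery key or verification code in the app, so a
    # secret named together with a copy/paste step or the backup menu path is decisive.
    wants_secret = "asks_secret" in hits and (
        "share_action" in hits or "backup_walkthrough" in hits)
    if wants_secret:
        verdict = "phishing"
    elif len(hits) >= 2:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "hits": hits}

# First message: text quoted in the article. The rest are constructed samples.
FBI_CITED = ("Not to lose your messages and media, set up your Signal Backup "
             "(Settings -> Backups -> Enable backups -> View recovery key -> "
             "Copy to clipboard -> Next -> Enter the recovery key -> Next)")
SECOND_STAGE = ("Signal Support: a synchronization issue may cause permanent loss "
                "of your data. Copy your recovery key and paste it into this chat.")
LINK_LURE = "Signal security notice: verify your account at https://example.invalid/verify"
BENIGN = "Can you send me the slides from Tuesday?"

if __name__ == "__main__":
    for sample in (FBI_CITED, SECOND_STAGE, LINK_LURE, BENIGN):
        print(triage(sample)["verdict"], "-", sample[:50])
```

A keyword rule like this only prioritizes reports for a human reviewer; the advisory's own rule still applies, that any in-app request for a recovery key or verification code is fraudulent whatever its wording.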

The FBI encourages anyone who believes they fell victim to this campaign to report the incident to the FBI's Internet Crime Complaint Center (IC3), a local FBI field office, or CISA.

What security teams should do now

For organizations with personnel using Signal for sensitive communications, this is a training moment. The attack does not break encryption. It exploits trust. Employees who handle confidential information need to understand that recovery keys function like master passwords. They should never be shared with anyone, regardless of what the message claims.

Security teams should also audit which personnel use cloud-backed messaging for work communications. Signal's encrypted backups are convenient, but they create a single point of failure. If your threat model includes state-level adversaries, disabling cloud backups entirely may be the right call.

Logicity's Take

This attack confirms a pattern: when encryption is too strong to break, adversaries target the human layer. For CISOs, the lesson is not that Signal is insecure. It is that any credential protecting historical data becomes a high-value target. Organizations with sensitive communications should evaluate whether cloud backups are necessary at all. Alternatives like local-only backups (available in Signal's settings) or enterprise-focused secure messaging platforms like Wickr (now AWS Wickr, with enterprise admin controls) or Element (Matrix-based, with self-hosted options) may offer better control for high-risk users. The tradeoff is usability. But when Russian intelligence services are actively hunting your backup keys, usability is not the primary concern.

Frequently Asked Questions

What is a Signal backup recovery key?

A Signal backup recovery key is a credential that protects encrypted backups of your Signal messages stored on Signal's cloud servers. Anyone with this key can restore your message history to their own device.

Can Russian hackers break Signal's encryption?

No. This campaign does not break Signal's end-to-end encryption. Instead, attackers use social engineering to trick users into handing over their backup recovery keys, which bypasses encryption entirely.

Does creating a new Signal account protect me if my recovery key was stolen?

No. A new account does not invalidate the stolen key. You must generate a new backup recovery key in Signal's settings. However, attackers can still access backups they already downloaded before you changed the key.

How do I know if a Signal message is a phishing attempt?

Signal support never contacts users within the app, never requests recovery keys or verification codes, and never sends links to verify accounts. Any message doing so is fraudulent.

Who is being targeted by this Russian phishing campaign?

The FBI says targets include current and former government officials, military personnel, political figures, journalists, and officials located in Ukraine. The campaign focuses on individuals of high intelligence value.

Huma Shazia

Senior AI & Tech Writer

Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
