FBI Warns Russian Intelligence Hackers Are Targeting Signal Backup Recovery Keys


The FBI and CISA are warning that Russian intelligence-linked hackers are trying to trick high-value targets into sharing Signal Backup Recovery Keys.

The updated FBI and CISA advisory says the phishing campaign targets commercial messaging applications, including Signal and WhatsApp. The newest tactic focuses on Signal’s backup feature and asks victims to hand over the key that protects their message archive.

If attackers get that key, they may be able to restore the victim’s backup, view historical private and group messages, and take over the account. The agencies stress that the campaign does not break Signal’s encryption or the app itself. It abuses trust, account workflows, and legitimate recovery features.

What Changed in the New Warning

The June 26, 2026 update expands a March warning about Russian intelligence services targeting secure messaging accounts. The advisory now names two public tracking labels, UNC5792 and UNC4221.

The FBI says multiple Russian Intelligence Services clusters are involved, including Federal Security Service officers embedded with FSB Border Guards and actors working on behalf of Russian military services. The campaign targets people whose communications may have intelligence value.

The warning says attackers still request verification codes and account PINs, but they now also push victims to enable Signal backups and paste the Backup Recovery Key into a chat. That changes the risk from account linking to possible access to saved message history.

Why the Signal Recovery Key Matters

Item | Why it matters
Backup Recovery Key | Protects access to a Signal Secure Backup archive
Message history | May include private chats, group chats, and media stored in backups
Account takeover risk | Attackers may use the key to restore account data and control the account
Old key risk | A shared key can remain useful unless the user generates a new one
Encryption status | The campaign does not defeat Signal encryption

Signal says Secure Backups are optional and protected by a cryptographically secure 64-character recovery key. Signal also says the recovery key never leaves the device and is not shared with Signal’s servers.

That design protects users from server-side access, but it also means the recovery key becomes extremely sensitive. If a target voluntarily shares it in a chat, the attacker can use a legitimate recovery path rather than breaking encryption.

The agencies say users who shared a Backup Recovery Key should generate a new one in Signal settings. This invalidates the old key for future backup downloads, but it cannot undo any backup the attacker may have already downloaded.

Who Is Being Targeted?

The campaign focuses on individuals with intelligence value, not ordinary mass phishing victims. Targets include current and former U.S. and international government officials, military personnel, political figures, journalists, and key officials in Ukraine.

The U.S. State Department’s Rewards for Justice notice says UNC5792 has targeted Signal and WhatsApp accounts belonging to U.S. government officials, military leadership, and allied personnel. It also offers up to $10 million for information that helps identify or locate relevant actors tied to malicious cyber activity against U.S. critical infrastructure.

The campaign matters because secure messaging apps often carry sensitive conversations between officials, diplomats, military personnel, policy advisers, journalists, researchers, and organizations supporting Ukraine.

How the Phishing Messages Work

The phishing messages pose as automated Signal support or security notices. They claim the user must verify the account, enable backups, prevent data loss, or follow a new security process.

One sample message in the updated public service announcement tells the victim to open Signal backups, view the recovery key, copy it, and paste it into the chat. Another frames the request as a mandatory security update.

Legitimate support teams do not ask users to paste recovery keys, PINs, or verification codes inside a messaging app. Any in-app message claiming to be Signal support and requesting those details should be treated as malicious.
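
As an added example (not code from the advisory, Signal, or this site), here is a triage heuristic a security team could run over messages that staff report as suspicious. It flags the lure traits described above and checks whether a reported conversation already contains a key-shaped string, which would mean the key must be regenerated. The regexes, the sample texts and the assumed key alphabet and grouping are illustrative assumptions; the page states only that the key is 64 characters.

```python
import re

# Assumption: the page only states the key is 64 characters. The alphanumeric
# alphabet and optional 4-character grouping below are illustrative guesses.
KEY_LIKE = re.compile(
    r"(?<![A-Za-z0-9])(?:[A-Za-z0-9]{4}[ \n-]?){15}[A-Za-z0-9]{4}(?![A-Za-z0-9])"
)
SUPPORT_CLAIM = re.compile(r"signal (support|security)|support (team|bot)", re.I)
PRETEXT = re.compile(
    r"verify your account|enable backups?|data loss|security (update|process)", re.I
)
SECRET_TERM = re.compile(r"recovery key|verification code|\bpin\b", re.I)
ASK_VERB = re.compile(r"\b(paste|send|share|copy|enter|reply with)\b", re.I)

# Constructed samples (not quoted from the advisory).
SAMPLE_LURE = (
    "Signal Support: to prevent data loss, enable backups, "
    "copy your recovery key and paste it into this chat."
)
SAMPLE_BENIGN = "Lunch at noon? I lost my PIN for the bike lock again."
SAMPLE_KEY = (  # constructed, random-looking, 16 groups of 4
    "k3f9 x2lm 8qa7 zz41 p0de r5tu 6hnb w9c2 "
    "j4ys 1vgo e7ik m3q8 b2xa 9tlr d6wp u0hz"
)


def has_key_like(text):
    """True if text holds a 64-character run mixing letters and digits."""
    for m in KEY_LIKE.finditer(text):
        raw = re.sub(r"[ \n-]", "", m.group())
        # Random keys mix letters and digits; 16 four-letter words do not.
        # Hex digests (e.g. SHA-256) also match, so expect false positives.
        if re.search(r"\d", raw) and re.search(r"[A-Za-z]", raw):
            return True
    return False


def inbound_reasons(text):
    """List the traits of the described lure found in an incoming message."""
    reasons = []
    if SUPPORT_CLAIM.search(text):
        reasons.append("claims to be support")
    if PRETEXT.search(text):
        reasons.append("uses a known pretext")
    if SECRET_TERM.search(text) and ASK_VERB.search(text):
        reasons.append("asks for a secret")
    return reasons
```

A message that trips all three reasons matches the pattern in the advisory; a reported conversation where has_key_like returns True should be handled as a confirmed key exposure.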

Russian-Linked Messaging Attacks Are Evolving

This update builds on earlier research into Russian-aligned operations against secure messaging apps. In February 2025, Google Threat Intelligence Group reported increasing efforts by several Russia state-aligned threat actors to compromise Signal accounts used by people of interest to Russian intelligence services.

Google’s report described earlier phishing campaigns that abused Signal’s linked-device feature. In those cases, attackers used malicious QR codes or modified group invite pages to link a victim’s account to an attacker-controlled device.

The newest backup-key tactic is different because it targets stored message history. Instead of only receiving future messages through a linked device, the attacker tries to obtain the key that can open the backup archive.

What Users Should Do Now

  • Do not trust in-app messages claiming to be Signal support.
  • Never paste a Backup Recovery Key, verification code, or PIN into any chat.
  • Open Signal settings and review linked devices.
  • Remove any linked device you do not recognize.
  • Generate a new Backup Recovery Key if you shared the old one.
  • Assume any backup already restored by an attacker has been exposed.
  • Report suspected phishing attempts to the appropriate authorities.

Signal’s backup guidance makes clear that the recovery key is required to decrypt and restore a secure backup archive. Users should store it safely and should never send it to another person or account.

People in government, defense, journalism, diplomacy, aid work, and Ukraine-related organizations should use extra caution. They should also brief staff that secure messaging apps can still become targets through social engineering, even when encryption remains intact.

What Organizations Should Tell Staff

Risk | Recommended message to staff
Fake support chats | Signal, WhatsApp, or other app support will not ask for codes or keys inside the app
Recovery key theft | A recovery key should stay private and should never be pasted into a conversation
Linked-device abuse | Review linked devices often and remove anything unfamiliar
Account compromise | Report suspicious messages quickly so security teams can help contain damage

The Rewards for Justice program says these actors have used social engineering to exploit legitimate device-linking features and gain unauthorized access to sensitive communications, contact lists, and group conversations.

The same broader tradecraft has appeared across Signal, WhatsApp, and Telegram, according to the Google Threat Intelligence research. That means users should apply the same rule across messaging apps: never share security codes, account PINs, QR pairing prompts, or backup recovery keys through chat.

FAQ

What is the FBI warning about Signal Backup Recovery Keys?

The FBI and CISA warn that Russian intelligence-linked actors are phishing high-value targets and asking them to share Signal Backup Recovery Keys. If attackers obtain the key, they may be able to restore the victim’s backup and access historical messages.

Does this attack break Signal encryption?

No. The FBI and CISA say the attackers compromise individual accounts through social engineering. The campaign does not break Signal’s encryption or exploit the app’s encryption protections.

What should I do if I shared my Signal Backup Recovery Key?

Generate a new Backup Recovery Key in Signal settings immediately. This invalidates the old key for future backup downloads, but it cannot reverse any backup access that may have already happened.

Who is being targeted in this campaign?

The campaign targets individuals with high intelligence value, including government officials, military personnel, political figures, journalists, Ukrainian officials, diplomats, and allied personnel.

How can I protect my Signal account?

Ignore in-app messages claiming to be Signal support, never share recovery keys or verification codes, review linked devices, remove unfamiliar devices, and keep Signal updated.
