FBI Warns Russian Intelligence Hackers Are Targeting Signal Backup Recovery Keys
The FBI and CISA are warning that Russian intelligence-linked hackers are trying to trick high-value targets into sharing Signal Backup Recovery Keys.
The updated FBI and CISA advisory says the phishing campaign targets commercial messaging applications, including Signal and WhatsApp. The newest tactic focuses on Signal’s backup feature and asks victims to hand over the key that protects their message archive.
If attackers get that key, they may be able to restore the victim’s backup, view historical private and group messages, and take over the account. The agencies stress that the campaign does not break Signal’s encryption or the app itself. It abuses trust, account workflows, and legitimate recovery features.
What Changed in the New Warning
The June 26, 2026 update expands a March warning about Russian intelligence services targeting secure messaging accounts. The advisory now names two public tracking labels, UNC5792 and UNC4221.
The FBI says multiple Russian Intelligence Services clusters are involved, including Federal Security Service officers embedded with FSB Border Guards and actors working on behalf of Russian military services. The campaign targets people whose communications may have intelligence value.
The warning says attackers still request verification codes and account PINs, but they now also push victims to enable Signal backups and paste the Backup Recovery Key into a chat. That changes the risk from account linking to possible access to saved message history.
Why the Signal Recovery Key Matters
| Item | Why it matters |
|---|---|
| Backup Recovery Key | Protects access to a Signal Secure Backup archive |
| Message history | May include private chats, group chats, and media stored in backups |
| Account takeover risk | Attackers may use the key to restore account data and control the account |
| Old key risk | A shared key can remain useful unless the user generates a new one |
| Encryption status | The campaign does not defeat Signal encryption |
Signal says Secure Backups are optional and protected by a cryptographically secure 64-character recovery key. Signal also says the recovery key never leaves the device and is not shared with Signal’s servers.
That design protects users from server-side access, but it also means the recovery key becomes extremely sensitive. If a target voluntarily shares it in a chat, the attacker can use a legitimate recovery path rather than breaking encryption.
The agencies say users who shared a Backup Recovery Key should generate a new one in Signal settings. This invalidates the old key for future backup downloads, but it cannot undo any backup the attacker may have already downloaded.
Who Is Being Targeted?
The campaign focuses on individuals with intelligence value, not ordinary mass phishing victims. Targets include current and former U.S. and international government officials, military personnel, political figures, journalists, and key officials in Ukraine.
The U.S. State Department’s Rewards for Justice notice says UNC5792 has targeted Signal and WhatsApp accounts belonging to U.S. government officials, military leadership, and allied personnel. It also offers up to $10 million for information that helps identify or locate relevant actors tied to malicious cyber activity against U.S. critical infrastructure.
The campaign matters because secure messaging apps often carry sensitive conversations between officials, diplomats, military personnel, policy advisers, journalists, researchers, and organizations supporting Ukraine.
How the Phishing Messages Work
The phishing messages pose as automated Signal support or security notices. They claim the user must verify the account, enable backups, prevent data loss, or follow a new security process.
One sample message in the updated public service announcement tells the victim to open Signal backups, view the recovery key, copy it, and paste it into the chat. Another frames the request as a mandatory security update.
Legitimate support teams do not ask users to paste recovery keys, PINs, or verification codes inside a messaging app. Any in-app message claiming to be Signal support and requesting those details should be treated as malicious.
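The rule above can be turned into a triage check for messages that staff report to a security team. The Python below is an added example, not code from the FBI and CISA advisory or from Signal; the word lists, the `score_message` function and the sample messages are assumptions constructed for illustration.

```python
import re

# Word lists are assumptions built from the lure described above, not an official rule set.
SECRET = re.compile(r"\b(backup recovery key|recovery key|verification code|pin)\b", re.I)
ACTION = re.compile(r"\b(paste|send|share|reply with|enter|provide|copy|type)\b", re.I)
SUPPORT = re.compile(r"\b(signal|whatsapp)\s+(support|security)\b", re.I)
# A negation up to three words before the verb ("never paste", "will not ask you to share").
NEGATED = re.compile(r"\b(never|do not|don['’]t|will not|won['’]t|should not)\s+(\w+\s+){0,3}$", re.I)
PRONOUN = re.compile(r"\b(it|them)\b", re.I)

def score_message(text):
    """Classify one reported chat message as malicious, suspicious or benign."""
    reasons, last_secret = [], None
    for sentence in re.split(r"(?<=[.!?])\s+", text.strip()):
        found = SECRET.search(sentence)
        # "Then paste it here" points back at a secret named in the previous sentence.
        target = found.group(0) if found else (last_secret if PRONOUN.search(sentence) else None)
        last_secret = found.group(0) if found else None
        # Staff briefings reuse the lure's vocabulary, so negated verbs are dropped.
        verbs = [m.group(0) for m in ACTION.finditer(sentence)
                 if not NEGATED.search(sentence[:m.start()])]
        if target and verbs:
            reasons.append(f"asks to {verbs[0].lower()} the {target.lower()}")
    if not reasons:
        return "benign", reasons
    # Per the advisory: a claimed support identity plus a request for a secret is malicious.
    return ("malicious" if SUPPORT.search(text) else "suspicious"), reasons

# Constructed sample messages, not quoted from the advisory.
SAMPLES = [
    "Signal Support: a mandatory security update requires backups. "
    "Open Settings, view your recovery key, copy it, and paste it into this chat.",
    "Reminder from IT: never paste your recovery key or PIN into any chat. "
    "Signal support will not ask you to share your verification code.",
    "Hey, can you send me your verification code? I got locked out.",
    "This is Signal Security. View your backup recovery key in Settings. "
    "Then paste it here to prevent data loss.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(score_message(msg), "|", msg[:60])
```

The check is a keyword heuristic for sorting reports, so a "benign" verdict means only that none of these patterns matched.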
Russian-Linked Messaging Attacks Are Evolving
This update builds on earlier research into Russian-aligned operations against secure messaging apps. In February 2025, Google Threat Intelligence Group reported increasing efforts by several Russia state-aligned threat actors to compromise Signal accounts used by people of interest to Russian intelligence services.
Google’s report described earlier phishing campaigns that abused Signal’s linked-device feature. In those cases, attackers used malicious QR codes or modified group invite pages to link a victim’s account to an attacker-controlled device.
The newest backup-key tactic is different because it targets stored message history. Instead of only receiving future messages through a linked device, the attacker tries to obtain the key that can open the backup archive.
What Users Should Do Now
- Do not trust in-app messages claiming to be Signal support.
- Never paste a Backup Recovery Key, verification code, or PIN into any chat.
- Open Signal settings and review linked devices.
- Remove any linked device you do not recognize.
- Generate a new Backup Recovery Key if you shared the old one.
- Assume any backup already restored by an attacker has been exposed.
- Report suspected phishing attempts to the appropriate authorities.
Signal’s backup guidance makes clear that the recovery key is required to decrypt and restore a secure backup archive. Users should store it safely and should never send it to another person or account.
People in government, defense, journalism, diplomacy, aid work, and Ukraine-related organizations should use extra caution. They should also brief staff that secure messaging apps can still become targets through social engineering, even when encryption remains intact.
What Organizations Should Tell Staff
| Risk | Recommended message to staff |
|---|---|
| Fake support chats | Signal, WhatsApp, or other app support will not ask for codes or keys inside the app |
| Recovery key theft | A recovery key should stay private and should never be pasted into a conversation |
| Linked-device abuse | Review linked devices often and remove anything unfamiliar |
| Account compromise | Report suspicious messages quickly so security teams can help contain damage |
The Rewards for Justice program says these actors have used social engineering to exploit legitimate device-linking features and gain unauthorized access to sensitive communications, contact lists, and group conversations.
The same broader tradecraft has appeared across Signal, WhatsApp, and Telegram, according to the Google Threat Intelligence research. That means users should apply the same rule across messaging apps: never share security codes, account PINs, QR pairing prompts, or backup recovery keys through chat.
FAQ
The FBI and CISA warn that Russian intelligence-linked actors are phishing high-value targets and asking them to share Signal Backup Recovery Keys. If attackers obtain the key, they may be able to restore the victim’s backup and access historical messages.
No. The FBI and CISA say the attackers compromise individual accounts through social engineering. The campaign does not break Signal’s encryption or exploit the app’s encryption protections.
Generate a new Backup Recovery Key in Signal settings immediately. This invalidates the old key for future backup downloads, but it cannot reverse any backup access that may have already happened.
The campaign targets individuals with high intelligence value, including government officials, military personnel, political figures, journalists, Ukrainian officials, diplomats, and allied personnel.
Ignore in-app messages claiming to be Signal support, never share recovery keys or verification codes, review linked devices, remove unfamiliar devices, and keep Signal updated.