FBI says Russian spies are now tricking Signal users into handing over their backup recovery key


TL;DR

The FBI warns that Russian hackers are phishing Signal users to obtain backup recovery keys, providing persistent access to message history.

The FBI and CISA have warned that Russian intelligence hackers are now targeting Signal users’ backup recovery keys, an escalation of a phishing campaign that has already compromised thousands of accounts around the world. The updated advisory, published Thursday, says that handing over the key a single time gives attackers the ability to restore an account’s backup, read its entire private and group message history, and take control of the account.

The key continues to work even after the victim changes phones. If a target creates a new account on the same phone number, the old recovery key can still be used to access future backups, the advisory warns. The only remedy is to generate a new key in Signal’s settings, which invalidates the old one for future downloads but does nothing about anything the attacker has already extracted.

The notice, designated PSA I-062626-PSA, adds two public tracking names that the FBI’s March notice did not include: UNC5792 and UNC4221. The FBI links the activity to multiple Russian intelligence service groups, including FSB officers embedded in FSB border guards and others working for the Russian military. The campaign targets both Signal and WhatsApp, although the recovery-key tactic is specific to Signal.


The targets are people the FBI describes as “high intelligence value,” including current and former US and international government officials, military personnel, political figures, journalists and officials in Ukraine. The March notice said the broader campaign had already compromised thousands of accounts around the world.

Phishing messages impersonate Signal support. Previous waves asked for SMS verification codes and account PINs, or used modified “group invitation” links that silently linked an attacker’s device to the victim’s account. The updated version guides targets to enable Signal backups, open the recovery key screen, and paste the key into the chat.

The FBI released two sample messages used in the campaign. One is disguised as a mandatory two-factor authentication rollout and the other as an urgent “data recovery” fix for messages that are supposedly at risk of being lost. Both are social engineering attacks that exploit trust in the platform’s own interface rather than any technical vulnerability.

The agencies are clear that none of these techniques break Signal’s encryption or the application itself. Attackers compromise individual accounts through social engineering and then gain entry through a legitimate feature. It is a pattern that has become increasingly common across security products, where the weakest link is the person who owns the device, not the cryptography that protects the data.

In addition to the notice, the State Department’s Rewards for Justice program is offering up to $10 million for information about UNC5792. The activity overlaps with earlier warnings from Dutch intelligence agencies AIVD and MIVD, Germany’s BfV and BSI, and France’s ANSSI. Google’s Threat Intelligence Group first documented UNC5792 abusing Signal’s linked device feature in early 2025 and later observed the same technique targeting WhatsApp and Telegram.

The campaign is a reminder that end-to-end encryption protects messages in transit, but it cannot protect users who are persuaded to hand over the keys themselves. Anyone who receives a message within Signal requesting a recovery key, verification code, or PIN should treat it as hostile, regardless of how convincing the sender seems. Signal does not send in-app messages to users asking for credentials.
