The FBI reports that Russian intelligence agents are now deceiving Signal users into giving up their backup recovery key.
TL;DR: The FBI has issued a warning that Russian hackers are phishing Signal users for their backup recovery keys, granting them ongoing access to message history. According to the advisory released on Thursday by the FBI and CISA, these hackers are targeting backup recovery keys, marking a progression in a phishing campaign that has already impacted thousands of accounts globally. Providing the key allows attackers to restore backups, view all private and group messages, and take control of the account. The key remains valid even after the victim changes devices. If a target creates a new account with the same phone number, the old recovery key can still be used for accessing future backups. The only solution is to generate a new key in Signal’s settings, which invalidates the old key for future use but does not recover data that the attacker may have already accessed.
This advisory, labeled PSA I-062626-PSA, introduces two public tracking identifiers not mentioned in an earlier March notice: UNC5792 and UNC4221. The bureau links the activities to various Russian Intelligence Services factions, including FSB agents associated with the FSB Border Guards and others connected to the Russian military. The phishing attempts are directed towards both Signal and WhatsApp users, but the recovery key strategy is unique to Signal.
The intended victims are described by the FBI as individuals of “high intelligence value,” including current and former government officials from the US and other nations, military personnel, political figures, journalists, and Ukrainian officials. The March advisory indicated that the wider campaign has compromised thousands of accounts worldwide.
Phishing messages have been posing as Signal support. Previous attempts solicited SMS verification codes and account PINs or utilized fake “group invite” links that discreetly linked the attacker’s device to the victim’s account. The latest version guides targets to activate Signal backups, access the recovery key screen, and paste the key in a chat.
The FBI shared two examples of messages used in this campaign. One masquerades as an obligatory two-factor authentication implementation, while the other claims to be an urgent “data recovery” fix for messages supposedly at risk. Both represent social engineering tactics that exploit user trust rather than technical vulnerabilities.
The agencies clarify that these methods do not breach Signal's encryption or the application itself. Attackers target individual accounts through social engineering, leveraging legitimate features of the app. This pattern is increasingly common in security incidents, where the weakest link is often the user rather than the cryptographic protections in place.
In conjunction with the advisory, the State Department’s Rewards for Justice program is offering up to $10 million for information about UNC5792. This activity aligns with previous warnings from Dutch intelligence agencies AIVD and MIVD, Germany’s BfV and BSI, and France’s ANSSI. Google’s Threat Intelligence Group first reported on UNC5792 exploiting Signal’s linked-device feature in early 2025 and later noted similar tactics targeting WhatsApp and Telegram.
This campaign serves as a reminder that while end-to-end encryption secures messages during transmission, it cannot safeguard users who are tricked into giving up their access credentials. Any Signal user receiving a message requesting a recovery key, verification code, or PIN should consider it suspicious, regardless of how credible the sender appears. Signal does not request user credentials through messages in the app.
