The FBI reports that Russian spies are now deceiving Signal users into giving up their backup recovery key.
**TL;DR** The FBI has issued a warning that Russian hackers are phishing Signal users for their backup recovery keys, which allows them ongoing access to message history. The FBI and CISA indicated an increase in phishing attempts targeting Signal backup recovery keys, affecting thousands of accounts globally. An updated advisory states that sharing the key enables attackers to restore account backups, access full message history, and seize control of the account. The key remains functional even if the victim changes devices; if a new account is created using the same phone number, the old recovery key can still grant access to new backups. The only resolution is to generate a new recovery key in Signal settings, which nullifies the old one for future access, but does not recover data already taken by the attacker.
The advisory, designated PSA I-062626-PSA, introduces two public identifiers that were not mentioned in March: UNC5792 and UNC4221. The FBI links these activities to several Russian Intelligence Service groups, including members embedded with the FSB Border Guards and others from the Russian military. This phishing campaign targets both Signal and WhatsApp, but the recovery key method is unique to Signal.
The FBI notes that the targets are individuals deemed of “high intelligence value,” including present and former U.S. and international officials, military personnel, political figures, journalists, and Ukrainian officials. The March advisory reported that the larger campaign had already compromised thousands of accounts worldwide.
The phishing attempts masquerade as Signal support. Earlier stages requested SMS verification codes, account PINs, or included altered “group invite” links that linked an attacker’s device to the victim’s account without notice. The current iteration guides victims to enable Signal backups, access the recovery key screen, and paste the key into a chat.
The FBI shared two examples of messages used in this campaign. One pretends to be about a necessary two-factor authentication process, while the other claims to be an urgent “data recovery” solution for messages at risk of loss. Both employ social engineering tactics that leverage trust in the platform’s interface rather than exploiting technical vulnerabilities.
The involved agencies confirm that these methods do not undermine Signal’s encryption or the application itself. Instead, attackers compromise individual accounts through social engineering and exploit legitimate features. This trend highlights that the weakest link in security often lies with the device user rather than the cryptographic measures securing the data.
Additionally, the State Department's Rewards for Justice program is offering up to $10 million for information regarding UNC5792. The activity aligns with previous warnings from Dutch intelligence agencies AIVD and MIVD, Germany's BfV and BSI, and France’s ANSSI. Google’s Threat Intelligence Group initially noted UNC5792 exploiting Signal’s linked-device feature in early 2025 and later observed similar tactics targeting WhatsApp and Telegram.
This campaign underscores that while end-to-end encryption protects messages during transmission, it cannot shield users who are persuaded to reveal their keys. Anyone receiving a message within Signal requesting a recovery key, verification code, or PIN should consider it suspicious, regardless of how legitimate the sender seems. Signal does not contact users within the app to request credentials.
