The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a new warning about an ongoing phishing campaign linked to Russian intelligence services that now targets Signal Backup Recovery Keys, giving attackers a way to access victims’ historical messages without breaking Signal’s end-to-end encryption.
The updated advisory expands on an alert first published in March 2026, which warned that Russian-backed hackers were attempting to hijack Signal accounts by stealing verification codes, PINs, or tricking users into linking attacker-controlled devices. According to the FBI, the attackers have now adopted a more sophisticated tactic aimed at stealing users’ backup recovery keys.
The campaign primarily targets individuals considered to be of high intelligence value, including current and former government officials, military personnel, political leaders, journalists, and officials connected to Ukraine. The activity has been linked to Russian Intelligence Services (RIS), including officers associated with Russia’s Federal Security Service (FSB) Border Guards, and is tracked by security researchers as UNC5792 and UNC4221.
The phishing messages impersonate Signal’s support team and falsely claim the messaging platform is introducing mandatory two-factor verification following alleged attacks by hackers from Iran and post-Soviet countries. Victims are instructed to enable Signal’s Secure Backups feature and create a Backup Recovery Key to avoid losing their messages.
After the backup is created, attackers send a second fake support message claiming the user’s account is experiencing a synchronization issue that could result in permanent data loss. The victim is then instructed to copy and send the Backup Recovery Key to “restore” their account.
In reality, the Backup Recovery Key is the secret required to decrypt Signal’s encrypted cloud backups. Anyone who obtains this key can restore the victim’s backup on another device and gain access to their historical conversations, including private and group chats.
The FBI also warned that simply creating a new Signal account with the same phone number does not invalidate a stolen Backup Recovery Key. Users must manually generate a new recovery key through Signal’s backup settings to prevent future access. However, this will not stop attackers from viewing any backups they already downloaded using the compromised key.
The agencies reminded users that legitimate messaging app support teams never ask users to share verification codes, PINs, or backup recovery keys through messages. Users should ignore unsolicited requests claiming to come from Signal support and verify any security notifications through official company channels.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
Anyone who believes they may have shared their Signal Backup Recovery Key or fallen victim to the phishing campaign is encouraged to report the incident to the FBI’s Internet Crime Complaint Center (IC3), a local FBI field office, or CISA.
FBI Warns Russian Hackers Are Now Stealing Signal Backup Keys to Access Private Chats
