FBI Alerts: Russian Hackers Target Signal Backup Recovery Keys in Phishing Campaign
The FBI and CISA have updated their March warning about Russian intelligence phishing campaigns targeting Signal users. The latest advisory reveals that hackers are now coaxing victims into sharing their Signal Backup Recovery Keys, allowing attackers to restore account backups, access private messages, and take over accounts.
What Happened
In March 2026, the FBI and CISA first warned about Russian state-sponsored hackers phishing Signal and WhatsApp users. The campaign initially focused on stealing SMS verification codes and account PINs. However, the latest update (PSA I-062626-PSA) highlights a new tactic: tricking users into handing over their Signal Backup Recovery Key.
How the Attack Works
- Hackers pose as Signal support and send phishing messages within the app.
- Victims are guided to enable backups, locate their Recovery Key, and paste it into the chat.
- Once shared, the key allows attackers to restore backups, access message histories, and maintain access even if the victim creates a new account on the same phone number.
Key Details
- The campaign is attributed to Russian Intelligence Services (RIS), including groups tracked as UNC5792 and UNC4221.
- Targets include current and former government officials, military personnel, journalists, and political figures, particularly those connected to Ukraine.
- The State Department’s Rewards for Justice program is offering up to $10 million for information on UNC5792.
Why It Matters
This phishing campaign underscores the vulnerability of secure messaging apps to social engineering attacks. While Signal’s encryption remains unbroken, the human element—users tricked into sharing sensitive information—becomes the weakest link. The focus on high-value targets also highlights the geopolitical implications of such attacks.
Impact on Users
- Compromised accounts can expose private and group messages, jeopardizing sensitive communications.
- Even after generating a new Recovery Key, users cannot retrieve old backups, as they are presumed compromised.
Key Details
Targeted Platforms
- Signal: The primary target, with hackers exploiting its backup recovery feature.
- WhatsApp: Also affected by earlier phases of the campaign, though the Recovery Key tactic is Signal-specific.
Mitigation Steps
- Never share your Backup Recovery Key, verification codes, or PINs in any chat.
- Enable and regularly check Linked Devices in Signal settings to remove unrecognized devices.
- If you suspect compromise, generate a new Recovery Key immediately.
Bigger Picture
This campaign is part of a broader trend of state-sponsored hackers targeting secure messaging platforms. Earlier this year, Dutch, German, and French intelligence agencies issued similar warnings. Google’s Threat Intelligence Group first documented these tactics in 2025, noting their use against Signal, WhatsApp, and Telegram.
For developers and users interested in secure messaging platforms, platforms like Signal and Telegram have been scrutinized for vulnerabilities. Readers can explore related insights on Aatma for a deeper understanding of similar threats.
Final Takeaway
The FBI and CISA’s updated advisory serves as a stark reminder of the evolving nature of phishing attacks. While encryption keeps messaging platforms secure, users must remain vigilant against social engineering tactics. For high-value targets, the risk of compromise remains significant, necessitating proactive security measures.