FBI Warns Russian Hackers Now Steal Signal Backup Keys to Read Message History
The FBI and CISA updated their March 2026 warning, saying Russian intelligence-linked phishing now targets Signal Backup Recovery Keys. Attackers can restore encrypted backups and read all past messages, and the keys remain valid even after a new account is created.
The FBI and the Cybersecurity and Infrastructure Security Agency updated a joint public service announcement on June 26, 2026, warning that Russian intelligence services have expanded their phishing campaigns against Signal users to steal Backup Recovery Keys, giving attackers full access to victims' historical messages.
According to the FBI, the threat actors initially sent messages impersonating Signal support and claiming the messenger was introducing mandatory two-factor verification after an alleged wave of attacks from hackers in Iran and post-Soviet countries. The phishing messages instructed targets to enable backups and copy their recovery key. A second message claimed a sync issue was about to cause permanent data loss, prompting victims to paste the same key back into the conversation.
Campaign targets high-value individuals across government and media
The agencies attribute the activity to Russian Intelligence Services, including officers embedded with the Federal Security Service's Border Guards and other actors working on behalf of the Russian military. The operations are publicly tracked as UNC5792 and UNC4221. The phishing campaign continues to target:
- Current and former U.S. and international government officials
- Military personnel and political figures
- Journalists and key officials located in Ukraine
Once an attacker obtains the Backup Recovery Key, they can restore the account's encrypted backup on their own devices, reading all private and group conversations. The attack does not require breaking Signal's end-to-end encryption, because the victim voluntarily provides the key under false pretenses.
Old keys persist across new accounts, limiting countermeasures
The updated advisory highlights a dangerous edge case. If a user creates a new Signal account with the same phone number after a compromise, the old Backup Recovery Key remains valid unless the user manually generates a new one through Signal's backup settings. Even then, the new key does not invalidate backups the attacker already downloaded. The FBI urges users never to share their recovery keys and to treat any support message asking for account credentials or keys as suspicious. The advisory recommends organizations review their communication security policies and train personnel to recognize social engineering attempts. The agencies said they will continue to monitor the threat and update guidance as the campaigns evolve.
Fact check
-
FBI and CISA issued an updated advisory on June 26, 2026, regarding Russian intelligence targeting Signal Backup Recovery Keys.
reported · source
-
The phishing campaign masquerades as Signal support and asks users to copy and paste Backup Recovery Keys.
verified · source
-
The campaign targets current and former government officials, military personnel, journalists, and Ukrainian officials.
verified · source
-
Creating a new Signal account with the same phone number does not invalidate the stolen Backup Recovery Key unless the user manually generates a new key.
verified · source
-
The threat actor operations are tracked as UNC5792 and UNC4221.
reported · source
Source reporting (2)
Join the conversation
You need to be registered and logged in to comment on blog articles.
0 Comments
No comments yet
Be the first to share your thoughts on this article.