FBI Warns: Russian Hackers Now Phishing for Signal Backup Recovery Keys

The FBI and CISA have updated their advisory on Russian intelligence hackers targeting Signal users. The new twist: attackers are now phishing for backup recovery keys, which give persistent access to message history even after the victim switches phones. The advisory, designated PSA I-062626-PSA, ties the activity to two threat groups, UNC5792 and UNC4221, both linked to Russian Intelligence Services, including FSB officers and military personnel.

How the Attack Works

Earlier waves of the campaign targeted SMS verification codes and account PINs, or used doctored "group invite" links to silently link an attacker's device. The new technique is more insidious. Phishing messages, disguised as Signal support, walk targets through enabling Signal backups, opening the recovery key screen, and pasting the key into the chat. Once the attacker has the key, they can restore the account's backup, read all private and group message history, and take over the account.

Crucially, the compromised key remains valid even after the victim changes phones. If the target creates a new account with the same phone number, the old recovery key can still access future backups. The only fix is to generate a new recovery key in Signal's settings, which invalidates the old one for future downloads—but cannot undo any data already exfiltrated.

Technical Details and Sample Messages

The FBI published two sample phishing messages. One poses as a mandatory two-factor authentication rollout, the other as an urgent "data recovery" fix for messages supposedly at risk. Both exploit trust in Signal's own interface rather than technical vulnerabilities. The advisory emphasizes that these attacks do not break Signal's encryption. They are pure social engineering, targeting the user rather than the cryptography.

Who Is Targeted

Victims are individuals the FBI describes as being of "high intelligence value": current and former US and international government officials, military personnel, political figures, journalists, and officials in Ukraine. The March advisory noted the broader campaign had already compromised thousands of accounts worldwide.

Mitigation and Response

If you receive a message inside Signal asking for a recovery key, verification code, or PIN, treat it as hostile. Signal does not message users inside the app to request credentials. To protect yourself, generate a new recovery key in Signal Settings > Account > Backup Recovery Key. This invalidates any previously shared key. The State Department's Rewards for Justice program is offering up to $10 million for information on UNC5792.

Broader Context

This campaign is part of a pattern. Google's Threat Intelligence Group first documented UNC5792 abusing Signal's linked-device feature in early 2025, and later observed the same tradecraft targeting WhatsApp and Telegram. The activity overlaps with earlier warnings from Dutch (AIVD, MIVD), German (BfV, BSI), and French (ANSSI) intelligence agencies. The takeaway: end-to-end encryption protects messages in transit, but cannot protect users who are persuaded to hand over the keys themselves.