Russian hackers use phishing to steal Signal backup keys, FBI warns

By Mag-Info Tech editorial · 2026-06-28

Russian intelligence services shift from hijacking Signal accounts to stealing backup keys

Federal law enforcement and cybersecurity authorities say a phishing campaign tied to Russian intelligence services has moved beyond stealing verification codes and account PINs to targeting Signal’s Backup Recovery Keys. This evolution means attackers can decrypt and access a user’s historical messages and media, not just take over new communications. The shift underscores how threat actors adapt tactics when initial methods fail or when higher-value data becomes accessible through secondary features. For Signal users who enabled backups to preserve chat history across devices or after uninstalling the app, the Backup Recovery Key is now a prime target.

The campaign continues to impersonate automated customer support accounts, using messages that claim Signal is introducing mandatory two-factor verification following alleged waves of attacks by hackers from Iran and post-Soviet countries. These messages instruct users to set up backups and share the generated Recovery Key to “prevent data loss.” In reality, the Recovery Key acts as a master password that can unlock archived chats and attachments stored in Signal’s encrypted backup system. Once obtained, attackers can decrypt the backup locally or upload it to a device they control, bypassing the end-to-end encryption that protects live messages.

Security experts note that this tactic is effective because many users do not fully understand how Signal’s backup system works or the sensitivity of the Recovery Key. The key is a 30-digit string displayed once during setup and often stored insecurely by users who save it in notes apps, cloud drives, or even email. Unlike a verification code sent via SMS, which expires quickly, the Recovery Key remains valid indefinitely unless the user disables backups or changes the key. This makes it a high-value asset for persistent attackers.

Who is being targeted and why

According to advisories, the threat actors are focusing on individuals of high intelligence value, including current and former U.S. and international government officials, military personnel, political figures, journalists, and key officials in Ukraine. The targeting reflects a broader pattern in Russian cyber operations: prioritizing access to communications that reveal policy discussions, intelligence sources, or strategic planning. By compromising Signal accounts, attackers can reconstruct timelines of conversations, identify networks of contacts, and potentially pivot to other communication platforms used by the same individuals.

The campaign is publicly tracked under identifiers UNC5792 and UNC4221, which are used by threat intelligence teams to correlate related intrusion sets. Analysts attribute the activity to Russian Intelligence Services, including officers embedded with Russia’s Federal Security Service (FSB) Border Guards and military-affiliated actors. These groups have a history of leveraging phishing, social engineering, and supply-chain compromises to gain initial access, then moving laterally within networks to extract sensitive information. The focus on Signal backups suggests a calculated shift toward long-term persistence and historical data exfiltration.

For organizations that rely on Signal for secure communication, this campaign highlights the risks of assuming that end-to-end encryption alone is sufficient. While Signal’s live messages remain protected during transmission, the storage and recovery mechanisms can become weak points if not managed carefully. Security teams should reassess how they advise users to handle backup keys and whether the convenience of backups outweighs the risk of compromise in high-threat environments.

How the phishing messages are structured

The phishing messages mimic automated support responses, using urgent language to pressure users into acting quickly. Typical messages claim that Signal has detected unauthorized device links from foreign hackers and that mandatory two-factor verification is being rolled out to prevent further breaches. The messages include links that redirect to lookalike websites designed to harvest credentials or directly prompt users to enter their Backup Recovery Key. Some variants also ask users to “enable backups” and then “view recovery key,” which is a red flag since the key should never be entered outside of the app’s official settings.

The attackers exploit common user behaviors: fear of losing data, trust in official-looking messages, and urgency created by false alerts about security breaches. The messages often include Signal’s branding and may reference real-looking support articles or privacy policy updates to appear legitimate. In some cases, the phishing sites use homoglyphs or misspelled domains to bypass email filters and trick users into visiting malicious pages. Once on the site, users are presented with a form that asks for their phone number and Recovery Key, which is then transmitted to attacker-controlled servers.

Because the messages are sent through automated accounts, they can scale widely and target multiple users simultaneously. The attackers do not need advanced technical skills to launch the campaign; they rely on social engineering and the reuse of stolen branding and messaging templates. This lowers the barrier to entry for state-sponsored actors and increases the volume of potential victims.

What Signal’s Backup Recovery Key does and why it matters

Signal’s Backup Recovery Key is a 30-digit code generated when a user enables encrypted backups in the app. This key allows users to restore their chat history and media on a new device without relying on Signal’s servers. The feature is intended to prevent data loss when switching phones or reinstalling the app, but it also creates a single point of failure if the key is compromised. Unlike verification codes that expire, the Recovery Key is static and can unlock all historical backups associated with the account.

The key is not stored on Signal’s servers, which means Signal itself cannot access it or reset it on behalf of users. This design enhances privacy but shifts responsibility to the user for secure storage. Many users save the key in unencrypted notes, cloud storage, or even email, making it vulnerable to theft if any of those accounts are breached. Attackers who obtain the key can decrypt the backup locally using Signal’s desktop or mobile tools, gaining access to years of private conversations, attachments, and group memberships.

Security professionals emphasize that the Backup Recovery Key should be treated with the same caution as a password or private key. It should never be shared, emailed, or stored in plaintext. Signal recommends writing it down on paper and storing it in a secure location, but this is often impractical for users who need to access it across multiple devices. The tension between usability and security remains a challenge for encrypted messaging platforms that prioritize both privacy and data portability.

Steps users can take to protect themselves

Users should disable Signal backups if they do not need them, especially if they frequently switch devices or rely on cloud sync for other data. Disabling backups removes the risk of losing the Recovery Key and eliminates the target that attackers are currently exploiting. To disable backups, go to Settings > Chats > Backups and turn off the feature. Users who have already enabled backups should avoid storing the Recovery Key digitally and instead write it down and keep it in a secure place, such as a locked drawer or safe.

Never enter the Backup Recovery Key on any website or respond to messages that ask for it, even if they appear to come from Signal support. Signal’s official support team will never ask for the Recovery Key or verification codes via email, chat, or third-party messages. If a message seems suspicious, users should verify it by contacting Signal through official channels, such as the in-app support form or the verified website. Using two-factor authentication (2FA) on the Signal account and the email or phone number associated with it adds another layer of defense against account takeover.

Users should also inspect links in messages for signs of phishing, such as misspelled domains or unusual subdomains. Hovering over links on desktop or long-pressing them on mobile can reveal the true destination. Enabling automatic app updates ensures that users receive the latest security patches, which may include defenses against phishing or unauthorized device linking. For high-risk individuals, using a dedicated device for secure communications and avoiding the installation of unrelated apps can reduce exposure to malware that might capture keystrokes or screen content.

What organizations and security teams should do

Organizations that use Signal for sensitive communications should issue clear guidance to employees about handling Backup Recovery Keys and recognizing phishing attempts. Security awareness training should include simulated phishing exercises that mimic the tactics used in this campaign, such as support impersonation and urgent alerts about security changes. Teams should also review their incident response plans to account for the compromise of Signal backups, including steps to revoke access, rotate keys, and assess the impact on operational security.

Security teams should monitor for indicators of compromise related to this campaign, such as lookalike domains, phishing emails with specific subject lines, or unusual device linking activity. Threat intelligence feeds that track UNC5792 and UNC4221 can provide early warnings and context for ongoing investigations. If a Recovery Key is suspected to be compromised, users should immediately disable backups, generate a new key, and review their account for unauthorized devices. In high-threat environments, organizations may consider prohibiting Signal backups altogether or using alternative encrypted messaging platforms that do not rely on user-managed recovery keys.
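The homoglyph and misspelled-domain lures described earlier, and the lookalike-domain monitoring recommended here, can be approximated with a small message scanner that pulls URLs out of text and grades each hostname. The following is an added example written for this article, not code from Signal, the FBI, or the article's authors. It assumes signal.org as the only legitimate domain, uses a two-label rule for the registrable domain (a production tool would use the Public Suffix List and full Unicode confusables data), and runs over constructed sample messages, none of which are real phishing lures.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Assumed allow-list of legitimate registrable domains. The article names no
# domains; signal.org is an assumption made for this example.
LEGIT_DOMAINS = {"signal.org"}
BRAND = "signal"

# Minimal homoglyph map: confusable Cyrillic/Greek letters and digits mapped to
# the Latin letter they resemble. Real tooling would use Unicode TR39 data.
CONFUSABLES = str.maketrans({
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y", "х": "x", "і": "i",
    "ο": "o", "ν": "v", "ι": "i", "ı": "i", "ɡ": "g",
    "0": "o", "1": "l", "3": "e", "5": "s",
})

URL_RE = re.compile(r"(?i)(?:https?://|www\.)[^\s<>\"'\)\]]+")


def skeleton(label: str) -> str:
    """Reduce a hostname label to the ASCII string it visually imitates."""
    decomposed = unicodedata.normalize("NFKD", label.lower())
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.translate(CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one-character typosquats such as signl.org."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_of(url: str):
    """Extract a lowercase hostname, decoding punycode (xn--) labels to Unicode."""
    if url.lower().startswith("www."):
        url = "http://" + url
    host = urlparse(url).hostname
    if not host:
        return None
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA: judge it as written
    return host.rstrip(".")


def classify_host(host: str) -> str:
    """Grade a hostname: legitimate, homoglyph, lookalike or unrelated."""
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # assumption: two-label suffix rule
    if registrable in LEGIT_DOMAINS:
        return "legitimate"
    if skeleton(registrable) in {skeleton(d) for d in LEGIT_DOMAINS}:
        return "homoglyph"  # looks identical to a legit domain once normalized
    if any(BRAND in skeleton(label) for label in labels):
        return "lookalike"  # brand used as a subdomain or inside a hyphenated name
    sld = skeleton(labels[-2]) if len(labels) >= 2 else skeleton(labels[0])
    if levenshtein(sld, BRAND) <= 1:
        return "lookalike"  # one-character typosquat
    return "unrelated"


def scan_message(text: str):
    """Return (url, host, verdict) for every URL found in one message."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:")
        host = hostname_of(url)
        if host:
            findings.append((url, host, classify_host(host)))
    return findings


def scan_all(messages):
    return [finding for msg in messages for finding in scan_message(msg)]


# Constructed sample messages for illustration only (not real lures).
SAMPLE_MESSAGES = [
    "Read the official guidance at https://support.signal.org/hc/en-us",
    "Mandatory verification: confirm at https://signal-verification.com/backup",
    "Your account is at risk, secure it here: https://signаl.org/recover",  # Cyrillic а
    "Enable backups now: http://signal.org.account-check.net/key",
    "Hi, are we still on for lunch?",
    "Meeting notes: https://example.com/notes",
    "Verify at www.signl.org/2fa",
]

if __name__ == "__main__":
    for url, host, verdict in scan_all(SAMPLE_MESSAGES):
        print(f"{verdict:11} {host:32} {url}")
```

Only the "legitimate" verdict relies on an exact allow-list match; everything else is a heuristic that a team would tune against its own traffic, and a hit is a reason to inspect the message, not proof of compromise.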

Collaboration with platform providers can also help. While Signal cannot reset Recovery Keys, it can monitor for unusual decryption attempts or bulk access patterns that may indicate compromise. Security teams should report phishing attempts to Signal and relevant authorities to help disrupt the campaign. Sharing anonymized data about attack vectors can improve detection and response across the ecosystem, benefiting other users who might be targeted by similar tactics.

The broader implications for encrypted messaging and state-sponsored threats

This campaign illustrates how state-sponsored actors adapt their tactics when traditional phishing methods fail to yield persistent access. By targeting recovery mechanisms rather than live communications, attackers can bypass the strong encryption that protects real-time messages and instead focus on historical data, which often contains the most sensitive information. This shift reflects a growing trend in cyber espionage: prioritizing long-term access and data exfiltration over immediate disruption.

For the encrypted messaging ecosystem, the incident raises questions about the balance between usability and security. Features designed to improve user experience—such as seamless backups and cross-device sync—can inadvertently create new attack surfaces. Platforms may need to redesign recovery mechanisms to reduce reliance on static keys or implement additional safeguards, such as time-limited recovery tokens or hardware-backed authentication. Users, meanwhile, must become more vigilant about managing credentials that protect their digital lives.

The campaign also highlights the ongoing cat-and-mouse game between intelligence services and secure communication providers. As platforms like Signal strengthen encryption and authentication, adversaries pivot to weaker links in the chain, such as user behavior, backup systems, or device management. This dynamic underscores the need for layered security: combining strong encryption with robust user education, secure key storage practices, and continuous monitoring for suspicious activity.

What to watch next

Security researchers will likely analyze this campaign to identify patterns in phishing infrastructure, such as domain registration timelines, hosting providers, or command-and-control servers. Any new advisories or updates from law enforcement or threat intelligence groups may reveal additional tactics, techniques, and procedures used by the attackers. Users should stay alert for follow-on phishing messages that reference this campaign, especially those claiming to offer “security updates” or “mandatory verification.”

Organizations should expect similar tactics to be reused against other encrypted messaging platforms that offer backup or recovery features. The core vulnerability—user-managed secrets that grant access to sensitive data—is not unique to Signal. As more platforms prioritize data portability and cross-device functionality, they may face analogous risks. Security teams should proactively assess their messaging stack for similar weak points and implement compensating controls, such as network-level monitoring or endpoint detection.

Finally, policymakers and platform providers may revisit the role of recovery mechanisms in secure messaging. Discussions could emerge about standardizing secure recovery methods, such as biometric-protected vaults or hardware security modules, to reduce reliance on user-generated secrets. For now, the best defense remains a combination of user awareness, careful key management, and skepticism toward unsolicited messages—no matter how official they appear.
