Russian Intelligence Turns Signal Backup Keys Into One-Time Takeover Tools

By Mag-Info Tech editorial · 2026-06-28

Russia-aligned cyber operators have added a new step to a long-running phishing campaign aimed at Signal users: they now ask targets to hand over their Signal Backup Recovery Key. Once the key is surrendered, the attackers can restore the account’s encrypted backup, read past private and group messages, and retain access to the account indefinitely. Even if a victim changes their phone number and creates a new Signal account, the old backup key remains valid, letting the intruders regain access. The blunt fix, according to a joint advisory, is to generate a fresh backup key in Signal’s settings, which invalidates any previously stolen key and severs future access; anything already exfiltrated, however, must be treated as compromised.

The campaign primarily targets individuals of high intelligence value: current and former U.S. and allied government officials, military personnel, political figures, journalists, and Ukrainian officials. Security agencies report the broader operation has already compromised thousands of accounts worldwide. The phishing messages mimic Signal support, evolving from requests for SMS verification codes and account PINs to more elaborate lures that walk the target through enabling Signal backups, opening the Recovery Key screen, and pasting the key into a chat. Two sample messages highlighted in the advisory pose as a mandatory two-factor rollout and an urgent “data recovery” fix for messages supposedly at risk of loss.

Security authorities emphasize that the compromise does not reflect a failure of Signal’s end-to-end encryption or the app itself. Instead, the attackers succeed through social engineering, exploiting legitimate features such as account backups and recovery mechanisms. The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency updated their March warning with two new tracking names—UNC5792 and UNC4221—and tied the activity to multiple Russian Intelligence Services groups, including officers embedded with border guard units and personnel from Russian military services. The State Department’s Rewards for Justice program is offering up to $10 million for information leading to the identification or location of UNC5792.

How the Updated Attack Works: From Code Request to Key Theft

The phishing flow begins with a message that appears to come from Signal support, often delivered via another compromised messaging account or a spoofed email address. Early versions of the campaign asked for SMS verification codes or account PINs, or tricked users into clicking doctored “group invite” links that silently linked an attacker’s device to the target’s account. The updated tactic is more involved: the message guides the user through turning on Signal backups, navigating to the Recovery Key screen, and copying the 30-digit code into the chat. Once the key is shared, the attacker can download the account’s encrypted backup at any time, decrypt it on their own device, and reconstruct the full message history. Because the key is static, it continues to grant access even if the victim changes their phone number and registers a new Signal account on the same device.

The advisory highlights two specific message templates. The first claims Signal is rolling out mandatory two-factor authentication and instructs the user to share their Recovery Key to “complete the transition.” The second claims messages are at risk of permanent loss and urges the user to paste the Recovery Key immediately to “recover data.” Both templates are designed to exploit urgency and familiarity with Signal’s legitimate backup feature. In practice, the attacker’s chat interface is controlled by the adversary, so the instructions and prompts come from the same source the victim believes is providing support.

Who Is Being Targeted and Why It Matters

The campaign’s targeting is highly selective. High-profile individuals with access to sensitive political, military, or intelligence information are singled out because their communications can yield strategic insight or be leveraged for further espionage. The inclusion of Ukrainian officials reflects Russia’s ongoing intelligence priorities in the region. The advisory notes that thousands of accounts have already been compromised globally, underscoring the campaign’s scale and persistence. Because the attackers maintain persistent access via the Recovery Key, they can monitor ongoing conversations, impersonate the compromised user in group chats, and harvest new messages as they arrive. This persistence makes the attack more damaging than a one-time credential theft.

The overlap with warnings from European intelligence agencies—including the Dutch AIVD and MIVD, Germany’s BfV and BSI, and France’s ANSSI—suggests a coordinated, multi-country effort to counter Russian intelligence cyber operations. These agencies have previously documented similar tactics, indicating that the use of legitimate app features for account takeover is a recurring theme in Russian cyber operations. For targets in sensitive roles, the risk is not limited to personal exposure; compromised accounts can serve as footholds for broader network intrusions, especially if the victim reuses passwords or PINs elsewhere.

What Signal Users Should Do Immediately

The advisory’s recommended remediation is straightforward but consequential. Users who suspect they have shared their Recovery Key should open Signal, go to Settings > Chats > Backup, and tap “Generate New Recovery Key.” This action invalidates the old key, preventing future backups from being restored by the attacker. After generating a new key, users should avoid sharing it under any circumstances. If the old key was already used to back up messages, those messages are considered compromised and cannot be securely recovered. Users should also review their Signal account activity, check for unfamiliar linked devices, and consider enabling the app’s “Registration Lock” feature to add another layer of protection against unauthorized re-registration.

Signal has emphasized that the issue lies with user behavior, not the app’s security model. End-to-end encryption remains intact, and the backup feature is designed to protect users against device loss. The problem arises only when users are tricked into surrendering their Recovery Key. To reduce exposure, users should treat any unsolicited message claiming to be from Signal support as suspicious. Signal’s official support channels do not proactively contact users via chat to request account details or recovery keys. If in doubt, users can verify instructions by checking Signal’s official help pages or contacting support through the verified in-app channel.

Enterprise and Organizational Response: Beyond Individual Users

For organizations that include high-value personnel, the risk extends beyond individual accounts. Security teams should assume that any Signal account used by executives, diplomats, or military officers could be compromised and should plan accordingly. Organizations should conduct phishing-awareness training focused on social-engineering tactics that abuse legitimate features like account backups and two-factor authentication rollouts. They should also implement device management policies that restrict the installation of unofficial Signal clients or the sharing of recovery keys via unapproved channels.

Technical controls can help mitigate the impact. Enforcing app-store-only installations reduces the risk of trojanized Signal clients. Requiring hardware-backed authentication for sensitive accounts adds another hurdle for attackers. Monitoring for unusual backup activity or repeated registration attempts can flag compromised accounts early. In cases where Signal is used for sensitive communications, organizations may choose to disable backups entirely or use a dedicated, managed device with additional security policies. These measures do not eliminate the risk of social engineering but can limit the blast radius when a Recovery Key is accidentally shared.

The Broader Context: Social Engineering Meets Legitimate Features

This campaign exemplifies a growing trend in cyber espionage: attackers increasingly abuse legitimate features and workflows rather than exploiting software vulnerabilities. By posing as support staff and guiding users through built-in functions like backups and recovery keys, adversaries bypass technical defenses and exploit human trust. The tactic is effective because it leverages familiar, everyday actions—enabling backups, following update prompts—that users rarely question. This approach is not unique to Signal; similar campaigns have targeted WhatsApp accounts by tricking users into sharing verification codes or clicking malicious links.

The fact that the advisory ties the activity to multiple Russian Intelligence Services groups underscores the strategic nature of these operations. The involvement of embedded FSB officers and military personnel indicates that the campaign is centrally coordinated and resourced. The overlap with European intelligence warnings suggests a shared threat model across NATO and EU member states, reinforcing the need for coordinated defense. For defenders, the lesson is clear: technical hardening is necessary but insufficient. Human factors—training, awareness, and verification habits—are now the primary battleground.

What to Watch Next: Indicators and Countermeasures

Security teams should monitor for the two public tracking names—UNC5792 and UNC4221—as well as any new aliases that emerge. Indicators of compromise can include unsolicited Signal messages with instructions to enable backups or share recovery keys, unexpected registration lockouts, or the appearance of unfamiliar devices linked to an account. Users should also watch for follow-on phishing attempts that use the compromised account to send messages to contacts, especially if those messages contain links or requests for further information.
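The message-level indicators above can be turned into a simple triage check. The following is an added example, not code from the advisory or from Signal: it scores inbound chats against the lure pattern the advisory describes (support impersonation, a request for a recovery key, code or PIN, and an urgency cue) and flags outbound chats that contain a 30-digit key-like string. The keyword lists and the 30-digit pattern are assumptions derived from the article’s wording, and the sample messages are constructed.

```python
import re
from dataclasses import dataclass, field

# Lure cues paraphrased from the advisory's two templates (assumed keyword lists).
SUPPORT_IMPERSONATION = re.compile(r"\bsignal\s+(support|team|security)\b", re.I)
SECRET_REQUESTS = re.compile(
    r"\b(recovery key|backup key|verification code|account pin|registration lock pin)\b", re.I)
URGENCY_CUES = re.compile(
    r"\b(mandatory|immediately|permanent(ly)? loss|complete the transition|recover (your )?data)\b",
    re.I)
# Assumption: the article describes the key as a 30-digit code; digits may be grouped
# with spaces or dashes. Longer digit runs (e.g. a 31-digit number) are not matched.
KEY_LIKE = re.compile(r"(?<!\d)(?:\d[ -]?){30}(?!\d)")

@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

def assess_inbound(text: str) -> Verdict:
    """Score an inbound message for the advisory's support-impersonation lure."""
    v = Verdict()
    if SUPPORT_IMPERSONATION.search(text):
        v.score += 2
        v.reasons.append("claims to be Signal support")
    if SECRET_REQUESTS.search(text):
        v.score += 3
        v.reasons.append("asks for a recovery key, verification code or PIN")
    if URGENCY_CUES.search(text):
        v.score += 1
        v.reasons.append("urgency cue")
    return v

def is_suspicious(text: str, threshold: int = 4) -> bool:
    """A secret request plus any other cue crosses the (assumed) threshold."""
    return assess_inbound(text).score >= threshold

def leaks_key(outbound_text: str) -> bool:
    """DLP-style check: does an outbound chat contain a 30-digit key-like string?"""
    return KEY_LIKE.search(outbound_text) is not None

# Constructed samples: the two advisory lures, a benign chat, and an outbound paste.
LURE_2FA = ("Signal Support: we are rolling out mandatory two-factor authentication. "
            "Share your Recovery Key to complete the transition.")
LURE_RECOVERY = ("Your messages are at risk of permanent loss. "
                 "Paste your Recovery Key immediately to recover data.")
BENIGN = "Want to grab lunch tomorrow? Signal me when you're free."
OUTBOUND_PASTE = "here it is: 1234 5678 9012 3456 7890 1234 5678 90"

if __name__ == "__main__":
    for msg in (LURE_2FA, LURE_RECOVERY, BENIGN):
        print(is_suspicious(msg), assess_inbound(msg).reasons)
    print(leaks_key(OUTBOUND_PASTE), leaks_key("call me at 555-0100"))
```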

On the policy side, the State Department’s Rewards for Justice offer signals a high level of U.S. government concern and may encourage insider reporting or defectors to come forward. For affected individuals, reporting the incident to their organization’s security team or to national cybersecurity agencies can help attribute the activity and improve collective defenses. Longer term, Signal and similar messaging platforms may consider adding user-configurable limits on backup retention, time-bound recovery keys, or mandatory user verification steps before sensitive actions like key generation or sharing. These changes would reduce the window of opportunity for attackers while preserving the legitimate use case of account recovery.

Practical Takeaways for Readers

If you use Signal for sensitive communications, treat any message asking for your Recovery Key as highly suspicious. Signal’s official support will never proactively contact you via chat to request account details or recovery keys. Enable Registration Lock in Signal’s settings to add another layer of protection against unauthorized re-registration. If you suspect you’ve shared your Recovery Key, generate a new one immediately to block future access, and assume any previously backed-up messages are compromised.

For organizations, include Signal-specific social-engineering scenarios in phishing simulations, especially those that mimic support workflows. Restrict app installation sources and enforce hardware-backed authentication for high-risk users. Monitor account activity for unusual backup or registration patterns, and prepare incident response playbooks that account for the persistence enabled by Recovery Keys. Finally, stay informed about new advisories and attribution updates, as adversaries frequently rotate tactics and infrastructure to evade detection.