
FBI Warns: Russian Hackers Steal Signal Backup Keys

The FBI and CISA say Russian intelligence hackers now phish Signal Backup Recovery Keys to read victims' past messages. Here is how the scam works and how to stop it.


Founder & Lead Technician

June 28, 2026 at 11:15 AM IST 4 min

Quick answer

The FBI and CISA warn that Russian intelligence hackers have evolved a phishing campaign to steal Signal Backup Recovery Keys, granting access to victims' historical messages. The scam impersonates Signal support and pushes fake mandatory two-factor verification setup steps.

Russian intelligence hackers are now phishing Signal users for their Backup Recovery Keys, and the FBI and CISA say the goal is to read victims' entire message history. The agencies issued an updated public warning today after watching the campaign evolve from hijacking accounts to quietly stealing the one secret that unlocks an encrypted Signal backup.

This is trending because it marks a tactical shift. Earlier waves tried to grab verification codes, account PINs, or trick people into linking an attacker-controlled device. The new variant goes after the Backup Recovery Key directly, which hands attackers a clean route into conversations that already happened.

Why stealing the recovery key is so dangerous

Signal's end-to-end encryption is not being broken here. That distinction matters. The attackers are not cracking the math that protects messages in transit. They are convincing the victim to hand over the credential that decrypts an archived copy of those messages.

When a Signal user enables Secure Backups, the app stores encrypted copies of conversations on Signal's cloud servers. The Backup Recovery Key is what unlocks that archive. Steal the key, restore the backup, and you read everything the victim chose to back up, including older threads that a stolen live session might not reach.

If anyone messages you claiming to be Signal support and asks you to copy, share, screenshot, or confirm your Backup Recovery Key, treat it as an attack. Signal support will never ask for that key.

How the scam actually plays out

The FBI says the threat actors continue to masquerade as automated Signal support accounts. The lure is a fake security upgrade. The phishing message claims Signal is introducing mandatory two-factor verification after a supposed wave of attacks by hackers from Iran and post-Soviet countries.

That framing is deliberate. It borrows the language of a legitimate security alert to lower the victim's guard, then redirects the panic into following attacker instructions.

The message then walks the target through a sequence inside the real app: open Settings, go to Backups, enable backups, view the recovery key, copy it to the clipboard, and proceed through the backup setup. Because every tap happens in genuine Signal, nothing looks fake. The victim is using the real product the entire time. The trap is the final step, where the copied key gets surrendered to the attacker rather than kept private.

What makes this hard to spot

There is no malicious app to install and no obvious spoofed website to flag. The attacker weaponizes a real feature and the user's own hands. That is why this works against careful people: the instructions are technically accurate, the interface is authentic, and only the intent is hostile.

Who Russian intelligence is targeting

This is not a mass-market scam aimed at everyone. The FBI says the campaign focuses on individuals of high intelligence value. According to the advisory, that includes current and former US and international government officials, military personnel, political figures, journalists, and key officials located in Ukraine.

The agencies attribute the activity to Russian Intelligence Services, including officers tied to Russia's Federal Security Service Border Guards and other actors operating on behalf of the Russian military. The operation is publicly tracked under the labels UNC5792 and UNC4221.

If you are in one of those categories, assume you are a deliberate target rather than a random one, and adjust your guard accordingly.

Old tactics versus the new playbook

The shift is easiest to see side by side.

| Attribute | Original campaign | Updated campaign |
|---|---|---|
| Primary theft target | Verification codes and account PINs | Signal Backup Recovery Key |
| Access gained | Account takeover or linked rogue device | Decryption of historical message backups |
| Disguise | Signal support impersonation | Signal support impersonation with fake mandatory two-factor |
| Encryption broken | No | No, the key is handed over by the victim |

What happens over the next 24 to 72 hours

Expect the federal advisory to circulate fast through government, newsroom, and Ukraine-focused security channels, since those are the named targets. High-risk individuals should anticipate follow-up phishing attempts as operators rush to exploit the window before awareness spreads.

Watch for copycats. Once a lure that abuses a real backup flow is publicized, lower-tier criminals tend to clone it within days and aim it at broader audiences. The mandatory two-factor pretext is generic enough to be reused against other messaging platforms.

If you received a message matching this description, do not act on its instructions. Independently verify any claimed Signal policy change through official Signal channels, not through links or steps sent to you in a chat.

How to protect yourself right now

  • Never share, copy out, screenshot, or read aloud your Signal Backup Recovery Key to anyone, including accounts claiming to be support.
  • Treat any unsolicited message about mandatory two-factor verification or urgent policy updates as suspicious, especially if it includes step-by-step setup instructions.
  • Verify security claims directly inside the app or on Signal's official site, never by following instructions handed to you in a chat thread.
  • If you have already enabled backups, store the recovery key offline and assume any version you pasted or shared is compromised.
  • High-risk users should review linked devices in Signal settings and remove anything unfamiliar.

The bottom line is simple. The encryption held. The human did not have to. This campaign succeeds entirely on persuasion, which means awareness is the patch.

Source: BleepingComputer

Frequently asked questions

What is a Signal Backup Recovery Key and why do hackers want it?

It is the secret key that unlocks your encrypted Signal backup stored on Signal's cloud servers. If attackers obtain it, they can restore and read your historical messages without breaking Signal's end-to-end encryption.

How does the Russian phishing campaign trick Signal users?

Attackers impersonate Signal support and claim Signal is rolling out mandatory two-factor verification. They walk victims through enabling backups and copying the recovery key, then trick them into handing that key over.

Who is being targeted in this Signal attack?

The FBI says the campaign targets high intelligence value individuals, including current and former US and international government officials, military personnel, political figures, journalists, and key officials in Ukraine.


Daniel founded Ask Technicians to cut through bad tech advice. He writes hands-on troubleshooting guides drawn from years of real-world repair and support work.
