2026-06-26 BleepingComputer

Russian Hackers Target Signal Backup Keys in Evolving Phishing Campaign

Tags: APT, Phishing, Encryption

The FBI and CISA have issued an updated warning that Russian Intelligence Services (RIS) have evolved their phishing tactics to steal Signal Backup Recovery Keys, granting attackers access to victims' historical encrypted conversations. The campaign, tracked as UNC5792 and UNC4221, is attributed to officers embedded with Russia's FSB Border Guards and other actors working on behalf of the Russian military. The updated public service announcement follows a March 2026 advisory that initially warned of account hijacking attempts against Signal users, and now confirms the threat actors have moved beyond stealing verification codes and PINs to targeting the encryption keys that protect Secure Backups stored on Signal's cloud servers.

The new phishing messages impersonate Signal support accounts and falsely claim the platform is introducing mandatory two-factor verification in response to attacks allegedly carried out by hackers from Iran and post-Soviet countries. Targets are instructed to navigate through Signal's settings to enable backups, copy their recovery key, and submit it through the phishing page. Once obtained, the recovery key allows attackers to decrypt the victim's stored conversation history, effectively bypassing the end-to-end encryption that protects live messages. Security analysts note this represents a significant escalation, as backups often contain years of sensitive communications that would not be accessible through real-time interception.

The campaign continues to focus on individuals of high intelligence value, including current and former U.S. and international government officials, military personnel, political figures, journalists, and key officials located in Ukraine. Signal's Secure Backups feature is end-to-end encrypted using the user-generated recovery key, meaning the key should never be shared with anyone, including purported support staff. Users who suspect they may have submitted a recovery key to a phishing page should immediately disable their Secure Backup and generate a new recovery key to invalidate the stolen one.

To protect messaging accounts from similar credential-based attacks, security professionals recommend enabling phishing-resistant authentication methods and monitoring account activity for unauthorized device links. Individuals concerned about exposed credentials can use the email breach checker to verify whether their contact information has appeared in known data exposures, while the privacy checkup provides a broader assessment of online exposure. Anyone managing sensitive communications should also evaluate their account security posture using the password checker to ensure recovery credentials meet modern complexity standards.

Source: BleepingComputer
