FBI: Russian APT Hackers Steal Signal Backup Recovery Keys via Phishing
The FBI and CISA have updated their March advisory (PSA I-062626-PSA) warning that Russian intelligence services are now actively phishing Signal users into surrendering their Backup Recovery Keys. Once handed over, the key allows attackers to restore account backups, exfiltrate private and group message history, and take persistent control of the account. The advisory notes the key remains valid even if the victim creates a new Signal account on the same phone number, meaning the compromised key can be reused indefinitely until manually rotated in Settings.
The phishing operation poses as Signal support and walks targets through enabling Signal backups, locating the Recovery Key, and pasting it directly into the chat. Two sample lures are included in the advisory: one impersonates a mandatory two-factor authentication rollout, the other pressures victims with an urgent "data recovery" request claiming messages are at risk. Earlier waves used SMS verification code theft, account PIN harvesting, and malicious "group invite" links that silently linked an attacker-controlled device to the victim's account. The campaigns also extend to WhatsApp and Telegram. Targets are individuals of high intelligence value, including current and former U.S. and international government officials, military personnel, political figures, journalists, and Ukrainian officials. The March notice indicated thousands of accounts worldwide had already been compromised.
The update introduces two new tracking identifiers absent from the original notice: UNC5792 and UNC4221. The FBI attributes the activity to multiple Russian Intelligence Services (RIS) units, including FSB officers embedded with the FSB Border Guards and operators tied to Russian military services. The tradecraft aligns with warnings previously issued by Dutch intelligence (AIVD and MIVD), Germany's BfV and BSI, and France's ANSSI. Google's Threat Intelligence Group first documented UNC5792 abusing Signal's linked-device feature in early 2025 before observing the same approach against WhatsApp and Telegram. Alongside the advisory, the State Department's Rewards for Justice program is offering up to $10 million for information leading to the identification of UNC5792 operators. Users who suspect exposure should verify their account integrity with a privacy checkup and confirm no unauthorized sessions remain, while high-risk individuals can validate their broader exposure footprint using an email breach checker.
The agencies emphasize that none of these attacks break Signal's encryption or compromise the application itself. Attackers gain access through social engineering, then abuse legitimate account features (device linking, backups) to extend their access. Defenders should treat any in-app message claiming to be from "Signal support" as hostile, since legitimate support never asks for verification codes, PINs, or Recovery Keys inside the app. Victims should immediately open Settings, revoke any unrecognized linked devices, generate a new Recovery Key to invalidate the stolen one, and assume that previously backed-up data is already in adversary hands.