Russian Hackers Evolve Tactics to Steal Signal Backup Recovery Keys, Exposing Users’ Historical Messages
A phishing campaign tied to Russian intelligence services and targeting Signal users has taken a concerning turn. The FBI and CISA have issued an updated public service announcement warning that hackers are now attempting to steal Signal Backup Recovery Keys, granting them access to victims’ historical messages.
The threat actors, attributed to Russian Intelligence Services (RIS), including officers embedded with Russia’s Federal Security Service (FSB) Border Guards and other actors working on behalf of the Russian military, continue to target individuals of high intelligence value. This includes current and former US and international government officials, military personnel, political figures, journalists, and key officials in Ukraine.
The phishing campaign, publicly tracked as UNC5792 and UNC4221, has evolved from previous tactics aimed at stealing verification codes or account PINs. The attackers now impersonate Signal support teams, sending messages that falsely claim the introduction of mandatory two-factor verification following an alleged wave of attacks by hackers from Iran and post-Soviet countries.
The initial phishing message convinces targets to set up their Signal Backup by providing a recovery key, which is then used to store encrypted copies of conversations on Signal’s cloud servers. The attackers later send a second phishing message warning that the user’s data is at risk of loss due to a synchronization issue and prompt them to provide their recovery key again.
Once in possession of a victim’s Backup Recovery Key, the hackers can restore the backup to their own devices and gain access to private and group conversations. What’s more concerning is that generating a new recovery key will not prevent attackers from accessing backups they already downloaded using the compromised key.
This development highlights the importance of security awareness among Signal users. With the increased risk of data breaches, it’s crucial for individuals to be cautious when receiving unsolicited messages, especially those claiming to be from support teams or introducing mandatory security updates. Users should verify the authenticity of such messages and never share sensitive information, including recovery keys.
The updated advisory serves as a reminder that legitimate messaging application support will never request sensitive data, including backup recovery keys. If you suspect your account has been compromised, take immediate action by generating a new Backup Recovery Key through Signal’s backup settings, which invalidates the previous key for future backup downloads. However, as noted above, this step does not prevent attackers from accessing backups they already downloaded using the compromised key.
As we navigate an increasingly complex cybersecurity landscape, it’s essential to prioritize security awareness and vigilance. Stay informed about phishing campaigns targeting popular messaging applications like Signal, and always err on the side of caution when receiving unsolicited messages or requests for sensitive information.
Source: Bleeping Computer — 2026-06-26