Russian Hackers Target Signal Users with Sophisticated Phishing Campaign
A sophisticated phishing campaign tied to Russian intelligence services has evolved to target Signal users, potentially giving attackers access to their historical messages. The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have issued a public service announcement warning about the threat, which affects individuals of high intelligence value, including government officials, military personnel, journalists, and key figures in Ukraine.
The phishing campaign, attributed to Russian Intelligence Services (RIS), involves attackers masquerading as Signal support teams. They send messages claiming that Signal is introducing mandatory two-factor verification due to alleged hacking attempts from Iran and post-Soviet countries. The initial message prompts users to set up a Signal backup, which is stored on Signal’s cloud servers in end-to-end encrypted form, by creating a recovery key.
However, once the victim follows these instructions, the attackers send a second phishing message claiming that there is a synchronization issue with the user’s account data, putting it at risk of permanent loss. They prompt the victim to copy their recovery key and paste it into the message, which allows the attackers to access the backed-up data on their own devices.
The FBI warns that if an attacker obtains a user’s Backup Recovery Key, creating a new Signal account using the same phone number does not invalidate the old stolen key. Instead, users must generate a new Backup Recovery Key through Signal’s backup settings, which invalidates the previous key for future backup downloads. However, this will not prevent attackers from accessing backups they already downloaded using the compromised key.
The agencies attribute the activity to RIS, including officers embedded with Russia’s Federal Security Service (FSB) Border Guards and other actors working on behalf of the Russian military. The campaign is publicly tracked as UNC5792 and UNC4221.
This phishing campaign highlights the importance of being cautious when receiving messages claiming to be from support teams, especially those that ask for sensitive information such as recovery keys. Users should verify the authenticity of these messages by contacting Signal’s support team directly or checking its official website for any updates on security measures.
To protect yourself from this type of attack, never share your recovery key with anyone and only use it if you are sure you can trust the recipient. If you suspect that your account has been compromised, change your password immediately and generate a new Backup Recovery Key through Signal’s backup settings. Additionally, consider enabling two-factor authentication on your Signal account to add an extra layer of security. By being vigilant and taking these precautions, you can significantly reduce the risk of falling victim to this sophisticated phishing campaign.
Source: Bleeping Computer — 2026-06-26