FBI: Russian Hackers Now Target Signal Backup Recovery Keys
Russian state-linked hackers have found a way to own your Signal account permanently — not by breaking its encryption, but by tricking you into handing over a single string of characters called a Backup Recovery Key. On June 26, 2026, the FBI and CISA issued an updated Public Service Announcement warning that the same threat clusters behind months of messaging-app phishing have now escalated their tactics: instead of just stealing verification codes and PINs, they are specifically engineering victims into revealing the one credential that unlocks an account's entire message history — and keeps working even after the victim thinks they have locked the attacker out by creating a new account.
What actually happened
The campaign, publicly tracked under the cluster names UNC5792 and UNC4221 and attributed to Russian Intelligence Services (RIS) — including FSB officers embedded with border guards and Russian military services personnel — first drew official attention on March 20, 2026, when the FBI and CISA published an initial advisory (PSA I-032026-PSA). By that point, thousands of accounts worldwide had already been compromised. The June 26, 2026 update (PSA I-062626-PSA) documents a significant tactical evolution: attackers are no longer satisfied with intercepting one-time verification codes. They now specifically target Signal's Backup Recovery Key.
The phishing lures are designed to sound urgent and administrative. One sample message impersonates an automated Signal support account and warns of a "sync issue" that will cause permanent data loss unless the victim acts immediately. The instructions are surgical: navigate to Settings → Backups → Configure → Enable Backups → View Recovery Key, then paste the key directly into the chat. A second documented lure poses as a mandatory two-factor authentication rollout, creating a sense of institutional legitimacy that lowers a target's guard. Targets are not random — the campaign focuses on current and former U.S. and international government officials, military personnel, political figures, journalists, and key officials located in Ukraine.
Once an attacker possesses the Backup Recovery Key, they can restore the victim's full backup and read the entire private and group message history. Critically, that key remains valid even if the victim subsequently deletes their account and creates a new one on the same phone number. The FBI and CISA are clear that Signal's end-to-end encryption and the application itself have not been compromised; this is a pure account-takeover operation built on social engineering. The only remediation available after compromise is to generate a new Backup Recovery Key in Signal's Settings — which invalidates the old key for any future backup downloads — but any data the attacker already pulled cannot be recovered.
"RIS actors have evolved their tactics to elicit victims' Signal Backup Recovery Keys … allowing them to view victims' entire message history." — FBI/CISA PSA I-062626-PSA, June 26, 2026
Why this should matter to you even if you don’t run Signal
Even if your organization does not run Signal, this campaign illustrates a threat pattern that is entirely platform-agnostic. Nearly every collaboration and messaging tool in wide enterprise use — Microsoft Teams, Slack, WhatsApp, Telegram, Google Messages — has some form of account-recovery credential or backup passphrase. Russian state actors have now demonstrated that these recovery credentials are high-value targets precisely because they bypass the strong encryption that organizations rely on, and because most users are almost completely unaware that such credentials exist, let alone that they carry the same risk as a master password.
The social engineering model documented here is also transferable. Urgent warnings about data loss, mandatory security rollouts, and impersonated support channels are the same playbook used in business email compromise and IT help-desk scams. The only thing novel is the specific credential being requested. Any employee who has been trained to hand over a code texted to their phone can be trained — under the right pressure — to hand over a backup key they have never thought about before. High-value targets such as executives, legal counsel, HR directors, and anyone with access to sensitive communications should be treated as equivalent to the government officials and journalists named in the FBI advisory.
There is also a persistence dimension that makes this threat particularly insidious for incident response. Standard containment advice — change your password, revoke sessions, create a new account — does not evict an attacker who holds the Backup Recovery Key. Organizations that lack documented procedures for messaging-app account takeover will likely miss this vector entirely during a breach investigation, leaving a silent back channel open long after they believe the incident is closed.
The control that would have blunted it
The specific control that would have blunted this attack is phishing-resistant multi-factor authentication combined with a formal credential-inventory and security-key management policy. The FBI and CISA advisory makes the attack surface explicit: attackers are winning because victims do not know what a Backup Recovery Key is, do not know where it is stored, and have no organizational policy governing when — if ever — it should be shared or transmitted. A credential-inventory policy that classifies backup and recovery keys as high-sensitivity secrets, equivalent to private keys or master passwords, would have given employees a clear decision rule: this credential is never shared in any chat, with any support contact, for any reason.
Cyber insurers have increasingly codified this expectation. Underwriters now routinely ask whether organizations have MFA deployed across all communication platforms and whether security-awareness training covers social engineering beyond email. The shift toward evaluating messaging-app hygiene reflects exactly the threat pattern the FBI is documenting. Organizations that cannot demonstrate a training program covering account-recovery credential handling, or that lack a policy prohibiting sharing such credentials via in-app messages, face harder questions at renewal — and reduced coverage if a breach occurs through this vector.
Practically, the control has three components. First, generate a new Signal Backup Recovery Key now and store it in an organizational secrets manager or password vault — not in the messaging app itself, not in a note on your phone. Second, add backup and recovery keys for all communication platforms to your credential-inventory policy, with the same handling rules applied to API keys and certificates. Third, update security-awareness training to include a dedicated module on messaging-app account takeover, with explicit examples of the lures documented in the FBI advisory: fake data-loss warnings and fake mandatory-2FA rollouts. These are low-cost, high-signal controls that insurers can verify and that directly address the documented attack chain.
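The decision rule described above ("this credential is never shared in any chat") and the awareness-training lures listed in this section can both be expressed as a concrete check. The following Python is an added example written for this article, not Signal's code and not a tool from the FBI/CISA advisory. Inbound, it scores a message against the lure traits the advisory describes (a data-loss or urgency warning, a walkthrough of Settings > Backups, an impersonated support sender, a request to paste a key, a mandatory-2FA pretext); outbound, it blocks any message that carries something shaped like a recovery key. The key shape it looks for (64 alphanumeric characters, optionally in groups of four separated by spaces or dashes) is an assumption made for the example and is not taken from Signal's documentation, and every sample message is constructed.

```python
"""Heuristic screening of chat messages for recovery-key lures and leakage.

Added example for this article: not Signal's code and not an FBI/CISA tool.
The key shape below (64 alphanumeric characters, optionally in groups of four
separated by spaces or dashes) is an assumption made for illustration, and
every sample message is constructed.
"""
import re
from dataclasses import dataclass

# Assumed recovery-key shape: 16 groups of 4 alphanumerics, separators optional.
# Anchored so that a run inside a longer alphanumeric string does not match.
KEY_LIKE = re.compile(r"(?<![A-Za-z0-9])(?:[A-Za-z0-9]{4}[ -]?){16}(?![A-Za-z0-9])")

# Lure traits taken from the advisory's described lures; each hit adds one point.
LURE_SIGNALS = [
    ("mentions a recovery/backup key",
     re.compile(r"\b(recovery|backup)\s+key\b", re.I)),
    ("urgency or data-loss pressure",
     re.compile(r"\b(immediately|permanent(ly)?\s+(data\s+)?loss|will be (deleted|lost)|within \d+ hours?)\b", re.I)),
    ("walks the reader through Settings > Backups",
     re.compile(r"\bsettings\b.*\bbackups?\b", re.I | re.S)),
    ("claims to be support, official or automated",
     re.compile(r"\b(signal\s+support|official|automated|support\s+team|security\s+team)\b", re.I)),
    ("asks the reader to paste/send/share a key",
     re.compile(r"\b(paste|send|reply with|enter|share)\b.{0,40}\bkey\b", re.I | re.S)),
    ("mandatory 2FA / verification pretext",
     re.compile(r"\b(mandatory|required)\b.{0,40}\b(two[- ]factor|2fa|verification)\b", re.I | re.S)),
]


@dataclass
class Verdict:
    action: str      # "block", "warn" or "allow"
    score: int       # number of lure traits matched
    reasons: list    # human-readable explanations for the analyst


def find_key_like_tokens(text):
    """Return recovery-key-shaped substrings with their separators removed."""
    return [re.sub(r"[ -]", "", m.group()) for m in KEY_LIKE.finditer(text)]


def assess_message(text, direction="inbound", warn_threshold=2):
    """Inbound: score lure traits. Outbound: block anything carrying a key-shaped token."""
    if direction == "outbound":
        keys = find_key_like_tokens(text)
        if keys:
            return Verdict("block", 0,
                           [f"outbound message carries {len(keys)} recovery-key-shaped token(s)"])
    reasons = [label for label, pattern in LURE_SIGNALS if pattern.search(text)]
    action = "warn" if len(reasons) >= warn_threshold else "allow"
    return Verdict(action, len(reasons), reasons)


# Constructed samples modelled on the two lures the advisory describes, plus controls.
SAMPLE_SYNC_LURE = (
    "Signal Support: A sync issue was detected on your account. To prevent permanent "
    "data loss, go to Settings > Backups > Configure > Enable Backups > View Recovery Key "
    "and paste the key here immediately."
)
SAMPLE_2FA_LURE = (
    "Mandatory two-factor authentication rollout: all accounts must reply with the "
    "recovery key shown under Settings > Backups by Friday."
)
SAMPLE_BENIGN = "Can you send me the key to the supply closet before you leave?"
CONSTRUCTED_KEY = " ".join(f"{i:02d}ab" for i in range(16))   # 16 x 4 chars, fake value
SAMPLE_LEAK = "here it is: " + CONSTRUCTED_KEY

if __name__ == "__main__":
    for name, text, direction in [
        ("sync-issue lure", SAMPLE_SYNC_LURE, "inbound"),
        ("mandatory-2FA lure", SAMPLE_2FA_LURE, "inbound"),
        ("benign request", SAMPLE_BENIGN, "inbound"),
        ("outbound key leak", SAMPLE_LEAK, "outbound"),
    ]:
        v = assess_message(text, direction)
        print(f"{name:20s} -> {v.action:5s} (score {v.score}): {'; '.join(v.reasons)}")
```

The signal list and the warning threshold are the tuning knobs: a single weak trait (a colleague asking for a closet key) stays below the threshold, while the two advisory lures trip several traits at once. The outbound check deliberately errs on the side of blocking; a 64-character hex hash would also match the assumed key shape, which is an acceptable false positive on channels where recovery keys must never travel, and can be narrowed if it proves noisy.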
Does Your Security Checklist Cover Messaging App Account Takeover?
Run through Strondex's cyber-security checklist to verify your organization has controls in place against credential-phishing, backup-key exposure, and the persistent access threats that insurers now scrutinize at renewal.
Strondex's Security Checklist walks your team through exactly these controls — credential inventory, MFA coverage, and awareness-training requirements — in the format cyber insurers expect to see at renewal.
Sources
- FBI Internet Crime Complaint Center (IC3), PSA I-062626-PSA, "Updated PSA: Russian Intelligence Services Targeting Commercial Messaging Applications": ic3.gov
- FBI Internet Crime Complaint Center (IC3), PSA I-032026-PSA, "Russian Intelligence Services Targeting Commercial Messaging Applications": ic3.gov
- The Hacker News, "FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys": thehackernews.com
- BleepingComputer, "FBI: Russian Hackers Now Target Signal Backup Recovery Keys": bleepingcomputer.com
Reported figures vary by source and were accurate as of publication; this article is general security commentary, not specific security or underwriting advice.