Russian hackers now phishing for Signal backup recovery keys

The FBI and CISA are warning that a phishing campaign tied to Russian intelligence services and targeting Signal users has evolved to steal Signal Backup Recovery Keys, giving attackers access to victims' historical messages.
The public service announcement updates a March 2026 advisory that warned threat actors were targeting users of commercial messaging apps, particularly Signal, with phishing campaigns designed to take over accounts rather than break end-to-end encryption.
“RIS cyber threat actors continue to impersonate CMA-backed accounts in updated phishing messages but have changed their tactics to obtain victims’ Backup Keys,” warns an FBI PSA published today.
According to the FBI, the campaign continues to target people of intelligence interest, including current and former US and international government officials, military personnel, political scientists, journalists, and key officials in Ukraine.
The agencies attribute the operation to the Russian Intelligence Services (RIS), including officers embedded with Russia's Federal Security Service (FSB) Border Guards and other actors working for the Russian military. The activity is publicly tracked as UNC5792 and UNC4221.
A new phishing tactic targets Signal Backups
While the original advisory focused on phishing messages that attempted to steal authentication codes or account PINs, or trick users into linking attacker-controlled devices to their Signal accounts, the updated warning says attackers have changed their tactics.
The FBI says the threat actors continue to pose as Signal support accounts, sending phishing messages claiming that Signal has introduced mandatory two-factor authentication following a wave of alleged attacks by hackers from Iran and post-Soviet countries.
“Recently, attempts to hack users of our messenger by connecting third-party devices to the account have become more common,” the first phishing message read.
“A joint investigation with the US government and European partners revealed that the attacks on the accounts were carried out by hackers in Iran and post-Soviet countries. In this regard, Signal is updating its Terms of Service and Privacy Policy, and introducing Mandatory Two-Factor Authentication for users.”
“To avoid losing your messages and media, set up your Signal Backup (Settings -> Backups -> Enable backups -> View recovery key -> Copy to clipboard -> Next -> Enter recovery key -> Next -> Continue -> Select your backup plan). Click the “Accept” button on the pop-up and stay tuned for security updates from our messenger.”
If the target follows these instructions, their Signal messages are backed up using Signal’s Secure Backups feature, which stores encrypted copies of the conversations on Signal’s cloud servers.
The backup is end-to-end encrypted under the recovery key generated in those steps. That key is the only secret needed to restore the backup, so it should never be shared: anyone holding it can restore the backed-up data to a device they control.
The threat actors later send a second phishing message, still posing as Signal Support, warning that the target's data is at risk of being lost because of a sync problem.
“Your Signal Account data (messages and media) is at risk of permanent loss due to a sync problem,” reads the second message.
The target is then told to open the Backup settings, copy the recovery key to the clipboard, and paste it into the chat to "prevent" the loss of the backup.
Once the recovery key is handed over, the attackers can restore the backup to their own devices and read the victim's historical messages, including private and group chats.
The updated advisory also warns of a remediation step users may miss after their account is compromised.
The FBI warns that if an attacker obtains a user's Backup Recovery Key, creating a new Signal account with the same phone number does not make the stolen key obsolete.
Instead, users must generate a new Backup Recovery Key in Signal's backup settings, which disables the previous key for future backup downloads.
However, the agencies warn that generating a new recovery key will not prevent attackers from accessing backups they have already downloaded using a compromised key.
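To make the key-handling consequences concrete, the following Python model is added here for illustration; it is not Signal's code and does not reproduce Signal's actual key derivation, recovery-key alphabet or server-side checks. It shows the four points the advisory makes: the recovery key alone decrypts a backup blob, re-registering the phone number leaves that key unchanged, rotating the key stops new backups from decrypting under the old one, and a blob already fetched with the stolen key stays readable. The assumed 64-character key, the HKDF-derived subkeys and the HMAC-based stream cipher standing in for AES-GCM are choices made so the example runs on the standard library alone.

```python
"""Toy model of recovery-key handling for cloud backups (added example, not Signal's code)."""
import hashlib
import hmac
import os
import secrets
import string
from typing import Dict, Optional, Tuple

# Assumption: a 64-character recovery key; the real alphabet/encoding is not reproduced.
KEY_ALPHABET = string.ascii_lowercase + string.digits
KEY_LENGTH = 64
NONCE_LEN, TAG_LEN = 16, 32


def generate_recovery_key() -> str:
    """Fresh random recovery key, the only secret a backup depends on."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(KEY_LENGTH))


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF-Extract + HKDF-Expand with SHA-256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_backup_keys(recovery_key: str) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC subkeys derived from the recovery key (toy labels)."""
    ikm = recovery_key.encode()
    return hkdf_sha256(ikm, b"toy-backup-enc"), hkdf_sha256(ikm, b"toy-backup-mac")


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib stand-in for a real AEAD such as AES-GCM."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt_backup(recovery_key: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = derive_backup_keys(recovery_key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_backup(recovery_key: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong or the blob was tampered with."""
    enc_key, mac_key = derive_backup_keys(recovery_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Account:
    """A user's account as far as backups are concerned: phone number, key, one cloud blob."""

    def __init__(self, phone: str) -> None:
        self.phone = phone
        self.recovery_key = generate_recovery_key()
        self.cloud_backup: Optional[bytes] = None

    def upload_backup(self, messages: bytes) -> None:
        self.cloud_backup = encrypt_backup(self.recovery_key, messages)

    def reregister(self) -> None:
        # Models the advisory's statement: a new registration of the same number
        # does not touch the recovery key, so we deliberately keep it.
        self.cloud_backup = None

    def rotate_recovery_key(self) -> None:
        self.recovery_key = generate_recovery_key()


def run_scenario() -> Dict[str, bool]:
    """Walk through theft, re-registration and rotation; each flag should be True."""
    victim = Account("+15555550100")            # constructed sample account
    victim.upload_backup(b"old chats")
    stolen_key = victim.recovery_key            # pasted into the "sync problem" lure
    attacker_copy = victim.cloud_backup         # attacker restores, i.e. fetches the blob
    result: Dict[str, bool] = {}
    result["stolen_key_decrypts"] = decrypt_backup(stolen_key, attacker_copy) == b"old chats"
    victim.reregister()
    victim.upload_backup(b"chats after re-registration")
    result["reregister_does_not_help"] = (
        decrypt_backup(stolen_key, victim.cloud_backup) == b"chats after re-registration"
    )
    victim.rotate_recovery_key()
    victim.upload_backup(b"chats after rotation")
    result["rotation_blocks_new_backups"] = decrypt_backup(stolen_key, victim.cloud_backup) is None
    result["rotation_cannot_recall_downloaded"] = (
        decrypt_backup(stolen_key, attacker_copy) == b"old chats"
    )
    return result


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The last flag is the one the advisory stresses: rotation protects backups uploaded from now on, but a copy the attacker already pulled down remains decryptable forever under the leaked key, which is why the only real fix is never to paste the recovery key anywhere.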
The updated advisory reminds users that official messaging app support teams communicate only through official company email addresses, never ask for verification codes within the application, and never send links asking users to verify or restore their accounts.
Anyone who believes they have been a victim of the campaign is encouraged to report the incident to the FBI’s Internet Crime Complaint Center (IC3), a local FBI office, or CISA.
