Signal Recovery Key Phishing: FBI Warns Russian Hackers

FBI and CISA warn Russian intelligence-linked hackers now phish Signal Backup Recovery Keys. Check linked devices, rotate exposed keys, and never share recovery codes.

The FBI and CISA updated their warning on June 26, 2026, saying Russian intelligence-linked operators are still phishing commercial messaging accounts and have added a sharper lure: stealing Signal Backup Recovery Keys from targeted users.[1] The alert does not say Signal encryption was broken. The risk is account-level social engineering: fake support messages push victims to hand over verification codes, PINs, linked-device approvals, or now the recovery key that can unlock backed-up message history.

The campaign is tracked publicly as UNC5792 and UNC4221, with the FBI tying activity to Russian Intelligence Services clusters, including FSB-linked personnel and actors working for Russian military services.[1] Targets include current and former U.S. and international government officials, military personnel, political figures, journalists, and officials in Ukraine. A March FBI/CISA notice said the broader campaign had already compromised thousands of commercial messaging accounts worldwide.[2]

The June update matters because a recovery key is more damaging than a one-time phishing code. If a victim follows the fake support flow, enables a backup, and then gives the attacker the Backup Recovery Key, the attacker may be able to restore historical private and group messages and take over the account.[1] The FBI also warns that the exposed key can remain useful even if the victim creates a new account with the same phone number, until the user generates a new recovery key.

Ukrainian security reporting published on June 27 described the same class of fake support-message activity against officials, military personnel, politicians, activists, and ordinary Ukrainian users, with SMS messages impersonating a messenger support bot and asking for account credentials.[3] The pattern fits a wider trend: attackers are not only stealing passwords, they are trying to capture the session, token, or account-recovery material that lets them step around normal authentication. HowToFix.guide recently covered that same practical lesson in AiTM phishing against Microsoft accounts and in the StealC and Amadey credential-recovery case.

What Signal users should check now

First, treat any in-app or SMS message claiming to be Signal support as hostile if it asks for a verification code, PIN, recovery key, QR scan, backup setup, or a link to “verify” or “restore” an account. The FBI/CISA reminder is blunt: legitimate messaging-app support does not ask users to provide verification codes inside the app, and it does not send restore links that require account secrets.[1]

Second, review linked devices and active sessions in Signal and any other messaging app used for sensitive work. Remove anything unfamiliar, update the app, and enable the strongest account-locking options available, including a Signal PIN/registration lock where appropriate. If there is any chance a Backup Recovery Key was shared, generate a new key from Signal settings so the old one is invalid for future backup downloads. That does not pull back messages already restored by an attacker, so the follow-up should include contact warnings and incident review.

Third, high-risk teams should brief executives, journalists, political staff, administrators, and Ukraine-facing personnel with concrete examples rather than generic “watch for phishing” language. Look for support-bot impersonation, urgent backup instructions, unknown linked-device prompts, suspicious QR codes, and messages that ask users to copy recovery text out of the app. Similar messaging-app abuse has already appeared in malware delivery, including the WhatsApp VBS malware campaign, so personal chat channels should not be treated as low-risk just because the app itself uses strong encryption.

For organizations, the useful triage question is not “was Signal hacked?” but “did any targeted person expose account-recovery material?” Security teams should ask affected users whether they shared a verification code, PIN, or recovery key, scanned a QR code from a chat, or saw an unexpected linked-device/session event. U.S. victims can report incidents to local FBI field offices or CISA, while other targets should use their national cyber reporting channels.[1]
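As an added example (not taken from the FBI/CISA alert or from this site), the screening rule above can be applied to messages that users forward to a help desk: a message is flagged when it claims to be support and also touches a verification code, PIN, recovery key, QR scan, backup setup, or a verify/restore link. The regexes, the `classify` function, and the sample messages are constructed assumptions.

```python
import re

# Indicators come from the article's checklist; the regexes themselves are
# illustrative assumptions and need tuning before use on real traffic.
SUPPORT_CLAIM = re.compile(r"\bsupport\b", re.I)
URL = re.compile(r"https?://\S+", re.I)
VERIFY_RESTORE = re.compile(r"\b(verify|restore)\b", re.I)
ASKS = {
    "verification_code": re.compile(r"\bverification\s+code\b", re.I),
    "pin": re.compile(r"\bpin\b", re.I),
    "recovery_key": re.compile(r"\brecovery\s+(key|code)\b", re.I),
    "qr_scan": re.compile(r"\bqr\b", re.I),
    "backup_setup": re.compile(
        r"\b(enable|turn\s+on|set\s+up|activate)\b[^.]{0,40}\bbackups?\b", re.I),
}

def classify(message: str) -> dict:
    """Flag a message that claims to be support AND touches an account secret."""
    text = " ".join(message.split())  # collapse whitespace and newlines
    hits = [name for name, rx in ASKS.items() if rx.search(text)]
    if URL.search(text) and VERIFY_RESTORE.search(text):
        hits.append("verify_restore_link")
    claims_support = bool(SUPPORT_CLAIM.search(text))
    hostile = claims_support and bool(hits)
    return {
        "claims_support": claims_support,
        "indicators": sorted(hits),
        "hostile": hostile,
        # A recovery-key lure means the user must be asked whether the key
        # was shared, and a new key generated if there is any chance it was.
        "ask_about_recovery_key": hostile and "recovery_key" in hits,
    }

# Constructed sample messages (not real campaign text).
SAMPLES = [
    "Signal Support: unusual login detected. Enable backups now and reply "
    "with your Backup Recovery Key to keep your messages.",
    "This is the Signal Support Bot. Scan the QR code at "
    "https://example.invalid/verify to verify your device.",
    "Your Signal verification code is 123456. Do not share it.",
    "Lunch at noon? I will bring the backup charger.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(classify(msg), "<-", msg[:50])
```

The third sample shows why both conditions are required: an ordinary code-delivery text mentions a verification code but does not claim to be support, so it is not flagged.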

  1. FBI IC3 and CISA. Russian Intelligence Services Continue to Target Commercial Messaging Applications. June 26, 2026.
  2. FBI IC3 and CISA. Russian Intelligence Services Target Commercial Messaging Application Accounts. March 20, 2026.
  3. The Hacker News. Ukraine Says Russian Intelligence Used Fake Support Texts to Steal Messaging Credentials. June 27, 2026.
  4. Signal Support. Backup and Restore Messages.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.
