FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys

Summary

The FBI and CISA have updated their warning about Russian intelligence actors targeting Signal accounts. The attackers now specifically target Signal Backup Recovery Keys through social engineering, allowing them to restore and access message history. This tactic, used by UNC5792 and UNC4221, targets high-value individuals and has already compromised thousands of accounts globally.

Full text

FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys Swati KhandelwalJun 26, 2026Secure Messaging / Social Engineering The FBI and CISA have updated their March warning about Russian intelligence phishing Signal accounts, and the operators have added a step: they now coax targets into handing over their Signal Backup Recovery Key. Hand it over once, and the attacker can restore the account's backup, read the private and group message history, and take over the account. Worse, the key keeps working. Make a new account on the same phone number, and the old key can still be used against it, the advisory warns. The fix is blunt: generate a new key in Settings, which kills the old one for future backup downloads, and accept that anything the attacker already pulled is gone. The updated advisory, PSA I-062626-PSA, adds two public tracking names the March notice lacked: UNC5792 and UNC4221. The FBI ties the activity to multiple Russian Intelligence Services (RIS) groups, including FSB officers embedded with the FSB Border Guards and others working for the Russian military services. The campaign hits Signal and WhatsApp accounts; the new recovery-key tactic the advisory describes is specific to Signal. The targets are individuals of high intelligence value: current and former U.S. and international government officials, military personnel, political figures, journalists, and officials in Ukraine. The March notice said the broader campaign had already compromised thousands of accounts worldwide. The phishing message poses as Signal support. Earlier waves asked for SMS verification codes and account PINs, or used doctored "group invite" links that silently linked an attacker's device to the account. The updated version walks the target through turning on Signal backups, opening the Recovery Key, and pasting it into the chat. The advisory prints two sample messages: one dressed up as a mandatory two-factor rollout, the other as an urgent "data recovery" fix for messages supposedly at risk of loss. As in March, the agencies are clear that none of these breaks Signal's encryption or the app itself. The actors compromise individual accounts through social engineering, then walk in through a legitimate feature. Alongside the update, the State Department's Rewards for Justice program is offering up to $10 million for information on UNC5792. The activity overlaps with warnings from Dutch intelligence (AIVD and MIVD), Germany's BfV and BSI, and France's ANSSI earlier this year. Google's Threat Intelligence Group first documented UNC5792 abusing Signal's linked-device feature in early 2025, and saw the same tradecraft turn up against WhatsApp and Telegram. What to do now Treat any in-app message from "Signal support" as hostile. Real support does not message you inside the app to ask for codes, PINs, or your Recovery Key. Never paste your Backup Recovery Key, verification code, or PIN into a chat. Nothing legitimate asks for them that way. Open Settings, check Linked Devices, and remove anything you do not recognize. If you think you handed over your Recovery Key, generate a new one in Settings now, and assume any backup made before that is already in someone else's hands. The March notice warned the tactics would shift. They have, from chasing one-time codes to taking the key that opens the entire archive. The encryption holds. The account is the weak point, and the person holding it is the target. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  CISA, FBI, Phishing, Russian Intelligence, Secure Messaging, Signal, Social Engineering ⚡ Top Stories This Week Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability New Gaslight macOS Malware Uses Prompt Injection to Disrupt AI-Assisted Analysis Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access Google Sets Sept. 30 Deadline for Android Developer Verification in Four Countries Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool 29-Year-Old Squid Proxy Bug 'Squidbleed' Can Leak Cleartext HTTP Requests ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More Unpatchable 'usbliter8' Exploit Breaks Apple A12 and A13 SecureROM Boot Chain The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution Salesforce Disables Klue App Integration After OAuth Token Abuse Exposes Customer Data ⭐ Featured Resources Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale [Watch Demo] See Which Security Gaps Attackers Could Exploit First AI Can’t Stop Every Attack. Learn How Zero Trust Can Block What’s Unknown Have You Outgrown Your MDR? 7 Warning Signs Every CISO Should Check

Indicators of Compromise

• mitre_attack — T1598.003
• mitre_attack — T1078.004
• mitre_attack — T1539

Entities