TL;DR: FBI warns Russian hackers are phishing Signal users for backup recovery keys, giving persistent access to message history.

The FBI and CISA have warned that Russian intelligence hackers are now targeting Signal users’ backup recovery keys, an escalation of a phishing campaign that has already compromised thousands of accounts worldwide. The updated advisory, published Thursday, says that handing over the key once gives attackers the ability to restore an account’s backup, read its entire private and group message history, and take over the account.

The key keeps working even after the victim changes phones. If a target creates a new account on the same phone number, the old recovery key can still be used to access future backups, the advisory warns. The only fix is to generate a new key in Signal’s settings, which invalidates the old one for future downloads but cannot recover anything the attacker has already pulled.

The advisory, designated PSA I-062626-PSA, adds two public tracking names the FBI’s March notice did not include: UNC5792 and UNC4221. The bureau ties the activity to multiple Russian Intelligence Services groups, including FSB officers embedded with the FSB Border Guards and others working for the Russian military. The campaign targets both Signal and WhatsApp, though the recovery key tactic is specific to Signal.