FBI Warns: Russian hackers steal Signal recovery keys

The FBI and CISA say an evolved Russian-linked phishing campaign targeting Signal users now tries to steal Signal Backup Recovery Keys—letting attackers restore victims’ encrypted historical messages. The agencies urge users to watch for impersonation tactics.

For Signal users who thought the threat ended at end-to-end encryption, the newest warning hits a different nerve: the recovery key.

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) say a phishing campaign tied to Russian intelligence services has evolved to target Signal users specifically for the Backup Recovery Keys used to restore secure backups. The FBI’s updated public service announcement—published today—builds on a March 2026 advisory that already warned commercial messaging users, particularly Signal users, were being targeted through phishing designed to hijack accounts rather than break end-to-end encryption.

“RIS cyber threat actors continue to masquerade as automated CMA support accounts in updated phishing messages but have evolved their tactics to attempt to elicit victims’ Backup Recovery Keys,” the FBI PSA warns.

The campaign remains aimed at people the agencies describe as being of “high intelligence value,” including current and former US and international government officials, military personnel, political figures, journalists, and key officials located in Ukraine.

The FBI and CISA attribute the activity to Russian Intelligence Services (RIS), including officers embedded with Russia’s Federal Security Service (FSB) Border Guards and other actors working on behalf of the Russian military. The campaign is publicly tracked as UNC5792 and UNC4221.

The key change: backups, not just accounts

In the March 2026 advisory, the focus was on phishing messages that attempted to steal verification codes or account PINs, or to trick users into linking attacker-controlled devices to their Signal accounts.

The updated alert says the attackers have shifted tactics. The FBI describes continued impersonation of Signal support teams through phishing messages that falsely claim Signal is introducing mandatory two-factor verification after an alleged wave of attacks by hackers from Iran and post-Soviet countries.

The initial phishing message gives recipients instructions that mirror Signal’s own backup flow. It says:

“Recently, attempts to hack users of our messenger with the connection of third-party devices to the account have become more frequent,” reads the first message.

It then claims, “An investigation conducted jointly with the US government and European partners revealed that the attacks on accounts were carried out by hackers from Iran and post-Soviet countries. In this regard, Signal updates Terms of Service & Privacy Policy, and introduces Mandatory Two-factor Verification for users.”

Finally, it pushes users through a step-by-step backup setup: “Not to lose your messages and media, set up your Signal Backup (Settings -> Backups -> Enable backups -> View recovery key -> Copy to clipboard -> Next -> Enter the recovery key -> Next -> Continue -> Choose your backup plan). Click the “Accept” button in the pop-up and stay tuned for security updates on our messenger.”

If a target follows those steps, the FBI says the user’s Signal messages are backed up using Signal’s Secure Backups feature. Those backups store encrypted copies of conversations on Signal’s cloud servers.

The agencies emphasize that the data is end-to-end encrypted using the recovery key created during the setup steps, and that the key should never be provided to anyone else—because anyone with the key can use it to recover the backed-up data on their own devices.

But the phishing doesn’t stop with the recovery key

After the first message, the FBI says the threat actors send a second phishing message while still posing as Signal support. This time, the lure is urgency tied to another claimed problem: synchronization.

“Your Signal Account data (messages and media) is at risk of permanent loss due to a sync issue,” reads the second Signal message.

From there, the attackers prompt victims to go back into Backup settings, copy the recovery key to the clipboard, and paste it into the message to prevent the loss of stored data.

Once the recovery key is provided, the FBI says attackers can restore the backup to their own devices and access the victim’s historical messages—including private and group conversations.

Even changing your number won’t help—if the key is already out

The updated advisory also warns about a recovery scenario users might miss after their account was compromised.

The FBI says that if an attacker obtains a user’s Backup Recovery Key, creating a new Signal account using the same phone number does not invalidate the old stolen key. Instead, users must generate a new Signal Backup Recovery Key through Signal’s backup settings, which invalidates the previous key for future backup downloads.

Still, the agencies warn of a painful limitation: generating a new recovery key will not prevent attackers from accessing backups they already downloaded using the compromised key.

What Signal support is supposed to do—and what attackers won’t

The FBI PSA concludes with reminders meant to prevent escalation during a moment of confusion. Legitimate messaging application support teams, the agencies say, only communicate through official company email addresses, never request verification codes within the application, and do not send links asking users to verify or restore their accounts.

Anyone who believes they have fallen victim is encouraged to report the incident to the FBI’s Internet Crime Complaint Center (IC3), a local FBI field office, or CISA.
