The FBI and CISA are warning that a phishing campaign targeting Signal users tied to Russian intelligence services has evolved to steal Signal Backup Recovery Keys, allowing attackers to access victims’ historical messages.
The updated public service announcement is an update to a March 2026 advisory that warned the threat actors were targeting users of commercial messaging applications, particularly Signal, through phishing campaigns designed to hijack accounts rather than break end-to-end encryption.
“RIS cyber threat actors continue to masquerade as automated CMA support accounts in updated phishing messages but have evolved their tactics to attempt to elicit victims’ Backup Recovery Keys,” warns an FBI PSA published today.
According to the FBI, the campaign continues to target individuals of high intelligence value, including current and former US and international government officials, military personnel, political figures, journalists, and key officials located in Ukraine.
The agencies attribute the activity to Russian Intelligence Services (RIS), including officers embedded with Russia’s Federal Security Service (FSB) Border Guards and other actors working on behalf of the Russian military. The campaign is publicly tracked as UNC5792 and UNC4221.
New phishing tactic targets Signal backups
While the original advisory focused on phishing messages that attempted to steal verification codes or account PINs, or to trick users into linking attacker-controlled devices to their Signal accounts, the updated alert says the attackers have evolved their tactics.
The FBI says the threat actors continue to impersonate Signal support teams, sending phishing messages that falsely claim Signal is introducing mandatory two-factor verification following an alleged wave of attacks by hackers from Iran and post-Soviet countries.
“Recently, attempts to hack users of our messenger with the connection of third-party devices to the account have become more frequent,” reads the initial phishing message.
“An investigation conducted jointly with the US government and European partners revealed that the attacks on accounts were carried out by hackers from Iran and post-Soviet countries. In this regard, Signal updates Terms of Service & Privacy Policy, and introduces Mandatory Two-factor Verification for users.”
“Not to lose your messages and media, set up your Signal Backup (Settings -> Backups -> Enable backups -> View recovery key -> Copy to clipboard -> Next -> Enter the recovery key -> Next -> Continue -> Choose your backup plan). Click the “Accept” button in the pop-up and stay tuned for security updates on our messenger.”
When a target follows these instructions, their Signal messages are backed up using Signal’s Secure Backups feature, which stores encrypted copies of conversations on Signal’s cloud servers.
The data is end-to-end encrypted using the recovery key created in the steps above and should never be given to anyone else, as anyone with the key can use it to recover the backed-up data on their own devices.
The threat actors later send a second phishing message, still posing as Signal support, warning that your data is at risk of loss due to a synchronization issue.
“Your Signal Account data (messages and media) is at risk of permanent loss due to a sync issue,” reads the second Signal message.
The threat actors then prompt you to go into the Backup settings, copy your recovery key to the clipboard, and paste it into the message to prevent the loss of your stored data.
However, once you provide your recovery key, they can restore the backup to their own devices and gain access to the victim’s historical messages, including private and group conversations.
The updated advisory also warns of a recovery scenario that users may miss after their account was compromised.
The FBI warns that if an attacker obtains a user’s Backup Recovery Key, creating a new Signal account using the same phone number does not invalidate the old stolen key.
Instead, users must generate a new Backup Recovery Key through Signal’s backup settings, which invalidates the previous key for future backup downloads.
However, the agencies warn that generating a new recovery key will not prevent attackers from accessing backups they already downloaded using the compromised key.
The updated advisory reminds users that legitimate messaging application support teams only communicate through official company email addresses, never request verification codes within the application, and do not send links asking users to verify or restore their accounts.
Anyone who believes they have fallen victim to the campaign is encouraged to report the incident to the FBI’s Internet Crime Complaint Center (IC3), a local FBI field office, or CISA.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
