← Threat Intelligence
Nation-State

FBI: Russian Intelligence Now Steals Signal Backup Recovery Keys to Loot Entire Chat Histories

The FBI and CISA warn that Russian operators now trick targets into surrendering their Signal Backup Recovery Key. One handover restores the full backup and seizes the account. The encryption is intact; the human holding the account is the target.

Matt Lucas  |  June 27, 2026  |  5 min
Editorial illustration: a shadowy gloved hand slips a stolen key into the back of a padlocked vault, springing it open and spilling private conversation
$10M
reward for UNC5792 intel
Thousands
accounts compromised worldwide
2
new tracked groups (UNC5792, UNC4221)
5+
allied agencies corroborating
TL;DR
  • What: Russian intelligence operators posing as Signal support now phish targets into handing over their Signal Backup Recovery Key, per FBI/CISA advisory PSA I-062626-PSA.
  • Impact: One handover lets attackers restore the backup, read all private and group history, take over the account, and the stolen key keeps working even against a new account on the same number.
  • Fix / mitigation: Generate a new Recovery Key in Signal Settings to kill the old one, remove unrecognized Linked Devices, and never paste keys, PINs, or codes into a chat.
  • Who's at risk: Current and former U.S. and international officials, military personnel, political figures, journalists, and Ukrainian officials of high intelligence value.

The FBI and CISA have updated their March warning about Russian intelligence services phishing Signal accounts, and the tradecraft has escalated. Operators now coax targets into handing over their Signal Backup Recovery Key. Hand it over once, and the attacker can restore the account's backup, read the full private and group message history, and take over the account outright. The updated advisory, PSA I-062626-PSA, makes the blast radius clear: this is not a one-time code anymore, it is the key to the entire archive.

The detail that should worry every targeted user is persistence. The stolen key keeps working. Make a new account on the same phone number, and the old Recovery Key can still be used against it. The only fix is blunt: generate a new key in Settings, which kills the old one for future backup downloads, and accept that anything the attacker already pulled is already gone.

Who is behind it

The updated advisory adds two public tracking names the March notice lacked: UNC5792 and UNC4221. The FBI ties the activity to multiple Russian Intelligence Services (RIS) groups, including FSB officers embedded with the FSB Border Guards and others working for Russian military services. The campaign hits both Signal and WhatsApp accounts, though the new recovery-key tactic is specific to Signal. The State Department's Rewards for Justice program is offering up to $10 million for information on UNC5792.

This is not an isolated U.S. assessment. The activity overlaps with warnings from Dutch intelligence (AIVD and MIVD), Germany's BfV and BSI, and France's ANSSI earlier this year. Google's Threat Intelligence Group first documented UNC5792 abusing Signal's linked-device feature in early 2025, and watched the same tradecraft surface against WhatsApp and Telegram.

The targets

These are not opportunistic spray-and-pray operations. The targets are individuals of high intelligence value: current and former U.S. and international government officials, military personnel, political figures, journalists, and officials in Ukraine. The March notice reported the broader campaign had already compromised thousands of accounts worldwide before this latest tactic shift.

How the lure works

The phishing message poses as Signal support. Earlier waves asked for SMS verification codes and account PINs, or used doctored group invite links that silently linked an attacker's device to the account. The updated version walks the target through turning on Signal backups, opening the Recovery Key, and pasting it into the chat. The advisory prints two sample lures: one dressed up as a mandatory two-factor rollout, the other as an urgent data recovery fix for messages supposedly at risk of loss. Both manufacture authority and urgency, the two levers social engineering always pulls.

The encryption is not broken

FBI and CISA are explicit: none of this defeats Signal's encryption or the app itself. The actors compromise individual accounts through social engineering, then walk in through a legitimate feature. The cryptography holds. The account, and the person holding it, is the weak point. Hardening the app does nothing here; hardening the human is the entire defense.

What to do now

The takeaway for defenders

The March notice warned the tactics would shift, and they have, moving from chasing one-time codes to seizing the key that opens the entire message archive. For IT managers and security teams protecting high-value personnel, the lesson is that endpoint hardening and app choice are not enough when the attacker's path runs through a legitimate recovery feature and a convincing impersonation. Brief at-risk staff specifically on Recovery Key and Linked Device abuse, audit linked devices on a schedule, and treat any unsolicited security prompt inside a messaging app as a phishing attempt until proven otherwise. The encryption holds. The account is the target.

Questions about your exposure?

RedEye Security provides assessments for organizations that need to understand their real risk.

Talk to us

Related coverage

Other10 Million-Install Chrome Ad Blocker Hides a Remote Kill Switch for Arbitrary JavaScriptOtherGaslight: North Korea's Rust macOS Stealer Tries to Trick the AI Analyzing ItOtherBackdoor.Turn Got the Headlines. convoC2 Is the Version Anyone Can Run

Defend against this

RedEye builds the detection. Caver runs it. The feed ships it to your SIEM.

Managed Detection & Response →Caver SIEM →Live detection feed →