FBI Warns Russian Spies Are Phishing Signal Backup Recovery Keys
The FBI says two Russian intelligence groups are tricking Signal users into handing over the recovery key that unlocks their encrypted message backups. Once they have it, they restore your full chat history on their own phone. The targets are officials and journalists for now, but the same trick works on anyone who uses Signal for work.
By SecureBusinessHub Editorial, International cybersecurity desk
The FBI put out a public warning on 26 June. Two Russian intelligence crews are going after Signal users, and the prize is not your password. It is the recovery key that unlocks your encrypted message backups.
The bait
The attackers pose as Signal support and claim you must complete a mandatory two-factor check. Signal has no such process. Real support teams never ask for a verification code or a recovery key inside the app, and that single rule defeats most of this campaign.
How the theft works
Signal's Secure Backups feature keeps an encrypted copy of your messages on Signal's servers, and one recovery key unlocks it. The attackers walk the victim through the exact taps: Settings, then Backups, then Enable backups, then View recovery key, then Copy to clipboard. A second message warns of imminent data loss to rush the victim into pasting that key back. With the key, they restore your backup on their own device and read everything: private chats, group chats, the full history.
Who they are after
The FBI tracks the two groups as UNC5792 and UNC4221 and links them to Russian intelligence, including FSB border guard officers and Russian military actors. The named targets are current and former US and international government staff, military personnel, political figures, journalists, and Ukrainian officials. If your people use Signal for sensitive work, the same playbook reaches them.
Lock it down today
- Open Signal, go to Settings then Backups, and generate a new Backup Recovery Key. That immediately invalidates any key an attacker may already hold.
- Treat any message about a 'mandatory verification' as a scam. Signal never asks for a recovery key or a code through chat.
- Open Settings then Linked Devices and remove anything you do not recognise.
- Tell staff who use Signal for work that the recovery key is as sensitive as a password: never shared, never screenshotted, never pasted into a chat.
- If you think a key leaked, rotate it, warn your contacts, and report it to the FBI's IC3 at ic3.gov.
Encryption protects a message while it travels. It does nothing once someone holds the key to the vault. This campaign skips the cryptography and goes straight for the person holding the key.