The FBI and CISA have issued a warning about a phishing campaign aimed at Signal users that has connections to Russian intelligence services. This campaign has now progressed to stealing Signal Backup Recovery Keys, which enables attackers to gain access to victims’ past messages.
This latest public advisory serves as an update to a previous warning from March 2026, which cautioned that threat actors were going after users of popular messaging apps—especially Signal—through phishing efforts meant to take over accounts rather than bypass end-to-end encryption.
“RIS cyber threat actors continue to masquerade as automated CMA support accounts in updated phishing messages but have evolved their tactics to attempt to elicit victims’ Backup Recovery Keys,” warns an FBI PSA published today.

The FBI states that the campaign continues to focus on individuals considered to be of high intelligence value. This includes current and former officials from the US and international governments, military personnel, political operatives, members of the press, and key officials based in Ukraine.
The agencies have linked these activities to Russian Intelligence Services (RIS), including officers stationed with Russia’s Federal Security Service (FSB) Border Guards as well as other operatives acting on behalf of the Russian military. The campaign is publicly identified under the tracking names UNC5792 and UNC4221.
New phishing tactic targets Signal backups
Where the original advisory centered on phishing attempts aimed at swiping verification codes, account PINs, or tricking users into pairing attacker-controlled devices with their Signal accounts, the revised alert indicates that the attackers have shifted their approach.
The FBI explains that the threat actors are still pretending to be Signal support staff, dispatching phishing messages that falsely assert that Signal is rolling out mandatory two-factor verification in response to an alleged surge of attacks by hackers originating from Iran and post-Soviet nations.
“Recently, attempts to hack users of our messenger with the connection of third-party devices to the account have become more frequent,” reads the initial phishing message.
“An investigation conducted jointly with the US government and European partners revealed that the attacks on accounts were carried out by hackers from Iran and post-Soviet countries. In this regard, Signal updates Terms of Service & Privacy Policy, and introduces Mandatory Two-factor Verification for users.”
“Not to lose your messages and media, set up your Signal Backup (Settings -> Backups -> Enable backups -> View recovery key -> Copy to clipboard -> Next -> Enter the recovery key -> Next -> Continue -> Choose your backup plan). Click the ‘Accept’ button in the pop-up and stay tuned for security updates on our messenger.”
When a target follows these steps, their Signal messages are backed up using Signal’s Secure Backups feature, which stores encrypted copies of conversations on Signal’s cloud servers.
The data is end-to-end encrypted using the recovery key generated in the steps above, and this key should never be shared with anyone else, as anyone possessing the key can use it to retrieve the backed-up data on their own devices.
The threat actors then follow up with a second phishing message, still posing as Signal support, warning that the target's data faces the risk of permanent loss because of a synchronization problem.
“Your Signal Account data (messages and media) is at risk of permanent loss due to a sync issue,” reads the second Signal message.
The threat actors then urge the target to navigate to the Backup settings, copy the recovery key to the clipboard, and paste it into the message in order to prevent the loss of stored data.
However, once the target hands over the recovery key, the attackers can restore the backup onto their own devices and gain access to the victim’s historical messages, including both private and group conversations.
The updated advisory also cautions about a recovery scenario that users might overlook after their account has been compromised.
The FBI warns that if an attacker obtains a user’s Backup Recovery Key, simply creating a new Signal account using the same phone number does not render the old stolen key useless.
Instead, users must generate a brand-new Backup Recovery Key through Signal’s backup settings, which invalidates the previous key for any future backup downloads.
However, the agencies caution that generating a new recovery key will not stop attackers from accessing backups they have already downloaded using the compromised key.
The updated advisory reminds users that legitimate messaging app support teams only ever reach out through official company email addresses, never ask for verification codes within the application itself, and do not send links prompting users to verify or restore their accounts.
Anyone who suspects they have fallen prey to this campaign is urged to report the incident to the FBI’s Internet Crime Complaint Center (IC3), a local FBI field office, or CISA.




