FBI Warns of Russian Intelligence Hackers Targeting Signal Backup Recovery Keys

Swati Khandelwal | June 26, 2026 | Secure Messaging / Social Engineering

The FBI and CISA have updated their March warning about Russian hijacking of Signal accounts, and the operators have added a step: they are now tricking targets into handing over their Signal backup key.

Give it up once, and an attacker can restore an account backup, read private and group message history, and take over the account. Even worse, the key keeps working: create a new account on the same phone number, and the old key can still be used against it, the advisory warns.

The fix is blunt: generate a new key in Settings, which kills the old one for future backup downloads, and accept that whatever the attacker has already downloaded is gone.

The updated advisory, PSA 062626-PSA, adds two public tracking names that were missing from the March notice: UNC5792 and UNC4221. The FBI attributes the work to multiple Russian Intelligence Services (RIS) groups, including FSB officers embedded with the FSB Border Guards and others working for Russia's military services. The campaign hits Signal and WhatsApp accounts; the new recovery key tactic described here is specific to Signal.

Targets are individuals of high intelligence value: current and former US and international government officials, military personnel, politicians, journalists, and officials in Ukraine. The March notice said the widespread campaign had already compromised thousands of accounts around the world.

The phishing message poses as Signal support. Earlier waves asked for SMS verification codes and account PINs, or used "group invite" links that silently linked the attacker's device to the account.

The updated version walks the target through opening Signal backups, revealing the recovery key, and pasting it into the conversation. The advisory reprints two sample messages: one dressed as a two-issue release obligation, the other as an emergency "data recovery" fix for messages that are said to be at risk of loss.

As in March, the agencies are clear that none of this breaks Signal's encryption or the app itself. The actors compromise individual accounts through social engineering, then get in through a legitimate feature.

Alongside the update, the State Department's Rewards for Justice program is offering up to $10 million for information on UNC5792.

The operation overlaps with warnings from Dutch intelligence (AIVD and MIVD), Germany's BfV and BSI, and France's ANSSI earlier this year. Google's Threat Intelligence Group first documented UNC5792 abusing Signal's linked devices feature in early 2025, and saw similar abuse appear on WhatsApp and Telegram.

What you have to do now

  • Treat any in-app message from "Signal Support" as hostile. Real support staff do not message you within the app to request codes, PINs, or your recovery key.
  • Never paste your backup key, verification code, or PIN into a chat. There is no legitimate reason for anyone to ask for them that way.
  • Open Settings, check Linked Devices, and remove anything you don't recognize.
  • If you think you've given away your recovery key, generate a new one in Settings now, and assume any backups made before that are already in someone else's hands.

March's notice warned that tactics would change. They have, from chasing one-time codes to taking the key that unlocks the entire archive. The encryption held. The account is the weak point, and the person holding it is the target.
