New FBI Alert: Russian Intelligence Uses Signal Recovery Keys to Access Messages

FBI warns Russian spies now target Signal Backup Recovery Keys, enabling access to message history and long-term account takeover.
The FBI and CISA updated their March 2026 warning about Russian intelligence phishing campaigns, and the new advisory adds a detail that wasn’t in the original: the operators have shifted their primary objective from stealing verification codes to stealing Signal Backup Recovery Keys.
The March warning covered FSB-linked groups targeting government officials, military personnel, journalists, and Ukrainian officials through fake Signal support messages. The June update gives those groups public tracking names: UNC5792 and UNC4221, both linked to Russian Federal Security Service officers including those embedded with FSB Border Guards and others working on behalf of Russian military services.
“RIS cyber threat actors have compromised individual CMA accounts, but not the CMA’s encryption or the application itself. To date, this activity has been publicly tracked as UNC5792 and UNC4221,” reads the PSA alert published by the FBI. “RIS cyber threat actors continue to masquerade as automated CMA support accounts in updated phishing messages but have evolved their tactics to attempt to elicit victims’ Backup Recovery Keys.”
The earlier version of this campaign asked targets for SMS verification codes or account PINs, or tricked them into clicking doctored group invite links that silently linked an attacker’s device to the account. The new version is more damaging. The phishing message walks the target step by step through enabling Signal backups, navigating to the Recovery Key, and pasting it into the chat. Two sample messages are printed in the advisory: one dressed as a mandatory two-factor rollout announcement, the other as an urgent data recovery warning claiming messages are at risk of permanent loss.
The Recovery Key is what makes this particularly serious.
“RIS cyber threat actors continue to elicit victims’ verification codes and account PINs (see Figure 1). If a targeted user backs up their CMA messages as directed in Figure 1 and later provides their Backup Recovery Key (see Figure 2), RIS cyber threat actors can view the account’s historical messages, private and group messages, and take over the victim’s account,” continues the alert.

A backup recovery key doesn’t just unlock one session. It unlocks the entire message archive, and unlike a stolen code that expires, this key keeps working.
“If a victim inadvertently shares their Backup Recovery Key, that same key remains valid even if they create a new account following the compromise using the same phone number,” continues the report. “Consequently, the actor could potentially use the compromised key to take over the new account in the future as well.”
Making a new account doesn’t help if the old key still works against it. The only fix is generating a new key through Settings, which invalidates the old one for future backup downloads. That doesn’t recover anything the attacker already pulled, and the advisory is clear about that.
The FBI and CISA are unambiguous on one point that tends to get lost in coverage of these incidents: none of this breaks Signal’s encryption or the application itself. The attackers aren’t cracking anything. They’re walking through a legitimate feature with a key the user handed them, which is a completely different problem with a completely different solution.
Alongside the advisory, the State Department’s Rewards for Justice program announced it’s offering up to $10 million for information on UNC5792. The activity overlaps with warnings issued earlier this year by Dutch intelligence, Germany’s BfV and BSI, and France’s ANSSI, and it builds on Google Threat Intelligence Group’s documentation of UNC5792 abusing Signal’s linked-device feature in early 2025. The same tradecraft has since been observed against WhatsApp and Telegram.
For anyone using Signal who works in government, security, journalism, or military-adjacent roles, the advisory’s guidance is direct. Treat any in-app message claiming to be Signal support as hostile: real support doesn’t contact users inside the app to ask for codes, PINs, or Recovery Keys.
Open Settings, check Linked Devices, remove anything unrecognized. If you think you handed over your Recovery Key at any point, generate a new one now and assume anything backed up before that moment is already in someone else’s possession.
The encryption holds. The account is the weak point, and the advisory makes clear that the targeting is deliberate, sustained, and still active.
“To mitigate this risk, the user must generate a new Backup Recovery Key within the Settings control; this action will invalidate the previous key for all future backup downloads. However, please note that this does not prevent the actor from having already downloaded a backup of the original account,” concludes the alert.
Pierluigi Paganini