Threat Research · June 28, 2026 · 3 min read

Russian Hackers Pivot to Steal Signal Backup Keys in Phishing Blitz

Russian state-linked hackers are ramping up phishing attacks to steal Signal Backup Recovery Keys, threatening the privacy of high-profile users despite end-to-end encryption.

Marco Sala, Security News Editor

Russian Intelligence Shifts Signal Phishing Tactics

Russian hackers, linked to state intelligence agencies, are escalating their efforts to breach encrypted messaging platforms. According to a recent FBI and CISA warning, threat actors aligned with Russian Intelligence Services (RIS) are now specifically targeting the Signal Backup Recovery Keys — a critical piece that unlocks access to archived conversations stored in Signal’s Secure Backups.

What’s new? The attackers have updated their phishing methods. No longer just seeking account verification codes or PINs to hijack Signal accounts, they’re now attempting to trick users into handing over their backup recovery keys. With these keys in hand, attackers can restore and decrypt backed-up Signal messages on their own devices, bypassing the need to defeat Signal's end-to-end encryption directly.

Who’s in the Crosshairs?

This campaign isn’t a scattershot effort. RIS-backed groups are deliberately going after individuals considered high-value: current and former government officials (both U.S. and abroad), military personnel, politicians, journalists, and key Ukrainian contacts. The FBI notes that actors involved include operatives from Russia's Federal Security Service (FSB) Border Guards and military-aligned individuals. The ongoing activity is tracked by incident response teams as UNC5792 and UNC4221.

Anatomy of the Phishing Lure

The latest wave of phishing attacks relies on social engineering and impersonation. Attackers pose as automated support accounts from Signal, sending plausible-sounding messages to targets. The initial message warns of a surge in hacking attempts (purportedly from Iran and post-Soviet states), claiming Signal will soon enforce mandatory two-factor verification in response. To avoid losing access, users are instructed to create and copy their Signal backup recovery key.

The second message follows, again feigning urgency. This time, the target is told their message data is at risk due to a synchronization error and asked to paste their recovery key into the chat to "prevent the loss" of their stored data. If the victim complies, attackers immediately gain the means to download and decrypt the victim's complete message backup, including private conversations and group chats.

Never share your Signal backup recovery key

Possession of this key means full access to your message history. There is no recourse once it’s given to an attacker.

The Real-World Impact for Defenders

While Signal’s end-to-end encryption remains robust, these attacks highlight that the greatest risk often lies in users and backup processes, not in cryptography itself. Anyone who loses control of their Signal backup recovery key faces a total compromise of their message archive, even if their main account is later re-secured.

The technical nuance here is critical: if an attacker gets hold of the backup key, creating a new Signal account with the same phone number will not revoke the attacker’s access to downloaded backups. Only generating a new backup recovery key inside Signal revokes the old one, and even that merely prevents future downloads — any backup already retrieved remains at the attacker's disposal.
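The revocation point above is easy to get wrong in an incident write-up, so here is a small simulation of it. This is an added illustration, not Signal's protocol or code: it assumes a backup service that indexes each encrypted backup by a fingerprint of the recovery key and hands the blob to whoever presents that key, and it uses a toy HMAC-based stream cipher in place of a real AEAD purely to keep the model self-contained. The function and class names (`BackupService`, `simulate_leak`, and so on) are invented for the example.

```python
"""
Simplified model of key-based backup recovery (added illustration, not Signal's
actual protocol). It shows why rotating a backup recovery key stops *future*
downloads but cannot protect a backup an attacker has already retrieved.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional


def generate_recovery_key() -> str:
    """Constructed stand-in for a user-visible recovery key (64 hex chars)."""
    return secrets.token_hex(32)


def derive_backup_key(recovery_key: str) -> bytes:
    """Assumed: the encryption key is derived from the recovery key alone."""
    return hashlib.sha256(b"backup-key:" + recovery_key.encode()).digest()


def backup_id(recovery_key: str) -> str:
    """Assumed: the service indexes backups by a fingerprint of the key."""
    return hashlib.sha256(b"backup-id:" + recovery_key.encode()).hexdigest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-SHA256 counter-mode keystream; illustration only, not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_backup(recovery_key: str, plaintext: bytes) -> bytes:
    """Encrypt a backup under the key derived from the recovery key."""
    nonce = os.urandom(16)
    ks = _keystream(derive_backup_key(recovery_key), nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt_backup(recovery_key: str, blob: bytes) -> bytes:
    """Decrypt a backup blob; works for anyone holding the matching recovery key."""
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(derive_backup_key(recovery_key), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


class BackupService:
    """Minimal model of a storage service that returns a blob to whoever
    presents the matching recovery key (assumed behaviour, not Signal's)."""

    def __init__(self) -> None:
        self._blobs: dict[str, bytes] = {}

    def upload(self, recovery_key: str, messages: bytes) -> None:
        self._blobs[backup_id(recovery_key)] = encrypt_backup(recovery_key, messages)

    def download(self, recovery_key: str) -> Optional[bytes]:
        return self._blobs.get(backup_id(recovery_key))

    def rotate(self, old_key: str, messages: bytes) -> str:
        """Generate a new key and re-store the backup under it; the old id is dropped."""
        new_key = generate_recovery_key()
        self._blobs.pop(backup_id(old_key), None)
        self.upload(new_key, messages)
        return new_key


def simulate_leak() -> dict:
    """Walk through the scenario in the article: key handed over, backup
    downloaded, then the victim re-registers and finally rotates the key."""
    messages = b"constructed sample: private chat history"  # constructed sample data
    svc = BackupService()
    victim_key = generate_recovery_key()
    svc.upload(victim_key, messages)

    # The key is pasted into the phishing chat; the blob is fetched with it.
    leaked_blob = svc.download(victim_key)
    read_before_rotation = decrypt_backup(victim_key, leaked_blob) == messages

    # Re-registering the account touches neither the key nor the stored blob,
    # so the old key still fetches the backup.
    old_key_after_reregister = svc.download(victim_key) is not None

    # Rotating the key stops new downloads with the old key...
    new_key = svc.rotate(victim_key, messages)
    old_key_after_rotation = svc.download(victim_key) is not None

    # ...but the copy already retrieved still decrypts with the old key.
    exfiltrated_still_readable = decrypt_backup(victim_key, leaked_blob) == messages

    return {
        "read_before_rotation": read_before_rotation,
        "old_key_works_after_reregister": old_key_after_reregister,
        "old_key_works_after_rotation": old_key_after_rotation,
        "exfiltrated_copy_still_readable": exfiltrated_still_readable,
        "new_key_fetches_backup": svc.download(new_key) is not None,
    }
```

Running `simulate_leak()` shows the three outcomes the article describes: the old key keeps working after re-registration, stops working for fresh downloads after rotation, and an already-exfiltrated blob stays readable regardless. The practical consequence for responders is that rotation limits further exposure but never undoes the disclosure of whatever was already backed up.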

Staying Out of the Trap

FBI and CISA stress that legitimate messaging app support teams will never request verification codes or recovery keys inside the app, nor will they send unsolicited links or ask for sensitive information via chat. Official communication only comes from corporate email addresses.

Anyone who suspects they’ve been targeted or may have handed over their recovery key should report it promptly to the FBI’s Internet Crime Complaint Center (IC3), a local FBI office, or CISA.

Signal users — especially those in high-risk professions or government — should review their backup settings, ensure new recovery keys are generated if there’s any doubt, and maintain healthy skepticism toward support requests received via messaging platforms.


This article is original CyberSecFlux reporting based on news first reported by BleepingComputer.

Written by

Marco Sala

Security News Editor

Tracks the cybersecurity news cycle and distils the day's breaches, patches and research for the CyberSecFlux desk.