The FBI and CISA are warning that Russian intelligence-linked hackers have shifted part of their encrypted-messaging phishing campaign toward a deceptively simple target: Signal backup recovery keys.
In a June 26 public service announcement, the agencies said Russian Intelligence Services actors are continuing to target commercial messaging apps used by current and former U.S. and international government officials, military personnel, political figures, journalists, and people in Ukraine. The advisory names two publicly tracked clusters, UNC5792 and UNC4221, and says the attackers have compromised individual messaging accounts without breaking the apps’ encryption or the applications themselves.
The newer tactic is aimed at account recovery. Instead of only asking targets for verification codes or account PINs, the attackers are impersonating automated support accounts and trying to persuade victims to enable backups, reveal recovery keys, or hand over information that can keep an account takeover useful even after the victim tries to recover.

Why the recovery key matters
Signal Secure Backups are designed so that Signal cannot read a user’s backed-up messages. Signal’s own support documentation says the optional backup archive is end-to-end encrypted and protected by a cryptographically secure 64-character recovery key that is not shared with the Signal service.
That design is good for privacy, but it also makes the key extremely valuable. A recovery key is not a routine support code. It is the credential that unlocks a backup archive during restoration. Signal cannot reset it for a user, and anyone who obtains it may be able to use it against the backup data tied to that account flow.
The FBI and CISA said the latest phishing messages push victims through instructions that appear to come from Signal support or security. The lure tells users their account data is at risk, directs them to the backup settings, and asks them to paste the recovery key into the chat. Another sample asks the target to provide account-recovery information under the pretext of preventing message loss.
The important point for readers is narrow but serious: this is not a claim that Signal’s encryption has failed. It is a warning that attackers are trying to make the user export the secret needed to unlock protected data.
What attackers get if a victim shares it
According to the FBI and CISA, if a targeted user backs up messages and then provides the recovery key, the actors can view historical messages, private and group messages, and take over the victim’s account. The advisory also warns that a compromised key can remain valid even if the victim creates a new account using the same phone number.
That persistence changes the cleanup problem. Reinstalling the app or starting fresh may not be enough if the same recovery key remains usable for future backup downloads. The agencies say the user must generate a new Backup Recovery Key in settings to invalidate the previous key for future backup access. That does not undo any backup data an attacker already downloaded, but it closes off continued use of the old key.
For high-risk users, the campaign also shows how encrypted apps can be attacked around the edges. End-to-end encryption protects message contents in transit and at rest under normal app control. It does not stop a successful social-engineering attack that persuades a user to reveal recovery material, link an attacker-controlled device, or approve an account-reset flow.
Who should treat this as urgent
The advisory is aimed especially at people of intelligence value: officials, military personnel, political figures, journalists, and people connected to Ukraine. But the guidance is useful beyond that group because the same technique can be copied by criminals, stalkers, doxxing crews, or financially motivated account-takeover groups.
Anyone who receives an in-app message claiming to be Signal support should treat it as hostile. Signal’s own safety guidance says users should never share SMS verification codes, recovery keys, passwords, or payment information. It also says Signal will never contact users in-app and that support or security bots do not exist.
That is the clearest rule to remember. If a chat, pop-up, or message request asks for a code, PIN, recovery key, QR scan, payment detail, or backup secret, it should not be trusted because it uses security language.
What to check now
Signal users who think they may have been targeted should start with linked devices. Open Signal on the phone, review the linked-device list, and remove anything unrecognized. When in doubt, remove every linked device and relink only the computers or tablets the user personally controls.
Users who shared a recovery key should generate a new one in Signal’s backup settings. That action invalidates the previous key for future backup downloads. They should then store the new key in a password manager or another secure place that is not part of the same messaging conversation.
Users should also keep the app and device operating system updated, enable Signal’s two-step verification and registration lock, be cautious with new message requests, and verify sensitive contacts through a separate channel. For journalists, public officials, activists, and other high-risk users, those checks should be part of a recurring security routine, not only a response after an obvious phishing attempt.
How organizations should respond
Newsrooms, campaigns, NGOs, government offices, and companies that allow staff to use encrypted consumer messaging for sensitive work should turn this advisory into a short internal checklist. The checklist should explain that support accounts cannot ask for recovery keys, that backup keys are treated like passwords, and that any suspected compromise should be reported quickly instead of handled quietly by the individual user.
Organizations should also separate three different risks that often get collapsed into one discussion. A linked-device attack can give an intruder ongoing access to live chats. A verification-code or PIN phish can support account takeover. A backup-recovery-key phish can expose historical messages and may outlast a simple account reset unless the key is replaced.
That distinction matters because the response steps differ. Removing linked devices, regenerating recovery keys, rotating account protections, preserving evidence, and notifying affected contacts may all be needed depending on what the victim shared.
The bottom line
The practical lesson from the FBI and CISA update is that encrypted messaging security now depends heavily on recovery flows, not just cryptography. Signal’s backup design keeps Signal from reading a user’s archive, but that privacy property also means the recovery key is powerful enough to become a phishing target.
For most people, the fix is simple: never paste a Signal recovery key, verification code, or PIN into a chat, and do not treat an urgent support message as proof that it is real. For high-risk users, the safer baseline is stricter: audit linked devices, know where the recovery key is stored, regenerate it after any exposure, and make account-recovery checks part of normal operational security.