
FBI warns Russian hackers exploiting Signal backup keys

The FBI and CISA update their warning as Russian intelligence groups coax victims into handing over Signal Backup Recovery Keys, exposing private chats and groups.

On June 26, 2026, the FBI and CISA released advisory PSA I-062626-PSA, adding two tracking names—UNC5792 and UNC4221—to their March warning about Russian intelligence actors phishing Signal accounts. That’s the first time the agencies have explicitly flagged the Signal backup key hack as a new step in the campaign.

Historical Context

The advisory sits on a timeline that began well before the June notice. In early 2025, Google’s Threat Intelligence Group published the first public analysis of the tradecraft that would later become known as the Signal backup key hack. That report highlighted a pattern of actors exploiting linked‑device features across multiple encrypted messaging platforms. A few months later, the FBI issued a March warning that focused on phishing for SMS codes, PINs, and counterfeit group‑invite links. Those early alerts already mentioned “thousands of accounts worldwide” being compromised, an estimate that still holds true as the campaign evolves.

European partners followed suit throughout 2025. Dutch intelligence (AIVD and MIVD), Germany’s BfV and BSI, and France’s ANSSI each released advisories warning about similar phishing attempts. Their documents referenced the same operational signatures—crafted messages that masquerade as official support, use urgent language, and request sensitive credentials. The convergence of these warnings hinted at a coordinated playbook that transcended national borders, and the June 2026 advisory finally tied those threads together with concrete tracking numbers.

Key Takeaways

  • The updated advisory notes that attackers now ask for the Signal Backup Recovery Key, not just SMS codes or PINs.
  • Handing over the key lets the attacker restore the entire backup, read private and group histories, and retain access even after the victim changes numbers.
  • Generating a new recovery key in Settings invalidates the old one for future downloads, but anything already exfiltrated remains compromised.
  • State Department’s Rewards for Justice offers up to $10 million for information on UNC5792.
  • The campaign overlaps with warnings from Dutch, German, and French intelligence agencies, and Google’s Threat Intelligence Group first documented the tradecraft in early 2025.

Signal backup key hack: How Russian actors are stealing backups

What’s striking is that the attackers aren’t breaking Signal’s encryption at all—they’re exploiting the user’s own trust in a legitimate feature. The FBI ties the activity to multiple Russian Intelligence Services (RIS) groups, including FSB officers embedded with the FSB Border Guards and other operatives working for Russian military services. That breadth suggests a coordinated effort rather than a lone hacker group.

The March warning focused on phishing messages that asked for SMS verification codes or account PINs, or that used doctored “group invite” links to silently link an attacker’s device to the victim’s account. Those tactics had already compromised thousands of accounts worldwide, according to the agencies.

What the recovery key does

When a user enables Signal’s backup feature, the app generates a Signal Backup Recovery Key. That key is essentially a master password for the encrypted backup file. If an attacker gets hold of it, they can download the backup from Signal’s cloud storage, decrypt it, and read every private message and group conversation stored in it. Even if the victim later revokes the key or changes their phone number, the key continues to work, letting the attacker reconstitute the account on a fresh device.

Technical Architecture of the Backup Feature

Signal stores encrypted backups on a cloud service that is controlled by the app developer. The recovery key is the only piece of information that can unlock those files; Signal never retains a copy of the key. Because the key is a symmetric secret, anyone who possesses it can decrypt the entire backup without needing additional credentials. The design assumes the user will keep the key offline or in a password manager, treating it as a highly privileged secret.

From a defensive standpoint, the architecture places the onus on the user to protect the key. The app’s built‑in safeguards—such as verification codes sent via SMS—only protect the initial login flow. Once a backup is created, the key becomes the gatekeeper for all historic data. That separation is why the phishing script can bypass the usual two‑factor checks; the attacker sidesteps the login altogether and goes straight to the backup file.

Phishing playbook evolution

The updated phishing script walks the target through turning on Signal backups, opening the Recovery Key, and pasting it into the chat. The advisory prints two sample messages: one pretends to be a mandatory two‑factor rollout, the other claims an urgent “data recovery” fix for messages supposedly at risk of loss. Both messages ask the victim to paste the key directly into a chat, a request that legitimate Signal support never makes.

Because the attackers are using a legitimate feature, they can bypass many of the app’s built‑in safeguards. The FBI stresses that none of this breaks Signal’s encryption or the app itself; the compromise happens at the account level, where the user’s credentials become the weak point.

Who’s being targeted and why it matters

The advisory says the campaign focuses on individuals of high intelligence value: current and former U.S. and international government officials, military personnel, political figures, journalists, and officials in Ukraine. That aligns with the broader pattern of Russian intelligence groups seeking strategic information rather than random consumer data.

  • U.S. and allied government officials
  • Military officers and defense contractors
  • Political leaders and campaign staff
  • Journalists covering security and geopolitics
  • Ukrainian officials and civil‑society actors

When you consider that a single compromised Signal backup can reveal years of private communications, the stakes become crystal clear. An attacker who obtains the key could piece together operational details, diplomatic exchanges, or even personal threats that weren’t meant for public eyes.

Response steps and why they’re blunt

The fix the FBI recommends is blunt but effective: generate a new recovery key in Settings, which invalidates the old one for future backup downloads. That action doesn’t erase any data the attacker may already have, but it stops further exfiltration.
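To make the limits of that fix concrete, here is an added illustration, a constructed toy model rather than Signal’s actual backup format or code: the cloud side stores only ciphertext, the recovery key is a symmetric secret that alone unlocks it, and rotating the key protects new backups while a blob copied before rotation still opens with the old key.

```python
import hashlib
import hmac
import secrets

# Constructed model, not Signal's real backup format: the recovery key is a
# symmetric secret from which an encryption key and a MAC key are derived.
def derive_keys(recovery_key: bytes):
    enc = hmac.new(recovery_key, b"backup-enc", hashlib.sha256).digest()
    mac = hmac.new(recovery_key, b"backup-mac", hashlib.sha256).digest()
    return enc, mac

def keystream(enc: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream built from SHA-256 (toy construction for illustration)
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(enc + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt_backup(recovery_key: bytes, history: bytes) -> bytes:
    enc, mac = derive_keys(recovery_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(history, keystream(enc, nonce, len(history))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # this is all the cloud side ever stores

def decrypt_backup(recovery_key: bytes, blob: bytes):
    # Returns None when the key is wrong: without the key the blob stays opaque.
    enc, mac = derive_keys(recovery_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(enc, nonce, len(ct))))

def rotation_scenario() -> dict:
    # 1. Victim backs up with key A; 2. attacker phishes A and copies the blob;
    # 3. victim generates key B in Settings and uploads a fresh backup.
    key_a = secrets.token_bytes(32)
    history = b"constructed chat history: 'meet at 9', group 'ops-team' ..."
    exfiltrated = encrypt_backup(key_a, history)   # attacker already holds this copy
    key_b = secrets.token_bytes(32)                 # the "generate a new recovery key" step
    fresh = encrypt_backup(key_b, history + b" | new message after rotation")
    return {
        "old_key_reads_exfiltrated_blob": decrypt_backup(key_a, exfiltrated) == history,
        "old_key_reads_new_blob": decrypt_backup(key_a, fresh) is not None,
        "new_key_reads_new_blob": decrypt_backup(key_b, fresh) is not None,
    }
```

Running `rotation_scenario()` shows the first and third results as True and the second as False: rotation stops future downloads from being readable with the phished key, but it cannot claw back the history already taken.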

Immediate actions for any Signal user

  • Treat any in‑app message from “Signal support” as hostile. Real support never asks for codes, PINs, or your Recovery Key inside the app.
  • Never paste your Backup Recovery Key, verification code, or PIN into a chat. Nothing legitimate asks for them that way.
  • Open Settings → Linked Devices and remove any devices you don’t recognize.
  • If you think you handed over your Recovery Key, generate a new one in Settings now and assume any backup made before that is already compromised.

Those steps sound simple, but they require users to adopt a mindset that treats any unsolicited request for credentials as a potential breach. That cultural shift is exactly what the FBI hopes to accelerate.

Broader context and overlapping warnings

The United States isn’t the only nation sounding alarms. Earlier this year, Dutch intelligence (AIVD and MIVD), Germany’s BfV and BSI, and France’s ANSSI all issued advisories about similar phishing campaigns targeting encrypted messaging apps. Google’s Threat Intelligence Group first documented UNC5792 abusing Signal’s linked‑device feature in early 2025, and they saw the same tradecraft turn up against WhatsApp and Telegram.

That convergence suggests a shared playbook among Russian intelligence groups, possibly shared via the same operational cells. The fact that the FBI’s advisory now includes explicit tracking numbers—UNC5792 and UNC4221—helps defenders correlate incidents across borders and platforms.

What This Means For You

If you’re a developer building on Signal’s SDK or integrating encrypted messaging into a product, you need to assume that the backup feature can become an attack vector. That means you should educate users about the dangers of sharing the Recovery Key and consider offering programmatic ways to rotate keys without user friction.

For security teams, the advisory underscores the importance of monitoring for suspicious in‑app messages and enforcing strict device‑management policies. It also raises the question of whether you should disable backup entirely for high‑risk accounts, or at least enforce multi‑factor authentication for any key‑generation operation.

For founders and product owners, the incident presents a design dilemma: preserve the convenience of cloud‑based backups while mitigating the single‑point‑of‑failure risk that the recovery key introduces. You might explore alternative approaches, such as hardware‑bound keys or escrow mechanisms that require dual‑owner approval before a backup can be restored.

For end users, the lesson is clear. Treat any request for the Backup Recovery Key as hostile, even if it appears to come from an official channel. The extra step of generating a new key after a suspected compromise is the only reliable way to cut off future unauthorized restores.

Looking ahead, will Signal’s design evolve to make the recovery key less attractive as a single point of failure, or will attackers keep adapting their social‑engineering tricks to the next feature?

Key Questions Remaining

  • Will Signal introduce a secondary verification step for backup restoration, similar to the way some services require a password plus a device‑specific token?
  • How will intelligence agencies coordinate cross‑border incident response now that tracking numbers are publicly attached to the campaign?
  • What mitigation strategies can organizations adopt without sacrificing the user experience that makes Signal popular in the first place?

Sources: The Hacker News, original report
