PROBABLYPWNED
Threat Intelligence | June 28, 2026 | 3 min read

FBI: Russian Spies Now Steal Signal Backup Keys for Persistent Access

Russian intelligence groups UNC5792 and UNC4221 have evolved their Signal phishing campaign to harvest backup recovery keys, enabling access even after victims change phones.

Alex Kowalski

The FBI and CISA updated their March warning about Russian intelligence phishing Signal accounts. The new twist: operators are now coaxing targets into handing over their Signal Backup Recovery Key, the 64-character code that decrypts a user's Signal backups and, with them, the entire message history. Unlike a verification code, the key does not expire; it stays valid until the user generates a new one.

Once obtained, the key lets attackers restore a target's backup, read private and group message history, and take over the account. The key remains valid even if targets create a new account on the same phone number.

Who's Behind It

The FBI ties the activity to two threat groups:

  • UNC5792: Linked to FSB officers embedded with Border Guards
  • UNC4221: Associated with Russian military intelligence services

Both groups target individuals the FBI describes as having "high intelligence value"—current and former US government officials, military personnel, political figures, journalists, and Ukrainian officials. The March advisory noted thousands of compromised accounts worldwide.

The State Department's Rewards for Justice program is now offering up to $10 million for information on UNC5792.

The Phishing Playbook

The campaign evolved through three distinct phases:

Phase 1: Standard SMS phishing for verification codes and account PINs

Phase 2: Doctored "group invite" links that silently connected attacker-controlled devices to targets' accounts, similar to other device-linking attacks we've covered

Phase 3: Social engineering targets to share their Backup Recovery Key directly

The current playbook walks targets through turning on Signal backups, opening the Recovery Key screen, and pasting the key into the chat. Sample messages disguise the request as a mandatory two-factor rollout or an urgent "data recovery" fix.
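Security teams receiving user-reported "Signal support" messages can triage them for the three lure patterns above. The following scorer is an added example written for this article, not tooling from the FBI advisory or from Signal; the phrase lists, the set of Signal hostnames, the assumed display format of the recovery key (16 groups of four alphanumerics) and the score weights are all assumptions for illustration, and the sample messages are constructed, not real lures.

```python
"""Triage reported chat messages for Signal credential-theft lures (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Credentials the three phases of the campaign solicit (labels are this example's own).
CREDENTIAL_TERMS = {
    "verification_code": re.compile(r"\b(verification|sms|one[- ]time)\s+code\b", re.I),
    "pin": re.compile(r"\b(registration\s+lock\s+)?pin\b", re.I),
    "recovery_key": re.compile(r"\b(backup\s+)?recovery\s+key\b", re.I),
}
SOLICIT = re.compile(r"\b(send|paste|share|reply with|forward|provide|type)\b", re.I)
IMPERSONATION = re.compile(r"\bsignal\s+(support|team|security|staff)\b", re.I)
URGENCY = re.compile(
    r"\b(immediately|urgent|mandatory|within\s+\d+\s+(minutes|hours)"
    r"|will be (deleted|suspended|locked))\b", re.I)
GROUP_INVITE = re.compile(r"\b(group\s+invite|added (you )?to a group|join (the|this|our) group)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)
# Hosts Signal itself uses for links (assumption: extend this set for your environment).
SIGNAL_HOSTS = {"signal.org", "support.signal.org", "signal.group", "signal.me"}
# The recovery key is 64 characters; assumed to be shared as 16 groups of four
# alphanumerics, optionally separated by spaces or dashes.
KEY_LIKE = re.compile(r"(?<![a-z0-9])(?:[a-z0-9]{4}[ -]?){16}(?![a-z0-9])", re.I)


@dataclass
class Finding:
    score: int = 0
    credential: Optional[str] = None   # which credential the message asks for
    leaked_key: bool = False           # message itself carries a key-shaped string
    reasons: list = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def triage(message: str) -> Finding:
    """Score one message; a higher score means a more likely credential lure."""
    f = Finding()
    for name, pattern in CREDENTIAL_TERMS.items():
        if pattern.search(message):
            f.credential = name
            f.add(3, f"mentions a {name.replace('_', ' ')}")
            break
    if f.credential and SOLICIT.search(message):
        f.add(2, "asks for the credential to be sent in chat")
    if IMPERSONATION.search(message):
        f.add(2, "claims to be Signal staff (Signal does not contact users this way)")
    if URGENCY.search(message):
        f.add(1, "applies time pressure")
    hosts = [(urlparse(url).hostname or "").lower().rstrip(".") for url in LINK.findall(message)]
    foreign = [h for h in hosts if h not in SIGNAL_HOSTS]
    for host in foreign:
        f.add(2, f"links to non-Signal host {host}")
    if GROUP_INVITE.search(message) and foreign:
        f.add(2, "group-invite wording with a link that is not a signal.group URL")
    if KEY_LIKE.search(message):
        # A victim pasting the key is the phase 3 outcome; flag it for immediate rotation.
        f.leaked_key = True
        f.add(5, "contains a 64-character string shaped like a recovery key")
    return f


def verdict(message: str) -> str:
    score = triage(message).score
    return "likely lure" if score >= 5 else "suspicious" if score >= 3 else "benign"


# Constructed sample messages, one per phase plus a pasted key and a benign control.
_KEY = "0123456789ABCDEFGHJKMNPQRSTVWXYZ" * 2   # 64 characters, example value only
SAMPLES = {
    "phase1_code": ("Signal Support: we detected a login from a new device. Reply with the "
                    "verification code you just received within 10 minutes or your account "
                    "will be locked."),
    "phase2_invite": ("You've been added to a group by a colleague. Join here: "
                      "https://signa1-invite.example/join"),
    "phase3_key": ("Signal Team: mandatory two-factor rollout. Open Settings > Backups, tap "
                   "Recovery Key and paste the 64-character key here so we can verify "
                   "your account."),
    "victim_reply": "ok here is my recovery key: " + " ".join(_KEY[i:i + 4] for i in range(0, 64, 4)),
    "benign": "Lunch at noon? Group link: https://signal.group/#CjQKIExample",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        f = triage(text)
        print(f"{label:14} {verdict(text):12} score={f.score} {'; '.join(f.reasons)}")
```

The regexes only catch wording; the stronger signals are structural: the message claims to be Signal staff at all, it contains a link outside Signal's own hosts, or it contains a key-shaped string, which means the credential has already left the device and must be regenerated rather than merely reported.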

Why Backup Keys Are Valuable

Signal's encryption is strong—strong enough that attacking the protocol directly isn't practical. So Russian operators target the humans instead.

The Backup Recovery Key is particularly valuable because:

  • It survives phone changes—attackers maintain access indefinitely
  • It unlocks complete message history, not just new messages
  • It's a single static credential, unlike rotating 2FA codes
  • Victims rarely know to regenerate it after compromise

This persistence makes it far more dangerous than previous linked-device attacks, which victims could discover by checking their linked device list.

Defensive Measures

Treat in-app "Signal support" messages as hostile. Signal staff don't contact users through the app to request credentials.

Never share recovery keys, verification codes, or PINs via chat—regardless of the claimed urgency or authority.

Review Settings → Linked Devices regularly for unauthorized access.

Generate a new recovery key immediately if you suspect compromise. Old keys are invalidated when you create new ones.

For high-risk individuals (journalists, activists, government officials), enable Signal's Registration Lock so the PIN is required to re-register the phone number, and weigh whether the convenience of backups is worth holding a single static key that unlocks the full history: a backup that was never created cannot be restored with a stolen key.

The Bigger Picture

This campaign demonstrates how nation-state actors adapt when technical attacks fail. Signal's encryption held, so the operators pivoted to social engineering.

The technique shares DNA with other social engineering campaigns we track—the key innovation is targeting a credential that provides indefinite, survivable access rather than one-time entry.

Organizations protecting high-value individuals should update their security awareness training to cover backup key theft. The FBI's updated advisory (PSA I-062626-PSA) provides additional indicators for security teams.
