FBI and CISA warn that Russian hackers are phishing Signal users for backup recovery keys that can unlock message archives.
Key Points:
Russian intelligence-linked hackers are seeking Signal backup recovery keys, not only codes or PINs.
A stolen key can let attackers restore backups, read private and group chats, and keep access tied to the same number.
The campaign abuses social engineering and legitimate features, not Signal’s encryption.
Signal Hackers
The updated advisory, published Jun. 26, says Russian Intelligence Services-linked actors are posing as automated support accounts to push targets into exposing Signal recovery keys.
The notice identifies UNC5792 and UNC4221, names absent from the March warning, and links the activity to Russian intelligence groups, including FSB officers embedded with FSB Border Guards.
The campaign targets people the agencies describe as being of “high intelligence value,” including current and former U.S. and international officials, military personnel, political figures, journalists and officials in Ukraine.
Earlier versions asked targets for verification codes and account PINs, or used fake group invite links to connect an attacker’s device to the account.
The newer version tells users to enable Signal backups, open the recovery key screen and paste the key into the chat.
FBI Warning
The FBI said one sample message was framed as a mandatory two-factor authentication rollout, while another claimed urgent data recovery was needed to prevent message loss.
If a target shares the key, attackers can restore the backup, read private and group message history, and take over the account. The key can remain valid after the victim changes phones or creates a new account using the same number.
Generating a new key in Signal settings invalidates the old one for future backup downloads, but it does not undo any backup already accessed.
The tactic does not defeat Signal encryption or the app itself. It works because victims are persuaded to hand over credentials that protect their backups.
The State Department Rewards for Justice program is offering up to $10 million for information on UNC5792.
Google Threat Intelligence Group documented UNC5792 abusing Signal’s linked-device feature in early 2025, before researchers saw similar tradecraft aimed at WhatsApp and Telegram.
