A recent joint warning from the FBI and CISA reveals an alarming evolution in a phishing campaign targeting Signal users linked to Russian intelligence services. The threat now involves stealing Signal Backup Recovery Keys, enabling cyber attackers to gain access to users’ historical messages.
The updated public service announcement serves as a follow-up to a previous advisory issued in March 2026, which highlighted how threat actors were focusing on users of various commercial messaging applications, particularly Signal. The phishing campaigns were designed to compromise accounts rather than attempt to break the end-to-end encryption.
The FBI’s latest PSA, published today, cautions that “RIS cyber threat actors continue to pose as automated CMA support accounts in updated phishing messages but have adapted their strategies to extract victims’ Backup Recovery Keys.”
According to the FBI, the ongoing campaign specifically targets individuals of high intelligence value, including current and former government officials from the US and other countries, military personnel, political figures, journalists, and key personnel in Ukraine.
Both agencies attribute these malicious activities to Russian Intelligence Services (RIS), which include operatives embedded within Russia’s Federal Security Service (FSB) Border Guards and other entities operating on behalf of the Russian military. The campaign is publicly identified as UNC5792 and UNC4221.
While the initial advisory primarily focused on phishing messages aimed at stealing verification codes or account PINs, or tricking users into connecting attacker-controlled devices to their Signal accounts, the latest alert reveals a more sophisticated approach.
The FBI notes that the threat actors are still impersonating Signal support teams, sending phishing messages that falsely claim Signal is implementing mandatory two-factor verification in response to alleged attacks by hackers from Iran and post-Soviet countries.
The phishing message states, “Recently, attempts to hack users of our messenger with the connection of third-party devices to the account have become more frequent.” It goes on to mention an investigation conducted in collaboration with the US government and European partners, revealing that the attacks were carried out by hackers from Iran and post-Soviet countries.
The attackers urge users to set up Signal Backup to safeguard their messages and media. However, falling for this tactic could lead to the exposure of sensitive data.
Once a user follows the provided instructions, their Signal messages are backed up using Signal’s Secure Backups feature, which securely stores encrypted copies of conversations on Signal’s cloud servers. The recovery key generated during this process should never be shared, as it can be exploited by malicious actors to access the backed-up data on their own devices.
Subsequently, the threat actors send a follow-up phishing message, still posing as Signal support, warning users of a potential data loss risk due to a synchronization issue. This deceptive tactic aims to trick users into revealing their recovery key, granting the attackers access to historical messages.
The updated advisory also highlights a recovery scenario that users may overlook after their accounts have been compromised. If an attacker obtains a user’s Backup Recovery Key, creating a new Signal account using the same phone number does not invalidate the stolen key. Users must generate a new key through Signal’s backup settings to render the compromised key obsolete for future backups.
Even after a user generates a new recovery key, attackers who have already downloaded backups using the compromised key may still access that data. The advisory stresses the importance of vigilance and adherence to security best practices.
Legitimate messaging application support teams communicate solely through official company email addresses and never solicit verification codes within the application or send links requesting account verification or restoration. Users who suspect they have been targeted by such campaigns are urged to report the incident to the FBI’s Internet Crime Complaint Center (IC3), a local FBI field office, or CISA.
