Table of Contents
- What did the FBI warn about Signal backup recovery keys?
- How the recovery-key phishing attack actually works
- Which Signal secrets are safe to share — and which are never
- Why this matters if you run a website or own domains
- How to protect your Signal account and your hosting credentials
- Frequently Asked Questions
Key Takeaways
- The FBI and CISA updated their advisory (IC3 PSA260626) to warn that Russian intelligence operators are now phishing Signal's 64-character backup recovery key, not just SMS codes or PINs.
- Hand over that one key and an attacker can restore your entire backup, read your full message history, and take over the account.
- The stolen key keeps working — even if you delete the account and re-register the same phone number, the old key can still hijack the new account.
- The fix is fast: generate a new recovery key in Signal Settings, which kills the old one for future backup downloads.
- The same 'paste your recovery code here' playbook is used against hosting panels, domain registrars, and 2FA backup codes — treat every recovery secret as a crown-jewel credential.
What did the FBI warn about Signal backup recovery keys?
In a June 2026 advisory (IC3 PSA260626), the FBI and CISA warned that Russian Intelligence Services have expanded their long-running Signal phishing campaign to steal the app's 64-character backup recovery key. With that single key, an attacker can restore your encrypted backup, read your entire message history, and take over the account. The agencies tie the activity to tracked groups including UNC5792 and UNC4221.
This is an escalation, not a brand-new attack. Earlier waves chased SMS verification codes, account PINs, and malicious 'group invite' links that silently linked an attacker's device to a victim's account. Signal's secure cloud backups added a new prize: one recovery key that unlocks everything at once. Reported targets so far skew toward journalists, human rights workers, and activists, with roughly 13,500 accounts caught in the wider campaign — but the technique works against anyone who can be talked into pasting a code.
How the recovery-key phishing attack actually works
The attack is pure social engineering. There is no exploit, no malware, no zero-day. The operators impersonate Signal Support and manufacture urgency — usually a fake 'sync failure' or 'account verification' problem — then walk the target step by step into handing over the keys to their own archive.
The updated playbook looks like this:
- Contact under a trusted name. A message arrives appearing to come from Signal Support or a known contact, claiming your backups failed to sync and must be re-verified.
- Guided setup. The 'support agent' helpfully walks you through enabling Signal backups and opening your Recovery Key screen.
- The ask. You're told to copy the 64-character recovery key and paste it into the chat to 'confirm' or 'restore' your account.
- Full compromise. The moment you send it, the attacker restores your backup on their own device, reads your full private and group history, and can take over the account.
Signal Support will never ask you to read out, type, or paste your recovery key, PIN, or any verification code into a chat. Any message that does is an attack — full stop.
The nastiest detail is persistence. According to the advisory, the stolen key keeps working even after the fact. Delete the account and re-register the same phone number, and the old recovery key can still be used to hijack the new account. That is why simply 'starting over' does not save you.
Which Signal secrets are safe to share — and which are never
Confusion about what's normal is exactly what these operators exploit. Some codes you'll legitimately type into the app yourself; none of them are ever pasted into a conversation or read to a person. Use this as a quick reference.
| Secret | What it does | Safe to share? |
|---|---|---|
| Backup recovery key (64 chars) | Decrypts and restores your entire backup | Never. Store it offline only. |
| SMS verification code | Registers your number to a device | Never share — a request means takeover |
| Registration PIN | Protects re-registration of your number | Never type into a chat |
| 'Group invite' / linked-device QR | Can silently link an attacker's device | Only scan links you generated yourself |
| Your username / phone number | How people find you | Yes, this is meant to be shared |
The rule that covers every row: anything that restores, verifies, or links your account belongs to you alone and is entered only inside Signal's own settings — never in a message, never on a phone call, never on a web form a stranger sent you.
Why this matters if you run a website or own domains
You might not be a journalist or an activist, but if you operate a website, manage client sites, or own valuable domains, you are sitting on exactly the kind of recovery secrets these crews want — and they reuse this script far beyond Signal.
The identical pattern shows up against:
- Hosting control panels — fake 'your server is suspended, verify now' messages that harvest panel logins and 2FA codes.
- Domain registrars — 'urgent renewal' or 'transfer authorization' phishing aimed at stealing your EPP/auth code so a domain can be moved out from under you.
- 2FA and backup codes — the printed recovery codes you saved when enabling two-factor are the offline equivalent of Signal's recovery key. One screenshot in the wrong inbox undoes the whole protection.
A domain or hosting takeover is often more damaging than a single messaging account: lose control of your domain's DNS and an attacker can redirect your traffic, intercept email, and impersonate your brand. This is why it matters where your infrastructure lives and who you can actually reach when something goes wrong. A privacy-forward, offshore host like LaunchPad Host emphasises strong account protections, registrar-level domain locks, and direct human support — so a 'verify your account or lose it' scare message is easy to ignore, because you know exactly how your provider really contacts you.
It's also worth remembering that attackers research before they strike. Public WHOIS records, leaked support tickets, and old breach data give them the details that make a phishing message convincing — your registrar's name, your renewal date, your hosting plan. WHOIS privacy on your domains and a host that doesn't leak account details by email both shrink the surface a phisher can work with. The less an attacker can quote back to you accurately, the harder it is for them to sound like the real thing.
How to protect your Signal account and your hosting credentials
Defence here is mostly discipline, not technology. The whole campaign collapses if the target never pastes a secret. Lock these habits in.
- If you may have shared your recovery key, rotate it now. In Signal, generate a new backup recovery key in Settings — this invalidates the old key for future backup downloads. Accept that anything already pulled is gone, and change it anyway to stop further access.
- Treat every 'support' message as hostile by default. Real providers do not DM you asking for codes. Verify through the official app or website you navigated to yourself, never a link someone sent.
- Audit your linked devices. In Signal, open Settings and review Linked Devices regularly; remove anything you don't recognise. The same goes for active sessions on your hosting panel and registrar.
- Store recovery codes offline. Keep Signal's recovery key, 2FA backup codes, and domain EPP codes in a password manager or on paper — never in email, chat, or a cloud note an attacker could phish.
- Lock your domains and enable registrar 2FA. Turn on registrar lock (clientTransferProhibited) and two-factor on both your host and registrar accounts so a single stolen password isn't enough.
- Slow down on urgency. 'Act now or lose access' is the common thread in every version of this attack. A 60-second pause to verify defeats almost all of it.
The takeaway is simple and it scales from a chat app to a server fleet: recovery keys exist so that you can get back in — the instant anyone else asks for one, that's the attack.
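The registrar-lock step above is the one that can be checked from the outside. The following added example (not from the article or from LaunchPad Host) parses the `Domain Status:` lines of a WHOIS response and reports which locks are missing; it goes slightly beyond the text by also checking the companion update/delete locks and by accepting the registry-side `server*Prohibited` flags as equivalent. The sample responses are constructed, not real domain records.

```python
"""Report registrar locks missing from a domain's WHOIS status flags."""
import re

# EPP status codes a registrar lock should set. clientTransferProhibited is
# the one the article names; the other two are its update/delete companions.
REQUIRED_LOCKS = (
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
)

# A registry-side lock covers the same risk as the client-side one, so a
# domain carrying serverTransferProhibited counts as transfer-locked.
SERVER_EQUIVALENT = {
    "clientTransferProhibited": "serverTransferProhibited",
    "clientUpdateProhibited": "serverUpdateProhibited",
    "clientDeleteProhibited": "serverDeleteProhibited",
}

# Matches lines such as "Domain Status: clientTransferProhibited https://icann.org/epp#..."
STATUS_LINE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.IGNORECASE | re.MULTILINE)


def parse_statuses(whois_text: str) -> set[str]:
    """Return the set of EPP status codes found in a WHOIS response."""
    return set(STATUS_LINE.findall(whois_text))


def missing_locks(whois_text: str) -> list[str]:
    """List the required locks that neither the registrar nor the registry applied."""
    present = parse_statuses(whois_text)
    return [lock for lock in REQUIRED_LOCKS
            if lock not in present and SERVER_EQUIVALENT[lock] not in present]


# Constructed sample WHOIS responses (placeholder domains, not real records).
LOCKED = """Domain Name: EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
"""

UNLOCKED = """Domain Name: EXAMPLE.NET
Domain Status: ok https://icann.org/epp#ok
"""

if __name__ == "__main__":
    for text in (LOCKED, UNLOCKED):
        print(missing_locks(text) or "all locks present")
```

Pipe real `whois yourdomain.tld` output into `missing_locks()` to audit the domains you own.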
Frequently Asked Questions
No. Signal Support will never ask you to read, type, or paste your 64-character recovery key, PIN, or any verification code into a chat, call, or web form. Those secrets are only ever entered inside Signal's own settings screens. Any message requesting one is a phishing attempt and should be ignored and reported.
Immediately generate a new backup recovery key in Signal Settings, which invalidates the old key for future backup downloads. Review and remove unrecognised linked devices, and assume anything already copied has been seen. Because the old key can persist across re-registration of the same number, rotating the key is more reliable than just deleting and recreating the account.
No. Signal's end-to-end encryption is intact. This is social engineering — tricking the user into voluntarily handing over the key that decrypts their own backup. No exploit or malware is involved, which is exactly why awareness, not a software patch, is the defence.
The same 'verify your account, paste this code' playbook is used against hosting control panels, domain registrars, and 2FA backup codes. Treat every recovery secret as a crown-jewel credential, enable two-factor and registrar lock on your domains, store recovery codes offline, and confirm any 'urgent' provider message through official channels you reach yourself.