Table of Contents
- What is the FBI warning about Signal backup recovery keys?
- How the Signal recovery key phishing attack works
- What to do if your Signal recovery key may be stolen
- Why this matters for your website, hosting, and domain accounts
- Building a recovery-key defense that actually holds
- Frequently Asked Questions
Key Takeaways
- The FBI and CISA say Russian intelligence groups are phishing Signal users to steal their Backup Recovery Key, which unlocks full message history.
- Legitimate Signal support never asks for verification codes inside the app or sends links to 'restore' your account.
- If your key may be exposed, generate a new Backup Recovery Key in Signal settings — a new account on the same number does not invalidate a stolen key.
- The same recovery-key theft pattern hits hosting panels, domain registrars, and email — protect those secrets with the same discipline.
- Defense in depth (phishing-resistant 2FA, offline backup codes, separate recovery email) limits damage when one credential leaks.
What is the FBI warning about Signal backup recovery keys?
The FBI and CISA warn that Russian intelligence hackers are running phishing campaigns to steal Signal users' Backup Recovery Key — the secret that restores an account's encrypted backup. Hand it over once and an attacker can read your full private and group message history and take over the account. The encryption itself is not broken; the human is tricked.
This is an update to a March 2026 advisory. Back then the same Russia-linked groups were hijacking Signal accounts by abusing the app's linked-devices feature. The tactics have evolved: now they go after the recovery key directly, which gives them historical messages rather than just future ones. The threat actors are tracked as UNC5792 and UNC4221 and tied to multiple Russian Intelligence Services, including FSB officers embedded with the FSB Border Guards.
The targets are people of high intelligence value — current and former government officials, military personnel, political figures, journalists, and key officials in Ukraine. But the technique is generic, cheap, and copied fast. Anyone who runs a website, manages client data, or holds accounts worth taking should understand exactly how it works, because the same playbook is already pointed at hosting panels and domain registrars.
How the Signal recovery key phishing attack works
The attack never touches Signal's cryptography. It targets the one secret that sits outside it. Here is the chain the FBI describes.
- The bait. A message arrives that looks like it is from 'Signal support'. It claims Signal is rolling out mandatory two-factor verification after an alleged wave of attacks, and that you must act to keep your account.
- The urgency. The message manufactures pressure — your account will be locked, you must verify now, follow this link. Urgency short-circuits the part of your brain that checks details.
- The ask. The attacker requests your Backup Recovery Key, or walks you through 'verifying' in a way that hands it over. Some variants phish the in-app verification code instead.
- The takeover. With the key, the attacker restores your backup on their own device, reads everything, and controls the account.
The cruel part is the persistence. According to the advisory, creating a new Signal account with the same phone number does not invalidate a stolen key. And generating a new key won't claw back any backup the attacker already downloaded. The damage from a single leaked secret outlives the moment you realize you were phished — which is exactly why this pattern is so dangerous when applied to infrastructure accounts.
The one rule that defeats it
Real Signal support communicates only through official company email addresses. It never requests verification codes inside the app and never sends links asking you to verify or restore your account. Any message that does either of those things is hostile, full stop. That single heuristic neutralizes the entire campaign.
What to do if your Signal recovery key may be stolen
If you suspect you handed over your key — or just want to be safe — move fast and in this order:
- Generate a new Backup Recovery Key in Signal's backup settings. This invalidates the old key for future backup downloads.
- Audit linked devices in Settings and remove anything you do not recognize.
- Turn on the Signal PIN and Registration Lock so your number cannot be re-registered elsewhere without it.
- Assume past messages are exposed. A new key cannot undo a backup already pulled with the old one. Treat anything in that history — passwords, codes, account hints — as compromised and rotate it.
- Report it to the FBI's Internet Crime Complaint Center (IC3), a local FBI field office, or CISA.
That last point about exposed history is the bridge to the real lesson. Most people store more than chit-chat in their messages: a server root password sent 'just this once', a registrar login, a recovery email address. When a message archive leaks, every secret inside it leaks too.
Why this matters for your website, hosting, and domain accounts
Strip away the Signal branding and this is a recovery-credential attack: trick the human into surrendering the one secret that bypasses every other protection. That pattern is not specific to messaging apps. It is one of the most common ways websites, hosting accounts, and domains are taken over.
Think about every 'break glass' secret you hold. Your hosting control panel has a password reset and often backup codes. Your domain registrar holds the keys to your entire web presence — lose that and an attacker can point your site and email wherever they like. Your two-factor app has recovery codes. Each of these is a Backup Recovery Key by another name, and each is phishable in exactly the way the FBI describes.
| Recovery secret | What it unlocks | How to protect it |
|---|---|---|
| Signal Backup Recovery Key | Full encrypted message history | Never share; enable PIN + Registration Lock; rotate if exposed |
| 2FA backup codes | Bypass of your second factor | Store offline (paper or password manager), never paste into chat |
| Hosting panel login + reset email | Files, databases, site backups | Unique password, phishing-resistant 2FA, locked-down recovery email |
| Domain registrar account | DNS, the whole domain, email routing | Registrar lock, 2FA, separate email not tied to the domain |
| SSH / API keys | Direct server and service access | Key files only, passphrase-protected, rotate on any suspicion |
The hosting angle most providers stay quiet about: your recovery email is the master key to everything. If your registrar and host both reset to an inbox hosted on the same domain you are trying to protect, one breach cascades into all of them. Keep recovery contacts on an independent, well-secured account. This is also where a privacy-forward host helps — at LaunchPad Host we keep account recovery off public WHOIS, support strong authentication, and never ask for your password or codes over chat or email, so a 'support' message that does is an instant red flag you can trust.
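The cascade described above can be checked rather than guessed at. The following is an added illustration, not code from the advisory or from any provider: it models each account's password-reset path as an edge in a graph and computes, for one compromised secret, every account the attacker ends up controlling. The two inventories are constructed and hypothetical; the rules (a registrar or mail host can read any inbox on the domain it controls, and an owned inbox resets every account that recovers to it) are the ones the paragraph describes.

```python
"""Map which recovery contact resets which account and compute the blast
radius of one compromised secret.

Added illustration, not code from the advisory or from any provider. The
account inventories below are constructed and hypothetical."""


def email_domain(address):
    """Domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[1].lower()


def blast_radius(accounts, start):
    """Return (sorted) every account an attacker ends up controlling after
    compromising `start`, by applying three rules until nothing changes:

      * owning an account of kind "email" means reading that inbox;
      * owning an account that lists `controls_mail_for` (a registrar that
        holds the domain's DNS, a host that stores its mailboxes) means
        reading or re-routing every inbox on that domain;
      * any account whose recovery_email lands in an owned inbox can be
        reset and is therefore owned too.
    """
    owned = {start}
    while True:
        owned_inboxes = {name.lower() for name in owned
                         if accounts[name]["kind"] == "email"}
        owned_domains = {accounts[name]["controls_mail_for"].lower()
                         for name in owned if accounts[name].get("controls_mail_for")}
        before = len(owned)
        for name, info in accounts.items():
            reset_to = info.get("recovery_email")
            if reset_to and (reset_to.lower() in owned_inboxes
                             or email_domain(reset_to) in owned_domains):
                owned.add(name)   # the attacker receives this account's reset link
            if info["kind"] == "email" and email_domain(name) in owned_domains:
                owned.add(name)   # the attacker can read this mailbox via DNS/MX or the host
        if len(owned) == before:
            return sorted(owned)


def single_points_of_failure(accounts):
    """Accounts whose compromise cascades into every other account."""
    return [name for name in sorted(accounts)
            if len(blast_radius(accounts, name)) == len(accounts)]


# Constructed "before" layout: registrar and host both reset to an inbox on
# the very domain they control.
CASCADING = {
    "registrar": {"kind": "registrar", "controls_mail_for": "example.com",
                  "recovery_email": "admin@example.com"},
    "hosting-panel": {"kind": "hosting", "controls_mail_for": "example.com",
                      "recovery_email": "admin@example.com"},
    "admin@example.com": {"kind": "email", "recovery_email": "postmaster@example.com"},
}

# Constructed "after" layout: resets go to one hardened inbox on an unrelated
# provider that itself has no e-mail reset path (hardware key only).
ISOLATED = {
    "registrar": {"kind": "registrar", "controls_mail_for": "example.com",
                  "recovery_email": "owner@freemail.example"},
    "hosting-panel": {"kind": "hosting", "controls_mail_for": "example.com",
                      "recovery_email": "owner@freemail.example"},
    "admin@example.com": {"kind": "email", "recovery_email": "owner@freemail.example"},
    "owner@freemail.example": {"kind": "email", "recovery_email": None},
}

if __name__ == "__main__":
    for label, inventory in (("cascading", CASCADING), ("isolated", ISOLATED)):
        print(f"{label}: single points of failure = {single_points_of_failure(inventory)}")
        for name in inventory:
            print(f"  compromise {name:24s} -> {blast_radius(inventory, name)}")
```

In the cascading layout every account is a single point of failure: phishing the hosting panel alone hands over the registrar and the mailbox. In the isolated layout a registrar compromise still exposes the on-domain mailbox (DNS control makes that unavoidable) but does not reach the hosting panel, and the only account that unlocks everything is the separate recovery inbox, which is exactly the one to protect with a hardware key and no e-mail reset.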
Building a recovery-key defense that actually holds
The goal is not to never get phished — skilled attackers are convincing. The goal is that when one secret leaks, it does not unlock everything else. That is defense in depth, and it is built from a few unglamorous habits.
Before you act on any 'urgent security' message, stop and ask one question: does the real company actually contact people this way? Legitimate support does not DM you for codes or recovery keys. If the channel is wrong, the message is an attack — no matter how official it looks.
Practical steps that scale from Signal to your servers
- Use phishing-resistant 2FA. Hardware security keys and passkeys sign a challenge that is bound to the site's origin, so a look-alike page cannot forward the response to the real site the way it can forward an SMS or authenticator-app code. Apply them to your registrar and hosting account first.
- Keep backup codes offline. Print them or store them in a dedicated password manager vault. Never send them through chat or email, where a single archive leak exposes them all.
- Separate your recovery email. Use a distinct, hardened account for password resets — not an address hosted on the domain you are protecting.
- Verify out of band. Got a 'support' message? Close it and reach the company through the address or number on their official site.
- Rotate after exposure, and assume reach. When a secret leaks, rotate it and everything it could have touched. As the Signal case shows, a new key does not undo what was already taken.
- Encrypt and isolate your website backups. Store them somewhere separate from production, encrypted at rest, so a panel compromise does not also hand over your archives.
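The first step above, that an origin-bound credential cannot be relayed while a one-time code can, is easiest to see side by side. The block below is an added illustration, not code from the advisory or any vendor. The TOTP function is the real RFC 6238 construction; the "authenticator" is a deliberately simplified stand-in for a FIDO2/WebAuthn security key (an HMAC replaces the public-key signature and the verifier holds the same key), which is enough to show why the relying party's origin check stops a relay. The two origins are hypothetical.

```python
"""Why a one-time code survives a relay but an origin-bound credential does not.

Added illustration, not code from the advisory or any vendor. TOTP below is
the real RFC 6238 construction; the "authenticator" is a deliberately
simplified stand-in for a FIDO2/WebAuthn security key (an HMAC replaces the
public-key signature, and the verifier holds the same key), enough to show
the origin check. Origins are hypothetical."""

import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://panel.example-host.test"            # hypothetical real login page
PHISH_ORIGIN = "https://panel.example-host-support.test"   # hypothetical look-alike


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1. The code is a function of secret and
    time only; nothing in it records where the user typed it."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def relay_otp_attack(secret, unix_time):
    """The look-alike page asks for 'your 6-digit code' and forwards it to
    the real site within the same 30-second window."""
    typed_into_phish_page = totp(secret, unix_time)
    expected_by_real_site = totp(secret, unix_time)
    return hmac.compare_digest(typed_into_phish_page, expected_by_real_site)  # True


class Authenticator:
    """Stand-in for a security key / passkey: it signs the challenge together
    with the origin the browser reports (WebAuthn's clientDataJSON)."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def sign(self, challenge, browser_origin):
        client_data = json.dumps(
            {"challenge": challenge, "origin": browser_origin}, sort_keys=True
        ).encode()
        signature = hmac.new(self.key, client_data, hashlib.sha256).hexdigest()
        return client_data, signature


def verify_assertion(authenticator, challenge, expected_origin, client_data, signature):
    """Relying-party check. A real server would verify a public-key signature
    with the stored credential public key; the origin logic is the same."""
    data = json.loads(client_data)
    if data["origin"] != expected_origin:   # this comparison is what defeats relay phishing
        return False
    if data["challenge"] != challenge:
        return False
    expected = hmac.new(authenticator.key, client_data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def relay_fido_attack(authenticator):
    """Attacker's proxy obtains a real challenge and forwards it to the victim,
    whose browser is on the look-alike origin."""
    challenge = secrets.token_hex(16)
    client_data, signature = authenticator.sign(challenge, PHISH_ORIGIN)
    return verify_assertion(authenticator, challenge, REAL_ORIGIN, client_data, signature)  # False


def legitimate_fido_login(authenticator):
    challenge = secrets.token_hex(16)
    client_data, signature = authenticator.sign(challenge, REAL_ORIGIN)
    return verify_assertion(authenticator, challenge, REAL_ORIGIN, client_data, signature)  # True


if __name__ == "__main__":
    seed = b"12345678901234567890"   # RFC 6238 test secret
    print("OTP relayed by phishing page accepted:", relay_otp_attack(seed, 59))
    key = Authenticator()
    print("assertion relayed by phishing page accepted:", relay_fido_attack(key))
    print("assertion from the real origin accepted:", legitimate_fido_login(key))
```

The point is in the two comparisons: the TOTP check has only the code to look at, so a code harvested on the fake page is indistinguishable from one typed on the real one; the assertion check sees the origin the browser embedded, and the victim's browser was on the look-alike domain, so the server rejects it even though the signature itself is valid.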
None of this is exotic. It is the same discipline the FBI is urging on Signal users, applied to the accounts that actually run your business online. The attackers reuse one technique against many targets; you defend with one set of habits across all of them.
Frequently Asked Questions
Is Signal's encryption broken?
No. Signal's end-to-end encryption is intact. The attack is social engineering: it tricks users into handing over their Backup Recovery Key or in-app verification codes, which lets attackers restore the backup and take over the account without ever defeating the cryptography.
How do I tell real Signal support from a phishing message?
Legitimate Signal support only communicates through official company email addresses. It never requests verification codes inside the app and never sends links asking you to verify or restore your account. Any message that does either is a phishing attempt, regardless of how convincing it looks.
Does creating a new Signal account on the same number invalidate a stolen key?
No. Creating a new account on the same phone number does not invalidate a stolen key. You must generate a new Backup Recovery Key in Signal's backup settings, which blocks future backup downloads. It cannot undo access to a backup the attacker already downloaded, so rotate any secrets that were in your message history.
What does this have to do with my hosting and domain accounts?
It is the same pattern: phish the human for the one recovery secret that bypasses every other protection. Hosting panels, domain registrars, and recovery emails all have equivalents of a Backup Recovery Key. Protect them with phishing-resistant 2FA, offline backup codes, a separate recovery email, and a host that never asks for your credentials over chat or email.