Key Takeaways
- The FBI and CISA warn that Russian intelligence operators are phishing Signal users to hand over their 64-character backup recovery key, which decrypts an entire message archive.
- Signal will never message you first or ask for your recovery key, PIN, or registration code inside the app — any chat claiming to be 'Signal Support' is fake.
- A stolen recovery key exposes your full backup history, not just future messages, and keeps working even if you create a new account on the same number.
- The fix is fast: generate a new recovery key in Settings, which invalidates the old one for future backup downloads.
- The same credential-phishing playbook hits website owners through fake host, registrar, and DNS 'support' messages — verify every urgent request out of band.
What is the FBI warning about Signal backup recovery keys?
In June 2026 the FBI and CISA updated an earlier advisory to warn that Russian intelligence operators are now phishing Signal users for their backup recovery key — the 64-character code that decrypts a user's entire encrypted message archive. The attackers pose as 'Signal Support', claim your data is about to be lost, and trick you into pasting the key into a chat.
This is a meaningful escalation. Earlier Russian campaigns abused Signal's linked-device QR feature to mirror a target's messages going forward. Stealing the recovery key is worse: it unlocks the backup, so an attacker can download and decrypt your full conversation history, every group and every old thread, not just new messages. The FBI attributes the activity to several groups within Russia's intelligence services, and security researchers report the campaign has focused on journalists, human rights workers, and activists, the people whose archives are most valuable to a hostile state.
Signal's backup encryption itself is not broken. These keys are designed to never leave your device and are never shared with Signal's servers. The attack is pure social engineering — it relies on a human being persuaded to give the key away.
How does the Signal recovery-key phishing attack work?
The campaign is a textbook urgency-and-authority scam delivered inside a trusted app. A message arrives from an account named something like 'Signal Support' warning that your account data faces permanent loss due to a sync issue. It then walks you through specific steps: open Settings, go to Backups, choose Configure, tap View Recovery Key, copy the 64-character string, and paste it back into the chat to 'verify' or 'restore' your account.
It looks legitimate because every instruction is real — those menus exist, and that is exactly where your recovery key lives. The only fraudulent part is the final step. No real Signal process ever asks you to share that key with anyone.
Signal will never contact you first inside the app, and it will never ask for your registration code, PIN, password, or backup recovery key under any circumstances. Treat any in-app message claiming to be 'Signal Support' as malicious.
Once an operator has the key and access to the account, they can restore the backup and read everything in it. Worse, the key keeps working: if you later create a new account on the same phone number, an attacker who still holds the old key can use it against the new backup too. That is why simply reinstalling the app is not a fix — you have to rotate the key.
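The attack flow above has a mechanical signature that survives perfect grammar: an inbound message from a self-declared authority asks you to move a secret toward it, usually under a deadline. The following is an added example, not code from the article, Signal, or the FBI advisory, that encodes exactly that rule as a triage filter over a few constructed messages (the Signal phish, a registrar-style phish, two benign chats, and an outbound draft that contains a pasted key). The 64-character key layout it matches (16 groups of four alphanumerics) is an assumption for the demo, not Signal's published format.

```python
import re
from dataclasses import dataclass, field

# Secrets that should only ever leave the user's hands when the user starts an
# action themselves. An inbound request for any of them is the phishing tell.
SECRET_PATTERNS = {
    "recovery key":      r"\b(?:recovery|backup)\s+key\b",
    "registration code": r"\b(?:registration|verification)\s+code\b",
    "PIN":               r"\bpin\b",
    "2FA code":          r"\b(?:2fa|two[- ]factor|one[- ]time)\b|\botp\b",
    "EPP code":          r"\b(?:epp|auth[- ]?info|transfer)\s+code\b",
    "password":          r"\bpassword\b",
    "API key":           r"\b(?:api|private|secret)\s+key\b",
}
# A mention only becomes a request when paired with a hand-over verb.
HANDOVER = re.compile(r"\b(?:paste|send|share|reply with|enter|type|provide|confirm|give|tell)\b", re.I)
URGENCY = re.compile(
    r"\b(?:immediately|today|within \d+ (?:hours?|minutes?)|permanent(?:ly)?"
    r"|will be (?:deleted|suspended|lost|locked)|expir(?:es|ing|y))\b", re.I)
IMPERSONATION = re.compile(r"\b(?:support|security team|help ?desk|admin(?:istrator)?)\b", re.I)
# Assumed display format for a 64-character recovery key: 16 groups of four
# alphanumerics, optionally separated by spaces or dashes. Demo assumption only.
KEY_LITERAL = re.compile(r"\b(?:[A-Za-z0-9]{4}[ -]?){15}[A-Za-z0-9]{4}\b")


@dataclass
class Verdict:
    block: bool
    reasons: list = field(default_factory=list)


def assess(sender: str, inbound: bool, text: str) -> Verdict:
    """Apply the rule 'secrets never move toward whoever contacted you'."""
    reasons = []
    asked = [name for name, pat in SECRET_PATTERNS.items() if re.search(pat, text, re.I)]
    requested = bool(asked) and bool(HANDOVER.search(text))
    if requested:
        direction = "inbound" if inbound else "outbound"
        reasons.append(f"{direction} message asks for: {', '.join(asked)}")
    leaked = bool(KEY_LITERAL.search(text))
    if leaked:
        reasons.append("a 64-character key is pasted in the message body")
    if IMPERSONATION.search(sender):
        reasons.append(f"sender name claims authority: {sender!r}")
    if URGENCY.search(text):
        reasons.append("manufactured deadline or loss language")
    # Hard rule: any inbound request for a secret is blocked outright, however polished
    # the message is. An outbound message carrying a literal key is blocked too, since
    # that is the moment the user is about to hand it over.
    return Verdict(block=(inbound and requested) or leaked, reasons=reasons)


def triage(samples):
    """Return (sender, blocked) for each (sender, inbound, text) tuple."""
    return [(sender, assess(sender, inbound, text).block) for sender, inbound, text in samples]


# Constructed sample messages for the demo; not real traffic.
SAMPLES = [
    ("Signal Support", True,
     "Due to a sync error your account data will be permanently lost. Open Settings > Backups > "
     "Configure > View Recovery Key and paste the 64-character key here to verify your account."),
    ("Alice", True, "Did you back up your phone before the trip? Mine died last time."),
    ("Domain Registrar Support", True,
     "Your domain expires today. Reply with the EPP transfer code to confirm renewal."),
    ("Bob", True, "I reset my password yesterday and everything works now."),
    ("me", False, "Sure, here it is: " + " ".join(["abcd"] * 16)),
]

if __name__ == "__main__":
    for sender, inbound, text in SAMPLES:
        v = assess(sender, inbound, text)
        print(f"{'BLOCK' if v.block else 'ok   '} {sender!r}: {'; '.join(v.reasons) or 'no signals'}")
```

The benign messages mention "back up" and "password" but are not blocked, because neither pairs a secret with a hand-over verb; the two phishes are blocked on the request alone, and the urgency and impersonation matches are only corroborating reasons. The single-word `pin` pattern is deliberately loose and will occasionally fire on unrelated chat; tighten it if you deploy something like this in a real gateway.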
What should you do if you use Signal?
Protecting yourself takes a few minutes and costs nothing. The single most important action is to rotate your recovery key, because that invalidates any copy an attacker may already hold for future backup downloads.
- Never share your recovery key, PIN, or registration code. No legitimate service will ever ask for them in a chat. This is non-negotiable.
- Generate a new recovery key. In Signal, go to Settings, then Backups, and create a fresh key. Store it where nobody who gets into your phone or your chats can read it: written on paper, or in a reputable password manager, never in a plain note synced to the cloud.
- Enable the Signal PIN and Registration Lock. Registration Lock stops someone from re-registering your number on a new device without your PIN.
- Audit your linked devices. Open Settings, then Linked Devices, and remove anything you do not recognize. Linked-device abuse was the previous wave of this same campaign.
- Verify out of band. If a message claims to be official, confirm through the company's real website or a known contact — never through the link or chat that contacted you.
If you believe you already pasted your key to someone, assume your backup history is compromised: rotate the key immediately, review linked devices, and warn anyone in sensitive conversations with you so they can take their own precautions.
Why this matters for anyone running a website
The Signal attack is the consumer-facing edge of a much larger pattern, and if you operate a website you are squarely in the blast radius. The exact same playbook — a fake 'support' message, a manufactured emergency, a request to reveal a secret — is aimed every day at the credentials that control your hosting, domains, and DNS.
The web-owner versions are easy to recognize once you know the shape of them. Here is how the same trick translates across the assets you manage:
| Secret being targeted | How the phish is framed | What it unlocks |
|---|---|---|
| Signal recovery key | 'Sync error — verify your key or lose data' | Full decrypted message backup |
| Domain registrar login / EPP code | 'Domain expiring today — confirm to renew' | Domain transfer and total brand hijack |
| Hosting control panel password | 'Suspicious login — reset via this link' | Your site, files, and databases |
| DNS provider 2FA code | 'Support needs your code to fix an outage' | Email and traffic redirection |
| SSL / API keys in a 'support' chat | 'Paste your key so we can debug' | Impersonation and data access |
The defense is identical in every row: legitimate providers do not ask you to hand over passwords, one-time codes, recovery keys, or EPP transfer codes through chat or email. Lock down what you can in advance — turn on two-factor authentication everywhere, enable domain transfer lock and registrar lock, and use WHOIS privacy so your contact details are not a ready-made target list. A privacy-forward host like LaunchPad Host bundles WHOIS privacy and registrar locks with its domains precisely because reducing your exposed surface is the cheapest security you will ever buy.
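Two of the controls above (registrar and transfer locks, WHOIS privacy) and one of the phish framings in the table ("domain expiring today") can be checked against the registry's own RDAP record rather than against whatever the message claims. The following is an added example, not code from the article or from any registrar, that audits a domain's RDAP JSON for the EPP lock statuses (the RFC 8056 string forms such as "client transfer prohibited"), for registrant contact fields that are published unredacted, and for how far off the real expiration date is from a claimed deadline. The two RDAP documents and the reference date are constructed for the demo; a real check would fetch the JSON from the registry's RDAP endpoint.

```python
from datetime import datetime, timezone

# EPP status codes in their RDAP string form (RFC 8056). All three are what a
# registrar typically sets when "registrar lock" / "transfer lock" is enabled.
REQUIRED_LOCKS = {"client transfer prohibited", "client delete prohibited", "client update prohibited"}
CONTACT_FIELDS = {"email", "tel", "adr"}


def expiration_date(rdap: dict):
    """Return the domain's expiration event as an aware datetime, or None."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "expiration":
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None


def exposed_contact_fields(rdap: dict) -> set:
    """Registrant jCard properties that are present and not marked as redacted."""
    exposed = set()
    for ent in rdap.get("entities", []):
        if "registrant" not in ent.get("roles", []):
            continue
        for prop in ent.get("vcardArray", ["vcard", []])[1]:   # jCard: [name, params, type, value]
            name, value = prop[0], prop[3]
            if name in CONTACT_FIELDS and "redacted" not in str(value).lower():
                exposed.add(name)
    return exposed


def audit(rdap: dict, now: datetime) -> dict:
    """Summarise lock posture, WHOIS exposure and days to expiry for one domain."""
    missing = sorted(REQUIRED_LOCKS - set(rdap.get("status", [])))
    exposed = sorted(exposed_contact_fields(rdap))
    expiry = expiration_date(rdap)
    days = (expiry - now).days if expiry else None
    findings = []
    if missing:
        findings.append("missing registrar/transfer locks: " + ", ".join(missing))
    if exposed:
        findings.append("registrant contact data published: " + ", ".join(exposed))
    return {"domain": rdap.get("ldhName"), "locked": not missing,
            "exposed_fields": exposed, "days_to_expiry": days, "findings": findings}


def deadline_claim_is_plausible(rdap: dict, now: datetime, claimed_days: int, tolerance: int = 7) -> bool:
    """Compare 'your domain expires in N days' against the registry's own expiration event."""
    days = audit(rdap, now)["days_to_expiry"]
    return days is not None and abs(days - claimed_days) <= tolerance


# Constructed RDAP records for the demo (reserved example names, invented dates).
WEAK = {
    "ldhName": "example.com",
    "status": ["active"],
    "events": [{"eventAction": "expiration", "eventDate": "2027-05-01T00:00:00Z"}],
    "entities": [{"roles": ["registrant"], "vcardArray": ["vcard", [
        ["version", {}, "text", "4.0"],
        ["fn", {}, "text", "Alice Example"],
        ["email", {}, "text", "alice@example.com"],
        ["tel", {"type": "voice"}, "uri", "tel:+1-555-0100"],
    ]]}],
}
HARDENED = {
    "ldhName": "example.net",
    "status": ["client transfer prohibited", "client delete prohibited",
               "client update prohibited", "server transfer prohibited"],
    "events": [{"eventAction": "expiration", "eventDate": "2027-03-15T00:00:00Z"}],
    "entities": [{"roles": ["registrant"], "vcardArray": ["vcard", [
        ["version", {}, "text", "4.0"],
        ["fn", {}, "text", "REDACTED FOR PRIVACY"],
        ["email", {}, "text", "REDACTED FOR PRIVACY"],
    ]]}],
}
NOW = datetime(2026, 6, 15, tzinfo=timezone.utc)   # constructed reference date

if __name__ == "__main__":
    for rec in (WEAK, HARDENED):
        report = audit(rec, NOW)
        print(report["domain"], "locked" if report["locked"] else "UNLOCKED",
              f"expires in {report['days_to_expiry']} days", report["findings"])
        print("  'expires today' claim plausible:", deadline_claim_is_plausible(rec, NOW, 0))
```

For the weak record the audit reports all three locks missing and an email and phone number published, and the "expires today" claim is off by roughly ten months against the registry's own event, which is the out-of-band fact that settles the phish. The hardened record has the locks set and its contact fields redacted, so the only thing an attacker can learn from it is that the domain exists.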
What most security advice gets wrong about phishing
Common guidance fixates on spelling mistakes and suspicious links, which trains you to relax the moment a message looks polished. The Signal campaign defeats that instinct completely: every menu path it cites is genuine, the sender name is plausible, and there is no malicious link to spot — the payload is you, copying a real key out of a real settings screen.
The durable rule is not 'look for bad grammar' but 'secrets never move toward whoever contacted you'. Recovery keys, PINs, 2FA codes, and transfer codes only ever flow out of your control when you deliberately start an action yourself — never in response to an inbound message, no matter how official it feels or how urgent the deadline sounds. Manufactured urgency is the tell that survives even a perfectly written message.
The second blind spot is treating privacy and security as separate concerns. They are the same project. Every piece of personal data you leave public — an email in a WHOIS record, a phone number on a contact page, a reused username — is reconnaissance an attacker uses to make the next phish more convincing. Minimizing what you expose, through privacy-respecting hosting, redacted WHOIS, and disciplined credential hygiene, shrinks the pool of believable lies anyone can tell about you. For people running sites where confidentiality genuinely matters, that combination of privacy by default and hard credential locks is the practical version of the protection Signal users are now scrambling to enable.
Frequently Asked Questions
No. Signal never contacts users proactively inside the app and will never ask for your backup recovery key, PIN, password, or registration code under any circumstances. Any message claiming to be 'Signal Support' that requests these is a phishing attempt and should be ignored and reported.
Assume your backup history is exposed. Immediately generate a new recovery key in Settings under Backups, which invalidates the old one for future backup downloads. Then review and remove unknown linked devices, enable Registration Lock, and warn sensitive contacts so they can take precautions of their own.
No. Rotating the key stops future backup downloads with the old key, but anything an attacker already downloaded and decrypted is out of your control. That is why fast rotation matters: it limits the window. Treat any conversation in a compromised backup as exposed and act accordingly.
The same phishing playbook targets your hosting, domain, and DNS credentials with fake 'support' messages and fake expiry warnings. Enable two-factor authentication, turn on domain registrar and transfer locks, use WHOIS privacy, and never share passwords or one-time codes in response to an inbound message.