Table of Contents
- What did the FBI warn about Signal backup recovery keys?
- How does the Signal backup recovery key attack work?
- How do you protect your Signal account and rotate your key?
- Why this matters for anyone running a website or business
- The real takeaway: keys and backups are only as safe as how you handle them
- Frequently Asked Questions
Key Takeaways
- The FBI's June 26, 2026 update warns that Russian Intelligence Services are phishing Signal users to steal their Backup Recovery Key, the one secret that decrypts an entire Signal backup.
- Attackers pose as Signal support, push a fake mandatory two-factor rollout, then a fake data-loss warning to trick you into pasting your recovery key into a chat.
- Anyone holding your recovery key can restore your full message history, photos, and files onto their own device, so the key must never be shared with anyone.
- Generating a new recovery key invalidates the old one for future downloads, but it cannot undo a backup that was already pulled, which is why prevention beats cleanup.
- The same key-and-backup discipline protects everything you run online, from hosting accounts to domains, where one phished recovery code can expose your whole footprint.
What did the FBI warn about Signal backup recovery keys?
The FBI's June 26, 2026 advisory warns that Russian Intelligence Services are phishing Signal users to steal their Backup Recovery Key, the single secret that decrypts a Signal backup. Hand it over, and an attacker can restore your entire message history, photos, and files onto a device they control.
This is an update to an advisory first issued in March 2026. The earlier campaign focused on hijacking Signal and WhatsApp accounts by tricking people into linking a rogue device through a malicious QR code. The new twist goes after the backup itself, which means the attacker no longer needs live control of your phone to read everything you have ever sent.
The FBI attributes the activity to Russian Intelligence Services, including FSB-linked operators, tracked under the threat clusters UNC5792 and UNC4221. The named targets are high-value individuals: current and former government officials, military personnel, political figures, journalists, and people inside Ukraine. The technique itself, though, is generic social engineering that scales to anyone, which is exactly why it deserves attention well beyond those circles.
How does the Signal backup recovery key attack work?
There is no Signal vulnerability here. The encryption holds. The attack defeats the human in front of the screen by manufacturing urgency and impersonating a trusted source. It runs in stages.
- Impersonation. A message arrives appearing to come from Signal support, often citing a 'mandatory two-factor verification' supposedly required after a wave of hacking attempts.
- Setup. You are walked through enabling Signal Backup and copying your recovery key from the app's settings, framed as a routine security step.
- The hook. A follow-up message warns of imminent data loss from a 'synchronization issue' and tells you to paste your recovery key into the chat to confirm or rescue your data.
- Theft. The moment you paste the key, the attacker has what they need. They restore your backup on their own device and read the lot.
The deception works because each step looks individually reasonable. Below is how the lure maps to reality.
| What the phishing message says | What is actually true |
|---|---|
| 'Mandatory 2FA rollout, act now' | Signal never demands urgent action through an in-app support chat |
| 'Paste your recovery key to verify' | A recovery key is a private decryption secret, never a verification step |
| 'Your messages will be lost' | Manufactured panic to stop you pausing and checking |
| 'We are official Signal support' | Signal does not run live support inside chats; no legitimate party needs your key |
The single rule that defeats the entire chain: a recovery key is for you to decrypt your own backup. Anyone asking for it, in any wording, is trying to read your data.
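An added example, not from the FBI advisory or from Signal: a message-screening rule in Python that scores an inbound message against the lure stages described above, treating a request for the recovery key as disqualifying on its own. The pattern lists and sample messages are constructed assumptions, not wording from the campaign.

```python
import re

# Each stage of the lure can look innocent in isolation; the score rises with the
# combination, and a request for the secret itself ends the discussion.
# Pattern lists are constructed for illustration, not taken from real lures.
STAGE_PATTERNS = {
    "impersonation": [r"\b(official\s+)?signal\s+(support|team|security)\b"],
    "urgency": [r"\bmandatory\b", r"\bact\s+now\b", r"\bimmediately\b",
                r"\b(will|may)\s+be\s+lost\b", r"\bimminent\b"],
    "pretext": [r"\btwo[- ]factor\b", r"\b2fa\b", r"\bsynchroni[sz]ation\b",
                r"\bhacking\s+attempts?\b"],
    # The ask for the key: the one step no legitimate party ever takes.
    "secret_request": [
        r"\b(paste|send|enter|share|type|confirm)\b[^.!?]{0,60}\b(recovery|backup)\s+key\b",
        r"\b(recovery|backup)\s+key\b[^.!?]{0,40}\b(here|below|in\s+(this|the)\s+chat)\b",
    ],
}


def classify_message(text: str) -> dict:
    """Return the lure stages matched and a verdict: 'ok', 'suspicious' or 'block'."""
    matched = [stage for stage, patterns in STAGE_PATTERNS.items()
               if any(re.search(p, text, re.IGNORECASE) for p in patterns)]
    if "secret_request" in matched:
        verdict = "block"        # asking for the key is disqualifying by itself
    elif len(matched) >= 2:
        verdict = "suspicious"   # impersonation plus urgency/pretext is the setup phase
    else:
        verdict = "ok"
    return {"stages": matched, "verdict": verdict}


# Constructed sample messages: the setup stage, the hook, and a benign mention.
SAMPLES = {
    "setup": ("Hello, this is Signal Support. After a wave of hacking attempts, "
              "mandatory two-factor verification is now required for all accounts."),
    "hook": ("We detected a synchronization issue. Your messages will be lost unless "
             "you paste your recovery key in this chat to confirm your data."),
    "benign": "I finally wrote down my recovery key and put it in the safe. Lunch tomorrow?",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify_message(text))
```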
How do you protect your Signal account and rotate your key?
Defense here is about handling, not software. The encryption already works; your job is to never let the key leave your control. Run through these steps.
- Never paste your recovery key anywhere. Not into a chat, a form, an email, or a 'support' window. There is no legitimate reason to type it outside Signal's own backup-restore flow on your own device.
- Treat urgency as the red flag. Real security processes do not threaten you with instant data loss to force a decision. Pressure is the tell.
- Verify through official channels only. If a message claims to be Signal, confirm through Signal's published help pages, not a link or contact handed to you in the message.
- Rotate a key you think was exposed. In Signal's backup settings, generate a new Backup Recovery Key. This invalidates the old one for future downloads.
- Understand the limit of rotation. A new key does not retroactively protect a backup an attacker already downloaded. If the key was leaked, assume past data is compromised and act on that basis.
- Audit linked devices. Check Signal's linked-devices list and remove anything you do not recognize, which closes the earlier QR-code hijack route too.
Report incidents to the FBI's IC3, a local FBI field office, or CISA. The faster a campaign is documented, the faster the next target gets warned.
Why this matters for anyone running a website or business
Most readers are not FSB targets. The lesson still lands, because the exact same pattern is used to pry open hosting panels, domain registrars, email accounts, and payment dashboards. Swap 'Signal recovery key' for 'hosting login code', 'domain auth code', or 'two-factor backup codes' and the playbook is identical: impersonate support, invent urgency, ask for the one secret that unlocks everything.
If you run a site, your equivalent of a Backup Recovery Key is the bundle of credentials that controls your online presence. A phished registrar code can let someone transfer your domain. A leaked control-panel password plus a captured 2FA backup code can hand over your whole hosting account, including its backups. The damage scales the same way: one secret, total exposure.
Apply the same discipline to your infrastructure
- Use a host that takes account security seriously. Look for enforced two-factor authentication, encrypted off-site backups, and clear, verifiable support channels. A privacy-forward, offshore-friendly provider such as LaunchPad Host is built around exactly this posture: hardened accounts, encrypted backups, and support you reach through known channels rather than unsolicited messages.
- Store domain auth codes and 2FA recovery codes offline. Keep them in a password manager or on paper, never pasted into a chat or 'verification' prompt.
- Separate and lock down recovery email. The mailbox that can reset your hosting and domain logins deserves its own strong password and its own 2FA.
- Keep independent, encrypted backups. If an account is ever seized, a clean backup you alone can decrypt is the difference between a bad afternoon and a lost business.
The real takeaway: keys and backups are only as safe as how you handle them
End-to-end encryption did its job in this campaign. The maths was never broken. What broke was trust, manufactured by an attacker patient enough to walk a victim through handing over the one secret that made the encryption pointless. That is the uncomfortable heart of modern security: the strongest cryptography in the world is undone the instant the key holder is talked into giving it away.
A recovery key, a domain auth code, a 2FA backup code, a hosting password: these are not things to be shared, confirmed, or pasted. They are things to be guarded. Anyone who asks for one is, by definition, the threat.
Build the reflex now, while the stakes are low. Treat every unsolicited 'urgent security' message as hostile until you have verified it through a channel you chose, not one handed to you. Keep your most sensitive secrets offline and unshared. Run your sites on infrastructure that defends accounts and encrypts backups by default. Do that, and the next campaign, whatever it impersonates, hits a wall instead of a victim.
Frequently Asked Questions
It is the encryption key that decrypts your Signal backup. Whoever holds it can restore your full message history, photos, and files onto their own device. That is why the FBI warns never to share it: the key, not your phone, is what unlocks everything, so handing it over exposes your entire conversation history at once.
Generating a new Backup Recovery Key in Signal's settings invalidates the old key for future backup downloads, so do it immediately. But it cannot undo a backup an attacker already downloaded with the old key. If you shared it, assume past data is compromised, rotate the key, audit linked devices, and report the incident to IC3 or CISA.
The same social-engineering pattern targets hosting logins, domain auth codes, and 2FA backup codes. Attackers impersonate support, create false urgency, and ask for the one secret that unlocks everything. Protect your sites by storing recovery codes offline, enabling two-factor authentication, keeping encrypted backups, and using a security-focused host like LaunchPad Host with verifiable support channels.