FBI says Russian intelligence hackers have a new trick for reading your Signal messages, and it works even after you change phones
At a glance:

- Russian intelligence hackers are phishing Signal users for backup recovery keys, granting persistent access to message history even after a phone change.
- The campaign targets high‑value individuals—including government officials, military personnel, journalists, and Ukrainian officials—and also affects WhatsApp and Telegram.
- The FBI offers a $10 million reward for information on UNC5792, the group linked to this activity, and warns that Signal's end‑to‑end encryption remains secure.

## What happened

The FBI and CISA issued PSA I‑062626‑PSA on Thursday, warning that Russian‑linked actors are now harvesting Signal backup recovery keys through a phishing campaign. Previously, attackers used SMS verification codes or fake group invites; the new wave tricks victims into enabling backups and copying the recovery key displayed on screen. Handing over the key once lets attackers restore backups, read all private and group messages, and keep access even if the victim switches phones.

The advisory notes that the compromised key remains functional for future backups, and the only remediation is to generate a new key in Signal's settings, which invalidates the old one. The FBI ties the operation to UNC5792 and UNC4221, two tracking names not present in the March alert. The campaign is attributed to multiple Russian Intelligence Services groups, including FSB officers embedded with the FSB Border Guards and elements of the Russian military.

## Who is targeted

The attackers focus on individuals of “high intelligence value.” The list includes:

- Current and former US and international government officials
- Military personnel
- Political figures
- Journalists
- Officials in Ukraine

Beyond these high‑profile targets, the broader phishing effort has already compromised thousands of accounts worldwide, affecting ordinary Signal users as well.

## How the attack works

The phishing messages masquerade as Signal support. One sample pretends to be a mandatory two‑factor authentication rollout; another claims an urgent “data recovery” fix for supposedly lost messages. Both social‑engineering tactics exploit trust in the platform's own interface rather than breaking encryption.

Signal does not contact users inside the app to request credentials, so any such request should be treated as hostile. The FBI published the two sample texts to help users recognize the manipulation. By walking victims through enabling backups and copying the recovery key, attackers gain a legitimate foothold in the account without touching the app's cryptography.

## Why it matters

The advisory overlaps with earlier warnings from Dutch AIVD and MIVD, Germany's BfV and BSI, and France's ANSSI, highlighting a coordinated intelligence‑gathering effort across NATO allies. The State Department's Rewards for Justice program is offering up to $10 million for information on UNC5792, underscoring the severity of the threat.

The campaign illustrates that end‑to‑end encryption protects data in transit, but cannot stop attackers who persuade users to hand over recovery keys. The weakest link remains human behavior, a pattern now common across security products.

## What users can do

If you receive an in‑app message asking for a recovery key, verification code, or PIN, treat it as hostile regardless of how convincing it appears. Signal's own policy is never to request such credentials, so the request is a clear red flag.

To protect yourself, generate a new recovery key in Signal's settings if you suspect compromise; this invalidates the old key for future backups. Keep backups encrypted and avoid sharing recovery keys or verification codes with anyone, even if they claim to be support.

## Conclusion

The Russian phishing campaign shows how social engineering can bypass even the strongest encryption by exploiting user trust.

Continued vigilance, combined with clear guidance from platform providers, is essential to keep private communications secure. As attackers refine their tactics, users and organizations must stay alert to new warning signs from agencies like the FBI and CISA.
Editorial
SiliconFeed is an automated feed: facts are checked against sources; copy is normalized and lightly edited for
readers.
FAQ
How does the new phishing tactic give hackers persistent access to Signal messages?
Attackers obtain the backup recovery key, which lets them restore backups and read all private and group messages even after the victim changes phones. The compromised key remains functional for future backups, and the only fix is to generate a new key in Signal's settings, which invalidates the old one. Signal's end‑to‑end encryption is not broken; the breach occurs through social engineering.
Which groups and individuals are being targeted?
The campaign focuses on high‑value targets, including current and former US and international government officials, military personnel, political figures, journalists, and Ukrainian officials. The broader phishing effort has already compromised thousands of accounts worldwide, affecting ordinary Signal users as well.
What can users do to protect themselves?
Never share recovery keys, verification codes, or PINs, and treat any in‑app request for credentials as hostile. If you suspect compromise, generate a new recovery key in Signal's settings to invalidate the old one. Keep backups encrypted and stay alert to new warning signs from agencies like the FBI and CISA.
Prepared by the editorial stack from public data and external sources.