Russian state-sponsored hackers are escalating phishing attacks against Signal users by targeting backup recovery keys, the FBI and CISA warned in an updated advisory. The threat actors, identified as operatives linked to Russian intelligence services, have expanded their social engineering tactics since March to steal Signal Backup Recovery Keys from victims.
The attack works in stages. Phishers first trick targets into handing over credentials, compromising their Signal accounts. Once inside, attackers manipulate victims into revealing their backup recovery keys, which Signal generates during account setup. Armed with this key, threat actors can restore a compromised account's full message history, including private and group conversations, and then assume persistent control over the account.
The recovery key presents a compounding problem. Unlike passwords or session tokens, which may expire or be reset, backup recovery keys remain valid indefinitely. An attacker who captures the key retains long-term access to decrypt and restore backups, creating a persistent foothold even if the victim changes their password afterward.
Signal's design encrypts messages end-to-end, but backup recovery keys function as a master credential to decrypt stored backups outside the app. Threat actors exploit this architecture by convincing users they need to provide the key to "verify" their account, "restore settings," or "confirm identity" during fake support interactions.
The FBI and CISA attribute this campaign to Russian intelligence services, though they have not publicly named a specific service or operation designation. Security researchers suspect involvement from units focused on signals intelligence gathering and account takeover operations targeting government, military, and diplomatic personnel.
Organizations should treat this threat seriously. Government agencies, defense contractors, journalists, and activists in Russia's geopolitical sphere face elevated risk. The advisory recommends users never share backup recovery keys with anyone, verify Signal account contacts through alternative communication channels before discussing sensitive account details, and enable two-factor authentication on Signal and associated email accounts. Users should also monitor for unexpected
