Overview
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory warning that a phishing campaign linked to Russian intelligence services has expanded its tactics to target Signal Backup Recovery Keys. Attackers who successfully steal these keys can decrypt and read a victim's entire message history — a significant escalation from earlier campaigns that focused on session hijacking or device-linked code theft.
The campaign is believed to be connected to the same threat actors the FBI warned about in March 2026, when operators were observed abusing Signal's device-linking feature to silently add attacker-controlled devices to victims' accounts.
What Changed: From Device Linking to Key Theft
Earlier iterations of this campaign exploited Signal's legitimate "Linked Devices" feature. Attackers would craft convincing phishing pages mimicking Signal group invites or security alerts and trick users into scanning QR codes that linked an adversary-controlled device to the target account. This gave attackers real-time visibility into ongoing conversations.
The evolved campaign goes a step further. Threat actors are now specifically targeting Signal's Backup Recovery Keys — a 30-digit numeric code that users can generate to back up and restore their complete message history. If obtained, these keys allow an attacker to import the victim's entire encrypted message archive into a new Signal installation without any hardware access to the original device.
This is particularly dangerous for high-value targets such as journalists, dissidents, military personnel, and government officials who use Signal precisely because of its end-to-end encryption guarantees.
Phishing Lures and Delivery Methods
The FBI advisory describes several lure types observed in the wild:
- Fake Signal security alerts warning users that their account has been compromised and prompting them to "verify" their backup key
- Spoofed Signal support pages requesting recovery codes to "restore" an account
- Trojanized Signal invitation links distributed via email, SMS, and other messaging platforms
- Targeted spear-phishing against individuals affiliated with defence, government, and journalism sectors
Some variants leverage prior reconnaissance — incorporating the victim's real phone number or partial account details to increase credibility.
Attribution
While the advisory stops short of naming a specific group, prior reporting and intelligence assessments have attributed the broader campaign to APT44 (Sandworm) and UNC2589, both assessed to operate under the direction of Russia's GRU (military intelligence). The targeting profile — Ukrainian government officials, NATO allies, and Western journalists — is consistent with known GRU priorities.
Signal's Response
Signal has acknowledged the advisory and emphasized that its architecture does not allow the company to help attackers access messages even if credentials are compromised. However, the company notes that Backup Recovery Keys are specifically designed to enable message restoration, meaning their theft does enable full historical access — a design trade-off inherent to the feature.
Signal recommends users:
- Never share their Backup Recovery Key with anyone, including apparent support contacts
- Regularly audit linked devices via Settings → Linked Devices
- Enable a registration lock PIN to prevent account takeover via SIM-swapping
Defensive Recommendations
The FBI and CISA recommend the following mitigations:
- Disable or avoid Signal's backup feature if operating in high-threat environments where historical message access by adversaries is unacceptable
- Audit linked devices and immediately remove any unrecognized entries
- Enable Signal's registration lock (Settings → Account → Registration Lock)
- Apply security awareness training specifically covering messaging app phishing — many users are unaware that QR codes or links can silently link devices
- Use separate devices for sensitive communications and general use when threat levels warrant
- Report suspicious Signal activity to CISA via their 24/7 Operations Center
Bottom Line
This campaign illustrates that end-to-end encryption does not protect against social engineering aimed at the key material itself. As Signal adoption grows among high-risk populations, adversaries are adapting — moving from direct device compromise to targeting the backup and recovery mechanisms that were designed as safety nets.
For defenders and users alike, the lesson is clear: the weakest link in encrypted communications is rarely the cryptography. It is the human layer.
Sources: FBI/CISA Joint Advisory (June 2026), BleepingComputer