Russian Hackers Target Signal Users with Phishing for Backup Recovery Keys

The FBI and CISA have issued a warning about a phishing campaign by Russian Intelligence Services (RIS) targeting Signal users. The campaign aims to steal Backup Recovery Keys, enabling attackers to access victims' historical messages. This updated alert follows a March 2026 advisory that highlighted initial phishing attempts to hijack Signal accounts. The attackers impersonate Signal support teams, sending messages that falsely claim mandatory two-factor verification due to alleged attacks. The campaign primarily targets individuals of high intelligence value, including government officials and journalists, particularly those in Ukraine. The threat actors have evolved their tactics to elicit sensitive information from users, posing significant risks to personal data security. Users are advised to generate new Backup Recovery Keys to mitigate risks associated with compromised keys. The ongoing threat is tracked as UNC5792 and UNC4221.

Key Points: • Russian hackers are targeting Signal users to steal Backup Recovery Keys. • Phishing messages impersonate Signal support, claiming mandatory security updates. • Victims are primarily high-value individuals, including government and military personnel.