The FBI and CISA have updated their March warning about Russian intelligence phishing Signal accounts, and the operators have added a step: they now walk targets through handing over their Signal backup recovery keys.
Hand it over once, and the attacker can restore account backups, read private and group message history, and take over the account. Worse yet, the key keeps working. Create a new account on the same phone number and the old key can still be used against it, the advisory warns.
The fix is straightforward: generate a new key in Settings, which invalidates the old one for future backup downloads, and accept that anything the attacker has already pulled is in their hands.
The updated advisory, PSA I-062626-PSA, adds two public tracking names that were missing from the March notice: UNC5792 and UNC4221. The FBI links this activity to several Russian intelligence services (RIS) groups, including FSB officers attached to the FSB border guards and others working for the Russian military services. The campaign affected Signal and WhatsApp accounts; the new recovery-key tactic described by the advisory is specific to Signal.
Targets are individuals with high intelligence value: current and former US and international government officials, military personnel, political figures, journalists, and Ukrainian officials. The March notice said the widespread campaign had already compromised thousands of accounts around the world.
The phishing message poses as Signal support. Earlier waves asked for SMS verification codes and account PINs, or used compromised “group invite” links that quietly linked an attacker’s device to the account.
The updated version walks the target through turning on Signal backups, opening the recovery key and pasting it into the chat. The advisory prints two sample messages: one framed as a mandatory two-factor rollout, the other as an immediate “data recovery” fix for messages allegedly at risk of loss.
Since March, the agencies have been clear that none of this breaks Signal’s encryption or the app. The actors compromise individual accounts through social engineering, then operate through a legitimate feature.
In addition to the update, the State Department’s Rewards for Justice program is offering up to $10 million for information on UNC5792.
This activity overlaps with warnings earlier this year from Dutch intelligence (AIVD and MIVD), Germany’s BfV and BSI, and France’s ANSSI. Google’s Threat Intelligence Group first documented UNC5792 abusing Signal’s linked-device feature in early 2025, and saw the same tradecraft used against WhatsApp and Telegram.
What to do now
- Treat any in-app message from “Signal Support” as hostile. Real support does not message you inside the app asking for a code, PIN, or your recovery key.
- Never paste your backup recovery key, verification code, or PIN into a chat. Nothing legitimate asks for them like that.
- Open Settings, check linked devices, and remove anything you don’t recognize.
- If you think you’ve handed over your recovery key, create a new key in Settings now and assume that any backups made before this are already in someone else’s hands.
The March notice warned that the strategy would change. It has: the operators have gone from chasing a one-time code to collecting the key that opens the entire backup. The encryption holds. The account is the weak point, and the person holding it is the target.