FBI Sounds Alarm Over Russian Intelligence Signal Phishing

By Team-CWD, June 30, 2026


Russian intelligence officers are trying to steal backup recovery keys from the Signal accounts of high-risk users, the FBI has warned.

A new public service announcement (PSA) issued on June 26 revealed that “multiple clusters” of Russian spies, including Federal Security Service (FSB) officers and military hackers, are involved. They are actively targeting current and former US and international government officials, military personnel, political figures, journalists, and Ukrainian officials.

The PSA cited “commercial messaging applications” (CMAs) generically, but the two sample phishing messages it included in the update were both related to Signal.

“Russian Intelligence Services (RIS) cyber-threat actors continue to masquerade as automated CMA support accounts in updated phishing messages but have evolved their tactics to attempt to elicit victims’ Backup Recovery Keys,” it said.

“RIS cyber threat actors continue to elicit victims’ verification codes and account PINs. If a targeted user backs up their CMA messages … and later provides their Backup Recovery Key, RIS cyber threat actors can view the account’s historical messages, private and group messages, and take over the victim’s account.”

Read more on Russian activity targeting messaging apps: Russian Hackers Target Ukrainian Servicemen via Messaging Apps

The FBI warned users that if they share their recovery keys, these will remain valid even if they create a new account using the same phone number – putting the new accounts at risk in the future.

“To mitigate this risk, the user must generate a new backup recovery key within the Settings control; this action will invalidate the previous key for all future backup downloads,” it continued. “However, please note that this does not prevent the actor from having already downloaded a backup of the original account.”

Some Signal Security Tips

The Russian campaign first came to light in March 2026 when the Dutch domestic (AIVD) and military intelligence (MIVD) services warned that some of the country’s government employees had been victimized in a hacking campaign targeting Signal and WhatsApp accounts.

Victims typically received a phishing message purporting to come from a Signal chatbot requesting they enter their PIN or verification code. In another variation, the hackers tried to abuse the linked devices function, as per previous campaigns targeting Ukrainian officials.

The FBI PSA cited several reminders for Signal users:

  • CMA support services only communicate with users via official company email addresses
  • Legitimate CMA support services will not request verification codes within the application
  • CMA support services do not send users links to “verify” or “restore” accounts
  • Never provide a verification code without confirming the request comes from a legitimate CMA communication channel

Image credit: Camilo Concha / Shutterstock.com


