The FBI and CISA have issued an updated warning about an ongoing phishing campaign linked to Russian intelligence services that now targets Signal users by stealing Backup Recovery Keys. The advisory builds on earlier alerts from March 2026, which documented attempts to hijack Signal accounts by stealing verification codes or tricking users into linking attacker-controlled devices.
The updated campaign uses impersonation tactics, posing as official Signal support accounts and sending convincing messages that reference fake security incidents and mandatory account protection updates. Victims are instructed to navigate Signal’s backup settings and retrieve their recovery key under the guise of preventing data loss or enabling enhanced security features.
Once obtained, the recovery key allows attackers to restore encrypted Signal backups on their own devices, granting access to historical messages, including private chats and group conversations. While Signal’s Secure Backups feature remains end-to-end encrypted, the recovery key itself becomes a single point of compromise if exposed.
The FBI warns that even if victims later regain control of their accounts or regenerate a new recovery key, previously compromised backups remain accessible to attackers. Officials are urging users to treat recovery keys as highly sensitive credentials and to be cautious of any unsolicited requests claiming to originate from messaging platform support teams.
