Russian intelligence hackers have a new trick to spy on Signal users. They no longer need to break Signal’s encryption. Instead, they target users with social engineering and phishing to steal backup recovery keys.
Once a hacker gets that key, they can restore the victim’s entire message history. That includes private chats and group conversations. They can also take full control of the account. The FBI advisory is blunt: “Handing over the key once gives attackers the ability to restore an account’s backup, read its entire private and group message history, and take over the account.”
The key stays valid even if the victim switches phones. If a user creates a new Signal account with the same phone number, the old key still accesses future backups. The only defense is to generate a new recovery key inside Signal’s settings. This stops future downloads with the old key but can’t undo what hackers already stole.
The FBI’s advisory, PSA I-062626-PSA, links this activity to two Russian hacking groups: UNC5792 and UNC4221. They include FSB officers embedded with border guards and military operatives. The campaign targets high-value individuals—US and international officials, military personnel, political figures, journalists, and Ukrainian officials.
This isn’t a casual hack. Thousands of accounts worldwide were compromised by March 2026. The attackers pose as Signal support, sending phishing messages that ask for SMS verification codes, account PINs, or even the recovery key itself. They can also trick users into scanning malicious QR codes to hijack linked devices.
The FBI stresses that none of this breaks Signal’s encryption or app security. It’s pure social engineering. Users get walked through enabling backups, opening the recovery key screen, and pasting the key into chat. Signal never messages users inside the app to request credentials. The advisory warns, “Anyone who receives a message inside Signal asking for a recovery key, verification code, or PIN should treat it as hostile.”
German security agencies BfV and BSI confirm similar campaigns targeting politicians, military personnel, diplomats, and journalists. They advise users: “Never reply to messages from alleged Signal support accounts,” and “Your best bet is to block and report any suspicious accounts immediately.” They also recommend enabling Signal’s “Registration Lock” and regularly checking linked devices under Settings.
Russian groups use QR code pairing scams to register victim accounts on devices they control. Users rarely check their linked devices list, giving attackers a stealthy foothold. The campaign also targets WhatsApp and Telegram, but the recovery key theft is unique to Signal.
The U.S. State Department’s Rewards for Justice program is offering up to $10 million for information on UNC5792. Google’s Threat Intelligence Group tracked UNC5792 abusing Signal’s linked-device feature in early 2025 before expanding to WhatsApp and Telegram.
This campaign is a textbook case of hacking the human element instead of the app. No encryption crack needed. Just convincing people to hand over the keys to their private conversations.
Based on
- FBI says Russian intelligence hackers have a new trick for reading your Signal messages, and it works even after you change phones — thenextweb.com
- Beware! Hackers Are After Your Signal Backup Keys (2026) — pnwbcrescue.org
- Beware: State-Sponsored Hackers Targeting High-Profile Figures on Signal (2026) — laurastasi.com
- FBI Warns Russian Hackers Targeting Signal Users – Thousands Compromised! (2026) — treeplmn.com
- That Secure Messaging App May Be the Weakest Link in Your Digital Life — nadicent.com
