The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a fresh warning that cyber actors linked to Russian intelligence services have adopted a new phishing tactic targeting users of the Signal messaging app. Instead of attempting to break Signal’s end-to-end encryption, attackers are now trying to steal users’ Signal Backup Recovery Keys, enabling them to restore encrypted backups and gain access to historical messages and media files.
Automated Support Personas and Public Service Advisory Escalations
According to the FBI, the latest advisory expands on an earlier warning issued in March 2026. Initially, threat actors focused on stealing Signal verification codes and account PINs, or on tricking victims into linking attacker-controlled devices to their accounts. The campaign has now evolved, with attackers concentrating on obtaining Backup Recovery Keys to access stored conversations.
The agencies said the campaign primarily targets individuals of high intelligence value, including current and former government officials, military personnel, political leaders, journalists and key officials associated with Ukraine. The activity has been attributed to cyber groups linked to Russian intelligence services.
Geopolitical Social Engineering and Mandatory Security Updates
Investigators said the attackers impersonate Signal’s support team and send phishing messages falsely claiming that the platform is introducing mandatory security updates and two-factor verification due to increased attacks by hackers from Iran and other countries. Victims are instructed to enable Signal’s Secure Backup feature and generate a Backup Recovery Key.
In a second stage of the attack, victims receive another fraudulent message warning that their Signal data could be permanently lost because of a synchronization issue. They are then asked to copy and share their Backup Recovery Key. Once the recovery key is disclosed, attackers can restore the encrypted backup on their own devices and access the victim’s historical private and group conversations.
Key Invalidation Mechanics and Persistent Archive Vulnerabilities
The FBI has also warned that simply creating a new Signal account using the same phone number does not invalidate a previously compromised Backup Recovery Key. Users must generate a new recovery key through Signal’s backup settings to invalidate the old one for future backups. However, if attackers have already downloaded the backup using the stolen key, generating a new key will not prevent them from accessing that previously obtained data.
Human Element Vulnerabilities and Official Verification Protocols
Renowned cybercrime expert and former IPS officer Professor Triveni Singh said cybercriminals are increasingly relying on social engineering rather than exploiting technical vulnerabilities. He emphasised that no legitimate organisation or messaging platform will ever ask users to share their Recovery Key, OTP, PIN or verification code through chat, SMS or messaging applications. Sharing such credentials could expose private conversations, sensitive documents and other confidential information to attackers. He advised users to trust only official communications from service providers and verify any security-related message before following its instructions.
Cybersecurity experts also recommend that users never disclose their Backup Recovery Key, OTP or other sensitive authentication credentials under any circumstances. Any suspicious phishing attempt or fraudulent message should be reported immediately to the platform’s official support channels and relevant cyber security authorities to minimise the risk of data compromise.
