
Russian hackers hunt for recovery keys for Signal users among Ukrainian military and officials

Russian intelligence hackers have launched a massive phishing campaign to obtain the backup recovery keys of Signal messenger users. A stolen key gives the attackers permanent access to the victim's chat history, even if the victim changes phones.


This was reported by The Hacker News, citing an official warning from the Federal Bureau of Investigation (FBI) and the US Cybersecurity and Infrastructure Security Agency (CISA).

Intelligence agencies note that transferring the recovery key gives attackers the ability to read the entire history of private and group messages, as well as effectively take over the account. Moreover, if the user creates a new account with the same phone number, the old key will still allow hackers to read future backups.

The hackers are targeting individuals with "high intelligence value": current and former U.S. and foreign government officials, military personnel, politicians, journalists, and officials in Ukraine. Thousands of accounts have already been compromised worldwide.

How the scheme works

The Russians are using social engineering techniques to carry out the attack. No technical vulnerabilities have been found in Signal’s encryption or the program itself. The scheme works like this:

  1. The victim receives a message masquerading as coming from the official Signal support service (for example, a request to enable two-factor authentication or to urgently "restore data").

  2. The user is persuaded to enable backup, open a screen with a recovery key, and send this key in the chat.

  3. In previous waves of attacks, hackers also tricked users into sending SMS verification codes and PIN codes, or into accepting fake "group invitations" that silently linked the attacker's device to the victim's account.

The attacks are linked to Russian intelligence services, including FSB officers and groups subordinate to the Russian armed forces. They are tracked in cyberspace under the identifiers UNC5792 and UNC4221. In addition to Signal, hackers are using similar phishing methods on WhatsApp and Telegram.

The US State Department, as part of its Rewards for Justice program, has already announced a reward of up to $10 million for information about the activities of the UNC5792 group.

How to protect yourself

The only way to protect yourself if you have already handed over your recovery key is to generate a new key in Signal's settings. This will invalidate the old key for future uploads, but will not restore information that has already been stolen.

Experts emphasize that end-to-end encryption is powerless if the user personally gives away access keys. Signal representatives stress that the messenger never sends in-app messages asking for any credentials, PINs, or recovery keys.

Recall that in 2025, the Russian hacking group Gamaredon conducted 35 separate targeted phishing campaigns against Ukraine, with the majority of attacks occurring in the second half of the year. The main targets of the attackers were Ukrainian state and military institutions.
