Signal Backup Security Warning: FBI Alerts Users to Phishing Campaign

On June 26, 2026, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint security advisory that sent shockwaves through the global defense and diplomatic communities. To protect sensitive state, corporate, and personal communications, optimizing your Signal backup security has suddenly shifted from a secondary best practice to an immediate operational necessity. The updated advisory—designated PSA Alert Number: I-062626-PSA—details an active, highly targeted phishing campaign orchestrated by Russian Intelligence Services (RIS).

This aggressive campaign is designed to bypass the end-to-end encryption standards of commercial messaging applications by targeting a critical human-centric vulnerability: the local and cloud backup recovery key. Rather than attempting to break the rigorous mathematical framework of the Signal Protocol, state-sponsored operators are utilizing sophisticated social engineering to trick high-value targets into handing over the cryptographic keys that unlock their entire chat archives. The implications of this tactical shift are severe, threatening the persistent confidentiality of journalists, military planners, government officials, and diplomatic personnel worldwide.

The Evolution of Russian Intelligence Operations (UNC5792 & UNC4221)

The joint advisory attributes this ongoing global espionage campaign to two distinct clusters of Russian state-aligned cyber threat actors:

  • UNC5792: A sophisticated espionage group linked to officers within the Russian Federal Security Service (FSB), including those embedded with the FSB Border Guards. This cluster has been highly active, drawing a $10 million bounty from the U.S. State Department’s Rewards for Justice program.
  • UNC4221: An offensive cyber unit closely aligned with Russian military intelligence (GRU) and military services. This group has historically targeted Ukrainian defense infrastructure and allied organizations.

Historically, both groups focused on rapid, short-term session hijacking. Throughout 2024 and 2025, they heavily abused Signal’s “Linked Devices” feature. Under that model, UNC5792 would host cloned or altered “group invite” pages embedded with malicious JavaScript. When scanned or clicked, these pages would execute a silent redirect using custom Uniform Resource Identifier (URI) protocols (specifically sgnl://linkdevice?uuid=), secretly pairing the victim’s Signal account to an attacker-controlled secondary device. Simultaneously, UNC4221 deployed custom-developed phishing kits designed to mimic military applications, such as the Ukrainian tactical software Kropyva, tricking targets into scanning malicious QR codes.

While device-linking attacks allowed attackers to passively monitor incoming and outgoing messages in real time, they suffered from a fatal operational flaw: they left a visible footprint in the “Linked Devices” tab within the application settings, and the access could be severed instantly by the user. The June 2026 campaign represents a major evolutionary leap. By pivoting to target the Backup Recovery Key, the Russian Intelligence Services have secured a method of silent, long-term, and cryptographically persistent access that is incredibly difficult for the average user to detect or remediate without a complete understanding of how Signal’s data storage architecture operates.

The Cryptographic Trap: Understanding Backup Decryption

To appreciate why this attack is so devastating, it is necessary to examine how Signal manages its backup framework. By default, Signal operates on a zero-knowledge architecture. The Signal Foundation does not maintain unencrypted copies of your chats on its servers. For users who choose to enable backups, Signal generates a highly secure, local archive encrypted with AES-256. The cryptographic cornerstone of this archive is a 30-digit Backup Recovery Key (which may appear as a 64-character alphanumeric string depending on the operating system and client version).

This recovery key is generated exclusively on the user’s device using local entropy. It is never transmitted to or stored by Signal’s servers. When a user backs up their device, this local key encrypts the database. If the user switches devices, they must provide this exact recovery key to decrypt and restore the historical chat record.

The RIS threat actors realized that if they could acquire this recovery key, they could bypass the need to break any encryption algorithms. Once the 30-digit key is harvested, the attackers use auxiliary malware or file-extraction scripts—such as the WAVESIGN batch script or the Infamous Chisel malware—to exfiltrate the victim’s encrypted local backup database from their mobile device or desktop. By pairing the stolen, encrypted backup file with the socially engineered recovery key, the attackers can decrypt and read years of private messages, shared media, contact lists, and sensitive file attachments at their leisure, entirely offline and undetected.

Worse still is the issue of compromise persistence. Unlike temporary access tokens or session keys, a Signal Backup Recovery Key does not expire when a session is closed or when a device is unlinked. As CISA and the FBI warned in PSA I-062626-PSA, even if a victim realizes they have been targeted, deletes their current profile, and registers a fresh Signal account using the exact same phone number, the compromised recovery key chain remains structurally active. Any future backup archives generated using that unrotated key chain will remain entirely vulnerable to decryption by the threat actors.
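The persistence problem described above (and the reason the key rotation in mitigation step 2 works) can be seen in a small model of a passphrase-encrypted backup. The following is an added example and is not Signal's code or its real backup format: the PBKDF2 parameters, the HMAC-based counter-mode cipher standing in for AES-256 so that the demo needs only the Python standard library, the archive layout and the sample chat contents are all assumptions made for this illustration.

```python
"""
Simplified model of a passphrase-encrypted chat backup, added to illustrate why a
harvested recovery key keeps working until it is rotated. This is NOT Signal's
backup format: the KDF parameters, the HMAC-based counter-mode cipher (a stand-in
for AES-256 so the demo needs only the standard library) and the archive layout
are assumptions.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

KDF_ITERATIONS = 100_000  # assumed stretching cost for the demo


def generate_recovery_key() -> str:
    """30 decimal digits drawn from the OS CSPRNG: local entropy that never leaves the device."""
    return "".join(str(secrets.randbelow(10)) for _ in range(30))


def derive_keys(recovery_key: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the digits into a 32-byte encryption key and a 32-byte MAC key."""
    material = hashlib.pbkdf2_hmac("sha512", recovery_key.encode(), salt, KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), "sha256").digest()
        block += 1
    return bytes(out[:length])


def encrypt_backup(recovery_key: str, plaintext: bytes) -> bytes:
    """Archive layout (assumed): salt(16) || nonce(16) || ciphertext || tag(32), encrypt-then-MAC."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(recovery_key, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag


def decrypt_backup(recovery_key: str, archive: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong (tag check fails; the archive stays opaque)."""
    if len(archive) < 64:
        return None
    salt, nonce, ct, tag = archive[:16], archive[16:32], archive[32:-32], archive[-32:]
    enc_key, mac_key = derive_keys(recovery_key, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def persistence_scenario() -> dict:
    """Replay the advisory's scenario with constructed sample data.

    1. The victim's key is phished and an old archive is exfiltrated.
    2. The victim re-registers with the same number but keeps the same key.
    3. The victim rotates to a freshly generated key.
    """
    key_old = generate_recovery_key()
    archive_2025 = encrypt_backup(key_old, b"2025 chats (constructed sample)")
    stolen_key = key_old  # handed over in the phishing chat
    archive_reregistered = encrypt_backup(key_old, b"chats after re-registration (constructed sample)")
    key_new = generate_recovery_key()
    archive_rotated = encrypt_backup(key_new, b"chats after key rotation (constructed sample)")
    return {
        "old_archive_readable_with_stolen_key": decrypt_backup(stolen_key, archive_2025) is not None,
        "post_reregistration_archive_readable": decrypt_backup(stolen_key, archive_reregistered) is not None,
        "post_rotation_archive_readable": decrypt_backup(stolen_key, archive_rotated) is not None,
        "wrong_key_rejected": decrypt_backup("0" * 30, archive_2025) is None,
    }


if __name__ == "__main__":
    for name, value in persistence_scenario().items():
        print(f"{name}: {value}")
```

Running the scenario shows the three facts the advisory stresses: the stolen key opens the archive that was exfiltrated, it also opens every later archive produced under the same key (re-registering the phone number changes nothing, because the key is what protects the archive), and only an archive produced after a fresh key is generated is out of the attacker's reach. Archives already exfiltrated under the old key stay readable, so rotation limits future exposure rather than undoing past exposure.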

Inside the Phishing Funnel: Anatomy of the Backup Heist

The social engineering tactics utilized by UNC5792 and UNC4221 are meticulously planned and executed with high psychological precision. The attack operates through a highly coordinated, multi-step funnel:

Step 1: The Trust Injection (In-App Spoofing)

The attackers exploit the fact that Signal does not restrict or verify custom profile names. Threat actors register standard accounts and change their display names to variations of “Signal Support,” “Signal Security Team,” or “System Administrator.” Because they initiate the contact directly within the Signal chat interface, unsuspecting targets assume the message is a system-generated administrative notification rather than a standard user-to-user chat.

Step 2: The Urgent Lure

The phish relies on creating a high-stress scenario to bypass the victim’s critical thinking. The joint advisory highlights two primary templates used in the wild:

  1. The Mandatory Security Rollout: The target receives a message claiming that due to a recent wave of state-sponsored cyberattacks originating from Eastern Europe or the Middle East, Signal is rolling out mandatory two-factor authentication (2FA) for all high-profile users. The user is warned that failure to comply will lead to immediate account suspension.
  2. The Urgent Sync Correction: The message warns the target of an alleged synchronization error on Signal’s servers. It states: “Action Required: Data Recovery Needed. Your Signal account data is at risk of permanent loss due to a sync issue. To avoid losing your messages, please follow the steps below.”

Step 3: The Step-by-Step Extraction

The spoofed support account walks the victim through their own phone’s native UI settings to extract the key. The message directs them to navigate through Settings > Chats > Chat Backups (or Configure > View Recovery Key). The attacker instructs the user to copy the resulting 30-digit or 64-character string and paste it directly back into the chat window, claiming it will “re-sync” their local backup with the secure cloud registry. The moment the victim hits send, the cryptographic security of their archive is broken.
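The funnel above (impersonating display name, urgency lure, instruction to paste the recovery key) and the sgnl://linkdevice deep links of the earlier device-linking campaigns are regular enough to be scored mechanically, for instance in an organisation's message-screening or awareness tooling. The following is an added example, not something from the advisory or from Signal: the keyword lists, weights and threshold are assumptions, and the sample messages are constructed. It also includes an outbound guard that flags anything shaped like a 30-digit or 64-character recovery key before it leaves the device, which is the moment the archive's security is lost.

```python
"""
Message-screening heuristic added to illustrate the lure pattern, plus the
sgnl://linkdevice deep links of the earlier campaigns. Not from the advisory or
from Signal; keyword lists, weights and threshold are assumptions, and the sample
messages are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Display names the page lists as used by the spoofed "support" accounts.
IMPERSONATION = re.compile(r"\b(signal\s*(support|security\s*team)|system\s*administrator)\b", re.I)
# Pressure language from the two lure templates.
URGENCY = re.compile(r"\b(action required|account suspension|permanent loss|mandatory|immediately)\b", re.I)
# Instructions that steer the victim toward exposing the key.
KEY_REQUEST = re.compile(r"\b(recovery key|backup (key|passphrase)|paste|re-?sync)\b", re.I)
# Device-linking deep link abused in the 2024-2025 campaigns.
LINK_DEVICE_URI = re.compile(r"sgnl://linkdevice\?uuid=", re.I)
# Shapes of the recovery key itself: 30 digits (optionally grouped) or a 64-character string.
DIGIT_KEY = re.compile(r"\b(?:\d[\s-]?){30}\b")
ALNUM64 = re.compile(r"\b[A-Za-z0-9]{64}\b")

SUSPICIOUS_THRESHOLD = 3  # assumed


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def score_inbound(display_name: str, body: str) -> Verdict:
    """Score an inbound chat message. Because no legitimate Signal notice ever
    arrives as a chat, an impersonating display name alone crosses the threshold."""
    v = Verdict()
    if IMPERSONATION.search(display_name):
        v.score += 3
        v.reasons.append("display name impersonates Signal staff")
    if URGENCY.search(body):
        v.score += 1
        v.reasons.append("urgency / threat language")
    if KEY_REQUEST.search(body):
        v.score += 2
        v.reasons.append("asks for the backup recovery key")
    if LINK_DEVICE_URI.search(body):
        v.score += 3
        v.reasons.append("contains a device-linking deep link")
    return v


def outbound_leaks_key(body: str) -> bool:
    """Outbound guard: does a message about to be sent contain something shaped like a recovery key?"""
    return bool(DIGIT_KEY.search(body) or ALNUM64.search(body))


# Constructed sample traffic (not real messages).
SAMPLE_INBOUND: List[Tuple[str, str]] = [
    ("Signal Support",
     "Action Required: Data Recovery Needed. Your Signal account data is at risk "
     "of permanent loss due to a sync issue. Go to Settings > Chats > Chat Backups "
     "> View Recovery Key and paste the key here to re-sync."),
    ("Alice", "Lunch at 1? I'll bring the slides."),
    ("Bob", "Join our group here: sgnl://linkdevice?uuid=00000000-0000-0000-0000-000000000000"),
    ("Signal Security Team", "Reminder: keep your app updated."),
]


def screen_samples() -> Dict[str, int]:
    """Run the inbound scorer over the sample traffic; returns display name -> score."""
    return {name: score_inbound(name, body).score for name, body in SAMPLE_INBOUND}


if __name__ == "__main__":
    for name, body in SAMPLE_INBOUND:
        verdict = score_inbound(name, body)
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"[{flag}] {name}: score={verdict.score} {verdict.reasons}")
    print("outbound guard:", outbound_leaks_key("Here it is: 1234 5678 9012 3456 7890 1234 5678 90"))
```

The weights encode the page's own rule: a display name claiming to be Signal staff is disqualifying on its own, while urgency wording only raises the score when it accompanies a request for the key. The outbound check is the more robust of the two, since it does not depend on how the lure is phrased, only on the victim being about to send the one secret that matters.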

Maximizing Signal Backup Security: Actionable Mitigation Steps

To successfully neutralize the threat posed by UNC5792, UNC4221, and other highly skilled state-sponsored actors, organizations and individuals must transition from a passive posture of trusting the software to an active posture of continuous cryptographic hygiene. If you suspect your communication footprint has been exposed, or if you want to proactively secure your infrastructure, implement the following steps immediately:

1. Recognize and Train Against In-App Support Scams

First and foremost, understand that Signal will never contact you within the application interface to request configuration settings, PINs, SMS codes, or recovery keys. If a chat bubble appears claiming to be “Signal Support,” it is a fraudulent account. Legitimate administrative notifications from Signal will only occur via verified external channels or via immutable system-level pop-up prompts (such as PIN reminders) that do not take the form of an active chat conversation. Block and report any account claiming otherwise immediately.

2. Rotate and Regenerate Your Recovery Key Immediately

If there is any possibility that your key has been exposed, you must immediately perform a manual rotation to generate a new cryptographic key. Rotation invalidates the compromised key for every backup generated from that point forward and cuts the threat actors off from future backup generations; note that any backup they already exfiltrated under the old key remains readable to them, which is why rotation must happen as soon as exposure is suspected.

  • Open Signal on your primary mobile device.
  • Navigate to Settings > Chats > Chat backups (on Android) or the corresponding backup menu on your OS.
  • Tap on View Recovery Key or select the option to Turn Off Backups.
  • Confirm the deletion of old backups. This action effectively deletes the historical, potentially compromised backup state from the cloud or local storage.
  • Re-enable backups and select Generate New Recovery Key.
  • Write down the newly generated key. Store this key in a secure physical location (such as a hardware safe) or within an encrypted, offline local password manager. Never keep it in unencrypted cloud notes, emails, or on your device’s clipboard.

3. Conduct a Device and Session Audit

To eliminate the possibility of persistent device-pairing exploits (the secondary vector utilized by these groups), review all active sessions:

  • Go to Settings > Linked Devices.
  • Carefully examine every listed machine (Desktop clients, tablets, etc.).
  • If you find any device that you do not recognize, or if the login location or date seems anomalous, select the device and tap Unlink or Remove immediately.

4. Activate Registration Lock

To prevent threat actors from attempting a complete account takeover via SMS interception or SIM-swapping, you must activate the Registration Lock feature:

  • Go to Settings > Account.
  • Toggle on Registration Lock. With it enabled, your Signal PIN must be entered before your phone number can be registered with Signal again, so control of the number alone is not enough to take over the account.
  • Ensure your Signal PIN is strong, unique, and not shared with any other applications or services.

By enforcing these strict security controls, you deny state-sponsored adversaries the access they seek. End-to-end encryption is a powerful tool, but its defensive strength is only as robust as the user’s diligence in protecting the cryptographic keys that govern it. Secure your backups, rotate your keys, and treat every unsolicited administrative request with absolute skepticism.

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.