← Back to blog

FBI Alerts: Russian Hackers Targeting Signal Backup Recovery Keys

Russian intelligence operatives are escalating phishing campaigns against Signal users by stealing backup recovery keys to hijack accounts and access encrypted message histories. The FBI and CISA warn that compromised keys grant persistent access to private communications and account takeover.

TL;DR

  • Russian intelligence actors are phishing Signal users and extracting backup recovery keys to restore accounts and read encrypted messages
  • A single compromised backup recovery key provides indefinite access to account data and enables full account takeover
  • FBI and CISA updated March warnings with new intelligence on this evolving threat targeting high-value targets
  • Organizations should educate users on phishing risks and enforce strong authentication practices for messaging platforms

The FBI and CISA have escalated warnings about an ongoing Russian intelligence phishing campaign targeting Signal users. The threat actors have refined their tactics beyond initial account compromise attempts, now specifically targeting Signal Backup Recovery Keys—the master credentials that unlock full account access and message history.

Once attackers obtain a backup recovery key, they can restore a user's entire account backup, including private and group message conversations, and maintain persistent control. Critically, these keys do not expire, meaning a single compromised key represents a permanent security liability.

This campaign represents a significant threat to organizations and individuals relying on Signal for secure communications, particularly those in government, journalism, and security sectors who are likely targets.

Attack Mechanics and Impact

  • Attackers use phishing to trick Signal users into revealing backup recovery keys
  • Compromised keys enable restoration of complete account backups containing full message history
  • Attackers gain read access to private and group conversations without detection
  • Keys remain valid indefinitely, providing persistent unauthorized access
  • Account takeover allows attackers to impersonate users and access future communications

Defensive Recommendations

  • Educate users on phishing tactics and the sensitivity of backup recovery keys
  • Implement multi-factor authentication and device verification where available
  • Monitor for suspicious account activity and unusual login locations
  • Establish organizational policies restricting Signal use for classified communications if keys cannot be adequately protected
  • Use security awareness training to help staff recognize social engineering attempts targeting authentication credentials

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

FBI Alerts: Russian Hackers Targeting Signal Backup Recovery Keys — Agent Breach Blog | Agent Breach