The FBI has issued an urgent public service announcement warning that Russian intelligence services have shifted their approach to intercepting encrypted communications. Instead of attempting to defeat Signal’s cryptographic layer, operators are now stealing the backup recovery keys that give them silent access to full message histories and let them persist inside compromised accounts even after victims reset their devices or recreate their accounts.

From Breaking Encryption to Bypassing It

Published June 26, 2026, FBI Public Service Announcement I-062626-PSA updates a March 2026 alert and documents a meaningful tactical evolution. The current campaign, attributed to operators tracked as UNC5792 and UNC4221 and assessed as working on behalf of Russian state intelligence services including the FSB, targets Signal and other commercial messaging platforms. But the attack vector is not a cryptographic flaw in Signal itself.

Threat actors are phishing users through messages that impersonate automated customer support accounts within the messaging application. Victims are persuaded to surrender two types of credentials: first, verification codes and account PINs; second, and most critically, backup recovery keys. According to the FBI advisory, backup recovery key theft is now the “primary new tactic” in the current phase of this campaign.


The distinction matters enormously for defenders. Signal’s encryption has not been broken. The attack surface here is behavioral and procedural. The adversary is social-engineering the person who holds the key, not breaking the lock itself. Organizations cannot address this threat through cryptographic upgrades or endpoint controls alone.

Why Backup Recovery Keys Are the Real Prize

Signal’s backup recovery key exists to serve a legitimate user need: it allows a user to restore their complete message history from a backup onto a new device. That functionality, built for user convenience, becomes a serious liability when it lands in hostile hands. According to the FBI advisory, a threat actor who obtains a victim’s backup recovery key gains access to “historical messages, private and group messages” and can effectively take over the victim’s account.

The persistence mechanism embedded in this attack is particularly significant for security operations teams. The advisory explicitly states that compromised recovery keys remain valid even after the victim creates a new Signal account. Standard incident response workflows that involve asking a user to switch devices or recreate their account do not terminate attacker access unless the victim explicitly generates a new recovery key in Signal’s settings. A single successful phishing event can therefore sustain surveillance for months or years without triggering additional detection events or requiring the attacker to re-establish access.

Impersonation of In-App Support as the Delivery Vector

The phishing method exploits a trust assumption built into how users interact with consumer applications. Most users expect that messages appearing within an application’s own support interface are legitimate. Russian intelligence operators are exploiting this assumption by creating convincing in-app impersonations of automated support bots, then using urgency or apparent authority to extract recovery credentials from targeted individuals.

The FBI advisory is explicit: legitimate Signal support will not request verification codes, PINs, or recovery keys within the application. Any unsolicited support message in any commercial messaging platform that requests these credentials should be treated as a phishing attempt, regardless of how authoritative it appears.

Who Russian Intelligence Is Targeting

The FBI identifies the primary target population as “current and former U.S. and international government officials, military personnel, political figures, journalists, and key officials located in Ukraine.” Signal has been widely adopted among this demographic precisely because of its strong privacy protections. That adoption has now made Signal accounts a high-value collection priority for Russian intelligence services.

The campaign is a continuation of well-documented Russian efforts to monitor encrypted communications used by individuals at the intersection of government, military, and journalism. This publication previously covered Turla’s STOCKSTAY backdoor deployed against Ukrainian government and military targets, a technical implant campaign operating on the same collection objectives as this social-engineering operation. The Signal recovery key campaign represents a complementary track: where malware implants target the endpoint, account takeover operations target the communications layer directly.

What This Means for the Security Leader

CISOs overseeing organizations whose employees communicate with government contacts, diplomatic personnel, journalists, or personnel operating in Ukraine-adjacent roles should treat this advisory as more than a consumer warning. Several characteristics of this campaign carry direct implications for enterprise security teams.

The attack is silent and persistent. There is no malware to detect, no endpoint to remediate, and no account lockout to trigger an alert. A user whose recovery key has been extracted will have no visible indication that surveillance is underway unless they actively audit their settings or receive an external notification. SOC teams relying solely on endpoint telemetry and network logs will not see this attack in progress.

Standard incident response may leave the channel open. If a user is identified as a potential target or victim, simply asking them to reset their PIN, re-register their number, or recreate their Signal account is insufficient (Signal has no account password; the PIN and the recovery key are the credentials that matter here). Recovery key rotation must be an explicit, documented step in any incident response playbook that involves Signal or similar platforms. Omitting that step leaves the surveillance channel intact even after other remediation actions are complete.

Messaging security policy has a gap this campaign is actively exploiting. Most enterprise messaging security policies address data residency, encryption strength, and approved application lists. Few address recovery key management, key rotation cadence, or the procedures for verifying in-app support requests. Organizations that have structured their messaging security posture primarily around encryption have a gap that this campaign is designed to exploit.


The targeting pattern defines the risk population. Organizations supporting policy research, government contracting, Ukraine-related operations, or sensitive journalism should audit Signal usage across their employee population and verify that recovery key hygiene is being practiced. The campaign is focused, not opportunistic: the FBI identifies specific professional categories as the target set.

Recommended Actions for Defenders

Rotate backup recovery keys now. Signal users in sensitive roles should open Settings, locate the Backup Recovery Key option, and generate a new key immediately. This invalidates any previously extracted keys going forward; it does not recover anything the adversary has already restored with the old key, so rotation should be paired with an assessment of what the exposed history contained. Because the same lure also harvests verification codes and PINs, a victim should change their PIN at the same time, and the new recovery key must be stored somewhere the adversary cannot reach, never sent back through the messaging application. Organizations should treat this as an urgent, time-boxed action item for personnel in at-risk roles.

Establish out-of-band verification procedures. Any request for verification codes, PINs, or recovery keys received via a messaging application should be verified through a separate channel before any response is given. Never use the same application to verify the legitimacy of an in-app support request.

Update incident response playbooks. IR procedures that involve Signal or comparable platforms should explicitly include recovery key rotation as a required remediation step rather than an optional one. This applies to both confirmed incidents and precautionary responses to suspected targeting.

Brief at-risk employees. Personnel in government-adjacent, diplomatic, or journalistic roles who use Signal for sensitive communications should receive specific guidance on this tactic. The impersonation of automated support accounts is effective precisely because it exploits the trusted context of the application itself.

Report suspected incidents. Organizations aware of potential targeting should report to the FBI’s Internet Crime Complaint Center at ic3.gov, to the nearest FBI field office, or to CISA.

The underlying shift this campaign reveals is significant for security strategy. Commercial encrypted messaging applications are not being attacked at their cryptographic foundation; they are being attacked at their key management and account recovery infrastructure. Organizations that have built their messaging security posture around the strength of the encryption have not addressed the surface that Russian intelligence services are now systematically targeting.

Source: FBI/IC3 PSA I-062626-PSA: Russian Intelligence Services Continue to Target Commercial Messaging Applications