FBI: Russian intel now phishes Signal Backup Recovery Keys
FBI PSA I-062626-PSA names UNC5792 and UNC4221, attributes the activity to Russian Intelligence Services, and adds a new Signal Backup Recovery Key phishing tactic to the March warning.
The FBI's Internet Crime Complaint Center published PSA I-062626-PSA on June 26, 2026, updating its March 20 alert on Russian phishing against commercial messaging apps. Two changes matter. First, the FBI now names the public tracking clusters: UNC5792 and UNC4221, and attributes the activity to multiple Russian Intelligence Services (RIS) groups, including FSB officers embedded with the FSB Border Guards and actors working on behalf of the Russian military. Second, the operators have evolved past one-time codes: the new pattern coaxes targets into pasting their Signal Backup Recovery Key into a chat with a fake support account. The State Department's Rewards for Justice programme is offering up to $10 million for information on UNC5792. The Security Service of Ukraine published its own joint statement on June 27.
Why the recovery key changes the threat model
A Signal verification code lets an attacker register a new device against a phone number — useful only for a limited window, because the victim sees a "new device linked" entry and can revoke it. The Backup Recovery Key is different. It decrypts a Signal account's encrypted message backup, which means an attacker who steals it can:
- restore the entire historical message archive — private chats, group chats, attachments — to a device under their control;
- re-restore on future devices, even after the victim rotates phones or creates a new account on the same phone number;
- maintain persistent read access without triggering a "new linked device" event on the victim's session.
In short, the recovery key turns a one-shot account takeover into a long-lived passive collection capability against the message history. That is the operational delta the FBI is flagging.
What the threat actors do
The primary technical writeup is Mandiant's "Signals of Trouble", which is where UNC5792 and UNC4221 are tracked.
- UNC5792 distributes phishing pages styled as legitimate Signal "group invite" redirects. The malicious URL uses the sgnl://linkdevice?uuid= URI scheme to link an attacker-controlled device to the victim's Signal account — the linked-device abuse path documented since the original March campaign.
- UNC4221 runs a Signal phishing kit that mimics Kropyva, the application the Armed Forces of Ukraine use for artillery fire correction. The lure looks like a Kropyva login screen; the payload is account compromise.
- The June twist described in PSA I-062626-PSA: SMS messages, sent in the early hours of the morning, that purport to come from a Signal "Support Team" and ask the target to copy the Backup Recovery Key out of the app's settings and paste it back into the chat.
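The three lure patterns above reduce to a small set of inbound-message checks. The following is an added example, not code from the PSA, Mandiant or Signal: the regexes, the 06:00 off-hours cutoff and the sample messages are all assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Added example: triage rules for inbound SMS/chat text matching the lure
# patterns the PSA and Mandiant describe. Regexes and the off-hours cutoff
# are assumptions, not published detection signatures.
LINK_DEVICE_RE = re.compile(r"sgnl://linkdevice\?([^\s\"'<>]+)", re.I)
SUPPORT_RE = re.compile(r"\b(signal|whatsapp|telegram)\b[^.\n]{0,40}\bsupport\b", re.I)
SECRET_RE = re.compile(
    r"backup recovery key|recovery key|verification code|(verify|restore) (your|the)", re.I)
HIGH = {"link_device_uri", "support_impersonation"}

def triage_message(text, sent_at):
    """Return (verdict, findings) for one inbound message.

    verdict is 'hostile', 'suspicious' or 'clean'; findings is a list of
    (rule, evidence) tuples. sent_at is the recipient's local time: the June
    lures arrived in the early hours, so that is a corroborating signal only.
    """
    findings = []
    # A linking URI in a "group invite" is the UNC5792 linked-device path.
    for m in LINK_DEVICE_RE.finditer(text):
        params = dict(p.split("=", 1) for p in m.group(1).split("&") if "=" in p)
        findings.append(("link_device_uri", params.get("uuid", "?")))
    # Real platform support never asks for codes, keys or "verify"/"restore" actions.
    if SUPPORT_RE.search(text) and SECRET_RE.search(text):
        findings.append(("support_impersonation", SECRET_RE.search(text).group(0)))
    if sent_at.hour < 6:  # assumed cutoff for "early hours of the morning"
        findings.append(("off_hours", sent_at.strftime("%H:%M")))
    if any(rule in HIGH for rule, _ in findings):
        return "hostile", findings
    return ("suspicious" if findings else "clean"), findings

# Constructed sample messages; none are real lures.
SAMPLES = [
    ("Signal Support Team: to keep your backups safe, open Settings and paste "
     "your Backup Recovery Key here.", datetime(2026, 6, 20, 3, 12)),
    ("You've been invited to a group: sgnl://linkdevice?uuid=deadbeef&pub_key=abc",
     datetime(2026, 6, 20, 14, 0)),
    ("Lunch at 1? Tomorrow works.", datetime(2026, 6, 20, 12, 30)),
]

if __name__ == "__main__":
    for text, when in SAMPLES:
        print(triage_message(text, when))
```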
The FBI's recommendation matches the threat model: legitimate commercial messaging app (CMA) support services do not request verification codes inside the app and do not send "verify" or "restore" links. Treat any inbound contact claiming to be Signal, WhatsApp or Telegram support as hostile until proven otherwise.
Targets
The PSA describes the target set as individuals of high intelligence value: current and former U.S. and international government officials, military personnel, political figures, journalists, and key officials in Ukraine. The March notice said the broader campaign had already compromised thousands of accounts worldwide — the June update does not refresh that figure.
What to do today
- Treat the Backup Recovery Key as a top-tier credential. Never type it, paste it, or photograph it. It belongs in an offline password manager or on paper, not in any chat — not even a chat with the person you trust most.
- Audit your Signal linked devices (Settings → Linked devices) for entries you do not recognise. Unlink anything you cannot account for, then rotate the Backup Recovery Key from Settings → Chats → Backup. If a key was disclosed, the only remediation is rotating it; deleting a leaked key from the chat does not revoke it.
- Apply the same hygiene to WhatsApp end-to-end backup keys and to Telegram cloud-password recovery — the same TTP class generalises.
- For high-value targets (government, military, journalists covering Russia/Ukraine, Ukrainian officials), assume you are in scope. Move sensitive comms to a freshly provisioned device whose number has never been published, and turn on Signal's registration lock PIN.
- If you fell for it, file with IC3, your local FBI field office, and — for U.S. critical-infrastructure targets — CISA at report@cisa.gov or 1-844-Say-CISA. Rotate, then revoke.
Attribution, hedged
PSA I-062626-PSA is an FBI document; it attributes the activity to multiple Russian Intelligence Services clusters and uses Mandiant's UNC tracker names rather than a single state organ. Rewards for Justice's $10M offer goes specifically against UNC5792. None of that is a court filing — read it as confident attribution by the U.S. government, not as a settled criminal finding.
Context
This is the third update in four months to PSA I-032026-PSA, and the trendline is consistent: Russian intelligence operators are systematically migrating their human-intelligence collection workflow into commercial encrypted messengers, then iterating on the social-engineering layer as defenders close gaps. The Backup Recovery Key tactic specifically extends the access window from minutes to indefinite — a defender win on linked-device detection is a defender loss the moment the key is in adversary hands. Expect Mandiant and Google TAG to publish an updated technical report shortly; the PSA is the policy statement, the threat-intel write-up is where the next set of IOCs will land.