TheVortiq

Russian Espionage: New Method to Steal Signal Backup Keys

FBI warns that Russian hackers are stealing Signal recovery keys to access messages even after changing devices.

June 27, 2026 · 3 min read


TL;DR: Russian hackers are stealing Signal recovery keys via phishing, allowing them to read messages even after the victim changes devices. The FBI and CISA have issued an updated alert. The main defenses are to never share the backup key and to enable two-step verification.

What Happened?

On June 30, 2025, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an updated joint alert about a phishing campaign targeting users of Signal, the encrypted messaging app. According to the advisory, hackers linked to Russian intelligence are using a new method to steal Signal's backup recovery keys. These keys allow restoring message history and files when installing the app on a new device. Once the key is obtained, attackers can link their own device to the victim's account and access all messages, even after the victim changes phones.

Why Is This Important?

Signal is widely considered the world's most secure messaging app, used by journalists, activists, dissidents, government officials, and military personnel. Its reputation is based on end-to-end encryption and minimal metadata collection. However, this new attack demonstrates that Signal's security also depends on protecting the backup key. If an attacker obtains this key, they can bypass encryption and access past and future conversations. The FBI alert indicates that the campaign has compromised thousands of accounts worldwide, with primary targets being individuals involved in defense, foreign policy, and civil society.

How Does the Attack Work?

Hackers send phishing messages that mimic legitimate Signal notifications, asking the victim to click a link to verify their account or activate a security feature. The link leads to a fake site that requests Signal's 12-word recovery key. Once the victim enters the key, attackers use it to restore the account on a device they control. From that point on, the attacker can read all synchronized messages, including those before the theft. The FBI notes that this method is more effective than trying to break encryption directly, as it exploits the human factor.
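The lure described above has checkable traits: it claims to come from Signal, it links to a host Signal does not operate, and it asks the reader to verify the account or handle the recovery key. The triage heuristic below is an added example, not code from the FBI/CISA advisory or from Signal; the trusted-domain list, the phrase list and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts treated as genuinely Signal-operated; adjust to your own policy.
TRUSTED_SUFFIXES = ("signal.org",)
# Assumption: wording modelled on the lure described in the article.
LURE_TERMS = re.compile(
    r"verify your account|security feature|recovery key|backup key", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)


def host_of(url: str) -> str:
    """Hostname of a URL, or '' when it cannot be parsed (treated as untrusted)."""
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""


def is_trusted_host(host: str) -> bool:
    """True only for a trusted domain itself or a real subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def triage(message: str) -> dict:
    """Collect the indicators that make a message resemble the described lure."""
    reasons = []
    claims_signal = re.search(r"\bsignal\b", message, re.I) is not None
    untrusted = [h for h in map(host_of, URL_RE.findall(message))
                 if not is_trusted_host(h)]
    if claims_signal and untrusted:
        reasons.append("claims to be Signal but links to: " + ", ".join(untrusted))
    if LURE_TERMS.search(message):
        reasons.append("asks to verify the account or handle the recovery key")
    if any("signal" in h for h in untrusted):
        reasons.append("lookalike host containing 'signal'")
    # Two independent indicators are required before flagging.
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


# Constructed sample messages (not taken from the advisory).
SAMPLES = {
    "lure": "Signal Security: unusual login detected. Verify your account at "
            "https://signal.org.account-check.example/restore to keep your backup key.",
    "benign": "Signal release notes are at https://support.signal.org/ as usual.",
    "chat": "Can you send me the slides? https://intranet.example/slides",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, triage(text))
```

The suffix check compares whole labels, so a host that merely begins with or contains `signal.org` is still reported as untrusted.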

Consequences and Historical Context

This attack is part of a long history of Russian espionage operations against encrypted communications. From election interference to attacks on critical infrastructure, Russia has shown a persistent ability to adapt its tactics. In 2023, the same hacker group (identified as UNC5792) was already linked to phishing campaigns against Signal, but the new method focuses on the backup key, enabling persistent access. The immediate consequence is a loss of trust in Signal's security, although the company has responded by updating its documentation and recommending that users not share their backup key with anyone. For users, the lesson is clear: the backup key must be treated with the same level of security as a master password.

What Should Readers Know?

  • Never share your Signal recovery key. Signal will never ask for it via a link or message.
  • Enable two-step verification (PIN) in Signal to add an extra layer of security.
  • Be wary of unexpected messages asking you to click links or provide sensitive information.
  • Review linked devices in Signal's settings and remove any unknown devices.
  • If you think you've been a victim, change your backup key immediately and contact Signal support.

“End-to-end encryption is useless if the user hands over the key to their house to the attacker,” an FBI spokesperson said in the alert.

This campaign underscores that security depends not only on technology but also on user behavior. Awareness and cybersecurity training are essential to counter these threats.