Russian intelligence hackers have found a way into Signal that survives a phone swap.
A joint advisory from the FBI and CISA, published Thursday, warns that Russian intelligence-linked hackers have shifted their Signal phishing campaign toward backup recovery keys. The tactic is a meaningful escalation: whereas previous approaches required ongoing access to a target's device, stealing a recovery key lets attackers restore a full account backup on hardware they control. That access persists even after a victim changes phones, wipes a device, or believes they have contained a breach.
The shift matters because it exploits user trust in Signal's own security model. Recovery keys exist precisely so users do not lose their message history - but handing one to a phishing page turns that safety net into a skeleton key. Signal's encryption remains intact; the attack bypasses it entirely by impersonating the recovery process rather than breaking the cryptography.
This is not the first time Russian state actors have treated Signal as a high-value target - Google's Threat Intelligence Group documented linked-device abuse against Signal in early 2025. The new advisory suggests that campaign has matured, with attackers refining social engineering rather than relying on device-level compromise. If your Signal recovery key has ever been entered anywhere other than a freshly installed Signal app, treat it as burned.
