Security/ signal · russia · phishing · security

Russian Hackers Target Signal Recovery Keys, FBI Warns

A joint FBI and CISA advisory warns that Russian intelligence operatives are phishing Signal backup recovery keys, granting persistent account access.

Russian Hackers Target Signal Recovery Keys, FBI Warns

Russian intelligence hackers have found a way into Signal that survives a phone swap.

A joint advisory from the FBI and CISA, published Thursday, warns that Russian intelligence-linked hackers have shifted their Signal phishing campaign toward backup recovery keys. The tactic is a meaningful escalation: whereas previous approaches required ongoing access to a target's device, stealing a recovery key lets attackers restore a full account backup on hardware they control. That access persists even after a victim changes phones, wipes a device, or believes they have contained a breach.

The shift matters because it exploits user trust in Signal's own security model. Recovery keys exist precisely so users do not lose their message history - but handing one to a phishing page turns that safety net into a skeleton key. Signal's encryption remains intact; the attack bypasses it entirely by impersonating the recovery process rather than breaking the cryptography.

This is not the first time Russian state actors have treated Signal as a high-value target - Google's Threat Intelligence Group documented linked-device abuse against Signal in early 2025. The new advisory suggests that campaign has matured, with attackers refining social engineering rather than relying on device-level compromise. If your Signal recovery key has ever been entered anywhere other than a freshly installed Signal app, treat it as burned.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →