blindthoughts

FBI/CISA: Russian Intelligence Now Stealing Signal Backup Recovery Keys

The FBI and CISA have updated their March 2026 advisory on Russian intelligence-linked phishing against Signal users. The campaign has materially escalated: attackers are no longer just targeting Signal-linked accounts — they are now specifically engineering targets into surrendering their Signal Backup Recovery Key.

What Happened

Russian intelligence operators (assessed as SVR/GRU-affiliated) previously ran phishing campaigns aimed at compromising Signal accounts, typically by abusing Signal's device-linking feature to silently mirror a target's messages. The updated joint advisory from FBI and CISA describes a new step in the kill chain: social engineering the target — often via a fake security alert or verification prompt — into revealing their 30-digit Signal Backup Recovery Key.

That single key is the master credential for your entire Signal history. Hand it over once, and the attacker can restore your full account — including all prior message history — onto a device you'll never see.

Why It Matters

Signal's encryption is end-to-end and unbroken. This attack doesn't touch the cryptography — it targets the human holding the keys. The Backup Recovery Key is deliberately designed to be a durable, portable credential so users can restore Signal on a new phone without losing history. That same durability makes it catastrophically useful to an adversary.

The threat is not theoretical. The campaign is active, the advisory is joint (FBI + CISA carries more weight than either alone), and the targeting profile skews toward journalists, government personnel, NGO workers, and anyone adjacent to Ukraine-related policy or defense contracting. If you or your team uses Signal for anything sensitive, this is a present threat.

Critically: Signal on iOS and Android does not display a persistent warning when your account is restored on a new device by someone else. Compromise can be silent.

What to Do

Right now:

1. Rotate your Backup Recovery Key. In Signal: Settings → Account → Signal Backups → Turn Off, then re-enable to generate a fresh key. Store the new key offline (written down, in a safe) — not in a password manager on a phishable device.
2. Audit linked devices. Go to Settings → Linked Devices and revoke anything you don't recognize. Each linked device gets a live feed of your messages.
3. Never enter your Backup Recovery Key in response to an unsolicited prompt. Signal will never ask for it via a push notification, email, or web form. Any such prompt is a social engineering attempt.
4. Disable cloud backups of Signal. If Signal backups are going to iCloud or Google Drive, the encrypted backup file is only as safe as your cloud account. Consider disabling cloud backup entirely for high-risk use cases.
5. Brief your team. If your organization uses Signal for sensitive communications, distribute this advisory. The attack vector is human, not technical — awareness is the primary control.

For organizations under elevated threat (defense, policy, media covering Russia/Ukraine): treat Signal Backup Recovery Keys with the same sensitivity as a private key or hardware token seed. Document who holds them, enforce rotation, and add it to your offboarding checklist.
