FBI advisory I-062626-PSA, published June 26, updates the March advisory I-032026-PSA with a tactical shift: Russian Intelligence Services have moved from stealing Signal verification codes and PINs to stealing Backup Recovery Keys.
The two tracked clusters, UNC5792 and UNC4221, attributed to FSB Border Guards and Russian military actors, target individuals of high intelligence value: current and former US and international government officials, military personnel, political figures, journalists, and key officials in Ukraine.
The IC3 public service announcement I-062626-PSA describes a two-message phishing sequence. The first message impersonates Signal support and claims that two-factor verification is now mandatory following alleged attacks from “Iran and post-Soviet countries,” a social engineering hook designed to sound credible to the target audience. Victims who follow the setup steps end up enabling Signal’s cloud backup. The second message then warns of a “sync issue” and prompts the user to paste their recovery key into the chat.
That key is the crown jewel. Anyone with it can restore the entire backup on their own device, including private and group conversations.
Here’s the structural problem I read in this advisory: rotating your phone number doesn’t help. Creating a new Signal account on the same number does not invalidate a stolen recovery key. Users must manually generate a new key in Settings > Backups. Even then, the IC3 advisory warns that any backup already downloaded using the compromised key remains accessible to the attacker.
The shift from account hijacking to backup key theft is a move toward archival access over active monitoring. It’s harder to detect and persists long after victims think they’ve recovered.
Worth rotating your Signal recovery key before you draft anything sensitive this week.
Rebecca Lauren