What’s going on (short version)

The FBI and CISA have issued an updated warning: a phishing operation tied to Russian intelligence has shifted tactics and now tries to steal people’s Signal backups by tricking them into handing over their Backup Recovery Key. In plain English: attackers aren’t trying to break encryption — they’re trying to get the key that lets them unlock your chat history.

Targets are not random. The campaign focuses on high-value people — current and former government officials, military folks, journalists, politicians, and people connected to Ukraine. The attackers pretend to be official support messages from Signal and push a fake security narrative to get you to enable backups and then paste the recovery key into a chat. Once they have the key, they can restore your encrypted backup on their devices and read your old messages.

How the scam plays out and what to do

Typical attacker playbook — simplified and slightly insulting to cybercriminals:

  • Step 1: You get a message impersonating support claiming a new mandatory security feature or a sync problem.
  • Step 2: The message gives step-by-step instructions to enable backups and copy the recovery key.
  • Step 3: A follow-up message asks you to paste the recovery key into the chat to “save” or “verify” your data.
  • Step 4: You paste the key. They download the backup, decrypt it with that key, and read your chats.

Quick facts to memorize (like a bad pop song): creating a fresh Signal account with the same phone number does not magically invalidate a stolen recovery key. To stop future downloads with the old key, you must generate a brand-new recovery key in Signal’s backup settings — but that won’t stop an attacker who already downloaded your backup.

How to stay safe (and make phishing actors mildly frustrated):

  • Never share or paste your backup recovery key into a chat or with anyone. Ever.
  • Legit support teams do not ask for verification codes or recovery keys inside the app. If someone does, it’s fake.
  • Don’t follow panic-y instructions that arrive in-app. Pause, breathe, and check official channels separately.
  • If you suspect compromise, generate a new backup key to stop future downloads with the old one, and consider disabling cloud backups until you’re sure things are clean.
  • Protect your device with a screen lock and keep app/device software current. Small annoyances for you, big roadblocks for attackers.
  • If you think you’ve been hit, report it to the FBI or CISA and your local authorities so they can help and collect intel.

This campaign is a good reminder that attackers will happily subvert social trust rather than try to break cryptography. Treat any in-app support message asking you to copy/paste secret keys as suspicious, and take the extra 30 seconds to verify through official, out-of-band channels before obeying instructions that sound urgent or scary.