What’s going on

Heads up: U.S. agencies updated a previous alert to say Russian intelligence-linked operators have stepped up their phishing game against Signal. Instead of just nagging people for one-time codes or tricking them into linking a rogue device, attackers are now convincing targets to hand over their Recovery Key. Give it up once and the crooks can restore your backups, read private and group chats, and keep access going — even if you make a fresh account on the same number.

The agencies tie this activity to named clusters of hostile actors and say the campaign targets high-value people: government and military folks, politicians, journalists, and officials connected to Ukraine. The trick plays with legitimate Signal features and social engineering rather than breaking Signal’s encryption. In short: the app’s crypto still holds, but the account owner is being fooled into opening the door.

What you should do right now

Don’t panic, but do act like your messages are attractive spy bait. Here’s a quick checklist — repeat until it becomes a weird little ritual.

  • Treat any in-app message claiming to be “Signal support” as hostile. Real support won’t message you inside the app asking for codes, PINs, or your Recovery Key.
  • Never paste a backup recovery key, verification code, or PIN into a chat. Nothing legitimate asks for them that way.
  • Open Settings and inspect Linked Devices; remove anything you don’t recognize.
  • If you think you already gave the key away, generate a new recovery key in Settings immediately. That prevents future downloads with the old key — but assume anything already downloaded is gone.

Short version: encryption isn’t broken, social engineering is. Treat unsolicited in-app help like a suspicious sandwich — looks normal until you take a bite. Update your key, scrub linked devices, and don’t paste secret codes into chats. Your account is the weak link; your skepticism is the strongest defense.