The Evolution: From Verification Codes to Backup Keys
Here's the thing about threat actors that never gets enough attention: they get bored. When a phishing tactic stops working — when users stop falling for the old tricks, when detection improves, when the low-hanging fruit dries up — they don't just give up. They evolve.
That's exactly what the FBI and CISA revealed in their updated public service announcement published June 26, 2026. The Russian Intelligence Services campaign that was previously stealing Signal verification codes and account PINs has shifted to something far more consequential: coercing victims into handing over their Signal Backup Recovery Keys.
The difference between these two tactics isn't subtle. A stolen verification code gets you into someone's active session — maybe a few hours of messages, if you're quick. But a Backup Recovery Key? That unlocks the entire historical archive. Every private conversation. Every group chat. Everything the victim has ever sent or received through Signal, stretching back to whenever they first enabled backups.
And here's what makes it worse: unlike a stolen verification code that expires when the session ends, that recovery key keeps working indefinitely. The FBI is unambiguous about this in their advisory (PSA I-062626-PSA). Even if the victim creates a brand-new Signal account with the same phone number, the old stolen key remains valid. The only way to invalidate it is to generate a new one through Signal's backup settings — and even then, that only blocks future downloads. Anything the attacker already pulled down? That's gone.
This is an update to a March 2026 advisory that first warned about the broader campaign. The original notice focused on verification code theft and forced device linking. The new one adds two public tracking identifiers — UNC5792 and UNC4221 — and documents the tactical shift toward backup keys. The State Department's Rewards for Justice program is now offering up to $10 million for information leading to the identification of UNC5792, which tells you everything you need to know about how seriously the U.S. government views this threat.
The March notice already indicated the campaign had compromised thousands of accounts worldwide. This update doesn't suggest the compromise count has dropped. It suggests it's probably gone up.
Who's Behind It: Russian Intelligence Services
The FBI attributes this campaign to multiple groups within the Russian Intelligence Services — not some lone wolf operating from a basement in Vladivostok. We're talking about officers embedded with the FSB Border Guards and actors working directly for Russian military services.
That institutional backing matters. It means these aren't script kiddies trying to make a quick buck on the dark web. These are state-sponsored operators with resources, patience, and a mandate to collect intelligence on anyone the Russian government considers valuable.
The campaign is publicly tracked under two identifiers: UNC5792 and UNC4221. These designations were added in the June update and weren't present in the March advisory, which suggests the FBI has been doing additional attribution work over the intervening months. Google's Threat Intelligence Group actually first documented UNC5792 abusing Signal's linked-device feature back in early 2025, so this isn't brand new — the tactics have just gotten more sophisticated.
What's striking about the RIS approach is how methodical it is. They don't blast phishing messages at random. They target people with actual intelligence value: current and former U.S. and international government officials, military personnel, political figures, journalists covering conflict zones, and key officials located in Ukraine. The March notice made clear this was a deliberate campaign against specific individuals, not a scattergun approach.
And this tradecraft isn't Signal-specific. The same social engineering patterns have been observed against WhatsApp and Telegram, which means the RIS operators are treating messaging platforms as a portfolio — they'll exploit whatever gives them the best access to their targets, regardless of which app those targets prefer.
How the Attack Works: The Two-Message Trap
The phishing mechanism is almost elegant in its simplicity, which is exactly what makes it dangerous. The attacker sends two messages, both impersonating Signal support.
The first message arrives looking like an official notification from Signal. It claims the app is introducing mandatory two-factor verification following what it describes as "attacks by hackers from Iran and post-Soviet countries." The framing is deliberate — it creates urgency, invokes geopolitical fear, and positions Signal support as the victim's protector.
The message then walks the user through enabling Signal backups and viewing their recovery key. It tells them to go to Settings, navigate to Backups, enable the feature, copy the recovery key to their clipboard, and follow a series of prompts. At this point, most users are just following instructions from what appears to be their messaging app's official support team. They're setting up a feature they were told is now mandatory.
Then comes the second message. Still posing as Signal support, it delivers the kill shot: a warning that the user's data is at risk of permanent loss due to a "sync issue." The message instructs the victim to go back into their Backup settings, copy that recovery key they just generated, and paste it directly into the chat to prevent data loss.
This is where the trap snaps shut. The user pastes their Backup Recovery Key into a chat with someone they believe is Signal support. They have no idea they've just handed over the master key to their entire communication history.
Once the attacker has that key, they can restore the backup to their own devices and read everything. Private messages. Group conversations. Media files. The full archive, preserved and accessible indefinitely.
The FBI's advisory is explicit about the recovery scenario most victims miss: creating a new Signal account with the same phone number does not invalidate the stolen key. You have to actively generate a new Backup Recovery Key through Signal's settings, and even then, you can't undo what the attacker already downloaded. The damage is done the moment that key leaves your device.
Why This Is Particularly Dangerous
Let me be direct: this is one of the more insidious phishing vectors I've seen because it weaponizes a legitimate security feature against its own users.
Signal's Backup Recovery Key system was designed to help people recover their data if they lose a device. That's a good feature. It's also a feature that requires users to handle the key carefully — Signal explicitly warns you not to share it. But the RIS operators understood something important: users who trust their messaging app will follow instructions from what appears to be that app's support team, even if those instructions ask them to do something the app itself told them never to do.
The psychological manipulation here is layered. First, you're told the feature is now mandatory — creating compliance pressure. Then you're told your data is at risk of permanent loss — creating urgency and fear. Finally, you're given a simple solution that requires trusting the "support agent" in your chat — creating a path of least resistance.
And the technical reality makes it worse. Unlike a password that you can change, or a verification code that expires after minutes, the Backup Recovery Key is designed to be persistent. It's meant to survive account changes and device swaps. That persistence, which is a feature for legitimate users, becomes an infinite vulnerability window when it falls into attacker hands.
The FBI's language on this is unusually blunt for a government advisory. They state clearly that if you share your Backup Recovery Key, "that same key remains valid even if you create a new account following the compromise using the same phone number." That's not a subtle warning. That's a government agency telling you that your normal incident response — creating a new account — won't fix the problem.
The only mitigation is generating a new key, which blocks future backup downloads but does nothing about what's already been exfiltrated. And since the attacker can access backups they've already downloaded indefinitely, there's no technical way to retroactively contain the breach.
What This Means for Signal's Security Model
Here's where I want to push back on any narrative that suggests Signal's encryption has been compromised. It hasn't. Not even close.
The FBI and CISA are unambiguous about this: none of this breaks Signal's encryption or the application itself. The RIS operators aren't cracking anything. They're not exploiting a zero-day vulnerability in Signal's code. They're using social engineering to get users to hand over a legitimate key through a legitimate feature.
This is a completely different problem from a technical vulnerability, and it needs a completely different solution. You can't patch social engineering with a software update. You can't fix this by improving encryption algorithms or adding more authentication factors.
The encryption holds. The account is the weak point, and the person holding it is the target. That's been true since messaging apps existed, but this campaign makes it painfully clear.
Signal has actually taken some steps to address this. They added security warnings for social engineering and phishing attacks, which is a positive development. But the fundamental challenge remains: how do you prevent a user from voluntarily handing over a credential to someone they believe is official support? The answer, unfortunately, is education and vigilance — not technology.
This also highlights a broader tension in the security industry. We spend enormous resources building encryption that can withstand nation-state actors, only to have those same actors bypass it entirely by asking the user nicely for the key. It's the digital equivalent of building a vault with an impenetrable lock, then having the thief convince the homeowner to hand over the combination.
The RIS operators understand something that many security professionals forget: the human being on the other end of the screen is always going to be the weakest link. And they're willing to exploit that with patience and sophistication that most cybercriminal groups simply don't possess.
International Context and Prior Documentation
This isn't just an American concern. The RIS campaign against Signal users has been documented by intelligence agencies across multiple allied nations, which speaks to both the sophistication of the operation and the breadth of its targeting.
Dutch intelligence — specifically AIVD and MIVD — issued warnings about this campaign earlier this year. Germany's BfV (Federal Office for the Protection of the Constitution) and BSI (Federal Office for Information Security) followed with similar advisories. France's ANSSI (Agence nationale de la sécurité des systèmes d'information) also weighed in.
The coordination between these agencies suggests this is a coordinated Russian effort with global reach, not isolated incidents. The targeting of Ukrainian officials places this squarely in the context of the ongoing conflict, where communications intelligence could provide significant operational advantage.
Google's Threat Intelligence Group documented UNC5792 abusing Signal's linked-device feature as early as 2025, which means the RIS operators have been experimenting with Signal for at least a year before this June update. The evolution from device linking to verification code theft to backup key coercion represents a methodical improvement cycle — they tested each approach, measured effectiveness, and moved to the next when the previous one became less viable.
The fact that the same tradecraft has been observed against WhatsApp and Telegram reinforces this pattern. The RIS operators aren't married to any particular platform. They're following the intelligence value, and they'll exploit whatever communication tool their targets use.
This international documentation also provides some comfort: allied nations are sharing threat intelligence about this campaign, which should improve detection and response capabilities over time. But it also means the targeting is likely to persist as long as the geopolitical conditions that drive it remain in place.
What You Can Actually Do About It
Let's cut through the noise and talk about practical mitigation. The FBI's advisory includes specific guidance, and it boils down to a few non-negotiable rules.
First: treat any in-app message from "Signal support" as hostile. Period. Real support teams don't contact users inside the app. They communicate through official company email addresses, and they never request verification codes or recovery keys within the application. If you get a message claiming to be from Signal support, delete it and report it.
Second: never paste your Backup Recovery Key, verification code, or PIN into a chat. Ever. Signal itself warns you about this in the backup setup flow, and for good reason. Anyone asking for these credentials is not Signal support.
Third: regularly check your Linked Devices in Settings and remove anything you don't recognize. This was the original attack vector before the shift to backup keys, and it's still relevant. If you see a device you don't know about, remove it immediately.
Fourth: if you think you've handed over your Recovery Key, generate a new one immediately through Signal's backup settings. This will invalidate the old key for future downloads, but understand that it won't undo what the attacker already has. Assume any backup made before you generated the new key is compromised.
Finally: report incidents. The FBI wants you to file complaints through the Internet Crime Complaint Center (IC3), your local FBI field office, or CISA. This isn't just about helping yourself — it's about building the intelligence picture that helps defenders track and disrupt these actors.
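The two-message trap described above and the first two rules here ("Signal support" never contacts you in-app, and no key or code ever goes into a chat) can be turned into a simple screen that a help desk or awareness team runs over chat text users report. The following is an added example written for this article; it is not Signal's code and not an official API. The regexes are built from the lure wording quoted above, and the scoring weights, threshold, sender ids and sample messages are constructed assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Added example, not Signal's own code or any official API: a heuristic screen
# that a help desk or awareness team could run over chat text users report.
# The regexes are constructed from the lure wording quoted in the article; the
# weights and threshold are assumptions to tune against a real reported-phish corpus.
SUPPORT_CLAIM = re.compile(r"\b(signal\s+support|support\s+team|official\s+(signal\s+)?notification)\b")
CREDENTIAL = re.compile(r"\b(backup\s+)?recovery\s+key\b|\bverification\s+code\b|\b(account\s+)?pin\b")
HANDOVER = re.compile(r"\b(paste|send|reply\s+with|enter)\b.*\b(chat|here|message|below)\b")
PRESSURE = re.compile(r"\b(mandatory|permanent(ly)?\s+(loss|lost)|sync\s+issue|at\s+risk|immediately)\b")
SETUP_STEPS = re.compile(r"\b(settings|backups?)\b.*\b(enable|copy)\b")


def _norm(text: str) -> str:
    """Lower-case and collapse whitespace so multi-line lures match single-line patterns."""
    return " ".join(text.lower().split())


@dataclass(frozen=True)
class Verdict:
    score: int
    reasons: tuple[str, ...]

    @property
    def suspicious(self) -> bool:
        return self.score >= 3  # assumed threshold


def score_message(text: str) -> Verdict:
    """Score a single chat message for credential-phishing indicators (higher = worse)."""
    t = _norm(text)
    checks = [
        (SUPPORT_CLAIM, 1, "sender claims to be Signal support"),
        (CREDENTIAL, 1, "mentions a recovery key, verification code or PIN"),
        (HANDOVER, 2, "asks for something to be pasted or sent into the chat"),
        (PRESSURE, 1, "uses urgency or 'mandatory' framing"),
    ]
    score, reasons = 0, []
    for pattern, weight, why in checks:
        if pattern.search(t):
            score += weight
            reasons.append(why)
    # The decisive combination: a claimed support identity asking for a credential
    # to be handed over in-app. Real support never does this, so weight it extra.
    if SUPPORT_CLAIM.search(t) and CREDENTIAL.search(t) and HANDOVER.search(t):
        score += 2
        reasons.append("support impersonation combined with a credential handover request")
    return Verdict(score, tuple(reasons))


def detect_two_message_trap(messages: list[tuple[str, str]]) -> list[str]:
    """Return senders who first walk the user through backup/key setup and later
    ask for that key. `messages` is (sender, text) pairs in chronological order."""
    primed: set[str] = set()
    flagged: list[str] = []
    for sender, text in messages:
        t = _norm(text)
        if SUPPORT_CLAIM.search(t) and SETUP_STEPS.search(t) and CREDENTIAL.search(t):
            primed.add(sender)  # message 1: "enable backups and copy your key"
        elif sender in primed and CREDENTIAL.search(t) and HANDOVER.search(t):
            if sender not in flagged:
                flagged.append(sender)  # message 2: "paste the key into this chat"
    return flagged


# Constructed sample conversation mirroring the lure described in the article;
# the sender id is a placeholder, not a real number.
SAMPLE_CHAT = [
    ("+1-555-0100", "Signal Support: following attacks by hackers, two-factor verification "
                    "is now mandatory. Go to Settings > Backups, enable backups and copy "
                    "your Backup Recovery Key."),
    ("alice", "Thanks, I just set up backups."),
    ("+1-555-0100", "Signal Support: a sync issue puts your data at risk of permanent loss. "
                    "Paste your recovery key into this chat to prevent data loss."),
    ("bob", "Can you send me the pin for the meeting room door?"),
]

if __name__ == "__main__":
    for sender, text in SAMPLE_CHAT:
        v = score_message(text)
        print(f"{sender:>12} score={v.score} suspicious={v.suspicious} {'; '.join(v.reasons)}")
    print("two-message trap from:", detect_two_message_trap(SAMPLE_CHAT))
```

Two design points are worth noting. A single message that merely mentions a PIN (the "meeting room door" line) scores low, because the screen only escalates when a support claim, a credential and a handover request appear together; that keeps ordinary chatter out of the review queue. The conversation-level check is the more useful one, since it catches the sequencing the advisory describes: a sender who first coaches the victim into generating the key and only later asks for it. It operates only on text a user has already exported or reported, not on live traffic, so it does not touch Signal's encryption at all.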
For more context on how nation-state actors exploit messaging platforms, see our article on <a href="/articles/evolution-of-gamaredon-s-spear-phishing-operations-against-ukraine-in-2025">Russia's Gamaredon APT and its spear-phishing pipeline</a>. For a broader look at how AI is reshaping cyber defense, read <a href="/articles/anthropic-claude-fable-5-public-release-guardrails">Anthropic’s Claude Fable 5: Guardrails for National Security</a>.