Stealing the Key Instead of Breaking the Lock
The FBI and CISA issued an updated public service announcement, tracked as PSA I-062626-PSA, warning that Russian intelligence services have evolved their targeting of Signal. The agencies say operators are no longer chasing the messages themselves. They are after the Signal Backup Recovery Key, the single credential that restores an account's full encrypted history. This is a meaningful shift. Signal's encryption remains intact and uncracked. The attackers simply decided to steal the master key rather than pick the lock, a tactic as old as espionage and far cheaper than any cryptographic assault.
The campaign is attributed to multiple Russian intelligence service groups, including two newly named in this alert, UNC5792 and UNC4221, alongside FSB officers and military operatives. The State Department's Rewards for Justice program is offering 10 million dollars for information on UNC5792, a sum that tells you how high this sits on the national security agenda. An earlier notice indicated the broader effort had already compromised thousands of accounts worldwide, which means this is not a theoretical risk being flagged out of caution.
The Social Engineering Playbook
The mechanics are disarmingly simple. Attackers pose as Signal support through in-app messaging, then manufacture urgency: a mandatory security update, an account at risk, a recovery process that must be completed now. The target is walked into Settings, told to retrieve their Backup Recovery Key, and asked to paste it into the chat. There is no malware, no exploit, no suspicious link to a fake login page. The victim hands over the credential believing they are following an official instruction. It is phishing stripped down to its psychological essentials.
Once the key is captured, the consequences are severe and durable. Attackers can restore the account's backups, read private and group histories, and take over the account. The alert notes the key remains functional even if the victim later creates a new account on the same phone number. That persistence is what makes this so dangerous for high-value targets. A single moment of misplaced trust does not just expose past messages; it can hand an adversary a foothold that survives the victim's attempts to recover.
Who Is in the Crosshairs
The target profile is precise. The agencies cite current and former United States and international government officials, military personnel, political figures, journalists, and Ukrainian officials. These are people whose Signal threads contain genuinely sensitive material, which is exactly why they chose Signal in the first place. The irony is sharp: the population most disciplined about using encrypted messaging is the population now being hunted through the recovery feature that encryption depends on.
We would extend that target list to the private sector. Executives at defense contractors, critical infrastructure operators, law firms handling sensitive matters, and any company with geopolitical exposure should assume they are within scope. State-aligned actors do not confine themselves to government inboxes when corporate ones hold deal terms, board deliberations, and source relationships. The same playbook that works against a diplomat works against a chief executive who treats Signal as a private back channel.
Why This Defeats Your Encryption Investment
There is a strategic point here that boards should absorb. Organizations spend heavily on encryption, secure messaging, and zero-trust architecture, and then a campaign like this routes around all of it by exploiting the recovery path. Cryptography is rarely the weak link. The weak link is the human workflow built around it: the backup, the reset, the support interaction. Attackers have learned that the cheapest way through strong encryption is to convince the keyholder to hand over the key, and they are industrializing that insight.
This is why we keep arguing that identity and recovery flows deserve the same rigor as the cryptography they protect. A backup key that can be read aloud, copied, and pasted is a backup key that can be social-engineered out of a distracted target. The convenience that lets a user recover their own history is the same convenience an adversary exploits. Security leaders should map every recovery mechanism in their communication stack and ask a blunt question: what happens if an employee is talked into surrendering this?
Practical Defenses for High Risk Users
For individuals in the target profile, the guidance is concrete. Treat any in-app message claiming to be Signal support as hostile, because legitimate support does not operate that way. Never retrieve or share a Backup Recovery Key in response to an unsolicited prompt. Where the threat model warrants it, consider whether maintaining a recoverable backup is worth the exposure at all, since the most secure key is the one that does not exist to be stolen. Enable every available account protection, and verify device linkage regularly to catch unauthorized restores.
For organizations, this belongs in security awareness training immediately, framed not as a generic phishing reminder but as a specific, named, well-funded campaign. We would brief executive assistants and communications staff as well, since they often manage messaging on behalf of principals. The defining feature of this threat is that it requires no technical sophistication from the victim's side to fall for and none from the attacker's side to execute. That asymmetry makes awareness the primary control, and awareness only works if people know exactly what the trap looks like.
A Trend, Not an Incident
We see this alert as part of a broader migration in espionage tradecraft toward recovery and identity abuse. As endpoints harden and encryption becomes default, the productive attack surface moves to the seams: account recovery, device linking, backup restoration, and the support interactions that govern them. Signal is in the headlines today, but the same logic applies to encrypted backups, authenticator recovery codes, and any system where a portable credential can reconstruct access. The feature set that empowers legitimate users is the feature set adversaries probe.
The 10 million dollar bounty and the joint FBI and CISA framing should remove any doubt that this is a sustained operation rather than an opportunistic one. For CISOs, the takeaway is to stop thinking of encrypted messaging as a solved problem and start treating its recovery surface as an active battleground. The organizations that get ahead of this will audit their recovery flows now, while the rest will wait until a compromised thread shows up somewhere it never should have, with a key that was handed over rather than cracked.