FBI says Russian spies now trick Signal users into handing over their backup recovery key


TL;DR

FBI warns Russian hackers are phishing Signal users for backup recovery keys, giving persistent access to message history.

The FBI and CISA have warned that Russian intelligence hackers are now targeting Signal users’ backup recovery keys, an escalation of a phishing campaign that has already compromised thousands of accounts worldwide. The updated advisory, published Thursday, says that handing over the key once gives attackers the ability to restore an account’s backup, read its entire private and group message history, and take over the account.

The key keeps working even after the victim changes phones. If a target creates a new account on the same phone number, the old recovery key can still be used to access future backups, the advisory warns. The only fix is to generate a new key in Signal’s settings, which invalidates the old one for future downloads but cannot recover anything the attacker has already pulled.

The advisory, designated PSA I-062626-PSA, adds two public tracking names the FBI’s March notice did not include: UNC5792 and UNC4221. The bureau ties the activity to multiple Russian Intelligence Services groups, including FSB officers embedded with the FSB Border Guards and others working for the Russian military. The campaign targets both Signal and WhatsApp, though the recovery key tactic is specific to Signal.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

The targets are individuals the FBI describes as being of “high intelligence value,” including current and former US and international government officials, military personnel, political figures, journalists, and officials in Ukraine. The March advisory said the broader campaign had already compromised thousands of accounts worldwide.

The phishing messages pose as Signal support. Earlier waves asked for SMS verification codes and account PINs, or used doctored “group invite” links that silently linked an attacker’s device to the victim’s account. The updated version walks targets through turning on Signal backups, opening the recovery key screen, and pasting the key into the chat.

The FBI published two sample messages used in the campaign. One is disguised as a mandatory two-factor authentication rollout, and the other poses as an urgent “data recovery” fix for messages supposedly at risk of being lost. Both are social engineering attacks that exploit trust in a platform’s own interface rather than technical vulnerabilities.

The agencies are clear that none of these techniques break Signal’s encryption or the app itself. The attackers compromise individual accounts through social engineering, then walk in through a legitimate feature. It is a pattern that has become increasingly common across security products, where the weakest link is the person holding the device, not the cryptography protecting the data.

Alongside the advisory, the State Department’s Rewards for Justice programme is offering up to $10 million for information on UNC5792. The activity overlaps with earlier warnings from Dutch intelligence agencies AIVD and MIVD, Germany’s BfV and BSI, and France’s ANSSI. Google’s Threat Intelligence Group first documented UNC5792 abusing Signal’s linked-device feature in early 2025 and later observed the same tradecraft targeting WhatsApp and Telegram.

The campaign is a reminder that end-to-end encryption protects messages in transit but cannot protect users who are persuaded to hand over the keys themselves. Anyone who receives a message inside Signal asking for a recovery key, verification code, or PIN should treat it as hostile, regardless of how convincing the sender appears. Signal does not message users inside the app to request credentials.



Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


YouTube has an AI slop problem, and its crackdown is catching legitimate creators in the crossfire. Faceless channels, where no human host ever appears on screen, have existed for years and are not inherently AI-generated.

Many are run by solo creators who simply prefer to stay anonymous. The problem is that AI tools made it easy to flood the platform with low-effort faceless content at scale, and YouTube’s algorithm is now penalizing the format as a whole.

How bad is the AI slop problem on YouTube?

A Kapwing study found that roughly 21% of the first 500 videos recommended to a new YouTube account were classified as AI slop, while 33% fell into a broader brainrot category. The problem extends to children, too, as more than 40% of YouTube Shorts recommended to kids in a 15-minute session contained low-quality AI content.

YouTube’s response has been to tweak its algorithm to favor videos with real human faces on camera, which is hitting faceless creators even when their content is entirely human-made.

How is YouTube tackling its AI slop problem?

YouTube is now testing a new pop-up on mobile that asks viewers to rate whether a video feels like AI slop, on a scale from “not at all” to “extremely.” The idea sounds reasonable, but crowdsourcing AI detection has real problems. People are bad at spotting AI content, and they are getting worse at it as AI capabilities continue to improve.

There are also legitimate concerns that YouTube could use this viewer feedback as training data for its own AI models, potentially making future AI-generated content even harder to spot.

🚨 Did you just see what YouTube did?

YouTube isn’t banning AI slop.. They’re making you label it so they can train their next model to not look like slop.

Read that again…

You flag the bad AI content. YouTube collects it. Google feeds it into Veo 4… Then next year their… https://t.co/8UC2J3mjjv pic.twitter.com/mIrTChqC1b

— Tuki (@TukiFromKL) March 17, 2026

Meanwhile, faceless creators are scrambling to adapt. According to The Hollywood Reporter, some are hiring cheap on-camera hosts through platforms like Fiverr and Upwork. Others are doubling down on niche educational content, which has held up better than broad content farms.

The AI text-to-video space is still valued at enormous sums, with Higgsfield AI alone sitting at $1 billion, but on YouTube, the math for faceless creators is getting harder to work out every month.



Source link