FBI Warns of Russian Intelligence Attempts to Compromise Signal Accounts
In a sobering public service announcement (PSA) issued on June 26, the FBI has alerted the public to a rising threat posed by Russian intelligence officers. These operatives are actively engaging in efforts to steal backup recovery keys from Signal accounts belonging to individuals deemed high-risk. This includes a diverse range of targets, notably current and former US and international government officials, military personnel, prominent political figures, journalists, and Ukrainian officials.
The PSA elaborates on the involvement of various clusters of Russian spies, particularly citing the Federal Security Service (FSB) and military hackers. Their strategies have involved sophisticated phishing tactics designed to compromise the security of sensitive communications via commercial messaging applications (CMAs). While the announcement generically refers to CMAs, it notably includes two phishing samples that specifically relate to the Signal app, underscoring the targeted nature of these attacks.
According to the FBI, these Russian Intelligence Services (RIS) cyber-threat actors have advanced their techniques to masquerade as automated support accounts for commercial messaging applications. The aim is to extract crucial information from victims, particularly their Backup Recovery Keys. If a user inadvertently shares such a key, which is designed to allow access to historical messages and account functionalities, the attackers could easily gain full control over the account. This control would grant them access to any ongoing communications, both private and group chats, essentially undermining the primary function of Signal, which is to provide secure messaging.
In its warning, the FBI made it clear that sharing a recovery key carries significant risks. Such keys remain valid indefinitely, even if the user creates a new account using the same phone number, leaving new accounts vulnerable to future attacks. To guard against this risk, the FBI advises users to generate a new backup recovery key through the app’s Settings menu. This action would invalidate the previous key for all future downloads. However, crucially, the FBI warns that this measure does not prevent the attackers from having already downloaded information from the compromised account.
The scale of this hacking campaign was first revealed in March 2026 by Dutch intelligence agencies, including the AIVD and MIVD, which exposed that several of the Netherlands’ government employees had fallen victim to the same tactics targeting Signal and WhatsApp accounts. Victims of this campaign frequently received phishing messages that appeared to originate from a Signal chatbot, soliciting them to share their verification codes or PINs. In some cases, attackers attempted to exploit the app’s linked devices function, a tactic previously observed in campaigns targeting Ukrainian officials.
The FBI has provided a series of reminders for Signal users to enhance their security and vigilance against these threats. Among the key tips outlined are the following:
-
Official Communication: Users should only engage with CMA support services through their official company email addresses. This step is crucial in validating the legitimacy of the communication.
-
Verification Codes: Genuine CMA support services will never request verification codes within the application itself. This serves as a red flag for users receiving such requests.
-
Account Recovery Links: CMA support services do not send unsolicited links to "verify" or "restore" accounts. Users should approach any such communication with skepticism.
- Verification Confirmation: Before providing any verification codes, users must confirm that the request originates from a legitimate CMA communication channel. This step is vital in safeguarding against potential scams.
As the landscape of cyber threats evolves, the FBI’s latest warning serves as a critical reminder for all Signal users, particularly those operating in sensitive environments. By following best practices and remaining vigilant, individuals can significantly reduce their risk of falling prey to these malicious tactics. The onus is now on users to safeguard their information, ensuring secure communication in an increasingly treacherous digital landscape.