Based on reporting by The Hacker News →
Introduction
A phishing campaign that already targeted Signal users has evolved into a more dangerous variant. If an attacker captures your Backup Recovery Key even once, they can silently restore your entire message history and take over your account with no further user interaction.
The problem
The Hacker News reports that the FBI and CISA have updated their March 2025 advisory on a Russian intelligence phishing operation. Attackers previously sought Signal login credentials via fake invitations and verification pages. Now, according to the joint alert, the operators have added a new step: they trick targets into surrendering their Signal Backup Recovery Key—the 30-character string used to re-register an account on a new device. Once an attacker possesses that key, they can restore the backup, read every private and group message, and effectively seize the account. Worse, the key continues to function even after the victim changes their password.
Consequences
The immediate risk is total compromise of Signal communications. Private direct messages, group chats, shared media, and metadata such as contact lists become visible to the attacker. The victim may not detect the takeover because the attacker can monitor communications in real time without alerting the legitimate user—no new login notification triggers when a backup is restored. For journalists, activists, corporate executives, and anyone handling sensitive information under threat from state actors, this single key is a single point of catastrophic failure. The campaign specifically targets individuals likely to hold high-value intelligence.