Russian Hackers Bypass Signal and WhatsApp Encryption by Targeting Backup Keys
Russian military-linked hackers are intensifying phishing campaigns against Signal and WhatsApp users, not by breaking encryption, but by convincing targets to hand over account recovery details that can unlock private messages and group chats.
A new alert from the FBI and the U.S. Cybersecurity and Infrastructure Security Agency warns that Russian intelligence services are posing as automated support bots for commercial messaging apps. The campaigns are aimed at high-value targets across the United States, Ukraine, Europe and Australia, including government officials, diplomats, military personnel, defense advisers, journalists, researchers and organizations supporting Ukraine.
The attacks do not exploit vulnerabilities in Signal, WhatsApp or their encryption protocols. Instead, they rely on social engineering. Hackers impersonate support accounts, send fake recovery prompts or manipulate group invite pages to trick users into sharing verification codes, PINs or backup recovery keys. Once attackers obtain those details, they can seize control of the victim’s messaging account and potentially access historical private messages, group conversations and contact lists.
The latest warnings show how state-backed hackers are adapting as end-to-end encryption blocks traditional surveillance paths. Rather than trying to defeat cryptography, Russian operators are targeting the recovery systems and human workflows surrounding secure messaging apps.
“Backups have always been an attractive set of targets as they typically don't have nearly as much security around them as the actual primary files. Plus, if you can get into the general backup server, you can steal the entire company's files! And now, Signal is happy to save your backups for you! You just have to use your Signal Secure backup key, and those lovely Russian hackers will save it for you!! They kindly put a phishing scheme together to collect those keys, and then they can make sure they're reading your messages for you! Isn't that nice of them?” said Joshua Marpet, Sr. Product Security Consultant at Finite State.
“Be careful where you click! From fake scheduling reminders to renew your Norton 365, to Signal Backup keys being phished, social engineering is alive and well.”
The warning updates earlier March guidance from U.S. agencies and allied intelligence services, which described the campaigns as “unsophisticated, yet effective.” Dutch intelligence agencies previously warned that Russian actors frequently impersonate Signal support chatbots to lure targets into giving up account access codes. Other methods abuse the “linked devices” feature in Signal and WhatsApp, allowing attackers to connect their own device to a victim’s account.
Ukraine’s Security Service, the SBU, said the broader objective is to collect sensitive military, political and economic intelligence, as well as personal data. In some cases, phishing messages arrive by SMS and appear to come from support teams. Ukrainian officials warned that attackers may time messages for the morning, when targets are less alert.
The U.S. Department of State has tied the activity to Russian-linked groups including UNC5792, associated with the FSB Border Guards, and UNC4221, linked to Russian military services. Through its Rewards for Justice program, the State Department is offering up to $10 million for information that helps identify or locate people working with those groups.
Jacob Krell, Senior Director of Secure AI Solutions and Cybersecurity at Suzu Labs, said the campaign shows that even elite operators often choose the cheapest path into hardened targets.
“Russian intelligence has zero-day budgets and custom implant toolchains. For this Signal campaign, they sent a chat message asking targets to paste a 64-character string. Social engineering beat every technical tool in their inventory on cost per compromised account. That cost advantage has held since before digital systems existed.
“Each security upgrade the industry ships concentrates more attacker effort on the human-operated recovery path. E2E encryption took them off the wire. MFA eliminated stolen passwords as a viable entry point. Signal's backup key hands attackers a single credential that unlocks full message history and survives the victim creating a new account.
“The key binds to the phone number, not the account instance.
“Signal shipped cloud backups in 2025. Using the recovery key restores the full account on a new device with no notification to the original owner.
“One successful phish becomes persistent surveillance. UNC5792 and UNC4221 deployed this against government officials, military personnel, and journalists in Ukraine. State-level operators choosing phishing over technical exploitation tells you which vector delivers better ROI against hardened targets.”
The FBI and CISA warned that if a victim shares a backup recovery key, that key may remain valid even after the user creates a new account with the same phone number. To cut off future access, users must generate a new backup recovery key inside app settings. That step will invalidate the old key, although it does not undo any data already downloaded by attackers.
Signal has also warned users that its support team will never send message requests or ask for registration codes, Signal PINs or recovery keys.
Security agencies are urging users to regularly review all linked devices and active account sessions, remove anything unfamiliar, enable two-factor authentication and never share verification codes, PINs or recovery keys. They also warn users not to trust suspicious links, even when they appear to come from known contacts, because compromised accounts are often reused to target the next victim.
The campaign is a reminder that secure messaging is only as strong as the account recovery process around it. Russian operators did not need to crack Signal or WhatsApp encryption. They simply found a way to make users open the door.