The FBI and CISA are issuing this update to the , Public Service Announcement I-032026-PSA to provide additional information to the public and encourage device owners to take actions to protect themselves.
The FBI has identified multiple clusters of Russian Intelligence Services (RIS) cyber threat actors responsible for an ongoing commercial messaging application (CMA) phishing campaign against individuals of high intelligence value. Russian Federal Security Service (FSB) officers embedded with the FSB Border Guards and others working on behalf of the Russian military services continue to target current and former U.S. and international government officials, military personnel, political figures, journalists, and key officials located in Ukraine. RIS cyber threat actors have compromised individual CMA accounts, but not the CMA's encryption or the application itself. To date, this activity has been publicly tracked as UNC5792 and UNC4221.
RIS cyber threat actors continue to masquerade as automated CMA support accounts in updated phishing messages but have evolved their tactics to attempt to elicit victims' Backup Recovery Keys. RIS cyber threat actors continue to elicit victims' verification codes and account PINs (see Figure 1). If a targeted user backs up their CMA messages as directed in Figure 1 and later provides their Backup Recovery Key (see Figure 2), RIS cyber threat actors can view the account's historical messages, private and group messages, and take over the victim's account.
If a victim inadvertently shares their Backup Recovery Key, that same key remains valid even if they create a new account following the compromise using the same phone number. Consequently, the actor could potentially use the compromised key to take over the new account in the future as well.
To mitigate this risk, the user must generate a new Backup Recovery Key within the Settings control; this action will invalidate the previous key for all future backup downloads. However, please note that this does not prevent the actor from having already downloaded a backup of the original account.
For additional details on how cyber threat actors gain unauthorized access to CMA accounts and guidance to protect yourself from phishing campaigns, see the March 2026 Public Service Announcement I-032026-PSA.
Report It
If you or someone you know has fallen victim to this phishing campaign, file a complaint with IC3, report it to your local FBI field office, to CISA via the agency's Incident Reporting System or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472). For additional information, see the FBI's guidance on Spoofing and Phishing. Additionally, see CISA's "Spyware Allows Cyber Threat Actors to Target Users of Messaging Applications | CISA," "Phishing Guidance: Stopping the Attack Cycle at Phase One" and "Mobile Communications Best Practice Guidance."
Signal is here
Recently, attempts to hack users of our messenger with the connection of third-party devices to the account have become more frequent.
An investigation conducted jointly with the US government and European partners revealed that the attacks on accounts were carried out by hackers from Iran and post-Soviet countries.
In this regard, Signal updates Terms of Service & Privacy Policy, and introduces Mandatory Two-factor Verification for users.
Not to lose your messages and media, set up your Signal Backup (Settings -> Backups -> Enable backups -> View recovery key -> Copy to clipboard -> Next -> Enter the recovery key -> Next -> Continue -> Choose your backup plan).
Click the "Accept" button in the pop-up and stay tuned for security updates on our messenger.
Stay safe and thank you for using the most secure messenger with end-to-end encryption.
If you have any questions, send /help
Action Required: Data Recovery Needed
Your Signal Account data (messages and media) is at risk of permanent loss due to a sync issue.
To avoid losing your messages and media:
- Go to Settings -> Backups -> Configure -> Enable Backups -> View Recovery Key.
- Copy the recovery key to your clipboard.
- Paste the key into this chat.
This links your existing backup to your account. Failure to do this may result in losing access to your account and all stored data.