The Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory warning about a phishing campaign targeting Signal users tied to Russian intelligence services. The campaign has evolved to steal Signal Backup Recovery Keys, allowing attackers to access victims' historical messages.

What Happened

The FBI and CISA warned in March 2026 that a Russian Intelligence Services (RIS) phishing campaign was targeting "high intelligence value" individuals using commercial messaging apps, particularly Signal. The attacks successfully compromised thousands of individual Signal accounts linked to former U.S. government officials, military personnel, political figures, and journalists. The joint FBI/CISA report stated that the attackers did not break Signal's encryption or hack the app itself but instead used phishing to gain access to individual accounts.

The phishing messages posed as automated Signal support accounts, asking targets to click on links or provide two-factor authentication codes and account PINs. In some cases, attackers exploited Signal's linked device feature by sending malicious links or QR codes that allowed them to connect their own device to a victim's account without taking it over completely.

Background and Context

The campaign is attributed to Russian Intelligence Services (RIS), including officers embedded with Russia's Federal Security Service (FSB) Border Guards and other actors working on behalf of the Russian military. The activity overlaps with earlier warnings from Dutch intelligence agencies AIVD and MIVD, Germany's BfV and BSI, and France's ANSSI. Google's Threat Intelligence Group first documented UNC5792 abusing Signal's linked-device feature in early 2025 and later observed the same tradecraft targeting WhatsApp and Telegram.

The FBI published two sample messages used in the campaign, one disguised as a mandatory two-factor authentication rollout and the other posing as an urgent "data recovery" fix for messages supposedly at risk of being lost. Both are social engineering attacks that exploit trust in a platform's own interface rather than technical vulnerabilities.

Why It Matters to the Industry

The phishing campaign targeting Signal users highlights the importance of cybersecurity measures in the adult industry, where sensitive information and user data are often at risk. The use of end-to-end encryption protects messages in transit but cannot protect users who are persuaded to hand over their backup recovery keys themselves.

Signal's linked device feature, which allows users to connect multiple devices to a single account, has been exploited by attackers to gain access to victim accounts. This vulnerability underscores the need for robust security measures and user education to prevent such attacks.

What Comes Next

The FBI warns that attackers may adjust their approach in the future to target additional messaging platforms or directly install malware on users' devices. Signal has not commented on the specific measures it will take to address this vulnerability, but the company's emphasis on user education and security best practices is a positive step forward.

Key Facts

  • The FBI and CISA have issued a joint advisory warning about a phishing campaign targeting Signal users tied to Russian intelligence services.
  • The campaign has evolved to steal Signal Backup Recovery Keys, allowing attackers to access victims' historical messages.
  • Thousands of individual Signal accounts linked to former U.S. government officials, military personnel, political figures, and journalists have been compromised.
  • The phishing messages posed as automated Signal support accounts, asking targets to click on links or provide two-factor authentication codes and account PINs.
  • The campaign is attributed to Russian Intelligence Services (RIS), including officers embedded with Russia's Federal Security Service (FSB) Border Guards and other actors working on behalf of the Russian military.