FBI and CISA issue joint advisory as Russian threat actor clusters UNC5792 and UNC4221 compromise thousands of encrypted messaging accounts, specifically targeting Backup Recovery Keys that unlock complete, persistent message histories.
Intelligence Lead
Russian intelligence services have escalated a sustained, multi-phase campaign against encrypted messaging applications by pivoting from one-time verification code theft to the systematic harvesting of Signal Backup Recovery Keys — a technique that grants access to a target's full, timestamped message archive and remains valid even after the account is re-registered on a new device. The operation has been formally attributed to two Russian-linked threat actor clusters, UNC5792 and UNC4221, and has resulted in the confirmed compromise of thousands of accounts globally. The United States government has responded by issuing a joint FBI and CISA advisory and offering rewards of up to ten million dollars for information leading to the identification of key operatives.
Situation Report
The Security Service of Ukraine (SSU) and the United States Federal Bureau of Investigation jointly uncovered the operational mechanics of the campaign, which has been running in its current form since at least early 2026. Russian intelligence operators, assessed to be acting under the direction of the GRU and FSB, send phishing messages to targets that masquerade as automated Signal support notifications, warning of alleged security threats to the account. Targets are instructed to click a link and enter verification codes or account PINs to "restore" their account security. None of these secrets is ever legitimately entered anywhere but inside the Signal app itself, which is the simplest check a recipient can apply to such a message. In the most recent phase of the operation, the attackers have specifically shifted focus toward Signal's Secure Backup Recovery Keys, which, once captured, allow an adversary to decrypt and read a target's entire backed-up message history regardless of subsequent account changes.
Named targets include current and former United States government officials, military personnel, senior political figures, and prominent journalists. Reported targets include personnel connected to Iran policy deliberations within the Pentagon and the State Department. The campaign has been confirmed to have compromised accounts across multiple countries in Europe, North America, and Ukraine, with the total confirmed breach count assessed at several thousand.
UNC5792 and UNC4221 are assessed as distinct but operationally coordinated clusters. Their tradecraft has evolved rapidly: earlier iterations of the campaign focused on linking targets' accounts to attacker-controlled devices via Signal's multi-device function; the Backup Key phase represents a doctrinal shift toward data persistence over real-time access, suggesting the operation's objectives have expanded from tactical surveillance to strategic intelligence collection and long-term archival.
Background & Context
Signal has long been the application of choice for high-risk communicators, including journalists, activists, diplomatic staff, and government officials, precisely because of its end-to-end encryption architecture. The Backup Recovery Key feature, introduced to allow users to migrate accounts between devices without losing message history, was not designed as a vulnerability; it is, by design, a high-privilege credential: whoever holds the key can decrypt the stored backup archive, no device access required. Its capture by a foreign intelligence service therefore negates the protection of end-to-end encryption for every message that has been backed up under that key, and the security model is moot for the affected account's history even though transport encryption itself is untouched.
Russia's targeting of encrypted messaging infrastructure is not new. From 2024 onward, GRU-linked units were documented attempting to exploit Signal's linked-device mechanism, and Google Threat Intelligence Group published early indicators of that activity. What has changed in 2026 is the operational scale, the specific targeting of Backup Keys rather than ephemeral codes, and the formal joint advisory from the FBI and CISA, a step that signals the threat has crossed an assessed threshold of severity and breadth. The US government's decision to offer a ten million dollar reward further indicates high confidence in the attribution and a determination to impose costs on the operators involved.
Analysis & Assessment
The operational pivot to Backup Recovery Keys is analytically significant for two reasons. First, it reflects a deliberate intelligence collection strategy oriented toward historical reconstruction, the ability to read months or years of prior communications, rather than merely monitoring current conversations. This suggests Russian intelligence is less interested in real-time tactical intercepts and more focused on building comprehensive profiles of decision-makers involved in Iran policy, NATO posture, and Ukraine support. Second, the persistence of a captured Backup Key across device changes means that an affected official who simply replaces their phone or reinstalls Signal remains compromised. Remediation is materially harder than in the linked-device phase: there, unlinking the rogue device ended the access; here the recovery key must be regenerated, and any history already backed up under the old key must be treated as exposed, because an archive the adversary has already retrieved stays readable with the captured key no matter what the victim does afterward.
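The remediation point above, as an added illustration that is not Signal's code and not tooling from the campaign: it assumes a simplified model in which both the encryption key and the integrity key of a backup archive are derived from the recovery key alone, so that the key is account-level state rather than device-level state. The HKDF-SHA256 derivation is RFC 5869; the HMAC-based keystream cipher is a stand-in for the real AEAD so the example runs with only the Python standard library. The sample history is constructed.

```python
"""Why a phished backup recovery key survives a new phone but not a key rotation.

Added example, not Signal's implementation. The assumption being modelled: every
key needed to read an archive is derived from the recovery key alone, so the
key is tied to the account, not to the handset.
"""
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract with an all-zero salt, then expand)."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def backup_keys(recovery_key: bytes) -> tuple:
    """Encryption and MAC keys for the archive; both come from the recovery key only."""
    return (hkdf_sha256(recovery_key, b"toy-backup-enc"),
            hkdf_sha256(recovery_key, b"toy-backup-mac"))


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a stand-in stream cipher (toy, not Signal's AEAD).
    stream = b""
    for i in range((length + 31) // 32):
        stream += hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return stream[:length]


def encrypt_archive(recovery_key: bytes, history: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc, mac = backup_keys(recovery_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(history, _keystream(enc, nonce, len(history))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_archive(recovery_key: bytes, blob: bytes):
    """Return the history, or None when the key is wrong (tag check fails)."""
    enc, mac = backup_keys(recovery_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


class Account:
    """Account state: a new phone changes the device id, not the recovery key."""

    def __init__(self):
        self.recovery_key = secrets.token_bytes(32)
        self.device_id = secrets.token_hex(4)

    def reregister_on_new_phone(self):
        self.device_id = secrets.token_hex(4)  # same key carried over

    def rotate_recovery_key(self):
        self.recovery_key = secrets.token_bytes(32)  # the only step that helps


def simulate_compromise() -> dict:
    """Walk the victim through phishing, a new phone, and a key rotation."""
    victim = Account()
    history = b"constructed sample history: meeting notes, contact list"
    archive = encrypt_archive(victim.recovery_key, history)
    captured_key = victim.recovery_key  # what the phishing page harvested
    results = {"attacker_reads_archive": decrypt_archive(captured_key, archive) == history}

    victim.reregister_on_new_phone()
    after_phone = encrypt_archive(victim.recovery_key, history + b"\nmessage on new phone")
    results["readable_after_new_phone"] = decrypt_archive(captured_key, after_phone) is not None

    victim.rotate_recovery_key()
    after_rotation = encrypt_archive(victim.recovery_key, history + b"\nmessage after rotation")
    results["readable_after_rotation"] = decrypt_archive(captured_key, after_rotation) is not None
    # The archive already exfiltrated under the old key is unaffected by rotation.
    results["old_archive_still_readable"] = decrypt_archive(captured_key, archive) == history
    return results


if __name__ == "__main__":
    for name, value in simulate_compromise().items():
        print(f"{name}: {value}")
```

The four results map directly onto the remediation argument: the first two are True (replacing the handset changes nothing), the third is False (regenerating the key protects backups made from then on), and the fourth is True (whatever the adversary already pulled down stays readable, so that history has to be treated as disclosed rather than recovered).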
The US government's public attribution and monetary reward signal a posture shift from passive detection to active deterrence. Combined with the Israel counterintelligence elevation announced earlier this month, the US Intelligence Community is demonstrating an unusual willingness in mid-2026 to surface adversarial collection activities against American personnel — potentially as a strategic communications move as much as an operational warning.
The practical implication for allied governments is clear: consumer-grade encrypted messaging, regardless of encryption strength, is not a substitute for purpose-built secure communications infrastructure when the threat actor has the resources and patience of a state intelligence service.