
Signal's recovery key never expires, and Russian intelligence is now phishing for it

Russian intelligence is phishing Signal users for the Backup Recovery Key, a secret that decrypts a whole message history and that no reset or new account can


The most powerful secret in your Signal app is not your PIN, and it does not expire. It is the Backup Recovery Key, a single string that unlocks your entire stored message history, and Russian intelligence operators have started walking high-value targets into handing it over. The cryptography is untouched. The attack simply moved to the one credential Signal has no way to reset on your behalf.

In a June update to a March 2026 advisory, the FBI and CISA warned that two Russian state hacking clusters, tracked as UNC5792 and UNC4221, have added recovery-key theft to a long-running phishing operation against Signal users. The agencies tie both groups to Russian Intelligence Services, including FSB personnel and operators working for the military. The June notice is the first time those two tracking names appear in the public warning, and the recovery-key step is the new move.

What makes this worth your attention is not the actor. It is what the target is asked to give up, and why getting it back is close to impossible.

Three waves, each one harder to walk back

This campaign has changed its method twice, and the direction of travel is the real story. Each wave has reached for a credential that lives longer and leaves less trace than the one before it.

Source: FBI and CISA advisory updates, March and June 2026.

The first wave, documented by Google's threat researchers in early 2025, used doctored group-invite links to quietly attach an attacker's own device to a victim's account. That yields a live feed of incoming messages, but a careful user can spot the rogue device under Linked Devices and cut it off. The second wave, the focus of the March advisory, went after one-time verification codes and account PINs. Those let an attacker seize the account, but a code is dead within minutes and a hijacked account can be re-secured. Signal's track record on the cryptography itself is strong; every one of these moves goes around it, not through it.

Why the recovery key is the worst thing to lose

Signal's Secure Backups feature keeps an encrypted copy of your messages and media on Signal's servers. The recovery key is the only thing that decrypts that copy, and by design Signal never holds it. There is no forgot-my-key path and no support agent who can roll it back. That property is exactly what makes the feature trustworthy, and exactly what makes a leaked key a disaster.

Three consequences follow that no password reset hands an attacker:

  • No expiry. A verification code is useless in five minutes. A recovery key is a long-lived secret with no clock on it. Once copied, it works until you actively replace it.
  • No restore you can see. An attacker loads your backup onto their own phone. There is no session entry, no fresh linked device, nothing inside your app that signals someone just read your history. Prevention is the only control, because after-the-fact detection has nothing to read.
  • Rotation does not recall a copied backup. Generating a fresh key protects future backups, not the snapshot already taken. Per the agencies, an old key can even be used against a brand-new account created on the same phone number. Burning the account, the usual containment reflex, does not contain this one.

If that last point sounds familiar, it is the same trap we flagged when a Fortinet password reset failed to evict an attacker who already held a live session: rotating a credential only helps while the attacker still needs it live. A copied backup needs nothing live. And a recovery secret you cannot reset is only ever as safe as the care taken with how it is stored and shared.

This is not a Signal vulnerability, and that shapes how you defend it

There is nothing to patch here. Signal's end-to-end encryption held, and no flaw in the app was used. The operators impersonated Signal support inside the app itself, invented an urgent pretext (a mandatory security check supposedly prompted by other hackers, or a sync error about to erase the user's messages), and coached the target through enabling backups and pasting the key into the chat. Real support never does any of that, which is the whole tell.

That changes the defender's job. For most exploitation stories the answer is a version number. Here the answer is a policy for a specific set of people: anyone whose phone is itself an intelligence target. The advisory names the targets plainly: journalists, politicians, serving and former officials across government and the military, and people connected to Ukraine. If you run security for an organization with staff in any of those groups, treat Signal hardening as part of their onboarding, not an afterthought.

Give your high-risk people one rule before an operator does

The single rule that defeats this entire campaign: your Backup Recovery Key, your PIN, and your verification codes never get typed into a conversation, with anyone, for any reason. Build the brief around that, then add the mechanics:

  • Tell high-risk staff today, in plain terms. A message from Signal support that arrives inside Signal is hostile by definition. Genuine support uses official email and never asks for a code, a PIN, or a key.
  • Make a Linked Devices check routine. Have targeted users open Settings, review their linked devices, and remove anything they do not recognize. This still catches the older device-linking method, which remains in play.
  • Treat enabling Secure Backups as a sensitive step. The recovery key it produces is a long-term secret. It belongs in a password manager, never in a chat, an email, or a screenshot.
  • If a key was already shared, assume the history is gone. Generate a new key at once, and treat every backup made before that moment as readable by someone else. There is no clean rollback, so the response is containment plus a candid heads-up to everyone in those conversations.

The uncomfortable takeaway is that telling high-risk staff to use Signal stopped being complete advice. The encryption does its job. The new soft spot is a person who can be talked into surrendering the one key that has no undo, and a patient intelligence service is precisely the adversary willing to put in the work to make that call.

| Wave | What the target hands over | What the attacker gains | How reversible |
| --- | --- | --- | --- |
| Early 2025 | Clicks a rigged group-invite link | A linked device mirroring new messages | Find and remove the device under Linked Devices |
| Through March 2026 | A one-time code or account PIN | Account takeover | Code dies in minutes; re-secure the account |
| June 2026 | The Backup Recovery Key | The full stored message history, plus the account | Almost none; the key has no expiry and old backups stay readable |

Frequently asked questions

What is a Signal Backup Recovery Key?

It is the encryption key generated when you turn on Signal's Secure Backups feature.

It is the only thing that decrypts the message and media backup Signal stores on its servers. Signal never holds a copy, so anyone with the key can restore your history on their own device.

Does this attack break Signal's encryption?

No. Signal's end-to-end encryption is untouched and no flaw in the app is used.

The operators pose as Signal support inside the app and trick the target into pasting the recovery key into a chat. It is social engineering of one account, not a cryptographic break.

If I gave away my recovery key, does making a new account fix it?

No. Generating a new key protects future backups, not the copy already taken.

According to the FBI and CISA, an old key can still be used against a new account on the same phone number. Assume any backup made before you rotated is already exposed.

Who is being targeted in this Signal phishing campaign?

People who are intelligence targets by their work, the FBI and CISA say.

That includes journalists, politicians, serving and former government and military officials, and people connected to Ukraine. The wider campaign has already touched thousands of accounts.
