That Signal Support DM Could Be a Russian Spy After Your Chats

A fake two-step verification message is quietly handing your old conversations to state hackers. The trick is simpler than you think, and the U.S. just put $10M on it.

DA

Founder & Lead Technician

June 29, 2026 at 10:14 PM IST

Quick answer

The U.S. State Department is offering up to 10 million dollars for information on UNC5792 and UNC4221, two Russian-linked groups that phish Signal and WhatsApp users by posing as support staff and stealing backup recovery keys to read past messages.

The U.S. just put a 10 million dollar price on two Russian hacker crews

The encryption on your messenger is fine. That is exactly why this attack works.

The U.S. Department of State is offering up to 10 million dollars for information that helps identify or locate members of two hacking groups, UNC5792 and UNC4221, both linked to Russian intelligence and military services. The reward comes through the Rewards for Justice program, which goes after foreign state actors hitting U.S. critical infrastructure.

But the bounty is not the part you should care about most. The method is.

UNC5792 has been running widespread phishing campaigns against Signal and WhatsApp accounts. And the newest twist, flagged by the FBI and CISA just last week, is clever enough that even careful people are falling for it.

How they get into chats without cracking a single line of encryption

Here is the problem. End-to-end encryption protects your messages between your device and the recipient's. Your backup is protected by a different secret, the recovery key, and that key is designed to be the one thing needed to restore the backup onto a new device. Hand it to someone else and the encryption keeps working exactly as designed, only now for them.

That is the whole play.

According to U.S. agencies, the attackers impersonate Signal support agents and send a direct message to the target. The message claims there is a mandatory two-factor verification process the user must complete. It sounds routine. It sounds like security housekeeping.

It is the opposite.

The fake verification step is a ruse to get the victim to reveal their Signal Backup Recovery Key. Once the attacker has that key, they can restore the victim's backup and read previous communications on the platform. No malware. No zero-day. No broken cipher. Just a person tricked into reading out the one secret that unlocks everything.

If anyone contacts you inside Signal or WhatsApp claiming to be support and asks for a verification code, a recovery key, or a backup key, stop. Real support never does this. Treat the request as a live attack on your account.

U.S. authorities were blunt about it: the platforms and their encryption have not been compromised. The attacks are still highly effective. The Rewards for Justice announcement confirms that thousands of individual messaging accounts have been compromised this way.

Who they are hunting, and why you might be on the list

This is not random spam blasted at everyone. It is targeted.

UNC5792 is associated with the Russian Federal Security Service, the FSB, specifically its Border Guards. UNC4221 is described as working on behalf of Russian military services. These are state crews with a mission, not opportunists chasing your bank login.

The reported targets cluster tightly around Russia and Ukraine:

  • U.S. and NATO government, diplomatic, defense, and intelligence officials
  • Military leadership and allied personnel
  • Policy analysts and journalists covering Russia and Ukraine
  • NGOs supporting Ukraine
  • Security and Russian affairs researchers

If you sit anywhere near that world, assume you are a target rather than a bystander. And even if you do not, the technique is the dangerous part. Impersonating support to steal a recovery key is not a Russia-only idea. It is a template, and templates get copied.

Why this style of attack keeps winning

So what does this actually mean for the rest of us?

The hard truth is that the strongest encryption in the world has a soft edge: the human holding the keys. Attackers have figured out that it is far cheaper to socially engineer one person than to break the math protecting a billion messages.

The recovery-key angle is especially nasty because of how it is framed. A backup key feels like a safety feature, something you are supposed to protect and occasionally enter. Wrapping the request in the language of security housekeeping (mandatory, two-factor, verification, account protection) flips your caution into compliance. You think you are securing the account. You are actually surrendering it.

This is the same lesson that keeps repeating across the security world. The lock is rarely the weak point. The person standing next to the lock is.

What to do tonight to lock this down

You do not need to be a diplomat to act on this. Run through the checklist below for your own accounts.

Action | Why it matters
Never share a verification code or backup key | No legitimate support team asks for these. Anyone who does is attacking you.
Verify support only via official email | Real teams use official company email addresses, never in-app DMs.
Distrust unexpected support contact | If you did not open a support request, an inbound support message is a red flag.
Protect your recovery and backup keys offline | Store them somewhere private and never type them in response to a message.
Slow down on urgency | Mandatory and immediate are pressure words. Pressure is the tell.

The single rule that defeats this entire campaign: a real support team will never ask you, inside the app, to provide a verification code, and will never send a link asking you to verify, recover, or restore your account. If a message does either, it is not support. It is the attack.
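That rule is simple enough to write down as a check. The Python below is an added example for this article, not code from Signal, WhatsApp, the FBI, CISA or the source report: it scores an inbound in-app message against the rule (claims to be support, asks for a code or backup/recovery key, sends a verify/recover/restore link, leans on urgency) and runs it over a few constructed lures. The regular expressions, the sample messages and the function names are this example's own assumptions; a real triage pipeline would tune the patterns to what users actually report.

```python
import re
from dataclasses import dataclass, field

# Added example: a message-triage heuristic for the rule in the text.
# Patterns, sample messages and names are this example's own assumptions,
# not Signal's, WhatsApp's or any agency's code.

# Sender claims to be support (real support does not DM you inside the app).
SUPPORT_CLAIM = re.compile(r"\b(?:support|help\s*desk|security\s*team)\b", re.I)

# Asks for the secret itself: a 2FA/verification code or a backup/recovery key.
SECRET_REQUEST = re.compile(
    r"\b(?:verification|2fa|two[- ]?factor|two[- ]?step)\s+(?:code|pin)\b"
    r"|\b(?:backup|recovery)\s+(?:key|code|pin|passphrase)\b",
    re.I,
)

# A link whose host or path says verify/recover/restore.
ACCOUNT_LINK = re.compile(r"https?://\S*(?:verify|recover|restore)\S*", re.I)

# Pressure words: the tell, but not a verdict on their own.
URGENCY = re.compile(
    r"\b(?:mandatory|immediately|urgent|within\s+\d+\s+(?:hours?|minutes?)"
    r"|suspended|deactivated)\b",
    re.I,
)


@dataclass
class Verdict:
    label: str                      # "attack", "suspicious" or "ok"
    reasons: list = field(default_factory=list)


def assess(message: str) -> Verdict:
    """Apply the article's rule to one inbound in-app message."""
    reasons = []
    if SUPPORT_CLAIM.search(message):
        reasons.append("claims to be support inside the app")
    asks_secret = SECRET_REQUEST.search(message) is not None
    if asks_secret:
        reasons.append("asks for a verification code or backup/recovery key")
    has_link = ACCOUNT_LINK.search(message) is not None
    if has_link:
        reasons.append("sends a verify/recover/restore link")
    if URGENCY.search(message):
        reasons.append("uses pressure language")

    # The rule: a request for a code or key, or a verify/recover/restore link,
    # is the attack no matter how routine the rest of the message looks.
    if asks_secret or has_link:
        return Verdict("attack", reasons)
    if reasons:
        return Verdict("suspicious", reasons)
    return Verdict("ok", reasons)


# Constructed sample messages for this example (not real captures).
SAMPLES = [
    "Hello, this is Signal Support. A mandatory two-step verification is "
    "required to keep your account active. Reply with your 64-character "
    "Backup Recovery Key within 24 hours.",
    "Signal Security Team: unusual login detected. Confirm ownership now at "
    "https://signal-verify.example/restore",
    "Hey, still on for 7? I'll bring the keys to the cabin.",
    "Hi, WhatsApp Support here, following up on feedback you sent us.",
]


def triage(messages):
    """Return (label, reasons) for each message, in input order."""
    return [(v.label, v.reasons) for v in map(assess, messages)]


if __name__ == "__main__":
    for msg, (label, reasons) in zip(SAMPLES, triage(SAMPLES)):
        print(f"{label:10} {msg[:50]!r}")
        for reason in reasons:
            print(f"           - {reason}")
```

The first two samples come out as "attack" (one asks for the recovery key outright, the other pushes a restore link), the dinner message as "ok", and the bare "WhatsApp Support here" as "suspicious", which matches the article's advice: an in-app support contact is a red flag on its own, and a request for the key is the attack.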

What happens next (24-72 hours)

Expect the advisory to keep evolving. The FBI and CISA already updated their March 2026 guidance once to add the backup-key theft tactic, and active campaigns tend to mutate quickly once they are exposed, swapping lures and impersonated brands to stay ahead of warnings.

In the short term, watch for copycats. Now that the recovery-key trick is public, expect the same script aimed at more ordinary targets, dressed up as your bank, your email provider, or a different messaging app.

The 10 million dollar bounty signals how seriously Washington is taking this. For you, the takeaway is smaller and more immediate: the next support message that asks for a code or a key is the one to be suspicious of. Treat it that way, and this particular attack has nothing to grab.

Source: BleepingComputer

Frequently asked questions

Did Russian hackers break Signal or WhatsApp encryption?

No. U.S. agencies state the encryption itself was not broken. The attackers trick users into handing over their Signal backup recovery key by impersonating support staff, which grants access to past messages without defeating the encryption.

How do I know if a Signal support message is fake?

Real support teams communicate only through official company email addresses. They never message you inside the app asking for a verification code, and never send links asking you to verify, recover, or restore your account. Any in-app support DM asking for codes or your backup key is a scam.

Who is being targeted in these Signal and WhatsApp attacks?

Reported targets include U.S. and NATO government, diplomatic, defense, and intelligence officials, policy analysts, journalists covering Russia and Ukraine, NGOs supporting Ukraine, and security and Russian affairs researchers. Thousands of individual messaging accounts have been compromised.

Daniel founded Ask Technicians to cut through bad tech advice. He writes hands-on troubleshooting guides drawn from years of real-world repair and support work.