Signal recovery key phishing: how messaging account takeover works
The Security Service of Ukraine and the FBI describe a long-running Russian intelligence campaign that breaks into Signal and WhatsApp accounts without touching the cryptography. The attack is pure social engineering: a fake support text that asks for the one secret the protocol cannot revoke. This is a breakdown of the bug class and how to defend or reproduce it in a lab.
The bug class: account recovery as an attack surface
Secure messengers spend enormous effort on end-to-end encryption, then bolt a recovery mechanism onto the side so users who lose a phone do not lose their history. That recovery path is the soft target. The protocol assumes the person holding the verification code or the backup key is the legitimate owner. Phishing breaks that assumption. The class here is account takeover via recovery-flow abuse, and it sits squarely in the human trust boundary rather than the code.
How the fake support text works
The campaign tracked across clusters such as Star Blizzard, UNC5792 (UAC-0195), and UNC4221 (UAC-0185) opens with an SMS that impersonates the app's support team or an official bot. The lures land in the early morning, when targets are least careful, and they create urgency: a session expired, a device needs reauthorization, an account will be locked. The reader is told to confirm a code or follow a link.
The original waves chased the one-time verification code sent during registration. Hand that over and the attacker registers your number on their device. The newer advisories describe an escalation: operators now coax the target into surrendering the Signal Backup Recovery Key. That single string lets them restore the account's backup, read private and group history, and take over the session. Worse, the key keeps working after the fact, so a one-time slip becomes durable access.
The cipher is fine. The system lost because it exposed a recovery secret to a user who could be talked into giving it away, a recurring lesson across messaging, email, and SSO recovery.
QR codes and linked devices
A parallel technique abuses device linking. Signal and WhatsApp let a desktop or second device join an account by scanning a QR code. Attackers render a malicious linking QR inside a phishing page dressed up as a group invite or a security prompt. Scan it and you have quietly linked the attacker's client to your account. No password, no code typed, just a camera pointed at the wrong square. From there the linked device receives messages in real time until it is removed.
Why the targets matter
The reported victims are government officials, military personnel, politicians, and activists across Ukraine, Europe, and the United States, alongside ordinary nationals. The objective is sensitive military, political, and economic information plus personal data. For a defender the takeaway is that the most security-aware users still fall to a well-timed pretext, because the request looks procedural rather than malicious.
Reproducing it safely in a lab
You do not need real victims to study this. Build the scenario against accounts you own, on an isolated test number, and never send lures to anyone who has not consented.
- Stand up a phishing simulation with a tool like GoPhish and a cloned support-prompt page on a throwaway domain.
- Register a test messaging account and walk the legitimate recovery flow yourself, noting every secret the app asks the user to handle: verification code, recovery key, PIN, linking QR.
- Model the takeover on your own account: practice deauthorizing a rogue linked device and observe what message history a fresh device can and cannot pull.
- Measure the human layer, not the crypto. The metric that matters is how often a realistic lure gets a secret typed back.
The point of the exercise is to feel where the protocol hands a revocable-looking decision to a human who treats it as routine.
How to defend
Defense is mostly hygiene plus the recovery controls the apps already ship.
- Never disclose verification codes, PINs, passwords, or recovery keys. No real support team asks for them.
- Enable a registration lock or Signal PIN so a stolen code alone cannot re-register your number.
- Review active sessions and linked devices regularly and remove anything you do not recognize.
- Do not scan QR codes sent by strangers, and treat any unsolicited support message as a lure until proven otherwise.
- For organizations, rehearse this in awareness training: the failure mode is procedural compliance, so train people to pause on any request for a recovery secret.
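As an added illustration of the recovery surface the sections above describe (this is not code from the advisories, from Signal, or from WhatsApp), the simplified model below shows which phished secret unlocks what: a registration lock blunts a stolen SMS code, a scanned linking QR quietly adds a device, and a surrendered backup recovery key keeps working after the rogue device is removed. `Account`, `register`, `link_device` and `restore_backup` are the model's own names, and it assumes that generating a new backup key is what invalidates the old one.

```python
"""Simplified model of a messenger's recovery surface (added example, not
Signal's or WhatsApp's real protocol). Shows which phished secret unlocks what;
assumes only generating a new backup key invalidates a leaked one."""
from dataclasses import dataclass, field
from typing import Optional
import secrets

@dataclass
class Account:
    number: str
    sms_code: str                           # one-time registration code
    registration_pin: Optional[str] = None  # registration lock, if enabled
    recovery_key: str = field(default_factory=lambda: secrets.token_hex(16))
    primary_device: str = "victim-phone"
    linked_devices: set = field(default_factory=set)
    history: list = field(default_factory=lambda: ["hello", "meeting at 9"])

def register(acct, device, code, pin=None):
    """Re-register the number on another device using a (phished) SMS code."""
    if code != acct.sms_code:
        return False
    if acct.registration_pin is not None and pin != acct.registration_pin:
        return False                        # lock on: the code alone fails
    acct.primary_device, acct.linked_devices = device, set()
    return True

def link_device(acct, device):
    """The owner scans a linking QR; the client that rendered it joins."""
    acct.linked_devices.add(device)

def restore_backup(acct, key):
    """Whoever holds the recovery key can pull the backed-up history."""
    return list(acct.history) if key == acct.recovery_key else None

def scenario():
    """Constructed accounts and secrets; returns which attempts succeed."""
    open_acct = Account("+10000000001", sms_code="123456")
    locked = Account("+10000000002", sms_code="123456", registration_pin="7890")
    r = {"code_only_no_lock": register(open_acct, "attacker-phone", "123456"),
         "code_only_with_lock": register(locked, "attacker-phone", "123456"),
         "code_and_pin_with_lock": register(locked, "attacker-phone", "123456", "7890")}
    victim = Account("+10000000003", sms_code="654321")
    phished_key = victim.recovery_key            # typed back to a fake support bot
    link_device(victim, "attacker-desktop")
    victim.linked_devices.discard("attacker-desktop")  # owner removes the rogue device
    r["key_after_unlink"] = restore_backup(victim, phished_key) is not None
    victim.recovery_key = secrets.token_hex(16)  # only a new key ends the access
    r["key_after_rotation"] = restore_backup(victim, phished_key) is not None
    return r
```

Running `scenario()` shows the two outcomes the advisories warn about: without a lock the stolen code alone re-registers the number, and the phished key still restores history after the linked device is gone.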
Sources
- The Hacker News. "Ukraine Says Russian Intelligence Used Fake Support Texts to Steal Messaging Credentials."
- The Hacker News. "FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys."
- Security Affairs. "New FBI Alert: Russian Intelligence Uses Signal Recovery Keys to Access Messages."