The United States is offering rewards of up to $10 million for intelligence that helps identify Russian-linked hackers behind attacks on Signal and WhatsApp accounts belonging to officials and journalists.
This initiative targets individuals associated with the groups UNC5792 and UNC4221, which investigators believe are tied to Russian state interests. These threat actors have focused their efforts on government representatives, military staff, media professionals, and political figures, primarily using phishing campaigns delivered through secure messaging platforms.

Authorities report that these groups have adapted their methods, moving beyond traditional tactics. Instead of simply intercepting login verification codes, they now attempt to deceive victims into revealing their Signal Backup Recovery Keys, which allow access to archived chats and sensitive account information.
According to the U.S. Rewards for Justice program, the bounty applies to information that helps locate or identify anyone acting on behalf of a foreign government and engaging in cyber operations targeting critical U.S. infrastructure in violation of federal law.
Rather than attacking encryption directly, the hackers rely on manipulation techniques. By exploiting built‑in device-linking features in apps like Signal, they trick users into authorizing attacker-controlled devices, effectively granting them account access without needing to break the platform’s security.
Once inside an account, the attackers can read private conversations, review contact lists, monitor group discussions, and even impersonate the victim to spread further phishing messages. In certain cases, they have altered legitimate Signal group invitation pages, redirecting users to malicious destinations.
Officials say these campaigns have already resulted in the compromise of thousands of messaging accounts across a wide range of high-profile targets.
The scope of those targeted spans U.S. government and diplomatic personnel, national security and defense staff, policy advisors, NATO officials, allied intelligence partners, journalists covering geopolitical issues such as Russia and Ukraine, humanitarian organizations supporting Ukraine, and academic researchers focused on security and Russian affairs.
Through this reward program, authorities are seeking detailed intelligence about how these groups operate. This includes identifying the individuals involved, uncovering their connections to Russian intelligence services, mapping their operational infrastructure and tools, and tracing the financial channels, such as bank accounts and cryptocurrency wallets, that sustain their activities.
Separately, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) recently updated an advisory first issued in March 2026. The newer guidance highlights a notable shift in attacker behavior: a pivot from stealing one-time authentication codes to targeting Signal Backup Recovery Keys as a more effective means of accessing sensitive communications.
While earlier warnings attributed these campaigns to groups linked to Russia’s Federal Security Service (FSB), the updated advisory formally identifies them as UNC5792 and UNC4221. Investigators say these groups include FSB-affiliated operators, among them personnel connected to border security units and others supporting Russian military intelligence efforts.
