$10 million is now on the table for tips on Russia-linked hackers targeting Signal and WhatsApp, after U.S. officials said two cyber groups tied to Russian intelligence have compromised messaging accounts used by government officials, journalists and other high-value targets.

US Slaps $10M Bounty on Russian Signal, WhatsApp Hackers
XOOMAR Intelligence
Analyst Take
The reward, offered through the State Department’s Rewards for Justice program, targets UNC5792 and UNC4221, according to The Record. U.S. authorities say UNC5792 is associated with Russia’s Federal Security Service (FSB) Border Guards, while UNC4221 is linked to Russian military intelligence.
$10 million reward targets UNC5792 and UNC4221 in Signal WhatsApp campaign
The U.S. is seeking information leading to the identification or location of members of the two groups. The campaign is aimed at individual Signal and WhatsApp accounts, not at breaking the encryption of the apps themselves.
That distinction matters. The FBI said the attackers are using social engineering to trick targets into handing over verification codes, account PINs and backup recovery keys. Once they get those, they can access private chats, group conversations, message histories and, in some cases, seize accounts.
The targets named in the advisory are the kind of people whose inboxes can carry diplomatic, military or political value: government officials, journalists and other high-profile individuals. Ukraine’s Security Service, the SBU, said last week it worked with the FBI to uncover a long-running Russian cyber-espionage operation targeting government officials, military personnel, politicians and activists in Ukraine, Europe and the United States.
“Although these malicious cyber activities did not exploit any security vulnerability in the platforms’ encryption protections, they have compromised thousands of individual commercial messaging application accounts,” the Rewards for Justice notice said, according to Ars Technica.
The campaign also lands as messaging identity is becoming a higher-stakes security surface. WhatsApp has been tightening controls around usernames, as we covered in Meta Locks Down WhatsApp Usernames as Scammers Circle, and username reservation itself has already become a target for impersonation concerns in Best WhatsApp Username Picks May Vanish Before Launch.
Fake support messages and backup keys are doing the damage
The FBI warning says the Russian intelligence campaign has evolved. Attackers are now increasingly trying to steal backup recovery keys for encrypted messaging apps.
Those keys are especially dangerous because, according to officials, compromised backup recovery keys can remain valid even if a victim creates a new account using the same phone number. That can let attackers regain access later.
The core attack path is simple and effective:
- Impersonation: Attackers pose as official messaging platform support services.
- Credential theft: Targets are pushed to share verification codes, account PINs or recovery keys.
- Device linking: Victims may unknowingly connect attacker-controlled devices to their accounts.
- Account takeover: In some cases, attackers lock victims out or gain access to chats.
- Persistence risk: Stolen backup recovery keys can keep working unless the user generates a new one.
In some cases, the hackers altered legitimate Signal group invitation pages so victims were redirected to malicious links. Those links connected attacker-controlled devices to victims’ accounts.
That tactic is especially corrosive because it abuses trust inside real communication flows. A fake support message can be ignored. A tampered group invite, especially in a professional or political network, has a better chance of getting clicked.
The SBU said one common method involved text messages pretending to be official support notices from messaging platforms. The messages urged users to disclose account credentials, a blunt phishing move wrapped in the language of account recovery or security maintenance.
Encrypted apps held up, but account control became the weak point
The FBI’s message is narrow but uncomfortable: end-to-end encryption is not the same as account safety. If a user is tricked into linking a hostile device or handing over a recovery key, the attacker doesn’t need to crack the platform’s cryptography.
That puts this campaign in a different category from actors hunting for zero-day exploits. It relies on people, timing and trust. The platforms’ encryption may still work as designed, while the target loses control of the account around it.
A short comparison shows the pressure points:
| Attack route | What the campaign appears to exploit | Why it matters |
|---|---|---|
| Verification code theft | Users share codes after fake support prompts | Can allow account access or takeover |
| Backup recovery key theft | Users disclose keys used for encrypted backups | Can expose past communications and create future access risk |
| Malicious group invites | Legitimate-looking Signal invite pages are altered | Can link attacker-controlled devices to victim accounts |
| Support impersonation | Messages mimic platform security notices | Makes phishing look like routine account protection |
For security teams, the takeaway is sharper than “train users better.” High-value users need processes that assume support impersonation will happen and that attackers will use real product features against them.
The FBI said legitimate commercial messaging app support services will not request verification codes inside the application and do not send links to “verify” or “restore” accounts; users should not provide verification codes without confirming that the request came from a legitimate channel.
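The attack path listed above and the FBI’s guidance reduce to a handful of observable indicators: a message that asks for a verification code, PIN or backup/recovery key, a “verify” or “restore” link pointing off the platform’s own hosts, or a device-linking URI arriving in chat. The script below, an added example and not tooling from the FBI, SBU or either platform, scores constructed sample messages against those indicators. The expected invite hosts and the `sgnl://` and `tsdevice:` device-linking schemes are assumptions made for the example.

```python
"""Triage inbound messages that claim to come from a messaging app's support desk.

Added example: checks constructed sample messages against the indicators in the
FBI guidance (requests for verification codes, PINs or backup recovery keys;
"verify"/"restore" links off-platform; device-linking URIs). Not platform code.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Secrets that genuine support never asks for inside the app.
SECRET_REQUEST = re.compile(
    r"\b(?:verification|one[- ]time|sms)\s+code\b"
    r"|\bpin\b"
    r"|\b(?:recovery|backup)\s+key\b",
    re.I,
)
# Sender claiming to be the platform's support or security team.
SUPPORT_CLAIM = re.compile(
    r"\b(?:signal|whatsapp|meta)\s+(?:support|security|help|team|desk)\b", re.I
)
# Account-recovery wording that wraps the phish in "security maintenance" language.
ACTION_WORDS = re.compile(
    r"\b(?:verify|verification|restore|reactivate|re-activate|confirm|unlock)\b", re.I
)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
# Assumption: Signal's device-linking deep links use these schemes; a linking URI
# delivered in a chat is an attempt to attach a device, not a group invite.
LINK_DEVICE_URI = re.compile(r"\b(?:sgnl|tsdevice):/+[^\s]*", re.I)
# Assumption: the only hosts where genuine Signal / WhatsApp invite links live.
EXPECTED_HOSTS = {"signal.group", "signal.me", "chat.whatsapp.com", "wa.me"}


@dataclass
class Triage:
    verdict: str                       # "hostile", "suspicious" or "benign"
    reasons: list[str] = field(default_factory=list)


def triage(message: str) -> Triage:
    """Return a verdict plus the indicators that fired for one message."""
    reasons: list[str] = []
    asks_secret = bool(SECRET_REQUEST.search(message))
    if asks_secret:
        reasons.append("asks for a verification code, PIN or backup/recovery key")
    links_device = bool(LINK_DEVICE_URI.search(message))
    if links_device:
        reasons.append("carries a device-linking URI")
    claims_support = bool(SUPPORT_CLAIM.search(message))
    if claims_support:
        reasons.append("claims to be platform support")
    off_host = [
        u for u in URL_RE.findall(message)
        if (urlparse(u).hostname or "").lower() not in EXPECTED_HOSTS
    ]
    if off_host:
        reasons.append("links outside expected platform hosts: " + ", ".join(off_host))
    recovery_wording = bool(ACTION_WORDS.search(message))

    # Any request for a secret or a linking URI is hostile outright; an off-platform
    # link is hostile once it is dressed as support or account recovery.
    if asks_secret or links_device or (off_host and (claims_support or recovery_wording)):
        return Triage("hostile", reasons)
    if reasons:
        return Triage("suspicious", reasons)
    return Triage("benign", reasons)


# Constructed sample traffic (not real messages) covering each tier.
SAMPLES = {
    "support_code": "Signal Support: unusual login detected. Reply with the 6-digit "
                    "verification code we just sent to keep your account.",
    "backup_key_link": "Your WhatsApp backup is at risk. Restore your account at "
                       "https://whatsapp-restore.example/verify and enter your 64-digit backup key.",
    "tampered_invite": "Here is the group invite: https://signal-invite.example/group/abc "
                       "(it redirects to sgnl://linkdevice?uuid=1&pub_key=2)",
    "policy_notice": "This is WhatsApp Security. Please review the updated terms at "
                     "https://chat.whatsapp.com/terms",
    "real_invite": "Join the planning group on Signal: https://signal.group/#CjQKIGxx",
    "chatter": "Meeting moved to 3pm, see you there.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        result = triage(text)
        print(f"{name:16s} {result.verdict:10s} {'; '.join(result.reasons)}")
```

The host check only catches links that leave the platform’s own domains. The tampered group invite described in this article routes the victim through a legitimate-looking page first, so the indicator that matters there is what the page ultimately asks the client to do: anything that ends in a device-linking prompt, or in a request for a code or key, gets the hostile verdict regardless of where the first link pointed.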
Public naming gives defenders a shared map, but not the hackers’ identities
The names UNC5792 and UNC4221 are tracking labels, not public identities. Still, naming them gives defenders a way to connect similar incidents across agencies, vendors and allied governments.
The RFJ reward also raises the stakes. A public bounty of up to $10 million signals that U.S. officials want information that can point to who is behind the operation or where they are located. The supplied advisory does not say what evidence has already been collected, nor does it identify individual operators.
There are still important blanks. Officials have not publicly named the victims. The source material does not say how many accounts belong to U.S. officials versus journalists, military personnel or allied users. It also does not say whether Signal or WhatsApp will make product changes in response to this campaign.
The next useful signals will be specific. Watch for updated FBI guidance on recovery keys, new platform warnings around device linking, and any further U.S. or allied statements connecting the Signal and WhatsApp campaign to named Russian intelligence units or individual operators. For users in sensitive roles, the practical move is immediate: treat any request for a verification code, PIN or backup recovery key as hostile until proven otherwise.
Impact Analysis
- The campaign targets government officials, journalists and other high-value individuals whose messages may carry diplomatic or military value.
- Officials say the attackers are bypassing encryption by tricking users into surrendering verification codes, PINs and recovery keys.
- The $10 million reward signals that the U.S. views the operation as a serious Russian intelligence-linked cyber threat.
Russia-linked cyber groups named in U.S. reward notice
| Group | Alleged affiliation | Campaign focus |
|---|---|---|
| UNC5792 | Russia’s FSB Border Guards | Targeting Signal and WhatsApp accounts through social engineering |
| UNC4221 | Russian military intelligence | Targeting Signal and WhatsApp accounts through social engineering |
Written by
XOOMAR Insights Team
Research and Editorial Desk
The XOOMAR Insights Team pairs automated research with human editorial judgment. We track hundreds of sources across technology, fintech, trading, SaaS, and cybersecurity, cross-check the facts, and explain what happened, why it matters, and what to watch next. We do not just rewrite headlines. Every article is fact-checked and scored for reliability before it goes live, and we link back to the original sources so you can verify anything yourself.