The US is putting up to $10 million on the table for information that can identify or locate members of two Russian-linked hacking groups accused of compromising thousands of Signal and WhatsApp accounts.
The reward, announced by the US State Department, targets two groups tracked as UNC5792 and UNC4221, according to 9to5Mac. The campaign has focused on high-value users of encrypted messaging apps, including “current and former US government officials, military personnel, political figures, and journalists.”
Washington puts a bounty on UNC5792 and UNC4221
The State Department is offering the reward through its Rewards for Justice program, which is seeking information on the identities or locations of people involved in the campaign.
The FBI attributes the activity to UNC5792 and UNC4221. US officials say UNC5792 is associated with the Russian Federal Security Service’s Border Guards, while UNC4221 works on behalf of Russian military intelligence, according to reporting cited by 9to5Mac and Ars Technica.
“Under this reward offer, RFJ is seeking information on UNC5792, a malicious cyber group associated with the Russian Federal Security Service (FSB) Border Guards and UNC4221, a malicious group of cyber actors working on behalf of the Russian military services,” the Rewards for Justice post said, according to Ars Technica.
The FBI began publicly warning about the phishing campaigns in March, when it said attackers were targeting people considered valuable to Russian intelligence services. The reported victim pool includes users whose communications can carry diplomatic, military, political, or journalistic significance.
The key point: the described attacks did not require breaking Signal or WhatsApp encryption. They relied on tricking users into handing over account access.
That distinction matters. Encrypted apps can protect message content in transit, but they cannot protect a user who is persuaded to link an attacker-controlled device, share a verification code, or disclose a backup recovery key.
The attack turns support messages into account takeovers
The phishing messages pose as automated support communications. They ask users to click a link, provide verification codes, or share account passcodes.
If a target complies, the attacker can link a new device to the victim’s account or take over the account entirely, locking the real user out. Once linked, attackers can read new messages sent to the compromised account, according to Ars Technica.
Signal has a protection that prevents newly linked devices from accessing prior conversations. The campaign adapted.
The FBI said attackers have been instructing targets to create a backup of previous Signal communications and send the recovery key used to encrypt backups stored on Signal servers. If the target sends that key, attackers may gain access to past Signal conversations.
One reported message told users to set up a Signal backup and copy the recovery key under the pretext of a security update:
“Recently, attempts to hack users of our messenger with the connection of third-party devices to the account have become more frequent.”
Another message was more direct:
“Action Required: Data Recovery Needed
Your Signal Account data (messages and media) is at risk of permanent loss due to a sync issue.”
The message then instructed users to enable backups, view the recovery key, copy it, and paste it into the chat.
This is the operational center of the campaign. It does not ask users to install an obvious malicious file. It asks them to perform legitimate app actions for illegitimate reasons.
Signal and WhatsApp security is not the same as user immunity
The State Department’s reward lands at a sensitive moment for encrypted messaging. Signal and WhatsApp are default communications tools for many people whose messages are valuable to governments, political actors, and investigators.
That does not make every user a target. The source material specifically describes campaigns aimed at high-value individuals such as US officials, military personnel, political figures, journalists, and allied personnel.
The campaign also shows why account-linking flows are attractive to attackers. A linked device can become a quiet access point if the victim approves the connection. A backup recovery key can be even more damaging because it may expose older Signal messages that linked-device protections would otherwise keep out of reach.
The Rewards for Justice notice said some UNC5792 actors altered legitimate “group invite” pages to redirect users to a malicious URL that linked a UNC5792-controlled device to the victim’s Signal account.
“Although these malicious cyber activities did not exploit any security vulnerability in the platforms’ encryption protections, they have compromised thousands of individual commercial messaging application accounts,” the RFJ post said, according to Ars Technica.
That line is the technical and political hinge of the case. The platforms’ encryption protections were not described as broken. The users’ trust paths were attacked instead.
This case is not about features, scale, or rollout timing. It is about how attackers exploit familiar app workflows to get users to authorize their own compromise.
The next move depends on tips, attribution, and user discipline
The reward offer narrows the immediate ask: information that helps identify or locate members of UNC5792 or UNC4221. The source material does not specify every form of evidence that may qualify beyond that.
Possible next steps now sit with US investigators and anyone able to provide usable information. The public record to watch is whether the reward leads to named individuals, further public attribution, or enforcement action tied to the two groups.
For users, the FBI’s guidance is blunt.
- Verification codes: Legitimate commercial messaging app support services will not request verification codes inside the application.
- Restore links: Support services do not send links asking users to “verify” or “restore” accounts.
- Recovery keys: Users should not provide a verification code or backup recovery key without confirming the request through a legitimate communication channel.
- Compromised keys: If a Signal backup recovery key has already been shared, the FBI says the user must generate a new Backup Recovery Key in Settings to invalidate the previous key for future backup downloads. That does not stop an attacker from having already downloaded a backup.
The practical prescription is simple and unforgiving: treat in-app “support” messages asking for codes, passcodes, linked-device approval, or backup keys as hostile until proven otherwise.
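The guidance above, expressed as a triage check over inbound message text. This is an added example, not part of the original article or of any FBI or vendor tooling. The regexes, rule names, and the triage function are assumptions; the first sample joins the lure quoted earlier with a constructed sentence paraphrasing its instructions, and the URL is a placeholder.

```python
import re

# Traits from the guidance above; the patterns are assumptions for this example.
SECRET = re.compile(r"verification code|recovery key|passcode", re.I)
REQUEST = re.compile(r"\b(send|share|paste|copy|provide|enter|reply with)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)
VERIFY = re.compile(r"\b(verify|restore)\b", re.I)
BACKUP = re.compile(r"\b(enable|create|set up)\b[^.]{0,40}\bbackups?\b", re.I)
PRETEXT = re.compile(r"\b(support|our messenger|action required|security update)\b", re.I)

HOSTILE = {"requests_secret", "verify_or_restore_link", "backup_key_exfil"}

def triage(message):
    """Return (verdict, hits) for one message body."""
    hits = []
    # Support never asks for codes, passcodes or recovery keys in-app.
    if SECRET.search(message) and REQUEST.search(message):
        hits.append("requests_secret")
    # Support does not send links to "verify" or "restore" an account.
    if LINK.search(message) and VERIFY.search(message):
        hits.append("verify_or_restore_link")
    # Backup creation paired with a key: the path to older conversations.
    if BACKUP.search(message) and SECRET.search(message):
        hits.append("backup_key_exfil")
    # A support-style pretext alone is only worth a second look.
    if PRETEXT.search(message):
        hits.append("support_pretext")
    if HOSTILE & set(hits):
        return "hostile", hits
    return ("suspicious" if hits else "ok"), hits

SAMPLES = [
    # Quoted lure from the article plus a constructed instruction sentence.
    "Action Required: Data Recovery Needed. Your Signal Account data "
    "(messages and media) is at risk of permanent loss due to a sync issue. "
    "Enable backups, view the recovery key, copy it and paste it into this chat.",
    # Constructed sample; example.invalid is a placeholder domain.
    "Signal Support: verify your account at https://example.invalid/restore",
    # Quoted pretext from the article, with no request attached.
    "Recently, attempts to hack users of our messenger with the connection of "
    "third-party devices to the account have become more frequent.",
    # Constructed benign message.
    "Lunch at noon? I'll send the agenda after.",
]

def classify_samples():
    return [triage(m)[0] for m in SAMPLES]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage(msg), "|", msg[:60])
```

Keyword matching of this kind is a first-pass filter for reported messages; confirming a request through a separate, known-good channel remains the actual control.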
The broader watch item is whether Washington can turn a public bounty into names and locations. Until then, the campaign’s lesson is already clear: encrypted messaging remains strong only if attackers cannot persuade users to open the door from the inside.
Impact Analysis
- The $10 million reward signals that the US views encrypted messaging account compromises as a serious national security threat.
- Targets include government officials, military personnel, political figures, and journalists whose communications may be valuable to foreign intelligence.
- The case highlights that phishing remains a major risk even for users of secure messaging apps like Signal and WhatsApp.