Cybersecurity · June 30, 2026 · 6 min read · By MLXIO Insights Team

$10M Bounty Targets Russian Signal, WhatsApp Hackers


Thesis

High Confidence

The US State Department is offering up to $10 million for information identifying or locating members of Russian-linked groups UNC5792 and UNC4221 accused of targeting Signal and WhatsApp users via phishing-based account takeovers.

Evidence

  • The reward was announced through the State Department’s Rewards for Justice program.
  • The FBI attributes the campaign to UNC5792 and UNC4221, with UNC5792 linked to Russia’s FSB Border Guards and UNC4221 to Russian military intelligence.
  • Targets reportedly include current and former US government officials, military personnel, political figures, and journalists.
  • The attacks rely on tricking users into linking attacker-controlled devices, sharing verification codes, or providing Signal backup recovery keys rather than breaking app encryption.

Uncertainty

  • The article does not specify how many accounts were successfully compromised.
  • The source excerpt confirms the bounty and targeting but provides limited operational detail.
  • Attribution details are reported via US officials and the FBI, not independently verified in the provided text.

What To Watch

  • Whether Rewards for Justice announces arrests, identifications, or sanctions tied to UNC5792 or UNC4221.
  • Further FBI or State Department advisories on phishing tactics targeting encrypted messaging users.
  • Signal or WhatsApp changes to backup, device-linking, or account recovery protections.

Verified Claims

The US State Department announced a reward of up to $10 million for information identifying or locating members of UNC5792 and UNC4221.
📎 The reward was announced by the US State Department and targets two groups tracked as UNC5792 and UNC4221. (High)
The hacking campaign targeted high-value Signal and WhatsApp users, including current and former US government officials, military personnel, political figures, and journalists.
📎 The campaign has focused on high-value users of encrypted messaging apps, including those groups. (High)
US officials associate UNC5792 with the Russian Federal Security Service’s Border Guards and UNC4221 with Russian military intelligence.
📎 US officials say UNC5792 is associated with the Russian Federal Security Service’s Border Guards, while UNC4221 works on behalf of Russian military intelligence. (High)
The reported attacks relied on phishing and account-linking tactics rather than breaking Signal or WhatsApp encryption.
📎 The article states the attacks did not require breaking Signal or WhatsApp encryption and relied on tricking users into handing over account access. (High)
Attackers allegedly instructed Signal users to create backups and share recovery keys so they could access past Signal conversations.
📎 The FBI said attackers instructed targets to create a backup of previous Signal communications and send the recovery key. (High)

Frequently Asked

How much is the US offering for information on the Signal and WhatsApp hackers?

The US State Department is offering up to $10 million for information that can identify or locate members of UNC5792 and UNC4221.

Which hacking groups are named in the Signal and WhatsApp phishing campaign?

The groups are tracked as UNC5792 and UNC4221, which US officials link to Russian state-backed activity.

Did the hackers break Signal or WhatsApp encryption?

No. The article says the attacks did not require breaking encryption; they used phishing to trick users into giving account access, linking devices, or sharing recovery keys.

Who was targeted in the Signal and WhatsApp account takeover campaign?

Targets included high-value users such as current and former US government officials, military personnel, political figures, and journalists.

How did the attackers try to access past Signal messages?

They allegedly told targets to create a Signal backup and share the recovery key, which could allow access to past Signal conversations if provided.

Updated on June 30, 2026

The US is putting up to $10 million on the table for information that can identify or locate members of two Russian-linked hacking groups accused of compromising thousands of Signal and WhatsApp accounts.

The reward, announced by the US State Department, targets two groups tracked as UNC5792 and UNC4221, according to 9to5Mac. The campaign has focused on high-value users of encrypted messaging apps, including “current and former US government officials, military personnel, political figures, and journalists.”

Washington puts a bounty on UNC5792 and UNC4221

The State Department is offering the reward through its Rewards for Justice program, which is seeking information on the identities or locations of people involved in the campaign.

The FBI attributes the activity to UNC5792 and UNC4221. US officials say UNC5792 is associated with the Russian Federal Security Service’s Border Guards, while UNC4221 works on behalf of Russian military intelligence, according to reporting cited by 9to5Mac and Ars Technica.

“Under this reward offer, RFJ is seeking information on UNC5792, a malicious cyber group associated with the Russian Federal Security Service (FSB) Border Guards and UNC4221, a malicious group of cyber actors working on behalf of the Russian military services,” the Rewards for Justice post said, according to Ars Technica.

The FBI began publicly warning about the phishing campaigns in March, when it said attackers were targeting people considered valuable to Russian intelligence services. The reported victim pool includes users whose communications can carry diplomatic, military, political, or journalistic significance.

The key point: the described attacks did not require breaking Signal or WhatsApp encryption. They relied on tricking users into handing over account access.

That distinction matters. Encrypted apps can protect message content in transit, but they cannot protect a user who is persuaded to link an attacker-controlled device, share a verification code, or disclose a backup recovery key.


The attack turns support messages into account takeovers

The phishing messages pose as automated support communications. They ask users to click a link, provide verification codes, or share account passcodes.

If a target complies, the attacker can link a new device to the victim’s account or take over the account entirely, locking the real user out. Once linked, attackers can read new messages sent to the compromised account, according to Ars Technica.

Signal has a protection that prevents newly linked devices from accessing prior conversations. The campaign adapted.

The FBI said attackers have been instructing targets to create a backup of previous Signal communications and send the recovery key used to encrypt backups stored on Signal servers. If the target sends that key, attackers may gain access to past Signal conversations.

One reported message told users to set up a Signal backup and copy the recovery key under the pretext of a security update:

“Recently, attempts to hack users of our messenger with the connection of third-party devices to the account have become more frequent.”

Another message was more direct:

“Action Required: Data Recovery Needed
Your Signal Account data (messages and media) is at risk of permanent loss due to a sync issue.”

The message then instructed users to enable backups, view the recovery key, copy it, and paste it into the chat.

This is the operational center of the campaign. It does not ask users to install an obvious malicious file. It asks them to perform legitimate app actions for illegitimate reasons.

Signal and WhatsApp security is not the same as user immunity

The State Department’s reward lands at a sensitive moment for encrypted messaging. Signal and WhatsApp are default communications tools for many people whose messages are valuable to governments, political actors, and investigators.

That does not make every user a target. The source material specifically describes campaigns aimed at high-value individuals such as US officials, military personnel, political figures, journalists, and allied personnel.

The campaign also shows why account-linking flows are attractive to attackers. A linked device can become a quiet access point if the victim approves the connection. A backup recovery key can be even more damaging because it may expose older Signal messages that linked-device protections would otherwise keep out of reach.

The Rewards for Justice notice said some UNC5792 actors altered legitimate “group invite” pages to redirect users to a malicious URL that linked a UNC5792-controlled device to the victim’s Signal account.

“Although these malicious cyber activities did not exploit any security vulnerability in the platforms’ encryption protections, they have compromised thousands of individual commercial messaging application accounts,” the RFJ post said, according to Ars Technica.

That line is the technical and political hinge of the case. The platforms’ encryption protections were not described as broken. The users’ trust paths were attacked instead.

MLXIO has recently covered WhatsApp from the product side, including “3B Users Are Racing for WhatsApp Usernames — Claim Yours” and “32-Person Group Calls Hit WhatsApp Web Before Rollout.” This case is different: it is not about features, scale, or rollout timing. It is about how attackers exploit familiar app workflows to get users to authorize their own compromise.


The next move depends on tips, attribution, and user discipline

The reward offer narrows the immediate ask: information that helps identify or locate members of UNC5792 or UNC4221. The source material does not specify every form of evidence that may qualify beyond that.

Possible next steps now sit with US investigators and anyone able to provide usable information. The public record to watch is whether the reward leads to named individuals, further public attribution, or enforcement action tied to the two groups.

For users, the FBI’s guidance is blunt.

  • Verification codes: Legitimate commercial messaging app support services will not request verification codes inside the application.
  • Restore links: Support services do not send links asking users to “verify” or “restore” accounts.
  • Recovery keys: Users should not provide a verification code or backup recovery key without confirming the request through a legitimate communication channel.
  • Compromised keys: If a Signal backup recovery key has already been shared, the FBI says the user must generate a new Backup Recovery Key in Settings to invalidate the previous key for future backup downloads. That does not stop an attacker from having already downloaded a backup.

The practical prescription is simple and unforgiving: treat in-app “support” messages asking for codes, passcodes, linked-device approval, or backup keys as hostile until proven otherwise.
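The guidance above can be turned into a first-pass triage rule for in-app messages. The sketch below is an added example, not code from the article, the FBI, Signal or WhatsApp; the regexes, the `triage` function and the sample messages are assumptions constructed for illustration.

```python
import re

# Categories follow the FBI guidance points listed above; the regexes are
# assumptions written for this example, not indicators published by the FBI.
SECRETS = {
    "verification_code": re.compile(r"\b(?:verification|security|sms)\s+code\b|\bpasscode\b", re.I),
    "recovery_key": re.compile(r"\brecovery\s+key\b", re.I),
}
RESTORE_LINK = re.compile(r"\b(?:verify|restore|recover)\b[^.\n]{0,60}https?://", re.I)
DEVICE_LINK = re.compile(r"\bscan\b[^.\n]{0,40}\bQR\b|\blink\b[^.\n]{0,40}\bdevice\b", re.I)
# Verbs that turn a mention of a secret into a request to disclose it.
ASK = re.compile(r"\b(?:send|share|paste|provide|enter|reply with|copy)\b", re.I)
# Support-style pretext wording, as in the lures quoted in the article.
PRETEXT = re.compile(r"action required|at risk|permanent loss|security update|sync issue|support", re.I)


def triage(message: str) -> tuple[str, list[str]]:
    """Return ("hostile" | "ok", reasons) for one in-app message."""
    reasons = []
    asks = bool(ASK.search(message))
    for name, pattern in SECRETS.items():
        # A secret only counts when the message also asks for it to be disclosed.
        if pattern.search(message) and asks:
            reasons.append(f"asks_for_{name}")
    if RESTORE_LINK.search(message):
        reasons.append("verify_or_restore_link")
    if DEVICE_LINK.search(message) and PRETEXT.search(message):
        reasons.append("device_link_under_pretext")
    return ("hostile" if reasons else "ok"), reasons


# Constructed samples. The first two sentences of SAMPLES[0] are the lure quoted
# in the article; its last sentence paraphrases the instructions described there.
SAMPLES = [
    "Action Required: Data Recovery Needed. Your Signal Account data (messages and media) "
    "is at risk of permanent loss due to a sync issue. Enable backups, view your recovery "
    "key, copy it and paste it into this chat.",
    "Signal Support: reply with the verification code we just sent to your phone.",
    "To restore your account, open https://example.invalid/restore within 24 hours.",
    "Security update: scan this QR code to keep your devices in sync.",
    "I turned on backups last night and stored my recovery key in a password manager.",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(triage(text), "<-", text[:60])
```

The last sample mentions a recovery key without any request to disclose it and is left alone, which is the distinction the guidance draws: the request for the secret is the signal, not the feature itself.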

The broader watch item is whether Washington can turn a public bounty into names and locations. Until then, the campaign’s lesson is already clear: encrypted messaging remains strong only if attackers cannot persuade users to open the door from the inside.

Impact Analysis

  • The $10 million reward signals that the US views encrypted messaging account compromises as a serious national security threat.
  • Targets include government officials, military personnel, political figures, and journalists whose communications may be valuable to foreign intelligence.
  • The case highlights that phishing remains a major risk even for users of secure messaging apps like Signal and WhatsApp.

Russian-linked groups named in the US reward offer

Group | Attributed association | Alleged role
UNC5792 | Russian Federal Security Service Border Guards | Targeting high-value Signal and WhatsApp users
UNC4221 | Russian military intelligence | Targeting high-value Signal and WhatsApp users