U.S. Offers $10 Million for Russian Signal, WhatsApp Hackers
State Department bounty targets UNC5792 and UNC4221, two Russia-linked groups accused of phishing Signal and WhatsApp accounts of U.S. officials.
The U.S. State Department is offering up to $10 million for information leading to the identification or location of two Russia-linked cyber groups, UNC5792 and UNC4221, accused of phishing Signal and WhatsApp accounts used by U.S. government officials, military leaders, journalists, and allied personnel. The bounty, announced through the State Department’s Rewards for Justice program and published last week alongside an updated FBI and CISA advisory, is the first time the U.S. government has publicly named the two groups, which are tied to a long-running social engineering campaign that has compromised thousands of commercial messaging accounts without ever breaking the apps’ encryption.
The new advisory carries a detail the earlier FBI and CISA warning did not. Russian intelligence phishing has shifted its primary target from SMS verification codes and PINs to the Signal Backup Recovery Key itself, the long passcode that unlocks a user’s entire backed-up message history. Once a target hands that key over, the attacker can restore the backup on a device they control and read conversations the user assumed were sealed.
U.S. Puts $10 Million Bounty on Two Russia-Linked Hacker Groups
The offer, published through the State Department’s Rewards for Justice portal, targets what U.S. officials describe as malicious cyber actors tied to Russian intelligence. The FBI’s Cyber Division publicly confirmed the bounty earlier this week on its own channels, framing the disclosure as a direct response to a campaign that uses fake support messages inside Signal and WhatsApp to steal credentials, recovery keys, and access to years of private chats.
Rewards for Justice is the State Department’s main channel for paying out tips on foreign threats to U.S. national security. The program was established in 1984 under the Act to Combat International Terrorism and is administered by the Bureau of Diplomatic Security. Its statutory authorities cover terrorism, foreign election interference, malicious cyber activity carried out at the direction or under the control of a foreign government, and financial mechanisms tied to North Korea, according to the legal framework behind Rewards for Justice. The official Rewards for Justice submission portal lists multiple ways to submit tips, including a Tor-based channel designed for sensitive sources.
The $10 million figure sits near the top of what Rewards for Justice has offered for cyber tips, and the State Department is asking for a broad package of information in return. The agency wants names, locations, biographies, and affiliations of UNC5792 actors and supporting personnel; links to Russian intelligence agencies, contractors, and third-party service providers; operational infrastructure including domains, servers, hosting environments, data storage solutions, tools, frameworks, and software; funding sources and financial accounts; and details on cryptocurrency wallets, blockchain transactions, and financial networks supporting the operations.

Who UNC5792 and UNC4221 Are
The two groups carry different labels inside the U.S. government’s tracking system but operate inside the same intelligence ecosystem. UNC5792 is publicly tied by the State Department to the Russian Federal Security Service’s Border Guards. UNC4221 is described as a malicious group of cyber actors working on behalf of Russian military services. The FBI’s June update places the activity of both clusters under what the agency calls Russian Intelligence Services, or RIS, cyber operations.
| Group | Affiliation | Documented Activity |
|---|---|---|
| UNC5792 | Russian Federal Security Service (FSB) Border Guards | Widespread phishing against Signal and WhatsApp accounts of U.S. and allied officials |
| UNC4221 | Russian military services | Named alongside UNC5792 in the FBI’s June update as part of the broader Russian Intelligence Services cyber operation |
The two clusters are not branded the way Fancy Bear or Cozy Bear were, and the U.S. government has not released individual names for the operators behind them. The tradecraft was first documented by Google Threat Intelligence Group in early 2025, when researchers tied similar activity to Russian attempts to compromise Signal accounts used by Ukrainian officials. The same techniques have since been observed against WhatsApp and Telegram, the FBI’s update says, building on warnings issued earlier this year by Dutch intelligence, Germany’s BfV and BSI, and France’s ANSSI.
The Phishing Trick That Walks Around End-to-End Encryption
The campaign does not exploit a flaw in Signal or WhatsApp. The FBI and CISA are explicit on this point in their March 2026 public service announcement, published on IC3: “RIS actors have compromised individual CMA accounts, but not CMAs’ encryption or the applications themselves.” The attackers instead walk through a legitimate feature of each platform, using social engineering to convince a target to take an action that hands over access.
The core technique is impersonation. The hackers pose as automated support accounts inside the apps themselves, sending direct messages and asking the target to click a link, paste a verification code, or share an account PIN. If the user complies, the attacker either adds their own device as a linked device on the victim’s account or walks away with the credentials needed to take it over entirely. Once inside, the attacker can read incoming messages, view contact lists, and pivot the compromised account into a new phishing hub aimed at the victim’s contacts.
> Not to lose your messages and media, set up your Signal Backup (Settings -> Backups -> Enable backups -> View recovery key -> Copy to clipboard -> Next -> Enter the recovery key -> Next -> Continue -> Choose your backup plan).

That passage is lifted from one of two sample phishing messages reproduced in the FBI’s June update to the March 2026 advisory. The message is dressed as a Signal “mandatory two-factor verification” rollout and walks the target step by step through enabling Signal backups, navigating to the Recovery Key, and pasting it back into the chat. A second sample, dressed as an urgent data recovery warning, tells the target their messages are at risk of permanent loss unless they share the same key, according to the SecurityAffairs summary of the advisory. Both messages arrive inside the Signal app itself, sent from accounts that mimic the platform’s branding.
In some cases the attackers have modified genuine Signal group invitation pages to redirect victims to malicious links that connect attacker-controlled devices to their accounts. The technique does not require breaking Signal’s encryption at all. It requires the user, in a moment of trust, to perform one of several precisely scripted actions in front of the attacker, an approach that renders end-to-end encryption irrelevant once the user has handed over the keys.
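Inbound message triage for the lure pattern described above, as an added example (it is not code from the FBI/CISA advisory, from Signal, or from WhatsApp). It scores a message on the signals the advisory itself describes: the sender posing as the platform’s own support, a request to hand over a verification code, PIN or recovery key, time pressure or a data-loss threat, and links that point off the platform’s official domains or carry a device-linking URI. The host allowlist, the sample messages, the weights and the threshold are constructed for this example; the `sgnl://linkdevice` scheme is the one Signal’s device-linking QR codes encode. The allowlist cannot see a genuine invite page that has been altered to redirect, which is why the impersonation and secret-request signals score on their own.

```python
"""Heuristic triage for support-impersonation lures in Signal and WhatsApp.

Added example, not code from the advisory or the platforms. Scores a message
on the signals the advisory describes; weights, allowlist and samples are
constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Hosts the real platforms use for invites, links and help pages.
# Constructed allowlist (assumption): tune it for your environment.
OFFICIAL_HOSTS = {
    "signal": ("signal.org", "signal.group", "signal.link", "signal.me"),
    "whatsapp": ("whatsapp.com", "wa.me"),
}

# Signal's device-linking URI scheme (what a linking QR code encodes). A
# "support" message carrying one is asking you to link a device you don't own.
DEVICE_LINK_SCHEME = "sgnl://linkdevice"

CLAIMS_TO_BE_SUPPORT = re.compile(
    r"\b(signal|whatsapp)\s*(support|team|security|verification)\b", re.I)
ASKS_FOR_SECRET = re.compile(
    r"\b(recovery\s*key|backup\s*key|verification\s*code|registration\s*lock"
    r"|pin|one[- ]time\s*code)\b", re.I)
ASKS_TO_SHARE = re.compile(
    r"\b(send|share|paste|enter|reply\s+with|provide|copy)\b", re.I)
PRESSURES = re.compile(
    r"\b(mandatory|urgent(ly)?|permanent(ly)?\s+lost|will\s+be\s+deleted"
    r"|within\s+\d+\s+hours?)\b", re.I)
LINK = re.compile(r"\b(?:https?|sgnl)://[^\s<>\"')]+", re.I)


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold chosen for this example: any single strong signal trips it.
        return self.score >= 2


def is_official_host(host: str, platform: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_HOSTS[platform])


def link_problem(url: str, platform: str) -> Optional[str]:
    """Return why a link is suspicious, or None if it stays on-platform."""
    if url.lower().startswith(DEVICE_LINK_SCHEME):
        return "carries a device-link URI"
    host = urlparse(url).hostname or ""
    if is_official_host(host, platform):
        return None
    return f"points off-platform to {host or url!r}"


def triage(sender: str, text: str, platform: str = "signal") -> Verdict:
    """Score one inbound message; higher means more lure-like."""
    v = Verdict()

    def flag(weight: int, why: str) -> None:
        v.score += weight
        v.reasons.append(why)

    if CLAIMS_TO_BE_SUPPORT.search(sender) or CLAIMS_TO_BE_SUPPORT.search(text):
        flag(1, "claims to be the platform's own support or team")
    if ASKS_FOR_SECRET.search(text) and ASKS_TO_SHARE.search(text):
        flag(2, "asks you to hand over a code, PIN or recovery key")
    if PRESSURES.search(text):
        flag(1, "applies time pressure or threatens data loss")
    for url in LINK.findall(text):
        problem = link_problem(url, platform)
        if problem:
            flag(2, f"link {problem}: {url}")
    return v


# Constructed sample messages; the first mirrors the "mandatory two-factor
# verification" lure quoted in the advisory, the last two are benign controls.
SAMPLES = [
    ("Signal Support",
     "Mandatory two-factor verification. Not to lose your messages and media, "
     "set up your Signal Backup (Settings -> Backups -> View recovery key -> "
     "Copy to clipboard) and paste the recovery key here.", "signal"),
    ("Signal",
     "Your chat history will be permanently lost within 24 hours. "
     "Confirm your account at https://signal-group.co/verify", "signal"),
    ("Signal Team",
     "To complete verification open sgnl://linkdevice?uuid="
     "00000000-0000-0000-0000-000000000000&pub_key=AAAA", "signal"),
    ("Alice", "New group link: https://signal.group/#CjQKIAbc", "signal"),
    ("Bob", "Can you send me the door code for the office?", "whatsapp"),
]

if __name__ == "__main__":
    for sender, text, platform in SAMPLES:
        v = triage(sender, text, platform)
        label = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"[{label}] {sender}: score={v.score} {v.reasons}")
```

Run it and the three lures score 3 or 4 while the two benign messages score 0. The secret-request rule only fires when a request verb and a secret noun appear together, so a colleague asking for a door code does not trip it; the impersonation rule fires on the display name as well as the body, because the advisory’s samples rely on the sender looking like the platform rather than on any one link.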
Why a Recovery Key Can Outlive the Account
The danger of the Backup Recovery Key is that it does not behave like a one-time code. A verification code expires; a Recovery Key keeps working as long as the account it was generated for exists. The FBI’s June update spells this out: “If a victim inadvertently shares their Backup Recovery Key, that same key remains valid even if they create a new account following the compromise using the same phone number. Consequently, the actor could potentially use the compromised key to take over the new account in the future as well.” That single property is what turns the new tactic from an account takeover into a long-term espionage foothold.
The only fix the advisory offers is to generate a new Backup Recovery Key inside Signal’s Settings, which invalidates the previous key for any future backup downloads. That step does not undo what the attacker has already pulled. The FBI is direct about that too: “However, please note that this does not prevent the actor from having already downloaded a backup of the original account.” Anything in the backup before the key change is already in someone else’s possession. The Backup Recovery Key effectively outlives the account it was meant to protect, and the advisory gives users no way to claw back what the attacker has already restored on their own device.
The June update is also the first time the FBI has put a public label on the cluster of operators behind the campaign. Before the update, the activity was described only as the work of unnamed “RIS cyber actors.” Naming the two groups is what gives the State Department’s bounty a target, and the price tag tells you what the U.S. government thinks those two groups have done: walked around encryption that holds, by convincing the humans on the other end to hand over the one piece of data that defeats it.
U.S. and NATO Officials Are the Primary Targets
The campaign is indiscriminate in volume but precise in who it aims at. The FBI and CISA’s PSA says the activity “targets individuals of high intelligence value, such as current and former U.S. government officials, military personnel, political figures, and journalists.” The Rewards for Justice announcement extends that list to U.S. and NATO diplomatic and defense personnel, intelligence officials, policy analysts, journalists covering Russia and Ukraine, NGOs supporting Ukraine, and security and Russian affairs researchers.
| Target Group | Why They Are Useful to Russian Intelligence |
|---|---|
| Current and former U.S. government officials | Policy decisions, diplomatic positions, internal deliberations |
| Military personnel and NATO equivalents | Operational details, troop movements, logistics |
| Journalists covering Russia and Ukraine | Source networks, unpublished material, editorial plans |
| NGOs supporting Ukraine | Aid logistics, partner rosters, field reporting |
| Security and Russian affairs researchers | Threat assessments, source networks |
The State Department’s announcement says thousands of individual accounts for commercial messaging applications have been compromised through these methods. The FBI’s March PSA puts the same number globally, describing it as a “global campaign” that has produced “unauthorized access to thousands of individual CMA accounts.” Neither announcement gives a country-by-country breakdown. Ukraine’s SBU said last week it had worked with the FBI to expose a long-running Russian cyber-espionage campaign that hit messaging accounts of officials, military personnel, politicians, and activists in Ukraine, Europe, and the United States. The campaign appears aimed less at any one ministry than at the network of people who talk to each other across borders.
How the Bounty Fits a Wider European Hunt
The U.S. announcement lands at the end of a coordinated European push. The Netherlands’ intelligence service published a warning earlier this month that Russian hackers were running “a large-scale global attempt” to take over WhatsApp and Signal accounts, and Germany’s BfV and BSI and France’s ANSSI have all issued parallel advisories since February. Each European warning has used different language to describe the same pattern: fake support messages, recovery key theft, and account takeover without touching the underlying encryption.
That cross-border pattern is why the FBI’s June update names the two groups publicly for the first time, and why the State Department attached a $10 million price tag. The two moves together are the U.S. government’s way of saying it knows who is running the campaign, it knows which European allies have been hit, and it now wants the kind of human intelligence that only a defector, a contractor, or a middleman can provide. For coverage of related platform-side responses to phishing, see WhatsApp’s new strict account settings and WhatsApp’s on-device scam detection system.
What Signal Says It Will Never Ask For, and What Users Should Do
Signal has been clear, repeatedly, about what its support team does not do. The company does not contact users inside the app to ask for verification codes, PINs, or Recovery Keys. The BleepingComputer summary of the FBI’s June update captures the guidance directly: “Signal users should always keep in mind that real support teams communicate exclusively through official company email addresses and never ask users to provide verification codes within the application or send links requesting account verification, recovery, or restoration.”
The FBI’s March PSA lays out the same discipline in six lines of recommended behavior. Pause if a message feels off. Treat unknown messages as suspicious. Inspect links before clicking. Periodically scan Signal group chats for duplicates or impostor accounts. Learn the security features of the messaging app you use, and turn on message expiration where appropriate. Report any suspected phishing to IC3 and to your organization’s security team, then verify any suspicious “support” contact through the app’s official website rather than the link in the message.
For anyone who believes they may have shared a Recovery Key, the FBI’s advisory is direct: open Signal’s Settings, generate a new Backup Recovery Key, and assume that anything backed up before that moment is already in someone else’s possession. Then rotate passwords and codes on linked accounts, scan group chats for impostor participants, and file a complaint at IC3. The full text of the joint PSA, including the sample phishing messages and the recovery key guidance, is published at the FBI and CISA’s March public service announcement. The encryption still does what it says it does. The user is now the variable, and the $10 million bounty is the U.S. government’s wager that someone, somewhere, knows whose job it is to find the people who figured that out.
Frequently Asked Questions
Has Signal’s encryption actually been broken?
No. The FBI and CISA say explicitly that the attackers have not compromised Signal’s encryption or the application itself. They have walked around it by convincing users to share the keys themselves, a social engineering problem with a social engineering solution.
Who are UNC5792 and UNC4221?
They are the public tracking names the U.S. government now uses for two clusters of Russian Intelligence Services cyber actors. UNC5792 is tied to the FSB’s Border Guards. UNC4221 works on behalf of Russian military services. The FBI’s June 2026 update is the first time the U.S. government has named either cluster publicly.
How much is the reward, and who can claim it?
Up to $10 million under the State Department’s Rewards for Justice program, for information leading to the identification or location of either group’s members. Tips can be submitted through the program’s official portal, including a Tor-based channel for sensitive sources.
What is a Signal Backup Recovery Key, and why is it so dangerous to share?
It is the long passcode that encrypts a user’s backed-up Signal message history. Unlike a verification code, it stays valid even after a new account is created on the same phone number, which means a single share can compromise the user again later, according to the FBI’s June update.
What should I do if I think I handed over a recovery key?
Open Signal’s Settings, generate a new Backup Recovery Key, and assume everything backed up before that moment is already in someone else’s hands. Remove any unrecognized linked devices, scan group chats for impostor participants, and report the incident to IC3.