The Department of State is offering up to $10 million for information on two Russian-linked hacking groups targeting Signal and WhatsApp users.
This reward is being offered through the department’s Rewards for Justice (RFJ) program, which seeks information on foreign state-backed cyber actors targeting U.S. critical infrastructure and national security interests.
The latest bounty focuses on UNC5792 and UNC4221, two threat groups tied to Russian intelligence and military services.
According to the RFJ announcement, UNC5792 is associated with the Russian Federal Security Service (FSB) Border Guards, while UNC4221 includes cyber actors working on behalf of Russian military services.
Hackers Target Signal and WhatsApp Accounts
U.S. officials said UNC5792 has carried out widespread phishing campaigns against Signal and WhatsApp accounts belonging to U.S. government officials, military leaders, and allied personnel.
The State Department is seeking details that could help identify group members, supporting personnel, and their connections to Russian intelligence services, contractors, or third-party service providers.
Officials are also asking for information about the groups’ infrastructure, including domains, servers, hosting providers, data storage systems, tools, frameworks, and software.
The bounty also covers information about financial activity linked to the groups, including funding sources, bank accounts, payment mechanisms, cryptocurrency wallets, blockchain transactions, and other financial networks used to support operations.
Phishing Campaigns Target Backup Keys
The FBI and Cybersecurity and Infrastructure Security Agency (CISA) recently updated a March 2026 advisory with new tactics observed in campaigns attributed to the two groups.
One of the most notable techniques involves attempts to steal Signal backup recovery keys.
In these campaigns, attackers impersonate Signal support agents and send direct messages to targets. The messages claim that users must complete a mandatory two-factor verification process.
The goal is to trick victims into revealing their backup recovery key, which can give attackers access to previous communications stored in the victim’s Signal backup.
Authorities emphasized that Signal, WhatsApp, and their encryption systems have not been compromised. Instead, attackers are targeting users directly through social engineering.
Thousands of Accounts Compromised
The announcement said thousands of individual accounts tied to commercial messaging applications were compromised through these tactics.
Typical targets include U.S. and NATO officials, diplomats, defense and intelligence personnel, journalists, NGOs supporting Ukraine, and security researchers.
How Users Can Reduce Risk
Signal users should remember that real support teams communicate through official company email addresses and do not ask users to share verification codes, backup recovery keys, or account restoration links inside the app.
Users should treat unexpected support messages with caution, especially if they request account recovery details, backup keys, or urgent verification steps.
They should also avoid clicking links sent through direct messages, verify support claims through official websites, and report suspicious messages to their security teams when using messaging apps for work-related communications.
Organizations should also provide targeted training on messaging app phishing, limit the use of consumer messaging platforms for sensitive communications, and ensure employees understand how recovery keys and verification codes can be abused.
Bottom Line
The $10 million reward underscores the U.S. government’s concern about Russian-linked cyber activity targeting encrypted messaging users.
While the platforms themselves were not compromised, the campaigns show how social engineering can still expose sensitive communications when attackers successfully manipulate users into sharing recovery information.
Zero trust solutions can help reduce risk by continuously verifying users, devices, and access requests instead of assuming trusted communications or accounts are safe.