The United States government has announced a $10 million reward for information leading to the identification or location of members of two Russia-linked hacking groups accused of conducting a sustained espionage campaign against Signal and WhatsApp users. The bounty is being offered through the State Department’s Rewards for Justice program.
The groups, tracked as UNC5792 and UNC4221, are assessed by U.S. authorities to be associated with Russia’s Federal Security Service (FSB) and military intelligence, respectively. Their targets have included government officials, military personnel, politicians, journalists, and activists across Ukraine, Europe, and the United States.
How the Attacks Work
According to an advisory issued by the FBI, the campaign does not exploit technical vulnerabilities in Signal or WhatsApp. Instead, the groups rely heavily on social engineering to compromise individual accounts. Tactics include:
- Sending text messages impersonating official messaging platform support services to trick users into revealing account credentials.
- Altering legitimate Signal group invitation pages to redirect victims to malicious links that link attacker-controlled devices to their accounts.
- Tricking victims into sharing verification codes, account PINs, and backup recovery keys.
Once access is obtained, attackers can read message histories, monitor private and group chats, and in some cases fully take over victim accounts.
Backup Recovery Keys Pose Lasting Risk
The FBI specifically flagged a concerning evolution in the groups’ tactics: attackers are increasingly focused on stealing backup recovery keys for encrypted messaging applications. Officials warned that compromised backup keys can remain valid even if a victim creates a new account using the same phone number, potentially giving attackers a persistent pathway back into communications.
Joint Investigation with Ukraine
The U.S. warning follows a disclosure by Ukraine’s Security Service (SBU), which said it worked with the FBI to uncover the long-running operation. The SBU described the campaign as aimed at obtaining sensitive military, political, and economic information exchanged over encrypted platforms, as well as harvesting victims’ personal data.
Security professionals should advise high-risk users to audit linked devices on their messaging accounts, rotate backup recovery keys, and treat any unsolicited credential requests, even those appearing to come from platform support, as likely social engineering attempts.
