Jul 01, 2026
US Offers $10M for Russian Hackers Targeting Signal and WhatsApp
Two Russian state-sponsored groups — UNC5792 (FSB) and UNC4221 (military intelligence) — compromised thousands of accounts belonging to NATO officials, diplomats, journalists, and NGO workers by impersonating Signal support. The US Department of State is now paying for information on their members and infrastructure.
Key Takeaways
- UNC5792 (Russian FSB Border Guards) and UNC4221 (Russian military intelligence) conducted phishing attacks against Signal and WhatsApp users across US and NATO institutions.
- Attackers impersonated Signal support agents in direct messages, asking targets for their Signal Backup Recovery Keys — giving full access to message history.
- Primary targets: US and NATO government officials, diplomatic staff, defense and intelligence personnel, journalists covering Russia-Ukraine, and NGO workers supporting Ukraine.
- The US Department of State's Rewards for Justice program is offering $10 million for information on the groups' members, infrastructure, funding, or cryptocurrency wallets.
- Signal's genuine support team never contacts users through the app and never asks for backup keys or verification codes.
Who Are UNC5792 and UNC4221?
UNC5792 is a Russian threat group operating under the Federal Security Service (FSB) Border Guards directorate — Russia's domestic intelligence and border security agency. UNC4221 is linked to Russian military intelligence services. Both groups represent the state-sponsored tier of Russia's cyber operations apparatus, distinct from the ransomware criminals and hacktivists who also operate out of Russia with varying degrees of government tolerance.
Their target list is a who's who of people Russia has strategic interest in monitoring: US and NATO government officials, diplomatic personnel, defense and intelligence staff, policy analysts, journalists covering the Russia-Ukraine conflict, NGOs providing humanitarian support to Ukraine, and security researchers investigating Russian cyber activity.
The operation documented by the Department of State is not new — both groups have been active for years — but the bounty announcement on June 29, 2026 signals that US intelligence has developed enough detail on their operations to put a $10 million price on identifying their members.
How Did the Attacks Work?
The primary attack vector was social engineering inside Signal itself. Attackers posed as Signal support representatives in direct messages, warning targets that their accounts required "mandatory two-factor verification" or faced suspension. The ruse directed victims to provide their Signal Backup Recovery Key — a string of digits that, in the wrong hands, grants complete access to a user's message history and contacts.
Signal Backup Recovery Keys are designed to help users restore their accounts when switching phones. They are not credentials that Signal or any support team would ever need to see. Anyone who asks for one — regardless of how official they appear — is attempting to steal your account.
The attack worked because Signal's legitimate branding lends credibility. A message appearing to come from "Signal Support" inside the app, using correct terminology, caught some experienced users off guard. WhatsApp users were targeted through similar impersonation tactics, with attackers exploiting the same principle: people trust communications that appear to originate from the platform itself.
Thousands of individual accounts were compromised this way — a dragnet targeting the communications of people whose private messages carry serious intelligence value to Russian state actors.
Why Messaging Apps Are the New Frontline
Encrypted messaging applications like Signal were designed to be mathematically resistant to interception. Nation-state adversaries cannot break the encryption by attacking the protocol — so they attack the humans using it instead. Phishing for backup keys, exploiting device vulnerabilities, and deploying spyware like NSO Group's Pegasus are all ways to read encrypted messages without cracking the encryption itself.
For journalists and activists, the calculus is stark: Signal and WhatsApp remain the best tools available for confidential communication, but using them securely requires understanding that the threat is now mostly social, not cryptographic. The weak point is not the algorithm — it is the person holding the phone.
Email carries an additional layer of risk that encrypted messaging apps do not. Even when message content is protected, email headers, metadata, and tracking pixels embedded by senders can reveal who is communicating with whom, when, and from where — without any hacking required. Compartmentalizing sensitive communications to dedicated encrypted apps, and protecting your email inbox from passive surveillance, are complementary steps.
What the $10 Million Bounty Signals
The US Department of State's Rewards for Justice program has been used for decades to solicit information on terrorist groups and foreign intelligence operations. A $10 million offer specifically targeting the members, infrastructure, funding sources, and cryptocurrency wallets of UNC5792 and UNC4221 suggests that US intelligence has tracked enough of their operations to believe that human intelligence — a defector, an insider, or a cooperating partner — could provide the remaining pieces.
The announcement also serves as a public warning. Naming the groups and their affiliations puts allied governments, technology companies, and civil society organizations on notice: these attacks are ongoing, they are state-sponsored, and the US treats them seriously enough to pursue criminal accountability.
For the targets of these groups — journalists, NGO workers, government employees handling sensitive communications — the announcement is a reminder that their threat model includes well-resourced state actors willing to invest significant effort in compromising a single inbox or conversation thread.
How to Protect Your Messaging Accounts
Signal and WhatsApp both have official guidance on this class of attack. The most important rule: neither platform's support team will ever contact you through the app, and neither will ever ask for your backup recovery key, verification code, or password. Any message making such a request — regardless of how official it looks — is an attack.
- Enable Registration Lock in Signal — This requires your PIN to register your number on a new device, blocking SIM-swapping attacks and unauthorized re-registration.
- Never share your Backup Recovery Key — Store it offline, in a password manager or physically, and treat any request for it as a social engineering attempt.
- Enable two-step verification in WhatsApp — Adds a PIN to WhatsApp account registration, making it harder for attackers to take over your number.
- Verify contacts out of band — If you receive an unexpected message from someone claiming to represent a service or authority figure, verify through a separate, established channel before responding.
- Audit linked devices — Periodically check Signal's linked devices list (Settings → Linked Devices) and remove any you do not recognize.
If you believe you may have been targeted by UNC5792 or UNC4221, the Department of State's Rewards for Justice program accepts tips through its secure reporting mechanism. Contact information is available at rewardsforjustice.net.