U.S. Offers $10 Million for Hackers Targeting WhatsApp and Signal Users

What happened

The U.S. Department of State is offering up to $10 million for information that helps identify or locate members of two Russian-linked hacking groups targeting users of encrypted messaging applications.

The reward is part of the Rewards for Justice program, which seeks information on foreign state-linked cyber actors targeting U.S. critical infrastructure and national security interests.

The groups are tracked as UNC5792 and UNC4221. The U.S. government said UNC5792 is associated with Russia’s Federal Security Service Border Guards, while UNC4221 is made up of cyber actors working on behalf of Russian military services.

UNC5792 has conducted widespread phishing campaigns targeting Signal and WhatsApp accounts belonging to U.S. government officials, military leadership, and allied personnel.

The U.S. government is seeking information on the actors’ names, locations, biographies, affiliations, links to Russian intelligence services, contractors, third-party service providers, operational infrastructure, domains, servers, hosting providers, tools, frameworks, software, funding sources, bank accounts, payment mechanisms, cryptocurrency wallets, blockchain transactions, and financial networks.

The FBI and CISA recently updated earlier guidance on the groups’ tactics. The latest activity includes attempts to steal Signal Backup Recovery Keys.

In these attacks, hackers impersonate Signal support agents in direct messages. They claim that the user must complete a mandatory two-factor verification process, then trick the victim into revealing the backup key for their Signal account.

If attackers obtain the recovery key, they can access previous communications stored in Signal backups. Authorities emphasized that Signal, WhatsApp, and their encryption have not been compromised. Instead, attackers are using phishing and social engineering to compromise individual accounts and recovery material.

The Rewards for Justice announcement said thousands of individual accounts for commercial messaging applications have been compromised through this activity.

Typical targets include U.S. and NATO government officials, diplomatic personnel, defense and intelligence officials, military leaders, policy analysts, journalists covering Russia and Ukraine, nongovernmental organizations supporting Ukraine, and researchers focused on security and Russian affairs.

Who is affected

Users of Signal and WhatsApp are affected if they are targeted by UNC5792 or UNC4221 phishing campaigns.

The highest-risk groups include U.S. and NATO officials, military leadership, diplomatic personnel, defense and intelligence officials, journalists covering Russia and Ukraine, NGOs supporting Ukraine, policy analysts, and security or Russian affairs researchers.

Organizations whose employees use encrypted messaging applications for sensitive communications may also be affected if staff members are tricked into sharing verification codes, backup recovery keys, account recovery information, or other sensitive authentication material.

Why CISOs should care

This campaign shows that attackers do not need to defeat encryption when they can manipulate users into handing over account recovery material. The communication platform may remain secure, but the account can still be compromised through phishing.

For CISOs, recovery keys and verification codes should be treated as high-value secrets. If employees share them through a chat message, attackers may gain access to historical communications, group conversations, contacts, and sensitive operational discussions.

The targeting profile also matters. Government, defense, diplomatic, policy, journalism, NGO, and research communities face elevated risk because their private communications can be valuable for intelligence collection.

The $10 million reward also signals that U.S. authorities view these campaigns as part of a serious state-linked threat environment, not ordinary messaging-app fraud.

3 practical actions

  1. Train users never to share verification codes or recovery keys: Signal support teams do not ask for verification codes, backup recovery keys, or account restoration details inside the app. CISOs should reinforce that recovery keys should be treated like passwords and never shared.
  2. Move high-risk users to stronger account protection practices: Officials, executives, journalists, researchers, and staff working on Russia, Ukraine, defense, diplomacy, or critical infrastructure should receive targeted guidance on secure messaging, account recovery, device linking, and phishing-resistant authentication.
  3. Review encrypted messaging use in sensitive workflows: Organizations should define when Signal, WhatsApp, or other commercial messaging apps may be used for work communications and how users should handle backups, recovery keys, lost devices, and suspicious support messages.

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.