The United States government has announced a reward of up to $10 million for information leading to the identification or location of Russian state-sponsored hackers behind a sustained campaign against secure messaging applications. The bounty, issued through the State Department’s Rewards for Justice program, comes as cyberattacks on platforms such as Signal and WhatsApp continue to escalate, and as federal agencies warn that the attackers’ tactics are growing more sophisticated and more persistent.
This is one of the largest rewards the program has ever offered for cyber-related intelligence, underscoring how seriously Washington views the threat. The campaign does not target ordinary spam victims. Instead, it focuses on a narrow but high-value group of individuals whose communications carry significant intelligence weight, and the methods being used reveal an uncomfortable truth about modern security: even the most heavily encrypted apps can be undermined when the human using them is tricked into opening the door.
Two Russian-Linked Groups in the Crosshairs
The reward specifically targets two threat clusters that security researchers track as UNC5792 and UNC4221. According to the U.S. government, UNC5792 is associated with the Russian Federal Security Service (FSB) Border Guards, while UNC4221 operates on behalf of Russian military services. Both groups are tied to Russia’s broader intelligence apparatus, and both have been linked to a long-running espionage operation aimed at compromising the messaging accounts of carefully selected targets.
The State Department is seeking a detailed picture of how these groups operate. Investigators want names, locations, biographies, and affiliations of the individuals involved, along with their connections to Russian intelligence agencies, contractors, and third-party service providers. The request extends to the infrastructure and tooling behind the attacks, as well as the financial networks, bank accounts, and cryptocurrency wallets that fund the operations. In effect, the U.S. is trying to map an entire ecosystem rather than identify a single hacker.
Tips can be submitted through the Rewards for Justice website or via encrypted channels designed to protect sensitive sources, including a dedicated Tor-based portal. Individuals who provide useful information may, in some cases, qualify for relocation and protection under U.S. law.
Who the Attackers Are Targeting
The victims of this campaign are not random. Federal agencies describe the targets as individuals of “high intelligence value.” This includes current and former U.S. and international government officials, military personnel, diplomats, intelligence officers, political figures, policy analysts, and journalists who cover Russia and Ukraine. Non-governmental organizations supporting Ukraine and researchers specializing in Russian affairs and security have also been singled out, alongside key officials located in Ukraine itself.
The geographic and professional focus reflects the strategic intent behind the operation. By compromising the private and group conversations of these individuals, the attackers can gather military, political, and economic intelligence, harvest personal data, and gain insight into the inner workings of governments and organizations aligned against Russian interests. The campaign overlaps with warnings issued earlier in the year by Dutch intelligence, Germany’s domestic security service, and France’s national cybersecurity agency, indicating that this is a coordinated and internationally recognized threat rather than an isolated series of incidents.
How the Attacks Actually Work
One of the most important details in the FBI and CISA advisories is also the most reassuring and the most unsettling at the same time. The agencies are unambiguous: these attacks do not break Signal’s or WhatsApp’s encryption, and they do not exploit a flaw in the applications themselves. The encryption holds. The weak point is the account, and the way attackers reach it is through social engineering.
The hackers pose as automated support accounts for the messaging platform. Victims receive convincing messages, sometimes framed as a mandatory two-factor authentication rollout, other times as an urgent “data recovery” fix for messages supposedly at risk of being lost. These lures are designed to create urgency and lower the target’s guard. From there, the attackers exploit legitimate device-linking features built into secure messaging apps. By tricking a victim into scanning a malicious QR code or clicking a doctored “group invite” link, they quietly link an attacker-controlled device to the victim’s account, gaining ongoing access to messages, contact lists, and group conversations.
In some documented cases, the groups altered genuine Signal group invitation pages so that the links redirected victims to attacker-controlled infrastructure. Because most users rarely check the list of devices linked to their account, this foothold can persist undetected for a long time. The compromised accounts have then been used to launch further phishing attacks against other valuable individuals, allowing the operation to spread from one target to the next.
This pattern of impersonation, urgency, and abuse of trust is the hallmark of social engineering. For readers who want to understand the mechanics behind these lures in greater depth, our detailed guide on what phishing is and how to recognize it breaks down the techniques attackers rely on and the warning signs that give them away.
A Dangerous New Twist: Stealing Backup Recovery Keys
The reason the U.S. government escalated to a $10 million bounty now, rather than months ago, lies in a recent shift in tactics. In a fresh update to their March 2026 advisory, the FBI and CISA warned that the attackers have evolved their approach and are now attempting to steal victims’ Signal Backup Recovery Keys.
This change is significant. Earlier waves of the campaign focused on stealing SMS verification codes and account PINs. The updated method walks the victim through enabling Signal backups, opening the Recovery Key screen, and pasting that key directly into the chat with the fake support account. Once the attacker has the key, they can restore the account’s backup and read its entire private and group message history.
What makes this especially dangerous is persistence. According to the advisory, if a victim inadvertently shares their Backup Recovery Key, that same key remains valid even if they later create a new account using the same phone number. In other words, an attacker who obtains the key could potentially regain access to the account well into the future, even after the victim believes they have started fresh. The recommended fix is direct: generate a new recovery key in the app’s settings immediately, which invalidates the old one for future backup downloads. However, the agencies caution that this does not undo any damage already done, since the attacker may have already downloaded a copy of the original account’s data.
What This Means for Everyone Else
Most people reading this are not the kind of high-profile official these groups are pursuing. Even so, the campaign carries a lesson that applies to every messaging app user. Strong end-to-end encryption protects the contents of your messages in transit, but it cannot protect you from a decision to hand over a verification code, a PIN, or a recovery key to someone pretending to be official support.
The single most important habit to internalize is this: legitimate messaging platform support teams communicate only through official company email addresses. They never ask users to provide verification codes inside the app, and they never send links requesting account verification, recovery, or restoration. Any message inside Signal, WhatsApp, or a similar app that asks for a recovery key, verification code, or PIN should be treated as hostile, no matter how convincing or urgent it appears.
These same principles of layered defense apply far beyond a single chat app, especially for remote teams and businesses that depend on digital communication. Our walkthrough on setting up a secure virtual office covers the practical steps that reduce exposure across the board, from enabling multi-factor authentication everywhere to choosing communication tools with the right administrative controls.
Choosing Communication Tools Built with Security in Mind
As organizations reassess how they communicate, many are looking closely at the security posture of the platforms they rely on for meetings, webinars, and confidential discussions. Encryption, access controls, and regulatory compliance have moved from nice-to-have features to baseline requirements.
For teams that need to host secure video conferences and online events, it is worth exploring the brand-new video conferencing and webinar features developed by https://clickmeeting.com/, which is built with these safety concerns in mind. ClickMeeting offers end-to-end encryption (E2EE) for confidential meetings, covering the video and audio window as well as chat messages so that sensitive conversations stay private. As a European provider, the platform is committed to GDPR compliance, holds ISO/IEC 27001 certification for its information security management system, and protects data with strong encryption both in transit and at rest. Moderation controls allow hosts to manage exactly who joins a meeting or webinar, helping prevent unauthorized access. For confidential business discussions, legal consultations, or healthcare-related sessions, this combination of encryption, certification, and access management provides a meaningful layer of protection.
Strengthening Your Defenses
Security experts continue to recommend a set of fundamental practices that hold up well against the kind of tactics described here. Keep your software updated so that known vulnerabilities are patched promptly. Use strong, unique passwords and enable multi-factor authentication wherever it is available. Periodically review the list of devices linked to your messaging and online accounts, and remove anything you do not recognize. Be skeptical of unsolicited messages that create urgency or ask you to take an unusual action, and verify requests through official channels before acting.
Anyone who believes they may have fallen victim to a campaign like this is encouraged to report the incident to the FBI’s Internet Crime Complaint Center (IC3), a local FBI field office, or CISA.
The Bigger Picture
The $10 million bounty is part of a broader U.S. effort to disrupt and deter state-sponsored cyber operations. Whether the reward leads to arrests is, in many respects, secondary. These hackers operate inside Russia and are unlikely to be extradited, so the more immediate value of the announcement may lie in raising awareness, signaling resolve, and pressuring the networks of contractors and intermediaries who enable the attacks.
For the rest of us, the takeaway is clear. The tools we trust for private communication are remarkably strong, but they are only as secure as the people using them. As attackers increasingly bypass encryption by going straight for the human, vigilance, healthy skepticism, and good security hygiene remain the most reliable defenses available.
Frequently Asked Questions
How can I protect my messaging app from Russian hacker attacks?
Keep your app and device software up to date, enable multi-factor authentication, and never share verification codes, PINs, or backup recovery keys with anyone, including accounts claiming to be official support. Regularly review the list of devices linked to your account and remove any you do not recognize. Treat any in-app message asking for credentials as a red flag.
What is the $10M bounty offered by the US for Russian hackers?
The U.S. State Department’s Rewards for Justice program is offering up to $10 million for information leading to the identification or location of members of the Russian-linked groups UNC5792 and UNC4221. These groups have targeted government officials, military personnel, journalists, and other high-value individuals through phishing attacks on Signal and WhatsApp.
Why are messaging app attacks by Russian hackers surging?
The attacks are part of a broader cyber-espionage strategy aimed at gathering military, political, and economic intelligence, while also stealing personal data. Encrypted messaging apps have become essential tools for officials and organizations, making the accounts of high-value targets an attractive prize for intelligence services.
Do these attacks break Signal or WhatsApp encryption?
No. The FBI and CISA are explicit that these attacks do not break the encryption or exploit a flaw in the apps themselves. Instead, attackers use social engineering to trick victims into linking a malicious device or revealing their backup recovery key, gaining access through legitimate features rather than by defeating the encryption.
What should I do if I shared my Signal Backup Recovery Key?
Generate a new recovery key in Signal’s settings immediately, which invalidates the old key for future backup downloads. Be aware, however, that this does not undo access the attacker may have already gained, since they could have downloaded your backup data before you reset the key. Report the incident to the FBI’s IC3 or CISA.