$10 Million Bounty for Russian State Hackers Targeting Signal and WhatsApp

The U.S. State Department has announced a reward of up to $10 million for information leading to the identification or location of two Russian state-sponsored hacking groups—UNC5792 and UNC4221—that have been running a sustained phishing campaign targeting Signal and WhatsApp accounts since at least March 2026.

How the Attack Works

The attackers send messages that mimic official support communications from Signal or WhatsApp. These messages urge recipients to click a link or provide verification codes, backup recovery keys, or account passcodes. If a user complies, the attacker links their own device to the victim's account, gaining full access to the account's messages from that point on. In an evolved variant, the attackers also trick users into generating and sharing their Signal backup recovery key, which allows the attacker to download and read all past conversations.

The FBI's advisory from last week details two specific message templates used by the attackers. One example reads:

Signal is here
Recently, attempts to hack users of our messenger with the connection of third-party devices to the account have become more frequent.
An investigation conducted jointly with the US government and European partners revealed that the attacks on accounts were carried out by hackers from Iran and post-Soviet countries.
In this regard, Signal updates Terms of Service & Privacy Policy, and introduces Mandatory Two-factor Verification for users.
Not to lose your messages and media, set up your Signal Backup (Settings -> Backups -> Enable backups -> View recovery key -> Copy to clipboard -> Next -> Enter the recovery key -> Next -> Continue -> Choose your backup plan).
Click the "Accept" button in the pop-up and stay tuned for security updates on our messenger.
Stay safe and thank you for using the most secure messenger with end-to-end encryption.
If you have any questions, send /help

Another message, labeled "Action Required: Data Recovery Needed," instructs users to copy and paste their recovery key into the chat:

Your Signal Account data (messages and media) is at risk of permanent loss due to a sync issue.
To avoid losing your messages and media:
Go to Settings -> Backups -> Configure -> Enable Backups -> View Recovery Key.
Copy the recovery key to your clipboard.
Paste the key into this chat.

Technical Details and Mitigation

Importantly, these attacks do not exploit any vulnerability in Signal's or WhatsApp's encryption. They rely entirely on social engineering. The FBI notes that if a user has already shared their backup recovery key, they must generate a new one immediately via Settings > Backups > Change Recovery Key. This invalidates the previous key for future backup downloads, but does not prevent an attacker who already downloaded the backup from reading it.

The attackers also abuse Signal's group invite link feature. In some cases, UNC5792 altered legitimate "group invite" pages to redirect users to a malicious URL that linked a UNC5792-controlled device to the victim's account.

Who Is Targeted

The phishing campaigns target "individuals of high intelligence value," including current and former U.S. government officials, military personnel, political figures, and journalists. The FBI reported that thousands of accounts have already been compromised.

The two groups are associated with Russian intelligence services: UNC5792 with the Federal Security Service (FSB) Border Guards, and UNC4221 with Russian military services.

Developer Takeaways

For developers and security professionals, this incident reinforces several key practices:

  1. Never share verification codes or backup keys outside the app. Legitimate support services never ask for these.
  2. Phishing-resistant 2FA (e.g., hardware tokens) should be mandatory for high-value accounts. Signal and WhatsApp both support external 2FA via authenticator apps.
  3. Monitor for unexpected device linking. Signal shows all linked devices in Settings > Linked Devices. Users should regularly audit this list.
  4. Backup recovery keys should be rotated periodically. If you suspect compromise, generate a new key immediately.

The FBI also advises that users should not act on urgent-sounding messages. There is rarely a penalty for waiting an extra hour to verify a request through an official channel.

Conclusion

The $10 million reward under the State Department's Rewards for Justice program underscores the severity of this ongoing operation. While the technical sophistication is low—no zero-days, no encryption bypass—the human factor remains the weakest link. Developers building secure systems must account for this reality and design user interfaces that make phishing harder. For now, the best defense is user education and strict operational security for those most at risk.