DEV Community

Cover image for US Slaps $10M Bounty on Russian Signal, WhatsApp Hackers
XOOMAR
XOOMAR

Posted on • Originally published at xoomar.com

US Slaps $10M Bounty on Russian Signal, WhatsApp Hackers

$10 million is now on the table for tips on Russia-linked hackers targeting Signal and WhatsApp, after U.S. officials said two cyber groups tied to Russian intelligence have compromised messaging accounts used by government officials, journalists and other high-value targets.

The reward, offered through the State Department’s Rewards for Justice program, targets UNC5792 and UNC4221, according to The Record. U.S. authorities say UNC5792 is associated with Russia’s Federal Security Service (FSB) Border Guards, while UNC4221 is linked to Russian military intelligence.

$10 million reward targets UNC5792 and UNC4221 in Signal WhatsApp campaign

The U.S. is seeking information leading to the identification or location of members of the two groups. The campaign is aimed at individual Signal and WhatsApp accounts, not at breaking the encryption of the apps themselves.

That distinction matters. The FBI said the attackers are using social engineering to trick targets into handing over verification codes, account PINs and backup recovery keys. Once they get those, they can access private chats, group conversations, message histories and, in some cases, seize accounts.

The targets named in the advisory are the kind of people whose inboxes can carry diplomatic, military or political value: government officials, journalists and other high-profile individuals. Ukraine’s Security Service, the SBU, said last week it worked with the FBI to uncover a long-running Russian cyber-espionage operation targeting government officials, military personnel, politicians and activists in Ukraine, Europe and the United States.

“Although these malicious cyber activities did not exploit any security vulnerability in the platforms’ encryption protections, they have compromised thousands of individual commercial messaging application accounts,” the Rewards for Justice notice said, according to Ars Technica.

The campaign also lands as messaging identity is becoming a higher-stakes security surface. WhatsApp has been tightening controls around usernames, as we covered in Meta Locks Down WhatsApp Usernames as Scammers Circle, and username reservation itself has already become a target for impersonation concerns in Best WhatsApp Username Picks May Vanish Before Launch.


Fake support messages and backup keys are doing the damage

The FBI warning says the Russian intelligence campaign has evolved. Attackers are now increasingly trying to steal backup recovery keys for encrypted messaging apps.

Those keys are especially dangerous because, according to officials, compromised backup recovery keys can remain valid even if a victim creates a new account using the same phone number. That can let attackers regain access later.

The core attack path is simple and effective:

  • Impersonation: Attackers pose as official messaging platform support services.
  • Credential theft: Targets are pushed to share verification codes, account PINs or recovery keys.
  • Device linking: Victims may unknowingly connect attacker-controlled devices to their accounts.
  • Account takeover: In some cases, attackers lock victims out or gain access to chats.
  • Persistence risk: Stolen backup recovery keys can keep working unless the user generates a new one.

In some cases, the hackers altered legitimate Signal group invitation pages so victims were redirected to malicious links. Those links connected attacker-controlled devices to victims’ accounts.

That tactic is especially corrosive because it abuses trust inside real communication flows. A fake support message can be ignored. A tampered group invite, especially in a professional or political network, has a better chance of getting clicked.

The SBU said one common method involved text messages pretending to be official support notices from messaging platforms. The messages urged users to disclose account credentials, a blunt phishing move wrapped in the language of account recovery or security maintenance.

Encrypted apps held up, but account control became the weak point

The FBI’s message is narrow but uncomfortable: end-to-end encryption is not the same as account safety. If a user is tricked into linking a hostile device or handing over a recovery key, the attacker doesn’t need to crack the platform’s cryptography.

That puts Signal WhatsApp Russian hackers in a different category from actors hunting for zero-day exploits. This campaign relies on people, timing and trust. The platforms’ encryption may still work as designed, while the target loses control of the account around it.

A short comparison shows the pressure points:

Attack route What the campaign appears to exploit Why it matters
Verification code theft Users share codes after fake support prompts Can allow account access or takeover
Backup recovery key theft Users disclose keys used for encrypted backups Can expose past communications and create future access risk
Malicious group invites Legitimate-looking Signal invite pages are altered Can link attacker-controlled devices to victim accounts
Support impersonation Messages mimic platform security notices Makes phishing look like routine account protection

For security teams, the takeaway is sharper than “train users better.” High-value users need processes that assume support impersonation will happen and that attackers will use real product features against them.

The FBI said legitimate commercial messaging app support services will not request verification codes inside the application, do not send links to “verify” or “restore” accounts, and users should not provide verification codes without confirming the request came from a legitimate channel.

Public naming gives defenders a shared map, but not the hackers’ identities

The names UNC5792 and UNC4221 are tracking labels, not public identities. Still, naming them gives defenders a way to connect similar incidents across agencies, vendors and allied governments.

The RFJ reward also raises the stakes. A public bounty of up to $10 million signals that U.S. officials want information that can point to who is behind the operation or where they are located. The supplied advisory does not say what evidence has already been collected, nor does it identify individual operators.

There are still important blanks. Officials have not publicly named the victims. The source material does not say how many accounts belong to U.S. officials versus journalists, military personnel or allied users. It also does not say whether Signal or WhatsApp will make product changes in response to this campaign.

The next useful signals will be specific. Watch for updated FBI guidance on recovery keys, new platform warnings around device linking, and any further U.S. or allied statements connecting Signal WhatsApp Russian hackers to named Russian intelligence units or individual operators. For users in sensitive roles, the practical move is immediate: treat any request for a verification code, PIN or backup recovery key as hostile until proven otherwise.

Impact Analysis

  • The campaign targets government officials, journalists and other high-value individuals whose messages may carry diplomatic or military value.
  • Officials say the attackers are bypassing encryption by tricking users into surrendering verification codes, PINs and recovery keys.
  • The $10 million reward signals that the U.S. views the operation as a serious Russian intelligence-linked cyber threat.

Originally published on XOOMAR. For more news and analysis, visit XOOMAR.

Top comments (0)