The US State Department has announced a reward of up to $10 million for information leading to the identity or location of members of the hacker groups UNC5792 and UNC4221.
These groups are linked to Russia’s intelligence and military agencies. This proposal is part of the State Department’s Awards for Justice program.
The groups have conducted widespread phishing campaigns targeting the Signal and WhatsApp accounts of US government officials, military leaders, and affiliated personnel.
UNC5792 is affiliated with the Russian Federal Security Service Border Guards, while UNC4221 is described as operating on behalf of the Russian military services.
Last week, the FBI and CISA updated a March 2026 advisory that included new tactics seen in attacks caused by these groups.
What the US government wants to know
The US government is seeking information regarding the UNC5792 group and their associated personnel. They want details about the names, locations, biographies and affiliations of these actors and their team members.
Additionally, they are interested in ties to Russian intelligence agencies, contractors, and third-party service providers. The request includes information about the group’s operational infrastructure, such as domains, servers, hosting environments, data storage solutions, tools, frameworks and software used.
They’re also looking at funding sources, financial accounts, banking relationships and payment methods. Finally, they ask for details on the cryptocurrency wallets, blockchain transactions, and financial networks that support the group’s operations.
The attacks do not exploit weaknesses in Signal or WhatsApp’s encryption. Instead, they rely on social engineering tactics aimed at obtaining access details from users.
According to the FBI and CISA, the attackers pose as Signal support representatives in direct messages and claim to require mandatory two-factor verification.
This is a scam designed to persuade users to share their Signal backup recovery key, which grants access to their previous communications on the platform.
Once the attackers have the backup key, they can restore the victim’s Signal data to a device they control and view past messages.
The US government has confirmed that thousands of individual accounts on both Signal and WhatsApp have been compromised through these methods.
Who is at risk and how to stay safe
Main goals include:
- US and NATO government officials, diplomats and defense personnel, intelligence officers, policy analysts, journalists covering Russia and Ukraine.
- NGOs supporting Ukraine, security researchers and experts on Russian affairs.
Although the focus is mostly on individuals in government and policy roles, the techniques employed can be modified to target any high-value individual.
Users on Signal and WhatsApp should follow these practices to stay safe:
- Never share Signal backup recovery keys with anyone, no matter how legitimate the request seems.
- Keep in mind that Signal support never asks for verification codes or recovery keys within the app or through unsolicited messages.
- Treat any request to verify or restore your account via link or code as possible phishing.
- Verify the source of any communication claiming to be from Signal or WhatsApp by visiting the official support page directly through the app or the company’s website.
- Enable two-factor authentication for your accounts by using a different authentication app, not via SMS.
- Be especially cautious if you work in or with the government, defence, journalism or NGO sectors, as these are common targets.
Signal’s official support team only communicates through the official email address and does not send in-app direct messages or outreach through unsolicited contacts.
How to report information about Russian hackers
Anyone who has information that can help identify or locate members of UNC5792 or UNC4221 is encouraged to contact the Rewards for Justice program.
Tips may be submitted through its website or through encrypted channels designed for sensitive sources. The $10 million reward is one of the highest rewards offered by the program, reflecting the serious and ongoing threat.
Previous cases have seen rewards paid for information that helps identify or capture state-sponsored cyber actors.
The reward announcement is part of a broader US response to Russian cyber campaigns targeting US and allied interests.
The attacks on Signal and WhatsApp do not indicate vulnerabilities in the platforms themselves, but show how attackers are adopting encrypted messaging by directly targeting users rather than exploiting the encryption.
For those not in the targeted groups, these attacks serve as a reminder that even highly encrypted messaging services can be compromised through social engineering.
Maintaining good operational security, such as being wary of unsolicited messages and protecting recovery keys, remains important regardless of the strength of encryption.
Thanks for being a Ghax reader. The post US offers $10 million reward for information on Russian hackers targeting Signal and WhatsApp users appeared first on gHacks.



