Washington has put a price tag on two of the world’s most elusive cyber units — and it’s a steep one.
The US Department of State announced on Monday a reward of up to $10 million for information that helps identify or locate members of two Russia-linked hacking groups accused of hijacking thousands of Signal and WhatsApp accounts belonging to government officials, military personnel and journalists across multiple countries.
The bounty, issued through the State Department’s Rewards for Justice (RFJ) program, names two specific actors: UNC5792, described as “a malicious cyber group associated with the Russian Federal Security Service (FSB) Border Guards,” and UNC4221, identified as a group “working on behalf of the Russian military services.”
Who Are UNC5792 and UNC4221

The two clusters have been operating since at least March 2026, when the FBI first warned about phishing campaigns linked to Russian intelligence services. Since then, the scale and sophistication of the campaign have only grown.
According to the State Department’s announcement, UNC5792 “has conducted widespread phishing campaigns targeting Signal and WhatsApp accounts of U.S. government officials, military leadership, and allied personnel.”
The victim list is far broader than typical state surveillance targets. Per security outlet IT Pro, the group also pursued investigative journalists covering Russia, Ukraine, and international affairs, NGOs providing support and assistance to Ukraine, and academic researchers in security studies and Russian affairs.
Google’s Threat Intelligence Group has reportedly linked the cluster to wider Russian state operations, including the notorious APT44/Sandworm unit, with activity stretching across Ukraine, Moldova, Georgia, France, and the US.
How the Scam Actually Works

What makes this campaign unsettling isn’t a flaw in encryption — it’s a flaw in human trust.
The fraud begins with a message dressed up as an official Signal alert, warning the user about a wave of hacking attempts and urging them to “secure” their account through mandatory two-factor verification. The text typically signs off reassuringly, thanking the user “for using the most secure messenger with end-to-end encryption” — a detail designed to lower a reader’s guard rather than raise it.
A second variant skips the reassurance and goes straight for urgency. It warns that a “sync issue” puts the user’s messages and media at risk of permanent loss, then walks them step-by-step through Settings, Backups, and View Recovery Key — ending with an instruction to paste that key directly into the chat.
Either way, the goal is the same: get the victim to hand over a credential that should never leave their device.
Initially, the attackers only needed to link an attacker-controlled device to a victim's account, which let them read messages delivered from that point on. A built-in Signal safeguard limited the damage: a newly linked device does not receive the account's existing message history, so older conversations stayed out of reach through that method.
That changed last week. The FBI's updated advisory describes an evolved version of the campaign, in which attackers now talk victims into creating a Signal backup and then handing over the recovery key used to encrypt it. With that key, the entire historical archive — not just future messages — becomes accessible.
Crucially, US officials have stressed that the attackers did not breach any underlying encryption. They got in by convincing people to open the door themselves.
A Reward Program With Teeth
The Rewards for Justice program isn’t new — it has paid out for tips on everything from terrorism financing to election interference — but a $10 million figure for a cyber case signals how seriously Washington is treating this operation.
The State Department isn’t just after names. Officials are seeking information on the identities, locations, affiliations, operational infrastructure, domains, servers, hosting services, software tools, funding sources, banking relationships, payment mechanisms, and cryptocurrency wallets linked to the two hacking groups.
That’s an unusually granular wish list, suggesting investigators already have partial leads and are trying to fill in financial and infrastructure gaps rather than starting from zero.
Authorities have already taken some action independent of the reward. According to Gadget Review, the FBI and DOJ have seized 26 internet domains tied to the phishing infrastructure used in the campaign. Investigators also found that members of UNC5792 had tampered with legitimate Signal group-invitation pages, quietly redirecting unsuspecting users to links that, once opened, linked an attacker-controlled device to the victim's account instead of adding them to a group.
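To make the two lure styles and the disguised "group invite" concrete, here is an added triage heuristic in Python. It is example code written for this page, not code from Signal, the FBI, or any outlet quoted above. It assumes Signal's device-linking URI takes the form sgnl://linkdevice?uuid=...&pub_key=... and that genuine group invites live under https://signal.group/#...; the phrase patterns and the sample messages are constructed from the descriptions in "How the Scam Actually Works" and the seized-domain paragraph, not from an official indicator list.

```python
"""Triage heuristics for Signal/WhatsApp 'support' lures and disguised device-linking URIs.

Added example, not code from Signal, the FBI, or any outlet quoted on the page.
Assumptions: Signal device-linking URIs look like sgnl://linkdevice?uuid=...&pub_key=...
and group invites like https://signal.group/#...; the lure phrases below are
constructed from the page's description of the messages, not an official IOC list.
"""
import re
from urllib.parse import parse_qs, urlparse

LINK_RE = re.compile(r"""\b(?:https?|sgnl)://[^\s<>"']+""", re.I)

# Lure features the page describes: impersonated support, a request for a code or
# recovery key, manufactured urgency, and an instruction to paste the secret into chat.
FEATURES = {
    "support_claim": re.compile(r"\b(signal|whatsapp)\s+(support|team|security)\b", re.I),
    "secret_request": re.compile(
        r"\b(recovery key|verification code|backup (key|passcode)|\d[- ]digit code)\b", re.I),
    "urgency": re.compile(
        r"\b(mandatory|permanent(ly)? (loss|lost)|sync issue|immediately|within \d+ (hours|minutes))\b", re.I),
    "paste_instruction": re.compile(r"\b(paste|send|reply with|share)\b.{0,40}\b(key|code)\b", re.I | re.S),
}


def classify_link(url: str) -> dict:
    """Label a URL: 'device_link' (adds a new device to the account), 'group_invite', or 'other'."""
    p = urlparse(url.strip())
    scheme, host = p.scheme.lower(), p.netloc.lower()
    target = host or p.path.lstrip("/").lower()          # handles sgnl://linkdevice and sgnl:linkdevice
    if scheme == "sgnl" and target.startswith("linkdevice"):
        q = parse_qs(p.query)
        # A real provisioning URI carries both parameters; report whether this one does.
        return {"url": url, "kind": "device_link",
                "has_provisioning_params": "uuid" in q and "pub_key" in q}
    if scheme == "https" and host == "signal.group" and p.fragment:
        return {"url": url, "kind": "group_invite"}
    return {"url": url, "kind": "other"}


def triage(text: str) -> dict:
    """Score one message: 'block', 'review', or 'ok', plus the features and links found."""
    findings = [name for name, rx in FEATURES.items() if rx.search(text)]
    links = [classify_link(u) for u in LINK_RE.findall(text)]
    tags = set(findings)
    if any(lk["kind"] == "device_link" for lk in links):
        verdict = "block"   # an 'invite' that actually links an attacker-controlled device
    elif "secret_request" in tags and tags & {"support_claim", "urgency", "paste_instruction"}:
        verdict = "block"   # asks for a code/key while impersonating support or pressuring
    elif tags:
        verdict = "review"  # a single weak signal: worth a look, not an automatic block
    else:
        verdict = "ok"
    return {"verdict": verdict, "findings": findings, "links": links}


# Constructed sample messages modelled on the lures described on the page.
SAMPLES = {
    "fake_2fa": ("Signal Security Team: due to a wave of hacking attempts, mandatory "
                 "two-factor verification is required. Reply with the 6-digit code you "
                 "receive. Thank you for using the most secure messenger with end-to-end encryption."),
    "sync_issue": ("Sync issue detected: your messages and media are at risk of permanent loss. "
                   "Open Settings > Backups > View Recovery Key and paste that key here so we can restore them."),
    "fake_invite": ("Join our analysts group here: sgnl://linkdevice?uuid=00000000-0000-4000-8000-000000000000"
                    "&pub_key=QUJDREVGR0g"),   # placeholder uuid/pub_key, constructed
    "real_invite": "Here is the invite link for the working group: https://signal.group/#CjQKIGV4YW1wbGU",
    "door_code": "Hey, can you send me the door code for the office?",
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        r = triage(msg)
        print(f"{label:12} -> {r['verdict']:6} {r['findings']} {[lk['kind'] for lk in r['links']]}")
```

The two verdicts that matter are the ones the text turns on: a message that both asks for a code or recovery key and impersonates support or manufactures urgency is blocked outright, and any sgnl://linkdevice URI is blocked regardless of wording, because opening it is what silently links the attacker's device. A lone "send me the code" with no other signal only lands in review, which is where a human should decide. Word lists like these are brittle, so treat the patterns as a starting point for a real filter, not the filter itself.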
Why Trained Professionals Still Fall For It

It would be easy to assume that diplomats, intelligence officers and seasoned journalists are too savvy to fall for a fake support message. The reality, officials say, is more mundane.
Fatigue, distraction, and the sheer volume of digital notifications people field daily make even high-value, security-conscious targets vulnerable. A message that arrives at the end of a long day, phrased with just enough technical plausibility, doesn’t need to fool everyone — it only needs to fool someone with access worth having.
Phishing remains one of the cheapest, lowest-skill tools in the cybercrime playbook precisely because it exploits this. It doesn’t require breaking code. It requires breaking attention.
Encryption Isn’t the Weak Point — People Are
Security researchers have been quick to stress one point: this is not a Signal or WhatsApp vulnerability story.
As Hacks Tech News put it, the attacks on Signal and WhatsApp do not indicate a vulnerability in the platforms themselves but show how attackers are adapting to encrypted messaging by targeting users directly instead of exploiting encryption.
That distinction matters. End-to-end encryption still holds. What’s collapsing is the human layer around it — the moment a tired official clicks a link that looks official, or pastes a recovery code into a fake support chat.
What Compromised Users Should Do Now
Anyone who has already shared a Signal backup key is being told to act immediately: generate a new recovery key through the app’s settings, which invalidates the old one for any future backup downloads.
There’s an important limitation, though. A fresh key cannot undo damage that’s already done — if an attacker has already downloaded a backup using the original key, regenerating it won’t claw that data back. It only prevents future access.
Officials also reiterated some basic but often-ignored rules: legitimate support teams for messaging apps never ask users to share verification codes inside the app, and they never send links asking users to “verify” or “restore” an account. Any message creating a false sense of urgency deserves extra scrutiny, not an immediate reaction — waiting an hour or two to confirm a request through official channels rarely costs anything, while acting too fast can cost everything.
Why This Matters Beyond Washington
For a global readership, the implications stretch well past US borders. The targeting pattern — diplomats, military figures, journalists, NGO workers — mirrors tactics increasingly used against civil society and media figures in conflict zones and politically sensitive regions worldwide, including South Asia.
Messaging apps like WhatsApp and Signal are the default communication tools for millions of officials, activists and reporters globally. A campaign exploiting trust in “support” messages on these platforms is a template that can be — and likely has been — replicated by other state and non-state actors far beyond the Russia-Ukraine context.
People Also Ask
What is the $10 million reward for?
The US State Department’s Rewards for Justice program is offering up to $10 million for information identifying or locating members of UNC5792 and UNC4221, two Russia-linked hacking groups.
Which apps were targeted?
Signal and WhatsApp accounts were the primary targets, with attackers using phishing tactics rather than breaking encryption.
Who were the victims?
US and allied government officials, military leadership, diplomats, journalists covering Russia and Ukraine, NGO workers, and academic researchers.
How did the hackers gain access?
By posing as platform support staff, sending fake “verification” or “data recovery” alerts, and tricking victims into sharing verification codes or Signal Backup Recovery Keys.
If I already shared my recovery key, am I safe after changing it?
Only partially. Generating a new key blocks future access, but it cannot undo access an attacker already gained using the old key.
What would you do if a “support” message like this landed in your own inbox tomorrow?