U.S. Targets Russian Cyber Spies With $10M Bounty Over Messaging App Attacks
June 29, 2026 
The U.S. offers up to $10M for information on Russian hackers targeting Signal and WhatsApp accounts of officials and journalists.
The U.S. government is offering rewards of up to $10 million for information leading to the identification of members of the Russian-linked groups UNC5792 and UNC4221.
The hackers target government officials, military personnel, journalists, and political figures through phishing attacks on Signal and WhatsApp. U.S. agencies warn the groups have evolved their tactics and now trick victims into revealing Signal Backup Recovery Keys, giving them access to past conversations and account data.
“Rewards for Justice is offering a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act.” reads the announcement published by the US Government.
The attackers rely on social engineering rather than breaking encryption. They abuse legitimate device-linking features in secure messaging apps such as Signal to trick victims into connecting an attacker-controlled device to their accounts.
Once they have gained access to the target’s account, they can read sensitive conversations, access contact lists and group chats, and use the compromised account to launch new phishing attacks. In some cases, the hackers modified legitimate Signal group invite pages to redirect users to malicious links.
According to U.S. authorities, these tactics have already compromised thousands of messaging accounts.
“Targets of this cyber scheme include U.S. government officials, diplomatic personnel and foreign affairs officials, defense and national security personnel, policy analysts and advisors, NATO member-state officials and diplomats, allied intelligence and defense partners, investigative journalists covering Russia, Ukraine, and international affairs, non-governmental organizations providing support and assistance to Ukraine, and academic researchers in security studies and Russian affairs.” continues the announcement.
The U.S. Rewards for Justice program is seeking information that could identify members of UNC5792 and expose how the group operates. Authorities are interested in the hackers’ identities, their links to Russian intelligence, supporting personnel and contractors, the infrastructure and tools used in attacks, as well as the financial networks, bank accounts, cryptocurrency wallets, and funding sources that sustain the group’s operations.
This week, the FBI and CISA updated their March 2026 warning about Russian intelligence phishing campaigns, and the new advisory adds a detail that wasn’t in the original: the operators have shifted their primary objective from stealing verification codes to stealing Signal Backup Recovery Keys.
The March warning covered FSB-linked groups targeting government officials, military personnel, journalists, and Ukrainian officials through fake Signal support messages. The June update gives those groups public tracking names: UNC5792 and UNC4221, both linked to Russian Federal Security Service officers including those embedded with FSB Border Guards and others working on behalf of Russian military services.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, Signal)
