US offers $10 million reward for information on Russian hackers attacking Signal and WhatsApp users


The United States Department of State has announced a reward of up to $10 million for information leading to the identification or location of members of the UNC5792 and UNC4221 hacking groups.

These groups are linked to Russia’s military and intelligence agencies. This offer is part of the State Department’s Rewards for Justice program.

The groups have carried out extensive phishing campaigns targeting the Signal and WhatsApp accounts of US government officials, military leaders, and allied personnel.

UNC5792 is associated with the border guards of Russia’s Federal Security Service, while UNC4221 is described as operating on behalf of the Russian military services.

Last week, the FBI and CISA updated a March 2026 advisory with new tactics seen in attacks attributed to these groups.

What the US government wants to know

The US government is seeking information about the UNC5792 group and its support personnel. They want details about the names, locations, biographies and affiliations of these actors and their crew members.

Additionally, they are interested in connections with Russian intelligence agencies, contractors and third-party service providers. The request includes information about the group’s operational infrastructure, such as domains, servers, hosting environments, data storage solutions, tools, frameworks and software used.

They are also investigating funding sources, financial accounts, banking relationships and payment methods. Finally, they seek details about cryptocurrency wallets, blockchain transactions, and financial networks that support the group’s operations.

The attacks do not exploit vulnerabilities in Signal or WhatsApp encryption. Instead, they rely on social engineering tactics that target users to obtain access details.

According to the FBI and CISA, attackers are posing as Signal support representatives in direct messages, claiming that mandatory two-factor verification is needed.

This is a scam designed to persuade users to share their Signal Backup recovery key, which provides access to their previous communications on the platform.

Once attackers have the backup key, they can restore the victim’s Signal data to a device they control and view previous messages.

The US government has confirmed that thousands of individual accounts have been compromised on both Signal and WhatsApp through these methods.

Who is at risk and how to stay protected

The main targets include:

  • US and NATO government officials, diplomatic and defense personnel, intelligence officials, policy analysts, journalists covering Russia and Ukraine.
  • NGOs supporting Ukraine, security researchers and specialists in Russian affairs.

Although the focus is primarily on individuals in government and political roles, the techniques used can be modified to target any high-value individuals.

Signal and WhatsApp users should follow these practices to stay protected:

  1. Never share Signal Backup recovery keys with anyone, regardless of how legitimate the request seems.
  2. Please note that Signal Support never requests verification codes or recovery keys within the app or through unsolicited messages.
  3. Treat any requests to verify or restore your account using links or codes as possible phishing.
  4. Check the source of any communication claiming to be from Signal or WhatsApp by visiting the official support page directly through the company’s app or website.
  5. Enable two-factor authentication for your accounts using a separate authenticator app, not via SMS.
  6. Be especially cautious if you work in or with the government, defense, journalism or NGO sectors, as these are common targets.

The official Signal support team communicates only through official email addresses and does not send direct messages within the app or communicate through unsolicited contacts.

How to report information about Russian hackers

Anyone with information that could help identify or find members of UNC5792 or UNC4221 is asked to contact the Rewards for Justice program.

Tips can be submitted through the program's website or through encrypted channels designed for confidential sources. The $10 million reward is among the highest offered by the program, indicating how serious and ongoing the threat is.

In previous cases, rewards have been paid for information leading to the identification or capture of state-sponsored cyber actors.

The reward announcement is part of the broader U.S. response to Russian cyber operations targeting U.S. and allied interests.

The attacks on Signal and WhatsApp do not indicate a vulnerability in the platforms themselves, but show how attackers are adapting to encrypted messaging by targeting users directly instead of exploiting the encryption.

For those not in the targeted groups, these attacks serve as a reminder that even highly encrypted messaging services can be compromised through social engineering.

Maintaining good operational security, such as being cautious about unsolicited messages and protecting recovery keys, remains important regardless of the strength of the encryption.


