The US State Department is offering a $10 million reward for information on two Russian state hacker groups, UNC5792 and UNC4221, accused of running a sustained phishing campaign against Signal and WhatsApp users tied to NATO governments, military leadership, and civil society.
The bounty, announced under the State Department's Rewards for Justice program on June 29, 2026, is one of the largest public offers yet for information on Russian cyber operatives who go after accounts on encrypted messaging apps rather than the apps' underlying encryption.
Who Are UNC5792 and UNC4221?
Security researchers tie UNC5792 to the FSB Border Guard Service and UNC4221 to Russian military intelligence. Both groups have run parallel phishing campaigns against Signal and WhatsApp accounts since at least 2025, according to advisories updated by the FBI and CISA earlier this year.
A Backup-Key Phishing Trick, Not a Signal Exploit
The attackers do not break Signal's or WhatsApp's encryption. Instead, they impersonate official support accounts and message targets directly, claiming that mandatory two-factor verification requires re-entering their Signal Backup Recovery Key. Victims who comply hand over the one credential that unlocks their entire message history and lets attackers silently link a second device to the account.
- Impersonation: Messages appear to come from Signal or WhatsApp support.
- Pretext: A fake mandatory security or verification step.
- Payload: The victim's own backup recovery key, typed directly into a chat.
- Result: Full read access to past conversations and silent device linking.
Journalists and NGOs Were Explicit Targets
The State Department and FBI describe a victim pool that goes well beyond uniformed personnel. Alongside US and NATO government, defense, and intelligence officials, the campaign specifically targeted journalists covering Russia and Ukraine, NGOs supporting Ukraine, policy analysts, and researchers focused on Russian security affairs. For reporters and activists who rely on Signal precisely because it is considered hardened against surveillance, the campaign is a reminder that the weakest link is rarely the protocol itself.
Thousands of Accounts, One Reward
Officials say thousands of commercial messaging accounts have been compromised through this technique across the two campaigns. The $10 million reward is meant to draw out insiders or associates willing to identify individual operators behind UNC5792 and UNC4221, following the same playbook Rewards for Justice has used against other state-linked hacking crews.
How to Protect Yourself
- Never share your Signal Backup Recovery Key or WhatsApp two-step PIN with anyone, including accounts claiming to be "support."
- Check linked devices regularly in Signal (Settings -> Linked Devices) and WhatsApp (Settings -> Linked Devices) and remove anything you don't recognize.
- Enable registration lock or two-step verification with a PIN only you know.
- Treat unsolicited "verification required" messages as phishing by default, regardless of how official they look.
A VPN does not stop this specific attack, since the phishing happens inside the messaging app itself rather than at the network layer. For journalists and NGO staff operating in or reporting on Russia and Ukraine, though, routing traffic through a VPN still matters for hiding location and browsing activity from the same state actors running these phishing campaigns.