US Targets Russian Hacking Groups With Massive $10 Million Bounty
Federal authorities are hunting two state-linked cyber groups behind a persistent, large-scale campaign targeting Signal and WhatsApp.
The digital boundaries protecting high-value communications have been systematically breached, not through complex cryptographic failures, but through the precise manipulation of human trust. As federal agencies scramble to contain a far-reaching espionage operation, the latest state-sponsored campaign highlights the vulnerability of even the most secure messaging platforms when faced with sophisticated social engineering.
A Coordinated State-Backed Offensive
The campaign, which has been active since at least March, involves the targeted compromise of thousands of accounts belonging to US government employees, investigative journalists, and military personnel. By masquerading as automated support services, attackers have successfully tricked users into linking unauthorized devices or disclosing sensitive account passcodes.
The Evolution of Digital Deception
As the campaign has matured, the methodologies employed by the adversaries have become increasingly devious. The FBI noted that in addition to initial account hijacking attempts, attackers are now specifically coercing users into creating and sharing backup encryption keys. This evolution allows the actors to bypass the platform's native protections to access historical message logs that were previously shielded by end-to-end encryption.
“Under this reward offer, RFJ is seeking information on UNC5792, a malicious cyber group associated with the Russian Federal Security Service (FSB) Border Guards and UNC4221, a malicious group of cyber actors working on behalf of the Russian military services,” Monday’s post read. “UNC5792 has conducted widespread phishing campaigns targeting Signal and WhatsApp accounts of US government officials, military leadership, and allied personnel.”
Quantifying the Escalating Threat
- $10 million: The maximum reward offered by the State Department for information regarding the identities or locations of the actors.
- Thousands: The number of Signal and WhatsApp accounts confirmed to have been compromised during the operation.
- Two: The count of specific Russian government-linked groups, tracked as UNC5792 and UNC4221, identified as responsible for the activity.
Defending Against Social Engineering
The persistence of these attacks serves as a stark reminder that even the most secure communication tools remain susceptible to human error. Because the attackers are exploiting trust rather than software vulnerabilities, the primary defense lies in extreme vigilance regarding unsolicited messages. Users who have inadvertently shared their recovery keys are advised to immediately generate a new Backup Recovery Key, which invalidates previous keys for future downloads, though this does not negate the exposure of already exfiltrated data.
The Long-Term Security Implications
For organizations and individuals alike, this operation signals a shifting landscape in state-sponsored espionage. The reliance on persistent phishing tactics against elite targets—despite the high risk of discovery—underscores the strategic importance these actors place on intercepting sensitive communications. As the government increases the financial stakes through the Reward for Justice program, the burden of security shifts back to the end-user, who must now navigate messaging environments where even seemingly legitimate support prompts should be treated as potential conduits for state-level intelligence theft.