U.S. State Department offers $10 million reward for information on Russian cyber group targeting Signal and WhatsApp accounts

The U.S. State Department announced a reward of up to $10 million for information leading to the identification or location of individuals involved in a Russian state cyber group’s phishing campaigns targeting Signal and WhatsApp accounts. The campaign, active since at least March, has compromised thousands of accounts belonging to investigative reporters, U.S. government employees, military personnel, political figures, and journalists.

The Federal Bureau of Investigation previously warned of phishing messages masquerading as automated support communications, asking users to click links or provide verification codes or account passcodes. Compromised accounts allow attackers to read new messages, though Signal’s safety feature prevents access to prior conversations unless users share their backup encryption keys.

Last week, the FBI updated its advisory to note the campaign’s evolution. Attackers now also urge users to create backups and share the long passcode used to encrypt those backups, granting access to past Signal conversations. The FBI attributed the activity to two Russian government-linked groups: UNC5792, associated with the Russian Federal Security Service (FSB) Border Guards, and UNC4221, working on behalf of Russian military services.

In some cases, UNC5792 altered legitimate Signal group invite pages to redirect users to malicious URLs, linking victims’ accounts to attacker-controlled devices without exploiting platform encryption vulnerabilities. The State Department’s Reward for Justice program explicitly seeks information on these groups, emphasizing their widespread targeting of U.S. and allied personnel.