U.S. Offers $10 Million Reward To Identify UNC5792 Russian Hackers Targeting Signal And WhatsApp
Image: Zamin.uz

U.S. Offers $10 Million Reward To Identify UNC5792 Russian Hackers Targeting Signal And WhatsApp

28 May, 2026.USA.23 sources

Key Takeaways

  • Rewards up to $10 million under RFJ to identify or locate UNC5792/UNC4221 Russian hackers.
  • Groups UNC5792 and UNC4221 target Signal and WhatsApp accounts of US officials, journalists, and others.
  • The operation has been active since at least March; FBI advisory warns of phishing campaigns.

$10M Bounty for UNC5792

The U.S. Department of State announced a reward of up to $10 million for information leading to the identification or location of members of UNC5792, a Russian state-linked hacking group accused of targeting Signal and WhatsApp accounts belonging to U.S. government officials, military personnel, journalists, and other high-value individuals.

The announcement says the campaign has evolved to steal Signal Backup Recovery Keys, allowing attackers to access victims' encrypted message archives in addition to taking over their accounts.

Image from Amnesty International
Amnesty InternationalAmnesty International

The FBI and CISA said Russian intelligence operators continue to impersonate messaging app support teams through phishing messages that request one-time verification codes, account PINs, or, more recently, Signal Backup Recovery Keys.

The State Department also linked UNC5792 to officers embedded in the Russian Federal Security Service (FSB) Border Guards and said it works alongside UNC4221, another cluster linked to Russian military intelligence.

The U.S. agencies warned that the key remains valid even if the victim creates a new Signal account using the same phone number, and that users must generate a new Backup Recovery Key in Signal's settings to invalidate a stolen key.

Backup Keys Replace Codes

Security Affairs reported that the U.S. government is offering rewards of up to $10 million for information on individuals associated with UNC5792 and UNC4221, and said the hackers target government officials, military personnel, journalists, and political figures through phishing attacks on Signal and WhatsApp.

It quoted the U.S. government announcement that "Rewards for Justice is offering a reward of up to $10 million for information leading to the identification or location of any person" participating in malicious cyber activities against U.S. critical infrastructure.

Image from Ars Technica
Ars TechnicaArs Technica

The FBI and CISA update described in the same coverage says the operators shifted their primary objective from stealing verification codes to stealing Signal Backup Recovery Keys.

GovInfoSecurity said the FBI's cyber division warned that "The threat actors have compromised individual CMA accounts, but not the CMA's encryption or the application itself," emphasizing that the apps' encryption is not broken.

The Record from Recorded Future News added that compromised backup recovery keys can remain valid even if victims create new accounts using the same phone number, potentially allowing attackers to regain access in the future.

Who Is Targeted Next

The U.S. advisory described the campaign as targeting current and former U.S. government officials, diplomatic staff, military leaders, NATO personnel, intelligence partners, journalists covering Russia and Ukraine, NGOs supporting Ukraine, and academic researchers focused on Russian affairs.

CyberInsider said the FBI and CISA recommend treating unsolicited messages claiming to be from Signal or other messaging platform support teams as fraudulent, and urged users to never share verification codes, PINs, or Backup Recovery Keys through chat messages.

SecurityWeek said the U.S. is willing to pay up to $10 million for information leading to the identification of UNC5792 actors, including their names, location, and biographies, and it seeks details on affiliation with Russian intelligence services and supporting entities.

GovInfoSecurity reported that the attackers are continuing to try and socially engineer high-value people in multiple jurisdictions, including in the United States, Ukraine, Australia and Europe.

The U.S. Department of State said the purpose of the hacks is to gain access to sensitive military, political and economic information exchanged by users, as well as to steal their personal data.

More on USA