US Posts $10 Million Reward Over Russian-Intelligence Signal and WhatsApp Phishing

A coordinated US law-enforcement push against a Russian-intelligence messaging-app campaign pairs a Rewards for Justice bounty with an FBI advisory on Signal backup-recovery-key theft.


Key Takeaways

  • The US State Department, through its Rewards for Justice program, posted a reward of up to $10 million for information on members of two Russian-intelligence-linked clusters, tracked as UNC5792 and UNC4221, behind a sustained phishing campaign against Signal and WhatsApp accounts.
  • A parallel FBI advisory, published as PSA I-062626-PSA and updating a March 2026 warning, says the operators have shifted their primary objective from stealing one-time verification codes to coaxing targets into handing over their Signal Backup Recovery Key, which grants durable access to message history.
  • The reward and advisory together frame the activity as a law-enforcement and counter-intelligence matter targeting high-value individuals — government officials, military personnel, journalists, political figures, and Ukrainian officials — rather than a single breach event.

WASHINGTON — The US State Department on or about June 29, 2026 posted a reward of up to $10 million for information on the people behind a Russian-intelligence-linked phishing campaign against Signal and WhatsApp accounts, escalating a months-long government response into a public bounty. The offer, made through the department's Rewards for Justice program, names two clusters tracked by researchers as UNC5792 and UNC4221, which US authorities associate with Russia's Federal Security Service (FSB) and military services respectively. It landed alongside a refreshed FBI advisory warning that the same operators have changed their phishing playbook to target a more durable prize: the Signal Backup Recovery Key.

The pairing of a financial reward with a defender-facing advisory gives the campaign a distinctly law-enforcement framing. Rather than a one-off disclosure, the US action treats the messaging-app activity as a continuing counter-intelligence problem aimed at high-value targets, and it follows a June 28 disclosure from Ukraine's CERT-UA documenting a closely related effort to harvest messaging credentials. Together the two notices sketch a coordinated, cross-border view of how Russian intelligence services have leaned on secure-messaging apps as a collection channel.

At a Glance
Field | Details
Issued by | US State Department — Rewards for Justice program
Reward | Up to $10 million for information
Target | UNC5792 (linked to FSB) and UNC4221 (linked to Russian military services)
Apps | Signal and WhatsApp
FBI advisory | PSA I-062626-PSA — updates a March 2026 warning
Cross-reference | June 28 CERT-UA messaging-credential disclosure
Status | Reward active; advisory issued

What the State Department Posted

The Rewards for Justice program, run by the State Department's Diplomatic Security Service, announced a reward of up to $10 million for information leading to the identification or location of people who, acting on behalf of a foreign government, have engaged in malicious cyber activity against US critical infrastructure. In this instance the notice points specifically at two clusters tracked in industry reporting as UNC5792 and UNC4221, which US authorities tie to Russian intelligence and military services.

According to the department, the activity at issue is a widespread phishing campaign aimed at the Signal and WhatsApp accounts of US government officials, military leaders, and allied personnel. Investigators describe operators abusing legitimate features of the apps — most notably the device-linking workflow — to gain access to private messages and contact lists. The reward seeks information on the names, locations, and affiliations of the actors and their support personnel, including any connections to Russian intelligence agencies, contractors, and third-party service providers.

Rewards for Justice is a long-running State Department program originally created for counter-terrorism tips and expanded in recent years to cover foreign state-sponsored cyber activity against the United States. Posting a bounty does not constitute an indictment, and the department has not, in this notice, attached individual names to the clusters; the offer is structured to elicit the kind of identifying detail that could support future attribution or charges.

The FBI Parallel Advisory in Context

Released alongside the reward was a refreshed FBI advisory, published as PSA I-062626-PSA, that updates a March 2026 warning about Russian intelligence phishing of Signal accounts. The headline change is a shift in objective. Earlier waves of the campaign chased one-time SMS verification codes and account PINs, or used doctored "group invite" links that silently linked an attacker-controlled device to a target's account. The updated advisory says the operators now walk targets through enabling Signal backups, opening their Signal Backup Recovery Key, and pasting it into the chat.

That distinction matters for defenders because of what the recovery key unlocks. Where a stolen verification code or a linked device tends to yield access that can be revoked — by unlinking the device or re-registering the number — the recovery key is tied to the encrypted backup itself. The FBI advisory warns that once a target hands the key over, an operator can restore the account's backup and read its private and group message history, and that the key continues to work even if the target later creates a new account on the same phone number. The relevant defensive guidance is therefore narrow and concrete: a Signal Backup Recovery Key should be treated as a long-lived secret that legitimate support staff will never ask for, and it should never be typed or pasted into a chat in response to a prompt, however urgent the message appears.

The advisory reportedly prints two sample lures to help recipients recognize the pattern: one framed as a mandatory two-factor-authentication rollout, the other as an urgent "data recovery" fix for messages supposedly at risk of being lost. Both rely on a posed Signal support identity and on manufactured time pressure — the familiar mechanics of credential phishing applied to a secure-messaging context that many high-risk users assume is out of reach.

Cross-Reference: the June 28 Ukraine-CERT-UA Disclosure

The US notices do not stand alone. A day earlier, on June 28, 2026, Ukraine's Computer Emergency Response Team, CERT-UA, documented a related effort to harvest messaging-app credentials from Ukrainian targets, attributing the activity to Russian intelligence. Read together, the two disclosures describe overlapping tradecraft — social-engineering lures that turn the device-linking and backup features of secure messengers into a collection channel — pursued against parallel sets of high-value targets on both sides of the Atlantic.

The clustering is consistent with how Russian intelligence services have been described targeting messaging platforms over the past two years. Public reporting has previously tied separate Russia-aligned groups to Signal device-linking abuse, and European governments have made their own attributions: Germany, for one, has formally blamed Russia for Signal phishing aimed at members of its parliament. The Rewards for Justice notice and the CERT-UA advisory add US and Ukrainian government weight to a picture that had, until recently, been assembled largely from private-sector threat research.

That convergence is the practical significance of the timing. Two government bodies in two countries, within a day of each other, characterized secure-messaging compromise as a state-directed intelligence operation rather than ordinary cybercrime — a framing that aligns with broader allied efforts, including a recent Five Eyes statement on emerging cyber risks, to treat nation-state activity against trusted software and platforms as a shared problem.

Messaging-App User Awareness for High-Risk Roles

For the audiences the campaign targets — current and former government officials, military personnel, political figures, journalists, and officials in Ukraine — the advisory translates into a small set of habits rather than a software fix. The first is recognizing that the apps themselves are not broken. Signal's and WhatsApp's end-to-end encryption is not what is being defeated here; the operators are persuading targets to perform legitimate actions, such as linking a new device or revealing a backup key, that hand over access. The defense is social and procedural, aimed at the moment a user is asked to do something with their account.

Concretely, the guidance reduces to a few checks that apply regardless of which lure arrives. Treat any unsolicited message that invokes account security, a mandatory update, or data loss as suspect, especially when it carries time pressure or a link. Never share a verification code, account PIN, or — most importantly under the updated advisory — a Signal Backup Recovery Key in response to a prompt; no legitimate support process requires a user to paste that key into a conversation. Periodically review the list of linked devices in each messaging app and remove any that are unfamiliar, since a silently linked device is a primary route to a target's message stream.

High-risk users can also harden the surface in advance. Enabling a registration lock or equivalent PIN, scrutinizing group-invite links before acting on them, and confirming any account-related request through a separate, trusted channel all raise the cost of the social-engineering step the campaign depends on. None of these measures is novel, but the FBI advisory's value is in directing them at a specific, currently active technique against a specific population that is unusually likely to be targeted.

Open Questions

Several aspects of the US action remain open. The Rewards for Justice notice associates UNC5792 and UNC4221 with Russian intelligence and military services but does not, in public materials, name individuals or attach criminal charges; whether the bounty produces identifying information that supports an indictment is, by design, not yet knowable. The scale of the campaign is described in reporting as having affected thousands of messaging accounts, but a precise count, and a full accounting of which organizations and individuals were ultimately accessed, has not been published.

It is also not established from the public notices alone how directly the US-targeted activity and the CERT-UA-documented effort are operationally linked, beyond shared tradecraft and a common adversary. The two disclosures are best read as complementary rather than as a single confirmed operation. Similarly, while the FBI advisory describes the backup-recovery-key technique in detail, the notices do not quantify how many targets fell for it versus the earlier verification-code lures.

What is firmly established is enough to act on. A US government program has put a public price on information about two named Russian-intelligence-linked clusters; a federal advisory has documented a specific, current phishing technique against secure-messaging apps; and a partner government issued a closely related warning a day earlier. For the high-risk individuals these notices address, the durable takeaway is procedural — guard the recovery key, scrutinize account-security prompts, and audit linked devices — and it holds regardless of how the attribution and any future charges ultimately resolve.


Sources

Type | Source
Primary | US Department of State — Rewards for Justice notice
Primary | FBI — Public Service Announcement I-062626-PSA
Reporting | CyberScoop
Reporting | Infosecurity Magazine — reward
Reporting | Dark Reading
Reporting | Infosecurity Magazine — FBI backup-recovery-key angle
Related | The CyberSignal — Signal recovery-key phishing wave
Related | The CyberSignal — CERT-UA Russian-intelligence messaging credentials