- The U.S. State Department is offering $10 million for information on Russian hacking group UNC5792, which targets the Signal and WhatsApp accounts of officials, journalists, and military personnel.
- The attackers steal Backup Recovery Keys through phishing messages, allowing them to decrypt archived message history even after victims re-register their accounts.
- The FBI and CISA urge users never to share verification codes, PINs, or recovery keys, and to report incidents to IC3 or CISA.
The U.S. State Department has announced a reward of up to $10 million for information leading to the identification of individuals involved with UNC5792, a Russian state-linked cyber espionage group.
The bounty is offered through the Rewards for Justice program, the State Department's primary channel for gathering information about foreign threats to the United States.
Alongside the reward, the FBI and CISA have issued a concurrent warning about the group's activity. They say the campaign has escalated: attackers now steal Signal Backup Recovery Keys, which let them restore archived messages even after a victim re-registers the account.
UNC5792 works with Russian intelligence officers embedded in the FSB Border Guards. The group collaborates with UNC4221, another cluster tied to Russian military intelligence. Neither group breaks Signal's encryption; both rely on phishing that abuses legitimate app features.
How the Attack Works
The attackers pose as customer service representatives from the messaging apps themselves and send messages asking for verification codes, PINs, or Backup Recovery Keys. To many recipients these requests look legitimate.
The Backup Recovery Key is what unlocks the encrypted backup, so anyone who holds it can restore the target's full message history, including attachments, private conversations, and group conversations. According to the advisory, the key remains functional even if the target creates a new account with the same phone number, so re-registering alone does not cut off the attacker's access.
Federal authorities state that the operation has already compromised thousands of accounts worldwide. Targets include current and former government officials, embassy staff and local embassy employees, military command personnel, NATO personnel, intelligence partners, academic researchers and journalists covering Russia and Ukraine, and NGOs providing assistance to Ukraine.
This campaign is one part of a much broader pattern of Russian cyber operations, which have also been described as threatening the UK with black screens and empty bank accounts, underscoring how far these threats reach.
The advisory follows a March warning from the FBI and CISA describing how Russian intelligence agents abused Signal's linked-device feature, combined with social engineering, to compromise accounts. In May, researchers and targeted users published examples of phishing messages impersonating Signal Support that tried to obtain Backup Recovery Keys.
What the State Department Wants to Know
The State Department is asking for specific information that would identify and locate individual members of UNC5792: real names, intelligence affiliations, physical locations, and details of the digital infrastructure the group uses.
The authorities also want the group's web domains, hosting providers, cryptocurrency wallets, funding sources, and financial networks. The reward extends to information on private contractors who support the Russian operations.
The size of the reward shows how seriously the US Government treats this particular threat. Senior government officials and independent journalists use Signal every day to discuss sensitive political and military matters. Attackers who gain access to those accounts could expose confidential information and put sources and contacts at risk.
The bounty sends a clear message to foreign hackers and gives insiders with knowledge of the group an incentive to come forward.
How to Protect Yourself
According to the FBI and CISA, users should treat any unsolicited message claiming to be from Signal Support as fraudulent. Never give verification codes, PINs, or Backup Recovery Keys to anyone through chat messages; legitimate support will not ask for them, and any account-related request should be verified through official channels. Because the earlier campaign abused device linking, it is also worth reviewing the Linked Devices list in Signal's settings and removing any device you do not recognize.
Users can generate a new Backup Recovery Key from Signal's settings menu, which makes a compromised key worthless for future backups. However, rotating the key does not protect any backup the attackers have already downloaded: that copy was encrypted under the old key and stays readable with it.
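The following is an added example, not code from the original article or from Signal. It is a toy model of a recovery-key-protected backup, not Signal's real backup format or key derivation: the recovery key alphabet, the HMAC-SHA256 derivation, the SHA-256 counter-mode stream cipher, and the sample archive contents are all assumptions made for illustration. What it shows is the behaviour described in the sections on how the attack works and on key rotation: whoever holds the recovery key can decrypt the archive, the key keeps working after the victim re-registers unless it is rotated, and rotating it does not help for a backup copy the attacker already fetched.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Toy model (NOT Signal's real scheme). Only the key-ownership semantics matter here:
# the recovery key is the root secret from which the backup encryption key is derived.
RECOVERY_KEY_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # assumption: a 31-character alphabet


def generate_recovery_key() -> str:
    """64-character recovery key (length mirrors Signal's; the format is assumed)."""
    return "".join(secrets.choice(RECOVERY_KEY_ALPHABET) for _ in range(64))


def derive_backup_key(recovery_key: str) -> bytes:
    """Derive the backup encryption key from the recovery key (assumed KDF: HMAC-SHA256)."""
    return hmac.new(recovery_key.encode(), b"backup-encryption-key", hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, used as a stream cipher for this toy only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_backup(recovery_key: str, archive: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC-SHA256 tag."""
    key = derive_backup_key(recovery_key)
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(archive, _keystream(key, nonce, len(archive))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_backup(recovery_key: str, blob: bytes) -> Optional[bytes]:
    """Return the archive, or None if the key is wrong or the blob was tampered with."""
    if len(blob) < 48:
        return None
    key = derive_backup_key(recovery_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def phishing_scenario() -> dict:
    """Walk through the phishing attack and the key-rotation caveat (all data constructed)."""
    victim_key = generate_recovery_key()
    archive_v1 = b"[direct] A: meeting moved to 0900\n[group ops] B: see attachment\n"
    cloud_backup = encrypt_backup(victim_key, archive_v1)  # what the backup server holds

    # Step 1: the victim pastes the recovery key into a chat with fake "Signal Support".
    # The attacker fetches the stored backup and decrypts it with the phished key.
    attacker_copy = cloud_backup
    stolen = decrypt_backup(victim_key, attacker_copy)

    # Step 2: the victim re-registers with the same number but keeps the same recovery
    # key (the advisory's point: the key is not tied to the registration). New backups
    # are still readable with the phished key.
    archive_v2 = archive_v1 + b"[direct] A: new phone, same number\n"
    cloud_backup = encrypt_backup(victim_key, archive_v2)
    readable_after_reregister = decrypt_backup(victim_key, cloud_backup) == archive_v2

    # Step 3: the victim generates a fresh recovery key. Backups made from now on are
    # opaque to the attacker...
    new_key = generate_recovery_key()
    archive_v3 = archive_v2 + b"[direct] A: rotated key\n"
    cloud_backup = encrypt_backup(new_key, archive_v3)
    new_backup_readable = decrypt_backup(victim_key, cloud_backup) is not None

    # ...but the copy downloaded in step 1 was encrypted under the old key and still opens.
    old_copy_readable = decrypt_backup(victim_key, attacker_copy) == archive_v1

    return {
        "stolen_archive_readable": stolen == archive_v1,
        "readable_after_reregister": readable_after_reregister,
        "new_backup_readable_after_rotation": new_backup_readable,
        "old_copy_readable_after_rotation": old_copy_readable,
    }


if __name__ == "__main__":
    for name, value in phishing_scenario().items():
        print(f"{name}: {value}")
```

The scenario returns four booleans rather than printing them so the outcome can be checked programmatically: the phished key reads the archive, it keeps reading new backups after re-registration, rotation cuts off future backups, and the already-exfiltrated copy remains readable regardless. The same structure holds for any design in which a user-held secret directly unlocks a server-stored ciphertext, which is why the only real remedy for a leaked key is to rotate it before the backup is fetched, not after.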
Victims should report incidents to the appropriate authorities: the FBI's Internet Crime Complaint Center (IC3), a local FBI field office, or CISA. These attacks exploit people rather than flaws in the technology, so the best defense is to stay skeptical of any unexpected message that asks for a code or key.