"UNC5792 has conducted widespread phishing campaigns targeting Signal and WhatsApp accounts of U.S. government officials, military leadership, and allied personnel," the U.S. government's announcement said, laying out the reason for a rare public bounty.
U.S. Department of State 'Rewards for Justice' bounty: up to $10 million
The U.S. Department of State is offering up to $10 million through its Rewards for Justice (RFJ) program for information that helps identify or locate members of two identified hacker groups, UNC5792 and UNC4221. The RFJ program targets foreign state actors carrying out cyberattacks against U.S. critical infrastructure, and the latest posting explicitly links the two groups to Russian services.
In RFJ’s words, it is "seeking information on UNC5792, a malicious cyber group associated with the Russian Federal Security Service (FSB) Border Guards, and UNC4221, a malicious group of cyber actors working on behalf of the Russian military services."
UNC5792 and UNC4221: affiliations, targets, and the information sought
RFJ and U.S. authorities describe UNC5792 as associated with the FSB Border Guards and UNC4221 as working on behalf of Russian military services. The reward notice lists the specific types of information the U.S. government wants about both groups, including:
- Names, locations, biographies, and affiliations of UNC5792 actors and supporting personnel
- Links to Russian intelligence services, contractors, and third-party service providers
- Operational infrastructure: domains, servers, hosting, data storage, tools, frameworks, and software
- Funding sources, financial accounts, banking relationships, and payment mechanisms
- Cryptocurrency wallets, blockchain transactions, and financial networks supporting operations
Tactics: Signal Backup Recovery Keys and impersonation of support agents
U.S. agencies and RFJ emphasize that the attacks exploit social-engineering techniques rather than breaking the underlying encryption of messaging platforms. The FBI and CISA, updating a March 2026 advisory last week, reported new tactics observed in attacks attributed to the two groups, including stealing Signal Backup Recovery Keys.
Authorities warned that the hackers are impersonating Signal support agents in direct messages to targets and informing them of a supposed mandatory two-factor verification process. That procedure, according to the advisory, is used as a ruse to trick users into revealing their data backup key, thereby granting the attacker access to a victim’s previous communications on the platform.
The U.S. government also emphasized that "communication platforms and the encryption they offer haven’t been compromised," while noting the attacks can still be highly effective at siphoning private data. RFJ's announcement confirmed that thousands of individual accounts for commercial messaging applications were compromised via these techniques.
FBI and CISA advisory update and the scale of compromise
Last week’s update to the March 2026 advisory from the FBI and CISA added the Signal-backup key theft detail to a catalog of evolving techniques attributed to UNC5792 and UNC4221. The advisory links the impersonation tactic and the backup-key ruse to successful intrusions into Signal and WhatsApp accounts belonging to U.S. government officials, military leaders, allied personnel, journalists, NGOs supporting Ukraine, and researchers focused on security and Russian affairs.
The breadth of targets cited by the U.S. government—U.S. and NATO government, diplomatic, defense, and intelligence officials; policy analysts; journalists covering Russia and Ukraine; NGOs supporting Ukraine; and security and Russian affairs researchers—illustrates the operational focus and intelligence value these accounts represent to the accused groups.
What this means for technologists, policymakers, and Signal users
- Technologists and security teams: The RFJ listing and advisory flag the importance of detecting social-engineering campaigns that target account recovery processes and backup keys. A statistic from a Picus whitepaper, "Security teams log 54% of successful attacks and alert on just 14%," underscores the challenges in detection and the need to test SIEM and EDR rules.
- Policymakers and regulators: The explicit request for financial and infrastructure links—including cryptocurrency wallets and blockchain transactions—signals a law-enforcement and intelligence emphasis on disrupting funding and operational infrastructure rather than solely attributing individual intrusions.
- End users and journalists: The advisory reiterates a practical rule for Signal users: real support teams communicate only through official company email addresses and "never ask users to provide verification codes within the application or send links requesting account verification, recovery, or restoration."
The U.S. government has placed a high monetary value, up to $10 million, on information that could identify or locate members of UNC5792 and UNC4221, and has paired that incentive with public warnings about a specific, actionable ruse: impersonation to steal Signal Backup Recovery Keys. Whether the bounty produces the names, locations, or infrastructure the RFJ seeks is the next open question in a story the U.S. government has framed as both a law-enforcement effort and a national-security priority.




