US posts $10 million reward over Russian cyber campaign targeting Signal, WhatsApp

The United States is offering up to $10 million for information leading to the identification or location of members of two Russia-linked cyber groups accused of targeting Signal and WhatsApp accounts belonging to government officials, journalists and other high-profile individuals.

The bounty, announced through the State Department's Rewards for Justice program, targets the hacking groups tracked as UNC5792 and UNC4221, which U.S. authorities say are associated with Russia's Federal Security Service (FSB), Border Guards and military intelligence, respectively.

In a public advisory issued Friday, the FBI warned that the groups' espionage campaigns have evolved, with attackers increasingly attempting to steal backup recovery keys for encrypted messaging applications.

Officials said compromised backup recovery keys can remain valid even if victims create new accounts using the same phone number, potentially allowing attackers to regain access in the future.

The FBI said the Russian intelligence campaign is designed to compromise individual Signal and WhatsApp accounts rather than exploit vulnerabilities in the encrypted messaging platforms themselves.

The hackers use social engineering techniques to trick victims into sharing verification codes, account PINs and backup recovery keys, enabling them to access message histories, private and group chats, and, in some cases, take over victims' accounts.

In some cases, the hackers altered legitimate Signal group invitation pages to redirect victims to malicious links that connected attacker-controlled devices to their accounts.

The U.S. warning follows an announcement last week by Ukraine's Security Service (SBU), which said it had worked with the FBI to uncover a long-running Russian cyber-espionage campaign targeting the messaging accounts of government officials, military personnel, politicians and activists in Ukraine, Europe and the United States.

The SBU said the operation sought to obtain sensitive military, political and economic information exchanged through encrypted messaging applications while also stealing victims' personal data.

One of the most common methods involved sending text messages impersonating official messaging platform support services and urging users to disclose their account credentials.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.