
US Offers $10M Bounty to Stop Massive Signal and WhatsApp Hacking Spree

A sophisticated Signal and WhatsApp hacking campaign is actively targeting users, allowing attackers to silently read private messages and steal encrypted backups. If you receive an urgent message from an automated support bot asking you to verify your account or sync your data, your entire chat history is at risk of being compromised. Federal authorities have escalated their response to this threat, offering a massive financial reward to dismantle the operation.

The US State Department, through its Rewards for Justice (RFJ) program, is offering up to $10 million for information leading to the identification or location of the individuals behind this widespread cyber espionage campaign. The operation, which has been active since at least March, is being driven by two Russian state-sponsored groups tracked as UNC5792 and UNC4221. These groups are reportedly operating on behalf of the Russian Federal Security Service (FSB) Border Guards and Russian military services.

The attackers are specifically hunting individuals of high intelligence value. The primary targets include current and former US government officials, military personnel, political figures, and investigative journalists. According to the RFJ, the campaign has already successfully compromised thousands of commercial messaging accounts, granting foreign intelligence services unprecedented access to sensitive communications.

How the Phishing Campaigns Operate

The attackers do not rely on breaking the underlying encryption of Signal or WhatsApp. Instead, they utilize highly targeted phishing campaigns masquerading as automated support communications. In the initial phase of the attack, the malicious actors send messages claiming that the user's account is at risk or requires mandatory two-factor verification.

If a user complies with the instructions, they unknowingly link an attacker-controlled device to their account. While Signal's built-in safety features prevent newly linked devices from reading past conversations, the attackers immediately gain the ability to monitor all incoming and outgoing messages in real time. Recently, the FBI warned that the campaign has evolved to bypass this historical message restriction.

The attackers now send follow-up messages urging targets to create a backup of their previous communications to avoid data loss. The phishing text typically looks like this:

Action Required: Data Recovery Needed
Your Signal Account data (messages and media) is at risk of permanent loss due to a sync issue.
To avoid losing your messages and media:
Go to Settings -> Backups -> Configure -> Enable Backups -> View Recovery Key.
Copy the recovery key to your clipboard.
Paste the key into this chat.

By tricking the user into pasting their long passcode, the attackers gain the ability to decrypt backups stored on Signal servers, exposing the victim's entire conversation history. In other instances, the attackers have altered legitimate group invite pages to redirect users to malicious URLs that automatically link the attacker's device to the victim's account.
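The lure above combines manufactured urgency, a step-by-step settings walkthrough, and a request to paste a secret back into the chat. The following is an added example (not code from the article, Signal, or the FBI) of a defensive heuristic that flags messages showing that combination; the patterns and the sample messages are constructed for illustration.

```python
import re

# Constructed samples: the phishing text quoted in the article, and a benign message for contrast.
PHISH = (
    "Action Required: Data Recovery Needed\n"
    "Your Signal Account data (messages and media) is at risk of permanent loss due to a sync issue.\n"
    "To avoid losing your messages and media:\n"
    "Go to Settings -> Backups -> Configure -> Enable Backups -> View Recovery Key.\n"
    "Copy the recovery key to your clipboard.\n"
    "Paste the key into this chat."
)
BENIGN = "Hey, are we still on for lunch tomorrow? Send me the address when you can."

# Hypothetical heuristics (name, pattern); each one captures a trait of the lure described in the article.
SIGNALS = [
    ("urgency", re.compile(r"\b(action required|at risk|permanent(ly)? loss|urgent|immediately)\b", re.I)),
    ("secret_requested", re.compile(r"\b(recovery key|backup key|verification code|passcode)\b", re.I)),
    ("exfil_into_chat", re.compile(r"\b(paste|send|reply with|type)\b.{0,40}\b(into|in|to) this chat\b", re.I)),
    ("settings_walkthrough", re.compile(r"\bsettings\s*(->|>)", re.I)),
    ("device_link", re.compile(r"\b(link(ed)? device|linked devices|scan (this|the) qr)\b", re.I)),
]


def score_message(text):
    """Return the names of the phishing signals present in a message, in SIGNALS order."""
    return [name for name, pat in SIGNALS if pat.search(text)]


def is_suspicious(text, threshold=2):
    """Flag a message that asks for a secret (or for pasting it into the chat)
    and carries at least `threshold` signals in total, e.g. urgency plus a settings walkthrough."""
    hits = set(score_message(text))
    asks_for_secret = bool(hits & {"secret_requested", "exfil_into_chat"})
    return asks_for_secret and len(hits) >= threshold
```

A message that merely mentions backups without asking for a key is not flagged; the point is that legitimate support never needs the key pasted into a chat.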

How to Protect Your Account

Because this attack relies entirely on social engineering rather than technical vulnerabilities, user vigilance is the only effective defense. The FBI and security experts have outlined specific protocols to secure your messaging apps against these state-sponsored tactics.

  • Ignore In-App Verification Requests: Legitimate support services for messaging apps will never request verification codes or backup keys within a chat interface.
  • Do Not Click Support Links: Official support channels do not send users links to verify or restore accounts. Treat any such link as hostile.
  • Invalidate Compromised Keys: If you suspect you have shared your backup key, you must immediately generate a new one.

To mitigate this risk, the user must generate a new Backup Recovery Key within the Settings control; this action will invalidate the previous key for all future backup downloads.

- Federal Bureau of Investigation (FBI)

It is crucial to note that while generating a new key protects future backups, it does not prevent attackers from accessing any backups they have already downloaded.

The Human Element in High-Stakes Espionage

The success of UNC5792 and UNC4221 highlights an uncomfortable truth in modern cybersecurity: end-to-end encryption is only as strong as the user's operational security. It may seem baffling that highly trained diplomats, intelligence officers, and journalists are falling for relatively simple phishing texts. However, these attacks are designed to exploit human psychology, specifically fatigue and the manufactured urgency of losing critical data.

This campaign proves that nation-state actors no longer need to invest millions in developing zero-day exploits to compromise secure communications. By simply waiting for a target to be sleep-deprived or distracted, attackers can bypass military-grade encryption with a basic text message. The $10 million bounty underscores the severity of the intelligence leak, but it also serves as a stark reminder that the most critical vulnerability in any secure system is the person holding the device.
