Nation-state | Jun 29, 2026

US Offers $10 Million Bounty for Russian State Hackers as Messaging App Attacks Evolve

US offers $10M bounty for info on Russian state hackers targeting officials via messaging apps.

Summary

The US government is offering up to $10 million for information on individuals linked to Russian intelligence groups UNC5792 and UNC4221. These actors are targeting US officials, military leaders, and allied personnel through phishing campaigns on commercial messaging applications like Signal and WhatsApp, evolving their tactics to request Backup Recovery Keys for historical data access. The US seeks to identify the actors, their affiliations with Russian intelligence services, infrastructure, and funding.

Full text

The US government is offering rewards of up to $10 million for information on individuals associated with two threat actors linked to Russian intelligence.

Publicly tracked as UNC5792 and UNC4221, the cyber groups have been targeting current and former US government officials and military leaders, allied personnel, journalists, political figures, and key officials located in Ukraine.

The threat actors have been conducting phishing campaigns targeting commercial messaging applications (CMAs), a March alert from CISA and the FBI shows.

Posing as automated CMA support accounts, the hackers lure victims into clicking on a link or sharing verification codes to take over their accounts on messaging platforms such as Signal and WhatsApp.

In a fresh update, CISA and the FBI warn that the attackers have renewed their tactics and are now asking victims for their Backup Recovery Keys to access historical conversations as well, including private and group messages.

“If a victim inadvertently shares their Backup Recovery Key, that same key remains valid even if they create a new account following the compromise using the same phone number. Consequently, the actor could potentially use the compromised key to take over the new account in the future as well,” the alert reads.

To evict the hackers from compromised accounts, users need to generate a new Backup Recovery Key, thus invalidating the previous one.

“However, please note that this does not prevent the actor from having already downloaded a backup of the original account,” CISA and the FBI warn.

UNC5792 and UNC4221, the agencies note, are associated with the Russian intelligence services (RIS). On the Rewards for Justice portal, the US government links UNC5792 to the Russian Federal Security Service (FSB) Border Guards, and UNC4221 to the Russian military services.
“Using social engineering techniques, these malicious cyber actors exploit legitimate device-linking features in these secure messaging applications to gain unauthorized access to sensitive government communications, contact lists, and group conversations,” the US notes.

The threat actors have abused the compromised accounts to launch phishing attacks against other valuable individuals, and, in some instances, they modified ‘group invite’ pages to link attacker-controlled devices to victims’ Signal accounts.

The US is willing to pay up to $10 million in rewards for information leading to the identification of UNC5792 actors, including their names, location, and biographies. It also seeks information on the threat actors’ affiliation with RIS, on entities that support them, their infrastructure and tooling, their funding sources, and financial networks, including banking accounts, cryptocurrency wallets, and transactions.

Written by Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.

Entities

UNC5792 (threat_actor), UNC4221 (threat_actor), CISA (vendor), FBI (vendor), Signal (product), WhatsApp (product)