
US offers $10M reward for Signal hack leads

The US is offering up to $10 million for info on the Russian group behind the Signal and WhatsApp phishing campaign that compromised thousands of accounts, including journalists and officials.

Federal authorities are dangling a bounty of up to $10 million for tips that pinpoint the Russian state‑affiliated actors behind the ongoing Signal phishing campaign. The reward, announced on June 30, 2026, targets the group that’s been hijacking thousands of Signal and WhatsApp accounts belonging to investigative reporters and U.S. government employees. That figure alone makes the operation one of the heftier cyber‑bounties the Justice Department has ever floated.

Key Takeaways

  • U.S. agencies are offering a $10 million reward for information leading to the identification or location of the attackers.
  • The campaign has compromised thousands of Signal and WhatsApp accounts since at least March.
  • Attackers use fake support messages to trick users into linking a foreign device or handing over backup passcodes.
  • Two Russian groups, tracked as UNC5792 and UNC4221, are believed to be behind the operation.
  • Signal’s built‑in safety feature blocks access to past messages, but a newer backup‑extraction trick can circumvent it.

Signal phishing campaign draws $10 million reward

When the FBI first sounded the alarm in March, it warned that high‑value targets were receiving phishing messages that pretended to be automated support communications. Those messages asked recipients to click a link or supply verification codes, and if they complied, the attackers could link their own device to the victim’s account or completely seize it. The agency’s advisory noted that the victims included current and former U.S. officials, military personnel, political figures, and journalists. That advisory’s timing lines up with the first public reports of the breach, which suggests the operation’s been simmering for months.

Historical Context

The March advisory was the first public acknowledgment that a coordinated effort was targeting encrypted messaging services. Prior to that, security bulletins had mentioned isolated incidents involving fake support bots, but none had linked the activity to a state‑affiliated group. The FBI’s warning marked a shift from treating the problem as a series of opportunistic attacks to recognizing a sustained espionage campaign. By the time the Rewards for Justice bounty was unveiled on June 30, 2026, the investigation had already cataloged dozens of phishing templates and traced the infrastructure back to two distinct Russian‑linked entities. The bounty’s size signals that the government sees the campaign as a strategic threat to national security, not just a nuisance for individual users.

How the attackers bait victims

The phishing lures look like routine support prompts – “Your account needs verification” or “Click here to secure your messages.” Once a user follows the link, a script silently installs a secondary device identifier on the victim’s Signal or WhatsApp profile. In the case of Signal, the attackers can read any new messages that arrive after the compromise, but they can’t see historic conversations because Signal’s architecture isolates past data. The attackers have since found a way around that limitation, as described below.

Typical bait messages use language that mirrors official branding. They reference recent policy updates or claim that a security scan has detected suspicious activity. The link points to a domain that mimics the legitimate support site, often differing by a single character. When the victim clicks, the page loads a hidden frame that triggers the device‑linking routine. The process happens without any visible prompts, so the user thinks the action was automatic. By the time the victim notices a new device in their session list, the attacker already has a foothold.

Signal’s safety feature and its limits

Signal’s developers built a safeguard that blocks attackers from pulling old chat logs. The feature works by keeping historical keys on the user’s device, never exposing them to the server. But the FBI’s latest update from last week shows the attackers have upgraded their playbook. After convincing users to link a foreign device, they send a second message that urges the victim to create a backup of all prior communications. The follow‑up then asks the user to share the long passcode that encrypts the backup stored on Signal’s servers. Hand over that passcode, and the attackers gain access to everything that was written before the compromise.

The backup‑extraction trick exploits the fact that the backup encryption key is stored on the server for convenience. When a user exports the backup, Signal prompts for a passphrase that protects the archive. The attackers’ second message frames the request as a mandatory security step, urging the victim to “confirm” the backup to keep the account active. Because the passphrase is the only gatekeeper, the attackers can replay the backup file and decrypt it at will. The result is a full view of historic conversations, effectively nullifying the original safety feature.

Russian groups UNC5792 and UNC4221: what we know

Two distinct Russian‑linked entities are being tracked as UNC5792 and UNC4221. Both groups appear to be operating under the umbrella of Russian intelligence services, according to the FBI’s briefing. The agencies haven’t disclosed the exact chain of command, but they’ve linked the groups to previous operations that targeted European politicians and journalists. What’s striking is the coordinated use of both messaging platforms – Signal for encrypted chats and WhatsApp for broader outreach – which suggests a level of resource sharing that’s uncommon among typical cyber‑crime outfits.

Bounty mechanics and legal hurdles

The reward program is being run through the Department of Justice’s “Rewards for Justice” scheme. To qualify, informants must provide actionable intelligence that leads to the identification or location of the perpetrators. The bounty is capped at $10 million, but the DOJ can award less if the information is partial. The program also promises protection for whistleblowers, which is a crucial detail for anyone considering coming forward. The FBI’s advisory notes that the information can be submitted anonymously through a secure portal.

Applicants must submit a written statement that outlines the source of the tip, the chain of custody for any evidence, and how the data ties back to the identified actors. The DOJ evaluates each submission on a case‑by‑case basis, weighing the credibility of the source against the operational value of the intelligence. If the tip leads to an arrest or a conviction, the reward is paid out after the case is closed. The anonymity clause is reinforced by a dedicated encrypted drop‑box that strips IP metadata before the tip reaches analysts.

Implications for developers and security teams

For developers building on Signal’s SDK or integrating WhatsApp Business APIs, the campaign underscores the importance of user education. Even the strongest cryptographic protocols can be undermined by social engineering. That means you can’t rely solely on technical safeguards; you need to embed clear warnings about unsolicited support messages directly into your UI. And the backup‑extraction trick shows that any feature that stores encryption keys on a server can become a liability if the user is duped into sharing the passcode.

  • Never store raw encryption keys on cloud services without additional user‑controlled protection.
  • Implement in‑app phishing detection that flags messages matching known support‑bot patterns.
  • Provide users with a one‑click method to revoke linked devices without needing to share backup passwords.
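The second bullet above asks for in‑app detection of messages that look like the support‑bot lures. Here is an added example (not code from the article, Signal or WhatsApp) of how such a scorer can work: it weights phrases modelled on the lures the article quotes, adds a lookalike‑domain check for URLs that sit one character away from a genuine support domain, and treats an unsolicited prompt from an unknown sender as an extra signal. The legitimate‑domain list, the phrase weights, the threshold and the three sample messages are all constructed for this demo.

```python
"""Heuristic lure detector for unsolicited "support" messages.

Added example, not code from the article or from Signal/WhatsApp. The legit
domain list, the phrase weights and the sample messages are constructed for
this demo and are not real indicators from the campaign.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Domains the client itself would treat as genuine support sites (assumed).
LEGIT_DOMAINS = {"signal.org", "support.signal.org", "whatsapp.com", "faq.whatsapp.com"}

# Phrases modelled on the lures the article quotes, each with a weight.
LURE_PATTERNS = [
    (re.compile(r"account needs verification", re.I), 3),
    (re.compile(r"secure your messages", re.I), 3),
    (re.compile(r"verification code", re.I), 2),
    (re.compile(r"link(?:ing)? (?:a |this |your )?(?:new )?device", re.I), 3),
    (re.compile(r"(?:create|confirm|enable) (?:a |your )?backup", re.I), 3),
    (re.compile(r"backup (?:passcode|passphrase|password)", re.I), 4),
    (re.compile(r"suspicious activity", re.I), 2),
    (re.compile(r"click (?:here|the)", re.I), 1),
    (re.compile(r"mandatory", re.I), 1),
    (re.compile(r"keep your account active", re.I), 2),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
LOOKALIKE_WEIGHT = 5
UNSOLICITED_WEIGHT = 2   # extra weight when the sender is not a saved contact
FLAG_THRESHOLD = 5       # assumed cut-off for showing an in-app warning


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot domains one character off a real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(host: str) -> Optional[str]:
    """Return the genuine domain `host` imitates if it is within one edit, else None."""
    host = host.lower()
    if host in LEGIT_DOMAINS:
        return None
    for legit in LEGIT_DOMAINS:
        if edit_distance(host, legit) == 1:
            return legit
    return None


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return self.score >= FLAG_THRESHOLD


def score_message(text: str, sender_is_contact: bool) -> Verdict:
    """Score one inbound message; higher means more like a support-bot lure."""
    v = Verdict()
    for pattern, weight in LURE_PATTERNS:
        if pattern.search(text):
            v.score += weight
            v.reasons.append(f"phrase: {pattern.pattern}")
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if not host:
            continue
        target = lookalike_domain(host)
        if target:
            v.score += LOOKALIKE_WEIGHT
            v.reasons.append(f"lookalike domain {host} (imitates {target})")
    # An unsolicited "support" prompt from an unknown sender is itself a signal.
    if v.score > 0 and not sender_is_contact:
        v.score += UNSOLICITED_WEIGHT
        v.reasons.append("unsolicited: sender is not a saved contact")
    return v


# Constructed sample messages (not real lures from the campaign): (text, sender_is_contact).
SAMPLES = [
    ("Your account needs verification. Click here to secure your messages: https://support.signa1.org/verify", False),
    ("Mandatory security step: confirm your backup and reply with your backup passphrase to keep your account active.", False),
    ("Lunch tomorrow? Menu is at https://example.com/menu", True),
]

if __name__ == "__main__":
    for text, known in SAMPLES:
        v = score_message(text, known)
        print(f"{'FLAG' if v.flagged else 'ok  '} score={v.score:2d}  {text[:60]}")
        for r in v.reasons:
            print("      -", r)
```

The scorer is deliberately explainable: every point comes with a reason string, so the UI can tell the user *why* a message was flagged (for instance, that the link imitates a real support domain) instead of showing a generic warning. A threshold of 5 means a single lookalike domain is enough to warn, while one weak phrase such as “click here” alone is not.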

Developers should also watch the evolving threat intel coming from the FBI and allied European agencies. The original report notes that the phishing messages have become more sophisticated, now mimicking official policy updates and prompting users to enable mandatory two‑factor verification – a clever ploy that actually pushes users toward a more secure configuration while simultaneously harvesting their credentials.

What This Means For You

If you’re responsible for securing communications in a newsroom, a government office, or a fintech startup, the bounty signals that you’re a high‑value target. That means you need to double down on training: simulate phishing attacks that use the exact language the attackers have been using – “Click the ‘Accept’ button” and “Enable backups.” Run tabletop exercises that walk teams through the steps of revoking a compromised device and resetting backup passcodes. And make sure your incident response plan includes a rapid‑kill switch that can isolate an account from the network within minutes.

On the code side, consider adding a secondary verification step whenever a user tries to export a backup key. That could be a hardware‑based token or a biometric prompt that the attacker can’t replicate remotely. You’ll also want to audit any third‑party integrations that might inadvertently expose the backup passcode to external services. The fewer places that key can travel, the less likely it is to end up in the hands of a Russian UNC‑designated group.
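To make the secondary verification step concrete, here is an added example (not Signal’s or WhatsApp’s code) of a policy gate for backup export, together with the one‑click device revoke the earlier bullet list called for. It denies export from a companion device that was linked too recently, requires a fresh hardware‑token or biometric confirmation on any device, and refuses revoked devices outright. The 24‑hour quarantine, the five‑minute freshness window, the device records and the timestamp are assumptions made for this demo.

```python
"""Policy gate for backup export plus a one-click device revoke.

Added example, not Signal's or WhatsApp's code. The quarantine period, the
step-up freshness window and the device records are assumptions made for
this demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# How fresh a hardware-token or biometric confirmation must be (assumed).
STEP_UP_MAX_AGE = timedelta(minutes=5)
# Newly linked companion devices may not touch backups at all for this long (assumed).
NEW_DEVICE_QUARANTINE = timedelta(hours=24)
# Constructed "current time" so the demo is deterministic.
DEMO_NOW = datetime(2026, 7, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class Device:
    device_id: str
    is_primary: bool
    linked_at: datetime
    last_step_up_at: Optional[datetime] = None  # last hardware-token/biometric check
    revoked: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize_backup_export(device: Device, now: datetime) -> Decision:
    """Decide whether `device` may export the backup or reveal the backup passphrase."""
    if device.revoked:
        return Decision(False, "device has been revoked")
    if not device.is_primary and now - device.linked_at < NEW_DEVICE_QUARANTINE:
        return Decision(False, "companion device linked too recently for backup export")
    if device.last_step_up_at is None or now - device.last_step_up_at > STEP_UP_MAX_AGE:
        return Decision(False, "fresh hardware-token or biometric confirmation required")
    return Decision(True, "step-up verified on an established device")


def revoke_linked_devices(devices: List[Device]) -> List[str]:
    """One-click kill switch: unlink every companion device, keep the primary.

    Returns the ids revoked by this call (already-revoked devices are skipped).
    """
    revoked = []
    for d in devices:
        if not d.is_primary and not d.revoked:
            d.revoked = True
            revoked.append(d.device_id)
    return revoked


def sample_devices(now: datetime) -> List[Device]:
    """Constructed device list: a primary, a just-linked laptop, an old tablet."""
    return [
        Device("phone-primary", True, now - timedelta(days=365), now - timedelta(minutes=1)),
        Device("laptop-new", False, now - timedelta(minutes=10), now - timedelta(minutes=1)),
        Device("tablet-old", False, now - timedelta(days=3), None),
    ]


if __name__ == "__main__":
    devices = sample_devices(DEMO_NOW)
    for d in devices:
        dec = authorize_backup_export(d, DEMO_NOW)
        print(f"{d.device_id:14s} allowed={dec.allowed!s:5s} {dec.reason}")
    print("revoked:", revoke_linked_devices(devices))
    print("primary still allowed:", authorize_backup_export(devices[0], DEMO_NOW).allowed)
```

The ordering of the checks matters: the revoked flag is tested first so a kill‑switch decision cannot be undone by a stale but otherwise valid step‑up, and the quarantine is tested before the step‑up so a freshly linked attacker device gains nothing by completing a confirmation on its own screen. Note that the freshly linked laptop has a valid step‑up and is still denied, which is the behaviour the backup‑extraction trick calls for.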

Beyond the three sectors already mentioned, other environments face similar pressure. A non‑profit advocacy group that communicates with donors via encrypted chat could see its reputation damaged if a breach exposed sensitive fundraising details. A legal firm that uses Signal for privileged client communications might risk breaching attorney‑client privilege. In each case, the same mitigation steps apply: educate users, enforce device revocation, and limit the exposure of backup passwords.

Will the bounty finally push the attackers into the light, or will they simply shift tactics and keep exploiting the human factor? Only time will tell, but the message is clear: the U.S. government is willing to spend serious money to protect the privacy of its most sensitive communications, and developers need to treat that as a warning to shore up the human element of security.

Key Questions Remaining

Even with a $10 million incentive on the table, several uncertainties linger. First, how quickly can investigators trace the digital breadcrumbs back to a specific nation‑state unit, given the layers of proxies and false flags that the actors have employed? Second, will the public release of the bounty prompt other hostile groups to copy the playbook, thereby expanding the attack surface across other encrypted platforms? Third, what additional defensive measures might platform developers roll out once the FBI’s advisory becomes widely known? Answers to these questions will shape the next wave of policy and technical responses.

Sources: Ars Technica, FBI Cyber Advisory
