A $10 Million Hunt for the Group Behind the Chat App Break-Ins
The U.S. government has put a very large price tag on a very annoying problem. A reward of up to $10 million is now on offer for information that can help identify or locate the people behind a wave of break-ins across Signal and WhatsApp, a blunt move that tells you just how seriously Washington is treating this campaign.
The target is a Russian-linked cyber group that’s been tied to account takeovers in two of the world’s most widely used encrypted chat apps. That part matters, but maybe not in the way people first assume. This isn’t a story about someone cracking Signal’s or WhatsApp’s encryption like it was a cheap padlock. It’s a story about people getting tricked, pressured, and nudged into handing over access themselves.
And the scale is not tiny. The campaign has touched thousands of accounts, including ones used by reporters, U.S. officials, military personnel, political figures, and staff working for allied governments. That’s a lot of sensitive conversation moving through the same apps millions of ordinary people use to trade family updates, work notes, and the occasional horrendous meme. In other words, the attackers were not rummaging around the digital margins. They were aiming straight at the rooms where power, politics and daily communication overlap.
Secure software can still be defeated by an insecure moment.
That sentence may sound almost too simple, which is exactly why attackers keep betting on it. Encrypted messaging apps are built to protect the contents of chats while they move across the internet. They’re not built to save every user from a convincing fake login prompt, a fake support message, or a rushed decision made between meetings. The human layer is where the damage tends to start.
For governments, that creates a messy problem. You can strengthen app security, publish warnings, and push out fresh guidance, but you can’t patch over every bad impulse in real time. A target sees a message that looks official. They are told their account needs checking, restoring, or verifying. They’re in a hurry, and maybe they’re tired. Maybe they are juggling two other things. One tap later, the attacker may have what they need. That’s the ugly charm of social engineering. On the whole, it doesn’t need to be brilliant. It only needs to be believable for long enough.
The reward announcement also says plenty about how the U.S. wants to handle this kind of campaign: not just with defensive tech news releases and stern notices, but with old-fashioned pressure. Money for names, locations, and hard leads is a way of telling suspects that they’ve moved from the category of nuisance into the category of wanted. It is also a signal to anyone watching from the side lines that the U.S. sees these chat app compromises as part of a larger pattern in digital culture, power and politics, not as a string of isolated account hiccups.
There’s a reason this has landed with such force. Signal and WhatsApp have become everyday tools for people who need to talk without broadcasting every detail of their lives. Journalists use them, and campaign staff use them. Officials use them. Military personnel use them. So when a campaign reaches inside those chats, even by tricking users rather than breaking encryption, it creates a mess that extends well beyond one compromised phone.
That’s where the next layer of the story begins: how the attackers got in, what they asked victims to do, and why a system built for privacy can still be shaken by a well-timed scam.

How the Scam Took Over Signal and WhatsApp Accounts
By early spring, the playbook was already in motion. Federal investigators had started warning about phishing aimed at people whose messages could not afford a second of bad judgment, and the same basic trick kept resurfacing in Signal and WhatsApp: an ordinary-looking note that claimed to come from support, security, or account recovery. The language varied just enough to dodge a quick glance. The ask didn’t. Tap this link. Enter the code. Confirm the passcode. In a public service announcement from the FBI’s IC3, investigators described a campaign that went after the account itself, not the encryption.
The cleanest message app on earth still falls apart if the person holding it is pushed into handing over the door key.
That is the ugly part, really. The apps weren’t cracked open with some cinematic software exploit. People were nudged into doing the work for the intruder. In one version of the scam, a fake support page asked the target to “verify” an account by entering a one-time code or recovery passcode. In another, the victim was steered into approving a new device, which effectively attached the attacker’s phone or laptop to the account. Once that link was in place, the real owner might still be logged in for a moment, but the attacker had a foothold and could keep it.
Sometimes the takeover went further. The victim was pushed out entirely, locked out of the account while the attacker kept access. That mattered because Signal and WhatsApp both revolve around live account control. If you can ride along as the account owner, you can see what comes in next. You can reply as if you belong there. You can wait for the next useful message to arrive.
On Signal, the design still limits the damage in a small but meaningful way. Older chats aren’t simply handed over just because someone gets into the account. New messages, though, are a different story. If the attacker has attached a device or fully taken over the account, they can read what arrives after the break-in. That leaves a narrower window of visibility than people might fear, but it’s still enough to expose active conversations, contact lists, and whatever sensitive details are still moving through the thread that day. For people in government, journalism, or campaign work, that is plenty of trouble.
Then the scam got a little more patient. Instead of stopping at codes and login prompts, newer messages tried to move targets toward backup creation. That sounds harmless if you say it fast. It’s not. Signal’s encrypted backups use a long recovery key, and that key is the real prize. If a victim is tricked into generating a backup and then handing over that key, the attacker may get access to archived chats too. In other words, the scam shifts from stealing the front door key to asking for the safe combination after the thief is already inside the hall.
WhatsApp phishing followed a similar rhythm, though the details could differ from one target to the next. Some messages posed as account notices, some as support instructions, and some used a more urgent tone, the kind that makes a person think something’s gone wrong right now. That urgency is doing most of the work. Nobody wakes up wanting to bless a random login prompt. Yet if the message seems to come from the app itself, or from a helpful-seeming recovery flow, a distracted user can click before the brain catches up. That’s the scam in miniature: ordinary wording, false authority, one bad tap.
The official notices do not read like a hacker thriller because the method is almost insultingly simple. A phishing link. A code request. A fake recovery step. Sometimes a linked device. Sometimes a full takeover. The State Department’s reward page collects the public hunt, and the public notice on Rewards for Justice lays out the same basic picture for anyone who wants the official wording. The mechanics, though, are arguably less glamorous than the chase. They depend on convincing someone to volunteer the access.
That detail matters because it changes the lesson. People keep looking for a break in the app’s math, when the breach usually starts in the inbox and ends in a moment of trust. It’s classic Signal hacking and WhatsApp phishing, dressed up in support-page clothing. Ugly, ordinary, and annoyingly effective. The State Department bounty may be grabbing the headlines, but the scam itself has been running on the oldest trick in the book: make the victim think they’re fixing a problem, then let them open the door.
Why Washington Says UNC5792 and UNC4221 Matter
Once you move past the mechanics of the scam, the naming game starts to matter. Federal officials aren’t describing this as some faceless wave of random phishing emails. They’re pointing at two tracked clusters, UNC5792 and UNC4221, and tying one to Russia’s FSB Border Guards and the other to work carried out on behalf of Russian military services. That kind of attribution changes the shape of the story. It’s no longer just about a bunch of stolen accounts and embarrassed users. It becomes a state-linked operation with a paper trail, even if that trail is messy and full of aliases.
When a campaign reaches journalists, diplomats, soldiers, and political staff, the real question isn’t just how the trap worked. It’s who built it, who benefits from it, and how far up the chain the planning goes.
The U.S. has made a habit of using public naming and reward notices when it wants to put pressure on an operation and the people behind it. In this case, the State Department’s Rewards for Justice program is dangling up to $10 million for information on the group or groups behind the campaign. The program’s organization page lays out the reward category the government is using here, which tells you the target isn’t just one hacker in a basement with a sticky note full of passwords. Washington’s treating this as an organized effort with enough reach to hit sensitive targets across several countries.
That matters because the signal sent to the crowd behind these campaigns is pretty blunt: if you’re operating with state backing, the U.S. wants your name in public and your logistics under pressure. The same logic shows up in sanctions, indictments, and reward notices. It’s part law enforcement, part theater, part diplomatic nuisance for the other side. Not exactly subtle, but subtlety doesn’t tend to work well when accounts tied to reporters, officials, and military personnel are involved.
The technical detail that caught officials’ attention is almost better than fiction, if you like your cybercrime with a side of bureaucracy. The reward notice says the campaign abused a built-in Signal feature that lets users create invite links for group chats. That sounds harmless enough. People use those links to add trusted contacts, move work chats around, or create secure groups without typing out a hundred phone numbers. In the wrong hands, though, the same feature becomes a lure.
Investigators said some legitimate invite pages were tampered with so they pointed victims toward a malicious address. Once someone clicked through, the attacker could connect their own device to the target’s Signal account. In plain English, the attacker didn’t smash the door; they talked the owner into opening it, then slipped in a second key. That is the part Washington wants people to notice, because it takes the drama out of the operation and replaces it with something more annoying and harder to spot: account-linking abuse.
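The tampered-invite trick described above (an invite page whose link quietly links a new device instead of joining a group) can be checked for mechanically. The following is an added defender-side example, not code from the article or from Signal; it assumes the two link shapes used by the public Signal clients (an https link on signal.group with the invite in the fragment, and an sgnl://linkdevice URI for device linking), and the sample pages are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed link shapes (as used by the public Signal clients; not taken from the article):
# a group invite is an https URL on signal.group with the invite in the URL fragment,
# a device-link request is an sgnl://linkdevice URI carrying the new device's identity.
GROUP_INVITE_HOST = "signal.group"
LINK_DEVICE_URI = ("sgnl", "linkdevice")


def classify_signal_link(link):
    """Return 'group_invite', 'device_link' or 'unknown' for a link on an invite page."""
    p = urlsplit(link.strip())
    scheme, host = p.scheme.lower(), p.netloc.lower()
    if scheme == "https" and host == GROUP_INVITE_HOST and p.fragment:
        return "group_invite"
    if (scheme, host) == LINK_DEVICE_URI:
        return "device_link"
    return "unknown"


# Crude href extractor: enough for the constructed sample pages below, not a full HTML parser.
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def audit_invite_page(html):
    """Flag every link on a 'join group' page that is not a genuine group invite.

    Returns a list of (link, kind) pairs so the page can be reviewed before anyone
    taps through; a 'device_link' entry means the button would attach a new device
    to the reader's account, and that device would then receive their future messages.
    """
    findings = []
    for link in HREF_RE.findall(html):
        kind = classify_signal_link(link)
        if kind != "group_invite":
            findings.append((link, kind))
    return findings


# Constructed sample pages (all values made up): an untouched invite page, and a
# tampered copy whose "Join group" button now carries a device-linking URI.
GENUINE_PAGE = '<a href="https://signal.group/#CjQKIEXAMPLEinviteBYTESfake">Join group</a>'
TAMPERED_PAGE = ('<p>Join our secure group</p>'
                 '<a href="sgnl://linkdevice?uuid=FAKEuuid&pub_key=FAKEkey">Join group</a>')

if __name__ == "__main__":
    for name, page in (("genuine", GENUINE_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, audit_invite_page(page) or "no suspicious links")
```

The same check is what a user can do by eye: a link that starts with sgnl://linkdevice is a device-linking request, whatever the button next to it says.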
The labels UNC5792 and UNC4221 also signal something else. They suggest more than one team, or at least more than one tracked line of activity, rather than a single lone operator. That fits the broader shape of Russian cyber activity, where different units, contractors, proxies, and intelligence arms can work the same target set without looking identical on the surface. One cluster tied to border guard services, another tied to military services, and both apparently circling the same messaging platforms. It’s not hard to see why U.S. officials want the distinction made public.
A Dutch intelligence bulletin from March described a similar campaign aimed at Signal and WhatsApp accounts, which lines up with the broader picture Washington is now drawing in public: Russia targets Signal and WhatsApp accounts in cyber campaign. That doesn’t mean every incident is identical, or that every victim was hit the same way. It does suggest a pattern, though, and patterns tend to get attention fast when they involve encrypted messaging security and people with access to sensitive conversations.
The other point officials keep making, and for good reason, is that this wasn’t an encryption break. Signal’s encryption did what it was supposed to do. WhatsApp’s encryption did too. The problem was elsewhere: deceptive messaging, fake support prompts, altered invite pages, and abuse of account-linking features. That’s a much less glamorous sentence than “the app was hacked,” but it’s the one that fits the facts more neatly. The software held up. The human layer got pressed on, and in some cases, it gave way.
That distinction matters for anyone tempted to file this under “messaging apps are broken now.” They aren’t. The attack path ran through trust, urgency, and account management, which is exactly why it worked on people who were probably trying to move fast and keep conversations private. If anything, the attribution to UNC5792 and UNC4221 tells you where Washington thinks the real threat sits: not in the encryption math, but in the combination of state-backed patience, social engineering, and a platform feature that looks ordinary until somebody weaponizes it.
What the Takeaway Is for Users Still Handling Sensitive Chats
The uncomfortable part of this whole mess is how ordinary it looks up close. Nobody needs to crack Signal’s encryption or pry open WhatsApp’s code to get somewhere. A well-timed message, a tired person, and a moment of panic can do the job. That’s the part worth sitting with. People tend to imagine cyberattacks as loud, technical, and dramatic. In practice, a lot of them are just annoyingly persuasive.
If a stranger is rushing you to save your account, the rush is part of the scam.
That simple trick shows up again and again in account takeovers. The message sounds urgent, and the wording sounds official. The link looks tidy enough. Sometimes it claims your account’s about to be locked, sometimes that someone reported suspicious activity, and sometimes it dresses itself up as support asking for a verification code or backup step. The point is the same either way: get you to act before you’ve had time to think.
For anyone using a secure chat app, the safest habit is almost boring in the best way. Treat requests for verification codes, recovery codes, backup keys, or “restore your account” steps as an alarm bell, not a routine task. If a message asks you to share a code you just received, stop. If it asks you to enter a backup key into a chat thread, stop harder. Legitimate support teams don’t ask for those details inside the app, and they don’t send you off to a page that promises to “prove” your identity or “recover” access in a hurry.
That matters because attackers lean heavily on urgency. They know people respond differently when a message says an account’s been compromised, or when a boss, colleague, or political aide is waiting on a reply. They also know that people are usually juggling other things. A call. A commute. A meeting that should have started five minutes ago. That’s when the weird little details slip past, like a typo in the link or a request that makes no sense if you look at it twice.
If a backup recovery key has been exposed, the move is to generate a new one right away. Do it fast, before you forget, and don’t assume the old one is now harmless. It isn’t. A fresh key can stop future access, but it won’t magically pull back anything an attacker already copied. If the bad actor downloaded your recovery material, that copy’s out there. Annoying, yes. Also very real.
The same goes for any device link you didn’t authorize. Account linking can be subtle. A phone that suddenly shows extra activity, messages that disappear into another device, or settings you never touched can all be clues. When in doubt, check the linked devices list, remove anything unfamiliar, and change whatever credentials the app lets you reset. It’s tedious. So is sorting out a hijacked account later.
The everyday habits are simpler than that cleanup. Slow down when the message creates pressure. Verify through a separate channel if you can. Don’t reuse recovery codes. Don’t hand over backup keys because a screen says you’ll lose access in ten minutes. Ten minutes is often exactly the window scammers want.
That’s also why the Rewards for Justice (RFJ) bounty exists at all. It’s a blunt way of saying that the people behind these campaigns are worth chasing, but the first line of defense still sits with the person holding the phone. A few minutes of caution can beat a polished fake support page, and that’s a pretty unimpressive way for the scam to lose.