
US Puts $10 Million Bounty on Russia-Linked Hackers Hijacking Signal and WhatsApp
Washington has offered up to $10 million for information on two Russia-linked groups accused of hijacking Signal and WhatsApp accounts belonging to government officials via phishing pages that mimic the apps’ ‘linked device’ feature. The reward signals that secure messaging is now a contested battlefield for espionage, putting diplomats, defense staff and anyone handling Ukraine-related policy under new pressure.
The United States has put a multi-million-dollar price on the heads of Russian-linked hackers accused of turning encrypted messaging apps into espionage tools, in a move that formally elevates account hijacking on Signal and WhatsApp to a national security threat.
The State Department on 4 July announced a reward of up to $10 million for information leading to the identification or location of members of two hacking groups tracked as UNC5792 and UNC4221. US officials say the clusters are tied to Russia and have specialized in compromising the messaging accounts of government personnel, including those working on Ukraine-related policy, by abusing legitimate “linked device” features through carefully crafted phishing pages.
According to the US description, the operations did not break Signal or WhatsApp encryption itself. Instead, attackers tricked targets into entering their credentials or scanning QR codes on fake web pages that mimicked the services’ own device-linking interfaces. Once they had those tokens, the hackers could add an unauthorized device to the victim’s account, silently receiving copies of future communications as if they were the account owner.
For diplomats, military officers and civil servants who moved sensitive coordination into encrypted chats after earlier scandals over email interception, the revelation cuts close. A single misstep on a phishing page could give a foreign intelligence service access to negotiations, operational planning or personal networks, all without obvious signs on the victim’s phone. The campaign also matters for journalists, activists and aid workers who rely on the same platforms and may be targeted under similar techniques, even if this specific reward focuses on officials.
Strategically, the bounty is another sign that Washington is prepared to use law-enforcement and financial tools against what it sees as state-backed intrusion campaigns, even when the technical methods fall into a legal gray zone between hacking and social engineering. By publicly naming the clusters and tying them to Russia-linked actors, the US is signaling to Moscow and others that compromising encrypted services via their own features will be treated as aggressively as more traditional network breaches.
The tactic itself highlights a broader vulnerability in the architecture of secure messaging: the human user is often the weakest link. Encryption can protect messages in transit, but if an attacker becomes a “trusted” device in the conversation, they do not need to crack the math. The campaign attributed to UNC5792 and UNC4221 shows how features designed for user convenience, such as quickly adding desktop clients, can be repurposed into access points for hostile intelligence services.
The move also fits into a widening contest between Western governments and Russia in cyberspace over the Ukraine war. Alongside wiper malware, industrial control system probes and disinformation operations, compromising the very apps used to coordinate sanctions, arms deliveries and diplomatic outreach offers a high return for relatively low technical cost.
The key takeaway is that secure messaging was never a magic shield; it is a system of trust that can be quietly rerouted if attackers can convince you they are the service you already use. For officials, that pushes operational security from a niche concern into a daily discipline.
Next, observers will watch whether the named clusters go quiet, retool or resurface under new designations after the reward announcement. Signals to track include fresh phishing campaigns mimicking linked-device pages, any arrests or indictments tied to the bounty, and whether allies follow the US in publicly attributing similar operations to Russia-linked actors. The response of Signal, WhatsApp and other encrypted platforms — whether through new warnings, UI changes, or tighter device-link controls — will show how seriously the industry takes this new front in the encryption wars.