The United States Department of State has announced a reward of up to $10 million for information that leads to the identification or location of individuals linked to the hacker groups UNC5792 and UNC4221, which U.S. authorities say are connected to Russia’s intelligence and military networks.
The reward is being offered under the Rewards for Justice Program, a programme focused on foreign state-linked actors involved in cyberattacks targeting critical infrastructure in the United States.
“RFJ is seeking information on UNC5792, a malicious cyber group associated with the Russian Federal Security Service (FSB) Border Guards, and UNC4221, a malicious group of cyber actors working on behalf of the Russian military services,” reads the U.S. government’s announcement.
“UNC5792 has conducted widespread phishing campaigns targeting Signal and WhatsApp accounts of U.S. government officials, military leadership, and allied personnel.”
According to the U.S. government, the reward offer covers information that could help identify or track members of UNC5792 and UNC4221, including:
* Names, whereabouts, background details, and affiliations of individuals involved in UNC5792 operations and those providing support
* Connections between the groups and Russian intelligence agencies, contractors, or third-party service providers
* Details of operational infrastructure such as domains, servers, hosting services, data storage systems, software, tools and technical frameworks used in their activities
* Information on funding channels, financial accounts, banking links, and payment methods supporting their operations
* Cryptocurrency wallets, blockchain activity, and financial networks allegedly used to facilitate the groups’ activities
Last week, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency updated a March 2026 advisory with newly identified tactics linked to attacks attributed to UNC5792 and UNC4221, including efforts to steal Signal Backup Recovery Keys.
U.S. authorities also warned that the hackers have been posing as Signal support representatives through direct messages, telling targets they must complete a mandatory two-factor authentication verification process.
Authorities said the tactic works by deceiving users into handing over their data backup recovery key, which then allows attackers to gain access to past conversations stored on the platform.
U.S. agencies stressed that the communication platforms involved and their encryption systems have not been breached. However, they warned that the social engineering method remains highly effective in extracting sensitive and private user data.
The RFJ announcement further revealed that this method has already led to the compromise of thousands of individual accounts across commercial messaging platforms.
According to U.S. authorities, those most frequently targeted include government officials, diplomats, defence and intelligence personnel from the United States and NATO countries, as well as policy experts, journalists reporting on Russia and Ukraine, NGOs supporting Ukraine, and researchers focused on security and Russian affairs.
Signal users have been advised to remember that legitimate support teams only contact users through official company email channels and do not request verification codes through the app or send links asking users to verify, recover or restore their accounts.
