The U.S. Department of State is offering up to $10 million for information that helps identify or locate members of the UNC5792 and UNC4221 hacker groups, which are linked to Russia’s intelligence and military services.
The bounty is part of the ‘Rewards for Justice’ (RFJ) program, which targets foreign state actors carrying out cyberattacks against U.S. critical infrastructure.
“RFJ is seeking information on UNC5792, a malicious cyber group associated with the Russian Federal Security Service (FSB) Border Guards, and UNC4221, a malicious group of cyber actors working on behalf of the Russian military services,” reads the U.S. government’s announcement.
“UNC5792 has conducted widespread phishing campaigns targeting Signal and WhatsApp accounts of U.S. government officials, military leadership, and allied personnel.”
The U.S. government seeks the following information on UNC5792 and UNC4221:
- Names, locations, biographies, and affiliations of UNC5792 actors and supporting personnel
- Links to Russian intelligence services, contractors, and third-party service providers
- Operational infrastructure, including domains, servers, hosting, data storage, tools, frameworks, and software
- Funding sources, financial accounts, banking relationships, and payment mechanisms
- Cryptocurrency wallets, blockchain transactions, and financial networks supporting operations
The FBI and CISA updated a March 2026 advisory last week with new tactics used observed in attacks attributed to the two threat groups, which include stealing Signal Backup Recovery Keys.
The U.S. government agencies have alerted that the hackers are impersonating Signal support agents in direct messages to targets, informing them of a mandatory two-factor verification process.
The procedure is used as a ruse to trick users into revealing their data backup key, thereby granting access to the victim’s previous communications on the platform.
The U.S. authorities have emphasized that while communication platforms and the encryption they offer haven’t been compromised, the attacks can still be highly effective at siphoning private data.
In fact, the RFJ announcement confirms that thousands of individual accounts for commercial messaging applications were compromised in this way.
Typical targets of this activity are U.S. and NATO government, diplomatic, defense, and intelligence officials, policy analysts, journalists covering Russia and Ukraine, NGOs supporting Ukraine, and security and Russian affairs researchers.
Signal users should always keep in mind that real support teams communicate exclusively through official company email addresses and never ask users to provide verification codes within the application or send links requesting account verification, recovery, or restoration.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
