A message lands in your Signal inbox: an official-looking alert warning that hackers are targeting your account, with step-by-step instructions to “secure” your backup key. It looks legitimate. It feels urgent. It’s a trap. Russian intelligence operatives figured out they didn’t need to crack Signal’s encryption — they just needed to crack you. The US State Department, through its Rewards for Justice program, is now offering up to $10 million for information identifying members of two Russian state-linked groups: UNC5792, tied to FSB Border Guards, and UNC4221, linked to Russian military services, according to the FBI. Thousands of accounts have already fallen. This mirrors tactics seen in other state-actor operations, such as when a surveillance app was built to digitally target political dissidents.
How the Attack Actually Works
Russian operatives weaponized the features you trust most in your favorite encrypted apps.
The first phase is deceptively simple. Attackers pose as Signal or WhatsApp support bots, sending urgent messages claiming your account has been compromised. They instruct you to click a link or share a verification code. The real payload: they exploit Signal’s legitimate device-linking feature to silently add their own device to your account. Suddenly they’re reading every message in real time. No code broken. Just trust exploited. This account-takeover approach echoes incidents where hackers steal credentials through similar social-engineering exploits.
The evolved phase is worse. According to an updated FBI and CISA advisory, attackers now walk victims through enabling Signal backups and viewing their Backup Recovery Key — then instruct them to paste it directly into the chat. Sharing that key is the messaging-app equivalent of handing your house keys to someone who slid a note under your door claiming to be your landlord. With it, attackers access not just new messages but your entire archived conversation history. That key stays valid even after creating a new account with the same phone number, unless you generate a fresh one.
The encryption held. The people didn’t.
Who’s in the Crosshairs – and What the US Is Doing About It
Targets range from Pentagon officials to Ukraine-beat journalists, and the response spans bounties, domain seizures, and a design debate.
These aren’t random victims. FBI and CISA advisories identify targets including current and former US government officials, military leadership, diplomats, journalists covering Russia and Ukraine, and NGOs supporting Ukraine — a pattern consistent with broader trends of apps secretly tracking users and surveilling high-value political and governmental figures.
Google’s Threat Intelligence Group links this cluster to broader Russian operations — including APT44/Sandworm — spanning Ukraine, Moldova, Georgia, France, and the US. The FBI and DOJ have already seized 26 internet domains tied to the phishing infrastructure.
A $10 million bounty is pressure, not a permanent fix. Security analysts remain divided: one camp argues trained professionals should recognize phishing; the other insists Signal and WhatsApp need design-level changes — stronger backup-key warnings, out-of-band device-link verification — because urgency and fatigue will eventually defeat even solid training. A broader look at tech scandals shows how exploitation at scale has long outpaced user awareness.
Here’s what you can do right now:
- Never share a verification code, PIN, or backup recovery key in response to any in-app message. Legitimate app support simply doesn’t work that way.
- If you already shared a key, open Signal settings and generate a new one immediately. It won’t undo what’s already been accessed — but it slams the door shut.