US Offers $10M Bounty for Russian Hackers UNC5792 and UNC4221

The US State Department's Rewards for Justice program offers $10 million for intelligence on UNC5792 and UNC4221, Russian groups targeting Signal accounts.

    The US State Department’s Rewards for Justice program has announced a $10 million reward for information leading to the identification, location, or disruption of members of UNC5792 and UNC4221 — the FSB- and GRU-linked Russian threat groups behind an ongoing campaign targeting Signal, WhatsApp, and other encrypted messaging platforms used by government officials, military leaders, journalists, and political figures across the United States, Europe, and Ukraine.

    The $10 Million Bounty Scope: Identities, Infrastructure, and Cryptocurrency Wallets

    The Rewards for Justice announcement covers a broad range of actionable intelligence. Qualifying information includes the identities and locations of UNC5792 and UNC4221 members, their affiliations with Russian intelligence services, details on supporting entities, infrastructure used in the operations, tooling, funding sources, and financial networks — including specific cryptocurrency wallet addresses.

    The cryptocurrency wallet inclusion is notable. It reflects a maturing US government approach to targeting not just the operators of state-linked hacking campaigns but the financial infrastructure that sustains them. Cryptocurrency tracing has become an increasingly central tool in the US government’s responses to nation-state threat actors, and the explicit inclusion of wallet addresses as bounty-qualifying intelligence signals a continued emphasis on economic disruption as a complement to attribution disclosure.

    CISA and FBI Advisory Updates Tracking UNC5792 and UNC4221 Since March 2026

    The bounty announcement arrives alongside a June 2026 updated advisory from CISA and the FBI documenting the tactical evolution of both groups. An earlier advisory, published in March 2026, first documented the groups’ phishing campaigns targeting messaging platform accounts. The June 2026 update reveals a significant shift in approach: UNC5792 and UNC4221 are now specifically requesting victims’ Signal and WhatsApp Backup Recovery Keys rather than focusing solely on one-time verification codes.

    Backup recovery keys are distinct from verification codes in their impact on account security. A verification code provides access for a single authentication session; a backup recovery key allows an attacker to restore an account’s complete message history to a new device at any future point. That capability means account takeover via backup key theft persists through device changes, app reinstallations, and even the victim’s belief that they have secured their account — making it a qualitatively more dangerous access vector than the phishing method the groups previously used.

    Targets Span US Government Officials, Allied Military, and Ukrainian Political Figures

    The Rewards for Justice announcement identifies the population under threat from UNC5792 and UNC4221 as current and former US government officials, military leaders, allied personnel, journalists, political figures, and Ukrainian officials. The breadth of targeting — spanning active and former government roles, allied country personnel, and civil society actors — reflects a comprehensive intelligence collection posture rather than a narrowly scoped operation.

    The inclusion of journalists and political figures alongside government and military targets aligns with Russian intelligence collection priorities that extend beyond formal government structures to civil society actors connected to Ukraine policy, Western security institutions, and affiliated organizations.

    The Strategic Signal Behind the $10 Million Reward

    The Rewards for Justice bounty for UNC5792 and UNC4221 follows a pattern the US government has used to publicly attribute and pressure Russian intelligence operations: formal public identification of threat groups, release of technical advisory detail, and a financial incentive structure designed to surface insider knowledge about group membership and infrastructure.

    Offering $10 million for two specific groups — rather than for a general category of Russian cyber activity — indicates that the administration views the messaging app targeting campaign as a distinct and significant national security threat. The escalation in the groups’ tactics from basic verification code phishing to backup recovery key theft appears to have accelerated the US government’s public response.

    The $10 million figure, consistent with prior Rewards for Justice offers targeting Russian intelligence operatives, signals that the US government is treating the messaging platform campaign as a national security priority. The bounty reflects US cyber policy’s use of economic incentives and public disclosure as tools to counter state-sponsored operations targeting American officials and allies.

    Tips for the Rewards for Justice program can be submitted through the program’s secure reporting channels, which accept information from individuals anywhere in the world.
