
US $10M bounty targets UNC4221, UNC5792 for Signal/WhatsApp backup key theft
The bounty sharpens US focus on Russian intelligence harvesting of Signal and WhatsApp recovery keys through social engineering. The evidence points to persistent access through valid backups rather than exploitation of the apps, with attribution to the FSB and to military intelligence supported by prior indictments. The campaign highlights human-factor risk in the encrypted communications used by officials.
The FBI advisory details attackers sending impersonation texts to extract verification codes, PINs and 30-digit backup keys from officials and journalists. A compromised backup key stays valid across account resets tied to the same phone number, so the attacker retains access to message histories without any platform-level breach; re-registering the number or replacing the handset does not revoke it, only generating a new backup key (and, where a device was linked, unlinking the unknown device) does. Contract records and prior indictments link UNC5792 to FSB Border Guard subunits and UNC4221 to GRU elements, although independent telemetry shows TTP overlap with known FSB infrastructure, so the split between the two services is not clean.
SBU-FBI joint reporting from last week confirms the campaign has run for at least 18 months across Ukraine, Europe and the US, focusing on military planning channels inside Signal groups. The primary initial access vector is a modified group invitation link that, instead of joining the victim to a group, links the victim's account to an attacker-controlled device; no CVE in the core protocols is involved. Procurement patterns indicate sustained investment in native-language social engineering teams rather than in novel malware development.
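The invitation-link lure above turns on one distinction that is easy to check mechanically: a genuine Signal group invite is an https://signal.group/# link, while a device-linking request is an sgnl://linkdevice URI carrying a device uuid and public key, and a device-linking URI should never arrive from a third party. The Python below is an added example written for this brief, not code from the FBI, SBU or Signal; the two URI formats are assumptions taken from Signal's public link formats rather than anything the advisories state, and the sample messages are constructed placeholders. It flags a message that uses invitation wording but carries a device-linking URI, which is the lure pattern described above:

```python
import re
from urllib.parse import urlsplit, parse_qs

# URLs/URIs embedded in free text: https:// links and Signal's sgnl:// scheme.
URI_RE = re.compile(r"(?:https?|sgnl)://[^\s<>\"']+", re.IGNORECASE)

# Wording that frames a message as a group invitation.
INVITE_WORDS_RE = re.compile(r"\b(group|join|invite|invitation)\b", re.IGNORECASE)


def classify_uri(uri: str) -> str:
    """Classify one URI.

    Assumed formats (from Signal's public link formats, not from the advisory):
      group invite : https://signal.group/#<base64url group-invite blob>
      device link  : sgnl://linkdevice?uuid=<device id>&pub_key=<device key>
    Opening a device-link URI adds a new device to the account that opens it;
    a genuine group invite never does.
    """
    parts = urlsplit(uri.rstrip(".,;:)"))  # drop trailing sentence punctuation
    scheme, host = parts.scheme.lower(), parts.netloc.lower()
    if scheme == "https" and host == "signal.group" and parts.fragment:
        return "signal_group_invite"
    if scheme == "sgnl" and host == "linkdevice":
        params = parse_qs(parts.query)
        if "uuid" in params and "pub_key" in params:
            return "signal_device_link"
        return "signal_device_link_malformed"
    return "other"


def assess_message(text: str) -> dict:
    """Return every URI found with its class, plus a verdict:
    'block'  : invitation wording but a device-linking URI (the lure pattern)
    'review' : device-linking URI without invitation wording
    'allow'  : no device-linking URI present
    """
    found = [(u, classify_uri(u)) for u in URI_RE.findall(text)]
    has_device_link = any(kind.startswith("signal_device_link") for _, kind in found)
    framed_as_invite = INVITE_WORDS_RE.search(text) is not None
    if has_device_link and framed_as_invite:
        verdict = "block"
    elif has_device_link:
        verdict = "review"
    else:
        verdict = "allow"
    return {"uris": found, "verdict": verdict}


# Constructed sample messages (placeholder blobs, not real group or device identifiers).
LEGIT_INVITE = "Planning sync moved here, join the group: https://signal.group/#CjQKIEXAMPLEINVITEBLOB"
LURE = ("You have been invited to the secure group. Tap to join: "
        "sgnl://linkdevice?uuid=EXAMPLE-UUID&pub_key=EXAMPLEPUBKEY.")
BARE_LINK = "sgnl://linkdevice?uuid=EXAMPLE-UUID&pub_key=EXAMPLEPUBKEY"

if __name__ == "__main__":
    for label, msg in (("legit", LEGIT_INVITE), ("lure", LURE), ("bare", BARE_LINK)):
        result = assess_message(msg)
        print(f"{label:6s} -> {result['verdict']:6s} {result['uris']}")
```

Run as a script it prints one verdict per sample; the same classify_uri check can be applied to URLs pulled from reported phishing texts or from a mail or chat gateway. Two caveats: a shortened or redirecting link must be resolved first, since the check only tells you something about the final URI, and any sgnl://linkdevice URI in inbound text is treated as suspect on purpose, because that URI is meant to be generated by the user's own new device and scanned from its screen, never received from someone else.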
This marks an operational shift from endpoint implants toward durable account persistence that survives device replacement. The encrypted apps themselves remain sound; the attack surface has moved to the human verification flow (codes, PINs, backup keys) and to backup-key hygiene. Expect similar bounties on Chinese and Iranian actors within 12 months as recovery-key theft becomes standard tradecraft.
Next indicators will likely appear in updated CISA alerts or new contract awards for defensive key-management tooling.
Recorded Future: At least two additional Five Eyes partners will publish parallel recovery-key warnings by Q2 2025.
Sources (3)
- [1] Rewards for Justice Program: https://www.state.gov/rewards-for-justice-program-reward-offer-for-information-on-russian-cyber-actors/
- [2] FBI Flash Alert: https://www.fbi.gov/contact-us/field-offices
- [3] SBU Public Statement: https://ssu.gov.ua/en/