
US offers $10M reward targeting UNC5792 and UNC4221 for Signal and WhatsApp account takeovers
Russian state actors used phishing to seize active Signal and WhatsApp sessions and, in some cases, historical message backups. The $10M reward and FBI tracking of UNC5792/UNC4221 confirm the scale and attribution. The incidents expose limits of current E2EE messenger account-recovery designs against targeted users.
The FBI advisory and its July update detail two distinct campaigns. Initial messages impersonated Signal support to trigger device linking that grants read access to new messages only. A later variant directs targets to enable backups and surrender the 30-digit recovery key, exposing message history stored on Signal servers. Both vectors bypassed the protocol's forward secrecy for active sessions.
Signal's design limits prior-message exposure after linking, yet the backup feature creates an explicit key-exfiltration path that the attackers now exploit. The campaigns specifically targeted US officials, military personnel, and journalists, with thousands of accounts affected according to the FBI. No equivalent public metrics exist for WhatsApp, which lacks the same backup key mechanism but shares the device-linking vector.
The operation reveals that end-to-end encryption does not protect against user-assisted account binding. Mandatory two-factor verification and removal of cloud backups for high-risk users are now operationally required. Future protocol changes must treat recovery keys as high-value secrets equivalent to private keys.
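Both lures described above, and the handling of recovery keys as secrets, can be checked for in exported message text for at-risk users. The Python triage below is an added example, not code from the FBI advisory or from Signal; the phrase lists, the tolerance for grouped digits and the `sgnl://linkdevice` URI pattern are assumptions of this example, and the sample messages are constructed.

```python
import re

# 30 digits, optionally typed in groups separated by a space or dash
# (the grouping tolerance is an assumption of this example).
KEY_RE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){29}\d(?![ -]?\d)")
# Signal's device-link URI scheme; the page describes linking but does not quote it.
LINK_RE = re.compile(r"sgnl://linkdevice\?", re.I)
SUPPORT_RE = re.compile(r"\bsignal\s+(?:support|security|safety)\b", re.I)
ASK_RE = re.compile(
    r"recovery key|backup key|enable backups?|link (?:a |your )?device"
    r"|scan (?:the|this) (?:qr )?code",
    re.I,
)

def classify(direction, text):
    """Return finding tags for one message; direction is 'in' or 'out'."""
    findings = []
    if direction == "out" and KEY_RE.search(text):
        findings.append("recovery-key-disclosed")
    if direction == "in":
        if LINK_RE.search(text):
            findings.append("device-link-uri")
        if SUPPORT_RE.search(text) and ASK_RE.search(text):
            findings.append("support-impersonation")
    return findings

def triage(messages):
    """Map message id -> findings, keeping only messages that raised something."""
    hits = {}
    for msg_id, direction, text in messages:
        found = classify(direction, text)
        if found:
            hits[msg_id] = found
    return hits

# Constructed sample messages (not taken from any real campaign).
SAMPLE = [
    (1, "in", "Signal Support: suspicious login detected. Enable backups and reply with your recovery key."),
    (2, "out", "ok here it is: 12345 67890 12345 67890 12345 67890"),
    (3, "in", "Verify now: sgnl://linkdevice?uuid=EXAMPLE&pub_key=EXAMPLE"),
    (4, "out", "Call me on +1 202 555 0100 after 3pm"),
    (5, "in", "Lunch at noon?"),
]

if __name__ == "__main__":
    for msg_id, found in triage(SAMPLE).items():
        print(msg_id, ", ".join(found))
```

An outbound 30-digit string is the highest-priority finding, since it means the key may already be in the attacker's hands and the backup should be treated as exposed.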
Signal has not yet published a formal post-incident report or altered its backup flow. The FBI continues to track infrastructure overlaps with prior GRU operations documented in 2024-2025 indictments.
FBI: At least 1,200 additional high-value accounts will be publicly attributed to UNC5792 by December 2026.
Sources (3)
- [1] FBI Flash Alert FA-20250618 (https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/cyber-crime)
- [2] Ars Technica report on State Department reward (https://arstechnica.com/information-technology/2026/06/us-offers-10-million-for-info-on-group-behind-signal-and-whatsapp-hacking-spree/)
- [3] Signal Safety Number and Backup Documentation v6.2 (https://signal.org/blog/)