Washington is putting a price on the heads of hackers who've been spying on encrypted chats. The US State Department is offering up to $10 million, through its Rewards for Justice program, for information on hacking groups behind a campaign that has compromised Signal and WhatsApp accounts, The Record reported. US officials attribute the activity to groups linked to Russian intelligence — tracked as UNC5792 and UNC4221 — and say the reward covers details on the groups' members, infrastructure, funding and crypto wallets.

They didn't break the encryption

The most important point for anyone who uses these apps: the encryption wasn't cracked. Signal and WhatsApp use end-to-end encryption, meaning messages are scrambled so only the sender and recipient can read them. Rather than defeat that, the attackers used social engineering — deception — to get users to hand over access, as BleepingComputer detailed.

The tactics, per the reporting:

  • Fake "verification" prompts — phishing messages posing as the app's support team, telling targets to enter their account PIN or backup recovery key (a credential that can restore an account — and hand an attacker the message history).
  • Malicious QR codes — tricking a user into scanning a code that links the attacker's device to the victim's account, quietly mirroring their messages.
  • Harvesting two-factor authentication codes.

Once in, the attackers can read private and group chats and contacts — not by beating the math of encryption, but by walking through the front door the user unwittingly opened.

Who's being targeted

According to the US, the campaign has hit thousands of accounts, with targets including government officials, diplomats, defense and intelligence personnel, NGOs working on Ukraine, and journalists covering Russia and the war. In other words, this is espionage aimed at high-value individuals, not mass financial fraud.

Why it matters beyond Washington

For Boursel's readers, the lesson is a business-security one. Executives, dealmakers and firms increasingly rely on Signal and WhatsApp for sensitive conversations precisely because they're encrypted. This campaign is a reminder that encryption protects the message, not the user: if someone is tricked into surrendering a recovery key or linking a rogue device, the strongest encryption in the world won't help. It fits the broader pattern Boursel has covered — state-backed and increasingly sophisticated cyberattacks, where the weak link is human, not mathematical.

The use of a multimillion-dollar bounty is itself notable. Rewards for Justice, historically aimed at terrorists, has been repurposed to chase state-sponsored hackers — a sign of how seriously governments now treat cyber-espionage, and a bet that money might pry loose intelligence that technical defenses can't.

The takeaway

The practical defense is unglamorous but effective: treat recovery keys, PINs and "verify your account" messages with the same suspicion as a password request from a stranger, and never link a device or scan a login QR code you didn't initiate. Boursel won't speculate beyond what the US has alleged about who's responsible. But the structure of the attack is the story: in 2026, the easiest way into a "secure" conversation is often to fool the person having it — which is exactly why the threat is so hard to engineer away.