Russian Social Engineering Campaign Hijacked Signal and Messaging Accounts
Ukraine’s Security Service (SBU) said that, in coordination with the FBI, it uncovered a long-running Russian campaign that used social engineering to compromise messaging accounts belonging to government officials, military personnel, politicians, activists, journalists, and other high-value targets in Ukraine, Europe, and the United States. According to Ukrainian and U.S. authorities, the attackers impersonated messaging-platform support teams in text and in-app messages, often contacting victims in the morning, and tricked them into handing over credentials and other sensitive account data. That gave the attackers access to military, political, economic, and personal communications.
The FBI and CISA separately warned that Russian intelligence-linked operators are specifically phishing Signal Backup Recovery Keys, allowing them to restore backups, read private and group message history, and take over accounts without breaking Signal’s encryption. The updated advisory said the broader operation has already compromised thousands of accounts worldwide and is tracked publicly as UNC5792 and UNC4221, with links to multiple Russian intelligence services, including FSB-associated personnel and Russian military services. U.S. and allied agencies in the Netherlands, Germany, and France urged users to distrust messages claiming to be from Signal support, never share verification codes, PINs, or Recovery Keys, and review linked devices for unauthorized access.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
U.S. offers $10 million reward for UNC5792 and UNC4221 members
The United States announced a reward of up to $10 million for information leading to the identification or location of members of the Russia-linked groups UNC5792 and UNC4221. Authorities said the groups are tied to Russian security and intelligence services and were involved in social-engineering campaigns targeting Signal and WhatsApp accounts.
State Department offers reward tied to UNC5792 activity
The U.S. State Department’s Rewards for Justice program offered up to $10 million for information on UNC5792. The reward was cited in connection with the Russian intelligence-linked activity targeting Signal users.
FBI and CISA update advisory to add Signal Recovery Key phishing
The FBI and CISA updated their earlier advisory to warn that Russian intelligence-linked operators were phishing Signal users for Signal Backup Recovery Keys, enabling backup restoration, message access, and account takeover. The update said the broader campaign had already compromised thousands of accounts worldwide and identified tracking names UNC5792 and UNC4221.
FBI and CISA issue advisory on Russian targeting of Signal users
A March advisory warned of a Russian intelligence-linked campaign targeting Signal users through social engineering rather than breaking the app's encryption. The activity targeted high-value individuals including government officials, military personnel, journalists, political figures, and Ukrainian officials.
SBU and FBI uncover long-running messaging account campaign
Ukraine’s Security Service said, together with the FBI, it uncovered a long-running Russian campaign targeting messaging accounts of government officials, military personnel, politicians, activists, and others in Ukraine, Europe, and the United States. According to the disclosure, the operation relied primarily on social engineering, including impersonation of messaging platform support services to steal credentials.


