State Department offers $10 million reward for information on Russian cyber spies
The State Department is offering up to $10 million for information on Russian intelligence hackers targeting the Signal and WhatsApp accounts of U.S. officials and journalists.
The…
The State Department is offering up to $10 million for information on Russian intelligence hackers targeting the Signal and WhatsApp accounts of U.S. officials and journalists.
The bounty, issued through the State Department’s Rewards for Justice program, targets Russian state-linked hackers tied by U.S. authorities to a long-running campaign against commercial messaging applications (CMAs).
“Using social engineering techniques, these malicious cyber actors exploit legitimate device-linking features in these secure messaging applications to gain unauthorized access to sensitive government communications, contact lists and group conversations,” the State Department said on its website.
A March FBI warning said the espionage campaigns had already resulted in unauthorized access to thousands of individual CMAs.
“The activity targets individuals of high intelligence value, such as current and former U.S. government officials, military personnel, political figures and journalists,” the notice said.
The latest update shared examples of messages used to gain unauthorized access to the accounts, demonstrating the campaign was not a smash-and-grab cybercrime spree aimed at emptying bank accounts.
Instead, it was a sophisticated espionage operation targeting the people who shape, report on and execute Western policy toward Russia and Ukraine, according to the State Department.
In July 2016, hackers associated with the Russian government carried out the same type of targeted spearphishing campaign against several political figures, including John Podesta, Hillary Clinton’s then-presidential campaign chairman, exposing about 50,000 of his emails.
The hacking campaign fueled allegations that the Trump campaign colluded with Russia to influence the 2016 election, leading to years of investigations into Trump.
“Cybersecurity professionals should not only study how these attacks were conducted, but they should also use them to educate employees on just how catastrophic spearphishing attacks can be to any organization,” Barracuda Networks, a cybersecurity firm, said.
In the March 2026 warning, the FBI said Russian agents sent phishing messages over the CMAs while posing as automated support accounts. The messages relied on social engineering to persuade users to click links and share information.
The messages urged victims to click links, provide verification codes or supply account PINs. If the target complied, the attackers could link their own device to the victim’s messaging account or take over the account entirely.
One sample message obtained by the FBI opened with “Signal is here” and warned about supposed hacking attempts from Iran and former Soviet countries. It then instructed users to enable Signal backups and copy the recovery key.
Another sample message, titled “Action Required: Data Recovery Needed,” told victims their messages and media were at risk of permanent loss unless they copied the recovery key and pasted it into the chat.
Possession of the recovery key is what makes the scheme so dangerous because it is tied to both a device and a phone number.
The FBI warned a stolen recovery key can remain valid even if the victim deletes the compromised account and creates a new account using the same phone number. To shut off that access, the user must manually generate a new recovery key in Signal’s settings.
The FBI said the hackers were associated with Russian intelligence services, including officers assigned to Russia’s Federal Security Service Border Guard Service and others working on behalf of Russian military intelligence.
In some cases, Russian actors also used manipulated Signal group invitation links to connect attacker-controlled devices to victims’ accounts, investigators said.
Once an account is compromised, hackers can read messages and contact lists, send messages from the account and use the compromised account to target additional victims.
Barracuda Networks reported that in 2016 Russian intelligence agents created fake email addresses copied from the Podesta account, altered by a single letter, to target 30 additional Clinton campaign staff members in the phishing scheme.
The 2026 hacking campaigns have also been identified by intelligence agencies in the Netherlands, Germany and France, according to The Hacker News.
Google has reported that Russian hackers it has tracked since early 2025 have been tricking people into linking their devices to attacker-controlled phones on the messaging platforms Signal, WhatsApp and Telegram.
Previously, the State Department offered a $10 million reward for information leading to a North Korean hacker accused of helping Pyongyang extort ransom payments from American health care providers, according to Radio Free Asia.
The United States has paid more than $250 million to more than 125 people over four decades through the Rewards for Justice program, Radio Free Asia reported.
The reward seeks information, likely from Russian insiders, including the identities, locations, technical support personnel, contractors and financial infrastructure behind the Russian intelligence operation.

