US offers $10 million for info on group behind Signal and WhatsApp hacking spree

The US government is offering $10 million for information leading to the identification of operatives behind a hacking campaign targeting Signal and WhatsApp users. Two Russian state-sponsored groups have conducted the operation since at least March, according to federal officials.

The reward, issued through the State Department's Rewards for Justice program, targets the actors responsible for compromising these encrypted messaging platforms. Hackers exploited vulnerabilities in both applications to intercept communications and harvest user data, bypassing the end-to-end encryption that makes these services popular with journalists, activists, and security-conscious users.

The Russian state groups leveraged sophisticated techniques to gain initial access to target devices before deploying malware that intercepted messages at the application level. This approach circumvents encryption protections by attacking the applications themselves rather than the encryption protocols. The campaign focused on high-value targets including government officials, journalists, and activists across multiple countries.

Signal and WhatsApp represent two of the world's most widely used encrypted messaging platforms, collectively serving billions of users. Both companies patched the exploited vulnerabilities after discovery, but the months-long operation before detection underscores the persistent threat posed by state-level actors.

The reward announcement reflects escalating US-Russia tensions over cyber operations. American intelligence agencies have documented consistent Russian efforts to penetrate communications infrastructure used by government and private sector targets. The $10 million bounty aims to generate leads from insiders or associates of the hacking groups who might provide actionable intelligence.

Neither Signal nor WhatsApp disclosed the full scope of compromised accounts or the exact number of affected users. The companies declined to provide specific details about vulnerability chains used in the attacks. Security researchers indicate the campaign targeted fewer than 100 accounts, suggesting the operation focused on high-priority objectives rather than mass exploitation.

The State Department did not name specific individuals or organizational units within Russian intelligence services responsible for the attacks,