Rewards for Justice is offering a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act.
Under this reward offer, RFJ is seeking information on UNC5792, a malicious cyber group associated with the Russian Federal Security Service (FSB) Border Guards and UNC4221, a malicious group of cyber actors working on behalf of the Russian military services. UNC5792 has conducted widespread phishing campaigns targeting Signal and WhatsApp accounts of U.S. government officials, military leadership, and allied personnel.
Using social engineering techniques, these malicious cyber actors exploit legitimate device-linking features in these secure messaging applications to gain unauthorized access to sensitive government communications, contact lists, and group conversations. After compromising an account, the malicious actors were also able to send messages and conduct additional phishing against other accounts using those same commercial messaging applications
In some instances, UNC5792 actors altered legitimate “group invite” pages to redirect users to a malicious URL that linked a UNC5792-controlled device to the victim’s Signal account. Although these malicious cyber activities did not exploit any security vulnerability in the platforms’ encryption protections, they have compromised thousands of individual commercial messaging application accounts.
Targets of this cyber scheme include U.S. government officials, diplomatic personnel and foreign affairs officials, defense and national security personnel, policy analysts and advisors, NATO member-state officials and diplomats, allied intelligence and defense partners, investigative journalists covering Russia, Ukraine, and international affairs, non-governmental organizations providing support and assistance to Ukraine, and academic researchers in security studies and Russian affairs.
RFJ seeks information on UNC5792 actors, including but not limited to:
• Names, locations, and biographical information of UNC5792 actors
• Affiliations within Russian intelligence services
• Identities of personnel providing technical support
• Contractors or third-party entities providing services
• Domain names, server locations, hosting providers, data storage and processing infrastructure, and technical tools, frameworks, and software used in operations
• Funding sources for operations
• Financial accounts and banking relationships
• Cryptocurrency wallets and blockchain transactions
• Payments for infrastructure, hosting, and domain registration services
• Money flows and financial networks supporting operations


