US offers $10 million for information on a Signal and WhatsApp hacking campaign

The United States government is offering a reward of up to $10 million for information about a group behind a hacking campaign aimed at users of the encrypted messaging apps Signal and WhatsApp, according to Ars Technica. The size of the bounty is a measure of how seriously authorities regard attacks on the tools that hundreds of millions of people rely on for private communication.

Large reward offers of this kind are a recognised instrument of cybersecurity policy. When suspected attackers operate from beyond easy legal reach, financial incentives for tips can help identify the individuals involved, map their infrastructure, or pressure associates into coming forward. The mechanism trades money for intelligence that traditional investigation alone may struggle to obtain.

The targets in this case are significant. Signal and WhatsApp are among the most widely used encrypted messaging platforms in the world, valued precisely because their end-to-end encryption is designed so that only the sender and recipient can read a message. That makes them essential tools for ordinary users, but also high-value targets for those seeking to surveil or compromise specific people.

It is important to understand what attacks on these apps usually involve. End-to-end encryption, when correctly implemented, is extremely hard to break directly. So attackers typically aim not at the encryption itself but at the devices and accounts around it, through phishing, malicious links, vulnerabilities in phones, or tricks that hijack an account. The encryption can be sound while the user is still compromised by other means.

The involvement of a coordinated group, as described in the reporting, points to an organised effort rather than opportunistic crime. Campaigns that target users of specific secure-messaging apps are often associated with attempts to monitor particular individuals, which can include journalists, activists, officials or others whose communications are of interest to a capable adversary.

For that reason, attacks on encrypted messengers carry implications beyond ordinary cybercrime. They touch on surveillance, press freedom and the safety of people who depend on confidential communication. A government attaching a multi-million-dollar reward signals that it views the campaign as a serious matter, potentially with a national-security dimension.

For everyday users, the episode is a reminder that secure apps are necessary but not sufficient on their own. The encryption protects messages in transit, but the security of the conversation also depends on the device and the user's habits. Keeping software updated, treating unexpected links and login prompts with suspicion, and enabling available account-protection features all reduce exposure to the kinds of attack that bypass encryption.

The app makers themselves are continually engaged in this contest. Companies behind major messengers invest heavily in detecting and closing the avenues attackers use, and they sometimes alert users they believe have been targeted. Cooperation between platforms and authorities, supported by tips that rewards like this aim to generate, is part of how such campaigns are eventually unravelled.

It is worth being precise about what a reward offer is and is not. It is a tool for gathering information, not a resolution of the case. Whether it leads to identifications, arrests or disruption depends on what information surfaces and how it is used, and those outcomes typically unfold over a long period and often out of public view.

The broad takeaway is that secure messaging has become important enough that attacks on it draw a major government response. The $10 million figure, as reported by Ars Technica, underscores both the value placed on protecting private communication and the seriousness with which a coordinated campaign against these platforms is being treated.