Signal and WhatsApp aren't breached the way your email is breached—there's no front door lock you picked or password you cracked.
Russian state intelligence has maintained active access to encrypted messages on these platforms since at least March. The US government just announced a $10 million bounty for information leading to the identification of the groups responsible, assuming that knowing who they are means we can stop them.
That assumption is wrong. This isn't about catching spies—it's about a structural vulnerability in how encrypted messaging actually works at scale.
What Russia appears to have done is establish persistent access to the messaging stack itself at a level below where encryption even applies. They didn't target the messages themselves—they targeted the device, the data before encryption happens, the data after decryption happens, the metadata that reveals who is talking to whom and when and from where. A bounty identifies perpetrators and can result in indictments and sanctions. It doesn't close the vulnerability because the structural problem remains untouched.
A bounty works only if catching the thief prevents the theft. When the theft is structural, it just pays you to name it.
The US government identified a crime and assumed solving the crime meant solving the problem. In reality, the crime is a symptom and the problem is that encrypted messaging architecture deployed globally and integrated with commerce and politics and espionage has a surface area no amount of cryptographic elegance can fully protect.