How much money would it take for you to rat out a member of a Russian organized crime gang?
See Also: Rethinking Endpoint Security
That's one obvious question posed by the FBI's practice of offering big-dollar rewards for people on its "most wanted" list of hackers.
Now in first place on the FBI Cyber's Most Wanted list is Evgeniy Mikhailovich Bogachev, who was indicted by a federal grand jury in 2012 - under the nickname "lucky12345" - on charges ranging from fraud and racketeering to identity theft and hacking.
Bogachev allegedly headed the criminal syndicate known as Evil Corp. and masterminded the Gameover Zeus campaign - designed to steal banking and other personal credentials from infected PCs - that led to an estimated $100 million in losses. Security experts say that as part of the campaign, the malware was often deployed with Cryptolocker ransomware.
The U.S. government is currently offering "a reward of up to $3 million for information leading to the arrest and/or conviction of Evgeniy Mikhailovich Bogachev."
"This is a really interesting development," cybercrime expert and University of Surrey computer-science professor Alan Woodward tells me. "People talk about the Internet being the Wild West; this is almost like taking the Wild West approach to policing and putting up 'wanted' posters."
FBI officials have said they believe that Bogachev remains in Russia; the country has no extradition treaty with the United States. In the past, the U.S. has managed to extradite suspects based in Russia when they traveled through - or vacationed in - a friendly country. Attorney Mark Rasch, who created the computer crime unit at the U.S. Department of Justice, says U.S. law enforcement agencies sometimes also resort to what's called informal extradition, "because kidnapping is such a dirty word."
More "Wanted" Hackers
Beyond Bogachev, the rest of the FBI's top 10 alleged "cyber" public enemies list features smaller rewards, or in some cases no rewards at all:
- Nicolae Popescu ($1 million reward), an alleged "car fraudster" who the FBI has accused of participating in a scheme that stole $3 million by selling people non-existent cars.
- Alexsey Belan ($100,000 reward), who's been indicted on charges that include computer intrusion - last known to be residing in Athens, Greece. He's been accused of hacking into "the computer networks of three major United States-based e-commerce companies in Nevada and California," stealing user data - including "the encrypted passwords of millions of accounts" - and then selling it.
- Viet Quoc Nguyen (no reward), who's been charged with masterminding hack attacks that resulted in the theft of 1 billion email addresses (see Biggest-Ever Data Breach: 3 Charged).
- Peteris Sahurovs ($50,000 reward), who's been accused of running a 2010 malware-driven "international cybercrime scheme" predicated on selling fake computer-security programs, which netted $2 million in fraudulent profits.
- Five members of China's People's Liberation Army (no reward) who were indicted by a federal grand jury in 2014 on 31 criminal counts (see The Real Aim of U.S. Indictment of Chinese).
Do Rewards Work?
The offer of reward money begs the question of whether people would risk their lives by ratting out hardcore criminals, and especially ones that are resourceful enough to have evaded the long arm of U.S. law for months or years. Or as Woodward summarizes: "Would you cross the Russian mafia or some organized crime gang for $3 million?"
Alan Woodward analyzes the U.S. government's move to offer million-dollar rewards for hackers who remain at large.
It's also not clear if these rewards work, from the standpoint of their leading to the capture of at-large fugitives, or helping to deter would-be criminals in general.
But Woodward, who's also a cybersecurity adviser to Europol, says the reward money helps serve as a statement of purpose. "It's a way of saying, 'look, this is how seriously we take it'," he says.
When it actually comes to chasing down criminals, however, reward money is only one tool that law enforcement agencies and prosecutors use to try and bring suspects to trial. "I suspect the more effective parts will be the collaboration, behind closed doors, between FBI and the Russia security services, Europol, Interpol. Those types of links will probably actually, at the end of the day, track the guy down and get him arrested," Woodward says.