By anyone’s standards, $10 million is a lot of money, more than the average citizen will spend or earn in a lifetime of work.
How many ways might someone become the recipient of such a large sum? A lottery win perhaps, although that’s statistically unlikely. An inheritance? More imaginable but still improbable.
And yet there is one route to earning $10 million that’s gaining more of a profile—send the U.S. State Department information on cybercriminals and the crime groups they’re alleged to work with.
Take, for instance, the following recent State Department Twitter alert regarding the Russian Clop ransomware group, which has targeted numerous U.S. organizations, most recently in the mass data breach that exploited the MOVEit file transfer platform:
“Do you have info linking CL0P Ransomware Gang or any other malicious cyber actors targeting U.S. critical infrastructure to a foreign government? Send us a tip. You could be eligible for a reward.”
Earning the full $10 million would probably demand some pretty spectacular information such as the location of the group’s ringleaders or foreign-based enablers. But the mere fact that this group is rated in the $10 million category of rewards serves as a clear signal of its significance.
State Department Bounty Programs
The bounty on Clop’s head is only the latest salvo in the State Department’s expanding Rewards for Justice (RFJ) program which offers money in return for information regarding four categories of crime: terrorism, foreign interference in U.S. elections, malicious cyber activity, and activities supporting North Korea.
The State Department runs a second program, the Transnational Organized Crime Rewards Program (TOCRP). This seems to be aimed more at disrupting narcotics and trafficking gangs but also, confusingly, mentions cybercrime as part of its remit.
Ironically, the bounty offered for Clop is nothing special—the same magic $10 million bounty has been put on the head of a growing list of threat groups and named cybercriminals in recent times.
Those include a 2022 bounty for information on the Conti ransomware group, and bounties in 2021 relating to the attack on the Colonial Pipeline, along with the Darkside group—again, all worth up to $10 million on the State Department rewards scale.
Individuals connected to ransomware are also having prices put on their heads, for example Mikhail Pavlovich Matveev, who is allegedly involved with the LockBit group. And this is only an illustration; many others have been similarly tagged as big bounties become the norm.
But Do They Work?
What we don’t know is how well bounties work, because that’s rarely revealed beyond the following general statement:
“Since its inception, RFJ has paid in excess of $250 million to more than 125 individuals who provided useful information that helped to protect U.S. national security. These efforts have saved countless innocent lives.”
That sounds like a lot of money, but this is a program that’s been running since 1984 and has mostly bagged people connected to terrorism. Cybercrime might be a harder nut to crack. For a start, unlike most terrorists, cybercriminals have a lot of money of their own. The incentive to earn $10 million should be obvious but some top ransomware groups can probably earn that in a week.
So, does offering large bounties work? Overall, there’s not much evidence in either direction.
The measure of any cybercrime bounty is that the named groups are disrupted and/or key members arrested. Arrests do happen from time to time but it’s never clear what, if any, role bounties might have played.
It’s also possible they offer crime groups a badge of notoriety that plays into their sense of self-importance. What we can say for sure is that they don’t deter ransomware groups—there has never been any obvious slackening in the pace of ransomware attacks since big bounties started being offered. Even so, offering bounties might still be worth it as a psychological tactic. It’s a way to wage war through uncertainty, a reminder that even rich cybercriminals should never stop worrying about that unexpected tap on the shoulder.