Bounty for data thieves: Will it help or hurt?
Bounties and rewards have been offered for the capture of criminals, or for information leading to their capture, since at least the first-century Roman Empire, when a tavernkeeper in Pompeii offered a reward for the return of a stolen copper pot and for information leading to the capture of the thief.
In modern times, the US government has offered bounties for help capturing criminals from the FBI’s Ten Most Wanted list since 1950. And since the passage of the 1984 Act to Combat International Terrorism, the US government has offered rewards for information regarding terrorism, foreign election interference, and malicious cyber activity through its Rewards for Justice (RfJ) program.
This past June, a reward of $10M was offered under the RfJ program for information leading to the apprehension of Maxim Alexandrovich Rudometov and others believed to be linked to the creation and deployment of the RedLine malware.
The Coinbase bounty
In a novel development, a victim of cyber-extortion — the crypto exchange operator Coinbase — recently offered a reward of $20M in exchange for information leading to the identification and capture of the criminal or criminals who acquired sensitive customer data and demanded that same amount in exchange for not disclosing it publicly.
What happened is someone bribed some of Coinbase’s customer-support staff to steal and hand over a bunch of data — customer names, phone numbers, addresses, email addresses, account balances, partial account numbers, and more (but no passwords or private keys). Then they emailed Coinbase to tell them that they would not make the data public if they were paid $20M.
This data could easily be used to launch phishing scams that might fool customers into, for example, moving deposits from their real Coinbase accounts to other, fraudulent accounts. It’s not clear whether any customers have been affected or suffered any losses, but Coinbase has pledged to cover any such losses if they occur.
Coinbase responded by announcing the theft and refusing to pay the ransom. The company’s blog post on the matter said, in part:
“We’re cooperating closely with law enforcement to pursue the harshest penalties possible and will not pay the $20 million ransom demand we received. Instead we are establishing a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible for this attack.”
Coinbase estimates that the total cost of recovering from the attack could be as high as $400M. And they warn customers to “expect imposters” trying to defraud them of their crypto holdings.
Good or bad?
Good on Coinbase for refusing to pay the ransom. That’s what law enforcement and cybersecurity professionals have long urged ransomware victims to do, and the same applies to data extortion that, as in this case, does not involve any malware.
But there is a question to be asked about the long-term effects of setting the precedent of offering a bounty. If this becomes a common response to extortion attempts, will it have overall positive or negative effects on the cyberthreat landscape?
On the plus side, it does seem likely that this bounty will make it easier to apprehend specific cybercriminals. There’s no honor among thieves, someone knows who did this, and $20M is nothing to sneeze at.
But history teaches that there are definite risks to systematically offering bounties. The emergence of bounty-hunting as a profession has never been an unalloyed good. You don't have to look closely at history to see that bounty systems have driven lawlessness and violence throughout the past. Furthermore, crooks don’t care whether their $20M payday comes as a ransom payment or a reward. And I guarantee you that right now there are cybercriminals scheming to get that money by whatever means necessary.
So if bounties for hackers become commonplace, it’s entirely possible that they will mark the emergence of a whole new category of cyberfraud, ultimately increasing overall threat levels rather than lowering them.
There’s no way to know whether that tavernkeeper in Pompeii got his pot back or caught the thief. But if he did, then there’s at least a chance that his reward led to him being robbed again and again.