The FBI considers Evgeniy Bogachev one of the world’s most prolific and brilliant cybercriminals, slapping his photos – bald, beefy-faced and smiling faintly – on “Wanted” fliers posted online. The Russian would be an ideal target for prosecution – if only the Justice Department could find him.
Unable to capture him in the 10 months since his indictment, the government has turned to a time-honored technique long used for more conventional crime: putting a bounty on Bogachev’s head.
It’s too soon to say whether the $3 million reward for information leading to his arrest, offered under a special State Department program, will pay off. But federal officials say they intend to use the strategy in additional cyber cases involving international hackers whose whereabouts are either unknown to the U.S. government or who are holed up in nations that have little or no diplomatic relations with the United States.
“We’ve really not done something like this” in cyber cases, Robert Anderson, an FBI executive assistant director, said in announcing the reward. “All of a sudden, somebody’s putting an ‘x’ on somebody, saying, ‘Bring him to justice, you get $3 million.’ ”
The reward is also a reminder of how many accused masterminds of cyberattacks on U.S. targets remain out of reach for law enforcement.
Five Chinese military officials were indicted last spring on charges of siphoning away corporate secrets from computer systems of major American business. Federal officials say they’re committed to bringing them to justice, but they won’t speak publicly about what they’re doing to nab them. Experts are skeptical that the military officials will ever see the inside of a courtroom.
Roman Zolotarev, charged in Nevada with masterminding a massive underworld marketplace of credit-card fraud and identity theft, also is not in federal custody, even though lower-level members of the operation, called Carder.Su, have been convicted.
The culprits behind the Sony Pictures Entertainment hacking have not been publicly identified, though the FBI has linked it to the North Korean government.
Some defense lawyers for more-peripheral players charged in cybercrimes have seized on the absence of accused ringleaders, highlighting a potential vulnerability in the government’s cases. The argument was raised in the 2013 trial of David Ray Camez, who was ultimately sentenced to 20 years in prison for his role in the Carder.su organization.
“And they talk about all these people that created Carder.su, the real people, the bad guys in this case, where are they at?” Camez’s lawyer, Chris Rasmussen, told jurors. “They don’t have any of these Russians here. There’s no Russians in this courtroom. Where are they?”
There’s generally limited recourse against hackers committing crimes from countries like Russia and China, where the U.S. lacks formal extradition treaties. Justice Department officials say they’re hopeful that as more countries are harmed by international cybercrime, there will be fewer sanctuaries for such criminals. And sometimes, the best hope is for criminals to become careless over time and travel to countries where they’re exposed to arrest.
“It can be a long, cold winter in Russia. A lot of these people have a lot of money. It’s pretty tempting to travel somewhere warmer,” Assistant Attorney General Leslie Caldwell, chief of the Justice Department’s criminal division, said in an interview.
There are isolated examples of that happening, though not as many as the U.S. would like.
Roman Seleznev, the son of a Russian lawmaker, was arrested last July after he traveled to the Maldives and is awaiting trial in Seattle on charges that he led a marketplace for stolen credit cards that raked in millions of dollars.
Vladimir Drinkman was arrested in Amsterdam in 2012 and extradited to New Jersey last month to face charges in a massive computer-hacking scheme involving the theft of credit- and debit-card numbers from entities including JC Penney and 7-Eleven.
Bogachev was indicted in Pittsburgh last year, accused of running two schemes that authorities say caused widespread financial losses. One, Cryptolocker, was a ransom-demanding virus that infected hundreds of thousands of computers. Another, Gameover Zeus, involved malicious software that intercepted customer bank-account numbers and passwords that victims typed in. Both have been dismantled.
The FBI hasn’t revealed much about the 31-year-old Bogachev, but the agency says he’s believed to be in Russia and may travel by boat to locations along the Black Sea.
The $3 million reward is offered under a 2-year-old State Department program that so far has paid out more than $20 million and has posted rewards for people suspected of wildlife trafficking and international smuggling, among other crimes. This is the first reward offered under the program for this type of cybercrime.
Shawn Henry, a retired executive assistant director of the FBI and president of CrowdStrike Services, a security technology company, said it’s challenging to find suspects in cyber cases, and a reward can attract tips. But other tactics, such as negotiations among governments, also are needed to deter attacks, he said.
“Time will tell whether this is a successful tactic or not,” Henry said. “It’s a strategy, and it’s certainly not the sole strategy.”