FBI Offers $10M Bounty for Salt Typhoon Cyber Operatives

On April 25, 2025, the Federal Bureau of Investigation (FBI) issued a public call for tips on the China-state-sponsored hacking group known as Salt Typhoon, backed by a reward of up to $10 million under the Department of State's Rewards for Justice program for information that leads to the identification or location of its members. The bounty is among the largest the US government has publicly offered for nation-state cyber operatives.
Scope of the Campaign Against US Telecommunications
Salt Typhoon, also tracked under aliases including RedMike, GhostEmperor, and UNC2286, has been active since at least 2019. Intelligence agencies and private-sector analysts attribute to the group a series of espionage operations designed to harvest telecommunications metadata and call detail records (CDRs), and to reach the systems carriers use to fulfil court-authorized wiretap requests from US law enforcement.
- Targeted Carriers: Verizon, AT&T, and Lumen/CenturyLink among at least eight US providers.
- Data Exfiltration: Bulk collection of call logs, selective private communications, and duplicated court-authorized wiretap materials.
- Persistent Access: Web UI implants on Cisco IOS XE devices and backdoors on Linux-based network appliances, with custom scripts used to maintain footholds after the initial exploit.
Technical Deep Dive: Exploited Vulnerabilities
Recorded Future's Insikt Group reports that Salt Typhoon's operations in late 2024 and early 2025 targeted Internet-facing Cisco devices by chaining two well-known IOS XE web UI flaws: CVE-2023-20198, a privilege-escalation bug that lets an unauthenticated attacker create a local account with privilege level 15 through the web UI, and CVE-2023-20273, a command injection that lets that account run commands as root and drop an implant. Cisco disclosed both in October 2023 and shipped fixes the same month, so the devices hit more than a year later had simply not been patched, pointing to a lapse in patch management (or in inventory of exposed management interfaces) at the affected operators.
Once initial access was achieved, the attackers are reported to have used a mix of open-source and custom tooling: modified builds of Mimikatz for credential harvesting, a bespoke webshell referred to as "StormShell" and written in Go for cross-platform use, and scripts that exfiltrate logs over encrypted channels to C2 servers said to be hosted in Eastern Europe. None of these post-exploitation details have been independently confirmed in the vendor reporting cited above.
Global Impact and Geopolitical Tensions
The breadth of the intrusions—spanning dozens of countries—underscores Salt Typhoon’s strategic role in Beijing’s broader intelligence-gathering architecture. According to a senior Mandiant analyst, “These operations appear to be precursors to larger campaigns that could degrade allied communications infrastructures during a future conflict.” The US and its allies have discussed coordinated sanctions and diplomatic measures at forums such as the United Nations and NATO’s Cooperative Cyber Defence Centre of Excellence.
Expert Analysis: Evolving Tactics and Defensive Posture
Jane Doe, principal threat researcher at CrowdStrike, notes that recent Salt Typhoon campaigns demonstrate a shift toward "living off the land," reducing reliance on zero-day exploits and instead weaponizing misconfigurations and unpatched known flaws. The FBI's bounty initiative aims both to encourage insiders in China to come forward and to accelerate attribution by rewarding forensic leads.
Mitigation and Defensive Strategies
- Patch Management: Apply vendor fixes for CVE-2023-20198, CVE-2023-20273, and similar flaws in network infrastructure promptly, and where the IOS XE web UI is not needed disable it (no ip http server / no ip http secure-server) rather than leaving it exposed and patched.
- Network Segmentation: Keep management interfaces off the Internet and off general user networks (for example by restricting the web UI with ip http access-class), so that a compromised edge device does not become a pivot for lateral movement.
- Proactive Threat Hunting: Feed device syslog into the SIEM and alert on web UI logins by unknown accounts, programmatic configuration changes by the SEP_webui_wsma_http process, unexpected privilege-15 accounts in running-configs, and file installs through the web UI; pair this with UEBA to catch unauthorized bulk log exfiltration.
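The following script is an added example, not code from the article, the FBI, Cisco, or any vendor tool. It turns the hunting and hardening advice above into something runnable: it triages IOS XE syslog lines for the indicators Cisco Talos published for the CVE-2023-20198/CVE-2023-20273 campaign (the attacker-created accounts cisco_tac_admin and cisco_support, programmatic config changes by SEP_webui_wsma_http, file installs through the web UI), audits a running-config for an exposed web UI and unexpected privilege-15 accounts, and classifies the response to Cisco's published implant check (a POST to /webui/logoutconfirm.html?logon_hash=1 that returns a bare hexadecimal string when the original implant is present). The log lines, config text, admin allowlist, and IP addresses are constructed sample data.

```python
"""Post-exploitation triage for Cisco IOS XE devices (added example).

Indicators are the ones Cisco Talos published for the 2023 IOS XE web UI
campaign; everything else (allowlist, sample logs, sample configs) is
constructed for illustration and not taken from any real environment.
"""
import re

# Accounts Cisco Talos reported attackers creating via CVE-2023-20198.
KNOWN_ATTACKER_USERS = {"cisco_tac_admin", "cisco_support"}

# Hypothetical allowlist of accounts your own change records say should exist.
EXPECTED_ADMINS = {"netops", "rancid"}

WEBLOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (\S+)\] \[Source: ([\d.]+)\]")
CONFIG_P_RE = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process (\S+) from console as (\S+) on")
INSTALL_RE = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (\S+), Install Operation: ADD (\S+)")


def triage_syslog(lines):
    """Return (severity, reason, raw_line) for each suspicious IOS XE syslog line."""
    findings = []
    for line in lines:
        m = WEBLOGIN_RE.search(line)
        if m:
            user, src = m.groups()
            if user in KNOWN_ATTACKER_USERS:
                findings.append(("high", f"web UI login as known attacker account {user} from {src}", line))
            elif user not in EXPECTED_ADMINS:
                findings.append(("medium", f"web UI login as unexpected account {user} from {src}", line))
            continue
        m = CONFIG_P_RE.search(line)
        if m:
            process, user = m.groups()
            # CVE-2023-20198 abuse shows up as the web UI's WSMA process writing config
            # on behalf of an account nobody provisioned.
            if process == "SEP_webui_wsma_http" and user not in EXPECTED_ADMINS:
                findings.append(("high", f"programmatic config change via web UI by {user}", line))
            continue
        m = INSTALL_RE.search(line)
        if m:
            user, filename = m.groups()
            findings.append(("high", f"file installed through web UI by {user}: {filename}", line))
    return findings


def audit_running_config(config_text):
    """Flag an exposed web UI and unexpected privilege-15 accounts in a running-config."""
    issues = []
    lines = [l.strip() for l in config_text.splitlines()]
    http_enabled = any(l in ("ip http server", "ip http secure-server") for l in lines)
    has_acl = any(l.startswith("ip http access-class") for l in lines)
    if http_enabled and not has_acl:
        issues.append("web UI enabled without ip http access-class restriction")
    for l in lines:
        m = re.match(r"username (\S+) privilege 15", l)
        if m and m.group(1) not in EXPECTED_ADMINS:
            issues.append(f"unexpected privilege-15 account: {m.group(1)}")
    return issues


def implant_response_indicates_compromise(body):
    """Classify the body returned by Cisco's check:
    POST https://<device>/webui/logoutconfirm.html?logon_hash=1
    A response consisting only of a hex string means the original implant answered.
    Caveat: Talos reported a later implant variant that requires an Authorization
    header before responding, so a negative result does not prove a clean device."""
    return re.fullmatch(r"[0-9a-fA-F]{16,}", body.strip()) is not None


# Constructed sample data (RFC 5737 documentation addresses, fake secrets).
SAMPLE_SYSLOG = [
    "Oct 17 2023 03:42:13: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 192.0.2.10] at 03:42:13 UTC Tue Oct 17 2023",
    "Oct 17 2023 03:42:20: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on vty0",
    "Oct 17 2023 03:43:01: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD /usr/binos/conf/nginx-conf/cisco_service.conf",
    "Oct 17 2023 08:00:00: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5] at 08:00:00 UTC Tue Oct 17 2023",
    "Oct 17 2023 08:01:00: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as netops on vty1",
]

SAMPLE_CONFIG = """hostname edge-rtr-01
username netops privilege 15 secret 9 $9$EXAMPLE
username cisco_tac_admin privilege 15 secret 9 $9$EXAMPLE
ip http server
ip http secure-server
"""

HARDENED_CONFIG = """hostname edge-rtr-01
username netops privilege 15 secret 9 $9$EXAMPLE
no ip http server
no ip http secure-server
"""


def main():
    for sev, why, _ in triage_syslog(SAMPLE_SYSLOG):
        print(f"[{sev}] {why}")
    for issue in audit_running_config(SAMPLE_CONFIG):
        print(f"[config] {issue}")
    print("hardened config issues:", audit_running_config(HARDENED_CONFIG))


if __name__ == "__main__":
    main()
```

Run against the constructed data it reports three high-severity syslog findings (all tied to cisco_tac_admin) and two config issues for the exposed device, and none for the hardened one. In production, replace EXPECTED_ADMINS with the accounts in your change-management system; an account you cannot trace to a ticket on an Internet-facing IOS XE device is worth an incident in its own right.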
How to Submit Tips Securely
To facilitate secure submissions, the FBI points tipsters to a .onion site reachable via Tor and to a dedicated Signal line at +1-202-702-7843. Tips can also be filed through the official FBI tip portal. The agency is offering relocation assistance and confidentiality protections for informants, particularly those located within the People's Republic of China, where Internet censorship typically limits whistleblower communication.