Badges, Bytes and Blackmail
Behind the scenes of law enforcement in cyber: what do we know about caught cybercriminals? What brought them in, where do they come from and what was their function in the crimescape?
Introduction: One view on the scattered fight against cybercrime
The growing sophistication and diversification of cybercrime have compelled law enforcement agencies worldwide to respond through increasingly coordinated and publicized actions. Yet, despite the visibility of these operations, there remains no comprehensive overview, to our knowledge, on how law enforcement is addressing cybercrime globally. Publicly available information is dispersed across agencies, jurisdictions, case-specific reporting (e.g., “Operation Endgame”)[1], and reporting formats, offering fragmented insights rather than a cohesive understanding of what types of crime are being targeted, what actions are taken, and who the offenders are. This results in isolated glimpses rather than a consistent global picture. Therefore, no publicly available summary exists that we are aware of that systematically aggregates information on law enforcement actions.
To address this gap, this analysis introduces a systematically constructed dataset of 418 publicly announced law enforcement activities conducted between 2021 and mid-2025. The data was collected by Orange Cyberdefense intelligence teams, which continuously monitor and assess cyber threats to identify emerging trends and the evolution of cyber incidents.
In our dataset each entry represents a verified law enforcement action collected from official announcements and media reports, then manually enriched by the Orange Cyberdefense Security Research Center team by cross-referencing each entry to include contextual and demographic details when available.
A central focus lies on the type of law enforcement action taken, such as arrests, extraditions, takedowns of illicit platforms, seizures, or sanctions. The type of illicit activity was also documented by noting which type of activity the law enforcement action addressed, e.g., Hacking, Distributed Denial of Service (DDoS) Attack, IT Worker Fraud, or Cyber Extortion, and then translated into the actual criminal act of such attacks.
Which Criminal Acts Were Addressed?
This chart shows the top 10 criminal acts most frequently addressed by law enforcement in publicly reported operations.
The data reveals that Extortion (including ransomware) is the most addressed criminal act, followed closely by Installation or Distribution of Malicious Software (Malware) and Unauthorized Access or Intrusion (Hacking). Together, these three categories dominate the landscape and illustrate law enforcement’s continued focus on Cyber Extortion operations and the technical intrusions that enable them.
Other prominent criminal acts, including Unauthorized Access for Espionage (Cyber Espionage), Provision of Criminal Infrastructure (Dark Web Marketplace / Sites or Infrastructure and Hosting Services), and Deceptive Acquisition of Financial Assets (Fraud), suggest that authorities are also targeting the enablers and facilitators of cybercrime. While less frequent, offenses like Data/ Information Trafficking (Selling Stolen Goods (Data), Use of Cryptocurrency to Conceal or Facilitate Crime (Cryptocurrency Misuse), and Concealment of Criminal Proceeds via ICT (Money Laundering) reflect law enforcement’s increasing attention to the financial transactions and laundering mechanisms that underpin cyber operations.
Security Navigator 2026 is Here – Download Now
The newly released Security Navigator 2026 offers critical insights into current digital threats, documenting 139,373 incidents and 19,053 confirmed breaches. More than just a report, it serves as a guide to navigating a safer digital landscape.
What’s Inside?
- 📈 In-Depth Analysis: Statistics from CyberSOC, Vulnerabilitiy scanning, Pentesting, CERT, Cy-X and Ransomware observations from Dark Net surveillance.
- 🔮 Future-Ready: Equip yourself with security predictions and stories from the field.
- 🧠 Stories from security practitioners across the world.
- 👁️ Security deep-dives: Get briefed on emerging trends related to Generative AI, Operational Technology and post-quantum cryptography.
Stay one step ahead in cybersecurity. Your essential guide awaits!
While financial gain remains a central driver of cyber offenses[2,3,4], the lines between motivations have become increasingly blurred, in some cases shifting in response to geopolitical events, as we have continuously been reporting on in the past two years[5,6]. Activities initially framed as financially motivated can quickly take on political or ideological dimensions. These fluid boundaries illustrate how financial, political, and cognitive motives increasingly coexist, challenging traditional distinctions between criminal and ideological cyber activity.
What Actions Were taken by Law Enforcement?
Arrests account for the largest share (29%) of law enforcement actions, illustrating law enforcement’s continued focus on individual accountability and prosecution. Takedowns (17%) and Charges (14%) indicate a strong emphasis on disrupting operational networks and bringing offenders to justice, and together represent nearly one-third of all activity. Complementary measures such as Sentences (11%), Sanctions (7%), and Seizures (4%) show that law enforcement is addressing both criminal actors and the economic infrastructure sustaining their activities. Specifically, sanctions have shown a steady increase over recent years and reflect a growing use of non-traditional enforcement mechanisms for the inclusion of economic and diplomatic tools within the law enforcement arsenal.
Actions like investigations, wanted notices, and extraditions demonstrate cross-border cooperation and the procedural depth behind each publicized enforcement effort. Wanted notices represent a non-coercive enforcement measure focused on public identification and pursuit. They bridge the gap between investigation and arrest by facilitating cross-border coordination and sustaining pressure on suspects. Through public attribution, they also serve a deterrent function, signalling law enforcement capability and reach even when direct apprehension is not immediately possible.
If we combine the data showing the type of illicit activity addressed with the type of law enforcement action, we can see that Arrests dominate across nearly all crime types, particularly Cyber Extortion (22) and Hacking (19).
Charges and Sentences are the next most frequent responses, which demonstrates that many cases progress through the judicial process. Cyber Extortion, Malware, Hacking, and Cyber Espionage attract the most diverse range of responses (including arrests, charges, sentences, and sanctions).
Takedowns are strongly linked with Dark Web sites or marketplaces[7,8,9] and malware infrastructure[10,11,12] which makes sense given the operational logic behind such actions. These operations typically involve the coordinated dismantling of online infrastructure, such as servers, domains, or communication platforms that enable criminal activity. In the case of Dark Web Marketplaces, takedowns often include seizure of servers, arrests of administrators, and replacement of website landing pages with law enforcement banners, signalling control and deterrence. Sanctions appear primarily tied to Cyber Espionage and state-aligned operations, reflecting government-level actions rather than addressing individuals.
Who Are the Leading Institutions in Law Enforcement?
The United States’ global leadership in cyber law enforcement is demonstrated by its listing as the primary participant in nearly half of all actions (45%).
The second cluster, namely Germany, the United Kingdom, Russia, Ukraine, the Netherlands, Spain, and France, represents the core of global cyber enforcement capacity outside the U.S. Active EU member-state participation in Europol and Eurojust-facilitated operations demonstrates the Union’s emphasis on a joint, cross-border enforcement approach.
The presence of Russia and Ukraine near the top of this list is noteworthy. These states are frequently targets of global law enforcement actions but also conduct their own domestic prosecutions and counter-cybercrime operations, often involving politically sensitive cases. Entries such as International and European Countries reflect the role of multinational task forces where leadership attribution is shared. These include Europol-coordinated takedowns, Interpol operations, and Five Eyes collaborations. In some cases, law enforcement announcements did not go into detail and only described these multinational actions by European nations or International ones; whenever countries were listed on their own, they were documented as such in our data.
The distribution of participating national authorities naturally reflects the same geographic patterns observed in the country-level analysis.
A study of the top 20 institutions involved in reported law enforcement actions highlights the clear dominance of U.S. agencies. The U.S. Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) lead by a wide margin, followed by private organizations, which appear as a major supporting actor in cybercrime disruption efforts. The presence of OFAC[13] further illustrates the integration of financial and political instruments into cybercrime responses.
The strong representation of private organizations among the supporting entities is particularly noteworthy. In this dataset, private organizations rank among the top three most frequently mentioned participants. Across the 169 institutions analyzed, 74 distinct private entities were identified as supporting efforts in one way or another. This is a significant indicator of the expanding scale of public-private collaboration, which illustrates its growing importance in the fight against cybercrime.
Cybercrime Typologies Overall and Across Age Groups
The distribution across actors engaging in cybercrime activity by age group reveals notable variation in crime types across the lifespan.
It is noteworthy that some age groups are represented by very few cases, limiting possible interpretation. In our dataset (n=193 offenders with verified age data), the 35-44 age group accounts for 37%, followed by 25-34 years (30%), and 18-24 years (21%), together representing nearly 90% of all identified offenders. By contrast, younger (12-17 years) and older (55 years and above) groups each account for less than 5% of cases, making statistical analysis of those categories less meaningful. Especially in the case of 12–17-year-olds and younger, it is noteworthy that younger offenders are likely underrepresented, since minors are often shielded from prosecution and public disclosure under national legal frameworks, limiting their visibility in law enforcement reporting.
Accordingly, we will focus primarily on the three core age ranges (18-24, 25-34, and 35-44 years), where offender representation is most robust.
Among young adults (18-24 years), cyber offense appears highly diverse yet predominantly technically oriented. Hacking clearly dominates this cohort (30%), followed by Selling Stolen Goods (data) and DDoS attacks (10% each), activities that often rely on technical skill and may serve reputational or exploratory purposes rather than immediate financial gain. A secondary cluster of offenses-malware, fraud, telecom fraud, dark web marketplace activity, and cyber extortion (each 8%)-illustrates the experimental and multifaceted nature of this age group’s engagement in cybercrime.
A shift becomes evident among offenders aged 25-34, where activities such as Selling Stolen Goods (Data) (21%), Cyber Extortion (14%), and Malware deployment (12%) dominate. This may indicate a move toward profit-motivated activities among actors of this age.
The trend intensifies with the 35-44 cohort, which is the largest group in this dataset showing the highest diversities of types. Within this group, Cyber Extortion (22%) is the dominant offense, followed by Malware (19%), Cyber Espionage (13%), Hacking (10%), and Money Laundering (7%). Together, these categories account for the vast majority of activities perpetrated by this age group, potentially indicating a focus on high-impact, financially and politically significant actions.
Nationality
The nationality of the offender was disclosed in 365 cases. The dataset contains offenders from 64 distinct nationalities, suggesting a wide geographical and cultural spread. Although nationality can provide valuable insight into the geographic and sociopolitical context of offenders, it offers only a partial view in an interconnected digital landscape.
Given the transnational nature of the internet and the complex, fluid identities of actors operating across jurisdictions, nationality alone cannot reliably describe the true origin or alignment of cyber operators.
The distribution is heavily skewed toward a small number of countries. Russian nationals dominate the dataset, accounting for 85 individuals (23%), followed by American (11%), Chinese (11%), Ukrainian (9%), and North Korean (5%) offenders. Together, these five nationalities represent over half of all cases (58%). Notably, one explanation for the relatively high number of American offenders could be explained by jurisdictional and reporting bias: U.S. authorities conduct and publicly disclose far more cybercrime prosecutions than most other countries, making American cases more visible in open data.
Offenders of British nationality (n=17) also represent a notable share of contributors. The involvement of Western nations shows two things: the continuous efforts and transparency they offer, and at the same time, that cyber operations and related offenses are not confined to states typically implicated in cybercriminal activity. One explanation could be that we might be seeing a trend towards more home-grown threat actors that are based in Europe, the United Kingdom, and North America, and therefore English-speaking, as a recent article points out[14].
Beyond the top five, offenders represent many other nationalities, the Dutch, French, German, Canadian, Australian, Singaporean, and more. However, we need to note that lower numerical representation does not necessarily correspond to lower levels of activity, but may instead reflect differences in detection, exposure, or attribution.
Key Takeaways
Taken together, the findings offer a dual perspective on the fight against cybercrime that examines both the offenders and the law enforcement actors working to counter them.
On the offender side, the data highlights persistent asymmetries. The overwhelming majority of identified offenders are male, reflecting trends widely observed in cybercrime research. Age data indicate that cyber offense is concentrated among adults in their mid-20s to mid-40s, with comparatively few cases involving younger or older individuals. Offense types vary across these age ranges, with younger offenders often engaged in technical and exploratory activities like hacking and DDoS attacks, while older cohorts were more frequently involved in profit-driven or complex operations such as cyber extortion, data theft, and malware deployment.
Nationality data shows a strong concentration within a few groups, with Russian nationals alone accounting for nearly a quarter of cases. While nationality cannot fully describe the origins of cybercrime in an interconnected digital space, it provides useful insight into the sociopolitical and regional contexts in which offenders operate. The types of criminal acts most frequently prosecuted such as cyber-enabled financial crime, extortion and ransomware, and unauthorized access, suggest that most cybercriminal activities remain primarily financially motivated.
The analysis of 418 publicly reported law enforcement actions (2021-mid-2025) shows an increasingly active and diversified global law enforcement response. The U.S. Department of Justice and FBI are the most visible, joined by leading European agencies like Europol, Germany’s BKA, and authorities in the Netherlands and France. Participation from Ukraine, Russia, Australia, Singapore, Japan, and Nigeria illustrates how enforcement has become truly international. Private organizations also play a critical role: seventy-four private companies supported operations in some capacity, showing that public-private partnerships are now essential to ongoing disruption efforts.
This is just an excerpt of the coverage on current topics in cyber security. For the full story and in-depth articles on the use and abuse of Generative AI, post-quantum cryptography, Vulnerability management and Cyber Extortion as well as CyberSOC statistics and security predictions, you should check out the Security Navigator 2026! Head over to the download page and get a copy.
Note: This article was expertly written and contributed by Diana Selck-Paulsson, Senior Security Researcher at Orange Cyberdefense.
About Author
