Behind the scenes of law enforcement in cyber: what do we know about caught cybercriminals? What brought them in, where do they come from and what was their function in the crimescape?
Introduction: One view on the scattered fight against cybercrime
The growing sophistication and diversification of cybercrime have compelled law enforcement agencies worldwide to respond through increasingly coordinated and publicized actions. Yet, despite the visibility of these operations, there remains no comprehensive overview, to our knowledge, on how law enforcement is addressing cybercrime globally. Publicly available information is dispersed across agencies, jurisdictions, case-specific reporting (e.g., “Operation Endgame”)[1], and reporting formats, offering fragmented insights rather than a cohesive understanding of what types of crime are being targeted, what actions are taken, and who the offenders are. This results in isolated glimpses rather than a consistent global picture. Therefore, no publicly available summary exists that we are aware of that systematically aggregates information on law enforcement actions.
To address this gap, this analysis introduces a systematically constructed dataset of 418 publicly announced law enforcement activities conducted between 2021 and mid-2025. The data was collected by Orange Cyberdefense intelligence teams, which continuously monitor and assess cyber threats to identify emerging trends and the evolution of cyber incidents.
In our dataset each entry represents a verified law enforcement action collected from official announcements and media reports, then manually enriched by the Orange Cyberdefense Security Research Center team by cross-referencing each entry to include contextual and demographic details when available.
A central focus lies on the type of law enforcement action taken, such as arrests, extraditions, takedowns of illicit platforms, seizures, or sanctions. The type of illicit activity was also documented by noting which type of activity the law enforcement action addressed, e.g., Hacking, Distributed Denial of Service (DDoS) Attack, IT Worker Fraud, or Cyber Extortion, and then translated into the actual criminal act of such attacks.
Which Criminal Acts Were Addressed?
This chart shows the top 10 criminal acts most frequently addressed by law enforcement in publicly reported operations.
The data reveals that Extortion (including ransomware) is the most addressed criminal act, followed closely by Installation or Distribution of Malicious Software (Malware) and Unauthorized Access or Intrusion (Hacking). Together, these three categories dominate the landscape and illustrate law enforcement’s continued focus on Cyber Extortion operations and the technical intrusions that enable them.
Other prominent criminal acts, including Unauthorized Access for Espionage (Cyber Espionage), Provision of Criminal Infrastructure (Dark Web Marketplace / Sites or Infrastructure and Hosting Services), and Deceptive Acquisition of Financial Assets (Fraud), suggest that authorities are also targeting the enablers and facilitators of cybercrime. While less frequent, offenses like Data/ Information Trafficking (Selling Stolen Goods (Data), Use of Cryptocurrency to Conceal or Facilitate Crime (Cryptocurrency Misuse), and Concealment of Criminal Proceeds via ICT (Money Laundering) reflect law enforcement’s increasing attention to the financial transactions and laundering mechanisms that underpin cyber operations.
Security Navigator 2026 is Here – Download Now
The newly released Security Navigator 2026 offers critical insights into current digital threats, documenting 139,373 incidents and 19,053 confirmed breaches. More than just a report, it serves as a guide to navigating a safer digital landscape.
What’s Inside?
- 📈 In-Depth Analysis: Statistics from CyberSOC, Vulnerabilitiy scanning, Pentesting, CERT, Cy-X and Ransomware observations from Dark Net surveillance.
- 🔮 Future-Ready: Equip yourself with security predictions and stories from the field.
- 🧠 Stories from security practitioners across the world.
- 👁️ Security deep-dives: Get briefed on emerging trends related to Generative AI, Operational Technology and post-quantum cryptography.
Stay one step ahead in cybersecurity. Your essential guide awaits!
🔗 Get Your Copy Now
While financial gain remains a central driver of cyber offenses[2,3,4], the lines between motivations have become increasingly blurred, in some cases shifting in response to geopolitical events, as we have continuously been reporting on in the past two years[5,6]. Activities initially framed as financially motivated can quickly take on political or ideological dimensions. These fluid boundaries illustrate how financial, political, and cognitive motives increasingly coexist, challenging traditional distinctions between criminal and ideological cyber activity.
What Actions Were taken by Law Enforcement?
Arrests account for the largest share (29%) of law enforcement actions, illustrating law enforcement’s continued focus on individual accountability and prosecution. Takedowns (17%) and Charges (14%) indicate a strong emphasis on disrupting operational networks and bringing offenders to justice, and together represent nearly one-third of all activity. Complementary measures such as Sentences (11%), Sanctions (7%), and Seizures (4%) show that law enforcement is addressing both criminal actors and the economic infrastructure sustaining their activities. Specifically, sanctions have shown a steady increase over recent years and reflect a growing use of non-traditional enforcement mechanisms for the inclusion of economic and diplomatic tools within the law enforcement arsenal.
Actions like investigations, wanted notices, and extraditions demonstrate cross-border cooperation and the procedural depth behind each publicized enforcement effort. Wanted notices represent a non-coercive enforcement measure focused on public identification and pursuit. They bridge the gap between investigation and arrest by facilitating cross-border coordination and sustaining pressure on suspects. Through public attribution, they also serve a deterrent function, signalling law enforcement capability and reach even when direct apprehension is not immediately possible.
If we combine the data showing the type of illicit activity addressed with the type of law enforcement action, we can see that Arrests dominate across nearly all crime types, particularly Cyber Extortion (22) and Hacking (19).
Charges and Sentences are the next most frequent responses, which demonstrates that many cases progress through the judicial process. Cyber Extortion, Malware, Hacking, and Cyber Espionage attract the most diverse range of responses (including arrests, charges, sentences, and sanctions).
Takedowns are strongly linked with Dark Web sites or marketplaces[7,8,9] and malware infrastructure[10,11,12] which makes sense given the operational logic behind such actions. These operations typically involve the coordinated dismantling of online infrastructure, such as servers, domains, or communication platforms that enable criminal activity. In the case of Dark Web Marketplaces, takedowns often include seizure of servers, arrests of administrators, and replacement of website landing pages with law enforcement banners, signalling control and deterrence.
