Hacked Honors: Uncovering the Digital Dirt – The Cyber Chronicle

Behind the scenes of law enforcement in cyber: what do we know about caught cybercriminals? What brought them in, where do they come from and what was their function in the crimescape?

Introduction: One view on the scattered fight against cybercrime

The growing sophistication and diversification of cybercrime have compelled law enforcement agencies worldwide to respond through increasingly coordinated and publicized actions. Yet, despite the visibility of these operations, there remains, to our knowledge, no comprehensive overview of how law enforcement is addressing cybercrime globally. Publicly available information is dispersed across agencies, jurisdictions, case-specific reporting (e.g., “Operation Endgame”)[1], and reporting formats, offering fragmented insights rather than a cohesive understanding of what types of crime are being targeted, what actions are taken, and who the offenders are. This results in isolated glimpses rather than a consistent global picture: we are not aware of any publicly available summary that systematically aggregates information on law enforcement actions.

To address this gap, this analysis introduces a systematically constructed dataset of 418 publicly announced law enforcement activities conducted between 2021 and mid-2025. The data was collected by Orange Cyberdefense intelligence teams, which continuously monitor and assess cyber threats to identify emerging trends and the evolution of cyber incidents.

In our dataset each entry represents a verified law enforcement action collected from official announcements and media reports, then manually enriched by the Orange Cyberdefense Security Research Center team by cross-referencing each entry to include contextual and demographic details when available.

A central focus lies on the type of law enforcement action taken, such as arrests, extraditions, takedowns of illicit platforms, seizures, or sanctions. The type of illicit activity was also documented by noting which type of activity the law enforcement action addressed, e.g., Hacking, Distributed Denial of Service (DDoS) Attack, IT Worker Fraud, or Cyber Extortion, and then translated into the actual criminal act of such attacks.

Which Criminal Acts Were Addressed?

This chart shows the top 10 criminal acts most frequently addressed by law enforcement in publicly reported operations.

The data reveals that Extortion (including ransomware) is the most addressed criminal act, followed closely by Installation or Distribution of Malicious Software (Malware) and Unauthorized Access or Intrusion (Hacking). Together, these three categories dominate the landscape and illustrate law enforcement’s continued focus on Cyber Extortion operations and the technical intrusions that enable them.

Other prominent criminal acts, including Unauthorized Access for Espionage (Cyber Espionage), Provision of Criminal Infrastructure (Dark Web Marketplace / Sites or Infrastructure and Hosting Services), and Deceptive Acquisition of Financial Assets (Fraud), suggest that authorities are also targeting the enablers and facilitators of cybercrime. While less frequent, offenses like Data/Information Trafficking (Selling Stolen Goods (Data)), Use of Cryptocurrency to Conceal or Facilitate Crime (Cryptocurrency Misuse), and Concealment of Criminal Proceeds via ICT (Money Laundering) reflect law enforcement’s increasing attention to the financial transactions and laundering mechanisms that underpin cyber operations.

Security Navigator 2026 is Here – Download Now

The newly released Security Navigator 2026 offers critical insights into current digital threats, documenting 139,373 incidents and 19,053 confirmed breaches. More than just a report, it serves as a guide to navigating a safer digital landscape.

What’s Inside?

  • 📈 In-Depth Analysis: Statistics from CyberSOC, Vulnerability scanning, Pentesting, CERT, Cy-X and Ransomware observations from Dark Net surveillance.
  • 🔮 Future-Ready: Equip yourself with security predictions and stories from the field.
  • 🧠 Stories from security practitioners across the world.
  • 👁️ Security deep-dives: Get briefed on emerging trends related to Generative AI, Operational Technology and post-quantum cryptography.

Stay one step ahead in cybersecurity. Your essential guide awaits!

While financial gain remains a central driver of cyber offenses[2,3,4], the lines between motivations have become increasingly blurred, in some cases shifting in response to geopolitical events, as we have continuously been reporting on in the past two years[5,6]. Activities initially framed as financially motivated can quickly take on political or ideological dimensions. These fluid boundaries illustrate how financial, political, and cognitive motives increasingly coexist, challenging traditional distinctions between criminal and ideological cyber activity.

What Actions Were Taken by Law Enforcement?

Arrests account for the largest share (29%) of law enforcement actions, illustrating law enforcement’s continued focus on individual accountability and prosecution. Takedowns (17%) and Charges (14%) indicate a strong emphasis on disrupting operational networks and bringing offenders to justice, and together represent nearly one-third of all activity. Complementary measures such as Sentences (11%), Sanctions (7%), and Seizures (4%) show that law enforcement is addressing both criminal actors and the economic infrastructure sustaining their activities. Sanctions in particular have shown a steady increase over recent years, reflecting a growing use of non-traditional enforcement mechanisms that bring economic and diplomatic tools into the law enforcement arsenal.

Actions like investigations, wanted notices, and extraditions demonstrate cross-border cooperation and the procedural depth behind each publicized enforcement effort. Wanted notices represent a non-coercive enforcement measure focused on public identification and pursuit. They bridge the gap between investigation and arrest by facilitating cross-border coordination and sustaining pressure on suspects. Through public attribution, they also serve a deterrent function, signalling law enforcement capability and reach even when direct apprehension is not immediately possible.

If we combine the data showing the type of illicit activity addressed with the type of law enforcement action, we can see that Arrests dominate across nearly all crime types, particularly Cyber Extortion (22) and Hacking (19).

Charges and Sentences are the next most frequent responses, which demonstrates that many cases progress through the judicial process. Cyber Extortion, Malware, Hacking, and Cyber Espionage attract the most diverse range of responses (including arrests, charges, sentences, and sanctions).

Takedowns are strongly linked with Dark Web sites or marketplaces[7,8,9] and malware infrastructure[10,11,12], which makes sense given the operational logic behind such actions. These operations typically involve the coordinated dismantling of online infrastructure, such as servers, domains, or communication platforms that enable criminal activity. In the case of Dark Web Marketplaces, takedowns often include seizure of servers, arrests of administrators, and replacement of website landing pages with law enforcement banners, signalling control and deterrence.

Sanctions primarily target Cyber Espionage and state-aligned operations at the government level, rather than individuals. The United States leads in global cyber law enforcement, followed by Germany, the United Kingdom, Russia, Ukraine, the Netherlands, Spain, and France. Private organizations also play a significant role in supporting cybercrime disruption efforts. Offenders in cybercrime activities are predominantly in the age groups of 18-24, 25-34, and 35-44, with varying crime types across these age ranges. Russian, American, Chinese, Ukrainian, and North Korean nationals are the most common offenders, with British nationals also being notable contributors. Other Western nations are also involved in cyber operations, indicating a trend towards more home-grown threat actors in Europe and North America. When considering lower numerical representations, it is important to acknowledge that they may not necessarily indicate lower levels of activity. Instead, they could be attributed to differences in detection, exposure, or attribution.

In summary, the research provides a comprehensive view of the ongoing battle against cybercrime, focusing on both the perpetrators and the efforts of law enforcement agencies to combat them.

Regarding the offenders, the data reveals consistent disparities. The majority of identified offenders are male, aligning with common trends in cybercrime studies. Age-wise, cyber offenses are most prevalent among adults in their mid-20s to mid-40s, with fewer cases involving younger or older individuals. Offense types vary across age groups, with younger offenders often participating in technical activities like hacking and DDoS attacks, while older individuals are more involved in profit-driven operations such as cyber extortion and data theft.

Nationality data indicates a concentration within specific groups, with Russian nationals comprising a significant portion of cases. Although nationality alone cannot fully explain the origins of cybercrime, it provides valuable insights into the socio-political and regional contexts in which offenders operate. The most commonly prosecuted criminal acts, including cyber-enabled financial crime, extortion, ransomware, and unauthorized access, suggest that financial motives drive the majority of cybercriminal activities.

Analysis of 418 publicly reported law enforcement actions from 2021 to mid-2025 demonstrates a growing and diverse global response from law enforcement agencies. Key players include the U.S. Department of Justice, FBI, Europol, Germany’s BKA, and authorities in the Netherlands and France. Collaboration from countries like Ukraine, Russia, Australia, Singapore, Japan, and Nigeria highlights the international nature of enforcement efforts. The involvement of seventy-four private companies underscores the importance of public-private partnerships in disrupting cybercrime activities.

For more in-depth coverage on current cybersecurity topics, including Generative AI, post-quantum cryptography, Vulnerability management, Cyber Extortion, CyberSOC statistics, and security predictions, consider reading the Security Navigator 2026. To access the full article and detailed insights, visit the download page.

Please note that this article was expertly written by Diana Selck-Paulsson, a Senior Security Researcher at Orange Cyberdefense.

This contributed piece is from one of our esteemed partners.