To Catch a Cybercriminal -- and the Fallout That Follows

How does law enforcement identify the people behind cybercrimes, and what happens afterward?

Carrie Pallardy, Contributing Reporter

April 25, 2024

13 Min Read
Special Cybersecurity Forces Soldier Arrests and Handcuffs Highly Dangerous Hacker. Hideout is Dark and Full of Computer Equipment.
Aleksei Gorodenkov / Alamy Stock Photo

The people behind cyberattacks are usually faceless, bearing only the names of the groups they represent. Even when law enforcement disrupts a threat actor's activity, the people behind it are often left to regroup and continue. The annual global cost of cybercrime is estimated to reach $10.5 trillion dollars in 2025, according to Cybercrime Magazine. Yet, the rate of prosecution for cybercrimes is as low as 0.05%, according to the World Economic Forum’s The Global Risks Report 2020.  

The majority of threat actors operating in the shadowy world of cybercrime evade identification and capture, but arrests have been made. People have gone to trial and been sentenced.  

Five cybersecurity experts spoke to InformationWeek about the process of putting a name to cyber threat actors, how law enforcement agencies can take action, and what life can look like for people after they have been identified.  

Identifying Individuals 

Putting a name to a cybercrime is often a painstaking process that requires technical tools, forensic analysis, and patience. “It's a constant cat and mouse effort of trying to follow these bread crumbs and seemingly dead ends … sometimes you have to wait and wait for a mistake or another victim, multiple victims to help you [put] this mosaic together,” Michael McPherson, senior vice president of security operations at cybersecurity company ReliaQuest and former Special Agent in Charge of the FBI’s Tampa Field Office, tells InformationWeek.  

Related:Multinational Op Takes Down a Cybercriminal Botnet Infrastructure

Threat actors obfuscate their digital tracks, but mistakes happen, whether technical or human.  

John Fokker, principal engineer and head of threat intelligence at threat detection and response company Trellix and a former member of the Dutch National High-Tech Crime Unit, was involved in takedown operations of the REvil ransomware gang and criminal marketplace Genesis Market.  

Fokker shares how his team studied a piece of REvil malware and connected with a disgruntled cybercriminal who hadn’t been paid. “We uncovered the accounting mechanism of this ransomware gang,” he explains. “We [saw], ‘Hey, this number occurs quite often.’ So, we know which affiliate was most active. We shared this this information, and we blogged about this.” 

Those published findings caught the attention of a cybercriminal who hadn’t been paid by the identified individual. He reached out to Fokker’s team and started talking.  

“Who calls the shots? What's the structure like? Who makes decisions? How does the decryption work? How do you log into the panel? All these open-ended questions, and he was very forthcoming. He gave a lot of information,” says Fokker.  

Related:Cybersecurity Must Focus on the Goals of Criminals

Players from REvil and Gensis Market were arrested as part of the two disruption campaigns.  

Operations like this demonstrate the importance of collaboration between law enforcement and the private sector. Private sector companies can help gather the evidence that law enforcement agencies will use to build a case against threat actors.  

“Always have the end in mind,” says Theresa Payton, CEO and founder of Fortalice Solutions, a cybersecurity consulting company, and former CIO of the White House. “So, if you believe you are experiencing some type of a cybersecurity incident, the best thing to do is to have a playbook for how you will not only be recoverable and resilient, but also how will you log and collect your information.” 

It is up to law enforcement to actually make arrests once individuals have been identified, but it is difficult to do that if private organizations don’t have collaborative relationships with these agencies.  

When McPherson led the FBI’s Tampa Field Office, his team was involved in investigating the Hive ransomware gang. 

“If you talk about in the aftermath of Hive, we can look at the number of victims that were hit by working backwards, and we know how many reported it. You're talking maybe 20, 25% of victims are actually engaging with law enforcement saying ‘I'm [a] victim,’” he says. “So, it's pretty hard to fight an adversary when 75% of the time you're not even in the fight.” 

Related:Cybercriminals Propagate Tax Scams: Ways to Spot and Combat Them

Making Arrests 

Once an individual is clearly linked to a cybercrime, how does law enforcement act? The answer will depend on jurisdiction. And in the case of cyber threat actors, that is often complicated. 

“Look at cybercrime. It's borderless,” says Erik Avakian, technical counselor at Info-Tech Research Group, an IT research company, and former CISO for the Commonwealth of Pennsylvania. Cybercriminals target victims all over the world, which means law enforcement agencies are often faced with the prospect of negotiating extradition.  

Though complicated, extradition does happen. In February 2024, a Ukrainian man, Vyacheslav Igorevich Penchukov, pled guilty in US federal court to charges relating to his role in two cyberattacks, according to The New York Times. He was arrested in Switzerland in 2022, followed by extradition to the US in 2023.  

But countries such as Russia and China do not have extradition treaties with the US. “That's why a lot of these folks operate in countries and in locations around the world where it's a lot tougher to do … extradition or any type of prosecution,” Avakian points out.  

When cybercriminals cannot be arrested, law enforcement agencies may take a “name and shame” approach. In March, the Justice Department named and indicted seven hackers linked to a People’s Republic of China (PRC)-backed hacking group.  

By indicting individuals outside of their reach, law enforcement restricts these individuals’ ability to travel. If they ever travel to a country that does have an extradition treaty with the US, they could be arrested.  

“Law enforcement has a long memory. So, if they cannot arrest somebody immediately now [they have] no problem [waiting] until they have an opportunity, and they seize it,” says Fokker.  

ArrestedHacker_VictoriaGnatiuk-AlamyStockPhoto.jpg

Going to Trial 

The legal proceedings following an arrest can include arraignments, bail hearings, trials, and sentencing hearings. Whether a cybercriminal actually faces a trial will depend.  

“It really just depends on the case, the jurisdiction, the extent of the damages and the ties the operative has. Are they a lone wolf? Are they tied to cybercriminal syndicates or nation state syndicates?” says Payton.  

It is possible that individuals arrested for cybercrimes will plead guilty, meaning there will be no lengthy trial. Yaroslav Vasinskyi, a Ukrainian national, was charged for his involvement in ransomware attacks, including the attack on IT software company Kaseya. He was arrested in Poland and extradited to the US where he ultimately pled guilty.  

“He got extradited to the US, and he confessed,” says Fokker. “So, there was no large trial.”  

Sentencing 

While cybercrime has been happening for decades, it is relatively new for the legal system. “Many judges have cases coming before them on topics they didn’t study in law school, and they are just building their body of knowledge and experience,” Payton points out.  

Payton was involved in the investigation of an insider threat; an individual was stealing secrets from his employer and passing them on to handlers in China. “When the FBI had enough cause to do a search … on his house, it was determined at that time that his previous employers were also victims of [this] insider threat,” she shares.  

Only one victim company was willing to be involved in the investigation. Ultimately, the individual charged served five years. The judge found it difficult to determine an economic value for the victim company’s losses.  

“We were really hoping … that the judge would be able to find a way to have a longer sentencing to send a message,” says Payton.  

McPherson points out that cybercrime is often treated as “white collar crime.” But as cyberattacks continue to ramp up against critical infrastructure, sentencing for the individuals arrested and charged could become harsher. 

“It's not just some people hacking in, stealing some money. It's devastating effects to healthcare organizations, for example, or critical infrastructure,” says McPherson. “You will start seeing enhanced sentencing beyond what you would see in some three-year, five-year sentences on … a white-collar action.”  

Penchukov, the Ukrainian man who recently pled guilty to cybercrime charges, was involved in a ransomware attack that hit a hospital in Vermont in 2020, disrupting its operations and causing millions in losses, according to The New York Times. His sentencing is set for May 9, and he could get up to 20 years in prison for each count he faces, according to the report.  

Long sentences like this are not without precedent. Albert Gonzalez was arrested for hacking and identity theft. In 2010, he was sentenced to 20 years and one day in prison. Gonzalez (inmate number: 25702-050) was released in 2023, according to the Federal Bureau of Prisons.  

Prison time is a potential element of sentencing, but individuals charged with cybercrimes may also find themselves subject to monitoring and restrictions. “You may find yourself banned from actually being able to use technology without monitoring and surveillance, or perhaps at all,” says Payton.  

Sentencing for cybercrimes could also be impacted by plea bargains. An individual may have valuable information about a cybercriminal group or network that could be exchanged for a shorter sentence.  

Getting the Law Up to Speed 

Law enforcement is making progress. “You're starting to see infiltrating networks, sitting on networks for a month at a time, getting decrypting keys, pushing them off, identifying people, arrests are starting to, I'd say, pick up slowly,” says McPherson.  

But there are still many challenges along the road to prosecution. One issue is the cost of collecting evidence, according to Payton. “Much of the technology deployed as cybersecurity solutions focuses on alerting, detection, remediation, but it really doesn't focus on collection of evidence to even go to law enforcement or to court,” she explains.  

Without evidence, law enforcement cannot build a compelling case against threat actors. “Forensic analysis is so important, because it really has to be [a] clean chain of custody, everything to show that this is definitely what it is,” says Avakian.  

When cases do make it in front of a judge, the legal system may struggle to keep up with the technology involved in the crime. “Legal systems must adapt. We need a dynamic legal framework because the technology is ever-changing,” says Payton.  

Payton points to the value of increased global cooperation in the fight against cybercrime. “If we can’t do a better job with finding these people, extraditing them, prosecuting them, and keeping them in jail, let's pivot and go find them where they are and let's take them out of business,” she says.  

International operations disrupting big players in the cybercrime space have been gaining steam. In October 2023, a coordinated effort hit the Ragnar Locker ransomware group. In December 2023, the FBI was able to offer more than 500 ALPHV/Blackcat ransomware victims a decryption tool as part of a disruption campaign. At the beginning of this year, 11 countries worked together on Operation Cronos, disrupting LockBit. This operation led to the arrest of two threat actors, located in Poland and Ukraine. 

Dismantling a cybercrime group’s infrastructure or disrupting its operations is a victory but likely a temporary one. Operations that involve seizing assets and people are more effective. “Anytime you can grab money or people, that is the real impact of doing an operation,” says McPherson.  

Looking at Life After Cybercrime 

What happens to people after they serve their sentences for cybercrime? Some people may pick up where they left off. “I’ve personally had some cases in the Netherlands where we've arrested somebody and then later on they were reoffenders,” says Fokker.  

There are also many examples of people arrested for cybercrimes who have decided to redirect their talents and employ them for the benefit of the cybersecurity community. Kevin Mitnick is one well-known example of a hacker-turned-cybersecurity consultant.  

Marc Maiffret, CTO of BeyondTrust, an identity and access security company, started hacking as a teenager, an escape from a chaotic home life.  

“When I first got introduced through some friends from school through kind of like older phone freaking and the … early days of hacking, that was something that I really dove into because it was not only this kind of place to explore, but [it brought] some sense of control back into my life,” he tells InformationWeek.  

He found some like-minded friends in the hacking group Rhino9. His activities caught the attention of the FBI, which raided his home when he was about 17 years old. He woke to find agents in his room. 

“My neighbors described it as various cars and vans pulling up and people scaling the exterior fences and full on like something out of a movie,” Maiffret shares. “It was the literal and figurative kind of wake-up call for me.”  

After that experience, he and a friend, Firas Bushnaq, founded eEye Digital Security. During the first two years of building that company, Maiffret was unsure if he would be charged with any crimes. He did not profit from his hacking, but it had been disruptive. He eventually received a call from the FBI’s lead investigator who informed him that his case would be closed without any charges.  

“It was kind of a crazy thing to go from just the few years prior, [a] teenager up to no good, getting raided to a few years later, presenting at places like the NSA, having the DoD select my company’s software to be used on every DoD system in the world,” he shares.  

Maiffret’s story illustrates how skills that can be used in cybercrime can be put to work in a different way. During his teenage years, there were few legitimate outlets to explore hacking. But today that is different.  

“These days, there're so many different [options], like online capture the flag competitions,” he says. Vulnerability research is a highly sought after skill, and many enterprises have bug bounty programs. The concept of a “white hat” or ethical hacker is well known today. He hopes younger people who turn to hacking as an escape, like he did, will find these legitimate outlets.  

Hacking and other cybercrimes are fueled by many different motivations: financial, political, curiosity. Once someone has been caught and serves their sentence -- whether it be prison time, victim restitution, community service, monitoring, or some combination -- how can life look different? 

“We should have a conversation around rehabilitation for digital crimes,” says Payton. “How do we take their gifts and talents and rehabilitate them in a way that they have a propensity to want to protect and defend others and leverage those skill sets in a way that has a positive impact not only on everybody else's lives, but also on their own, personally?”

About the Author

Carrie Pallardy

Contributing Reporter

Carrie Pallardy is a freelance writer and editor living in Chicago. She writes and edits in a variety of industries including cybersecurity, healthcare, and personal finance.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights