New research from over 400 law enforcement bodies reveals a boring truth: cybercrime is dominated by middle-aged offenders, not teenagers. The report also shows how reliant the world has become on US law enforcement.
Everyone loves a young protagonist — especially when it comes to cybercrime. The lone teen in their bedroom trope has persisted since the 80s, with movies like WarGames and Hackers.
But while threat research and books charting the profiles of criminal groups such as ScatteredSpider have uncovered valuable datasets about so-called Advanced Persistent Teenagers (APTs) and their motivations, this may be skewing our perception of who the criminals actually are.
New data compiled by Orange Cyberdefense, as part of its Security Navigator 2026 threat landscape analysis, shows that cybercrime is largely driven by experienced adults, often in their thirties and forties, rather than the teenagers who typically dominate headlines.
Orange’s dataset catalogues 418 publicly announced law-enforcement cases between 2021 and mid-2025, which, it claims, is the first structured attempt to aggregate such actions internationally.
The dataset shows that offenders aged between 35 and 44 represent the single largest group worldwide, accounting for 37% of identified individuals.
Another 30% of offenders fall into the 25 to 34 bracket. Teenagers and older adults, by contrast, make up fewer than 5% each.
This chapter of the research, compiled by senior threat researcher Diana Selck-Paulsson, suggests that cybercrime has a very different developmental trajectory from traditional offending, with practitioners accumulating the technical capability, operational discipline and criminal networks required to sustain activity well into midlife.
The behavior of these age groups also differs sharply. Younger adults (18–24) tend to commit technically expressive offenses such as hacking, DDoS or small-scale data theft, often driven by curiosity or reputation. By their mid-twenties, financial motives begin to dominate.
The 35-to-44 cohort then emerges as the most strategically impactful: their involvement centres on cyber extortion, malware development, cyber espionage and money laundering.
Orange notes that offenders in this bracket know full well what they are doing, and their motives are financial.
“The prevalence of middle-aged offenders indicates a form of criminal engagement that is deliberate and cognitively informed, rather than impulsive or situational"
Orange Cyberdefence
The report does confirm one long-held assumption, which is backed up by the stats: most publicly identified offenders — 90% — are male. However, some researchers Cybernews has spoken with recently say that this is another trope that needs to be challenged — or at least explored with more nuance.
Who are the most prolific cybercriminals and where are they based?
Data relating to the nationality of cybercriminals reflects geopolitical fault lines: 23% are Russian, followed by Americans and Chinese at around 11% each, Ukrainians at 9% and North Koreans at 5%.
Orange notes that the higher transparency in the US may inflate its apparent share.
This demographic landscape aligns closely with the cyber extortion ecosystem, which is continuing to expand. Between October 2024 and September 2025, Orange documented over 6,000 victims of cyber extortion, which was linked to 90 groups – a year-on-year increase of almost 45%.
Qilin retains its title as one of the most active cybercriminal threats globally. Orange has linked this prominent Russia-linked ransomware-as-a-service group to 600 victims over the last year, a dramatic 324% rise from the previous period.
The gang’s targeting pattern focuses heavily on small and medium-sized businesses – 221 small, 192 medium, 151 large – reflecting what Orange describes as a “mid-tier” strategy: firms large enough to pay but insufficiently resourced to withstand sophisticated intrusions.
Russian-speaking Akira follows next with 550 victims, up 168% on last year, with a similar small-to-medium business-heavy footprint.
Cl0p, long associated with mass exploitation, caused 473 victims. One of its campaigns, exploiting a vulnerability in Cleo file-transfer software, accounted for 18% of all cyber extortion victims in Q1 alone.
Because mass exploitation opportunities are few and far between, Orange's head of security research, Charl van der Walt, notes that this gang goes into a kind of hibernation until it has a useful vulnerability to exploit.
“It then runs a campaign with significant impact before withdrawing again. This does appear to be happening more frequently. The model makes sense if an actor can obtain a suitable exploit.”
The world’s most targeted nations
Ransomhub – whose activities has reportedly ceased after a hostile "takeover" by the DragonForce cartel in early April 2025 – recorded 471 victims, while Play reached 407 and also skewed toward medium-sized companies.
Geographically, the pressure is uneven. North America had 3,780 victims – a 56% increase since last year, keeping it the most targeted region in the world.
In Europe, Germany saw the steepest growth at 58%, with 230 victims, followed by Italy (141) and France (129). The UK ran counter to the trend with a 13% decline.
The techniques enabling these attacks remain consistent: phishing and spear-phishing, credential reuse and exploitation of vulnerabilities, including in security appliances such as VPNs and firewalls.
Global dependency on US law enforcement
Not only is the US the most targeted country, but it is also the biggest patroller of cybercriminals when it comes to law enforcement. The nation is involved in 45% of all recorded disruption actions, vastly outpacing any other jurisdiction.
By institution, the US Department of Justice (DOJ) appears in roughly 16% of cases and the FBI in 12%. German authorities contribute nearly 7% of recorded actions, Europol around 5% and UK bodies about 3%.
Private-sector participation accounts for around 12% reflecting the degree to which cybercrime disruption is becoming a shared responsibility across state and industry boundaries.
Orange says reliance on the US extends beyond law enforcement into vulnerability management, infrastructure visibility and platform-level telemetry.
While European initiatives such as the European Vulnerability Database indicate movement toward greater autonomy, the capabilities gap remains wide.
As Orange’s van der Walt notes, a shift in US political priorities or resource allocation could have a disproportionately global impact, reducing both visibility and disruptive capacity for other regions.
“A meaningful reprioritization would represent a significant setback for cybersecurity efforts everywhere, and send absolutely the wrong signals to both state and criminal threat actors,” he warns.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked