Most wanted hackers hide in plain sight – and there's nothing police can do


When we think of hackers, we usually picture shadowy figures operating beyond the reach of law enforcement agencies. The moment agencies get a whiff of who and where they are, they vanish into the shadows again.

It’s not always like this, however. For instance, in 2021, American and European authorities were able to snare the REvil ransomware group that had plundered hundreds of millions from organizations around the world. The effort was a rare example of transatlantic cooperation that showed what could be possible.

Unfortunately, such successes are all too infrequent. For every hacker that is caught, dozens operate with impunity. This isn’t so much because of any technical mastery on their part, but rather because of institutional friction, jurisdictional fog, and the curious economics of attribution.

Of course, that’s not to say that the popular image of hackers doesn’t have a grain of truth to it. They are usually extremely technically proficient and use these skills to mask their activity, whether via virtual private networks, browsers such as Tor, encrypted comms channels, or cryptocurrency to launder the proceeds.

Hacker VPN. Image by Cybernews.

It’s all designed to be untraceable. But security researchers have long argued that it is not the technical barriers that make hackers hard to catch. Instead, it’s the political and legal barriers.

The attribution problem

When we try to prosecute someone for a crime, we need to be able to attribute that criminal activity to a specific individual. We can’t prosecute a nation-state or a criminal syndicate. People can easily spoof their IP address. They can easily reuse malware. They can easily plant misleading digital fingerprints to distract law enforcement.

It’s a problem that Thomas Rid and Ben Buchanan refer to as the “attribution problem.” They argued that achieving public attribution with any confidence is usually a political challenge rather than a technical one, and is shaped by intelligence sources that governments are often reluctant to bring to the surface and compromise.

Judge's gavel on a laptop in a futuristic background. Internet Justice. Aitor Diago/Getty

Prosecuting individuals is extremely difficult, even when suspects can be confidently identified. Modern cybercrime is an international affair, with many hackers operating from countries that neither the United States nor the European Union has extradition treaties with.

Russia is the most obvious example, but the same is also true of China. These authorities have typically protected domestic cybercriminals, so long as their targets remain overseas rather than local.

A bleak story

Putting numbers to the prosecution of cybercrime is notoriously difficult, but the data that does exist paints a sobering story. For instance, in 2023, the FBI's Internet Crime Complaint Center (IC3) received over 880,000 complaints, which collectively reported losses of over $12.5 billion. A minuscule fraction of these complaints was ever prosecuted.

This was further reinforced by research from Microsoft, which showed that the potential cost of committing cybercrime, including the likelihood of being both found and prosecuted, was incredibly low compared to the potential rewards. If we’re expecting cybercriminals to be rational and be deterred by the possible consequences, then the current state of affairs is laughably ineffective.


Law enforcement agencies have responded by prioritizing the ecosystems that support cybercriminals rather than the individuals themselves. This includes the hosting providers, cryptocurrency platforms, and the dark web marketplaces. These operations aim to raise the cost of committing cybercrime, in the belief that this will do more good than targeting isolated actors.

A good example of this was the seizure of Hydra Market, a Russian darknet marketplace, by German authorities in 2022 in an operation that disrupted billions of illegal transactions. The problem is that, as with the original Hydra in Greek mythology, a successor soon emerged.

Even cooperation has limits

The effectiveness of international cooperation has improved significantly in recent years. It was only a few decades ago that national cybercrime units would barely communicate with their peers elsewhere. This began to change in 2013 with the launch of Europol's European Cybercrime Centre (EC3), which has successfully coordinated dozens of takedowns.

There is also a legal framework for the sharing of evidence across borders in the Budapest Convention on Cybercrime. The 68 signatories provide a significant signal of intent, but it’s noticeable that the likes of China and Russia remain absent.

This fissure means that catching hackers is not so much a technical challenge as it is a geopolitical one. Cybercriminals are often caught because they make mistakes rather than because of any excellence on the part of law enforcement agencies.

Evgeny Bogachev, alleged creator of the GameOver Zeus botnet and on the FBI's most wanted list since 2014, reportedly vacations in plain sight on the Black Sea coast. He is out of reach, not because he cannot be identified, but because he cannot be touched.

In the early days of the internet, many commentators argued that it would see the erosion of the laws of geopolitics. As Harvard’s Lawrence Lessig famously rebutted, however, in reality, it has merely relocated the frontier.
