The prosecution gap: Why cybercrimes go unpunished
Sean Michael Kerner · 2026-06-11 · via Search Security Resources and Information from TechTarget

Are cybercriminals simply acting with impunity? It sometimes feels like it. Learn what defenders need to know and what investigators are doing about it.

Cybercrime activity is rapidly escalating as attackers continue to explore both established and novel methods to defraud victims of their assets. The "FBI Internet Crime Report 2025" logged more than one million cybercrime complaints for the first time in the agency's history, with reported losses reaching $20.87 billion, a 26% year-over-year increase.

Yet the enforcement record against those criminals is thin. The U.S. Sentencing Commission's September 2024 report, "Cyber Technology in Federal Crime," the most current government analysis available, found that between 2014 and 2021, only 2,590 individuals were federally sentenced for offenses involving hacking, cryptocurrency or dark-web activity.

For CISOs and security teams, that gap has direct implications for how risk is modeled and where defensive investment should be allocated.

Why most attacks go unpunished

Attackers are well aware of the low rates of prosecution and routinely factor that into how they operate.

"Much of the decision-making around who they target and how is based on whether prosecution would be difficult," said Ken Bagnall, CEO of cyberdefense company Silent Push. "How they set up and manage the attack also goes through that thought process, as it's possible to host infrastructure across noncolluding jurisdictions and make it harder for everyone trying to take down the malicious infrastructure."

Bagnall, whose firm works alongside the FBI, Treasury Department and Europol, called the practice "infrastructure laundering." Russia-aligned groups, he noted, commonly target Western victims to exploit the resulting jurisdictional gap.

The structural barriers to prosecution compound the picture. The U.S. has no extradition treaty with dozens of countries, including Russia and China, and mutual legal assistance requests frequently run too slowly to preserve volatile digital evidence.

"Law enforcement agencies struggled to keep up, hampered by jurisdictional boundaries, global geolocations and the challenges of establishing reliable digital evidence for prosecution," said Morey Haber, chief security advisor at identity security firm BeyondTrust. "What one nation considers state-sponsored cybercrime, another might view as a legitimate revenue stream for a foreign government."

Technical sophistication and operations

Operational aspects also make it difficult to track down and punish cybercriminals. Malware-as-a-service platforms let affiliates with limited technical skills run sophisticated attacks that are difficult to attribute and prosecute. Additionally, when law enforcement takes down a major group, affiliates often move to alternative methods or start new operations. Breachsense's annual ransomware report identified 138 distinct ransomware groups claiming victims in 2025, up from 98 in 2024.

Attackers are also using private forums and enhanced encryption to avoid detection. Europol's "Internet Organised Crime Threat Assessment 2026" documented how criminal markets have migrated from dark web forums to end-to-end encrypted platforms. Each takedown produces successor infrastructure within weeks. The same report identified persistent legal gaps -- for example, the absence of mandatory data retention requirements in many jurisdictions can result in evidence disappearing before investigators can act. Another gap is weak know-your-customer enforcement at peer-to-peer crypto exchanges, enabling funds to move without traceable identities.

Tracing ransomware proceeds back to the people behind them is no easier. TRM Labs' "2026 Crypto Crime Report" documented widespread cross-chain laundering, in which funds are hopped between blockchains specifically to frustrate blockchain analytics.

AI has also lowered the skill threshold for launching effective phishing campaigns. KnowBe4's 2026 "Phishing Threat Trends Report" confirmed AI-generated elements in 85.76% of phishing emails, creating more convincing messages that lack the grammar and spelling errors that historically helped recipients easily identify malicious messages.

Defender shortfall

Another reason many attacks go unpunished is the cybersecurity skills shortage. The "ISC2 Cybersecurity Workforce Study 2025" found that 88% of respondents had experienced at least one significant security consequence from a skills shortage. The investigator pipeline at law enforcement agencies is under comparable pressure. As a result, victim organizations often lack the forensic records needed to support a prosecution.

"The less-discussed gap is operational readiness on the side of the defender. Many organizations just aren't prepared to preserve the forensic evidence needed to support attribution or prosecution," said Dana Simberkoff, chief risk, privacy and information security officer at data security company AvePoint. "Strong logging, retention and data protection are needed to determine accountability for the attack."

Attribution is also key to prosecution -- and one of the reasons attackers work so hard to remain anonymous.

"Once a cybercriminal group is identified, named and a country is associated with the source of the attack, law enforcement gains the potential to catch up, and time may be ticking for the threat actors," Haber said. "Therefore, cybercrime syndicates strive to retain anonymity for the sheer purpose of operating in the dark."

The prosecution track record

When attackers are identified and the evidence is sufficient, law enforcement does prosecute. Every significant cybercrime conviction of recent years has one thing in common: the defendant was within reach of U.S. courts, either already on U.S. soil or in a country that honored a U.S. extradition request. Convictions have concentrated on affiliates and midtier operators, not group leadership. Some recent key prosecutions include:

  • Deniss Zolotarjovs, a ransomware negotiator linked to Conti, Karakurt and Royal, was sentenced to eight and a half years in U.S. prison in May 2026 following extradition from Georgia.
  • Ryan Goldberg of Sygnia and Kevin Martin of DigitalMint were each sentenced to four years in April 2026 for deploying ALPHV/BlackCat ransomware against U.S. victims while employed as cybersecurity professionals.
  • Sébastien Raoult of ShinyHunters was sentenced to three years plus more than $5 million in restitution in Seattle in January 2024 after extradition from Morocco.
  • Noah Urban of the Scattered Spider group was sentenced to 10 years in federal prison in August 2025 and ordered to repay $13 million in restitution.

At the top levels of cybercrime syndicates, there are many indictments without arrests:

  • Dmitry Khoroshev was indicted in May 2024 as the alleged administrator of LockBit, a ransomware group that has extracted more than $500 million from over 2,500 victims. Khoroshev is believed to remain in Russia.
  • Maksim Yakubets of Evil Corp was indicted in 2019 with a $5 million reward. He is believed to be in Moscow, where the group continues cybercriminal activity.
  • North Korea's Lazarus Group has a long and lucrative criminal history. In February 2025, the group executed the $1.5 billion Bybit heist, the largest single crypto theft on record. The UN Security Council estimated that cybertheft funds roughly 40% of North Korea's weapons development program. Indictments are on file; arrests are not.

How agencies are fighting back

When prosecution is out of reach, the goal becomes disruption. Most operators behind major attacks are beyond the reach of extradition, so agencies have instead focused on the infrastructure they can reach -- the server networks, botnets and dark web markets on which criminal groups depend. Some examples include:

  • Operation Cronos dismantled LockBit's server network across 10 countries in February 2024. Ransom payments to the group fell 79% in the following months.
  • Operation Endgame has targeted multiple botnet and infostealer networks since 2024, with its November 2025 phase alone taking down 1,025 servers.
  • Operation Talent shut down Cracked and Nulled in January 2025, the two largest cybercrime forums in the world, with more than 10 million users combined.

Raising diplomatic pressure

When criminal groups operate under state protection, arrest is rarely an option. Executive Order 14390, signed March 6, 2026, uses legal and economic tools instead, directing U.S. agencies to use commercial cybersecurity firms' threat intelligence for attribution and disruption, and instructing the State Department to apply economic and diplomatic pressure on jurisdictions that shelter cybercriminals.

Getting ahead of fraud

Not all enforcement happens after the fact. The FBI Cyber Division's Operation Level Up contacts crypto fraud victims while schemes are still active. According to the FBI's 2025 IC3 report, the program has notified more than 8,000 victims and prevented more than $500 million in losses since its January 2024 launch. The FBI's Recovery Asset Team froze $679 million in 2025 through rapid IC3 reporting, with a 58% success rate on its Financial Fraud Kill Chain.

Raising the cost of cybercrime

The math for attackers is simple. As long as cybercrime is profitable, they will continue. Disruption operations and financial recovery programs help, but as long as prosecution remains low and most operators remain beyond legal reach, cybercrime stays profitable. The changes that would shift those odds run deeper than any single operation.

Treaty frameworks

Better international agreements are needed, and efforts are underway. The UN Convention against Cybercrime, adopted in December 2024 and opened for signature in Hanoi in October 2025, had 74 signatories but only three ratifications as of mid-2026, against a threshold of 40 to enter into force. The Budapest Convention, with more than 80 ratifying parties, remains the more operational instrument, but Russia and China do not participate, limiting its reach and enforcement.

"We need mechanisms to ensure faster cross-border cooperation, clearer legal standards and easier sharing of evidence across jurisdictions, as many have discussed," Simberkoff said.

Information sharing

Intelligence is another critical aspect in raising the cost of cybercrime. The FBI's National Cyber Investigative Joint Task Force now coordinates more than 30 partnering agencies, and CISA's Joint Cyber Defense Collaborative has expanded public-private intelligence sharing. Bug bounty programs through platforms such as HackerOne and Bugcrowd channel offensive security expertise into legitimate, paid vulnerability research rather than the underground.

Defender preparation

It's also vital for enterprises to be prepared in the event of an incident. Most victim organizations enter a cross-border investigation without a forensic record to support it.

"That's why it's important to have data protection frameworks in place before you're attacked," Simberkoff said. "Even if attackers get access, proactive backup and data protection will give you documentation to make international collaboration less fraught."
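The point Simberkoff makes here, and the defender-side gap described under "Defender shortfall" above, comes down to a concrete habit: hash every collected artifact at the moment of collection, record who collected it and when, and be able to prove later that nothing changed. The following is an added example of that chain-of-custody step; it is not TechTarget's, AvePoint's or any vendor's code. The case ID, collector address and the two log lines are constructed for the demonstration.

```python
"""Evidence preservation manifest: hash collected artifacts, record
collection time and collector, and later verify that nothing changed.
Added example, not code from the article or any vendor; file names,
case ID and log contents are constructed for the demonstration."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB chunks so large logs never sit fully in memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical_hash(manifest):
    # Hash of the canonical JSON (sorted keys, no whitespace) covers every field
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_manifest(paths, collector, case_id):
    """Record each artifact's hash, size and mtime at collection time."""
    entries = []
    for p in sorted(paths):
        st = os.stat(p)
        entries.append({
            "path": os.path.basename(p),
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        })
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "artifacts": entries,
    }
    manifest["manifest_sha256"] = _canonical_hash(manifest)
    return manifest


def verify_manifest(manifest, directory):
    """Re-hash the artifacts; return (name, problem) pairs for anything that changed."""
    problems = []
    if _canonical_hash(manifest) != manifest["manifest_sha256"]:
        problems.append(("manifest", "manifest hash mismatch"))
    for e in manifest["artifacts"]:
        p = os.path.join(directory, e["path"])
        if not os.path.exists(p):
            problems.append((e["path"], "missing"))
        elif sha256_file(p) != e["sha256"]:
            problems.append((e["path"], "hash mismatch"))
    return problems


def demo():
    """Collect two constructed log files, then tamper with one and re-verify."""
    samples = {  # constructed sample log lines, not real telemetry
        "auth.log": b"Jun 11 02:14:07 bastion sshd[4182]: Accepted publickey for svc-backup from 203.0.113.7\n",
        "proxy.log": b"2026-06-11T02:15:33Z GET https://files.example.test/archive.zip 200 5120\n",
    }
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, body in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(body)
            paths.append(p)
        manifest = build_manifest(paths, "ir-analyst@example.test", "IR-2026-0611")
        clean = verify_manifest(manifest, d)
        with open(paths[0], "ab") as f:  # simulate post-collection modification
            f.write(b"tampered\n")
        tampered = verify_manifest(manifest, d)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest itself proves nothing on its own if the same account that could alter the logs can also rewrite the manifest; in practice the manifest hash is pushed to a write-once location (a ticket, a signed e-mail to counsel, an append-only bucket) as soon as it is produced, so the collection time and hashes are fixed before any dispute arises.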

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.
