Badges, Bytes and Blackmail

The Hacker News
Jan 30, 2026
Cybercrime / Threat Intelligence

Behind the scenes of law enforcement in cyber: what do we know about caught cybercriminals? What brought them in, where do they come from and what was their function in the crimescape?

Introduction: One view on the scattered fight against cybercrime

The growing sophistication and diversification of cybercrime have compelled law enforcement agencies worldwide to respond through increasingly coordinated and publicized actions. Yet, despite the visibility of these operations, there remains no comprehensive overview, to our knowledge, on how law enforcement is addressing cybercrime globally. Publicly available information is dispersed across agencies, jurisdictions, case-specific reporting (e.g., "Operation Endgame") [1], and reporting formats, offering fragmented insights rather than a cohesive understanding of what types of crime are being targeted, what actions are taken, and who the offenders are. This results in isolated glimpses rather than a consistent global picture. Therefore, no publicly available summary exists that we are aware of that systematically aggregates information on law enforcement actions.

To address this gap, this analysis introduces a systematically constructed dataset of 418 publicly announced law enforcement activities conducted between 2021 and mid-2025. The data was collected by Orange Cyberdefense intelligence teams, which continuously monitor and assess cyber threats to identify emerging trends and the evolution of cyber incidents. In our dataset each entry represents a verified law enforcement action collected from official announcements and media reports, then manually enriched by the Orange Cyberdefense Security Research Center team by cross-referencing each entry to include contextual and demographic details when available.
A central focus lies on the type of law enforcement action taken, such as arrests, extraditions, takedowns of illicit platforms, seizures, or sanctions. The type of illicit activity was also documented by noting which type of activity the law enforcement action addressed, e.g., Hacking, Distributed Denial of Service (DDoS) Attack, IT Worker Fraud, or Cyber Extortion, and then translated into the actual criminal act of such attacks.

Which Criminal Acts Were Addressed?

This chart shows the top 10 criminal acts most frequently addressed by law enforcement in publicly reported operations. The data reveals that Extortion (including ransomware) is the most addressed criminal act, followed closely by Installation or Distribution of Malicious Software (Malware) and Unauthorized Access or Intrusion (Hacking). Together, these three categories dominate the landscape and illustrate law enforcement's continued focus on Cyber Extortion operations and the technical intrusions that enable them.

Other prominent criminal acts, including Unauthorized Access for Espionage (Cyber Espionage), Provision of Criminal Infrastructure (Dark Web Marketplace / Sites or Infrastructure and Hosting Services), and Deceptive Acquisition of Financial Assets (Fraud), suggest that authorities are also targeting the enablers and facilitators of cybercrime. While less frequent, offenses like Data/Information Trafficking (Selling Stolen Goods (Data)), Use of Cryptocurrency to Conceal or Facilitate Crime (Cryptocurrency Misuse), and Concealment of Criminal Proceeds via ICT (Money Laundering) reflect law enforcement's increasing attention to the financial transactions and laundering mechanisms that underpin cyber operations.

While financial gain remains a central driver of cyber offenses [2,3,4], the lines between motivations have become increasingly blurred, in some cases shifting in response to geopolitical events, as we have continuously been reporting on in the past two years [5,6]. Activities initially framed as financially motivated can quickly take on political or ideological dimensions. These fluid boundaries illustrate how financial, political, and cognitive motives increasingly coexist, challenging traditional distinctions between criminal and ideological cyber activity.

What Actions Were Taken by Law Enforcement?

Arrests account for the largest share (29%) of law enforcement actions, illustrating law enforcement's continued focus on individual accountability and prosecution. Takedowns (17%) and Charges (14%) indicate a strong emphasis on disrupting operational networks and bringing offenders to justice, and together represent nearly one-third of all activity. Complementary measures such as Sentences (11%), Sanctions (7%), and Seizures (4%) show that law enforcement is addressing both criminal actors and the economic infrastructure sustaining their activities.
Specifically, sanctions have shown a steady increase over recent years and reflect a growing use of non-traditional enforcement mechanisms for the inclusion of economic and diplomatic tools within the law enforcement arsenal. Actions like investigations, wanted notices, and extraditions demonstrate cross-border cooperation and the procedural depth behind each publicized enforcement effort.

Wanted notices represent a non-coercive enforcement measure focused on public identification and pursuit. They bridge the gap between investigation and arrest by facilitating cross-border coordination and sustaining pressure on suspects. Through public attribution, they also serve a deterrent function, signalling law enforcement capability and reach even when direct apprehension is not immediately possible.

If we combine the data showing the type of illicit activity addressed with the type of law enforcement action, we can see that Arrests dominate across nearly all crime types, particularly Cyber Extortion (22) and Hacking (19). Charges and Sentences are the next most frequent responses, which demonstrates that many cases progress through the judicial process. Cyber Extortion, Malware, Hacking, and Cyber Espionage attract the most diverse range of responses (including arrests, charges, sentences, and sanctions).

Takedowns are strongly linked with Dark Web sites or marketplaces [7,8,9] and malware infrastructure [10,11,12], which makes sense given the operational logic behind such actions. These operations typically involve the coordinated dismantling of online infrastructure, such as servers, domains, or communication platforms that enable criminal activity. In the case of Dark Web Marketplaces, takedowns often include seizure of servers, arrests of administrators, and replacement of website landing pages with law enforcement banners, signalling control and deterrence.
Sanctions appear primarily tied to Cyber Espionage and state-aligned operations, reflecting government-level actions rather than addressing individuals.

Who Are the Leading Institutions in Law Enforcement?

The United States' global leadership in cyber law enforcement is demonstrated by its listing as the primary participant in nearly half of all actions (45%). The second cluster, namely Germany, the United Kingdom, Russia, Ukraine, the Netherlands, Spain, and France, represents the core of global cyber enforcement capacity outside the U.S. Active EU member-state participation in Europol and Eurojust-facilitated operations demonstrates the Union's emphasis on a joint, cross-border enforcement approach.

The presence of Russia and Ukraine near the top of this list is noteworthy. These states are frequently targets of global law enforcement actions but also conduct their own domestic prosecutions and counter-cybercrime operations, often involving politically sensitive cases.

Entries such as International and European Countries reflect the role of multinational task forces where leadership attribution is shared. These include Europol-coordinated takedowns, Interpol operations, and Five Eyes collaborations. In some cases, law enforcement announcements did not go into detail and only described these multinational actions by European nations or International ones; whenever countries were listed on their own, they were documented as such in our data.

The distribution of participating national authorities naturally reflects the same geographic patterns observed in the country-level analysis. A study of the top 20 institutions involved in reported law enforcement actions highlights the clear dominance of U.S. agencies. The U.S. Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) lead by a wide margin, followed by private organizations, which appear as a major supporting actor in cybercrime disruption efforts.
The presence of OFAC [13] further illustrates the integration of financial and political instruments into cybercrime responses. The strong representation of private organizations among the supporting entities is particularly noteworthy. In this dataset, private organizations rank among the top three most frequently mentioned participants. Across the 169 institutions analyzed, 74 distinct private entities were identified as supporting efforts in one way or another. This is a significant indicator of the expanding scale of public-private collaboration, which illustrates