Border crossing: Global cooperation
The Dridex and Simda botnets. The JPMorgan Chase hackers. Darkode.

Although cybercrime is nothing new, this year produced international coordination on digital criminal investigations like no year prior. Law enforcement agencies around the world, including Europol and the FBI, came together to take down multiple big-name botnets, arrest people suspected of committing cybercrimes and extradite them abroad to face trial.

Citing the enormous amount of media attention given to cybercrime and the variety of law enforcement activities in tracking down suspected criminals, Jeff Brannigan, special agent with U.S. Immigration and Customs Enforcement's (ICE) Homeland Security Investigations (HSI), called this year a “significant” one in terms of the history of cyberlaw enforcement, cybersecurity generally, and cyberlegislation.

“This year offered a lot of landmarks on how we need to address these [cyber] threats going forward,” Brannigan says. “Not just in the government, but in the private sector and on personal levels. Organizations of all sizes and types are more aware now than ever before of threats that exist out there on the internet.”

It's easy to see why more people are aware. Data breaches at the Office of Personnel Management (OPM) impacted millions of federal workers. Millions of U.S. citizens had their data compromised in the data breach at Anthem health care. Millions more have had credit card information stolen from retailer databases. Data breaches are weekly news stories. With this increased frequency comes an increased demand for law enforcement to take action by tracking down suspected criminals and bringing them to justice.

And with that comes unique challenges. “Finding an individual actor online is perhaps more challenging in a lot of respects than finding someone in the physical world,” Brannigan says. 

Primarily, cyberattackers can target law enforcement from anywhere in the world. Hackers have no geographic limits and can easily “travel away from the scene of a crime,” as Brannigan puts it, which is why international coordination is essential. On top of that, the additional anonymity provided by encryption and other footprint-covering services doesn't exactly make law enforcement's job an easy one.

With that in mind, the U.S. government and its agencies rely on training to keep agents operating at the same pace as cybercriminals or, ideally, ahead of them. “The techniques that we use are constantly evolving to match those of the criminals,” Brannigan says. “Technologies we employ are crucial to ensure we are pursuing the right actors who are doing these activities.”

Not only the government but private sector companies as well have been hesitant to attribute attacks to specific people or groups. The OPM data breaches, for instance, were said to be the work of China, but the Obama administration never retaliated against the country. The attacks on Sony, on the other hand, which crippled the company and cost it millions of dollars in damages, were ultimately blamed on North Korea. President Obama issued economic sanctions against the country shortly after, definitively attributing the attack.

There have been greater successes with regard to pursuing individual attackers who operate dark web marketplaces or conduct bigger scam operations. Ross Ulbricht, the operator behind the Silk Road marketplace, was sentenced to life in prison earlier this year, for example, after a long investigation by federal authorities. Ulbricht was arrested at a San Francisco public library branch after authorities staged a domestic violence dispute that allowed them to grab Ulbricht's computer while it was open to Silk Road operational web pages. An agent on the case said if Ulbricht had closed his computer, it would have automatically encrypted all his data.

Later in the year, when an unaffiliated Silk Road 2.0 marketplace sprang up, the FBI worked with multiple international agencies to take it down. During that investigation, an agent went undercover to infiltrate the support staff running the site, which provided access to the most essential site operators. This coordination ultimately led to the arrest of the site's alleged administrator, Blake Benthall.