cyber crime case study 2021

(1) Includes stand-alone policies and the cybersecurity portion of package policies. Does not include premiums from companies that cannot report premiums for cybersecurity coverage provided as part of package policies. (2) Before reinsurance transactions.

• Identity Theft Research Center (ITRC) 2022 Annual Data Breach Report
• Identity Theft Research Center (ITRC) Quarterly Data Breach Analysis and Other Publications
• Internet Crime Complaint Center  
• FBI Internet Crime Report 2022 
• Federal Trade Commission Consumer Sentinel Network Data Book 2022

Back to top

Trending News

Related Practices & Jurisdictions

• Communications Media Internet
• Corporate Business Organizations
• Litigation Trial Practice
• All Federal

2021 was another year of high activity in the realm of data event and cybersecurity litigations with several noteworthy developments.  CPW has been tracking these cases throughout the year.  Read on for key trends and what to expect going into the 2022.

Recap of Data Breach and Cybersecurity Litigations in 2020

2021 heralded several developments in data breach and cybersecurity litigations that may reshape the privacy landscape in the years to come.  However, in many ways 2021 litigation trends were congruent with the year prior.  Before delving into where we may be headed for this important area of data privacy litigation in 2022, let’s do a short recap of where we were at the end of 2020.

Recall that the number of data events in 2020 was more than  double  that of 2019, with industries that were frequent targets of cyberattacks including government, healthcare, retail and technology.  In this instance, correlation equaled causation—as more entities experienced crippling security breaches, the number of data breach litigations filed also increased.  There were three trends that marked the cybersecurity landscape that we covered in CPW’s 2020 Year in Review:

First , in 2020 plaintiffs bringing data breach litigations continued to rely on common law causes of action (negligence and fraud, among others) in addition to asserting new statutory claims ( although of course there were exceptions ).  Challenges to a plaintiff’s Article III standing in the wake of a data event were pervasive, with defendants arguing that allegations of future speculative harm were inadequate to establish federal subject matter jurisdiction.

Second , in spring 2020, a federal court ordered production of a forensic report prepared by a cybersecurity firm in the wake of a data breach.  The report was found  not  protected as attorney work product  despite having been prepared at the direction of outside counsel .  Commentators at the time wondered if this was a harbinger of future rulings regarding privilege in the context of privacy litigations.

And  third , there were several warning signs that the legal fallout from a data breach can extend to company executives and the board.  As just one instance, in 2020 a company’s former Chief Security Officer (CSO) was charged with obstruction of justice and misprision of felony for allegedly trying to conceal from federal investigators a cyberattack that occurred in 2016, exposing the data of 57 million individuals.

Perhaps unsurprisingly, these earlier trends signaled in part what was on the horizon in 2021 as discussed in greater detail below.

Article III Standing in Cybersecurity Class Action Litigations

The past several years have seen a not-so-quiet revolution in standing jurisprudence, and 2021 was no different.  Standing under Article III of the U.S. Constitution, in the Supreme Court’s oft-repeated phrasing, is an “irreducible constitutional minimum” requiring that a party be able to demonstrate: (1) an injury in fact; (2) that the injury was caused by defendant’s conduct; and (3) that the injury can likely be redressed by a favorable judicial decision.

The standing issue that defined 2021 was “speculative future harm.”  In February, the Eleventh Circuit highlighted a long-running circuit split regarding whether plaintiffs had standing to assert claims based solely on the disclosure of their information couples with an increased risk of future harm.  In  Tsao v. Captiva MVP Rest. Partners, LLC , 986 F.3d 1332 (11th Cir. 2021) , the court found that standing required a concrete and particularized injury that was actual or imminent.  The  Tsao  plaintiff based his injuries on fear of future harm, as well as preemptive steps taken to ward off potential identity theft.  In line with the majority of circuits to have addressed the issue, the court found that none of these potential injuries conferred standing.

Other courts likewise joined in this skepticism of standing based on speculative future harm.  The Central District of Illinois expressed doubt in  McGlenn v. Driveline Retail Merch., Inc. , 2021 U.S. Dist. LEXIS 9532 (C.D. Ill. Jan. 19, 2021)  whether speculative future harm could confer standing at all.  The Middle District of Florida, following  Tsao , recommended in  Hymes v. Earl Enters. Holdings , 2021 U.S. Dist. LEXIS 26534, (M.D. Fla. Feb. 10, 2021)  that approval for a settlement be withheld based on a lack of standing based on injuries similar to those alleged in  Tsao .  In March, the Eastern District of Pennsylvania likewise weighed in via  Clemens v. Execupharm, Inc ., No. 20-cv-3383, 2021 U.S. Dist. LEXIS 35178 (E.D. Pa. Feb. 25, 2021) , reaching the same conclusions regarding speculative future harm.  In April, the Ninth Circuit joined the party, again finding in  Pruchnicki v. Envision Healthcare Corp. , 845 F. App’x 613, 614 (9th Cir. 2021)  speculative future injury, coupled with lost time, worry, and purported loss of value of her information, was insufficient to confer standing.  Even some state courts got in on the fun: the Superior Court of Delaware, applying that state’s similar standing principles, found in  Abernathy v. Brandywine Urology Consultants, P.A. , No. N20C-05-057 MMJ CCLD, 2021 Del. Super. LEXIS 46 (Del. Super. Ct. Jan. 21, 2021)  that the mere notice of a data breach coupled with speculative future harm was insufficient to confer standing.

In the midst of this growing chorus of cases rejecting speculative future harm as a basis for standing came the Second Circuit, which issued a massive opinion trying to harmonize years of precedent both finding and rejecting standing.   McMorris v. Carlos Lopez & Assocs., LLC , 995 F.3d 295, 297 (2d Cir. 2021)  held that, in the abstract, a plaintiff  could  establish standing based on a substantial risk of identity theft or fraud, but that such an argument would be fact and case-specific.

Then came June’s  Ramirez v. Transunion , 141 S. Ct. 2190 , in which the Supreme Court revisited the question of what constitutes an “injury in fact” in the data breach context.  The  Ramirez  class consisted of affected individuals who, in the main, alleged only that inaccurate information existed on their credit files, with no corresponding dissemination to a third party or any harm resulting from that dissemination.  The Supreme Court determined that where the vast majority of a putative class suffered no actual injury, let alone the type of injury suffered by a class representative, no standing existed.  The Supreme Court also determined that “the mere risk of future harm, without more, cannot qualify as a concrete harm in a suit for damages.”

On a related note, while commentators worried that  Ramirez  would preclude data breach litigations from being brought in federal courts, such concerns have not yet materialized.  The courts in  Blackbaud  and  Cotter v. Checkers Drive-In Restaurants, Inc. , 2021 U.S. Dist. LEXIS 160592 (M.D. Fla. Aug. 25, 2021), distinguished  Ramirez  on procedural grounds.  Meanwhile, some courts have indicated that an impending injury or substantial risk could suffice for injury in fact in data breach litigation.  The court in  Griffey v. Magellan Health Inc. , 20210 U.S. Dist. LEXIS 184591 (D. Az. Sep. 27, 2021), found that plaintiffs alleged risks of future harm that were “certainly impending” and thus had standing.  All in all, however, pleading a data incident without something more probably does not survive a motion to dismiss.  That’s what happened in  Legg v. Leaders Life Ins. Co. , 2021 U.S. Dist. LEXIS 232833 (W.D. Okla. Dec. 6, 2021), where plaintiffs’ allegations of  general  risks of harm did not suffice.

Ramirez  has also led to consideration of timing and cause-and-effect in data privacy litigation, with courts focusing not only on the existence of concrete harm, but whether the harm could have actually been caused by the breach itself.  The Eastern District of Missouri determined in  Mackey v. Belden, Inc. , 2021 U.S. Dist. LEXIS 145000 (E.D. Mo. Aug. 3, 2021)  that the theft of a Social Security number, coupled with the filing of a false tax return after the theft occurred, was sufficient to confer standing, while the Central District of California determined in  Burns v. Mammoth Media, Inc ., 2021 U.S. Dist. LEXIS 149190 (C.D. Cal. Aug. 6, 2021)  that standing requires a plaintiff show an actual connection between his or her damages and the breach, rather than simply speculating that any purported harm that occurred must have been the result of the breach.

Discovery Disputes Over Work Product and Attorney Client Privilege

2021 has also seen a continuation and cementing of 2020’s developments in how courts treat the attorney-client privilege and work product doctrines in connection with data breach litigation.  Specifically, courts have continued to scrutinize closely whether and how clients may protect post-breach forensic reports from production in subsequent litigation.  Two decisions this year –  Wengui v. Clark Hill , 2021 U.S. Dist. LEXIS 5395 (D.D.C. Jan. 12, 2021)  and  In re Rutter’s Data Sec. Breach Litig ., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (E.D. Pa. July 22, 2021)  – have addressed these issues.

As a reminder, 2020 brought us the  Capital One  decision,  In re Capital One Consumer Data Security Breach Litigation  (Capital One), 2020 U.S. Dist. LEXIS 91736 (E.D. Va. May 26, 2020), aff’d, 2020 U.S. Dist. LEXIS 112177 (E.D. Va. June 25, 2020).  Capital One, though it logically followed from a number of attorney-client privilege and work product doctrine [1]  cases, shook up how counsel had to approach privilege in data breach remediation and subsequent litigation.

If you recall, the  Capitol One  decision involved a motion to compel a report on a data breach prepared by Capital One’s pre-established security consultant.   Capital One , 2020 U.S. Dist. LEXIS 91736, at *12.  This was probably Capitol One’s biggest mistake: This “long-standing” business relationship became the key dispositive liability for keeping that report protected under the work product doctrine.   Id .  The court in  Capital One  scrutinized that business relationship as well as prior reports prepared for cybersecurity purposes and, as a result, ascertained that the consultant’s report would have been prepared in a similar form regardless of the litigation.  Thus, the report did not meet the “because of” litigation standard for work product protection.  Presumably because of the preexisting relationship, that decision did not need to address the narrow  Kovel  test for whether the report would be protected under the attorney-client privilege as work essentially prepared by the litigation counsel’s expert or paralegal.

Relying on the  Capitol One  decision, a D.C. district court decided  Clark Hill  earlier this year.   Clark Hill  involved a cybersecurity attack directed at a law firm.  In attempting to avoid production of the breach report, Clark Hill sought to rely on the work product doctrine arguing that the report they sought to withhold was created “because of” anticipated litigation.   Clark Hill, PLC , 338 F.R.D. at 10.  Rather than simply assert that, given that case law exists noting that incident response reports serve business functions as well, Clark Hill attempted to make a more nuanced argument.  Specifically, Clark Hill argued, relying on a concept first introduced by  In re Target , that two reports existed; one which was prepared for litigation and the other of which was to be used to address security concerns.  That distinction, while accepted by the Court, failed Clark Hill because their other report was nowhere near as substantive, was not described in the interrogatory responses as a basis for their response, and the report Plaintiff sought had been circulated outside of the circle of employees and lawyers who needed to know about it for the litigation.   Id . at 12.  Clark Hill similarly lost on the attorney-client privilege because, in attempting to invoke the Kovel Doctrine.  Clark Hill failed to meet the criteria of this test because the numerous security improvement recommendations in the breach report at issue demonstrated that the report was not prepared by an expert advising litigators on how to provide legal advice but was rather the result of independent vendors working to cure a business issue – Clark Hill’s cybersecurity deficiencies.   Clark Hill, PLC , 338 F.R.D. at 11.

Issued this summer,  In Re Rutter  is the third federal court decision addressing these issues.  While  Clark Hill  cited  Capitol One  in its analysis,  In Re Rutter’s  presents an independent analysis and arrives at the same conclusion.  The potential data breach at issue in  In re Rutter’s  concerned payment card information at the point-of-sale (POS) devices used by defendants.  Rutter’s received two alerts on May 29, 2019, which “detail[ed] the execution of suspicious scripts and indications of the use of potentially compromised credentials.”  In response, Rutter’s hired outside counsel, BakerHostetler, “to advise Rutter’s on any potential notification obligations.”  BakerHostetler in turn hired a third party security firm “to conduct forensic analyses on Rutter’s card environment and determine the character and scope of the incident.”     In re Rutter’s Data Sec. Breach Litig ., 2021 U.S. Dist. LEXIS 136220, at *3.

Plaintiffs in  In re Rutter’s  learned about the defendant’s investigation and resulting report during the Fed. R. Civ. P. 30(b)(6) deposition of Rutter’s ill-prepared Vice President of Technology.  Following that deposition and as a result of the deponents framing of the process underlying the report, Plaintiffs sought production of the security firm’s written report and related communications.  Rutter’s objected, citing the work product doctrine and attorney-client privilege.  Applying the general work product doctrine precedent described above, the court held that the work product doctrine did not protect the security firm’s report and related communications from disclosure in discovery largely because of how that report was characterized at deposition as indistinct from a factual report prepared without involvement of counsel.

Thus, both  Clark Hill  and  In re Rutter’s  serve as sobering reminders that while reports prepared for and at the request of counsel in anticipation of litigation can be privileged, compliance officers and counsel must scrupulously avoid blurring the lines between “ordinary course” factual reports and reports genuinely prepared for assisting trial counsel.   In re Rutter’s  also serves as a reminder that preparing 30(b)(6) witnesses can be critical as their testimony can be highly significant, if not dispositive, for a court when assessing assertions of privilege.

These two new cases further cement the widespread implications from  Capitol One  for both data privacy litigation strategy.   All three cases pose lessons for litigators and incident response counsel on the appropriate framing of incident response efforts before and during litigation.   For more a more in depth analysis of the facts underlying these cases and the take-away lessons from them, see our earlier publication here .

  Plaintiff-Side Developments

Data breach litigations continued to be filed at a brisk pace in 2021 in industries ranging from ecommerce, finance, mortgage providers, technology, and software cloud companies to healthcare, wellness, retail, and fast-food, among others.

Many of these litigations were dismissed at the pleadings stage, either for lack of Article III standing (discussed above) or for failure to plead a cognizable claim.   These cases reiterate that merely alleging that a data event or cyberattack occurred, without more, does not mean that plaintiffs automatically can go forward with a case.  Conclusory, ipse dixit allegations are not sufficient .  Plaintiffs are taking note of these decisions and increasingly relying on a blunderbuss pleading strategy (by raising multiple statutory and common law claims in a single complaint) in an effort to have their claims survive a motion to dismiss.

However, because plaintiffs (particularly those that allege merely speculative future harm as a result of a data event) have difficulty establishing the core elements of causation and damages, these efforts have met with mixed success.   Mere alleged misappropriation of personal information may not suffice for purposes of establishing a plaintiff’s damages .

Of course, it goes without saying that class action plaintiffs have also taken an expansive pleading strategy in the hopes that they will be able to cobble together a claim under one of the state or federal privacy statutes that provides for liquidated statutory damages upon establishment of a violation (the California Consumer Privacy Act (“CCPA”) and  federal Driver’s Privacy Protection Act  were two frequent targets).

Other Trends: Emergence of the Data Breach Consumer Pricing Dispute and a Decline in MDLs

Additionally, 2021 also saw the first instance in which a data event litigation was framed as a quintessential consumer pricing dispute—perhaps signaling that such cases may become more common.  In the wake of a ransomware attack involving the Colonial Pipeline, two groups of Plaintiffs filed suit alleging that the owners of the Colonial Pipeline failed “to properly secure the Colonial Pipeline’s critical infrastructure – leaving it subjected to potential ransomware attacks like the one that took place on May 7, 2021.”   See  Dickerson v. CDCP Colonial Partners , L.P., Case No. 1:21-cv-02098 (N.D. Ga.) ;  EZ Mart 1, LLC v. Colonial Pipeline Company , Case No. 1:21-cv-02522 (N.D. Ga.) .  This included the assertion that Defendants “failed to implement and maintain reasonable security measures, procedures, and practices appropriate to the nature and scope of [Defendants’ business operations].”  Plaintiffs sought to the Complaint seek to certify a nationwide class consisting of  “[a]ll entities and natural persons  who purchased gasoline from May 7, 2021 through Present and  who paid higher prices for gasoline as a result of the Defendant’s conduct alleged herein  (hereinafter the “Class”).”  Will we see more of this going forward?  Time will tell.

Finally, although  the Judicial Panel on Multidistrict Litigation (“JPML”) recently transferred and centralized over 40 data event and cybersecurity class actions brought against T-Mobile in the Western District of Missouri , data breach multidistrict litigations (“MDLs”) declined over prior years.  There were several instances in which the JPML declined requests to consolidate and coordinate pretrial proceedings in the wake of a data event.  Justifications given by the JPML in declining consolidation this year included that “centralization under Section 1407 should be the last solution after considered review of all other options,” which include “agreeing to proceed in a single forum via Section 1404 transfer of the cases and voluntary cooperation and coordination among the parties and the involved courts to avoid duplicative discovery or inconsistent rulings.”  When cybersecurity litigations have been primarily filed in the same forum or the parties are already coordinating, the JPML especially was disinclined to order MDL formation in 2021.

Looking Forward

In many regards, 2021 demonstrated the axiom “the more things change, the more they stay the same.”  Cybersecurity litigation trends in 2021 were a continuation of 2020.  Article III standing, privilege considerations and novel pleading strategies used by plaintiffs to survive a well-crafted motion to dismiss are expected to remain key issues in data event litigations in 2022.  Additionally, a larger development on the horizon remains the specter of liability to corporate officers and the board in the wake of a widespread cyberattack.  While the majority of cybersecurity litigations filed continue to be brought on behalf of plaintiffs whose personal information was purportedly disclosed, shareholders will increasingly look to hold executives responsible for failing to adopt reasonable security measures to prevent cyberattacks in the first instance.

Needless to say, 2022 should be another interesting year for data event litigations and for data privacy litigations more broadly.  Not to worry, CPW will be there to keep you in the loop.  Stay tuned.

Current Public Notices

Current legal analysis, more from squire patton boggs (us) llp, upcoming legal education events.

Sign Up for e-NewsBulletins

Programs submenu

Regions submenu, topics submenu, gaza's looming polio threat—gaza: the human toll, weapons in space: a virtual book talk with dr. aaron bateman, bolstering data center growth, resilience, and security.

• Abshire-Inamori Leadership Academy
• Aerospace Security Project
• Africa Program
• Americas Program
• Arleigh A. Burke Chair in Strategy
• Asia Maritime Transparency Initiative
• Asia Program
• Australia Chair
• Brzezinski Chair in Global Security and Geostrategy
• Brzezinski Institute on Geostrategy
• Chair in U.S.-India Policy Studies
• China Power Project
• Chinese Business and Economics
• Defending Democratic Institutions
• Defense-Industrial Initiatives Group
• Defense 360
• Defense Budget Analysis
• Diversity and Leadership in International Affairs Project
• Economics Program
• Emeritus Chair in Strategy
• Energy Security and Climate Change Program
• Europe, Russia, and Eurasia Program
• Freeman Chair in China Studies
• Futures Lab
• Geoeconomic Council of Advisers
• Global Food and Water Security Program
• Global Health Policy Center
• Hess Center for New Frontiers
• Human Rights Initiative
• Humanitarian Agenda
• Intelligence, National Security, and Technology Program
• International Security Program
• Japan Chair
• Kissinger Chair
• Korea Chair
• Langone Chair in American Leadership
• Middle East Program
• Missile Defense Project
• Project on Critical Minerals Security
• Project on Fragility and Mobility
• Project on Nuclear Issues
• Project on Prosperity and Development
• Project on Trade and Technology
• Renewing American Innovation
• Scholl Chair in International Business
• Smart Women, Smart Power
• Southeast Asia Program
• Stephenson Ocean Security Project
• Strategic Technologies Program
• Sustainable Development and Resilience Initiative
• Wadhwani Center for AI and Advanced Technologies
• Warfare, Irregular Threats, and Terrorism Program
• All Regions
• Australia, New Zealand & Pacific
• Middle East
• Russia and Eurasia
• American Innovation
• Civic Education
• Climate Change
• Cybersecurity
• Defense Budget and Acquisition
• Defense and Security
• Energy and Sustainability
• Food Security
• Gender and International Security
• Geopolitics
• Global Health
• Human Rights
• Humanitarian Assistance
• Intelligence
• International Development
• Maritime Issues and Oceans
• Missile Defense
• Nuclear Issues
• Transnational Threats
• Water Security
• Significant Cyber Incidents

This timeline records significant cyber incidents since 2006, focusing on cyber attacks on government agencies, defense and high tech companies, or economic crimes with losses of more than a million dollars.

• Cloud Policy Agenda
• Staff and Affiliates

This timeline records significant cyber incidents since 2006. We focus on cyber attacks on government agencies, defense and high tech companies, or economic crimes with losses of more than a million dollars. If you think we’ve missed something, please send an email to [email protected] .

Available Downloads

• Significant Cyber Events List 818kb

July 2024:  South Korea’s military is investigating the leak of highly sensitive information on Seoul’s espionage activities and issued an arrest warrant for a suspect. The information included personal data on Seoul’s non-official agents conducting undercover espionage overseas. The information was transferred to the suspect’s personal laptop before being leaked. Lawmakers said the leak was first discovered in June and was not the result of a hack.

July 2024:  A faulty software update for Microsoft Windows issues by cybersecurity firm CrowdStrike caused a global IT outage that disrupted airline and hospital operations. It affected approximately 8.5 million machines and cost Fortune 500 companies $5.4 billion, according to reports. 

July 2024 : Germany accused China of directing a “serious” cyberattack against Germany’s Federal Office for Cartography and Geodesy (BKG), which conducts precision mapping of the entire country, in 2021. The findings come at the end of a three-year investigation into the incident and as Germany plans a rip-and-replace project for Chinese telecommunications infrastructure in Germany over security concerns.

July 2024: Australia, the United States, Canada, the United Kingdom, Germany, Japan, South Korea, and New Zealand issued a warning about malicious Chinese state-sponsored cyber activity in their networks. It marked the first time South Korea and Japan joined with Australia to attribute malicious cyber actions to China, and the first time Australia led a cyber attribution effort against China.

June 2024: Japan’s space agency has suffered a series of cyberattacks since last year, according to the Japanese government. Japan’s Chief Cabinet Secretary claimed the targeted networks did not contain sensitive rocket or satellite information, and that the attackers were “from outside of Japan.”

June 2024: Hackers deployed ransomware in Indonesia’s national data center which briefly disrupted a variety of immigration services, including immigration document management services at airports, and deleted information that was not backed up. The attack prompted Indonesia’s Director General of Informatics Applications at the Communications and Informatics Ministry to resign and initiated and a nation-wide audit of Indonesia’s national data centers.

June 2024: Belarusian state-sponsored hackers launched an espionage campaign Ukraine’s Ministry of Defense and a Ukrainian military base. The attackers sent targets phishing emails with drone image files a malicious Microsoft Excel spreadsheet.

June 2024: Germany’s main opposition party, the Christian Democratic Union, suffered a cyberattack just ahead of European Parliamentary elections. Germany’s interior ministry did not disclose the extend of the attack or the suspected perpetrator, but acknowledged it was “serious.” The attack occurred shortly after Germany’s Social Democratic party was attacked by Russian hackers. The party briefly took down parts of its IT service as a precaution.

June 2024: The government of Palau accused Chinese hackers of stealing over 20,000 government documents shortly after the island nation signed a 20-year economic and security deal with the United States in March 2024. Palau’s president said this was the first major attack on government records that the island has seen.

May 2024: A new report from Canada’s Communications Security Establishment detected Chinese espionage activity against eight members of Parliament and one senator starting in 2021. The spies likely attempted to obtain information from the targets’ personal and work devices but were unsuccessful, according to the report. The Parliamentarians were members of Canada’s Inter-Parliamentary Alliance on China, which focuses on how democracies should approach PRC-related issues. The report also mentioned this activity was similar to activity against 19 European countries dating back to 2020. 

May 2024: Recent media reports stated Pakistani cyber spies deployed malware against India’s government, aerospace, and defense sectors. The group sent phishing emails masquerading as Indian defense officials to infect their targets' devices and access sensitive information. The attack’s extent is unknown.

May 2024:  Chinese hackers hit Britain’s Ministry of Defense with a cyberattack that exposed sensitive information on every troop apart from the UK’s special forces. The attackers targeted a third-party contractor to access names and bank details of current and former members of the armed forces. The UK Minister of Defence stopped short of publicly naming China as the culprit. 

May 2024: Poland and the Czech Republic accused Russian cyber spies of targeting government and infrastructure networks. Both countries claim the attacks occurred around the same time Russian hackers attacked the German government. Hackers gained access by exploited a Microsoft Outlook vulnerability, and the extent of the compromised data is currently unknown.

May 2024: Germany accused Russian hackers of breaking into the emails of Germany’s Social Democrats, the leading party in its governing coalition, and recalled its ambassador from the country. The campaign started in March 2022 when hackers exploited vulnerabilities in Microsoft Outlook to target the party’s executive committee, as well as German defense and aerospace companies.

April 2024: Ukraine’s military intelligence agency launch a cyberattack against Russia’s ruling United Russia party the same day Russia hosted its Victory Dictation. Attackers launched a barrage of DDoS attacks against United Russia’s servers, websites, and domains to make them inaccessible. United Russia publicly admitted to suffering from a “massive” DDoS attack. 

April 2024: Belarusian pro-democracy hackers, known as the Belarusian Cyber-Partisans, crippled the website of Belarus’ main security service agency for over two months. The hackers also published a list of website administrators, its database, and server logs on its Telegram channel. This is the latest in a series of attacks against the Belarusian government by the group. 

April 2024: Police in the United Kingdom are investigating a series of “honey trap” attacks against British MPs. Attackers sent explicit messages allegedly of themselves over WhatsApp to their target for the apparent purpose of acquiring compromising images of the target. The perpetrators of these attacks are currently unknown. 

April 2024: Germany plans to create a cyber military branch as part of its military restructuring. Germany's defense minister, Boris Pistorius, stated the new Cyber and Information Domain Service (CIR) would help deter increasing cyber aggression from Russia against Germany and its NATO allies. 

April 2024: Hackers attacked El Salvador’s national cryptocurrency wallet Chivo and exposed over 144 GB of sensitive personal information of millions of Salvadorians. The hackers also released Chivo’s source code publicly. The Salvadorian government has not released an official public statement on the attack. 

March 2024: A “massive” cyberattack disrupted the African Union’s systems for over a week and infected over 200 user devices, according to the deputy chair of the AU Commission. The cause of the cyberattack is unknown.

March 2024: Iranian hackers compromised an IT network connected to an Israeli nuclear facility. Hackers leaked sensitive facility documents but did not compromise its operational technology network. 

March 2024: Russian hackers launched phishing attacks against German political parties. Hackers concealed ransomware in a fake dinner invitation from Germany’s Christian Democratic Union to install a backdoor in their victim’s computer.

March 2024: India’s government and energy sectors was breached in a cyber espionage campaign. Hackers sent a malicious file disguised as a letter from India’s Royal Air Force to offices responsible for India’s electronic communications, IT governance, and national defense. Researchers have not yet determined who conducted the attack. 

March 2024: A U.S. Department of Justice indictment revealed Chinese hackers targeted several EU members of the Inter-Parliamentary Alliance on China and Italian MPs. The attack was designed to detect IP addresses and the targets’ locations.

March 2024: Canada pulled its financial intelligence system FINTRAC offline after a “cyber incident” by a currently unidentified attacker. FINTRAC claims the attack does not involve its intelligence or classified systems but declined to disclose further details of the incident.

March 2024: Russian hackers leaked an intercepted conversation between German military officials about the country’s support for Ukraine. In the call, the head of Germany's Air Force discussed the possibility of supplying Taurus missiles to Ukraine and commented on German Chancellor Olaf Scholz's hesitance to send the missiles. Germany announced it would investigate the incident and believes the leak was intended to inflame divisions in Germany.

March 2024: Switzerland’s National Cyber Security Centre (NCSC) confirmed that leaded data from a May 2023 breach included 65,000 documents from the Federal Administration. The documents contained sensitive personal data, classified information, and passwords, and were from Switzerland’s federal police, judiciary, and migration offices. Swiss officials had originally assessed that breach only impacted non-government documents. 

March 2024: Microsoft claims Russian hackers stole its source code and are continuing to gain unauthorized access to its internal systems as part of their November 2023 campaign to spy on senior Microsoft executives. Microsoft also said attackers increased the volume of their “password spray” attacks by nearly tenfold between January and February 2024. The company did not disclose further details on the source code access or breached internal systems. 

February 2024: Russian hackers launched an espionage campaign against the embassies of Georgia, Poland, Ukraine, and Iran beginning in 2023. Hackers exploited a bug in a webmail server to inject malware into servers at the embassies and collect information on European and Iranian political and military activities. 

February 2024: Roughly 190 megabytes of data from a Chinese cybersecurity company were exposed online, revealing the company’s espionage efforts on the governments of the United Kingdom, India, Indonesia, and Taiwan. The leak’s source is unknown.

February 2024: The Royal Canadian Mounted Police suffered a cyberattack against its networks. The RCMP stated it is investigating this “alarming” incident and does not believe it had an impact on its operations or the safety and security of Canadians. It is so far unclear who is behind the attack and if it was a data breach or security incident. 

February 2024: U.S. officials hacked an Iranian military spy ship that was sharing intelligence with Houthi rebels who have been firing on ships in the Red Sea. According to U.S. officials, the attack was part of the Biden administration’s response to an Iranian drone stroke that killed three U.S. soldiers in Jordan.

February 2024: A data breach of French health insurance companies in January 2024 affected 33 million French citizens, or nearly half the country’s population. The attack compromised sensitive birth date, social security, and marital status information, but not medical history. The French data protection agency opened an investigation to determine if the companies complied with cybersecurity guidelines under the EU’s General Data Protection Regulations. 

February 2024: Chinese spies places malware in a Dutch military network in 2023. The network was not connected to the defense ministry’s main network, which reduced damage. This is the first time the Netherlands has publicly accused China of cyber espionage.

January 2024: Hackers breached Global Affairs Canada’s secure VPN in December 2023, allowing hackers to access sensitive personal information of users and employees. It affected staff emails, calendars, and contacts. It’s unclear if classified information was compromised or lost. The hacker's identity is currently unknown. 

January 2024: Russian hackers launched a ransomware attack against Sweden’s only digital service provider for government services. The attack affected operations for 120 government offices and came as Sweden prepared to join NATO. Sweden expects disruptions to continue for several weeks. 

January 2024: Microsoft announced that Russian hackers broke into its corporate systems. Hackers used a “password spray attack” to steal emails and documents from accounts of Microsoft’s senior leadership, cybersecurity, and legal teams back in November 2023.

January 2024: Russian hackers attacked 65 Australian government departments and agencies and stole 2.5 million documents in Australia’s largest government cyberattack. Hackers infiltrated an Australian law firm that worked with the government to gain access to government files. 

January 2024: The Australian government identified and sanctioned Aleksandr Ermakov as the Russian hacker who breached Medibank, the country’s largest private health insurance provider, in 2022. He stole information from 9.7 million current and former Medibank customers. This is the first time Australia has issued cyber sanctions against an individual since the framework was established in 2021. The U.S. and UK also sanctioned Ermakov. 

January 2024: Russian agents hacked residential webcams in Kyiv to gather information on the city’s air defense systems before launching a missile attack on Kyiv. Hackers changed the cameras’ angles to gather information on nearby critical infrastructure facilities and stream the footage on YouTube. Ukraine has since ordered webcam operators in the country to stop live broadcasts. 

December 2023:  Israeli-linked hackers disrupted approximately 70% of gas stations in Iran. Hackers claimed the attack was in retaliation for aggressive actions by Iran and its proxies in the region. Pumps restored operation the next day, but payment issues continued for several days. 

December 2023: Ukrainian state hackers crippled Russia’s largest water utility plant by encrypting over 6,000 computers and deleting over 50 TB of data. Hackers claimed their attack was in retaliation for the Russian Kyivstar cyberattack.

December 2023: Russian hackers hit Ukraine’s largest mobile phone provider, Kyivstar, disabling access to its 24 million customers in Ukraine. Hackers claim to have destroyed more than 10,000 computers and 4,000 servers, including cloud storage and backup systems. The attack began hours before President Zelenskyy met with President Biden in Washington D.C.

December 2023: Ukraine’s military intelligence service (the GRU) claims to have disabled Russia’s tax service in a cyberattack. According to the GRU, the attack destroyed the system’s configuration files, databases, and their backups, paralyzing Russia’s tax service.

November 2023: Suspected Chinese hackers launched an espionage campaign against Uzbekistan and the Republic of Korea. Hackers use phishing campaigns to gain access to their target’s systems and decrypt their information. 

November 2023: Chinese-linked hackers attacked Japan’s space agency during summer 2023 and compromised the organization’s directory. The agency shut down parts of its network to investigate the breach’s scope, but claims it did not compromise critical rocket and satellite operations information.

November 2023: Chinese hackers compromised Philippine government networks. Beginning in August 2023, hackers used phishing emails to imbed malicious code into their target’s systems to establish command-and-control and spy on their target’s activities.

November 2023: Trinidad and Tobago’s Prime Minister Dr. Keith Rowley declared the latest ransomware attack against the country’s telecommunications service to be a “national security threat.” Hackers stole an estimated six gigabytes of data, including email addresses, national ID numbers, and phone numbers.  

November 2023: Denmark suffered its largest cyberattack on record when Russian hackers hit twenty-two Danish power companies. The attack began in May 2023 and appeared to be aimed at gaining comprehensive access to Denmark’s decentralized power grid. Hackers exploited a critical command injection flaw and continued to exploit unpatched systems to maintain access.

November 2023: Chinese cybercriminals targeted at least 24 Cambodian government networks, including the National Defense, Election Oversight, Human Rights, National Treasury, Finance, Commerce, Politics, Natural Resources and Telecommunications agencies. Hackers disguised themselves as cloud storage services to mask their data exfiltration. Initial research indicates the attack is part of a broader Chinese espionage campaign. 

October 2023: Hacktivists stole 3,000 documents from NATO, the second time in three months that hacktivists have breached NATO’s cybersecurity defenses. Hackers described themselves as “gay furry hackers” and announced their attack was retaliation against NATO countries’ human rights abuses. NATO alleges the attack did not impact NATO missions, operations, or military deployments.  

October 2023:  Researchers discovered what appears to be a state-sponsored software tool designed for espionage purposes and used against ASEAN governments and organizations. 

October 2023:  Pro-Hamas and pro-Israeli hacktivists have launched multiple cyberattacks against Israeli government sites and Hamas web pages in the aftermath of Hamas’ attacks on Israel on October 7th. Russian and Iranian hacktivists also targeted Israeli government sites, and Indian hacktivists have attacked Hamas websites in support of Israel.  

October 2023: Vietnamese hackers attempted to install spyware on the phones of journalists, United Nations officials and the chairs of the House Foreign Affairs Committee and Senate Homeland Security and Governmental Affairs. The spyware was designed to siphon calls and texts from infected phones, and the unsuccessful deployment comes while Vietnamese and American diplomats were negotiating an agreement to counter China’s growing influence in the region.   

October 2023:  New reporting reveals Chinese hackers have been targeting Guyana government agencies with phishing emails to exfiltrate sensitive information since February 2023.  

October 2023: North Korean hackers sent malware phishing emails to employees of South Korea’s shipbuilding sector. South Korea’s National Intelligence Service suggested that the attacks were intended to gather key naval intelligence that could help North Korea build larger ships. 

September 2023: Indian hacktivists targeted Canada’s military and Parliament websites with DDoS attacks that slowed system operations for several hours. Hacktivists referenced Canadian Prime Minister Justin Trudeau’s public accusation against India of killing Sikh independence activist Hardeep Singh Nijjar as motivation for the hack. 

September 2023: Iranian hackers launched a cyberattack against Israel’s railroad network. The hackers used a phishing campaign to target the network’s electrical infrastructure. Brazilian and UAE companies were also reportedly targeted in the same attack. 

September 2023: U.S. and Japanese officials warn that Chinese state-sponsored hackers placed modifying software inside routers to target government industries and companies located in both countries. The hackers use firmware implants to stay hidden and move around in their target’s networks. China has denied the allegations. 

September 2023: A massive cyberattack hit Bermuda’s Department of Planning and other government services. The country’s hospitals, transportation, and education centers remained functional, but other services were down for several weeks. Bermuda announced that it is investigating the attack and declined to state if any sensitive data was compromised.  

September 2023: Cybercriminals targeted Kuwait’s Ministry of Finance with a phishing ransomware attack. Kuwait isolated the Ministry and other government systems to protect them from potential further attacks. 

September 2023: Russian is stepping up cyberattacks against Ukrainian law enforcement agencies, specifically units collecting and analyzing evidence of Russian war crimes, according to Ukrainian officials. Russian cyberattacks have primarily targeted Ukrainian infrastructure for most of the war.  

September 2023: Russian forces in occupied Crimea reported a cyberattack on Crimean Internet providers. The attack happened around the same time that a Ukrainian missile strike aimed at Russian naval headquarters in the area. Ukrainian officials have yet to comment.  

September 2023: Russian cybercriminals breached the International Criminal Court’s IT systems amid an ongoing probe into Russian war crimes committed in Ukraine.  

September 2023:  A new Microsoft report indicates an increase of Chinese cyber operations in the South China Sea, as well as increased attacks against the U.S. defense industrial base and U.S. critical infrastructure. The increase comes amid rising tensions between China and the U.S. 

September 2023: A Russian ransomware group leaked Australian federal police officers’ details on the dark web. The leak is the latest phase of a Russian attack which started in April 2023 against an Australian law firm that services several Australian government agencies.   

September 2023: The iPhone of a Russian journalist for the independent newspaper Meduza was infected with Pegasus spyware in Germany this year. The incident is the first known instance of the spyware being used against a prominent Russian target. The country behind the spyware placement is unknown, but Latvia, Estonia, Azerbaijan, Kazakhstan, and Uzbekistan are all suspects given past use of Pegasus spyware or their allegiance to Russia.  

September 2023: Suspected Chinese hackers attacked the national power grid of an unspecified Asian country earlier this year using Chinese malware. The group corrupted a Windows application that allowed them to move laterally within their target’s systems.  

September 2023: A ransomware attack wiped four months of Sri Lankan government data. The country’s cloud services system didn’t have backup services available for the data from May 17 to August 26, according to reporting. Malicious actors targeted Sri Lanka’s government cloud system starting in August 2023 by sending infected links to government workers.  

September 2023: An Indian cybersecurity firm uncovered plans from Pakistani and Indonesian hacking groups to disrupt the G20 summit in India. The hacktivists are expected to use DDoS attacks and mass defacement in their attacks, which are presumed to be the latest development in the hacktivist battle between these nations according to the firm’s research. 

September 2023: Russian hackers stole thousands of documents from the British Ministry of Defense and uploaded them to the dark web. The documents contained accessibility details for a nuclear base in Scotland, high-security prisons, and other national security details. Hackers acquired the documents by breaking into a British fencing developer and gaining backdoor access to Ministry files. 

September 2023:  Russian cyber criminals accessed sensitive information from South Africa’s Department of Defense, including military contracts and personnel information. The Department reversed its previous statement denying the data leak. 

August 2023: Russian hacktivists launched DDoS attacks against Czech banks and the Czech stock exchange. The hackers cut online banking access to the banks’ clients and demanded that the institutions stop supporting Ukraine. Bank representatives claim the hacks did not threaten their clients’ finances. 

August 2023: Unnamed hackers took X, formerly known as Twitter, offline in several countries and demanded that owner Elon Musk open Starlink in Sudan. Attackers flooded the server with traffic to disable access for over 20,000 individuals in the U.S., UK, and other countries.  

August 2023: Cybercriminals are allegedly selling a stolen dataset from China’s Ministry of State Security. The full data set purportedly includes personal identification information for roughly half a billion Chinese citizens and “classified document[s],” according to the criminals’ post about the sale. 

August 2023: Russian hacktivists launched several DDoS attacks that knocked the Polish government’s website offline, as well as the Warsaw Stock exchange and several Polish national banks. 

August 2023: Russian hacktivists disabled Poland’s rail systems by gaining access to the system’s railway frequencies and transmitted a malicious signal that halted train operations. Attackers blasted Russia’s national anthem and a speech from Putin on Russia’s military operation in Ukraine during the attack.  

August 2023: Chinese hackers targeted a U.S. military procurement system for reconnaissance, along with several Taiwan-based organizations. Attackers targeted high-bandwidth routers to exfiltrate data and establish covert proxy networks within target systems.  

August 2023: Ukrainian hackers claim to have broken into the email of a senior Russian politician and leaked medical and financial documents, as well as messages that allegedly connect him to money laundering and sanctions evasion plots. 

August 2023: Ecuador’s national election agency claimed that cyberattacks from India, Bangladesh, Pakistan, Russia, Ukraine, Indonesia and China caused difficulties for absentee voters attempting to vote online in the latest election. The agency didn’t elaborate on the nature of the attacks. 

August 2023: Suspected North Korean hackers attempted to compromise a joint U.S.-South Korean military exercise on countering nuclear threats from North Korea. Hackers launched several spear phishing email attacks at the exercise’s war simulation center.   

August 2023: Bangladesh shut down access to their central bank and election commission websites amid warnings of a planned cyberattack by an Indian hacking group. The shutdown was intended to prevent a cyberattack similar to a 2016 incident in Bangladesh where hackers stole nearly $1 billion, according to the central bank’s statement. 

August 2023: Belarusian hackers targeted foreign embassies in the country for nearly a decade, according to new reporting. Hackers disguised malware as Windows updates to get diplomats to download it onto their devices.  

August 2023: Chinese hackers obtained personal and political emails of a U.S. Congressman from Nebraska. The hackers exploited the same Microsoft vulnerability that gave them access to emails from the State Department and Department of Commerce. 

August 2023: Iranian cyber spies are targeting dissidents in Germany, according to Germany’s domestic intelligence unit. The spies are using false digital personas tailored to victims to build a rapport with their targets before sending a malicious link to a credential harvesting page. 

August 2023: Ukraine’s State Security Service (SBU) claims that Russia’s GRU is attempting to deploy custom malware against Starlink satellites to collect data on Ukrainian troop movements. SBU members discovered malware on Ukrainian tablets that were captured by the Russians before being recovered by Ukrainian forces. 

August 2023: Russian hackers launched a ransomware attack against a Canadian government service provider, compromising the data of 1.4 million people in Alberta. The organization paid the ransom and claimed that very little data was lost. 

August 2023 : A Canadian politician was targeted by a Chinese disinformation campaign on WeChat. The attack included false accusations about the politician’s race and political views. The Canadian government believes the attacks are retaliation against the politician's criticism of China's human rights policies.  

August 2023:  The Canadian government accused a “highly sophisticated Chinese state-sponsored actor” of hacking a prominent Canadian federal scientific research agency.  

August 2023: Russia’s military intelligence service attempted to hack Ukrainian Armed Forces’ combat information systems. Hackers targeted Android tablets that Ukrainian forces use for planning and orchestrating combat missions.   

August 2023:  The United Kingdom’s Electoral Commission revealed that Russian hackers breached the commission’s network beginning in August 2021. They obtained information on tens of thousands of British citizens by accessing the commission’s email and file-sharing system.  

August 2023: According to a new report, North Korean hackers breached computer systems at a Russian missile developer for five months in 2022. Analysts could not determine what information may have been taken or viewed. 

July 2023:  China claims that an earthquake monitoring system in Wuhan was hacked by “U.S. cybercriminals.” Chinese state media asserts that a backdoor program with the capacity to steal seismic data was inserted into the program. 

July 2023: Kenya’s eCitizen service was disrupted by pro-Russian cybercriminals for several days. Kenya’s Ministry of Information, Communications, and the Digital Economy claimed that no data was accessed or lost. 

July 2023: Russian-linked cyber hackers have targeted Ukrainian state services such as the app “Diia” using malware and phishing attacks. The primary targets are Ukrainian defense and security services. 

July 2023:  The Ministry of Justice in Trinidad and Tobago was hit with a DDoS attack that disrupted court operations across the country. The ministry reported outages beginning in late June, which are believed to be linked to this same attack. 

July 2023: New Zealand’s parliament was hit by a cyberattack from a Russian hacking group. The group said their attack was retaliation against New Zealand’s support for Ukraine, such as its assistance with training Ukrainian troops and sanctions against Russia. Heckers temporarily shut down the New Zealand Parliament, Parliamentary Counsel Office (PCO) and Legislation websites in a DDoS attack. 

July 2023: Russian hackers targeted twelve government ministries in Norway to gain access to sensitive information. The hackers exploited a vulnerability in a software platform used by the ministries.

July 2023:  A South Korean government-affiliated institution fell victim to a phishing scandal that resulted in a loss of 175 million wons, reportedly the first phishing incident against a South Korean government public organization. 

July 2023: Chinese-linked hackers infected a Pakistani government app with malware. A state bank and telecoms provider were also targeted in the attack. 

July 2023: Chinese hackers breached the emails of several prominent U.S. government employees in the State Department and Department of Commerce through a vulnerability in Microsoft’s email systems.

July 2023: Russian hackers targeted numerous attendees of the latest NATO Summit in Vilnius. The assailants used a malicious replica of the Ukraine World Congress website to target attendees. 

July 2023: A Polish diplomat’s advertisement to purchase a used BMW was corrupted by Russian hackers and used to target Ukrainian diplomats. The hackers copied the flyer, imbedded it with malicious software and distributed it to foreign diplomats in Kyiv.

June 2023: A group allegedly tied to the private military corporation Wagner hacked a Russian satellite telecommunications provider that services the Federal Security Service (FSB) and Russian military units. The attack comes after Wagner’s attempted rebellion against President Vladimir Putin over the war in Ukraine. 

June 2023: A Pakistani-based hacker group infiltrated the Indian army and education sector in the group’s latest wave of attacks against Indian government institutions.The hack is the latest in a series of targeted attacks from this group that have intensified over the past year. 

June 2023: Pro-Russian hacktivists attacked several European banking institutions, including the European Investment Bank, in retaliation against Europe’s continued support of Ukraine. The hacktivists used a DDoS attack to disrupt EIB.

June 2023: Several U.S. federal government agencies, including Department of Energy entities, were breached in a global cyberattack by Russian-linked hackers. Cybercriminalstargeted a vulnerability in software that is widely used by the agencies, according to a US cybersecurity agent.

June 2023: An Illinois hospital became the first health care facility to publicly list a ransomware attack as a primary reason for closing. The attack, which occurred in 2021,permanently crippled the facility’s finances.

June 2023: Pro-Russian hackers targeted several Swiss government websites, including those for Parliament, the federal administration, andthe Geneva airport. The DDoS attacks coincide in conjunction with preparations for Ukrainian President Volodimir Zelensky’s virtual address before the Swiss parliament.

June 2023: According to new reporting,North Korean hackers have been impersonating tech workers or employers to steal more than $3 billion since 2018. The money has reportedly beenused to fundthe country’s ballistic missiles program, according to U.S. officials.

June 2023: Ukrainian hackers claimed responsibility for an attack on a Russian telecom firm that provides critical infrastructure to the Russian banking system. The attack occurred in conjunction with Ukraine’s counteroffensive. 

June 2023: Russia’s Federal Security Services (FSB) alleged that Apple worked closely with US intelligence agencies to hack thousands of iPhones belonging to Russian users and foreign diplomats. Apple denied theclaims, and the NSA declined to comment.

May 2023:  Belgium’s cyber security agency has linked China-sponsored hackers to a spearfishing attack on a prominent politician. The attack comes as European governments are increasingly willing to challenge China over cyber offences. 

May 2023:  Chinese hackers breached communications networks at a U.S. outpost in Guam. The hackers used legitimate credentials, making it harder to detect them.  

May 2023:  Chinese hackers targeted Kenyan government ministries and state institutions, including the presidential office. The hacks appeared to be aimed at gaining information on debt owed to Beijing. 

May 2023:  A likely Russia state group has targeted government organizations in Central Asia. The group is using previously unknown malware, and the attacks focused on document exfiltration.  

May 2023:  An unidentified group hacked targets in both Russia and Ukraine. The motive for the attacks was surveillance and data gathering, 

May 2023:  Russian-linked hackivist conducted an unsuccessful cyberattack against Ukraine’s system for managing border crossings by commercial trucks through a phishing campaign 

April 2023: Sudan-linked hackers conducted a DDoS attack on Israel’s Independence Day, taking the Israeli Supreme Court’s website offline for several hours. Israeli cyber authorities reported no lasting damage to network infrastructure. Hackers claimed to have also attacked several other Israeli government and media sites, but those attacks could not be confirmed. The group has been active since at least January 2023, attacking critical infrastructure in Northern Europe and is considered religiously motivated. 

April 2023:  NSA cyber authorities reported evidence of Russian ransomware and supply chain attacks against Ukraine and other European countries who have provided Ukraine with humanitarian aid during the war in Ukraine. There were no indications of these attacks against U.S. networks. 

April 2023: Iranian state-linked hackers targeted critical infrastructure in the U.S. and other countries in a series of attacks using a previously unseen customized dropper malware. The hacking group has been active since at least 2014, conducting social engineering and espionage operations that support the Iranian government’s interests. 

April 2023: Recorded Future released a report revealing data exfiltration attacks against South Korean research and academic institutions in January 2023. The report identified Chinese-language hackers. Researchers believe that this is a hacktivist group motivated by patriotism for China. 

April 2023: Researchers at Mandiant attributed a software supply chain attack on 3CX Desktop App software to North Korea-linked hackers. During its investigation, Mandiant found that this attack used a vulnerability previously injected into 3CX software. This is Mandiant’s first discovery of a software supply chain attack leveraging vulnerabilities from a previous software supply chain attack. 

April 2023: Chinese hackers targeted telecommunication services providers in Africa in an espionage campaign since at least November 2022. Researchers believe the group has targeted pro-domestic human rights and pro-democracy advocates, including nation-states, since at least 2014. Using the access from the telecom providers, the group gathers information including keystrokes, browser data, records audio, and captures data from individual targets on the network. 

April 2023: A Russia-linked threat group launched a DDoS attack against Canadian prime Minister Justin Trudeau, blocking access to his website for several hours. The operation’s timing coincided with the Canadian government’s meeting with Ukrainian Prime Minister Denys Shmyhal, suggesting that the operation was retaliation. 

April 2023: North Korea-linked hackers are operating an ongoing espionage campaign targeting defense industry firms in Eastern Europe and Africa. Researchers at Kaspersky believe the hacking group shifted its focus in 2020 from financially motivated coin-mining attacks to espionage.  

April 2023: Researchers discovered Israeli spyware on the iPhones of over 5 journalists, political opposition figures, and an NGO worker. Hackers initially compromised targets using malicious calendar invitations. The hackers’ origin and motivations are unclear. 

April 2023: Ukraine-linked hacktivists targeted the email of Russian GRU Unit26165’s leader, Lieutenant Colonel Sergey Alexandrovich, leaking his correspondence to a volunteer intelligence analysis group. The exfiltrated data contained Alexandrovich’s personal information, unit personnel files, and information on Russian cyberattack tools.  

April 2023: North Korean-linked hackers targeted people with expertise on North Korea policy issues in a phishing campaign. Hackers posed as journalists requesting interviews from targets, inviting them to use embedded links for scheduling and stealing their login credentials. The amount of information stolen and number of targets are unclear. 

March 2023. Russian hackers brought down the French National Assembly’s website for several hours using a DDoS attack. In a Telegram post, hackers cited the French government’s support for Ukraine as the reason for the attack.  

March 2023. CISA and FBI reported that a U.S. federal agency was targeted by multiple attackers, including a Vietnamese espionage group, in a cyberespionage campaign between November 2022 and January 2023. Hackers used a vulnerability in the agency’s Microsoft Internet Information Services (IIS) server to install malware.  

March 2023. A Chinese cyberespionage group targeted an East Asian data protection company who serves military and government entities that lasted approximately a year.  

March 2023: (3/24) A South  Asian  hacking group targeted firms in China’s nuclear energy industry in an espionage campaign. Researchers believe the group commonly targets the energy and government sectors of Pakistan, China, Bangladesh, and Saudi Arabia. 

March 2023. Estonian officials claim that hackers unsuccessfully targeted the country’s internet voting system during its recent parliamentary elections. Officials did not release details about the attacks or provide attribution.  

March 2023. North Korean hackers targeted U.S.-based cybersecurity research firms in a phishing campaign. The campaign was meant to deliver malware for cyberespionage.  

March 2023. A Chinese cyber espionage group targeted government entities in Vietnam, Thailand, and Indonesia, using newly developed malware optimized to evade detection.  

March 2023. Russian hackers launched social engineering campaigns targeting U.S. and European politicians, businesspeople, and celebrities who have publicly denounced Vladimir Putin’s invasion of Ukraine. Hackers persuaded victims to participate in phone or video calls, giving misleading prompts to obtain pro-Putin or pro-Russian soundbites. They published these to discredit victims’ previous anti-Putin statements.  

March 2023. Slovakian cybersecurity researchers discovered a new exploit from a Chinese espionage group targeting political organizations in Taiwan and Ukraine.  

March 2023. Poland blamed Russia hackers for a DDoS attack on its official tax service website. Hackers blocked users’ access to the site for approximately an hour, but no data was leaked in the attack. A pro-Russian hacking group had earlier published a statement on Telegram about its intention to attack the Polish tax service.  

February 2023. Russian hackers deployed malware to steal information from Ukrainian organizations in a phishing campaign. The malware is capable of extracting account information and files, as well as taking screenshots. Researchers believe the group is a key player in Russia’s cyber campaigns against Ukraine. 

February 2023. A pro-Russian hacking group claimed responsibility for DDoS attacks against NATO networks used to transmit sensitive data. The attack disrupted communications between NATO and airplanes providing earthquake aid to a Turkish airbase. The attack also took NATO’s sites offline temporarily.  

February 2023.  Polish officials reported a disinformation campaign targeting the Polish public. Targets received anti-Ukrainian refugee disinformation via email. Officials claimed these activities may be related to Russia-linked hackers.  

February 2023. A North Korean hacking group conducted an espionage campaign between August and November 2022. Hackers targeted medical research, healthcare, defense, energy, chemical engineering and a research university, exfiltrating over 100MB of data from each victim while remaining undetected. The group is linked to the North Korean government.  

February 2023. Latvian officials claimed that Russian hackers launched a phishing campaign against its Ministry of Defense. The Latvian Ministry of Defense stated this operation was unsuccessful.  

February 2023. Iranian hacktivists disrupted the state-run television broadcast of a speech by Iranian president Ebrahim Raisi during Revolution Day ceremonies. Hackers aired the slogan “Death to Khamenei” and encouraged citizens to join antigovernment protests.  

February 2023. An Iranian hacking group launched an espionage campaign against organizations in the Middle East. Hackers used a backdoor malware to compromise target email accounts. Researchers claim the hacking group is linked to Iranian intelligence services.  

February 2023. Iranian hacktivists claimed responsibility for taking down websites for the Bahrain international airport and state news agency.  

February 2023. Hackers launched a ransomware attack against Technion University, Israel’s top technology education program. Hackers demanded 80 bitcoin ($1.7 million USD) to decrypt the university’s files. Israeli cybersecurity officials blamed Iranian state-sponsored hackers for the attack.  

February 2023. Hackers disabled Italy’s Revenue Agency (Agenzia delle Entrane) website. While the website was disabled, users received phishing emails directing them to a false login page that mirrored the official agency site.  

February 2023. Chinese cyberespionage hackers performed a spear-phishing campaign against government and public sector organizations in Asia and Europe. The emails used a draft EU Commission letter as its initial attack vector. These campaigns have occurred since at least 2019. 

January 2023. Latvian officials claimed that Russia-linked hackers launched a cyber espionage phishing campaign against its Ministry of Defense. The Latvian Ministry of Defense stated this operation was unsuccessful. 

January 2023. CISA, the NSA, and the Multi-State Information Sharing and Analysis Center released a joint advisory warning of an increase in hacks on the federal civilian executive branch utilizing remote access software. This follows an October 2022 report on a financially motivated phishing campaign against multiple U.S. federal civilian executive branch agencies. 

January 2023. Russia-linked hackers deployed a ransomware attack against the UK postal service, the Royal Mail. The attack disrupted the systems used to track international mail. 

January 2023.  Iran-linked hackers executed ransomware attacks and exfiltrated data from U.S. public infrastructure and private Australian organizations. Australian authorities claim that the data exfiltrated was for use in extortion campaigns. 

January 2023.  Hackers used ransomware to encrypt 12 servers at Costa Rica’s Ministry of Public Works, knocking all its servers offline.  

January 2023. Albanian officials reported that its government servers were still near-daily targets of cyber-attacks following a major attack by Iran-linked hackers in 2022. 

January 2023.  Hackers launched a series of cyber-attacks against Malaysian national defense networks. Malaysian officials stated that the hacking activities were detected early enough to prevent any network compromise. 

January 2023. Hackers targeted government, military, and civilian networks across the Asia Pacific leveraging malware to obtain confidential information. The malware targeted both the data on victim machines as well as audio captured by infected machines’ microphones. 

January 2023 . Hackers sent over a thousand emails containing malicious links to Moldovan government accounts.  

December 2022. China-linked hackers launched phishing attacks against government, education, and research sector victims across the Asia Pacific. These attacks contained malware designed for espionage. 

December 2022. Hackers launched email phishing attacks against Ukranian government agencies and state railway systems. The emails included information on kamikaze drone identification and deployed malware designed for espionage onto victim machines. 

December 2022. Hackers obtained contact information for more than 80,000 members of FBI threat information sharing program, InfraGard. They then posted this information for sale on a cybercrime forum.  

December 2022. Microsoft reported that it observed a pattern of attacks targeting Ukranian critical infrastructure from Russian hacking group, Sandworm. These attacks were accompanied by pro-Russian propaganda.  

December 2022. The Human Rights Watch reported an ongoing, well-resourced cyber espionage, social engineering, and phishing campaign against human rights activists, journalists, diplomats, and politicians located across the Middle East. The organization attributed these operations to Iran-linked hackers.  

December 2022. Hackers made Italy’s Ministry of Agriculture website unavailable through a DDoS attack. Italian officials described the attacks as “demonstrative” and claim that no data was breached and that they expect no lasting damage. 

December 2022.  Russia-linked hackers leveraged the networks of healthcare organizations, businesses, and critical infrastructures across the U.S., UK, France, and other countries to attack targets in Ukraine. Hackers’ primary motivations appear to be information stealing and disruption. 

December 2022. Iran-linked hackers obtained and leaked data from government ministries in Saudi Arabia. 

December 2022. Russia-linked hackers launched a DDoS attack against Vatican City servers, knocking its official website offline. The attack came three days after Russian government officials criticized Pope Francis for his comments about the war in Ukraine. 

December 2022.  Hackers launched a DDoS attack against the Danish defense ministry that disrupted access to its websites.  

December 2022. Russia’s foreign minister claimed to be the target of coordinated cyber aggression by external intelligence agencies, IT companies, and hacktivists. According to Russian officials, such attacks have “doubled or tripled” over the past year. 

December 2022 . Chinese government-linked hackers stole at least $20 million in COVID-19 relief funds from the U.S. government, including Small Business Administration loans and unemployment insurance money. The U.S. Secret Service announced they retrieved half of the stolen funds thus far.  

December 2022. Chinese-linked hackers targeted Amnesty International of Canada in an apparent espionage operation.  

December 2022.  A U.S. lawmaker predicted spyware hacks of U.S. government employees could be in the hundreds, including diplomats in multiple countries. This follows a probe into how many devices spyware are affected in the U.S. government. 

November 2022. Hackers disrupted operations at an Indian hospital by cutting off access to its online networks and patient records. It took hospital officials and federal authorities nearly two weeks to regain access to hospital servers and recover lost data. 

November 2022. Microsoft and ESET attributed cyberattacks aimed at the energy sector and logistics industries in Ukraine and Poland to a Russian GRU hacking group. The campaign began in late September 2022.  

November 2022.  Hackers targeted Bahraini government websites with DDoS attacks prior the country’s parliamentary and local elections.  

November 2022.  Iranian government-sponsored hackers compromised the U.S. Merit Systems Protection Board, exploiting the log4shell vulnerability as early as February 2022. After breaching the network, hackers installed cryptocurrency-mining software and deployed malware to obtain sensitive data. 

November 2022.  Hackers damaged Danish State Railways’ network after targeting an IT subcontractor's software testing environment. The attack shut down train operations for several hours.  

November 2022.  An Indian-based hacking group targeted Pakistani politicians, generals and diplomats, deploying malware that enables the attacker access to computer cameras and microphones. 

November 2022.  State-sponsored hackers with possible ties to the Chinese government targeted multiple Asian countries in an espionage operation since March 2022, compromising a digital certificate authority in one country. 

November 2022.  Hackers disabled digital services of the Vanuatu government in a cyberattack. The attack affected all government services, disabling emails, websites, and government systems, with only partial access restored a month later. Australian sources stated the hack was a ransomware attack.  

November 2022.  Hackers targeted the Guadeloupe government, forcing the shutdown of all government computers to “protect data” during incident response and detect the scope of the attack. 

November 2022.  Indian hackers targeted Pakistani government entities, including the military, and companies since April 2020. The attacks enabled hackers to infiltrate systems and access computer controls.  

November 2022.  Suspected Chinese-linked hackers carried out an espionage campaign on public and private organizations in the Philippines, Europe, and the United States since 2021. The attacks used infected USB drives to deliver malware to the organizations.  

November 2022.  Chinese state-affiliated actors increased attacks on smaller nations in Southeast Asia for cyberespionage purposes.  

October 2022. Hackers targeted a communications platform in Australia, which handles Department of Defence data, in a ransomware attack. The government believes hackers breached sensitive government data in this attack.  

October 2022 . A Ukrainian newspaper published hacked data claiming to be sensitive information from Russian defense contractors. The hackers responsible are part of an anti-Putin group in Russia.  

October 2022.  Hackers targeted Bulgarian websites belonging to the presidential administration, the Defense Ministry, the Interior Ministry, the Justice Ministry, and the Constitutional Court in a DDoS attack. A pro-Russian hacking group claimed responsibility for the attack, stating it was punishment “for betrayal to Russia and the supply of weapons to Ukraine.” 

October 2022 . Hackers targeted several major U.S. airports with a DDoS attack, impacting their websites. A pro-Russian hacking group promoted the attack prior to its execution. 

October 2022 . Pro-Russian hackers claimed responsibility for an attack that knocked U.S. state government websites offline, including Colorado’s, Kentucky’s and Mississippi’s. 

October 2022 . CISA, the FBI, and NSA announced state-sponsored hacking groups had long-term access to a defense company since January 2021 and compromised sensitive company data. 

September 2022. Iranian hackers targeted Albanian computer systems, forcing Albanian officials to temporarily shut down the Total Information Management System, a service used to track individuals entering and exiting Albania. This attack closely followed Albania’s decision to sever diplomatic ties with Iran as well as the American sanctions and NATO’s condemnation of an Iranian cyberattack against Albania in July. In the July attack, Iranian actors deployed ransomware on Albanian Government networks that destroyed data and disrupted government services. 

September 2022.  A newly discovered hacking group targeted telecommunications, internet service providers, and universities in the Middle East and Africa. The group deploys malware platforms directly into systems’ memory, bypassing native security solutions.  

September 2022. Hackers targeted Montenegro’s government networks, rendering Montenegro’s main state websites and government information platforms inaccessible. Montenegrin officials blamed Russia for the attack. 

September 2022. Hackers targeted the state-level parliamentary website of Bosnia and Herzegovina, rendering the sites and servers inaccessible for multiple weeks. 

September 2022. China accused the U.S. National Security Agency (NSA) of numerous cyberattacks against China’s Northwestern Polytechnical University. Authorities claim the NSA stole user data and infiltrated digital communications networks.  

September 2022. The group Anonymous took responsibility for a series of cyberattacks against the Iranian government that took down two main Iranian government websites and the websites of several state media organizations. 

September 2022. Hackers targeted the Mexican Defense Ministry and accessed six terabytes of data, including internal communications, criminal data, and data that revealed Mexico’s monitoring of Ken Salazar, the U.S. Ambassador to Mexico. Mexican President Andres Manuel Lopez Obrador confirmed the authenticity of the data, including personal health data released to the public.  

September 2022. A Russian-based hacking group targeted the website of the United Kingdom’s intelligence agency MI5 with a DDoS attack that temporarily took the site offline. 

August 2022. Hackers breached Italy’s energy agency, Gestore dei Servizi Energetici (GSE), compromising servers, blocking access to systems, and suspending access to the GSE website for a week. 

August 2022.  Hackers used a DDoS attack to temporarily take down the website of Taiwan’s presidential office. The Taiwanese government attributed the attack to foreign hackers and stated normal operations of the website resumed after 20 minutes. Taiwan’s Foreign Ministry also noted hackers targeted their website and the main portal website for Taiwan’s government.  

August 2022.  Hackers targeted the Finnish Parliament with a DDoS attack that rendered the Parliamentary website inaccessible. A Russian group claimed responsibility for the attack on Telegram.  

August 2022.  Hackers targeted the website of Ukraine’s state energy agency responsible for the oversight of Ukraine’s nuclear power plants. The agency stated Russian hackers carried out the attack.  

August 2022.  Hackers targeted the website of the Latvian Parliament with a DDoS attack that temporarily paralyzed the website’s server. A Russian hacking group claimed responsibility for the attack on Telegram.  

August 2022.  Hackers targeted Greece’s largest natural gas distributor DESFA causing a system outage and data exposure.  

August 2022.  A Russian group claimed responsibility for breaching a privately owned UK water supply company South Staffordshire Water and leaking files in an extortion attempt. 

August 2022.  Hackers targeted Montenegro’s government institutions, breaching the computer systems of several state bodies. Montenegro’s Defense Minister stated there was sufficient evidence to suspect Russia was behind the attack.  

August 2022.  A DDoS campaign targeted the websites of both government and private Estonian institutions. Estonia stated that the attack was largely repelled, and the impact was limited. 

August 2022. Hackers used phishing emails to deploy malware in government institutions and defense firms throughout Eastern Europe in January 2022. A report by Russian-based company Kaspersky linked the campaign to a Chinese hacking group. 

July 2022.  Hackers targeted the Pakistan Air Force (PAF) in a spearfishing campaign to deploy malware and obtain sensitive files. Pakistani and Chinese organizations claimed the attack came from Indian-linked hackers. 

July 2022.  Hackers targeted Iran’s Islamic Culture and Communication Organization (ICCO). The attack took down at least 6 websites, placed images of Iranian resistance leaders on fifteen additional sites, wiped databases and computers, and allowed hackers to obtain access to sensitive ICCO data.  

July 2022.  A hacker claimed to acquire records on 1 billion Chinese from a Shanghai police database and posted the data for sale online.  

July 2022.  Belgium’s Foreign Ministry accused China of a cyberespionage campaign against Belgian targets, including Belgium’s Ministries of Interior and Defense. A spokesperson for the Chinese Embassy in Belgium denied the accusations. 

July 2022.  Hackers targeted social media accounts owned by the British Royal Army. The attack included the takeover of the British Army’s Twitter and YouTube accounts. 

July 2022.  Hackers targeted Lithuania’s state-owned energy provider in a DDoS attack. Killnet, which Lithuanian officials link to Russia, claimed responsibility for the attack. 

July 2022.  Hackers temporarily took down websites belonging to the Albanian Prime Minister's Office and the Parliament, and the e-Albania portal used to access public services. 

July 2022.  Hackers breached a Ukrainian media company to broadcast on multiple radio stations that Ukrainian President Volodymyr Zelenskyy was in critical condition. Zelenskyy refuted the claims and blamed Russia for the attack. 

July 2022. China stated the United States stole 97 billion pieces of global internet data and 124 billion pieces of telephone data in June, specifically blaming the National Security Agency (NSA)'s Office of Tailored Access Operations (TAO). 

June 2022.  Hackers targeted Lithuania’s state railway, airports, media companies, and government ministries with DDoS attacks. A Russian-backed hacking group claimed responsibility for the attack.  

June 2022.  The FBI, National Security Agency (NSA) and CISA announced that Chinese state-sponsored hackers targeted and breached major telecommunications companies and network service providers since at least 2020. 

June 2022.  Hackers targeted former Israeli officials, military personnel, and a former U.S. Ambassador to Israel. An Israeli cybersecurity firm stated Iranian-linked actors used a phishing campaign to gain access to the targets’ inboxes, personally identifiable information, and identity documents. 

June 2022.  Hackers targeted three Iranian steel companies, forcing the country’s state-owned plant to halt production. 

June 2022.  Hackers leaked files and photos known as “The Xinjiang Police Files” displaying human rights abuses committed by the Chinese government against the Uyghur population.  

June 2022.  An attack targeted users of Australia’s largest Chinese-language platform, Media Today. The hackers made over 20 million attempts to reset user passwords in the platform’s registration system. 

June 2022.  Hackers targeted municipal public address systems in Jerusalem and Eliat, triggering the air raid sirens systems throughout both cities. An Israeli industrial cybersecurity firm attributed the attack to Iran. 

June 2022.  A Chinese-linked disinformation campaign targeted an Australian mining company. The campaign included spreading disinformation on social media platforms and websites regarding the company’s alleged environmental record. 

June 2022.  A phishing campaign targeted U.S. organizations in military, software, supply chain, healthcare, and pharmaceutical sectors to compromise Microsoft Office 365 and Outlook accounts.  

June 2022.  Hackers compromised accounts belonging to officials in Germany’s Greens party, including ones used previously by Annalena Baerbock and Robert Habeck, who now serve as Minister for Foreign Affairs and Minister for Economic Affairs and Climate Action. 

June 2022.  Hackers targeted Norwegian public institutions with DDoS attacks, disrupting government websites. The Norwegian NSM security authority attributed the attack to pro-Russian hackers. 

May 2022.  A DDoS attack targeted the Port of London Authority, forcing its website to go offline. A group linked to Iran took responsibility for the hack. 

May 2022.  A phishing campaign targeted the Jordan Ministry of Foreign Affairs. Researchers attributed the attack to an Iranian cyber espionage actor. 

May 2022.   The Ethiopian Information Network Security Agency (INSA) stated hackers targeted the Grand Ethiopian Renaissance Dam (GERD). Ethiopia’s communications security agency thwarted the attacks before hackers could gain access to the networks.  

May 2022 . Hackers targeted Greenland’s healthcare system, causing networks to crash throughout the island. While an initial diagnosis determined the attack did not damage or expose citizens’ data, it made health services severely limited. 

May 2022 . A Chinese hacking group stole intellectual property assets from U.S and European companies since 2019 and went largely undetected. Researchers believe the group is backed by the Chinese government.  

May 2022.  State-sponsored hackers took down RuTube, the Russian version of YouTube, according to the company.  

May 2022 . Russian hackers hit Italian websites with a DDoS attack, including the Senate, the Ministry of Defence, and the National Health Institute. The group states its goal was to target NATO countries and Ukraine.  

April 2022. The Romanian National Directorate of Cyber Security said that multiple public and private sector websites were hit with DDoS attacks. The victims included the ministry of defense, border police, national railway company, and the OTP Bank. A group claiming credit for the attack said on Telegram that it hacked the websites because Romania supported Ukraine since the Russian invasion of the country.  

April 2022. Cybersecurity researchers identified a new campaign by Russian-linked hackers that started in January and targets diplomats and embassy officials from France, Poland, Portugal, and other countries. The hacks started with a phishing email to deliver a malware-laden file to the target.  

April 2022. Iranian state television claimed that the government foiled cyber intrusions that targeted more than 100 public sector agencies. They provided no further information on the incident.  

April 2022 . Russian hackers targeted the Costa Rican Ministry of Finance in a cyberattack, crippling tax collection and export systems. The newly elected President of Costa Rica declared a national emergency as a result of the attack and the group asked for $20 million in ransom or it plans to leak the stolen data.  

April 2022. Hackers targeted members of the European Commission with spyware developed by NSO Group. An Apple notification from November to thousands of iPhone users stating they were targeted by state-sponsored actor alerted the Commission of this spyware use. 

April 2022. A North Korea-linked hacking campaign using phishing emails sent from fake job recruiters targeted chemical companies in South Korea. 

April 2022. A Citizen Lab study discovered actors used NSO Group spyware to target at least 65 Catalonian activists and political figures.  

April 2022. The U.S. Treasury Department’s Office of Foreign Assets Control attributed the March 29 hack of Ronin Network to a North Korean hacking group and announced sanctions against the hackers. The group stole over $540 million in Ethereum and USDC.  

April 2022. Hackers launched DDoS attacks against websites belonging to the Finnish Ministries of Defence and Foreign Affairs. The attack’s botnet used over 350 IP addresses from around the world and the denial of service was sustained for four hours.  

April 2022. Hackers targeted the Telegram accounts of Ukrainian government officials with a phishing attack in an attempt to gain access to the accounts.   

April 2022. Cybersecurity researchers observed hackers penetrating the networks of at least 7 Indian State Load Dispatch Centres (SLDCs) which oversee operations for electrical grid control. The SLDCs manage SCADA systems and researchers suggested that PLA-linked hackers may be involved. 

April 2022. A social media platform disrupted two Iranian-linked cyber espionage campaigns that targeted activists, academics, and private companies. The campaign targeted businesses in the energy, semiconductor, and telecom sectors in countries including the U.S., Israel, Russia, and Canada by using phishing and other social engineering techniques. 

April 2022. A group targeted several Ukrainian media organizations in an attempt to gain long-term access to their networks and collect sensitive information, according to researchers. The group has connections to the Russian GRU.  

April 2022 . The United States removed Russian malware from computer networks around the world, a move made public by Attorney General Merrick B. Garland. While it is unclear what the malware’s intention was, authorities noted it could be used from anything from surveillance to destructive attacks. The malware created a botnet controlled by the Russian GRU. 

April 2022 . Hackers targeted a Ukrainian energy facility, but CERT-UA and private sector assistance largely thwarted attempts to shutdown electrical substations in Ukraine. Researchers believe the attack came from the same group with ties to the Russian GRU that targeted Ukraine’s power grid in 2016, using an updated form of the same malware. 

April 2022:  Hackers targeted Ukraine’s National Post Office with a DDoS attack, days after releasing a new stamp honoring a Ukrainian border guard. Th attack affected the agency’s ability to run their online store.   

• Hackers and cybercrime prevention

Getty Images

Top 10 cyber crime stories of 2022

Cyber crime continued to hit the headlines in 2022, with impactful cyber attacks abounding, digitally enabled fraud ever more widespread and plenty of ransomware incidents.

• Alex Scroxton, Security Editor

High-profile cyber attacks elevated cyber security and cyber crime to dinner table conversation in 2021, and although there was no repeat of the Colonial Pipeline incident in 2022, awareness of cyber issues among the general public has never been higher.

And cyber criminals showed no sign of slowing down in 2022, even though ransomware attack volumes appeared to drop off for a time, in a trend likely linked to the war in Ukraine.

This year saw high-profile attacks on well-known organisations, disruption to the UK’s supply of crisps and new battles in the fight against digitally enabled fraud, while a cyber crime spree by a gang of troublesome kids caused consternation.

Here are Computer Weekly’s top 10 cyber crime stories of 2022.

1. Umbrella company Brookson self-refers to NCSC following cyber attack on its network

In January, contractor payroll service provider Brookson Group referred itself to the National Cyber Security Centre (NCSC) after an “extremely aggressive” cyber attack that forced it to take systems offline . Coming amid the ongoing IR35 controversy, this incident, and a separate attack on a different umbrella firm, disrupted salary payments for thousands.

2. Cyber attacks on European oil facilities spreading

In February, a series of cyber attacks targeting oil distribution terminals and other facilities in Europe  had authorities on high alert, given rising fuel prices and the threat of supply disruption as the political crisis in Ukraine escalated into conflict.

3. How Lapsus$ exploited the failings of multifactor authentication

A series of attacks on technology suppliers by a group known as Lapsus$ grabbed the headlines early in 2022, and although some gang members were arrested, these attacks have continued later into the year. In March, we explored how Lapsus$ attacks on Nvidia and Okta highlighted weak multifactor authentication  and the risks of employees being bribed or falling victim to social engineering.

4. Crisp supply shortage looms after KP Snacks hit by ransomware

Every so often, a cyber attack hits the front pages of the UK’s tabloid newspapers, and February’s Conti ransomware attack on the systems of KP Snacks , the company behind iconic brands such as Hula Hoops, Space Raiders and the eponymous peanuts, made the cut. Computer Weekly heard from security experts about the incident, one of whom spoke of a “dark day for crisp aficionados”.

5. Did the Conti ransomware crew orchestrate its own demise?

Conti hit the headlines again in May, when it shut down amid suggestions it had orchestrated its own downfall for its members to split off into new operations . Ransomware cartels come and go, but Conti was a particularly dangerous group, and its loss was not mourned.

6. Uber suffers major cyber attack

Ride-sharing service Uber was one of 2022’s high-profile cyber attack victims in September, when it suffered a supposed social engineering attack on an employee by an apparent teenage hacktivist who wanted the company to pay its drivers more money . The incident saw multiple systems at Uber disrupted, which later blamed the Lapsus$ collective.

7. South Staffs Water customer data leaked after ransomware attack

A somewhat botched Clop/Cl0p ransomware attack on South Staffordshire Water in August seemed to have been largely forgotten, until it emerged at the end of November that the gang had stolen customer data and leaked it on the dark web . The data included names and addresses, bank details including sort codes and account numbers, and possibly other personal data. Customers of sister company Cambridge Water also seem to have been hit.

8. TalkTalk hacker Daniel Kelley gives up his black hat for good

The Lapsus$ cyber crime spree put teenage hackers and so-called script kiddies, rather than advanced ransomware gangs, in the spotlight this year, and in June, Computer Weekly spoke to one of the UK’s most famous teenage hackers, Daniel Kelley, who was just 17 when he played a key role in the infamous TalkTalk cyber attack . Kelley is still laser-focused on cyber security, but is planning to pursue a legitimate career.

9. UK police arrest 120 in largest-ever cyber fraud crackdown

Ransomware gangs rarely directly target consumers, making digitally enabled fraud arguably the most likely way the average person is going to fall victim to cyber crime. The fight against fraud continued in 2022, and in November, the Metropolitan Police revealed details of its role in a major operation that took down a cyber criminal website  and saw more than 100 arrests.

10. Rackspace email outage confirmed as ransomware attack

At the beginning of December, a sudden drop in service for users of Rackspace’s Hosted Exchange business caused widespread chaos before being confirmed as a ransomware attack by an unspecified group . Full details of the incident are not yet known, but given how many Computer Weekly readers tuned in, it will likely prove one of the more disruptive cyber crime incidents of the year.

Read more on Hackers and cybercrime prevention

The 10 biggest ransomware attacks in history

AdvIntel: Conti rebranding as several new ransomware groups

Did the Conti ransomware crew orchestrate its own demise?

US offers $10M bounty for Conti ransomware information

The next U.S. president will set the tone on tech issues such as AI regulation, data privacy and climate tech. This guide breaks ...

A challenge companies are facing while preparing for compliance with climate risk reporting rules is a lack of consistency among ...

Key leadership decisions like poor architecture to rushed processes can lead to technical debt that will affect a company ...

Product updates announced at Black Hat USA 2024 can help security teams better manage constantly changing attack surfaces and ...

The global IT outage caused by an errant CrowdStrike channel file update dominated security news last month. But there were still...

Reports suggest billions of personal records could have been compromised in the attack against data aggregator National Public ...

Cisco cuts its workforce by 7% and forms one unit for networking, security and collaboration to energize AI and security sales. ...

OWC transfers data using highly directional light in free space. While OWC delivers high-speed data transfers, it is susceptible ...

Network architects face challenges when considering a network upgrade, but enterprises can keep problems to a minimum by ...

Configuration files are vital for system deployment and management. Consider improving file management with proper planning, ...

Broadcom shutters the VMware IT Academy and Academic Software Licensing programs on Aug. 15, leaving universities and trade ...

Nutanix and Dell are expanding their partnership with a new appliance out now and a new HCI model that melds Dell PowerFlex with ...

Pairing retrieval-augmented generation with an LLM helps improve prompts and outputs, democratizing data access and making ...

Vector databases excel in different areas of vector searches, including sophisticated text and visual options. Choose the ...

Generative AI creates new opportunities for how organizations use data. Strong data governance is necessary to build trust in the...

Thank you for visiting nature.com. You are using a browser version with limited support for CSS. To obtain the best experience, we recommend you use a more up to date browser (or turn off compatibility mode in Internet Explorer). In the meantime, to ensure continued support, we are displaying the site without styles and JavaScript.

• View all journals
• Explore content
• About the journal
• Publish with us
• Sign up for alerts
• Open access
• Published: 23 February 2023

Exploring the global geography of cybercrime and its driving forces

• Shuai Chen   ORCID: orcid.org/0000-0003-3623-1532 1 , 2 ,
• Mengmeng Hao   ORCID: orcid.org/0000-0001-5086-6441 1 , 2 ,
• Fangyu Ding   ORCID: orcid.org/0000-0003-1821-531X 1 , 2 ,
• Dong Jiang 1 , 2 ,
• Jiping Dong 1 , 2 ,
• Shize Zhang 3 ,
• Qiquan Guo 1 &
• Chundong Gao 4  

Humanities and Social Sciences Communications volume  10 , Article number:  71 ( 2023 ) Cite this article

13k Accesses

15 Citations

1 Altmetric

Metrics details

• Criminology
• Science, technology and society

Cybercrime is wreaking havoc on the global economy, national security, social stability, and individual interests. The current efforts to mitigate cybercrime threats are primarily focused on technical measures. This study considers cybercrime as a social phenomenon and constructs a theoretical framework that integrates the social, economic, political, technological, and cybersecurity factors that influence cybercrime. The FireHOL IP blocklist, a novel cybersecurity data set, is used to map worldwide subnational cybercrimes. Generalised linear models (GLMs) are used to identify the primary factors influencing cybercrime, whereas structural equation modelling (SEM) is used to estimate the direct and indirect effects of various factors on cybercrime. The GLM results suggest that the inclusion of a broad set of socioeconomic factors can significantly improve the model’s explanatory power, and cybercrime is closely associated with socioeconomic development, while their effects on cybercrime differ by income level. Additionally, results from SEM further reveals the causal relationships between cybercrime and numerous contextual factors, demonstrating that technological factors serve as a mediator between socioeconomic conditions and cybercrime.

Similar content being viewed by others

Rethinking the environmental Kuznets curve hypothesis across 214 countries: the impacts of 12 economic, institutional, technological, resource, and social factors

The Subnational Corruption Database: Grand and petty corruption in 1,473 regions of 178 countries, 1995–2022

Exposure to untrustworthy websites in the 2020 US election

Introduction.

Cybercrime is a broad term used by government, businesses, and the general public to account for a variety of criminal activities and harmful behaviours involving the adoption of computers, the internet, or other forms of information communications technologies (ICTs) (Wall, 2007 ). As an emerging social phenomenon in the information age, cybercrime has aroused growing concern around the world due to its high destructiveness and widespread influence. In 2017, the WannaCry ransomware attack affected more than 230,000 computers across 150 countries, resulting in economic losses of more than 4 billion dollars and posing a serious danger to the global education, government, finance, and healthcare sectors (Ghafur et al., 2019 ; Castillo and Falzon, 2018 ; Mohurle and Patil, 2017 ). Although there is currently no precise and universally accepted definition of cybercrime (Phillips et al., 2022 ; Holt and Bossler, 2014 ), it is generally acknowledged that the term covers both traditional crimes that are facilitated or amplified by utilising ICTs as well as new types of crimes that emerged with the advent of ICTs (Ho and Luong, 2022 ). Based on the role of technology in the commission of the crime, the most widely utilised typology divides cybercrime into cyber-dependent crime (such as hacking, distributed denial of service, and malware) and cyber-enabled crime (online fraud, digital piracy, cyberbullying) (Brenner, 2013 ; Sarre et al., 2018 ; McGuire and Dowling, 2013 ). Along with the rapid development of ICTs and the increasing prevalence of the internet, these criminal activities are significantly disrupting the global economy, national security, social stability, and individual interests. Although it is difficult to estimate the precise financial cost of cybercrime (Anderson et al., 2013 ; Anderson et al., 2019 ), statistical evidence from governments and industries indicates that the economic losses caused by cybercrime are extremely enormous and are still rising rapidly (McAfee, 2021 ).

Cybercrime is complicated in nature and involves many disciplines, including criminology, computer science, psychology, sociology, economics, geography, political science, and law, among others (Holt, 2017 ; Dupont and Holt, 2022 ; Payne, 2020 ). Computer science and cybersecurity efforts are primarily focused on applying technical approaches such as Intrusion Detection Systems (IDSs), Intrusion Prevention Systems (IPSs), firewalls, and anti-virus software to mitigate cyberattack threats (Kumar and Carley, 2016 ; Walters, 2015 ). These methods may help to some extent lessen the adverse impacts of cybercrime on both organisations and individuals. However, these technical solutions are largely unaware of the human and contextual factors that contribute to the issues, providing only reactive solutions, and are unable to keep up with the rapidly evolving modus operandi and emerging technologies (Clough, 2015 ; Neal, 2014 ). It is suggested that cybercrime is a complex social phenomenon driven by the compound interactions of underlying socioeconomic factors. Human and social factors play a substantial role in the formation of cybercrime agglomerations (Waldrop, 2016 ; Watters et al., 2012 ; Leukfeldt and Holt, 2019 ). They are also important aspects of cybercrime prevention and control (Dupont and Holt, 2022 ). The human factors influencing cybercrime have been the subject of an expanding body of sociological and psychological study in recent years. These studies, which covered cyberbullying, online harassment, identity theft, online fraud, malware infection, phishing, and other types of cybercrime, generally applied traditional criminological and psychological theories, such as routine activities theory, lifestyle-routine activities theory, self-control theory, and general strain theory, to explain the victimisation and offending of various cybercrimes (Bergmann et al., 2018 ; Mikkola et al., 2020 ; Ngo and Paternoster, 2011 ; Pratt et al., 2010 ; Williams, 2016 ). Results from these studies suggested that by altering criminal motivations and opportunity structures, individual factors (i.e., age, gender, ethnicity, education, socioeconomic status, and self-control) and situational factors (online activities, time spent online, risk exposure, deviant behaviours) may have an impact on cybercrime offence and victimisation. These findings advanced our knowledge in understanding the impact of technology on criminal behaviours, factors affecting the risk of cyber victimisation, and the applicability of traditional criminological theories to cybercrime (Holt and Bossler, 2014 ).

Cybercrime is a highly geographical phenomenon on a macro-level scale, with some countries accounting for a disproportionate amount of cybercrimes (Kigerl, 2012 ; Kigerl, 2016 ). This spatial heterogeneity is closely related to specific socioeconomic contexts (Kshetri, 2010 ). Academic efforts have been made to identify the clusters of high cybercrime countries and to explain the potential socioeconomic factors that led to the formation of these clusters. For example, Mezzour, Carley, and Carley ( 2014 ) found that Eastern European countries hosted a greater number of attacking computers due to their superior computing infrastructure and high levels of corruption. Similarly, Kumar and Carley ( 2016 ) found that higher levels of corruption and large internet bandwidth would favour attack origination. They also noted that countries with the greater gross domestic product (GDP) per capita and better ICT infrastructure were targeted more frequently. Meanwhile, Srivastava et al. ( 2020 ) pointed out that countries with better technology and economic capital were more likely to become the origins of cybercrime, but countries with better cybersecurity preparedness may reduce the frequency of the cybercrime originating within them. Moreover, Holt, Burruss, and Bossler ( 2018 ) suggested that nations with better technological infrastructure, greater political freedom, and fewer organised crime were more likely to report malware infections, while Overvest and Straathof ( 2015 ) suggested that the number of internet users, bandwidth, and economic ties were significantly related to cyberattack origin. Kigerl ( 2012 ) found that a higher unemployment rate and more internet users were linked to an increase in spam activities. However, these studies have tended to utilise a restricted range of predictor variables and only included certain aspects of cybercrime. Besides, most of the studies have been conducted at the national level, which could potentially hide many disparities within countries.

In this work, we construct a conceptual model to better represent the context from which cybercrime emerges, which is applied as a framework to analyse the underlying socioeconomic driving forces. A novel cybersecurity data set, the FireHOL IP blocklist, is adopted as a proxy to reflect the levels of cybercriminal activities within different areas. A set of social, economic, political, technological, and cybersecurity indicators is used as explanatory variables. Generalised linear models (GLMs) are used to quantify the effect of each factor on cybercrime, while structural equation modelling (SEM) is used to estimate the complex interactions among various factors and their direct and indirect effects on cybercrime.

Conceptual framework

We propose a conceptual framework for examining the driving forces of cybercrime by reviewing existing empirical literature and integrating different criminological theories. The conceptual framework includes five interrelated components: the social, economic, political, technological, and cybersecurity factors. The potential pathways by which each component may directly or indirectly influence cybercrime are illustrated in Fig. 1 .

The solid line indicates a direct effect, and a dashed line indicates indirect effect. H1–H5 refer to the five hypotheses, “+” indicates a positive effect, and “−” indicates a negative effect.

The social and economic factors depict the level of regional development, serving as the fundamental context in which cybercrime emerges. Given the intrinsic technological nature of cybercrime, global urbanisation, and the information technology revolution have promoted global connectivity and created unprecedented conditions and opportunities for cybercrime (UNODC, 2013 ). From the perspective of general strain theory, poverty, unemployment, income inequality, and other social disorders that are accompanied by social transformations could lead to cultures of materialism and stimulate motivations of cybercrime for illegal gains (Meke, 2012 ; Onuora et al., 2017 ). On the other hand, economically developed regions generally have superior ICT infrastructure, which can provide convenient and low-cost conditions for cybercriminals to commit crimes. High educational attainment is also likely to be associated with cybercrime, given that cybercrime usually requires some level of computer skills and IT knowledge (Holt and Schell, 2011 ; Asal et al., 2016 ). In general, better socioeconomic conditions are associated with more cybercriminal activities, which leads us to develop the first two hypotheses:

H1: Social factor is positively associated with cybercrime .

H2: Economic factor is positively associated with cybercrime .

The influence of political factors on cybercrime is mainly reflected in the regulation and intervention measures of governments in preventing and controlling cybercrime, such as legal system construction, government efficiency, control of corruption, and political stability. The offender’s decision to engage in illegal activity is a function of the expected probability of being arrested and convicted and the expected penalty if convicted (Ehrlich, 1996 ). As with traditional crimes, the lack of efficient social control and punishment mechanism will breed criminal behaviours. The deterrent effect of the legislation makes cybercriminals have to consider the consequences they need to bear. While the virtual and transnational nature of cyberspace makes it easier for perpetrators to avoid punishment, cybercrime can be deterred to some extent by increasing the severity of punishment and international law enforcement cooperation (Hall et al., 2020 ). On the other side, cybercriminals could seek protection through corrupt connections with the local institutional environment, which would weaken law enforcement operations and encourage cybercriminal activities (Hall et al., 2020 ; Lusthaus and Varese, 2021 ; Sutanrikulu et al., 2020 ). For instance, corruption in law enforcement authorities makes it hard for cybercriminals to be punished, while corruption in network operators or internet service providers (ISPs) makes it easier for cybercriminals to apply for malicious domain names or register fake websites. Some studies have shown that areas with high levels of corruption usually have more cybercriminal activities (Mezzour et al., 2014 ; Watters et al., 2012 ). Cybercrimes are typically attributed to political corruption, ineffective governance, institutional weakness, and weak rule of law across West Africa and East Europe (Asal et al., 2016 ). Therefore, we propose that:

H3: Political factor is negatively associated with cybercrime .

The technological environment, which is composed of communication conditions and underlying physical ICT infrastructure, serves as an essential medium through which cybercrime is committed. According to the rational choice theory, crime is the result of an individual’s rational consideration of the expected costs and benefits attached to their criminal activity (Mandelcorn et al., 2013 ; Brewer et al., 2019 ). Better internet infrastructure, greater internet penetration, and faster connection could facilitate cybercrimes by reducing crime costs, expanding opportunities, and increasing potential benefits. For example, in a majority of spam and DDoS attacks, cybercriminals often carry out large-scale coordinated attacks by sending remote commands to a set of compromised computers (also known as botnets). High-performance computers and high-bandwidth connectivity such as university, corporate, and government servers allow for more efficient attacks and could expand the scope of cybercrime, making them preferred by cybercriminals (Hoque et al., 2015 ; Van Eeten et al., 2010 ; Eslahi et al., 2012 ). We thus hypothesise that:

H4: Technological factor is positively related to cybercrime .

Cybersecurity preparedness reflects the capabilities and commitment of a country to prevent and combat cybercrime. According to the International Telecommunication Union (ITU), cybersecurity preparedness involves the legal, technical, organisation, capacity, and cooperation aspects (Bruggemann et al., 2022 ). Legal measures such as laws and regulations define what constitutes cybercrime and specify necessary procedures in the investigation, prosecution, and sanction of cybercrime, providing a basis for other measures. Technical measures refer to the technical capabilities to cope with cybersecurity risks and build cybersecurity resilience through national institutions and frameworks such as the Computer Incident Response Teams (CIRTs) or Computer Emergency Response Teams (CERTs). Organisation measures refer to the comprehensive strategies, policies, organisations, and coordination mechanisms for cybersecurity development. Capacity development reflects the research and development, awareness campaigns, training and education, and certified professionals and public agencies for cybersecurity capacity building. Cooperation measures refer to the collaboration and information sharing at the national, regional, and international levels, which is essential in addressing cybersecurity issues given the transnational nature of cybercrime. According to the general deterrence theory and routine activity theory of criminology (Leukfeldt and Holt, 2019 ; Hutchings and Hayes, 2009 ; Lianos and McGrath, 2018 ), cybersecurity preparedness serves as a deterrent or a guardianship of cybercrime. It is crucial in defending a country from external cybercrime as well as reducing cybercrime originating from within. Therefore, we hypothesise that:

H5: Cybersecurity preparedness is negatively associated with cybercrime .

The five hypotheses proposed in the conceptual model (Fig. 1 ) outline the direct effects of various contextual drivers on cybercrime. The social, economic, political, technological, and cybersecurity factors may interact in other ways, which could also have an indirect impact on cybercrime. Then, using a combination of two statistical methods and a set of explanatory covariates, we test the hypothesised pathways.

Cybercrime data

It is commonly acknowledged among cybercrime scholars that the lack of standardised legal definitions of cybercrime and valid, reliable official statistics makes it difficult to estimate the prevalence or incidence of cybercrime around the world (Holt and Bossler, 2015 ). Although in some countries, law enforcement agencies do collect data on cybercrime (e.g., police data and court judgement), there are inevitable under-reporting and under-recording issues with these official data (Holt and Bossler, 2015 ; Howell and Burruss, 2020 ). This has prompted some researchers to use alternative data sources to measure cybercrime, including social media, online forums, emails, and cybersecurity companies (Holt and Bossler, 2015 ). Among these data sources, technical data such as spam emails, honeypots, IDS/IPS or firewall logs, malicious domains/URLs, and IP addresses are often used as proxies for different aspects of cybercrime (Amin et al., 2021 ; Garg et al., 2013 ; Kigerl, 2012 ; Kigerl, 2016 ; Kigerl, 2021 ; Mezzour et al., 2014 ; Srivastava et al., 2020 ; Kshetri, 2010 ), accounting for a large proportion in the literature of macro-level cybercrime research. However, due to the anonymity and virtuality of cyberspace, cybercriminals are not restrained by national boundaries and could utilise compromised computers distributed around the world as a platform to commit cybercrime. Meanwhile, IP addresses can be faked or spoofed by using technologies such as proxy servers, anonymity networks, and virtual private networks (VPNs) to hide the true identity and location of cybercriminals (Holt and Bossler, 2015 ; Leukfeldt and Holt, 2019 ). As a result, the attribution of cybercriminal becomes extremely challenging and requires a high level of expertise and coordination from law enforcement agencies and cybersecurity teams (Lusthaus et al., 2020 ). Therefore, instead of capturing where cybercriminals reside in physical space, most studies using these technical data are measuring the possible locations where the cyberattacks or cybercrimes originate, even if part of them could be locations where cybercriminals choose to host their botnets or spam servers. Though there is partial support that certain types of cyberattacks originate from physically proximate IP addresses (Maimon et al., 2015 ), more elaborate and comprehensive research is lacking.

In this study, we used a novel cybersecurity data set, the IP addresses from FireHOL blocklist (FireHOL, 2021 ), as a proxy to measure cybercrime. The FireHOL IP blocklist is a composition of multiple sources of illegitimate or malicious IP addresses, which can be used on computer systems (i.e., servers, routers, and firewalls) to block access from and to these IPs. These IPs are related to certain types of cybercrime activities, including abuse, attacks, botnets, malware, command and control, and spam. We adopt FireHOL level 1 blocklist, which consists of ~2900 subnets and over 600 million unique IPs, with a minimum of false positives. The anonymous IPs, which are used by other parties to hide their true identities, such as open proxies, VPN providers, etc., were excluded from the analysis. Next, we applied an open-source IP geolocation database, IP2Location™ Lite, to map these unique IP addresses in specific geographic locations in the form of country/region/city and longitude/altitude pair. The location accuracy of the IP geolocation is high at the national and regional levels, with ~98% accuracy at the country level and 60% at the city level. In order to reduce uncertainty, we focused on the analysis at the state/region level. At last, we calculated the counts of unique IPs located within each subnational area to measure the global distribution of cybercrimes.

Although FireHOL IP blocklist has the same restrictions as other technical data, it was used in this study for several reasons. The basic function of IP addresses in the modern internet makes it an indispensable element in different phases of cybercrime, it is also the key ingredient of cybercrime attribution and digital evidence collection. As a result, an IP-based firewall is one of the most effective and commonly used preventive measures for cybersecurity defence. FireHOL IP blocklist has the advantage of global coverage and includes different cybercrime types. It dynamically collects cybercrime IPs from multiple sources around the world. Although it is difficult to determine whether the IPs in the blocklist are the real sources of cybercrime or come from infected machines, it does reflect the geographical distribution of the malicious IPs that are related to certain cybercrime activities. Besides, it provides a more fine-grained estimate of the subnational cybercrime geography than country-level statistics.

Explanatory variables

We adopted a broad set of explanatory variables to characterise the social, economic, political, technological, and cybersecurity conditions based on the conceptual model presented above (Fig. 1 ). The social environment is represented by population, the population aged 15–64, education index, nighttime light index, and human development index (HDI); The economic condition is measured by income index, GDP growth, Gini index, unemployment (% of the total labour force) and poverty rate; The political environment is measure by 5 dimensions of the World Governance Indicators (WGI), including control of corruption, government effectiveness, rule of law, political stability and absence of violence/terrorism, voice and accountability. The technological environment is reflected by the internet infrastructure (the number of internet data centres and internet exchange centres), internet users (% of the population), international bandwidth (per internet user), secure internet server (per 1 million people), and fixed broadband subscriptions (per 100 people). Moreover, we applied the five dimensions of the Global Cybersecurity Index (GCI) to assess the level of commitment among various nations to cybersecurity, including legal measures, technical measures, organisational measures, capacity development measures, cooperation measures, and one overall cybersecurity index (the sum of the 5 measures above). Population, income index, education index, HDI, nighttime light, and infrastructure data are collected at the subnational administrative level, while other variables are derived at the country level. Log transformations (base 10) were used to improve normality for variables with skewed distributions, including population, nighttime light, infrastructure, fixed broadband, secure internet server, and bandwidth. All variables were normalised for further analysis.

Generalised linear models (GLMs)

In this study, GLMs were used to assess the potential influence of various explanatory variables on cybercrime and to identify the most important factors. A GLM is an extension of a regular regression model that includes nonnormal response distributions and modelling functions (Faraway, 2016 ). GLM analyses were conducted at two scales: the global scale and the income group scale. All GLMs were built in R version 4.1.2 using the “glm” function of the “stats” package (R, Core Team, 2013 ), and a gaussian distribution is used as the link function. The Akaike information criterion (AIC), the determination coefficient ( R 2 ), and the significance level of the predictors ( p -value) are used to evaluate GLMs. The model with the lowest AIC and highest R 2 value is chosen as the optimal model. Variance inflation factors (VIFs) were calculated using the “car” package (Fox et al., 2012 ) to test for collinearity between quantitative explanatory variables prior to the GLM analysis. Variables with a VIF value greater than 10 (VIF > 10) were regarded as collinearity generators and were therefore excluded from further analysis. The relative contribution and coefficients of each GLM were plotted using the “GGally” package.

Structural equation modelling (SEM)

SEM was used to examine the causal relationships within the networks of interacting factors, thereby distinguishing the direct from indirect drivers of cybercrime. SEM is a powerful, multivariate technique found increasingly in scientific investigations to test and evaluate multivariate causal relationships (Fan et al., 2016 ). SEM differs from other modelling approaches in that it tests both the direct and indirect effects on pre-assumed causal relationships. The following fit indices were considered to evaluate model adequacy: (a) root mean square error of approximation (RMSEA), which is a “badness of fit” index in which 0 indicates a perfect fit while higher values indicate a lack of fit; (b) standardised root mean square residual (SRMR), which is similar to RMSEA and should be less than 0.09 for good model fit; (c) comparative fit index (CFI), which represents the amount of variance that has been accounted for in a covariance matrix ranging from 0.0 to 1.0, with a higher CFI value indicating better model fit; (d) Tucker–Lewis index (TLI), which is a non-normed fit index (NNFI) that proposes a fit index independent of sample size. In this study, SEM analysis was conducted using AMOS (Arbuckle, 2011 ).

Spatial distribution of cybercrime IPs

We mapped the subnational distribution of cybercrime IPs globally, which reveals significant spatial variability (see Fig. 2 ). On a global scale, most cybercrime IPs were located in North America, Central and Eastern Europe, East Asia, India, and eastern Australia. Meanwhile, areas with low numbers of cybercrime IPs were primarily found in large parts of Africa except for South Africa, western and northern parts of South America, Central America, some regions of the Middle East, southern parts of Central Asia, and some regions of Southeast Asia. On a continental scale, we found that the number of cybercrime IPs increased gradually from Africa to Europe. The two continents with the most cybercrime IPs were North America and Europe, with North America showing more variations. This trend seems to be closely associated with the regional socioeconomic development level. To further investigate this relationship, we grouped the subnational regions by income level according to the World Bank classification rules. We found a more evident pattern, with high-income regions hosting the majority of cybercrime IPs and lower-middle-income regions hosting the least.

a Number of cybercrime IPs at the subnational level. b Log-transformed cybercrime IP count by continent: Africa (AF), Asia/Oceania (AS/OC), South America (SA), North America (NA) and Europe (EU). c Log-transformed cybercrime IP count by income group: low-income (LI), lower-middle-income (LMI), upper-middle-income (UMI) and high-income (HI) groups. The centre line, boxes, and whiskers show the means, 1 standard error (SE), and 95% confidence interval (CI), respectively.

Major factors influencing cybercrime

GLMs were built based on the 5 categories of 26 representative influential variables identified in the conceptual framework. After excluding 8 collinear variables (i.e., government effectiveness, rule of law, HDI, and 5 cybersecurity measures) and 7 nonsignificant variables (GDP growth, unemployment, poverty, political stability, voice and accountability, bandwidth, and internet users), the global scale GLM model includes 11 variables with an R 2 value of 0.82. Figure 3 shows the relative contribution of each predictor variable to the model. Globally, the social and technological factors contribute most to the model, with relative contribution rates of 53.4% and 30.1%, respectively. Infrastructure alone explains up to 18.1% of the model variance in cybercrimes ( R 2 to 0.504). However, the inclusion of the population and education index improves the explanation of model variance by 18.3% and 28.5%, respectively ( R 2 to 0.596 and 0.766). This is also the case with GLMs of different income groups, indicating that despite the main effects of technological factors, the inclusion of a broad set of socioeconomic factors significantly improves the accuracy of models that attempt to quantify the driving forces of cybercrime.

Relative contribution of predictor variables to cybercrime.

When assessed by income group, we noted that although the social and technological factors were the most important factors in explaining cybercrime, the contribution of each variable varies by income group. For example, the contribution of the income index decreases gradually from low-income regions to wealthier regions, while the Gini index is more significant in upper-middle regions and high-income regions than in low-income regions and lower-middle-income regions. Fixed broadband subscriptions contributed the most in low-income regions and the least in high-income regions. Additionally, cybersecurity preparedness has a greater influence on low-income and lower-middle-income regions.

Estimated effect of factors on cybercrime

The coefficient values in Fig. 4 represent effect sizes from the GLMs for the relationship between cybercrime and the five categories of contextual factors. At the global scale, cybercrime is positively correlated with social, economic, and technological factors, suggesting that most cybercrimes are launched in regions with a higher population, higher urbanisation, better educational and economic conditions, and, most importantly, improved internet infrastructure and communication conditions. By contrast, cybercrime is negatively related to political and cybersecurity factors, indicating that the control of corruption and the commitment to cybersecurity show certain inhibitory effects on cybercrime.

The coefficient values are represented as dots, significant variables are represented as filled dots, nonsignificant variables are represented as hollow dots, and bars represent 95% CIs.

From the perspective of income groups, the ways contextual factors affect cybercrime remain basically consistent with the global results, but subtle differences are observed. In low-income countries, the influence of the income index on cybercrime is the strongest, and cybercrime is significantly associated with a higher income index, higher education index, better infrastructure, and higher fixed broadband subscriptions. This pattern may indicate that in low-income countries, wealthier areas tend to have more cybercrimes due to the existence of better communication conditions in these areas. However, in high-income countries, where the internet is universally available, the roles of income index and fixed broadband subscriptions gradually weaken. In contrast, the effects of the Gini index and education are stronger in wealthier countries, indicating that economic inequality and education in these countries can be important drivers of cybercrime. Moreover, the control of corruption is negatively related to cybercrime in lower-middle, upper-middle, and high-income regions.

Pathways of factors for cybercrime

To understand the intricate interactions among different predictors, we perform SEM based on the conceptual model. The SEM model is composed of five latent variables, representing the social, economic, political, technological, and cybersecurity context, and each latent variable has five components reflected by the explanatory variables. Overall SEM fit is assessed, showing a good fit (CFI = 0.917, TLI = 0.899, SRMR = 0.058). SEM confirms many of the hypotheses in the conceptual model, and all relationships are statistically significant. Fig. 5 shows the results of SEM.

Black arrows indicate a positive effect, red arrows indicate a negative effect, and values on the straight arrows between variables represent the standardised path coefficients.

According to the SEM, all the hypotheses are tested and supported. Specifically, social, economic, and technological factors have direct positive effects on cybercrime (standardised path coefficients of direct effect are 0.03, 0.10, and 0.61, respectively), indicating that when social, economic, and technological factors go up by 1 standard deviation, cybercrime goes up by 0.03, 0.10, and 0.61 standard deviations, respectively. By contrast, the political and cybersecurity factors have direct negative effects on cybercrime (standardised path coefficients of direct effect are −0.22 and −0.07, respectively), indicating that 1 standard deviation rise in political and cybersecurity factors are associated with 0.22 and 0.07 standard deviations decrease of cybercrime, respectively. It is worth noting that although the direct effects of social and economic factors on cybercrimes are relatively small, their indirect effects on cybercrime through the mediation of technological and political factors are non-negligible.

In sum, SEM quantifies the direct and indirect effects of social, economic, political, technological, and cybersecurity factors on cybercrime, consistent with the hypotheses outlined in the conceptual model. More importantly, the results suggest that even though cybercrimes are primarily determined by technological factors, the direct and indirect effects of underlying social, economic, political, and cybersecurity also play significant roles. This suggests that the technological factor is a necessary but not sufficient condition for the occurrence of cybercrime.

In the current study, we mapped the global subnational distribution of cybercrimes based on a novel cybersecurity data set, the FireHOL IP blocklist. Given the widespread difficulty in obtaining cybercrime data, the data sources used in this study could provide an alternative measure of the subnational cybercrime level on a global scale. Compared to country-level studies (Amin et al., 2021 ; Garg et al., 2013 ; Goel and Nelson, 2009 ; Solano and Peinado, 2017 ; Sutanrikulu et al., 2020 ), the results present a more fine-grained view of the spatial distribution of cybercrime. The map reveals high spatial variability of cybercrime between and within countries, which appears to be closely related to local socioeconomic development status.

To recognise the driving forces behind cybercrime, we proposed a theoretical framework that encompasses the social, economic, political, technological, and cybersecurity factors influencing cybercrime, drawing on existing theoretical and empirical research. On this basis, we used GLMs to identify the major factors and their contributions to cybercrime and SEM to quantify the direct and indirect effects of these driving forces. The GLM results show that using technological factors alone as explanatory variables is insufficient to account for cybercrime, and the inclusion of a broad suite of social, economic, political, technological, and cybersecurity factors can remarkably improve model performance. Global scale modelling indicates that cybercrime is closely associated with socioeconomic and internet development, as developed regions have more available computers and better communication conditions that facilitate the implementation of cybercrime. Some studies have argued that wealthier areas might have fewer incentives for cybercrime, while poorer areas could benefit more from cybercrime activities (Ki et al., 2006 ; Kigerl, 2012 ; Kshetri, 2010 ). However, our study shows that the technological factors constituted by the internet infrastructure and communication conditions are necessary for the production of cybercrime, rendering wealthier areas more convenient for committing cybercrime.

Meanwhile, the GLMs of the 4 income groups demonstrate important differential impacts of the explanatory variables on cybercrime. For example, in low-income countries, where the overall internet penetration rate is low, cybercrime originates mainly in more developed areas with better internet infrastructure, higher internet penetration, and higher education levels. A typical example is the “Yahoo Boys” in Nigeria, referring to young Nigerians engaged in cyber fraud through Yahoo mail, mostly well-educated undergraduates with digital skills (Lazarus and Okolorie, 2019 ). A range of factors, such as a high rate of unemployment, a lack of legitimate economic opportunities, a prevalence of cybercrime subculture, a lack of strong cybercrime laws, and a high level of corruption, have motivated them to obtain illegal wealth through cybercrime. In contrast, cybercrime in high-income regions originates in areas with a high Gini index and a high education level. One possible explanation for this finding may be that well-educated individuals who live in countries with a high Gini index are paid less for their skills than their counterparts, which motivates them to engage in cybercrimes to improve their lives.

Encouragingly, both the GLM and SEM results suggest that political factors and cybersecurity preparedness can mitigate the incidence of cybercrime to some extent, in agreement with the hypotheses. Though previous country-level studies suggest that countries facing more cybersecurity threats tend to have a high level of cybersecurity preparedness (Makridis and Smeets, 2019 ; Calderaro and Craig, 2020 ), our results indicate that cybersecurity preparedness could in turn reduce cybercrimes that originate from a country. This emphasises the importance of government intervention and cybersecurity capacity building. The necessary intervening measures may include the enactment and enforcement of laws, regulation of telecommunication operators and internet service providers (ISPs), strengthening of strike force by security and judicial departments, and improvement of cybersecurity capacity. Given the interconnectedness of cyberspace and the borderless nature of cybercrime, it must be recognised that cybersecurity is not a problem that can be solved by any single country. Thus, enhancing international cooperation in legal, technical, organisational, and capacity aspects of cybersecurity becomes an essential way to tackle cybersecurity challenges.

As presented through SEM, technological factors are closely associated with the development of socioeconomic development and serve as a mediator between socio-economic conditions and cybercrime. In the past decades, ICTs have developed unevenly across different parts of the world due to a range of geographic, socioeconomic, and demographic factors, which has led to the global digital divide (Pick and Azari, 2008 ). The disparities in internet access in different regions have largely determined the spatial patterns of cybercrime. Currently, developing countries (especially those within Asia, Africa, and Latin America) are the fastest-growing regions in terms of ICT infrastructure and internet penetration (Pandita, 2017 ). However, even in developed countries, the progress of technological innovation has outpaced the establishment of legal regulations, national institutions and frameworks, policies and strategies, and other mechanisms that could help manage the new challenges (Bastion and Mukku, 2020 ). Many developing countries are facing difficulties in combating cybercrime due to a lack of adequate financial and human resources, legal and regulatory frameworks, and technical and institutional capacities, providing a fertile ground for cybercrime activities. In this vein, it is extremely urgent and necessary to enhance the cybersecurity capacities of developing countries and engage them in the international cooperation of cybersecurity, ensuring that they can maximize the socio-economic benefits of technological development instead of being harmed by it.

Cybercrime is a sophisticated social phenomenon rooted in deep and comprehensive geographical and socioeconomic causes. This study offers an alternative perspective in solving cybersecurity problems instead of pure technical measures. We believe that improvements in cybersecurity require not only technological, legal, regulatory, and policing measures but also broader approaches that address the underlying social, economic, and political issues that influence cybercrime. While the results presented in this study are preliminary, we hope that this work will provide an extensible framework that can be expanded for future studies to investigate the driving forces of cybercrime.

However, our study has several limitations due to the disadvantages of data. First and foremost, the geo-localisation of cybercrimes or cybercriminals remains a major challenge for cybercrime research. Although the FireHOL IP blocklist has the potential to measure global cybercrime at a high spatial resolution, IP-based measures may not accurately capture the true locations of cybercriminals, as they may simply exploit places with better ICT infrastructure. Therefore, caution should be exercised in interpreting the associations between cybercrime and socioeconomic factors. Future studies combining survey data, police and court judgement data, and cybercrime attribution techniques are needed to further validate the accuracy and validity of IP-based technical data in measuring the geography of cybercrime and gain a deeper understanding of the driving forces of cybercrime. Besides, COVID-19 has greatly changed the way we live and work, and many studies have suggested that the pandemic has increased the frequency of cybercrimes within the context of economic recession, high unemployment, accelerated digital transformation, and unprecedented uncertainty (Lallie et al., 2021 ; Eian et al., 2020 ; Pranggono and Arabo, 2021 ). Unfortunately, the blocklist data cannot well capture this dynamic due to a lack of temporal attributes. Furthermore, different types of cybercrime can be influenced by different mechanisms. We use the total amount of all types of cybercrime IPs instead of looking into a specific type of cybercrime, given that such segmentation may result in data sparsity for some groups. Future studies are needed to determine how different categories of cybercrimes are affected by socioeconomic factors. At last, micro-level individual and behaviour characteristics and more fine-grained explanatory variables should be included to better understand cybercrime.

Data availability

The FireHOL IP lists data are publicly available at the FireHOL website ( https://iplists.firehol.org/ and https://github.com/firehol/blocklist-ipsets ); population, education index, income index, HDI, and subnational regions data are available from Global Data Lab ( https://globaldatalab.org ); nighttime light data are available from the Earth Observation Group ( https://eogdata.mines.edu/download_dnb_composites.html ); Population aged 15–64, Gini index, GDP growth, unemployment, poverty rate, control of corruption, government effectiveness, rule of law, political stability and absence of violence/terrorism, and voice and accountability, are obtained from World Bank ( https://databank.worldbank.org/home.aspx ), the internet users, international bandwidth, secure internet server, and fixed broadband subscriptions are available from International Telecommunication Union (ITU) ( https://www.itu.int/itu-d/sites/statistics ); the internet infrastructure are collected from TeleGeography ( https://www.internetexchangemap.com ) and the World Data Centers Database ( https://datacente.rs ); the legal measures, technical measures, organisational measures, capacity development, cooperation measures and overall cybersecurity index were obtained from the Global Cybersecurity Index (GCI) of the ITU ( https://www.itu.int/en/ITU-D/Cybersecurity/Pages/global-cybersecurity-index.aspx ).

Amin RW, Sevil HE, Kocak S, Francia G, Hoover P (2021) The spatial analysis of the malicious uniform resource locators (URLs): 2016 dataset case study. Information 12(1):2

Article   Google Scholar  

Anderson R, Barton C, Böhme R, Clayton R, Van Eeten MJ, Levi M, Moore T, Savage S (2013) Measuring the cost of cybercrime. In: The economics of information security and privacy. Springer, pp. 265–300

Anderson R, Barton C, Bölme R, Clayton R, Ganán C, Grasso T, Levi M, Moore T, Vasek M (2019) Measuring the changing cost of cybercrime. The 18th Annual Workshop on the Economics of Information Security. https://doi.org/10.17863/CAM.41598

Arbuckle JL (2011) IBM SPSS Amos 20 user’s guide. Amos Development Corporation, SPSS Inc. pp. 226–229

Asal V, Mauslein J, Murdie A, Young J, Cousins K, Bronk C (2016) Repression, education, and politically motivated cyberattacks. J Glob Secur Stud 1(3):235–247

Bastion G, Mukku S (2020) Data and the global south: key issues for inclusive digital development. https://doi.org/10.13140/RG.2.2.35091.50724

Bergmann MC, Dreißigacker A, von Skarczinski B, Wollinger GR (2018) Cyber-dependent crime victimization: the same risk for everyone? Cyberpsychol Behav Soc Network 21(2):84–90

Brenner SW (2013) Cybercrime: re-thinking crime control strategies. Crime online: Willan. pp. 12–28

Brewer R, de Vel-Palumbo M, Hutchings A, Holt T, Goldsmith A, Maimon D (2019) Cybercrime prevention: theory and applications. Springer

Bruggemann R, Koppatz P, Scholl M, Schuktomow R (2022) Global cybersecurity index (GCI) and the role of its 5 pillars. Soc Indic Res 159(1):125–143

Calderaro A, Craig AJ (2020) Transnational governance of cybersecurity: policy challenges and global inequalities in cyber capacity building. Third World Q 41(6):917–938

Castillo D, Falzon J (2018) An analysis of the impact of Wannacry cyberattack on cybersecurity stock returns. Rev Econ Financ 13:93–100

Google Scholar  

Clough J (2015) Principles of cybercrime. Cambridge University Press

Dupont B, Holt T (2022) The human factor of cybercrime. Soc Sci Comput Rev 40(4):860–864

Ehrlich I (1996) Crime, punishment, and the market for offenses. J Econ Perspect 10(1):43–67

Eian IC, Yong LK, Li MYX, Qi YH, Fatima Z (2020) Cyber attacks in the era of covid-19 and possible solution domains. Preprints 2020, 2020090630

Eslahi M, Salleh R, Anuar NB (2012) ‘Bots and botnets: an overview of characteristics, detection and challenges’. 2012 IEEE International Conference on Control System, Computing and Engineering. IEEE, pp. 349–354

Fan Y, Chen J, Shirkey G, John R, Wu SR, Park H, Shao C (2016) Applications of structural equation modeling (SEM) in ecological studies: an updated review. Ecol Process 5(1):1–12

Faraway JJ (2016) Extending the linear model with R: generalized linear, mixed effects and nonparametric regression models. Chapman and Hall/CRC

FireHOL (2021) FireHOL. FireHOL IP lists. https://iplists.firehol.org [Accessed on Aug 21, 2021]

Fox J, Weisberg S, Adler D, Bates D, Baud-Bovy G, Ellison S, Firth D, Friendly M, Gorjanc G, Graves,S (2012) Package ‘car’, Vienna: R Foundation for Statistical Computing, 16

Garg V, Koster T, Camp LJ (2013) Cross-country analysis of spambots. EURASIP J Inform Secur 2013(1):1–13

Ghafur S, Kristensen S, Honeyford K, Martin G, Darzi A, Aylin P (2019) A retrospective impact analysis of the WannaCry cyberattack on the NHS. NPJ Digit Med 2(1):1–7

Goel RK, Nelson MA (2009) Determinants of software piracy: economics, institutions, and technology. J Technol Transfer 34(6):637–658

Hall T, Sanders B, Bah M, King O, Wigley E (2020) Economic geographies of the illegal: the multiscalar production of cybercrime. Trend OrganCrime 24:282–307

Ho HTN, Luong HT (2022) Research trends in cybercrime victimization during 2010–2020: a bibliometric analysis. SN Soc Sci 2(1):1–32

Holt T, Bossler A (2015) Cybercrime in progress: Theory and prevention of technology-enabled offenses. Routledge

Holt TJ (2017) Cybercrime through an interdisciplinary lens. Routledge

Holt TJ, Bossler AM (2014) An assessment of the current state of cybercrime scholarship. Deviant Behav 35(1):20–40

Holt TJ, Burruss GW, Bossler AM (2018) Assessing the macro-level correlates of malware infections using a routine activities framework. Int J Offender Ther Comp Criminol 62(6):1720–1741

Article   PubMed   Google Scholar  

Holt TJ, Schell BH (2011) Corporate hacking and technology-driven crime. Igi Global

Hoque N, Bhattacharyya DK, Kalita JK (2015) Botnet in DDoS attacks: trends and challenges. IEEE Commun Surv Tutor 17(4):2242–2270

Howell CJ, Burruss GW (2020) Datasets for analysis of cybercrime. In: The Palgrave handbook of international cybercrime and cyberdeviance. Palgrave Macmillan. pp. 207–219

Hutchings A, Hayes H (2009) Routine activity theory and phishing victimisation: who gets caught in the ‘net’? Curr Issues Crim Justice 20(3):433–452

Ki E-J, Chang B-H, Khang H (2006) Exploring influential factors on music piracy across countries. J Commun 56(2):406–426

Kigerl A (2012) Routine activity theory and the determinants of high cybercrime countries. Soc Sci Comput Rev 30(4):470–486

Kigerl A (2016) Cyber crime nation typologies: K-means clustering of countries based on cyber crime rates. Int J Cyber Criminol10(2): 147–169

Kigerl A (2021) Routine activity theory and malware, fraud, and spam at the national level, Crime Law Soc Chang 76:109–130

Kshetri N (2010) Diffusion and effects of cyber-crime in developing economies. Third World Q 31(7):1057–1079

Kumar S, Carley KM (2016) ‘Approaches to understanding the motivations behind cyber attacks’. 2016 IEEE Conference on Intelligence and Security Informatics (ISI). IEEE, pp. 307–309

Lallie HS, Shepherd LA, Nurse JR, Erola A, Epiphaniou G, Maple C, Bellekens X (2021) Cyber security in the age of covid-19: a timeline and analysis of cyber-crime and cyber-attacks during the pandemic. Comput Secur 105:102248

Article   PubMed   PubMed Central   Google Scholar  

Lazarus S, Okolorie GU (2019) The bifurcation of the Nigerian cybercriminals: Narratives of the Economic and Financial Crimes Commission (EFCC) agents. Telemat Informat 40:14–26

Leukfeldt R, Holt TJ (2019) The human factor of cybercrime. Routledge

Lianos H, McGrath A (2018) Can the general theory of crime and general strain theory explain cyberbullying perpetration? Crime Delinq 64(5):674–700

Lusthaus J, Bruce M, Phair N (2020) ‘Mapping the geography of cybercrime: a review of indices of digital offending by country’. 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW): IEEE, pp. 448–453

Lusthaus J, Varese F (2021) Offline and local: the hidden face of cybercrime. Policing J Policy Pract 15(1):4–14

Maimon D, Wilson T, Ren W, Berenblum T (2015) On the relevance of spatial and temporal dimensions in assessing computer susceptibility to system trespassing incidents. Br J Criminol 55(3):615–634

Makridis CA, Smeets M (2019) Determinants of cyber readiness. J Cyber Policy 4(1):72–89

Mandelcorn S, Modarres M, Mosleh A (2013) An explanatory model of cyberattacks drawn from rational choice theory. Trans Am Nuclear Soc 109(1):1869–1871

McAfee (2021) McAfee and the Center for Strategic and International Studies (CSIS). The Hidden Costs of Cybercrime. https://www.csis.org/analysis/hidden-costs-cybercrime [Accessed on Aug 21, 2021]

McGuire M, Dowling S (2013) Cyber-crime: a review of the evidence summary of key findings and implications Home Office Research Report 75, Home Office, United Kingdom, Oct. 30p

Meke E (2012) Urbanization and cyber Crime in Nigeria: causes and consequences. Eur J Comput Sci Inform Technol 3(9):1–11

Mezzour G, Carley L, Carley KM (2014) Global mapping of cyber attacks. Available at SSRN 2729302

Mikkola M, Oksanen A, Kaakinen M, Miller BL, Savolainen I, Sirola A, Zych I, Paek H-J (2020) Situational and individual risk factors for cybercrime victimization in a cross-national context. Int J Offender Ther Comparat Criminol https://doi.org/10.1177/0306624X20981041

Mohurle S, Patil M (2017) A brief study of wannacry threat: ransomware attack 2017. Int J Adv Res Comput Sci 8(5):1938–1940

Neal S (2014) Cybercrime, transgression and virtual environments. Crime: Willan, pp. 71–104

Ngo FT, Paternoster R (2011) Cybercrime victimization: an examination of individual and situational level factors. Int J Cyber Criminol 5(1):773

Onuora A, Uche D, Ogbunude F, Uwazuruike F (2017) The challenges of cybercrime in Nigeria: an overview. AIPFU J School Sci 1(2):6–11

Overvest B, Straathof B (2015) What drives cybercrime? Empirical evidence from DDoS attacks. CPB Netherlands Bureau for Economic Policy Analysis

Pandita R (2017) Internet: a change agent an overview of internet penetration & growth across the world. Int J Inform Dissemination Technol 7(2):83

Payne BK (2020) Defining cybercrime. The Palgrave handbook of international cybercrime and cyberdeviance. Palgrave Macmillan. pp. 3–25

Phillips K, Davidson JC, Farr RR, Burkhardt C, Caneppele S, Aiken MP (2022) Conceptualizing cybercrime: definitions, typologies and taxonomies. Forensic Sci 2(2):379–398

Pick JB, Azari R (2008) Global digital divide: Influence of socioeconomic, governmental, and accessibility factors on information technology. Inform Technol Dev 14(2):91–115

Pranggono B, Arabo A (2021) COVID‐19 pandemic cybersecurity issues. Internet Technol Lett 4(2):e247

Pratt TC, Holtfreter K, Reisig MD (2010) Routine online activity and internet fraud targeting: extending the generality of routine activity theory. J Res Crime Delinquency 47(3):267–296

R (Core Team, 2013) R: A language and environment for statistical computing. R Core Team

Sarre R, Lau LY-C, Chang LY (2018) Responding to cybercrime: current trends. Taylor & Francis

Solano PC, Peinado AJR (2017) ‘Socio-economic factors in cybercrime: Statistical study of the relation between socio-economic factors and cybercrime’. 2017 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA): IEEE, pp. 1–4

Srivastava SK, Das S, Udo GJ, Bagchi K (2020) Determinants of cybercrime originating within a nation: a cross-country study. J Glob Inf Technol Manag 23(2):112–137

Sutanrikulu A, Czajkowska S, Grossklags J (2020) ‘Analysis of darknet market activity as a country-specific, socio-economic and technological phenomenon’. 2020 APWG Symposium on Electronic Crime Research (eCrime): IEEE, pp. 1–10

UNODC (2013) Comprehensive study on cybercrime. United Nations, New York

Van Eeten M, Bauer JM, Asghari H, Tabatabaie S (2010) The role of internet service providers in botnet mitigation an empirical analysis based on spam data. TPRC

Waldrop MM (2016) How to hack the hackers: The human side of cybercrime. Nature 533: 164–167

Wall D (2007) Cybercrime: the transformation of crime in the information age. Polity

Walters GD (2015) Proactive criminal thinking and the transmission of differential association: a cross-lagged multi-wave path analysis. Crim Just Behav 42(11):1128–1144

Watters, PA, McCombie, S, Layton, R and Pieprzyk, J (2012) Characterising and predicting cyber attacks using the Cyber Attacker Model Profile (CAMP). J Money Laund Control . ISSN: 1368-5201

Williams ML (2016) Guardians upon high: an application of routine activities theory to online identity theft in Europe at the country and individual level. Br J Criminol 56(1):21–48

Download references

Acknowledgements

This research was funded by the National Key Research and Development Project of China, grant number 2020YFB1806500 and the Key Research Program of the Chinese Academy of Sciences, grant number ZDRW-XH-2021-3. We thank Yushu Qian, Ying Liu, Qinghua Tan for providing valuable suggestions.

Author information

Authors and affiliations.

Institute of Geographic Sciences and Nature Resources Research, Chinese Academy of Sciences, Beijing, China

Shuai Chen, Mengmeng Hao, Fangyu Ding, Dong Jiang, Jiping Dong & Qiquan Guo

College of Resources and Environment, University of Chinese Academy of Sciences, Beijing, China

Shuai Chen, Mengmeng Hao, Fangyu Ding, Dong Jiang & Jiping Dong

Big Data Center of State Grid Corporation of China, Beijing, China

Shize Zhang

The Administrative Bureau of Chinese Academy of Sciences, Beijing, China

Chundong Gao

You can also search for this author in PubMed   Google Scholar

Contributions

DJ, QQG and CDG designed the research; SC, FYD, DJ, SZZ and MMH performed the research; SC, FYD and JPD analysed the data; SC, FYD, DJ and MMH wrote the first draft of the paper; JPD, SZZ, QQG, CDG and DJ gave useful edits, comments and suggestions to this work.

Corresponding author

Correspondence to Dong Jiang .

Ethics declarations

Competing interests.

The authors declare no competing interests.

Ethical approval

This article does not contain any studies with human participants performed by any of the authors.

Informed consent

Additional information.

Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/ .

Reprints and permissions

About this article

Cite this article.

Chen, S., Hao, M., Ding, F. et al. Exploring the global geography of cybercrime and its driving forces. Humanit Soc Sci Commun 10 , 71 (2023). https://doi.org/10.1057/s41599-023-01560-x

Download citation

Received : 19 May 2022

Accepted : 14 February 2023

Published : 23 February 2023

DOI : https://doi.org/10.1057/s41599-023-01560-x

Share this article

Anyone you share the following link with will be able to read this content:

Sorry, a shareable link is not currently available for this article.

Provided by the Springer Nature SharedIt content-sharing initiative

Quick links

• Explore articles by subject
• Guide to authors
• Editorial policies

Financial crime and fraud in the age of cybersecurity

In 2018, the World Economic Forum noted that fraud and financial crime was a trillion-dollar industry, reporting that private companies spent approximately $8.2 billion on anti–money laundering (AML) controls alone in 2017. The crimes themselves, detected and undetected, have become more numerous and costly than ever. In a widely cited estimate, for every dollar of fraud institutions lose nearly three dollars, once associated costs are added to the fraud loss itself. 1 World Economic Forum Annual Meeting, Davos-Klosters, Switzerland, January 23–26, 2018; LexisNexis risk solutions 2018 True Cost of Fraud study, LexisNexis, August 2018, risk.lexisnexis.com. Risks for banks arise from diverse factors, including vulnerabilities to fraud and financial crime inherent in automation and digitization, massive growth in transaction volumes, and the greater integration of financial systems within countries and internationally. Cybercrime and malicious hacking have also intensified. In the domain of financial crime, meanwhile, regulators continually revise rules, increasingly to account for illegal trafficking and money laundering, and governments have ratcheted up the use of economic sanctions, targeting countries, public and private entities, and even individuals. Institutions are finding that their existing approaches to fighting such crimes cannot satisfactorily handle the many threats and burdens. For this reason, leaders are transforming their operating models to obtain a holistic view of the evolving landscape of financial crime . This view becomes the starting point of efficient and effective management of fraud risk.

The evolution of fraud and financial crime

Fraud and financial crime adapt to developments in the domains they plunder. (Most financial institutions draw a distinction between these two types of crimes: for a view on the distinction, or lack thereof, see the sidebar “Financial crime or fraud?”) With the advent of digitization and automation of financial systems, these crimes have become more electronically sophisticated and impersonal.

Financial crime or fraud?

For purposes of detection, interdiction, and prevention, many institutions draw a distinction between fraud and financial crime. Boundaries are blurring, especially since the rise of cyberthreats, which reveal the extent to which criminal activities have become more complex and interrelated. What’s more, the distinction is not based on law, and regulators sometimes view it as the result of organizational silos. Nevertheless, financial crime has generally meant money laundering and a few other criminal transgressions, including bribery and tax evasion, involving the use of financial services in support of criminal enterprises. It is most often addressed as a compliance issue, as when financial institutions avert fines with anti–money laundering activities. Fraud, on the other hand, generally designates a host of crimes, such as forgery, credit scams, and insider threats, involving deception of financial personnel or services to commit theft. Financial institutions have generally approached fraud as a loss problem, lately applying advanced analytics for detection and even real-time interdiction. As the distinction between these three categories of crime have become less relevant, financial institutions need to use many of the same tools to protect assets against all of them.

One series of crimes, the so-called Carbanak attacks beginning in 2013, well illustrates the cyber profile of much of present-day financial crime and fraud. These were malware-based bank thefts totaling more than $1 billion. The attackers, an organized criminal gang, gained access to systems through phishing and then transferred fraudulently inflated balances to their own accounts or programmed ATMs to dispense cash to waiting accomplices (Exhibit 1).

Significantly, this crime was one simultaneous, coordinated attack against many banks. The attackers exhibited a sophisticated knowledge of the cyber environment and likely understood banking processes, controls, and even vulnerabilities arising from siloed organizations and governance. They also made use of several channels, including ATMs, credit and debit cards, and wire transfers. The attacks revealed that meaningful distinctions among cyberattacks, fraud, and financial crime are disappearing. Banks have not yet addressed these new intersections, which transgress the boundary lines most have erected between the types of crimes (Exhibit 2).

A siloed approach to these interconnected risks is becoming increasingly untenable; clearly, the operating model needs to be rethought.

As banks begin to align operations to the shifting profile of financial crime, they confront the deepening connections between cyber breaches and most types of financial crime. The cyber element is not new, exactly. Until recently, for example, most fraud has been transaction based, with criminals exploiting weaknesses in controls. Banks counter such fraud with relatively straightforward, channel-specific, point-based controls. Lately, however, identity-based fraud has become more prevalent, as fraudsters develop applications to exploit natural or synthetic data. Cyber-enabled attacks are becoming more ambitious in scope and omnipresent, eroding the value of personal information and security protections.

In a world where customers infrequently contact bank staff but rather interact almost entirely through digital channels, “digital trust” has fast become a significant differentiator of customer experience. Banks that offer a seamless, secure, and speedy digital interface will see a positive impact on revenue, while those that don’t will erode value and potentially lose business. Modern banking demands faster risk decisions (such as real-time payments) so banks must strike the right balance between managing fraud and handling authorized transactions instantly.

The growing cost of financial crime and fraud risk has also overshot expectations, pushed upward by several drivers. As banks focus tightly on reducing liabilities and efficiency costs, losses in areas such as customer experience, revenue, reputation, and even regulatory compliance are being missed (Exhibit 3).

Bringing together financial crime, fraud, and cyber operations

At leading institutions the push is on to bring together efforts on financial crime, fraud, and cybercrime. Both the front line and back-office operations are oriented in this direction at many banks. Risk functions and regulators are catching on as well. AML, while now mainly addressed as a regulatory issue, is seen as being on the next horizon for integration. Important initial steps for institutions embarking on an integration effort are to define precisely the nature of all related risk- management activities and to clarify the roles and responsibilities across the lines of defense. These steps will ensure complete, clearly delineated coverage—by the businesses and enterprise functions (first line of defense) and by risk, including financial crime, fraud, and cyber operations (second line)—while eliminating duplication of effort.

All risks associated with financial crime involve three kinds of countermeasures: identifying and authenticating the customer, monitoring and detecting transaction and behavioral anomalies, and responding to mitigate risks and issues. Each of these activities, whether taken in response to fraud, cybersecurity breaches or attacks, or other financial crimes, are supported by many similar data and processes. Indeed, bringing these data sources together with analytics materially improves visibility while providing much deeper insight to improve detection capability. In many instances it also enables prevention efforts.

In taking a more holistic view of the underlying processes, banks can streamline business and technology architecture to support a better customer experience, improved risk decision making, and greater cost efficiencies. The organizational structure can then be reconfigured as needed. (Exhibit 4).

From collaboration to holistic unification

Three models for addressing financial crime are important for our discussion. They are distinguished by the degree of integration they represent among processes and operations for the different types of crime (Exhibit 5).

Generally speaking, experience shows that organizational and governance design are the main considerations for the development of the operating model. Whatever the particular choice, institutions will need to bring together the right people in agile teams, taking a more holistic approach to common processes and technologies and doubling down on analytics—potentially creating “fusion centers,” to develop more sophisticated solutions. It is entirely feasible that an institution will begin with the collaborative model and gradually move toward greater integration, depending on design decisions. We have seen many banks identify partial integration as their target state, with a view that full AML integration is an aspiration.

• Collaborative model. In this model, which for most banks represents the status quo, each of the domains—financial crime, fraud, and cybersecurity—maintain their independent roles, responsibilities, and reporting. Each unit builds its own independent framework, cooperating on risk taxonomy and data and analytics for transaction monitoring, fraud, and breaches. The approach is familiar to regulators, but offers banks little of the transparency needed to develop a holistic view of financial-crime risk. In addition, the collaborative model often leads to coverage gaps or overlaps among the separate groups and fails to achieve the benefits of scale that come with greater functional integration. The model’s reliance on smaller, discrete units also means banks will be less able to attract top leadership talent.
• Partially integrated model for cybersecurity and fraud. Many institutions are now working toward this model, in which cybersecurity and fraud are partially integrated as the second line of defense. Each unit maintains independence in this model but works from a consistent framework and taxonomy, following mutually accepted rules and responsibilities. Thus a consistent architecture for prevention (such as for customer authentication) is adopted, risk-identification and assessment processes (including taxonomies) are shared, and similar interdiction processes are deployed. Deeper integral advantages prevail, including consistency in threat monitoring and detection and lower risk of gaps and overlap. The approach remains, however, consistent with the existing organizational structure and little disrupts current operations. Consequently, transparency is not increased, since separate reporting is maintained. No benefits of scale accrue, and with smaller operational units still in place, the model is less attractive to top talent.
• Unified model. In this fully integrated approach, the financial crimes, fraud, and cybersecurity operations are consolidated into a single framework, with common assets and systems used to manage risk across the enterprise. The model has a single view of the customer and shares analytics. Through risk convergence, enterprise-wide transparency on threats is enhanced, better revealing the most important underlying risks. The unified model also captures benefits of scale across key roles and thereby enhances the bank’s ability to attract and retain top talent. The disadvantages of this model are that it entails significant organizational change, making bank operations less familiar to regulators. And even with the organizational change and risk convergence, risks remain differentiated.

The imperative of integration

The integration of fraud and cybersecurity operations is an imperative step now, since the crimes themselves are already deeply interrelated. The enhanced data and analytics capabilities that integration enables are now essential tools for the prevention, detection, and mitigation of threats.

Most forward-thinking institutions are working toward such integration, creating in stages a more unified model across the domains, based on common processes, tools, and analytics. AML activities can also be integrated, but at a slower pace, with focus on specific overlapping areas first.

The starting point for most banks has been the collaborative model, with cooperation across silos. Some banks are now shifting from this model to one that integrates cybersecurity and fraud. In the next horizon, a completely integrated model enables comprehensive treatment of cybersecurity and financial crime, including AML. By degrees, however, increased integration can improve the quality of risk management, as it enhances core effectiveness and efficiency in all channels, markets, and lines of business.

Strategic prevention: Threats, prediction, and controls

The idea behind strategic prevention is to predict risk rather than just react to it. To predict where threats will appear, banks need to redesign customer and internal operations and processes based on a continuous assessment of actual cases of fraud, financial crime, and cyberthreats. A view of these is developed according to the customer journey. Controls are designed holistically, around processes rather than points. The approach can significantly improve protection of the bank and its customers (Exhibit 6).

To arrive at a realistic view of these transgressions, institutions need to think like the criminals. Crime takes advantage of a system’s weak points. Current cybercrime and fraud defenses are focused on point controls or silos but are not based on an understanding of how criminals actually behave. For example, if banks improve defenses around technology, crime will migrate elsewhere—to call centers, branches, or customers. By adopting this mind-set, banks will be able to trace the migratory flow of crime, looking at particular transgressions or types of crime from inception to execution and exfiltration, mapping all the possibilities. By designing controls around this principle, banks are forced to bring together disciplines (such as authentication and voice-stress analysis), which improves both efficacy and effectiveness.

Efficiencies of scale and processes

The integrated fraud and cyber-risk functions can improve threat prediction and detection while eliminating duplication of effort and resources. Roles and responsibilities can be clarified so that no gaps are left between functions or within the second line of defense as a whole. Consistent methodologies and processes (including risk taxonomy and risk identification) can be directed toward building understanding and ownership of risks. Integrating operational processes and continuously updating risk scores allow institutions to dynamically update their view on the riskiness of clients and transactions.

Data, automation, and analytics

Through integration, the anti-fraud potential of the bank’s data, automation, and analytics can be more fully realized. By integrating the data of separate functions, both from internal and external sources, banks can enhance customer identification and verification. Artificial intelligence and machine learning can also better enable predictive analytics when supported by aggregate sources of information. Insights can be produced rapidly—to establish, for example, correlations between credential attacks, the probability of account takeovers, and criminal money movements. By overlaying such insights onto their rules-based solutions, banks can reduce the rates of false positives in detection algorithms. This lowers costs and helps investigators stay focused on actual incidents.

The aggregation of customer information that comes from the closer collaboration of the groups addressing financial crime, fraud, and cybersecurity will generally heighten the power of the institution’s analytic and detection capabilities. For example, real-time risk scoring and transaction monitoring to detect transaction fraud can accordingly be deployed to greater effect. This is one of several improvements that will enhance regulatory preparedness by preventing potential regulatory breaches.

The customer experience and digital trust

The integrated approach to fraud risk can also result in an optimized customer experience. Obviously, meaningful improvements in customer satisfaction help shape customer behavior and enhance business outcomes. In the context of the risk operating model, objectives here include the segmentation of fraud and security controls according to customer experience and needs as well as the use of automation and digitization to enhance the customer journey. Survey after survey has affirmed that banks are held in high regard by their customers for performing well on fraud.

Unified risk management for fraud, financial crime, and cyberthreats thus fosters digital trust, a concept that is taking shape as a customer differentiator for banks. Security is clearly at the heart of this concept and is its most important ingredient. However, such factors as convenience, transparency, and control are also important components of digital trust. The weight customers assign to these attributes varies by segment, but very often such advantages as hassle-free authentication or the quick resolution of disputes are indispensable builders of digital trust.

A holistic view

The objective of the transformed operating model is a holistic view of the evolving landscape of financial crime. This is the necessary standpoint of efficient and effective fraud-risk management, emphasizing the importance of independent oversight and challenge through duties clearly delineated in the three lines of defense. Ultimately, institutions will have to integrate business, operations, security, and risk teams for efficient intelligence sharing and collaborative responses to threats.

How to proceed?

The target fraud-risk operating model: key questions for banks.

In designing their target risk operating model for financial crimes, fraud, and cybersecurity, leading banks are probing the following questions.

Processes and activities

• What are the key processes or activities to be conducted for customer identification and authentication, monitoring and detection of anomalies, and responding to risks or issues?
• How frequently should specific activities be conducted (such as reporting)?
• What activities can be consolidated into a “center of excellence”?

People and organization

• Who are the relevant stakeholders in each line of defense?
• What skills and how many people are needed to support the activities?
• What shared activities should be housed together (for example, in centers of excellence)?
• What is the optimal reporting structure for each type of financial crime—directly to the chief risk officer? To the chief operations officer? To IT?

Data, tools, and technologies

• What data should be shared across cybersecurity, fraud, and other financial-crime divisions? Can the data sit in the same data warehouses to ensure consistency and streamlining of data activities?
• What tools and frameworks should converge (for example, risk-severity matrix, risk-identification rules, taxonomy)? How should they converge?
• What systems and applications do each of the divisions use? Can they be streamlined?
• What are the governance bodies for each risk type? How do they overlap? For example, does the same committee oversee fraud and cybersecurity? Does committee membership overlap?
• What are the specific, separate responsibilities of the first and second lines of defense?
• What measurements are used to set the risk appetite by risk type? How are they communicated to the rest of the organization?

When banks design their journeys toward a unified operating model for financial crime, fraud, and cybersecurity, they must probe questions about processes and activities, people and organization, data and technology, and governance (see sidebar “The target fraud-risk operating model: Key questions for banks”).

Most banks begin the journey by closely integrating their cybersecurity and fraud units. As they enhance information sharing and coordination across silos, greater risk effectiveness and efficiency becomes possible. To achieve the target state they seek, banks are redefining organizational “lines and boxes” and, utility.

Most have stopped short of fully unifying the risk functions relating to financial crimes, though a few have attained a deeper integration. A leading US bank set up a holistic “center of excellence” to enable end-to-end decision making across fraud and cybersecurity. From prevention to investigation and recovery, the bank can point to significant efficiency gains. A global universal bank has gone all the way, combining all operations related to financial crimes, including fraud and AML, into a single global utility. The bank has attained a more holistic view of customer risk and reduced operating costs by approximately $100 million.

As criminal transgressions in the financial-services sector become more sophisticated and break through traditional risk boundaries, banks are watching their various risk functions become more costly and less effective. Leaders are therefore rethinking their approaches to take advantage of the synergies available in integration. Ultimately, fraud, cybersecurity, and AML can be consolidated under a holistic approach based on the same data and processes. Most of the benefits are available in the near term, however, through the integration of fraud and cyber operations.

Explore a career with us

Related articles.

The new frontier in anti–money laundering

Flushing out the money launderers with better customer risk-rating models

Cybersecurity and the risk function

Official websites use .gov

A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS

A lock ( ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

• What We Investigate
• Counterintelligence
• Cyber Crime
• Public Corruption
• Civil Rights
• Organized Crime
• White-Collar Crime
• Violent Crime
• Environmental Crime
• Weapons of Mass Destruction
• How We Investigate
• Most Wanted
• FBI Guidance to Victims of Cyber Incidents on SEC Reporting Requirements
• Business and Industry Partners

Results: 2793 Items

Press Release

Former Attorney Sentenced to 25 Years in Federal Prison on Embezzlement and Fraud Charges in Connection with Collapse of Washington Federal Bank

August 14, 2024

Second Defendant Charged in Fraudulent Refund Scheme Targeting Online Retailers

Russian citizen sentenced to 40 months for selling stolen financial information on the criminal internet marketplace slilpp, leader of international malvertising and ransomware schemes extradited from poland to face cybercrime charges.

August 13, 2024

International Investigation Leads to Shutdown of Ransomware Group

August 12, 2024

Department Disrupts North Korean Remote IT Worker Fraud Schemes Through Charges and Arrest of Nashville Facilitator

August 8, 2024

Albuquerque Woman Admits Guilt in Multi-Year Cyberstalking and Identity Theft Scheme

August 7, 2024

Pakistani National with Ties to Iran Charged in Connection with Foiled Plot to Assassinate a Politician or U.S. Government Officials

August 6, 2024

Federal Judge Sentences Chicago Man to 40 Years in Prison for Sex Trafficking Several Children

August 1, 2024

Chambersburg Man Sentenced to 22 Months in Prison for Hacking Into Social Media Accounts and Stealing Private Photographs

Rockford man sentenced to 60 years in prison for the production of child pornography.

July 31, 2024

Founder of “BitClout” Digital Asset Charged with Fraud in Connection with Sale of “BitClout” Tokens

July 30, 2024

Three Individuals Sentenced for Massive $88M Business Telephone System Software License Piracy Scheme

July 26, 2024

Columbia County Man Sentenced to Federal Prison for Bilking Customers for Purchase of Cryptocurrency Computers

July 24, 2024

Nigerian National Sentenced to More Than 12 Years in Federal Prison for Cyber Scams

July 23, 2024

Meet the Cyber Action Team

Member of violent online child pornography network pleads guilty to sexually exploiting a child.

July 19, 2024

Final Defendant in eBay Cyberstalking Case Sentenced

July 18, 2024

Two Foreign Nationals Plead Guilty to Participation in LockBit Ransomware Group

Chicago man sentenced in cyber fraud case.

July 17, 2024

Nigerian Man Pleads Guilty to Real Estate Phishing / Spoofing Scheme

Texas man sentenced to nine months in federal prison for operating website that offered computer attack services.

July 15, 2024

Former Chief Financial Officer of Chicago Hospital Among Three Defendants Charged in Alleged $15 Million Embezzlement Scheme

July 12, 2024

Justice Department Leads Efforts Among Federal, International, and Private Sector Partners to Disrupt Covert Russian Government-Operated Social Media Bot Farm

July 9, 2024

Federal Jury Finds Anchorage Man Guilty of Cyberstalking

July 1, 2024

Prominent Ghanaian “Influencer” Sentenced to One Year in Prison for Receiving Romance Scam Proceeds

Fbi, partners host cyber summit for washington metropolitan area law enforcement agencies and schools.

June 28, 2024

Retired Georgia Soldier Sentenced to 27 Months for Cyberstalking of Co-Worker

Department of justice seizes more than $1 million of collectible stamps as proceeds of criminal fraud scheme.

June 27, 2024

Russian National Charged for Conspiring with Russian Military Intelligence to Destroy Ukrainian Government Computer Systems and Data

June 26, 2024

Kayenta Resident Sentenced to Seven Years in Prison for Making Hoax Calls to Elicit SWAT Responses

June 24, 2024

Maryland Man Pleads Guilty for Possession of Sex Abuse Videos of Infant and Prepubescent Children

Colorado man pleads guilty in crypto investment fraud scheme.

June 21, 2024

Five Men Convicted for Operating Major Illegal Streaming Service

June 20, 2024

Four Members of Notorious Cybercrime Group ‘FIN9’ Charged for Roles in Attacking U.S. Companies

Seeking victim information in richard michael roe investigation.

June 18, 2024

Michigan Man Who Orchestrated International Computer Fraud and Online Drug Distribution Schemes Sentenced to Decade in Prison

Mississippi man pleads guilty to cyberstalking and antisemitic harassment of synagogues, jewish-owned businesses, fbi miami field office and doj join european partners in major takedown of critical online infrastructure to disrupt isis propaganda.

June 17, 2024

Two Men Plead Guilty to Computer Intrusion and Aggravated Identity Theft for Hacking into Federal Law Enforcement Web Portal

Owners of “empire market” charged in chicago with operating $430 million dark web marketplace.

June 14, 2024

FBI Director Travels to Africa to Meet with Vital Law Enforcement and Intelligence Partners

Fbi director wray travels to nigeria, meets with president tinubu and senior officials, athens, georgia, woman indicted on cyberstalking and threat offenses.

June 12, 2024

Massachusetts Man Sentenced to More Than Seven Years in Prison for Threatening and Harassing Interracial Couple and Obstructing Justice

June 10, 2024

Maryland Man Sentenced for Relentlessly Cyberstalking Victims

Ghanian citizen sentenced to six years for money laundering.

June 7, 2024

Three United Kingdom Nationals Charged in Connection with “Evolved Apes” NFT Scam

June 6, 2024

FBI Warns Public to Beware of Scammers Impersonating FBI Agents and Other Government Officials

June 5, 2024

FBI Cyber Lead Urges Potential LockBit Victims to Contact Internet Crime Complaint Center

Fbi cyber assistant director bryan vorndran's remarks at the 2024 boston conference on cyber security, special agent in charge jodi cohen's remarks at the eighth annual boston conference on cyber security, fbi assistant director to keynote cyber security conference at boston college, bremerton washington, man sentenced to three years in prison for extensive swatting campaign targeting victims in us and canada.

June 4, 2024

Operation Endgame: Coordinated Worldwide Law Enforcement Action Against Network of Cybercriminals

May 30, 2024

Two Estonian Defendants Indicted in Massive Cryptocurrency Ponzi Scheme Extradited to U.S.

911 s5 botnet dismantled and its administrator arrested in coordinated international operation.

May 29, 2024

Former Seattle Man Who Used Fraud to Obtain More Than $500,000 in COVID Benefits Sentenced to Three Plus Years in Prison

California man indicted on federal fraud charges for allegedly swindling suburban chicago resident out of $2 million.

May 24, 2024

Stalker Arrested for Cyberstalking and Transmitting Interstate Threats to University of Arizona Student

May 23, 2024

Indian National Pleads Guilty to Wire Fraud Conspiracy for Stealing More Than $37 Million by Spoofing Coinbase’s Website

May 22, 2024

Two Former Board Members of Failed Washington Federal Bank in Chicago Sentenced to Prison for Falsifying Records and Obstructing Regulators

Chicago man pleads guilty to cyberstalking, sextortion, president and owner of baltimore county business convicted after seven day trial for honest services wire fraud and bribery, dark web drug vendor and clandestine lab manufacturer sentenced to prison for trafficking in methamphetamine and fentanyl.

May 21, 2024

Florida Man Admits Defrauding Zelle Users

Five members of multi-state gas pump skimming device and fuel theft ring arrested on aggravated identity theft and fraud charges.

May 20, 2024

Six Defendants Indicted on Federal Fraud Charge for Allegedly Staging Robberies to Apply for Immigration Visas

May 17, 2024

Convicted Ponzi Schemer Sentenced to More Than 14 Years in Prison for $11 Million Fraud and Absconding Before Sentencing

Criminal complaint charges two men with conspiracy to commit wire fraud.

May 16, 2024

Charges and Seizures Brought in Fraud Scheme Aimed at Denying Revenue for Workers Associated with North Korea

Justice department announces arrest, premises search, and seizures of multiple website domains to disrupt illicit revenue generation efforts of democratic people’s republic of korea, chelsea woman pleads guilty to using counterfeit identifications as part of account takeover scheme.

May 15, 2024

Tracy Resident Sentenced to Serve Home Confinement and Probation for Computer Attack on Discovery Bay Water Treatment Facility

May 13, 2024

Three Individuals Facing Federal Charges for Swatting Activities

May 9, 2024

FBI Warns of Increasing Threat of Cyber Criminals Utilizing Artificial Intelligence

May 8, 2024

Cryptocurrency Futures Market CEO Pleads Guilty to Violating Bank Secrecy Act

May 7, 2024

U.S. Charges Russian National with Developing and Operating Lockbit Ransomware

Fbi releases 2023 elder fraud report with tech support scams generating the most complaints and investment scams proving the costliest.

May 2, 2024

Five Plead Guilty in Multimillion-Dollar Conspiracy to Launder Computer Fraud Proceeds Offshore to Chinese Companies

Sodinokibi/revil affiliate sentenced for role in $700 million ransomware scheme.

May 1, 2024

Extradited Nigerian National Convicted of Business Email Compromise Scheme

Exploitation of elderly increases—remains fbi priority.

April 30, 2024

Buffalo Man Pleads Guilty to Child Pornography and Cyberstalking Charges

April 29, 2024

FBI Warns of Cryptocurrency Token Impersonation Scam

April 26, 2024

Asset Forfeiture Actions Result in More Than $2.28 Million Returned to Victims of Two Business Email Compromise Scams

Second defendant pleads guilty to hacking fantasy sports and betting website.

April 25, 2024

Justice Department Announces Charges Against Four Iranian Nationals For Multi-Year Cyber Campaign Targeting U.S. Companies

April 23, 2024

Justice Department Seizes Four Web Domains Used to Create Over 40,000 Spoofed Websites and Store the Personal Information of More Than a Million Victims

April 18, 2024

Wray: Chinese Government Poses 'Broad and Unrelenting' Threat to U.S. Critical Infrastructure

Man convicted of $110 million cryptocurrency scheme, maryland man sentenced to 140 months in prison for attempting to arrange sex with a 14-year-old child, director wray's remarks at the vanderbilt summit on modern conflict and emerging threats, moldovan botnet operator indicted for role in conspiracy to unlawfully access thousands of infected computers throughout the united states.

April 16, 2024

Nebraska Man Indicted for Multimillion-Dollar 'Cryptojacking' Scheme

April 15, 2024

On Tax Day, U.S. Attorney's Office Heeds Warning About IRS Imposter Scams and Other Financial Schemes Targeting Older Adults

Delaware woman arrested for international sextortion and money laundering scheme.

April 12, 2024

St. Charles County Man Admits Child Pornography, Enticement Charges

Protecting quantum science and technology.

1 - 100 of 2793 Results Show 100 More Items

• Ten Most Wanted
• Kidnappings / Missing Persons
• Seeking Information
• Bank Robbers
• Submit a Tip
• Crime Statistics
• Scams & Safety
• Press Releases
• Podcasts and Radio
• Español
• How We Can Help You
• Law Enforcement
• Parents and Caregivers
• Safety Resources
• Need an FBI Service or More Information?
• Mission & Priorities
• Leadership & Structure
• Partnerships
• Community Outreach
• Field Offices
• FBI Headquarters
• Visit the FBI Experience
• Overseas Offices
• Additional Resources
• Accessibility
• eRulemaking
• Freedom of Information / Privacy Act
• Legal Notices
• Legal Policies & Disclaimers
• Privacy Policy
• White House
• No FEAR Act
• Equal Opportunity

federal bureau of investigation

Fbi.gov contact center, email updates.

What happened in the Kolkata rape case that triggered doctors’ protests?

Activists and doctors in India demand better safeguarding of women and medical professionals after a trainee medic was raped and murdered in Kolkata.

Activists and doctors across India continued to protest on Wednesday to demand justice for a female doctor, who was raped and murdered while on duty in a hospital in the eastern city of Kolkata.

Feminist groups rallied on the streets in protests titled “Reclaim the Night” in Kolkata overnight on Wednesday – on the eve of India’s independence day – in solidarity with the victim, demanding the principal of RG Kar Medical College resign. Some feminist protesters also marched well beyond Kolkata, including in the capital Delhi.

Keep reading

Doctors across india protest rape and murder of medic in kolkata, india supreme court to monitor investigations into manipur sexual violence, goals not guns: how a girls football team in india’s manipur beats violence, four arrested after spanish blogger on india motorcycle tour gangraped.

While the protests were largely peaceful, a small mob of men stormed the medical college and vandalised property. This group was dispersed by the police.

This comes after two days of nationwide protests by doctors following the incident at RG Kar Medical College in West Bengal’s capital city. “Sit-in demonstrations and agitation in the hospital campus will continue,” one of the protesting doctors, identified as Dr Mridul, told Al Jazeera.

Services in some medical centres were halted indefinitely, and marches and vigils shed light on issues of sexual violence, as well as doctors’ safety in the world’s most populous nation.

What happened to the doctor in Kolkata?

A 31-year-old trainee doctor’s dead body, bearing multiple injuries, was found on August 9 in a government teaching hospital in Kolkata.

The parents of the victim were initially told “by hospital authorities that their daughter had committed suicide,” lawyer and women’s rights activist Vrinda Grover told Al Jazeera. But an autopsy confirmed that the victim was raped and killed.

Grover has appeared for victims in sexual violence cases in India in the past, including Bilkis Bano , a Muslim woman who was gang-raped during the 2002 Gujarat riots, and Soni Sori, a tribal activist based in Chhattisgarh state.

Thousands of doctors marched in Kolkata on Monday, demanding better security measures and justice for the victim.

On Tuesday, the Kolkata High Court transferred the case to the Central Bureau of Investigation (CBI).

The Federation of Resident Doctors Association (FORDA) called for a nationwide halting of elective services in hospitals starting on Monday. Elective services are medical treatments that can be deferred or are not deemed medically necessary.

On Tuesday, FORDA announced on its X account that it is calling off the strike after Health Minister Jagat Prakash Nadda accepted protest demands.

One of these demands was solidifying the Central Protection Act, intended to be a central law to protect medical professionals from violence, which was proposed in the parliament’s lower house in 2022, but has not yet been enacted.

FORDA said that the ministry would begin working on the Act within 15 days of the news release, and that a written statement from the ministry was expected to be released soon.

Press release regarding call off of strike. In our fight for the sad incident at R G Kar, the demands raised by us have been met in full by the @OfficeofJPNadda , with concrete steps in place, and not just verbal assurances. Central Healthcare Protection Act ratification… pic.twitter.com/OXdSZgM1Jc — FORDA INDIA (@FordaIndia) August 13, 2024

Why are some Indian doctors continuing to protest?

However, other doctors’ federations and hospitals have said they will not back down on the strike until a concrete solution is found, including a central law to curb attacks on doctors.

Those continuing to strike included the Federation of All India Medical Associations (FAIMA), Delhi-based All India Institute Of Medical Sciences (AIIMS) and Indira Gandhi Hospital, local media reported.

Ragunandan Dixit, the general secretary of the AIIMS Resident Doctors’ Association, said that the indefinite strike will continue until their demands are met, including a written guarantee of the implementation of the Central Protection Act.

Medical professionals in India want a central law that makes violence against doctors a non-bailable, punishable offence, in hopes that it deters such violent crimes against doctors in the future.

Those continuing to protest also call for the dismissal of the principal of the college, who was transferred. “We’re demanding his termination, not just transfer,” Dr Abdul Waqim Khan, a protesting doctor told ANI news agency. “We’re also demanding a death penalty for the criminal,” he added.

“Calling off the strike now would mean that female resident doctors might never receive justice,” Dr Dhruv Chauhan, member of the National Council of the Indian Medical Association’s Junior Doctors’ Network told local news agency Press Trust of India (PTI).

Which states in India saw doctors’ protests?

While the protests started in West Bengal’s Kolkata on Monday, they spread across the country on Tuesday.

The capital New Delhi, union territory Chandigarh, Uttar Pradesh capital Lucknow and city Prayagraj, Bihar capital Patna and southern state Goa also saw doctors’ protests.

Who is the suspect in the Kolkata rape case?

Local media reported that the police arrested suspect Sanjoy Roy, a civic volunteer who would visit the hospital often. He has unrestricted access to the ward and the police found compelling evidence against him.

The parents of the victim told the court that they suspect that it was a case of gang rape, local media reported.

Why is sexual violence on the rise in India?

Sexual violence is rampant in India, where 90 rapes were reported on average every day in 2022.

Laws against sexual violence were made stricter following a rape case in 2012, when a 22-year-old physiotherapy intern was brutally gang-raped and murdered on a bus in Delhi. Four men were hanged for the gang rape, which had triggered a nationwide protests.

But despite new laws in place, “the graph of sexual violence in India continues to spiral unabated,” said Grover.

She added that in her experience at most workplaces, scant attention is paid to diligent and rigorous enforcement of the laws.

“It is regrettable that government and institutions respond only after the woman has already suffered sexual assault and often succumbed to death in the incident,” she added, saying preventive measures are not taken.

In many rape cases in India, perpetrators have not been held accountable. In 2002, Bano was raped by 11 men, who were sentenced to life imprisonment. In 2022, the government of Prime Minister Narendra Modi authorised the release of the men, who were greeted with applause and garlands upon their release.

However, their remission was overruled and the Supreme Court sent the rapists back to jail after public outcry.

Grover believes that the death penalty will not deter rapists until India addresses the deeply entrenched problem of sexual violence. “For any change, India as a society will have to confront and challenge, patriarchy, discrimination and inequality that is embedded in our homes, families, cultural practices, social norms and religious traditions”.

What makes this case particularly prominent is that it happened in Kolkata, Sandip Roy, a freelance contributor to NPR, told Al Jazeera. “Kolkata actually prided itself for a long time on being really low in the case of violence against women and being relatively safe for women.”

A National Crime Records Bureau (NCRB) report said that Kolkata had the lowest number of rape cases in 2021 among 19 metropolitan cities, with 11 cases in the whole year. In comparison, New Delhi was reported to have recorded 1, 226 cases that year.

Prime Minister Modi’s governing Bharatiya Janata Party (BJP) has called for dismissing the government in West Bengal, where Kolkata is located, led by Mamata Banerjee of All India Trinamool Congress (AITC). Banerjee’s party is part of the opposition alliance.

Rahul Gandhi, the leader of the opposition in parliament, also called for justice for the victim.

“The attempt to save the accused instead of providing justice to the victim raises serious questions on the hospital and the local administration,” he posted on X on Wednesday.

Roy spoke about the politicisation of the case since an opposition party governs West Bengal. “The local government’s opposition will try to make this an issue of women’s safety in the state,” he said.

Have doctors in India protested before?

Roy explained to Al Jazeera that this case is an overlap of two kinds of violence, the violence against a woman, as well as violence against “an overworked medical professional”.

Doctors in India do not have sufficient workplace security, and attacks on doctors have started protests in India before.

In 2019, two junior doctors were physically assaulted in Kolkata’s Nil Ratan Sircar Medical College and Hospital (NRSMCH) by a mob of people after a 75-year-old patient passed away in the hospital.

Those attacks set off doctors’ protests in Kolkata, and senior doctors in West Bengal offered to resign from their positions to express solidarity with the junior doctors who were attacked.

More than 75 percent of Indian doctors have faced some form of violence, according to a survey by the Indian Medical Association in 2015.

What happens next?

The case will now be handled by the CBI, which sent a team to the hospital premises to inspect the crime scene on Wednesday morning, local media reported.

According to Indian law, the investigation into a case of rape or gang rape is to be completed within two months from the date of lodging of the First Information Report (police complaint), according to Grover, the lawyer.

The highest court in West Bengal, which transferred the case from the local police to the CBI on Tuesday, has directed the central investigating agency to file periodic status reports regarding the progress of the investigation.

The FIR was filed on August 9, which means the investigation is expected to be completed by October 9.

Bengal women will create history with a night long protest in various major locations in the state for at 11.55pm on 14th of August’24,the night that’ll mark our 78th year as an independent country. The campaign, 'Women, Reclaim the Night: The Night is Ours', is aimed at seeking… pic.twitter.com/Si9fd6YGNb — purpleready (@epicnephrin_e) August 13, 2024