Global Cybercrime Crackdowns (2021–2025): Arrests, Takedowns and Sanctions Surge

Cybercrime has evolved into a massive global problem, and it’s no longer limited to isolated hackers or small scams. Today’s threats range from ransomware gangs and malware networks to cyber espionage and underground marketplaces that operate across borders. As the problem grows, law enforcement agencies worldwide have stepped up with more frequent and more visible operations.

But there’s a major challenge: the information about these cybercrime crackdowns is scattered everywhere.

One country might announce arrests. Another might publish takedown details. Some operations are reported under major names like Operation Endgame, while many others quietly appear in local press releases. The result is that the world gets pieces of the story, not the full picture.

To address this gap, security researchers from Orange Cyberdefense built a dataset designed to show what law enforcement has actually been doing globally.


A Dataset of 418 Cybercrime Operations

Orange Cyberdefense intelligence teams compiled a structured dataset of 418 publicly announced law enforcement actions carried out between 2021 and mid-2025.

Each entry was collected from official announcements and media reports, then manually reviewed and, where possible, enriched with extra details such as:

  • the type of action taken
  • the kind of cybercrime targeted
  • offender demographics (when available)
  • institutions involved

This approach helps create something that’s been missing for years: a clearer view of law enforcement activity against cybercrime at scale.


Top Cybercrimes Law Enforcement Is Targeting

One of the clearest findings is that law enforcement is still heavily focused on the most damaging and profitable crimes.

The most frequently targeted criminal acts include:

1) Extortion (especially ransomware)

Cyber extortion continues to dominate because ransomware attacks cause serious disruption, financial loss, and public panic.

2) Malware distribution

Authorities are spending major effort going after the malware ecosystem—especially the infrastructure that spreads malware and supports criminal operations.

3) Unauthorized access (hacking/intrusion)

Many high-impact crimes begin with illegal access, so law enforcement is treating intrusion activity as a core threat.


Cybercrime “Enablers” Are Now Getting Hit Too

Beyond the “main crimes,” the data shows something important: agencies are increasingly targeting the people and systems that enable cybercrime, not just the attackers.

That includes:

  • cyber espionage-related access and intrusions
  • dark web marketplaces and criminal hosting services
  • fraud and financial theft
  • selling stolen data
  • crypto misuse
  • money laundering

In other words: law enforcement isn’t only chasing ransomware groups. They’re also going after the infrastructure and financial pipelines that keep cybercrime alive.


Security Navigator 2026 Highlights the Bigger Trend

Orange Cyberdefense’s broader Security Navigator 2026 release supports the same direction of travel: cybersecurity threats are increasing and becoming more complex.

The report highlights:

  • 139,373 documented incidents
  • 19,053 confirmed breaches

It also explores key emerging risks like generative AI abuse, operational technology threats, and post-quantum cryptography challenges.


What Actions Are Law Enforcement Taking Most Often?

Looking at response types, the data shows that agencies are using a mix of hard enforcement and strategic disruption.

Here’s what stands out:

✅ Arrests lead the way (29%)

Arrests remain the most common action, showing a continued priority on identifying individuals and pushing cases through the courts.

✅ Takedowns and charges are also major tools

  • Takedowns (17%) focus on dismantling infrastructure such as servers, marketplaces, or botnet networks
  • Charges (14%) show many cases are moving toward prosecution, even when suspects are not immediately arrested

✅ Sentences, sanctions, and seizures are growing

Sanctions are especially interesting. The dataset shows sanctions rising steadily, suggesting governments are increasingly using economic and diplomatic pressure in addition to traditional arrests.

This is especially common when state-linked cyber operations or politically sensitive actors are involved.


Ransomware and Hacking Still Get the Most Arrests

When the dataset matches action type with crime type, one pattern becomes obvious:

  • arrests dominate almost every category
  • ransomware/extortion and hacking are among the top drivers of arrest activity
  • malware, espionage, and extortion cases also attract the widest mix of responses (arrests, charges, sentences, sanctions)

Meanwhile:

  • takedowns strongly connect to dark web markets and malware infrastructure
  • sanctions appear mostly tied to cyber espionage and state-aligned operations

That split makes sense: some targets can be arrested. Others are better disrupted through sanctions and infrastructure removal.


Which Countries Lead the Global Fight Against Cybercrime?

According to the dataset, the United States remains the most visible leader.

The U.S. is listed as a primary participant in nearly half of all documented actions (45%).

A strong second cluster includes:

  • Germany
  • United Kingdom
  • Netherlands
  • Spain
  • France
  • Russia
  • Ukraine

Europol and Eurojust-supported coordination plays a major role in European operations, reinforcing that cross-border teamwork is now standard in serious cybercrime investigations.

The presence of Russia and Ukraine is also notable: both are frequent cybercrime hotspots, yet both also run domestic enforcement operations, sometimes involving highly political cases.


Top Institutions: DOJ and FBI Dominate

Among the major institutions the dataset records as involved in global cyber enforcement actions:

  • The U.S. Department of Justice (DOJ) leads
  • The FBI follows closely behind
  • OFAC appears frequently, showing how sanctions and finance tools are being integrated into cybercrime response

Another interesting development: private organizations show up as a major supporting force.


Private Companies Play a Bigger Role Than Many People Realize

The dataset shows that private organizations rank among the most frequently mentioned supporting participants in cybercrime operations.

Out of 169 institutions studied:

  • 74 different private entities were identified supporting efforts in some form

This is a strong sign that public-private collaboration is no longer optional. It’s one of the main ways modern takedowns, disruption operations, and tracking efforts succeed.


Who Are the Offenders? Age Patterns Tell a Story

Age data was available for 193 offenders, and most cases fall into three age ranges:

  • 35–44 years: 37%
  • 25–34 years: 30%
  • 18–24 years: 21%

Together, these represent nearly 90% of known offenders.

The data suggests:

🔹 18–24: technical and experimental crimes

This group shows more hacking, DDoS, and mixed “trial-and-error” cyber activity.

🔹 25–34: shift toward profit

More involvement in data theft, malware deployment, and extortion begins here.

🔹 35–44: high-impact operations

This group shows the most cyber extortion, malware, espionage, and laundering connections—basically more structured, mature cybercrime.

Minors (12–17) likely appear less often because many countries limit public disclosure and prosecution details for juveniles.


Nationality Trends: Global Crime, But Concentrated Visibility

Nationality was disclosed in 365 cases, showing offenders from 64 nationalities.

Still, the dataset is heavily concentrated. The top nationalities include:

  • Russian (23%)
  • American (11%)
  • Chinese (11%)
  • Ukrainian (9%)
  • North Korean (5%)

It’s important to note: nationality doesn’t always show true “origin” in cybercrime. Digital operations are often multinational and anonymized.

Also, American cases likely appear high partly due to reporting bias: U.S. agencies publish more detailed and more frequent public enforcement updates than most countries.


Key Takeaways

This analysis offers a useful reality check on cybercrime enforcement:

✅ law enforcement is increasingly active and coordinated globally
✅ ransomware/extortion is still the top priority
✅ malware and intrusion activities remain central targets
✅ takedowns hit infrastructure while sanctions target larger networks and state-aligned operations
✅ private companies are now a major part of cybercrime disruption
✅ offenders are mainly adults aged mid-20s to mid-40s
✅ most activity still appears profit-driven, even when motivations sometimes blend with politics and ideology