The growing sophistication and diversification of cybercrime have pushed law enforcement agencies across the world to respond through increasingly visible and coordinated operations, yet public understanding of these efforts remains fragmented. Information on cybercrime enforcement is scattered across national agencies, multinational task forces, and case specific announcements, offering only isolated snapshots rather than a comprehensive global view. To address this gap, Orange Cyberdefense intelligence teams have compiled and analyzed a dataset of 418 publicly announced law enforcement activities carried out between 2021 and mid 2025. Each entry in the dataset represents a verified action sourced from official statements and media reporting, then manually enriched with contextual and demographic details by the Orange Cyberdefense Security Research Center to provide a structured overview of how cybercrime is being addressed worldwide.
The analysis shows that cyber extortion, including ransomware, is the most frequently addressed criminal act, followed closely by the installation or distribution of malware and unauthorized access or intrusion. These three categories dominate reported enforcement activity and underline a sustained focus on financially motivated cyber operations and the technical intrusions that enable them. Authorities are also targeting enabling activities such as the provision of criminal infrastructure, including dark web marketplaces and hosting services, as well as cyber espionage and various forms of online fraud. Less frequent but increasingly visible are actions linked to data trafficking, cryptocurrency misuse, and digital money laundering, reflecting growing attention to the financial ecosystems that sustain cybercrime operations. While financial gain remains the primary driver behind most offenses, the analysis highlights how motivations have become more fluid, with some activities shifting toward political or ideological dimensions in response to geopolitical developments.
In terms of enforcement measures, sacked actions account for the largest share of publicly reported activity, representing nearly one third of all cases and underscoring a continued emphasis on individual accountability. Takedowns and formal charges together represent another significant portion, signaling a parallel focus on dismantling criminal infrastructure and advancing cases through judicial systems. Sentences, sanctions, and seizures illustrate how authorities are increasingly targeting not only individuals but also the economic foundations of cybercrime. Sanctions in particular have grown steadily over recent years, pointing to the expanding use of economic and diplomatic tools alongside traditional policing. Investigations, extraditions, and wanted notices further demonstrate the depth of cross border cooperation involved, with wanted notices serving both as a coordination mechanism and a deterrent by publicly attributing criminal activity even when immediate apprehension is not possible.
Geographically, the United States emerges as the most prominent actor, appearing as the primary participant in nearly half of all recorded actions, led by agencies such as DOJ and FBI. A second tier of countries including Germany, the United Kingdom, the Netherlands, France, Spain, Russia, and Ukraine reflects strong enforcement capacity outside the US, often coordinated through Europol, Eurojust, and Interpol frameworks. The data also highlights the growing role of multinational task forces and international collaborations where leadership is shared across jurisdictions. Private organizations play a significant supporting role, with 74 distinct companies identified as contributors across investigations, infrastructure takedowns, and technical assistance, underscoring the importance of public private partnerships in cybercrime disruption.
Offender demographics reveal that cybercrime activity is concentrated largely among adults aged 18 to 44, with the highest representation in the 35 to 44 age group. Younger offenders are more commonly linked to technically driven activities such as hacking and DDoS attacks, while older cohorts are more frequently associated with cyber extortion, malware deployment, cyber espionage, and money laundering. Nationality data, while limited in explanatory power due to the transnational nature of cyber activity, shows a concentration among a small number of countries, with Russian, American, Chinese, Ukrainian, and North Korean nationals accounting for over half of disclosed cases. The analysis notes that visibility biases, particularly the high transparency of US prosecutions, influence these figures and that lower representation does not necessarily indicate lower levels of activity.
Overall, the dataset presents a picture of an increasingly active yet uneven global response to cybercrime, marked by strong leadership from a handful of countries, expanding international cooperation, and deeper involvement of private sector actors. While enforcement actions are becoming more diverse in scope and method, the fragmented nature of public reporting continues to limit a unified understanding of how cybercrime is being confronted worldwide.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
