First LockBit, now BreachForums: Are cops winning the war or just a few battles? On Wednesday the FBI and international cops celebrated yet another cybercrime takedown – of ransomware brokerage site BreachForums – just a week after doxing and imposing sanctions on the LockBit ransomware crew's kingpin, and two months after compromising the gang's website. While the BreachForums shutdown didn't have quite …
Arrest, trial and lengthy sentences would be what I'd term a "more aggressive" method of takedown.
20 years of supervised release doesn't seem as much of a deterrent as 20 years imprisonment although I suspect there might have been quite a bit of trading to get there.
And with a $10m reward I wouldn't rule out someone ordinarily resident in Russian suddenly turning up somewhere more accessible to arrest.
i agree completely with hard prison sentences for this kind of scum.
I'm just not convinced that any Russian national is going to give up one of his compatriots to the country that has been Russia's enemy since the Cold War.
Would you give up some hacker you knew to Xi Ping ?
Plus : a reward in dollars isn't going to be much of an incentive to a Russian, these days . . .
"Would you give up some hacker you knew to Xi Ping ?"
You're thinking as a law-abiding person, not as a criminal to whom the $10m is very likely aimed.
Several possibilities.
First, just considering Russian criminals: Criminals don't really stick together and some would easily be tempted by $10m if he could be kidnapped and transported across the border. There might even be the possibility of eliminating a rival or getting their own back if they've been cheated.
Secondly the $10m might be enough for a non-Russian gang to attempt the same.
Thirdly, there's the possibility of a sting operation, say somebody in a neighbouring country looking for help to st up a new operation and offering to cut him in. There are one or two countries where he might feel safe to visit.
"20 years of supervised release doesn't seem as much of a deterrent as 20 years imprisonment although I suspect there might have been quite a bit of trading to get there."
The deterrent is mainly in the perp's view of the probability of being caught rather than the sentence. If there were a 100% chance of being caught, then really light sentences would suffice. Say it was 200 hours litter picking - not much of sentence, yet if EVERY time you tried to commit a crime that was your outcome, you'd soon learn the game wasn't worth the candle. If there's a 50% chance of being caught then criminals may well see that as a chance worth taking if the potential payoff is high, for lower payoffs they'd be more circumspect. As the expected probability of conviction declines, the potential maximum sentence becomes less and less relevant.
Note as well that the perp's view of probability is not going to be informed by common sense or facts. I suspect all cyber crims think they're genius hackers, able to ghost in and out of systems without leaving a trace, truly untouchable. So I don't believe a few big takedowns are going to have any deterrent effect. The fact that online fraud in the UK doubled year on year in 2023 to a value of £2.3bn shows that there's more cyber crims and they're mostly getting away with it.
"The fact that online fraud in the UK doubled year on year in 2023 to a value of £2.3bn shows that there's more cyber crims and they're mostly getting away with it."
This is not surprising.
Take, for instance dodgy phone calls. There is no single reporting mechanism. The subscriber is supposed to triage the call themselves and then decide which of the reporting sites is appropriate. Receive and attempted fraudulent call? AFAICS there is no site for reporting this. If you have actually been defrauded there's a site to report it. Not collecting details of attempted frauds tells me there is no attempt to collect intelligence that might enable fraud operations to be detected and closed down sooner.
Take, as another instance, clickable links in spam. Are the public being discouraged from clicking them? No some financial institutions are routinely sending unsolicited emails with valuable marketing information spam to customers, training them to believe that a link in an unsolicited and unexpected email that appears to be from that institution can be safely clicked.
Are TPTB discouraging this? No, they're at it as well. IME a visit to any NHS service will be followed up by a text* with a link for feedback. And let's not forget sending texts to a landline where the text can be picked up by whoever's nearest the phone but their interpretation of GDPR prevents them, when queried, from saying who it was intended for.
* There's a great deal else wrong with this. The text doesn't say who it's intended for and just says "your recent visit" so anyone wanting to fake it can just spam them out blindly. Even for its intended purpose this fails if there have been a few appointments in quick succession before the first text arrives. Also any hospital appointment will ask for next of kin contact details and my local trust would (I think I have now dissuaded them) treat this as the contact information for the patient.
Its not just the hacker community. Many years ago driving to a client meeting I had R4 on. There was a discussion on criminality and the opinion was pretty much as you put it, the criminals don't think they'll be caught so even if there was a death penalty for most crimes it wouldn't make a lot of difference.
The ONLY way ransomware is going to be stopped is to make paying ransom a crime. And it's got to come with actual prison time for CEOs who pay, not just fines that companies will treat as a cost of doing business.
Sure, keep going after the perps, but it's not going to fix the problem, you're just playing whack-a-mole.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
