Non-Lawyers Summary
After a cyber incident, different government bodies do different jobs. The FBI investigates crimes, CISA helps with defense and coordination, regulators like the FTC and SEC look at the company's conduct, and OFAC can turn ransomware into a sanctions problem. This post maps that enforcement lineup.
The Day Everything Converged
Picture a Tuesday morning. A Fortune 500 company's security operations center lights up at 3 a.m. — ransomware, encrypting file servers faster than anyone can pull plugs. By 5 a.m., the CISO is on the phone with outside counsel. The lawyer asks one question first: "Who do we call?"
That question has no single answer. And the gap between knowing that fact and understanding why could be the difference between a controlled response and a catastrophe.
Federal cybercrime enforcement is not one agency. It is a coordinated — and sometimes competing — network of investigators, prosecutors, regulators, intelligence professionals, and international liaisons. Each one carries different tools, pursues different targets, and can make your client's life dramatically better or significantly worse depending on which call comes first.
Understanding who sits at which table is not an academic exercise. It determines who comes through the door next.
Key Concepts
Criminal vs. Regulatory Enforcement
Criminal enforcement: Aimed at punishing and deterring the attacker. Run by prosecutors (DOJ) with investigators (FBI). Outcome: indictment, conviction, prison, forfeiture, restitution.
Regulatory enforcement: Aimed at correcting the breached organization's security failures. Run by civil regulators (FTC, SEC, FCC, DHS components, and sector-specific agencies). Outcome: consent decrees, injunctions, fines, mandated security improvements.
Both can run simultaneously — and the victim organization may face regulatory action even while cooperating with criminal investigators pursuing the attacker.
The Reporting Problem
Here is the paradox no one tells victims upfront: reporting to the FBI does not satisfy your state breach notification law. Reporting to your state regulator does not satisfy the SEC. And going public to notify your customers, which some state laws require within as little as 30 days of discovery, can blow an active federal investigation and warn the attacker to destroy evidence.
The collision of these obligations is not a flaw in the system. It is the system. State breach notification statutes include law-enforcement delay provisions, but those delays are time-limited and depend on an affirmative request from investigators that notification would impede the investigation. Obtain that request in writing, record who made it and when, and renew it as the investigation proceeds. "Law enforcement told us to wait" is not a blank check.
U.S. Federal Enforcement Actors
Department of Justice (DOJ) — The Charging Authority
Somewhere in a secure DOJ conference room, a prosecutor is reviewing a 47-count indictment against a hacker who has never set foot on American soil. She knows she may never see him in a courtroom. She charges him anyway — because indictments shape the legal landscape even when defendants are unreachable.
Role: Charging authority for federal cybercrime prosecutions. Policy and strategy for cyber enforcement.
Key components:
- Computer Crime and Intellectual Property Section (CCIPS): DOJ's primary cybercrime policy and litigation unit. Prosecutes major cases, trains prosecutors across the country, advises on legal and policy issues in cyber investigations.
- National Security Division (NSD): Handles state-sponsored hacking, espionage, and sanctions evasion — the North Korean, Chinese, Russian, and Iranian hacker indictments run through NSD.
- U.S. Attorneys' Offices: Local prosecutors who charge cyber cases in their districts. Major cyber prosecution hubs include EDVA (Eastern District of Virginia), SDNY (Southern District of New York), and NDCA (Northern District of California).
- Office of International Affairs (OIA): Manages MLAT requests, extradition proceedings, and international evidence requests. The operational gateway for cross-border evidence in cybercrime cases.
Key tools: Grand jury subpoenas, search warrants (including warrants for stored content under 18 U.S.C. § 2703(a)), § 2703(d) court orders for non-content records, criminal complaints, indictments, plea agreements, asset seizure warrants, forfeiture proceedings.
Federal Bureau of Investigation (FBI) — The Case Builders
Just before dawn, FBI agents in tactical gear stack up outside an apartment in suburban Cleveland. Inside, a 24-year-old sits at his keyboard, unaware that the FBI has been tracking his Bitcoin wallets for two years. The knock comes at 6 a.m.
That moment — the arrest — is the visible end of a process that started the day the victim reported the breach.
Role: Primary federal investigative agency for cybercrime. Builds the factual case that becomes the DOJ prosecution.
Key components:
- Cyber Division (CD): Headquarters-level coordination of cyber investigations.
- Cyber Task Forces: Field-level operations in FBI field offices, often with state/local law enforcement partners.
- Internet Crime Complaint Center (IC3): Receives public cybercrime complaints; analyzes trends and refers cases to investigators.
Key tools: Search warrants for physical evidence and electronic data, pen registers/trap-and-trace orders, Title III wiretaps (for content interception), undercover operations, National Security Letters (for counterintelligence-related investigations), cryptocurrency tracing, infrastructure seizures (domains, servers), coordinated disruption operations.
Investigation timeline: Major cybercrime investigations typically take 2-5 years from initial detection to sentencing. Attribution — technically and legally establishing the defendant's identity — is the longest phase. This is not a sprint. It is a siege.
Cybersecurity and Infrastructure Security Agency (CISA) — The Shield, Not the Sword
CISA does not arrest people. It does not issue indictments. What it does is something both less dramatic and more quietly powerful: it coordinates the defense of the systems that keep the country running.
Role: Not a criminal investigator — a cybersecurity defense and coordination agency within DHS.
Key functions:
- CIRCIA administration: Implementing the Cyber Incident Reporting for Critical Infrastructure Act (rulemaking ongoing); will require critical infrastructure entities to report cyber incidents.
- Binding Operational Directives: Issues mandatory cybersecurity directives to federal civilian agencies (e.g., BOD 20-01 requiring VDPs; BOD 22-01 on known exploited vulnerabilities).
- CISA Advisories: Publishes threat intelligence, malware analysis, and mitigation guidance. Frequently co-authors advisories with NSA, FBI, international partners.
- Vulnerability Disclosure Policy coordination: Supports federal agencies in implementing VDPs; advocates for coordinated disclosure norms.
- Joint Cyber Defense Collaborative (JCDC): Public-private partnership for collective cyber defense.
Regulatory significance: CIRCIA when fully implemented will create mandatory incident reporting obligations for critical infrastructure sectors — a major expansion of federal reporting requirements beyond the sector-specific regimes currently in place.
Securities and Exchange Commission (SEC) — The Regulator That Followed the Money
No one predicted the SEC would become one of the most feared names in a post-breach boardroom. But cyber incidents produce disclosures, and disclosures — if they misrepresent what a company knew — become securities fraud.
Role: Civil securities regulator for public companies, public-company officers, and the disclosure ecosystem around the securities markets.
Cybersecurity relevance:
- The SEC regulates what public companies say about cyber risk, incidents, governance, and controls to investors.
- The SEC's 2023 cyber-disclosure rules are the clearest current rule set, but SEC cyber enforcement did not begin there. The agency has long used antifraud, reporting, books-and-records, and controls theories when it believes a public company painted a materially misleading picture of its cybersecurity posture.
- SEC enforcement matters because cyber incidents can become securities cases even when no privacy regulator is involved and even when the attack itself was committed by a nation-state or criminal actor.
Key enforcement tools: Civil complaints in federal court, administrative proceedings, cease-and-desist orders, civil penalties, officer-and-director bars, reporting undertakings, and remedial governance obligations.
Current anchor case — SEC v. SolarWinds: The SEC sued SolarWinds and its CISO, Timothy G. Brown, in October 2023, alleging misleading statements about cybersecurity controls and known risks, plus internal accounting controls and disclosure controls failures. In July 2024, the Southern District of New York allowed only the securities-fraud claims based on the company's public Security Statement to proceed and dismissed the rest: the claims based on other public statements, the post-SUNBURST disclosures, internal accounting controls, and disclosure controls. In November 2025, the SEC and the defendants stipulated to dismissal with prejudice of the conduct alleged in the amended complaint.
Practical significance for cyber counsel: SolarWinds is a reminder that a company's cybersecurity marketing, trust-center language, and investor-facing risk text can all be parsed together in a securities case. But it is equally a reminder that courts may reject attempts to turn every cybersecurity controls problem into a freestanding disclosure controls or internal accounting controls violation.
Federal Trade Commission (FTC) — The Regulator of Last Resort
The FTC does not wait for a hacker to be caught. It does not require a breach to have occurred. It comes for the companies that had terrible security long before the attacker arrived.
Role: Regulatory enforcement against companies with inadequate data security. Does NOT pursue hackers criminally.
Legal authority: Section 5 of the FTC Act (15 U.S.C. § 45) — "unfair or deceptive acts or practices." FTC has used this authority to pursue companies that:
- Made representations about their security practices that were false
- Failed to maintain "reasonable" security given the sensitivity of data held
- Failed to patch known vulnerabilities despite reasonable opportunity to do so
Key enforcement tools: Administrative complaints, consent orders, injunctive relief, civil penalties (available for violating an existing order or a specific rule such as COPPA, not for a first-time Section 5 violation), and required security programs with independent third-party assessments. FTC data security orders typically run 20 years, with ongoing assessment and reporting obligations.
Note on cybercrime: FTC Act § 5 does not require proving a breach occurred — the FTC can act on security failures alone. But breaches are typically the catalyst for FTC investigation.
Current enforcement pattern (2024-2026): The FTC's privacy and security docket now reaches well beyond classic "company got breached" cases. The agency's current enforcement pages and case library show active matters involving geolocation brokerage, connected-car telematics, anonymous messaging apps aimed at teens, child-directed video labeling, mobile app privacy, and broad platform surveillance practices. The through-line is still Section 5, but the operational theories increasingly focus on deceptive privacy claims, excessive data collection, weak retention/deletion controls, and failure to protect children and teens in data-driven products.
Why this matters for cyber lawyers: The FTC is not waiting for a standalone federal privacy or AI statute before acting. A platform can face privacy-and-security enforcement because it misrepresented its controls, used personal data in opaque automated systems, or failed to respect heightened children's privacy obligations under COPPA and a prior consent order.
Illustrative current matters:
- TikTok/ByteDance (pending, C.D. Cal. 2:24-cv-06535): DOJ sued on the FTC's behalf in August 2024 alleging COPPA and 2019 order violations. The FTC case materials frame the matter as a repeat-offender privacy-and-security case involving millions of children under 13, "age unknown" accounts, Kids Mode data collection, and retargeting practices using third-party services.
- Kochava (pending): The FTC's second amended complaint continues the agency's push against data brokers whose products allegedly enable sensitive geolocation tracking to clinics, shelters, and houses of worship.
- Disney (order approved December 2025): The FTC obtained a $10 million COPPA resolution tied to allegedly mislabeled child-directed YouTube videos, reinforcing that children's data collection through ad-tech and platform settings remains a live FTC enforcement priority.
- FTC staff surveillance report (September 2024): In a separate but related policy track, the FTC reported that major social-media and video-streaming companies used user and non-user data in algorithms, data analytics, and AI with inadequate controls and especially weak protections for kids and teens.
Office of Foreign Assets Control (OFAC) — The Sanctions Trap
Here is the scenario no ransomware victim expects: you pay to get your files back, and then the federal government tells you that you just committed a federal violation. Not the hacker. You.
This is not hypothetical. It is how OFAC works.
Role: U.S. Treasury sanctions authority. Administers economic sanctions against individuals, entities, and countries.
Cybersecurity relevance:
- OFAC has designated major ransomware groups (including portions of the LockBit and REvil ecosystems) as Specially Designated Nationals (SDNs).
- Paying a ransom to a designated ransomware group is a potential OFAC violation — even if the payer is the victim.
- OFAC has issued advisories warning that ransomware payments to sanctioned actors can create civil penalty liability for victims, insurers, and incident response firms involved in facilitating payment.
Practical significance for practitioners: Before advising a client to pay, counsel must screen the ransomware group, its known aliases, affiliates and operators, the payment address, and any intermediary against OFAC's SDN list, and document the result. If any party to the payment is designated, or has a sanctions nexus (for example, a designated operator or a comprehensively sanctioned jurisdiction), payment may be illegal without an OFAC license. OFAC can impose civil penalties on a strict-liability basis, so a victim's good faith is a mitigating factor, not a defense.
What the OFAC program looks like now: OFAC's current cyber-related sanctions page still centers the updated 2021 ransomware advisory, virtual-currency compliance guidance, cyber FAQs, specific-license procedures, and the legal framework in 31 CFR Part 578 plus Executive Orders 13694, 13757, 14144, and 14306. In other words: ransomware payment analysis is no longer just a "bad facts" problem; it sits inside a standing sanctions program with licensing, SDN screening, and enforcement architecture.
Current example: Treasury's August 14, 2025 action against Garantex is a useful illustration of how cyber sanctions and ransomware risk now intersect with the digital-asset ecosystem. Treasury said the exchange had facilitated ransomware actors and other cybercriminals and processed more than $100 million in illicit-linked transactions since 2019, then tied the redesignation to cyber authorities under E.O. 13694 as amended. For practitioners, that means the sanctions analysis often turns on the payment rails and facilitators, not only on the named ransomware crew.
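As an added illustration of the screening step described above (not code from the original post), the following Python screens the indicators a ransom note actually gives you, the group name and the payment address, against a sanctions list. The list entries, the addresses and the ransom note are constructed for this example and are not OFAC data; the matching threshold, the verdict labels and the idea of loading the real SDN files into the same structure are assumptions of the example. It generalizes the text's point slightly: a version suffix such as "3.0" or a squashed alias must not defeat a name match, and a bech32 address is compared case-insensitively.

```python
"""Screen ransom-note indicators against a sanctions list.

Added example, not code from the original post. The list entries, addresses
and ransom note are constructed and are not OFAC data.
"""
from __future__ import annotations
from dataclasses import dataclass
from difflib import SequenceMatcher
import re


@dataclass(frozen=True)
class SanctionsEntry:
    name: str
    program: str
    aliases: tuple = ()
    crypto_addresses: tuple = ()


# Constructed sample address (bech32 shape only; not a real or valid address).
EXAMPLE_ADDR = "bc1qexamplecrew" + "0" * 24

# Constructed sample list: hypothetical names, not real SDN entries.
SAMPLE_LIST = (
    SanctionsEntry("EXAMPLE RANSOM CREW", "CYBER2",
                   aliases=("ExampleCrew", "Example Crew 3.0"),
                   crypto_addresses=(EXAMPLE_ADDR,)),
    SanctionsEntry("HYPOTHETICAL EXCHANGE OOO", "CYBER2",
                   aliases=("HypoEx",),
                   crypto_addresses=("1HypoExchangeAddrXXXXXXXXXXXXXXXXX",)),
)

_VERSION = re.compile(r"\bv?\d+(?:\.\d+)*\b")   # "3.0", "v2" style suffixes
_NONALNUM = re.compile(r"[^a-z0-9]+")
# Loose Bitcoin address shape: base58 (1.../3...) or lowercase bech32 (bc1...).
_BTC_ADDR = re.compile(r"\b(?:bc1[a-z0-9]{25,87}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")


def normalize_name(name: str) -> str:
    """Casefold, drop version-like tokens and punctuation, collapse whitespace."""
    s = _VERSION.sub(" ", name.casefold())
    s = _NONALNUM.sub(" ", s)
    return " ".join(s.split())


def name_similarity(a: str, b: str) -> float:
    """Fuzzy score in [0, 1]; also compared with spaces removed so a squashed
    alias ("ExampleCrew") still matches "Example Crew"."""
    na, nb = normalize_name(a), normalize_name(b)
    if not na or not nb:
        return 0.0
    spaced = SequenceMatcher(None, na, nb).ratio()
    compact = SequenceMatcher(None, na.replace(" ", ""), nb.replace(" ", "")).ratio()
    return max(spaced, compact)


def normalize_address(addr: str) -> str:
    """bech32 addresses are case-insensitive; base58 addresses are not."""
    addr = addr.strip()
    return addr.lower() if addr[:3].lower() == "bc1" else addr


def extract_addresses(note_text: str) -> list:
    """Pull every address-shaped token out of a ransom note (deduplicated, sorted)."""
    return sorted(set(_BTC_ADDR.findall(note_text)))


@dataclass(frozen=True)
class Hit:
    indicator: str
    matched: str
    entry_name: str
    program: str
    kind: str      # "address" (exact) or "name" (fuzzy)
    score: float


def screen(group_names, addresses, entries=SAMPLE_LIST, threshold=0.85) -> list:
    """Exact match on payment addresses, fuzzy match on group names and aliases."""
    hits = []
    listed = {normalize_address(a): e for e in entries for a in e.crypto_addresses}
    for addr in addresses:
        entry = listed.get(normalize_address(addr))
        if entry is not None:
            hits.append(Hit(addr, normalize_address(addr), entry.name, entry.program, "address", 1.0))
    for group in group_names:
        for entry in entries:
            for candidate in (entry.name, *entry.aliases):
                score = name_similarity(group, candidate)
                if score >= threshold:
                    hits.append(Hit(group, candidate, entry.name, entry.program, "name", round(score, 3)))
    return sorted(hits, key=lambda h: h.score, reverse=True)


def verdict(hits) -> str:
    """A listed address blocks payment absent a license; a name match needs human
    review; no match is NOT a clearance (affiliates, rails, jurisdiction remain)."""
    if any(h.kind == "address" for h in hits):
        return "BLOCK: listed address"
    if hits:
        return "ESCALATE: possible name match"
    return "NO LIST MATCH (not a clearance)"


# Constructed ransom note used as sample input.
SAMPLE_NOTE = f"""Your network has been encrypted by Example Crew v3.0.
Pay 20 BTC to {EXAMPLE_ADDR} within 72 hours or your data is published."""

if __name__ == "__main__":
    hits = screen(["Example Crew v3.0"], extract_addresses(SAMPLE_NOTE))
    for h in hits:
        print(h)
    print(verdict(hits))
```

A clean screen is a necessary condition, not a clearance: the Garantex action above shows that the sanctioned party can be the exchange on the receiving end, so the same screening has to cover the payment rail and any negotiator or intermediary, and the screening date and list version belong in the file.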
Financial Crimes Enforcement Network (FinCEN) — The Transaction Watchers
Role: U.S. Treasury bureau that collects and analyzes financial intelligence. Administers the Bank Secrecy Act (BSA).
Cybersecurity relevance:
- Financial institutions that process ransomware payments, including money services businesses such as cryptocurrency exchanges, have Bank Secrecy Act anti-money-laundering obligations, including filing Suspicious Activity Reports (SARs).
- FinCEN has issued advisories on ransomware-related financial activity, establishing that ransomware payments are high-risk transactions requiring enhanced due diligence and SAR filing.
- Cryptocurrency exchanges that facilitate ransomware payment laundering face FinCEN enforcement action.
National Security Agency (NSA) — The Shadow Intelligence Layer
The NSA does not send agents to arrests. Its name does not appear on indictments. But often, the intelligence that made the indictment possible came from signals collection that can never be fully disclosed in court. It is the ghost in every major nation-state prosecution — present everywhere, attributable nowhere.
Role: Foreign signals intelligence collection and cybersecurity (SIGINT and Information Assurance). Does not conduct domestic law enforcement.
Cybersecurity relevance:
- NSA intelligence often provides the initial attribution for nation-state hacking. Because signals intelligence usually cannot be presented in open court, that lead is either declassified for use or re-established through independent, disclosable evidence (parallel construction) before it supports a DOJ indictment.
- NSA's Cybersecurity Directorate issues advisories on nation-state threat tactics and mitigations.
- NSA serves as Executive Secretariat for the Vulnerability Equities Process (VEP), the interagency process that decides whether the government discloses a vulnerability it has discovered or retains it for operational use.
International Cooperation Mechanisms
Mutual Legal Assistance Treaties (MLATs) — The Slow Lane
The attacker's servers are in Bucharest. The logs that prove it are in Amsterdam. The suspect is in Moscow. American investigators know all of this. What they cannot do — yet — is legally compel any foreign authority to hand over a single byte.
MLATs are the formal bilateral or multilateral treaties for obtaining evidence in criminal investigations. The DOJ Office of International Affairs manages U.S. MLAT requests.
How it works:
- U.S. investigator needs evidence from abroad (server logs, subscriber records, emails)
- Prosecutor drafts MLAT request documenting legal basis, relevance, and need
- OIA submits to foreign central authority
- Foreign authority processes under its national law (may require judicial authorization)
- Evidence transmitted (if approved) for use in U.S. proceedings
Timeline reality: MLAT requests average months to over a year. For volatile digital evidence — logs that auto-delete, servers that may be seized by suspects — MLAT speed is often inadequate.
The Budapest Convention 24/7 network: Article 35 of the Budapest Convention creates a 24/7 contact point in each Party country for emergency evidence preservation — separate from the formal MLAT process. Within hours, a U.S. investigator can request that a foreign country preserve (not produce) evidence while the formal MLAT request is processed.
The Enforcement Toolkit: Infrastructure Seizure + Crypto Tracing
When prosecution cannot reach a defendant, disruption may. And when disruption cannot reach the money, blockchain forensics might — years after the attack, across a hundred wallet hops, through exchanges in six jurisdictions.
Domain and server seizure: Courts can issue seizure orders for domains and servers used in cybercrime operations. Major ransomware infrastructure (LockBit's leak site, Hive's payment portal, REvil's infrastructure) has been seized through coordinated multinational operations involving U.S., European, and other law enforcement.
Cryptocurrency seizure: The FBI's Virtual Asset Exploitation Unit (VAEU) and, until DOJ disbanded it in April 2025 and shifted its work to CCIPS and the U.S. Attorneys' Offices, DOJ's National Cryptocurrency Enforcement Team (NCET) specialized in tracing and seizing cryptocurrency. Every Bitcoin transaction is recorded on a public blockchain, and forensic firms such as Chainalysis and Elliptic trace funds through laundering chains by following outputs hop by hop and clustering addresses under common control. Tracing identifies where the funds went; seizure still requires a point of control, either a custodian (usually an exchange) that will honor a warrant or freeze request, or the private keys themselves, which is how the Colonial Pipeline recovery was executed.
Practical effect: Ransomware groups that collect payment may find their proceeds seized once tracing completes, sometimes within weeks (Colonial Pipeline: 63.7 BTC recovered about a month after the May 2021 payment) and sometimes years later (the 2016 Bitfinex hack, theft rather than ransomware: roughly 94,000 BTC seized in February 2022).
No one told the Colonial Pipeline hackers they had already lost the money. They just did not know it yet.
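To make the tracing step concrete, here is an added example (not from the original post, and not how Chainalysis or Elliptic implement their products) of pro-rata taint propagation over a constructed, chronologically ordered ledger. The transactions, addresses and exchange labels are invented; the "haircut" model, in which each output inherits the tainted fraction of its transaction's inputs and the tainted share of the fee is written off, is one of several published taint heuristics and is assumed here for simplicity. The ledger includes a peel chain and a mixing step with clean funds, the two patterns the text alludes to.

```python
"""Pro-rata ("haircut") taint tracing over a constructed ledger.

Added example, not code from the original post and not how commercial tracing
products work. Transactions, addresses and exchange labels are invented.
"""
from __future__ import annotations
from collections import defaultdict

# Constructed ledger in chronological order. A tx spends earlier outputs by
# (txid, index) and creates (address, value in BTC) outputs; inputs minus
# outputs is the miner fee. "pay" is the victim's ransom payment; "clean" is
# unrelated money the launderer later mixes in.
LEDGER = [
    {"txid": "pay",   "inputs": [],                        "outputs": [("ransom1", 10.0)]},
    {"txid": "clean", "inputs": [],                        "outputs": [("cleanA", 4.0)]},
    {"txid": "t1",    "inputs": [("pay", 0)],              "outputs": [("peel1", 9.0), ("xdep1", 0.95)]},
    {"txid": "t2",    "inputs": [("t1", 0)],               "outputs": [("peel2", 8.0), ("ydep1", 0.99)]},
    {"txid": "t3",    "inputs": [("t2", 0), ("clean", 0)], "outputs": [("xdep2", 6.0), ("peel3", 6.0)]},
    {"txid": "t4",    "inputs": [("t3", 1)],               "outputs": [("zdep1", 6.0)]},
]
# Deposit addresses attributed to custodians (in practice this attribution comes
# from exchange cooperation and address clustering; assumed here).
LABELS = {"xdep1": "Exchange X", "xdep2": "Exchange X", "ydep1": "Exchange Y", "zdep1": "Exchange Z"}


def trace_taint(ledger, seed_txid, labels):
    """Propagate taint forward from every output of seed_txid.

    Each output of a spending tx inherits taint = (tainted inputs / all inputs)
    * output value; the tainted share of the fee is written off. Returns
    (tainted value per label, tainted value lost to fees, first hop per label).
    """
    outputs = {}                 # (txid, idx) -> (address, value)
    taint = {}                   # (txid, idx) -> tainted value in that output
    hop = {}                     # (txid, idx) -> hops from the seed
    reached = defaultdict(float)
    first_hop = {}
    lost_to_fees = 0.0
    for tx in ledger:
        for i, (addr, val) in enumerate(tx["outputs"]):
            outputs[(tx["txid"], i)] = (addr, val)
        if tx["txid"] == seed_txid:
            for i, (_, val) in enumerate(tx["outputs"]):
                taint[(tx["txid"], i)] = val
                hop[(tx["txid"], i)] = 0
            continue
        ins = tx["inputs"]
        tainted_in = sum(taint.get(ref, 0.0) for ref in ins)
        if not ins or tainted_in == 0.0:
            continue                                     # clean tx, nothing to propagate
        total_in = sum(outputs[ref][1] for ref in ins)
        fraction = tainted_in / total_in
        depth = 1 + min(hop[ref] for ref in ins if ref in taint)
        total_out = sum(val for _, val in tx["outputs"])
        lost_to_fees += fraction * (total_in - total_out)
        for i, (addr, val) in enumerate(tx["outputs"]):
            tainted = fraction * val
            taint[(tx["txid"], i)] = tainted
            hop[(tx["txid"], i)] = depth
            if addr in labels:                           # landed at a custodian
                reached[labels[addr]] += tainted
                first_hop.setdefault(labels[addr], depth)
    return ({k: round(v, 8) for k, v in reached.items()},
            round(lost_to_fees, 8), first_hop)


if __name__ == "__main__":
    per_exchange, fees, hops = trace_taint(LEDGER, "pay", LABELS)
    for label, amount in per_exchange.items():
        print(f"{label}: {amount} BTC tainted, first reached at hop {hops[label]}")
    print(f"lost to fees: {fees} BTC")
```

The result tells an investigator which labelled custodians received tainted value, at which hop, and how much was written off to fees. A hit on a custodian is what turns a trace into a freeze request or seizure warrant; the peel-chain change addresses (peel1, peel2, peel3) are only reachable if the keys are obtained.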
Enforcement Process Flowchart
flowchart TD
A[Incident discovered by victim or third party] --> B[Containment + forensics]
B --> C[Preserve evidence: logs, images, chain of custody]
C --> D[Notification decisions: regulators, consumers, insurers]
C --> E[Engage law enforcement: IC3 report / direct FBI contact]
E --> F[Investigation: subpoenas, warrants, undercover, infrastructure + crypto tracing]
F --> G[Attribution: technical + legal identification of defendant]
G --> H[Indictment / arrest / extradition or fugitive status]
H --> I[Litigation: motions, discovery, plea or trial]
I --> J[Sentencing: prison, restitution, forfeiture]
D --> K[Civil litigation / regulatory enforcement against victim org]
J --> L[Asset seizure distributed as restitution where collectible]
Typical Penalty Mix in Major Prosecutions
Because cyber incidents blend intrusion and monetization, sentences reflect combined exposure. The numbers are not theoretical: they are the statutory maximums prosecutors put in front of defendants in plea negotiations and in sentencing memoranda.
| Component | Statute | Typical Range |
|---|---|---|
| Unauthorized access/damage | CFAA, 18 U.S.C. § 1030 | Up to 10 years for most first offenses; up to 20 for repeat offenses or serious bodily injury; life if death results |
| Wire fraud | 18 U.S.C. § 1343 | Up to 20 years per count (30 if the scheme affects a financial institution) |
| Aggravated identity theft | 18 U.S.C. § 1028A | +2 years MANDATORY CONSECUTIVE |
| Money laundering | 18 U.S.C. § 1956 | Up to 20 years |
| RICO | 18 U.S.C. § 1963 | Up to 20 years + forfeiture |
| Restitution | 18 U.S.C. § 3663A | Mandatory in many cases; amount = victim losses |
| Forfeiture | Various | All proceeds of crime; all instrumentalities |
Aggregate reality: The Vasinskyi (REvil) sentence of 13+ years reflects multiple counts — CFAA violations, wire fraud, and money laundering stacked together. In the most serious cases, defendants face 20-40+ years of potential exposure before plea negotiations reduce this to more typical sentencing ranges.
That is not a typo. That is the penalty stack that makes defendants plead.
Practitioner Takeaways
1. Know which agency does what before making the first call. Calling the FBI starts a criminal investigation. Calling CISA gets you defensive support and does not by itself start a criminal referral. Calling your financial or sector regulator (OCC, NYDFS, SEC, and the like) triggers regulatory oversight. These are different tracks with different consequences. Advise your client on which call to make, and in what order.
2. Law enforcement cooperation buys delay on public notification, but not indefinitely. State breach notification statutes allow a delay when investigators determine that notification would impede a criminal investigation. Those delays are time-limited and depend on an affirmative, documented request from law enforcement. Get the request in writing, note who made it and when, and renew it as the investigation proceeds.
3. OFAC screening is now mandatory before any ransomware payment advice. With ransomware operators, affiliates and facilitating exchanges on the SDN list, counsel advising on a payment must screen the group, its known aliases, the payment address and any intermediary, and document the result. Payment to a designated party without a license is a civil violation on a strict-liability basis (and potentially a criminal one if willful), even for the victim.
4. The forensics firm is building the criminal case, not just the civil one. When a company retains a forensics firm post-breach, the forensics report and supporting data may be sought by law enforcement in a later criminal proceeding and by plaintiffs in civil litigation; courts have ordered production of post-breach forensic reports where the engagement looked like ordinary incident response rather than legal advice (In re Capital One Consumer Data Security Breach Litigation, E.D. Va. 2020). Structure the engagement through counsel from day one, and keep the legal-advice work product separate from the operational remediation record.
5. Cryptocurrency seizure may deliver victim recovery when prison does not. In ransomware cases where the attacker is beyond criminal reach, DOJ's cryptocurrency tracing capability may eventually result in asset seizure that reaches victims through restitution — years after the attack. Advise clients to preserve records of losses for restitution proceedings that may come long after the initial incident.
6. Public-company cyber cases are still securities cases first. When the SEC shows up, the core question is not whether the company had a bad security week. It is whether the company made materially misleading statements about cyber risk, cyber governance, cybersecurity controls, or disclosure controls to investors. SolarWinds is the current cautionary example.
Quiz
See: artifacts/quizzes/quiz-01e.md