Non-Lawyers Summary

This module catalogs the most significant cybercriminal prosecutions from 1988 to 2025, with emphasis on the last decade. Each entry extracts the controlling legal doctrine, the technical conduct alleged, and the actual sentence — giving security researchers a map of exactly where the law has drawn lines and what it looks like when it draws them wrong.


How to Read This Module

Each entry follows: alias → real name → charges → verdict → sentence → doctrine extracted. Cases marked [AT LARGE] are indicted but not in U.S. custody. Cases marked [EXTRADITION FIGHT] went through contested extradition proceedings. The Legal Lesson row is what every security researcher should internalize.


Era 1: The Mythmakers (1988–2002)

The Calm — A World Before Cyberlaw

In 1988, there was no federal computer crime precedent. No case law. No Sentencing Guideline adjustments for "sophisticated means." A graduate student at Cornell thought he was running an experiment. What he was actually doing was writing the first chapter of a legal canon that would define the next 40 years.


Robert Tappan Morris — The Morris Worm (1988)

Just before midnight on November 2, 1988, machines across the ARPANET started behaving strangely. Processes multiplied. Systems slowed. At MIT, Berkeley, Stanford, and hundreds of research sites — roughly 6,000 UNIX machines — the same thing was happening. No one knew why. No one had ever seen anything like it.

The worm had three attack vectors: a sendmail debug mode vulnerability, rsh/rexec trust relationships, and a fingerd buffer overflow. It was self-replicating and did not discriminate. It wasn't designed to destroy — and yet it destroyed. The damage happened because the infection rate exceeded what its author had modeled.

That author was Robert Tappan Morris, a 23-year-old graduate student and son of the NSA's chief scientist.

What happened next would define the law for decades.

  • Conviction: CFAA § 1030(a)(5) — first federal cybercrime conviction
  • Sentence: 3 years probation, 400 hours community service, $10,050 fine
  • Doctrine: United States v. Morris, 928 F.2d 504 (2d Cir. 1991) — "intentional" in § 1030(a)(5) modifies access, not damage; unintended damage still satisfies the statute
  • Legal lesson: Releasing exploit code that causes damage you didn't intend is still a federal crime. Intent to access + resulting damage = conviction. Morris went on to co-found Y Combinator. The law he created never went away.

Kevin Poulsen (Dark Dante) — Phone Line Hijacking (1989–1993)

He was known as Dark Dante. He didn't just hack systems — he owned them. When a Los Angeles radio station ran a call-in contest for a Porsche 944, Poulsen seized control of the station's entire phone switching system and guaranteed the winning call would be his. He did it again for a trip to Hawaii. Again for $20,000 in cash. All the while, he was tunneling through ARPANET systems, accessing FBI databases, and compromising ARPANET infrastructure.

For two years, the FBI hunted him. He became the first hacker to have his face flashed on Unsolved Mysteries — and then the TV show's phone lines mysteriously went down. He vanished for 17 months before his arrest.

  • Conviction: Wire fraud, computer fraud, money laundering, obstruction of justice
  • Sentence: 51 months prison (longest hacker sentence at the time), $56,000 restitution
  • Doctrine: Computer access + wire fraud stacking; government computer access adds obstruction exposure
  • Legal lesson: Monetizing access — even indirectly through prize winnings — triggers wire fraud on top of CFAA. Poulsen later became editor of WIRED's Threat Level blog and still works in journalism.

Kevin Mitnick (Condor) — The Legend Who Couldn't Stop (1988–1995)

The name became myth before the arrest. Kevin Mitnick — "Condor" — was described by federal prosecutors as the most dangerous hacker in the United States. He had penetrated Digital Equipment Corporation, Motorola, Nokia, Sun Microsystems, and Pacific Bell. He cloned cell phones to evade tracking. He social-engineered his way through security that no technical exploit could crack.

Tsutomu Shimomura, the computer security expert whose machines Mitnick had compromised on Christmas Day 1994, tracked him personally. The pursuit became a book. The book became a film. The arrest — in a Raleigh, North Carolina apartment building on February 15, 1995 — became front-page news worldwide.

What the myth obscured: Mitnick's worst weapon was a phone call. His best exploit was a human voice.

  • Conviction: Wire fraud, computer fraud (multiple counts)
  • Sentence: 5 years prison + 3 years supervised release; banned from using computers without probation officer approval until 2003
  • Doctrine: Social engineering is not a defense; probation conditions restricting computer use upheld; supervised release violations charged separately
  • Legal lesson: Social engineering that results in unauthorized access is still unauthorized access. Post-conviction computer bans are real and enforced. Mitnick became the world's most famous security consultant before his death in 2023.

Matthew Bevan (Kuji) & Richard Pryce (Datastream Cowboy) — Pentagon Intrusions (1994–1996) [UK]

Without warning, in the spring of 1996, U.S. Air Force investigators realized something impossible: their secure research facility at Rome Laboratory had been breached by what appeared to be a Korean military intrusion. The alarms cascaded up the chain of command. War-gaming scenarios were activated. The Pentagon braced.

Then the truth emerged: it was two teenagers in Britain, routing through Korean networks to mask their trail. Richard Pryce — "Datastream Cowboy" — was 16. Matthew Bevan — "Kuji" — was 21. They had accessed USAF Rome Laboratory, Wright-Patterson AFB, and the Korean Atomic Research Institute via dial-up modems, for curiosity and thrill.

What the incident nearly triggered was a diplomatic catastrophe. What it actually produced was a landmark in jurisdictional doctrine.

  • Verdict: Pryce: guilty plea (UK), fined £1,200. Bevan: charges dropped 1997 (UK).
  • Doctrine: UK Computer Misuse Act 1990 § 1/§ 3; territorial jurisdiction when attack originates abroad but hits U.S. infrastructure
  • Legal lesson: Routing through a third country's systems does not provide cover — it can make the situation diplomatically worse. Bevan's acquittal hinged on lack of criminal intent, not lack of access.

Jonathan James (c0mrade) — NASA / DTRA Intrusions (1999–2000)

He was 15 years old. He installed a backdoor on a Defense Threat Reduction Agency network and intercepted over 3,300 emails — usernames and passwords included. Then he turned his attention to NASA. He stole source code for the International Space Station life support systems. NASA valued it at $1.7 million. They shut down the life support computers for 21 days while they assessed the damage.

When the FBI came, they found a teenager.

  • Conviction: Juvenile adjudication (CFAA, wire fraud equivalent)
  • Sentence: 6 months detention (first juvenile incarcerated for cybercrime in U.S.)
  • Doctrine: Juvenile jurisdiction does not reduce federal charging authority; valuation of software at replacement cost accepted for loss calculation
  • Legal lesson: Age does not protect you from federal prosecution. NASA valued the stolen code at $1.7M — prosecutors used that number for sentencing. James died by suicide in 2008, age 24, amid a Secret Service investigation into the TJX breach (he denied involvement).

Adrian Lamo (Homeless Hacker) — New York Times, Microsoft, Excite@Home (2001–2003)

He was called the Homeless Hacker because he worked from coffee shops, libraries, and Kinko's. He didn't have a fixed address. He didn't have a regular life. He had unpatched proxies, a methodical mind, and a habit of contacting his victims after their systems were breached — not to extort them, but to explain what he'd found.

He called himself a Good Samaritan. Prosecutors called him a criminal. Both were correct.

  • Conviction: CFAA § 1030 — unauthorized computer access
  • Sentence: 6 months house arrest, 2 years probation, $65,000 restitution
  • Doctrine: Disclosure of discovered vulnerabilities to the press does not constitute authorization; "I could have done worse" is not a legal defense
  • Legal lesson: Telling the victim what you found does not cure unauthorized access. Lamo later reported Chelsea Manning to the FBI in 2010, a decision that defined his controversial legacy until his death in 2018.

Era 2: When Organized Crime Found a Keyboard (2003–2012)

The Disruption — Scale Meets Greed

In the early 2000s, hacking stopped being a subculture and became an industry. The tools were commoditized. The targets were credit cards. The distribution was global forums. What had been an underground of brilliant eccentrics became a criminal marketplace — and the law started building infrastructure to match it.


Albert Gonzalez (soupnazi) — TJX, Heartland, Hannaford (2003–2008)

He drove around parking lots with a laptop. He called it wardriving. He was looking for unencrypted wireless networks — specifically the kind that connected to point-of-sale systems. TJX Companies had one. He found it in a Marshalls parking lot in Miami. What followed was the largest retail data breach in history at the time: 170 million credit and debit card numbers, sucked out through a wireless backdoor nobody noticed for months.

But the full story was worse. Gonzalez was simultaneously working as an FBI informant. He was being paid to help catch other hackers. While receiving that check, he was running his own criminal empire.

  • Conviction: CFAA, wire fraud, aggravated identity theft (18 U.S.C. § 1028A)
  • Sentence: 20 years prison (longest sentence for computer crime at time of sentencing)
  • Doctrine: Concurrent vs. consecutive sentencing for stacked charges; cooperation credit reversed when defendant found to be double agent; § 1028A mandatory consecutive 2 years
  • Legal lesson: Being an FBI informant while running your own criminal operation is not a sustainable position. Gonzalez's cooperation credit was effectively nullified by his parallel criminal activity.

Gary McKinnon (Solo) — NASA / Pentagon Intrusions (2001–2002) [EXTRADITION FIGHT]

He was looking for UFOs. He told everyone that, even after he accessed 97 U.S. military and NASA computers, deleted files on Army systems, and posted "YOUR SECURITY IS CRAP" on a compromised Army website. He was a Scottish systems administrator with a broadband connection and, he claimed, a sincere belief that the U.S. military was concealing evidence of extraterrestrial contact.

The U.S. government saw it differently. They calculated $700,000 in damages and sought extradition under the Extradition Act 2003. What followed was a decade-long legal battle that changed British law.

  • Outcome: Extradition blocked by UK Home Secretary Theresa May in 2012 on human rights grounds (Asperger's diagnosis, suicide risk). Never prosecuted in UK due to insufficient UK nexus.
  • Alleged conduct: Accessed 97 U.S. military and NASA computers; deleted files; posted "YOUR SECURITY IS CRAP" on Army website; caused $700K+ in damages
  • Doctrine: Extradition Act 2003 (UK); Article 8 ECHR (right to private life); the "forum bar" introduced into the UK Extradition Act post-McKinnon
  • Legal lesson: Human rights law can block extradition even for serious cybercrime. The McKinnon case directly caused the UK to legislate a forum bar allowing UK courts to block extradition where the offense has a substantial UK connection.

Hector Monsegur (Sabu) — LulzSec / Anonymous (2011–2012)

He was the most wanted hacker in the country. He was also, from the moment of his arrest, the FBI's most valuable asset. Hector Monsegur — "Sabu" — leader of LulzSec, orchestrator of attacks against Sony, Fox, PBS, the U.S. Senate, the CIA, and Stratfor — flipped within 24 hours of being identified. For ten months, he operated with FBI agents watching his every keystroke, recording over 300 hours of chat sessions, guiding his former comrades into traps they never saw coming.

Jeremy Hammond. Jake Davis. Ryan Cleary. Ryan Ackroyd. All arrested. All convicted. All because the man they trusted most had chosen survival.

  • Conviction: CFAA, computer hacking conspiracy (guilty plea)
  • Sentence: 7 months time served (extraordinary cooperation credit)
  • Doctrine: Cooperation can reduce a 10-year+ sentence to time served; cooperation must include active assistance in new investigations, not just pleading guilty
  • Legal lesson: Sabu's cooperation led to arrests of Jeremy Hammond, Jake Davis, Ryan Cleary, Ryan Ackroyd, and others. He remains the most consequential cooperator in hacking history.

Jeremy Hammond (sup_g) — Stratfor / LulzSec (2012)

He believed in what he was doing. He said so at sentencing, standing before a judge who would give him the maximum allowed by his plea agreement. He had hacked Stratfor, a private intelligence firm, and handed five million emails to WikiLeaks. He had hacked police fusion centers. He had targeted foreign government sites. He had done it for politics, for ideology, for what he described as a moral duty.

The judge sentenced him to 10 years. The ideology counted for nothing.

  • Conviction: CFAA § 1030 — unauthorized access, damage
  • Sentence: 10 years federal prison (maximum under plea agreement)
  • Doctrine: Scope of hacking into foreign governments counted in U.S. sentencing despite occurring abroad; political motivation is not a mitigating factor at sentencing; restitution to Stratfor and banks totaling $2.5M+
  • Legal lesson: Ideological motivation does not reduce federal sentencing. Hammond's 10 years was the maximum allowed under his plea — the government sought more.

Andrew Auernheimer (weev) — AT&T iPad Email Harvest (2010)

No authentication was required. That was the point. AT&T's website returned iPad users' email addresses in response to any GET request that included a valid ICC-ID — a device identifier that followed a predictable sequential pattern. Auernheimer and Daniel Spitler wrote a script. They iterated through hundreds of thousands of ICC-IDs. They harvested 114,000 email addresses. Senators. Military officers. CEOs.

They gave the list to a journalist.

The government charged them with CFAA violations. The jury convicted on the merits. Then the Third Circuit vacated the conviction — not because the CFAA theory was wrong, but because the case was tried in the wrong state.

  • Initial conviction: CFAA § 1030, identity fraud (2012); reversed on appeal (2014) for improper venue, not on the CFAA merits
  • Doctrine: United States v. Auernheimer, 748 F.3d 525 (3d Cir. 2014): venue must be where the offense was committed, not where the victim is located. The 3d Circuit did NOT hold the CFAA conduct was lawful — only that venue was improper in New Jersey.
  • Legal lesson: The reversal of Auernheimer's conviction was not a vindication — it was a venue error. The underlying CFAA theory on publicly accessible APIs was never rejected on the merits. Security researchers routinely misread this case.

Era 3: Nation-State Shadows (2013–2018)

The Mystery — Who Is Really Running These Operations?

By 2013, the lines between criminal hacker and state-sponsored operator had blurred beyond recognition. The men running billion-dollar cyberfraud operations lived openly, in countries that wouldn't extradite them, sometimes appearing to operate with government protection. U.S. indictments landed like press releases. The names on the wanted posters weren't hiding — they just weren't reachable.


Evgeniy Bogachev — GameOver Zeus / Cryptolocker [AT LARGE]

The FBI placed a $3 million bounty on his head — the largest reward ever offered for a cybercriminal. Evgeniy Bogachev operated the GameOver Zeus botnet, a network of 500,000 to 1,000,000 infected machines, and used it to steal over $100 million from banks, businesses, and individuals. When a victim's account was drained, GameOver Zeus would launch a DDoS attack against the bank's fraud department to prevent them from noticing in time to reverse the transaction. Then Bogachev deployed Cryptolocker through the same infrastructure — one of the first ransomware operations at scale.

He operated from Russia. Reports suggest he operated with FSB awareness, possibly assistance. He is reportedly still in Russia. Possibly on a yacht on the Black Sea.

  • Indicted: 2014 (W.D. Pa.), CFAA, wire fraud, bank fraud, money laundering conspiracy
  • FBI Reward: $3,000,000 (highest ever for a cybercriminal at the time of designation)
  • Doctrine: Joint FBI/Europol botnet takedown (Operation Tovar 2014) established precedent for international botnet disruption without suspect custody; civil forfeiture of domain infrastructure
  • Legal lesson: DOJ can indict, seize infrastructure, and freeze assets without ever arresting the defendant. Bogachev remains free in Russia.

Andrei Tyurin + Gery Shalon + Joshua Aaron — JPMorgan / Dow Jones Hacks (2014–2015)

The breach of JPMorgan Chase affecting 83 million accounts was a feat of scale that stunned investigators. But it wasn't the end goal. It was the raw material. Tyurin and Shalon used the stolen customer data to identify investors and run pump-and-dump schemes — buying stock in obscure companies, spamming the stolen contact lists with promotions for those companies, and selling at the peak. Simultaneously, they operated an unlicensed Bitcoin exchange to launder the proceeds.

The charging combination — computer intrusion + securities fraud — had never been seen before.

  • Sentences: Tyurin: 12 years (2021). Shalon: 12 years (2021). Aaron: 2.5 years (2019).
  • Doctrine: Computer intrusion + securities fraud = unprecedented charging combination; market manipulation using stolen PII treated as wire fraud and securities fraud simultaneously
  • Legal lesson: Data stolen from financial institutions can fuel securities fraud charges entirely separate from the CFAA counts.

Lauri Love [EXTRADITION FIGHT]

He had hacked NASA, the U.S. Army, the FBI, the Federal Reserve, and the Missile Defense Agency — gigabytes of data exfiltrated through SQL injection across dozens of U.S. government targets between 2012 and 2013. The U.S. government wanted him extradited. The UK court blocked it. The reason: Lauri Love suffered from Asperger's syndrome and severe depression, and the court found that extradition to a U.S. federal prison would create an unacceptable risk of suicide.

The UK's Crown Prosecution Service ultimately declined to prosecute domestically in 2023. The case sits unresolved — never tried, never acquitted, never closed.

  • Outcome: Extradition to U.S. blocked by UK Court of Appeal in 2018 (Asperger's, suicide risk). UK CPS declined prosecution in 2023.
  • Doctrine: UK Extradition Act 2003 § 91 (oppression); Article 3 ECHR (inhuman/degrading treatment); the forum bar applied
  • Legal lesson: The UK now has two landmark cases (McKinnon + Love) establishing that severe mental illness / suicide risk can block extradition even for serious cybercrime. This does NOT apply in most other extradition treaties.

Ardit Ferizi — The Hacker Who Armed ISIS (2015)

He was a hacker in Kosovo who found a target he could sell. He breached a U.S. retailer, pulled the personal information of 1,351 U.S. military and government personnel — names, addresses, passwords — and handed the data to ISIS fighter Junaid Hussain. Hussain published it as a "kill list."

The FBI killed Hussain in a drone strike. Ferizi was arrested in Malaysia and extradited to the United States.

  • Conviction: CFAA § 1030, providing material support to terrorist organization (18 U.S.C. § 2339B)
  • Sentence: 20 years federal prison
  • Doctrine: First prosecution combining CFAA with material support for terrorism; data theft used as terrorist weapon; extraterritorial CFAA jurisdiction (Ferizi arrested in Malaysia, extradited)
  • Legal lesson: Using stolen data as a weapon for a terrorist organization triggers material support charges that dwarf CFAA penalties. 20 years is the maximum for § 2339B.

Aleksei Burkov — Cardplanet Carding Forum (2015 arrested, 2020 conviction)

Russia tried to use him as a bargaining chip. In 2019, while Burkov sat in an Israeli jail awaiting extradition to the United States, Russian authorities arrested a young American-Israeli dual citizen named Naama Issachar on drug charges — charges that critics alleged were timed to create leverage. Russia offered to trade Issachar for Burkov.

The U.S. and Israel both refused. Burkov was extradited. Issachar was eventually pardoned by Vladimir Putin — but not before Burkov was convicted.

  • Conviction: Access device fraud (18 U.S.C. § 1029), wire fraud, computer intrusion conspiracy
  • Sentence: 9 years prison
  • Doctrine: Russia attempted diplomatic pressure (held U.S. citizen Naama Issachar in Russia as leverage); U.S. extradited Burkov from Israel despite Russian pressure
  • Legal lesson: Russia using a criminal defendant as a geopolitical bargaining chip did not prevent extradition. Israel honored the U.S. extradition request.

Marcus Hutchins (MalwareTech) — Kronos Banking Trojan (2014–2017, arrested 2017)

In May 2017, Marcus Hutchins registered a domain name he found buried in WannaCry's code — a kill switch that the ransomware checked before encrypting files. By registering it, he stopped the global spread of the worst ransomware attack in history. He was 22 years old, working from his bedroom in Devon.

Three months later, the FBI arrested him at Las Vegas airport as he was flying home from DEF CON. The charge: creating and selling the Kronos banking trojan three years earlier, before he became a defender.

The man who stopped WannaCry had written malware. Both things were true simultaneously.

  • Conviction: CFAA, wiretapping (guilty plea 2019)
  • Sentence: Time served + supervised release (no prison time; the WannaCry kill-switch work was weighed at sentencing)
  • Doctrine: Pre-fame criminal conduct is prosecutable regardless of subsequent heroism; cooperation + time served + extraordinary circumstances drove near-zero sentence
  • Legal lesson: Stopping WannaCry did not erase prior criminal liability — but it clearly influenced sentencing. Hutchins is the clearest example of sentencing discretion working in a defendant's favor.

Era 4: The New Regime — Ransomware, SIM Swaps, and the Age of Indictment (2019–2025)

The Reveal — The Industrialization of Cybercrime

By 2019, cybercrime had become a corporate structure. Ransomware-as-a-Service platforms. Affiliate programs. Revenue-sharing models. Customer support. Press releases from criminal organizations. And on the other side: a U.S. government that had built specialized task forces, international partnerships, and the capability to seize infrastructure across continents without ever making an arrest.


Paige Thompson (erratic) — Capital One Breach (2019, convicted 2022)

She had worked at Amazon Web Services. She knew how the cloud was built. When she discovered a misconfigured AWS WAF at Capital One — a server-side request forgery vulnerability that allowed her to query the instance metadata service — she used her institutional knowledge to navigate the architecture and reach the S3 buckets containing data on 106 million customers.

Then she accessed 30 other companies the same way. She bragged about it on Slack. Someone reported it.

  • Conviction: CFAA § 1030(a)(2), wire fraud (7 counts); acquitted on identity theft counts
  • Sentence: 5 years probation, time served
  • Doctrine: Former employee with institutional knowledge = "exceeds authorized access" under Van Buren; IMDSv2-equivalent exploitation is CFAA-covered; jury acquitted on identity theft counts (no evidence of intent to use data)
  • Legal lesson: Cloud SSRF via IMDS is CFAA-covered unauthorized access. Thompson's light sentence (no prison despite 106M records) reflects the absence of monetization intent and credit for time served in pretrial detention.

Joseph James O'Connor (PlugwalkJoe) — Twitter Hack / SIM Swap / Extortion (2020, convicted 2023)

July 15, 2020. Barack Obama, Joe Biden, Elon Musk, Bill Gates, Apple, Uber — verified Twitter accounts, all of them suddenly posting the same message: "Send Bitcoin to this address and I'll double it." The hack that hijacked the platform's most prominent accounts was not an advanced persistent threat. It was a 22-year-old in his bedroom, social engineering Twitter employees into giving him admin tool access.

O'Connor was arrested in Spain in 2021. He was extradited to the United States in 2023 and pleaded guilty. The accounts he'd hijacked for a $120,000 Bitcoin scam were only part of his record — he'd also SIM-swapped TikTok accounts for extortion, and cyberstalked minors.

  • Conviction: CFAA, wire fraud, cyberstalking, extortion (guilty plea)
  • Sentence: 5 years federal prison
  • Doctrine: Extradited from Spain (2023); SIM swapping targeting telecom systems = CFAA unauthorized access; social engineering telecom employees to swap SIMs = computer fraud conspiracy
  • Legal lesson: SIM swapping by social engineering a carrier employee is federal computer fraud — you don't personally touch the computer, but you cause someone authorized to access it to do so on your behalf.

Graham Ivan Clark — Twitter Hack (2020)

He was 17. He orchestrated it. While O'Connor provided the social engineering infrastructure, Graham Clark was the mastermind who brokered the insider access, changed email addresses, bypassed 2FA, and ran the Bitcoin scam. Florida prosecutors chose to charge him as a juvenile — a decision that capped his sentence at maximums far below what federal law would have imposed.

  • Conviction: 30 counts (Florida state charges — wire fraud, identity theft, unauthorized computer access)
  • Sentence: 3 years juvenile detention + 3 years probation (prosecuted as juvenile at 17 in Florida)
  • Doctrine: Florida's decision to charge as juvenile (despite federal options) limited sentence to maximum under juvenile law
  • Legal lesson: State prosecutors' choice to charge as juvenile capped Clark's sentence significantly. Federal authorities could have sought far more — they let Florida lead because Clark was 17 and local.

Nima Fazeli (Rolex) + Mason Sheppard (Chaewon) — Twitter Hack Co-Conspirators (2020)

They didn't access the systems. They brokered access. They connected buyers to the Twitter admin tools that Clark controlled. Under CFAA conspiracy theory, that was enough.

  • Sentences: Fazeli: guilty plea, 3 years probation. Sheppard: guilty plea, 3 years probation + $748K restitution.
  • Doctrine: Brokers who don't directly access systems but facilitate SIM swaps and account takeovers are co-conspirators under CFAA conspiracy theory (§ 1030(b))

Arion Kurtaj + Co. — Lapsus$ / Rockstar Games (2022, convicted 2023) [UK]

He had already been arrested once. He was under police supervision. His bail conditions prohibited him from going online. He booked a hotel room, connected through his phone's hotspot, and launched another attack — this time against Rockstar Games, leaking 90 clips of GTA6 gameplay footage that had never been seen by the public.

Kurtaj was 18. He had previously hacked Microsoft, Okta, Nvidia, Samsung, Ubisoft, T-Mobile, and Globant, exfiltrating source code and credentials through SIM swapping and social engineering. The UK court found him guilty but not criminally responsible — he suffered from a mental disorder severe enough to result in a hospital order rather than a prison sentence.

  • Conviction: UK Computer Misuse Act 1990 §§ 1, 2, 3; blackmail; fraud
  • Outcome: Kurtaj found not criminally responsible (mental disorder); indefinite hospital order. Other Lapsus$ members: youth rehabilitation orders.
  • Doctrine: UK CMA applies extraterritorially to attacks on foreign systems; mental disorder at time of offense ≠ acquittal; hospital order replaces prison for dangerous mentally ill defendants
  • Legal lesson: Lapsus$ demonstrates that even teenagers with apparent impunity eventually get caught through digital forensics. Kurtaj was committing attacks from his hotel room after a prior arrest.

Mikhail Matveev (Wazawaka / m1x) — Ransomware Operator [AT LARGE]

After DOJ indicted him in 2023 and OFAC designated him, Matveev gave an interview to a journalist. He laughed. He said he lived "on the border of legal and illegal." He posted memes about the indictment. He called the $10 million FBI reward poster a "cool wallpaper." He was still in Russia. He is still in Russia.

  • Indicted: 2023 (D.N.J., D.D.C.) — LockBit, Babuk, Hive ransomware
  • FBI Reward: $10,000,000
  • Alleged conduct: Hacked D.C. Metropolitan Police Department (Babuk), healthcare providers, critical infrastructure; demanded multi-million dollar ransoms
  • Doctrine: OFAC designated; DOJ used dual-track approach (criminal indictment + sanctions); Matveev publicly taunted U.S. law enforcement after indictment
  • Legal lesson: Matveev is the clearest example of "indicted but untouchable in Russia" — the indictment matters for asset freezing and travel, not for actual custody.

Dmitry Khoroshev (LockBitSupp) — LockBit Admin [AT LARGE]

For years, LockBitSupp was the most feared name in ransomware. The persona ran LockBit, the most prolific ransomware-as-a-service platform in history — 2,000+ attacks in 120 countries, $500 million in ransom payments, $100 million in personal earnings.

Then in February 2024, law enforcement from the U.S., UK, and Australia launched Operation Cronos. They didn't just seize the infrastructure — they took over LockBit's own website and used it to publish Khoroshev's identity, photograph, and legal history. The criminal empire's own platform became the press release announcing its collapse.

  • Indicted: 2024 (multiple jurisdictions, simultaneous U.S./UK/Australia announcement)
  • FBI Reward: $10,000,000
  • Doctrine: Operation Cronos (2024) seized LockBit infrastructure, decryption keys, 194 affiliate servers, and $110M in cryptocurrency before indictment unsealed; law enforcement used LockBit's own website to publish Khoroshev's identity
  • Legal lesson: Even when you can't arrest the operator, seizing infrastructure and publishing identity effectively destroys the criminal enterprise. LockBit's brand credibility collapsed post-Operation Cronos.

Vladislav Klyushin — Russian Insider Trading via Hacked Earnings (convicted 2023)

He had connections to Russian military intelligence. He had a Moscow cybersecurity firm with government contracts. And he had a scheme so elegant it deserved to be studied: hack the filing agents — Donnelley Financial Solutions and Toppan Merrill — that processed corporate earnings reports before public release. Obtain the reports. Trade on them. Repeat.

$93 million in illegal profits, earned by knowing what Pepsi and Tesla and Microsoft were about to tell the world before they told anyone else. He was arrested in Switzerland on a ski vacation. Russia applied pressure. Switzerland extradited him anyway.

  • Conviction: CFAA, securities fraud, wire fraud
  • Sentence: 9 years federal prison
  • Doctrine: Computer intrusion used to commit securities fraud creates CFAA + securities fraud stacking; extradited from Switzerland despite Russian diplomatic pressure
  • Legal lesson: Computer intrusion to gain material non-public information is securities fraud. Klyushin's 9-year sentence is the longest ever for a securities fraud scheme using computer intrusion.

Conti / Trickbot Members — Russian Ransomware Syndicate (indicted 2023)

The internal communications leaked themselves. In February 2022, days after Russia invaded Ukraine, an anonymous Ukrainian researcher published 160,000 internal Conti group chat messages — a year's worth of operational communications, personnel conflicts, salary disputes, technical discussions, and attack planning. The leak exposed the organization's structure and gave U.S. prosecutors extraordinary evidence.

The group had attacked hospitals during COVID-19. They had encrypted medical records while patients were being treated. The critical infrastructure sentencing enhancement under 18 U.S.C. § 1030(c)(4)(B) featured prominently in the charging documents.

  • Key defendants: Mikhail Tsarev (indicted, AT LARGE), Maksim Galochkin (indicted, AT LARGE), Andrey Zhuykov (indicted, AT LARGE)
  • Alleged conduct: Developed and deployed Trickbot banking trojan and Conti ransomware; attacked hospitals during COVID-19 pandemic; extorted $180M+ from victims
  • Doctrine: Critical infrastructure attacks (hospitals during pandemic) cited for sentencing enhancement under 18 U.S.C. § 1030(c)(4)(B); OFAC designations accompanied indictments
  • Legal lesson: Conti group's internal chat logs — leaked by a Ukrainian researcher — provided prosecutors with extraordinary evidence. Opsec failure through insider betrayal is a recurring theme.

REvil Members — Kaseya Attack and Sodinokibi Ransomware

July 4, 2021. Independence Day weekend. REvil hit Kaseya VSA — a remote monitoring tool used by managed service providers — and through it, reached 1,500+ businesses simultaneously. The ransom demand: $70 million in Bitcoin for a universal decryptor.

Yaroslav Vasinskyi — "Rabotnik" — was arrested in Poland at the U.S. government's request. He was extradited. He faced CFAA counts for each of the 2,500+ ransomware attacks in his indictment. The scale of the charges was staggering. The sentence reflected it.

  • Key defendants: Yaroslav Vasinskyi (Rabotnik): 13 years + $16M restitution (2024); Yevgeniy Polyanin: indicted, AT LARGE, $6.1M seized
  • Conviction: Vasinskyi: CFAA, wire fraud, money laundering (guilty plea)
  • Doctrine: Supply chain attack through MSP software = CFAA unauthorized access to each downstream victim; money laundering charges for Bitcoin conversion; Vasinskyi arrested in Poland at U.S. request, extradited
  • Legal lesson: Supply chain ransomware operators face CFAA counts for every downstream victim system, not just the initial target.

Joseph Sullivan — Uber CISO Cover-Up (2022, convicted)

He wasn't the hacker. He was the security executive who decided what to do about the hackers. When two attackers breached Uber's systems in 2016 and demanded money, Sullivan authorized a $100,000 Bitcoin payment. He classified it in the company's books as a bug bounty payment. He did not disclose the breach to the Federal Trade Commission — which was, at that exact moment, conducting an active investigation into Uber's data security practices.

In 2022, Sullivan became the first corporate CISO convicted of a crime related to breach response decisions.

  • Conviction: Obstruction of justice, misprision of felony (concealing a crime)
  • Sentence: 3 years probation + 200 hours community service
  • Doctrine: First criminal conviction of a corporate CISO for breach response decisions; concealing a breach from regulators while a regulatory investigation is pending = obstruction; paying hackers as "bug bounty" without disclosure = misprision
  • Legal lesson: Calling a ransom payment a "bug bounty" and hiding it from regulators is federal obstruction. Sullivan's case fundamentally changed how CISOs manage breach decisions.

Recidivism and Cooperation Patterns

Pattern                                   | Examples                        | Outcome
------------------------------------------+---------------------------------+------------------------------------------------
Cooperation → minimal sentence            | Monsegur (Sabu), Hutchins       | Time served / probation
Double agent (FBI informant + criminal)   | Gonzalez                        | Cooperation credit voided
Political motivation cited                | Hammond, Auernheimer            | No mitigation at sentencing
Russian state protection                  | Bogachev, Matveev, Yakubets     | Indicted, never extradited
Mental health blocking extradition        | McKinnon, Love                  | Extradition blocked (UK)
Post-arrest reoffending                   | Kurtaj (Lapsus$)                | Attacks from hotel room after prior arrest

Sentencing Range Reference

Conduct Type                                    | Typical Federal Range | Highest Actual Sentence
------------------------------------------------+-----------------------+--------------------------------------------------------------
Simple unauthorized access (no monetization)    | Probation – 2 years   | 5 years (Mitnick)
Large-scale data theft with sale                | 5–15 years            | 20 years (Gonzalez)
Ransomware operator                             | 10–20 years           | 13+ years (Vasinskyi; sentencing still pending in other cases may run higher)
Nation-state-adjacent financial fraud           | 9–12 years            | 12 years (Tyurin/Shalon)
Material support for terrorism via hacking      | 20 years              | 20 years (Ferizi)
CISO cover-up (no actual hacking)               | Probation             | 3 years probation (Sullivan)

Key Doctrine Summary — The Rules the Legends Wrote

Van Buren (2021): "Exceeds authorized access" requires circumventing a technical gate, not just violating a use policy. This narrowed CFAA but did not eliminate it for researchers who access systems they have no right to access at all.

Cooperation: The single most reliable sentence reducer in hacker cases. Monsegur (Sabu) got time served on charges carrying 10+ years. Hutchins got no prison. The pattern is consistent.

Russia protection: If a hacker operates from Russia and maintains favor with the Russian state, a U.S. indictment means very little in practice. Bogachev (2014), Yakubets (2019), Matveev (2023), Khoroshev (2024) — all indicted, none in custody.

Infrastructure seizure without arrest: Operation Cronos (LockBit), Operation Tovar (GameOver Zeus), REvil server seizure — DOJ can destroy criminal infrastructure without custody of the operator. This is increasingly the real consequence of cybercrime indictments.

Age: Jonathan James (juvenile, 6 months). Graham Clark (juvenile, 3 years). Age affects forum (state vs. federal) and sentencing ceiling. It does not prevent prosecution.

