Cybercrime and Punishment: Who’s Answerable?
Cybercrime is expected to cost $23 trillion by 2027, but who is responsible? This blog examines hackers, spyware developers, negligent businesses, and governments, exploring legal actions, real cases, and ethical dilemmas in cybercrime accountability.
By 2027, the annual cost of cybercrime is expected to surpass $23 trillion, more than doubling from recent years, according to Anne Neuberger, U.S. Deputy National Security Advisor for Cyber and Emerging Technologies. As ransomware, phishing, and state-sponsored attacks continue to rise, the question of who should be held accountable becomes more urgent.
Is it the hackers who carry out the attacks, the developers who create malicious tools, or the organizations that fail to secure their systems? Cybercrime accountability remains a complex legal challenge, with no clear answers.
In this blog, we will explore the key players responsible for cybercrimes, the legal frameworks governing cybercrime across different regions, real-life cases where cybercriminals have been prosecuted, and the ethical dilemmas surrounding cybercrime accountability.
Key Players in Cybercrime
Cybercrime involves more than just hackers; it includes criminal groups, tool developers, state-sponsored attackers, and negligent insiders. Each plays a role in enabling breaches, whether through direct attacks, supplying malicious software, or failing to follow security protocols. Recognizing the roles of these actors helps in developing targeted cybersecurity strategies and enforcing accountability.
Hackers and Cybercriminals
Cybercriminals are the primary offenders, carrying out attacks that cause financial, operational, and reputational damage. They are legally accountable when identified and prosecuted, but many operate from jurisdictions that provide little enforcement.
Some of the most infamous cybercriminal groups include:
- REvil: A ransomware group responsible for high-profile attacks on global organizations.
- Conti: A prolific ransomware gang known for targeting critical infrastructure.
- APT38: A North Korean cyber group implicated in large-scale financial thefts to fund state operations.
Developers of Malicious Tools
Those who develop and distribute hacking tools, malware, and spyware enable cybercrime, even if they claim their software is for security research. If their products are knowingly misused, they share ethical and legal responsibility for the resulting cyberattacks.
Examples include:
- NSO Group – Created Pegasus spyware, which was allegedly used to monitor journalists and activists.
- Hacking Team – Sold spyware to oppressive governments for mass surveillance.
- FinFisher – Provided surveillance tools used against dissidents.
State Actors
Governments often sponsor cyberattacks for espionage or economic gain, making them difficult to prosecute under international law. State-backed hackers target critical infrastructure, intellectual property, and financial systems to advance national interests.
Notable state-sponsored hacking groups that have been linked to major cyber espionage and financial crimes include:
- APT29: A group linked to Russian state-backed cyber espionage.
- APT41: A Chinese state-sponsored group known for targeting intellectual property.
- Lazarus Group: A North Korean cybercrime entity implicated in numerous high-profile financial thefts and espionage campaigns.
Negligent Insiders
Employees and contractors can unintentionally aid cybercriminals through weak security practices, mishandling sensitive data, or falling for scams. While they may not face criminal charges, their actions can cause major breaches and financial losses.
Examples include:
- Edward Snowden (2013) – A former NSA contractor who leaked classified U.S. surveillance documents, exposing global intelligence programs and raising concerns over insider threats.
- Bank Employees Selling Client Data (2024) – Bank workers were caught selling customer data to fraudsters, enabling large-scale financial scams. (New York Post)
- North Korean IT Worker Infiltration (2024) – North Korean operatives posed as remote IT freelancers to access sensitive systems in Western companies. (The Australian)
- Pentagon Leak by Air National Guardsman (2023) – A U.S. Air National Guardsman leaked classified Pentagon documents online, exposing the risks of insider access. (ISACA)
Legal Frameworks and Challenges
Combatting cybercrime requires strong legal frameworks, which vary by region but share a common goal: to prevent, regulate, and penalize cyber offenses. Below are key legislative measures in major jurisdictions:
United States
The U.S. has implemented several laws and regulations to combat cybercrime, focusing on preventing unauthorized access, enhancing threat intelligence sharing, and strengthening cybersecurity for critical infrastructure.
- Computer Fraud and Abuse Act (CFAA) – The primary federal law against unauthorized computer access and hacking. (Congress.gov)
- Cybersecurity Information Sharing Act (CISA) – Encourages private sector companies to share cyber threat intelligence with the government. (Congress.gov)
- Executive Order 14028 (2021) – Issued by President Biden, this order enhances cybersecurity for federal agencies and critical infrastructure, focusing on modernizing defenses and improving information sharing. (NIST)
United Kingdom
The UK has established strict cybersecurity laws to combat hacking, protect personal data, and ensure compliance with privacy regulations. These laws impose significant penalties for cyber offenses and data breaches.
- Computer Misuse Act 1990 – Criminalizes unauthorized computer access and hacking, with strict penalties. (Legislation.gov.uk)
- Data Protection Act 2018 (DPA 2018) – Regulates personal data processing and aligns with UK-GDPR standards. (Legislation.gov.uk)
European Union
The EU has implemented comprehensive cybersecurity and data protection regulations to strengthen digital resilience, protect critical industries, and safeguard personal data across member states.
- NIS2 Directive (Directive (EU) 2022/2555) – Mandates higher cybersecurity standards for critical industries across the EU. (Eur-Lex.europa.eu)
- General Data Protection Regulation (GDPR) – Imposes strict data protection and privacy requirements, with heavy fines for non-compliance. (GDPR)
These laws shape global cybersecurity policies, ensuring that individuals, businesses, and governments are held accountable for cyber risks and data protection.
Major Cybercrime Arrests and Prosecutions
As cybercriminals attack businesses and governments, law enforcement agencies worldwide are working to stop them by arresting hackers, shutting down ransomware groups, and breaking up fraud networks. Below are examples of recent operations that led to arrests and disrupted major cybercrime networks.
Operation Cronos (2024)
In February 2024, a coordinated effort led by Europol and law enforcement agencies from 12 countries targeted the LockBit ransomware group. The operation, known as Operation Cronos, resulted in the arrest of four individuals, the seizure of nine servers, and financial sanctions against affiliates, significantly disrupting the group's operations. (Europol)
Scattered Spider Indictments (2024)
In November 2024, U.S. prosecutors charged five individuals, aged between 20 and 25, linked to the Scattered Spider hacking group. This group has been responsible for high-profile cyberattacks, including breaches at MGM Resorts International and Caesars Entertainment, causing significant financial losses. The indictments marked a major crackdown on social engineering and ransomware attacks. (Reuters)
Ethical Dilemmas in Cybercrime Accountability
Cybercrime raises complex legal and ethical questions, making it difficult to determine responsibility. Key challenges include:
- Platform Liability – Should social media, cloud services, and hosting platforms be held responsible for allowing cybercriminals to operate on their networks?
- Encryption vs. Law Enforcement – How can authorities access encrypted data to investigate cybercrimes without violating user privacy?
- AI and Deepfakes – How should laws adapt to AI-generated scams, deepfake fraud, and automated cyberattacks?
As technology evolves, policymakers must find a balance between security, privacy, and accountability.
Who Is Responsible for Cybercrime?
Cybercrime accountability is a shared responsibility among hackers, tool developers, organizations, insiders, and governments, each contributing to or preventing cyber threats.
- Hackers and cybercriminals commit attacks like ransomware and phishing, causing financial and reputational damage. They face prosecution when caught.
- Developers of malicious tools create hacking software and spyware. If knowingly misused, they share legal and ethical responsibility.
- Organizations must secure their systems and data. Poor cybersecurity can make them liable under laws like GDPR.
- Negligent insiders (employees falling for scams or misusing credentials) increase security risks, even if not criminally liable.
- Governments must enforce laws, prosecute cybercriminals, and regulate security practices to prevent unchecked threats.
Fighting cybercrime requires stronger policies, accountability, and global cooperation to minimize risks and hold the right parties responsible.
Key Steps to Prevent Cybercrime
Preventing cybercrime requires action from organizations, governments, and individuals. By strengthening cybersecurity, improving global cooperation, and updating laws, we can reduce cyber threats and create a safer digital world.
Strengthening Organizational Security
Businesses must invest in strong cybersecurity measures, train employees, and comply with regulations to prevent breaches. Keepnet's Adaptive Security Awareness Training helps organizations protect against social engineering attacks using a scientific behavior change model, AI-driven phishing simulations, and executive reports.
Enhancing International Cooperation
Law enforcement agencies must work together across borders to track and prosecute cybercriminals. Faster email threat detection and response tools, such as Keepnet’s Incident Responder, enable security teams to analyze and mitigate threats 48.6 times faster, improving response times to cyber incidents.
Adapting Legal Frameworks to Emerging Threats
Laws must evolve to address new cyber threats like AI-driven phishing and advanced hacking techniques. Organizations can strengthen their defenses using Keepnet’s Phishing Simulator, which provides AI-powered phishing simulations with 6,000+ realistic campaign templates to enhance security awareness.
A proactive approach, combined with advanced security training and real-time threat response, is key to minimizing cyber risks and holding the right parties accountable.