DOJ to up tempo of cybercrime operations in 2024, senior official says

After a year of high-profile cybercrime busts, a senior Justice Department official said Tuesday that he expects more to come in 2024.

At the 10th International Conference on Cybersecurity in New York City this week, several top prosecutors within the Justice Department spoke about cybersecurity trends throughout 2023 and what this year may bring.

“I do foresee a more increased tempo of U.S. government disruption operations in cybersecurity,” Sean Newell, chief of the National Security Cyber Section at the Department of Justice told the audience on Tuesday.

“Many are public and many are not public, but that is something where … you will have regular temporal operation in 2024.”

Newell highlighted several operations in 2023, including the takedown of ransomware gangs like Hive and AlphV, as well as actions against popular botnets like Snake and Qakbot.

His comments came after the U.S. Attorneys for the Eastern and Southern Districts of New York — Breon Peace and Damian Williams — spoke at length about their priorities for the year.

Williams said the Southern District would prioritize prosecutions in the cryptocurrency hacking space after their most recent action against Shakeeb Ahmed — a former security engineer who pleaded guilty last month for stealing more than $12 million from hacking two decentralized cryptocurrency exchanges.

In addition to cryptocurrency platform thefts, his office is also looking into other crypto scams and fraudulent coins, he said.

Peace, from New York’s Eastern District, explained that his office would focus on dismantling the infrastructure around cybercriminal activity as a supplement to cases against cybercriminals.

“In the past, we've brought cases directly against people who commit these crimes. We are in fact actively investigating multiple ransomware cases where literally authorities abroad are going house to house to try to find our targets,” he said.

“Those are crucial prosecutions and they will continue and we will continue to pursue them. But we think it's equally important to target the individuals and companies that make these crimes possible by providing the services and infrastructure that cyber criminals rely on. Cyber criminals do not operate in a vacuum. They depend on an ecosystem that allows them to thrive.”

He mentioned several recent operations, including the takedown of the Bizlato platform last month. Bizlato had become “a haven for illicit transactions by ransomware criminals,” according to the Department of Justice. Peace also referenced the May 2023 takedown of Try2Check, the primary service offering “card-checking” to cybercriminals in the stolen credit card trade.

It is “important to impose the rule of law on the places where market participants can cash out,” Peace explained.

He also said that law enforcement plans to conduct more disruptions that don’t involve criminal charges, like the Snake malware takedown in May 2023.

In that case, there were no prosecutions and the activity was not attributed to any specific individuals, but they were able to stop an effective Russian government espionage campaign nonetheless, Peace said.

“Attributing cyber criminal activity to specific criminal actors is generally the hardest part of building a successful prosecution and where we can act to disrupt criminal activity even without identifying specific criminal actors or bringing criminal charges we will do so,” he said.

“Disruption is critical in combating cybercrime and cyber espionage in particular.”

Time to exploit

Peace noted that one alarming trend his office continues to see is that hackers are getting quicker at exploiting new vulnerabilities.

They continue to opportunistically scan for unpatched software with known vulnerabilities, and the time it takes them to exploit them is dropping each year.

Both Williams and Peace urged victims of cyberattacks and ransomware incidents to report them to the FBI or DOJ, even if they have paid a ransom, because any information provided is valuable.

Peace noted that in situations where a victim pays a ransom, it is helpful for law enforcement agencies to identify the cryptocurrency address where it was paid so that funds may be recovered.

He added that decryption tools developed by the U.S. government, or others, are increasingly becoming available, and coming forward as a victim would allow organizations to get the help they need.

Peace also addressed a new Securities and Exchange Commission rule requiring notice of “material” cyber incidents within four days. The Justice Department will be able to issue disclosure delays for companies that are important to national security.

While Peace said the disclosure delays issued by the U.S. Attorney General will be “rare and sparingly used,” companies should still come forward to request them.

Easier than ever

Both Williams and Peace said a concerning trend they are seeing is the plummeting barrier to entry into cybercrime — allowing less skilled actors to increasingly participate in complicated hacks.

The tools for cybercrime are getting cheaper and easier to deploy, helping younger and less experienced people commit harmful cyberattacks that would have been beyond their reach a few years ago.

“In particular, we're seeing younger offenders, some of whom are minors, engaged in swatting, doxing, sim swapping, sextortion and even soliciting violence for hire,” Peace said.

Cybercrime, Williams said, is more professionalized and available for those without technical skill.

“You can really pay someone to hack a target for you or you can pay someone to hold a company's data ransom for you,” he said. “The barriers to entry to cybercrime are dropping substantially and that is very concerning.”