September 19, 2023 By Mike Elgan

In the worldwide battle against malicious cyberattacks, there is no organization more central to the fight than the Federal Bureau of Investigation (FBI). And recent years have proven that the bureau still has some surprises up its sleeve.

In early May, the U.S. Department of Justice announced the conclusion of a U.S. government operation called MEDUSA. The operation disrupted a global peer-to-peer network of computers compromised by malware called Snake.

Attributed to a unit of the Russian government Security Service, called Turla, the Snake malware operated for close to 20 years, stealing documents from governments, journalists and others in at least 50 countries and “laundering” that data through infected computers in the United States as part of a broad, ongoing cyber espionage operation.

To facilitate the success of Operation MEDUSA, the FBI created PERSEUS. This tool caused Snake malware to overwrite its own components, thereby hobbling itself.

In short, the FBI and its partners created something like malware with a payload that altered software on target computers. However, the altered software itself was the real malware.

It’s not the only time the FBI beat hackers by hacking. But this kind of aggressive, effective action might have been unthinkable ten years ago.

How the FBI Approaches Cyberattacks

The FBI maintains a division called the Cyber Division (CyD), responsible for investigating and prosecuting cyber crimes. The organization focuses on threats not only to the government and citizens but also to American companies.

More than 1,000 CyD agents and analysts work in 56 US field offices and over 350 sub-offices. They also travel globally in Cyber Action Teams to help foreign nations with cyber crime and learn about threats to US interests. The FBI also works with the major three-letter U.S. agencies, including the CIA, DHS and the NSA.

The bureau formally partners with U.S. industry. More than 600 Fortune 1000 companies participate in the FBI’s Domestic Security Alliance Council for sharing best practices and knowledge about emerging threats. The bureau’s InfraGard program connects some 70,000 US professionals to protect the infrastructure of private industry. The bureau is part of numerous other groups for learning, teaching and coordinating cybersecurity practices.

CyWatch is the bureau’s 24/7, 365 days-a-year cyber center. There, professionals with a widely diverse set of skills coordinate domestic law enforcement responses to cyberattacks. It also manages the FBI’s own response to attacks.

The bureau’s Internet Crime Complaint Center (IC3) offers an open invitation to report cyber crimes, which the FBI may choose to investigate.

The FBI also maintains a Cyber’s Most Wanted list. This helps the global public identify and report the bureau’s most infamous suspects.

And, of course, the FBI uses its credibility and reach to warn the public about emerging threats, with guidance on what to do about them.

A great many organizations, governments and agencies fight cyber crime. But the FBI is in a unique position in part because of all the help it gets from tips, collaboration with US corporations and tech companies, foreign law enforcement agencies and other US agencies.

And in recent years, it’s utilized that cooperation to even greater effect.

Major FBI Disruptions Over the Past Ten Years

Here are just a few of the FBI’s cases that disrupted cyberattacks globally.


Silk Road: The FBI took over the darknet marketplace that specialized in the sale of illegal drugs and other contraband, called Silk Road, and arrested founder Ross Ulbricht.

Citadel Botnet: The FBI and international law enforcement agencies took out more than 1,400 instances of the banking fraud Citadel Botnet, which installed a keylogger on some five million computers with the end goal of stealing money from banks. The perpetrator, Dimitry Belorossov, was arrested in Spain, extradited to the United States, tried, convicted and imprisoned.


Cryptolocker and Gameover Zeus: The FBI was part of an international effort to disrupt the Gameover Zeus banking fraud botnet that distributed Cryptolocker ransomware.


Darkode dark web forum: The FBI coordinated an effort among law enforcement agencies in 20 countries called Operation Shrouded Horizon to take down an online forum called Darkode, which brought together people looking to buy or sell credit card information, server credentials, hacking tools, malware, botnets and other resources useful for malicious criminal behavior. It was also a forum for the sharing of knowledge and ideas for committing cyber crimes. After law enforcement infiltrated the closed site and gathered evidence there, they arrested dozens of Darkode associates and charged them. A dozen were indicted by the United States.


Avalanche Network: The FBI and international law enforcement agencies dismantled the Avalanche network, which was used for worldwide crime sprees based on phishing attacks and the distribution of malware. Estimates say Avalanche infected some 500,000 computers and caused hundreds of millions of dollars in losses. Threat actors specifically designed it to block detection by law enforcement and cybersecurity specialists.


AlphaBay and Hansa: The FBI and international partners shut down these dark web marketplaces, which were both used for the sale of illegal products like drugs, weapons, stolen data and more. Major players were arrested and convicted.


Operation reWired: Working with international law enforcement, the FBI disrupted a global business email compromise (BEC) fraud scheme. Some 281 suspects were arrested in multiple countries.


REvil/Sodinokibi: The FBI disrupted the REvil/Sodinokibi ransomware group, which compromised the global meat processing company JBS and also the Kaseya software company.

Emotet and NetWalker: The FBI neutralized the Emotet malware spread and a ransomware variant called NetWalker.


Hive Ransomware Group: A global law enforcement operation spearheaded by the FBI shut down a Russia-linked Ransomware-as-a-Service (RaaS) group called Hive. The group had been selling ransomware services and tools since the summer of 2021, raking in some $100 million from over 1,500 victims (including hospitals) in 80 countries. The operation lawfully “hacked the hackers,” according to Deputy Attorney General Lisa O. Monaco. The FBI took over Hive’s digital infrastructure completely, locking the perpetrators out. The FBI also distributed encryption keys to victims.

Barriers to More Effective FBI Cyber Law Enforcement

Former and disgruntled employees have criticized the FBI over its approach to cyber crime. First and foremost, the FBI has a long history of expecting all agents to be able to do just about any job within the agency, with non-technical people sometimes working in the cyber division and cyber experts working other kinds of crime in the field. This doesn’t work for a highly specialized realm like cybersecurity, say critics.

Also, some cybersecurity pros claim that the FBI isn’t culturally compatible with fighting cyber crimes. The culture of the FBI, they say, favors fast, thorough investigations resulting in arrests and convictions. Cyber investigations can take years and result in zero arrests when the perpetrators are in non-cooperating nations. As a result, those inside the bureau who want to pursue such cases face needless internal barriers.

And the FBI itself has been hacked; databases of FBI personnel and its partners were recently breached in two separate attacks in one week, for example.

Despite these barriers, the bureau’s track record remains impressive.

How the FBI’s Approach to Cyber Crime Has Changed

Ten years ago, financial frauds and dark web marketplaces dominated the cyber crime landscape. Over the years, it transitioned to a larger threat from ransomware attacks, which grew increasingly “professional,” pernicious and costly. Business email compromise, investment scams, call center fraud and, of course, ransomware remain the most common threats. Most of these involve social engineering.

Some of the most sophisticated and broadly harmful attacks originated with state-sponsored actors, primarily Russia, China, Iran and North Korea.

Over time, most cyberattacks have three main goals. The biggest is money. From fraud to ransomware attacks, malicious actors in the “private sector” and also from cash-strapped North Korea are looking for huge paydays facilitated by cryptocurrencies. Ransomware is extremely lucrative. So when law enforcement shuts down ransomware gangs, they tend to come back.

The other two goals are pursued by state-sponsored actors looking to steal intellectual property and government secrets. In the case of China, they want everything from hospital patient records to the personal information of Americans with security clearances. State-sponsored actors want to learn about U.S. networks where the knowledge could be useful during a future hot war or cold cyber warfare.

As we enter a new world of AI-enhanced cyber crime, the FBI’s role will doubtlessly prove more vital than ever.
