In the worldwide battle against malicious cyberattacks, there is no organization more central to the fight than the Federal Bureau of Investigation (FBI). And recent years have proven that the bureau still has some surprises up its sleeve.

In early May, the U.S. Department of Justice announced the conclusion of a U.S. government operation called MEDUSA. The operation disrupted a global peer-to-peer network of computers compromised by malware called Snake.

Attributed to a unit of the Russian government Security Service, called Turla, the Snake malware operated for close to 20 years, stealing documents from governments, journalists and others in at least 50 countries and “laundering” that data through infected computers in the United States as part of a broad, ongoing cyber espionage operation.

To facilitate the success of Operation MEDUSA, the FBI created PERSEUS. This tool caused Snake malware to overwrite its own components, thereby hobbling itself.

In short, the FBI and its partners created something like malware with a payload that altered software on target computers. However, the altered software itself was the real malware.

It’s not the only time the FBI beat hackers by hacking. But this kind of aggressive, effective action might have been unthinkable ten years ago.

How the FBI Approaches Cyberattacks

The FBI maintains a division called the Cyber Division (CyD), responsible for investigating and prosecuting cyber crimes. The organization focuses on threats not only to the government and citizens but also to American companies.

More than 1,000 CyD agents and analysts work in 56 US field offices and over 350 sub-offices. They also travel globally in Cyber Action Teams to help foreign nations with cyber crime and learn about threats to US interests. The FBI also works with the major three-letter U.S. agencies, including the CIA, DHS and the NSA.

The bureau formally partners with U.S. industry. More than 600 Fortune 1000 companies participate in the FBI’s Domestic Security Alliance Council for sharing best practices and knowledge about emerging threats. The bureau’s InfraGuard program connects some 70,000 US professionals to protect the infrastructure of private industry. The bureau is part of numerous other groups for learning, teaching and coordinating cybersecurity practices.

CyWatch is the bureau’s 24/7, 365 days-a-year cyber center. There, professionals with a widely diverse set of skills coordinate domestic law enforcement responses to cyberattacks. It also manages the FBI’s own response to attacks.

The bureau’s Internet Crime Complaint Center (IC3) offers an open invitation to report cyber crimes, which the FBI may choose to investigate.

The FBI also maintains a Cyber’s Most Wanted list. This helps the global public identify and report the bureau’s most infamous suspects.

And, of course, the FBI uses its credibility and reach to warn the public about emerging threats, with guidance on what to do about them.

A great many organizations, governments and agencies fight cyber crime. But the FBI is in a unique position in part because of all the help it gets from tips, collaboration with US corporations and tech companies, foreign law enforcement agencies and other US agencies.

And in recent years, it’s utilized that cooperation to even greater effect.

Major FBI Disruptions Over the Past Ten Years

Here are just a few of the FBI’s cases that disrupted cyberattacks globally.


Silk Road: The FBI took over the darknet marketplace that specialized in the sale of illegal drugs and other contraband, called Silk Road, and arrested founder Ross Ulbricht.

Citadel Botnet: The FBI and international law enforcement agencies took out more than 1,400 instances of the banking fraud Citadel Botnet, which installed a keylogger on some five million computers with the end goal of stealing money from banks. The perpetrator, Dimitry Belorossov, was arrested in Spain, extradited to the United States, tried, convicted and imprisoned.


Cryptolocker and Gameover Zeus: The FBI was part of an international effort to disrupt the Gameover Zeus banking fraud botnet that distributed Cryptolocker ransomware.


Darkode dark web forum: The FBI coordinated an effort among law enforcement agencies in 20 countries called Operation Shrouded Horizon to take down an online forum called Darkode, which brought together people looking to buy or sell credit card information, server credentials, hacking tools, malware, botnets and other resources useful for malicious criminal behavior. It was also a forum for the sharing of knowledge and ideas for committing cyber crimes. After law enforcement infiltrated the closed site and gathered evidence there, they arrested dozens of Darkode associates and charged them. A dozen were indicted by the United States.


Avalanche Network: The FBI and international law enforcement agencies dismantled the Avalanche network, which was used for worldwide crime sprees based on phishing attacks and the distribution of malware. Estimates say Avalanche infected some 500,000 computers and caused hundreds of millions of dollars in losses. Threat actors specifically designed it to block detection by law enforcement and cybersecurity specialists.


AlphaBay and Hansa: The FBI and international partners shut down these dark web marketplaces, which were both used for the sale of illegal products like drugs, weapons, stolen data and more. Major players were arrested and convicted.


Operation reWired: Working with international law enforcement, the FBI disrupted a global business email compromise (BEC) fraud scheme. Some 281 suspects were arrested in multiple countries.


REvil/Sodinokibi: The FBI disrupted the REvil/Sodinokibi ransomware group, which compromised the global meat processing company JBS and also the Kaseya software company.

Emotet and NetWalker: The FBI neutralized the Emotet malware spread and a ransomware variant called NetWalker.


Hive Ransomware Group: A global law enforcement operation spearheaded by the FBI shut down a Russia-linked Ransomware-as-a-Service (RaaS) group called Hive. The group had been selling ransomware services and tools since the Summer of 2021, raking in some $100 million from over 1,500 victims (including hospitals) in 80 countries. The operation lawfully “hacked the hackers,” according to Deputy Attorney General Lisa O. Monaco. The FBI took over Hive’s digital infrastructure completely, locking the perpetrators out. The FBI also distributed encryption keys to victims.

Definitive Guide to Ransomware

Barriers to More Effective FBI Cyber Law Enforcement

Former and disgruntled employees have criticized the FBI over its approach to cyber crime. First and foremost, the FBI has a long history of expecting all agents to be able to do just about any job within the agency, with non-technical people sometimes working in the cyber division and cyber experts working other kinds of crime in the field. This doesn’t work for a highly specialized realm like cybersecurity, say critics.

Also, some cybersecurity pros claim that the FBI isn’t culturally compatible with fighting cyber crimes. The culture of the FBI, they say, favors fast, thorough investigations resulting in arrests and convictions. Cyber investigations can take years and result in zero arrests when the perpetrators are in non-cooperating nations. And so those inside wanting to pursue such cases have needless internal barriers.

And the FBI itself has been hacked; databases of FBI personnel and its partners were recently breached in two separate attacks in one week, for example.

Despite these barriers, the bureau’s track record remains impressive.

How the FBI’s Approach to Cyber Crime Has Changed

Ten years ago, financial frauds and dark web marketplaces dominated the cyber crime landscape. Over the years, it transitioned to a larger threat from ransomware attacks, which grew increasingly “professional,” pernicious and costly. Business email compromise, investment scams, call center fraud and, of course, ransomware remain the most common threats. Most of these involve social engineering.

Some of the most sophisticated and broadly harmful attacks originated with state-sponsored actors, primarily Russia, China, Iran and North Korea.

Over time, most cyberattacks have three main goals. The biggest is money. From fraud to ransomware attacks, malicious actors in the “private sector” and also from cash-strapped North Korea are looking for huge paydays facilitated by cryptocurrencies. Ransomware is extremely lucrative. So when law enforcement shuts down ransomware gangs, they tend to come back.

The other two goals are pursued by state-sponsored actors looking to steal intellectual property and government secrets. In the case of China, they want everything from hospital patient records to the personal information of Americans with security clearances. State-sponsored actors want to learn about U.S. networks where the knowledge could be useful during a future hot war or cold cyber warfare.

As we enter a new world of AI-enhanced cyber crime, the FBI’s role will doubtlessly prove more vital than ever.

More from Government

How NIST Cybersecurity Framework 2.0 Tackles Risk Management

4 min read - The NIST Cybersecurity Framework 2.0 (CSF) is moving into its final stages before its 2024 implementation. After the public discussion period to inform decisions for the framework closed in May, it’s time to learn more about what to expect from the changes to the guidelines. The updated CSF is being aligned with the Biden Administration’s National Cybersecurity Strategy, according to Cherilyn Pascoe, senior technology policy advisor with NIST, at the 2023 RSA Conference. This sets up the new CSF to…

Why keep Cybercom and the NSA’s dual-hat arrangement?

4 min read - The dual-hat arrangement, where one person leads both the National Security Agency (NSA) and U.S. Cyber Command (Cybercom), has been in place since Cybercom’s creation in 2010. What was once touted as temporary 13 years ago now seems established. Will the dual-hat arrangement continue? Should it? Experts have discussed the pros and cons of both viewpoints for years. It remains in place for now, but is that likely to change in the future? That remains to be seen, and points…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

The Pentagon’s 2023 cyber strategy: What you need to know

5 min read - In May 2023, the Department of Defense (DoD) released an unclassified fact sheet detailing its latest cyber strategy. This latest update is another indication of the Pentagon’s intent to combat threat actors, coming fast on the heels of the 2022 National Security Strategy and the 2022 National Defense Strategy. A more complete summary of the strategy will follow in a few months. For now, let’s unpack what we know so far about the Department of Defense’s 2023 cybersecurity strategy. Reinforcing…