December 2, 2024 By Jonathan Reed 3 min read

The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place?

As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.

Takedowns and their ripple effects

USDoD, also known as EquationCorp, was apprehended in Brazil following years of high-profile hacks, including the FBI’s InfraGard portal. But his arrest isn’t an isolated case. In recent years, international task forces have relentlessly pursued major cyber crime rings with mixed results.

Consider the 2021 takedown of the Clop ransomware group, whose members were arrested in Ukraine after causing an estimated $500 million in damages. Despite the high-profile arrests, the Clop gang returned with renewed vigor, exploiting new vulnerabilities like the GoAnywhere zero-day​.

This pattern of cyber crime’s persistence, regardless of major arrests, was also seen with Emotet, the infamous malware network. After law enforcement agencies across multiple countries dismantled Emotet’s infrastructure in 2021, it seemed like a triumph. Yet, despite the immediate disruption, Emotet has since evolved, and cyber criminals have found new ways to exploit the same techniques​.

What makes USDoD different?

While takedowns are increasingly common, USDoD’s case stands apart for both its scale and the attacker’s audacity. Not only did the National Public Data breach expose personal data from 2.9 billion U.S. citizens — one of the largest data breaches in history — but USDoD also flaunted his actions. After being doxed by CrowdStrike, USDoD openly confirmed his identity, a bold move that eventually aided Brazilian authorities in his capture.

This arrest strikes at the heart of the threat actor’s operational security — a weak point many seasoned cyber criminals avoid exposing. USDoD’s combination of arrogance and scale sets him apart from other attackers, who typically work diligently to avoid being identified, let alone publicly confirming their identities.

Read the Cost of a Data Breach Report

Broader landscape of arrests and their limits

USDoD’s capture is a significant win, but cyber crime remains deeply resilient. For example, when the Lapsus$ hacker group was targeted in 2023, a series of arrests followed. Notably, 18-year-old Arion Kurtaj, a member of the group, was convicted in connection with attacks on Uber, Microsoft and Rockstar Games. Despite the disbanding of some Lapsus$ members, other cyber gangs didn’t seem to notice as attacks continued at high rates.

Similarly, the takedown of Hive ransomware in 2023, which involved the seizure of servers and the provision of decryption keys to victims, was a triumph for law enforcement. However, as seen with Clop and other ransomware groups, these efforts often do little to curb the broader trend of organized cyber crime​.

Are arrests a deterrent?

Despite the attention-grabbing nature of arrests like that of USDoD, the overall effect on cyber crime remains uncertain. While high-profile takedowns send a clear message that law enforcement is capable of reaching even the most elusive criminals, they do little to halt the broader, decentralized nature of cyber crime. Criminal groups have demonstrated a remarkable ability to adapt and reemerge, often learning from the mistakes of their captured peers.

One notable trend in 2024 has been the rise of unaffiliated ransomware actors. Coveware reported a significant increase in attacks by unaffiliated actors, often referred to as “lone wolves.” These attackers operate independently of established ransomware brands like LockBit or BlackCat. And their stealth may make them more difficult to apprehend.

The fight goes on

USDoD’s arrest is a testament to the global reach and determination of law enforcement. However, as with past takedowns of major cyber criminal groups, it serves as a reminder that the fight against cyber crime is far from over.

While these victories disrupt operations and bring justice to individual criminals, they are not a panacea for a problem that continues to evolve and expand. Organizations must remain vigilant, as the arrest of one threat actor will not prevent the rise of others eager to exploit new opportunities.

More from News

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally. The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets. Who is exploiting the NGFW zero-day? As of now, little is known about the…

CISA adds Microsoft SharePoint vulnerability to the KEV Catalog

3 min read - In late October, the United States Cybersecurity & Infrastructure Security Agency (CISA) added a new threat to its Known Exploited Vulnerability (KEV) Catalog. Cyber criminals used remote code execution vulnerability in Microsoft SharePoint to gain access to organizations’ networks. The CISA press release states that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” However, Microsoft identified and released a patch for this vulnerability in July 2024. Cybersecurity experts…

Research finds 56% increase in active ransomware groups

4 min read - Any good news is welcomed when evaluating cyber crime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021. Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today