The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place?
As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.
Takedowns and their ripple effects
USDoD, also known as EquationCorp, was apprehended in Brazil following years of high-profile hacks, including the FBI’s InfraGard portal. But his arrest isn’t an isolated case. In recent years, international task forces have relentlessly pursued major cyber crime rings with mixed results.
Consider the 2021 takedown of the Clop ransomware group, whose members were arrested in Ukraine after causing an estimated $500 million in damages. Despite the high-profile arrests, the Clop gang returned with renewed vigor, exploiting new vulnerabilities like the GoAnywhere zero-day.
This pattern of cyber crime’s persistence, regardless of major arrests, was also seen with Emotet, the infamous malware network. After law enforcement agencies across multiple countries dismantled Emotet’s infrastructure in 2021, it seemed like a triumph. Yet, despite the immediate disruption, Emotet has since evolved, and cyber criminals have found new ways to exploit the same techniques.
What makes USDoD different?
While takedowns are increasingly common, USDoD’s case stands apart for both its scale and the attacker’s audacity. Not only did the National Public Data breach expose personal data from 2.9 billion U.S. citizens — one of the largest data breaches in history — but USDoD also flaunted his actions. After being doxed by CrowdStrike, USDoD openly confirmed his identity, a bold move that eventually aided Brazilian authorities in his capture.
This arrest strikes at the heart of the threat actor’s operational security — a weak point many seasoned cyber criminals avoid exposing. USDoD’s combination of arrogance and scale sets him apart from other attackers, who typically work diligently to avoid being identified, let alone publicly confirming their identities.
Broader landscape of arrests and their limits
USDoD’s capture is a significant win, but cyber crime remains deeply resilient. For example, when the Lapsus$ hacker group was targeted in 2023, a series of arrests followed. Notably, 18-year-old Arion Kurtaj, a member of the group, was convicted in connection with attacks on Uber, Microsoft and Rockstar Games. Yet even with some Lapsus$ members out of action, other cyber gangs carried on as though nothing had happened, and attacks continued at high rates.
Similarly, the takedown of Hive ransomware in 2023, which involved the seizure of servers and the provision of decryption keys to victims, was a triumph for law enforcement. However, as seen with Clop and other ransomware groups, these efforts often do little to curb the broader trend of organized cyber crime.
Are arrests a deterrent?
Despite the attention-grabbing nature of arrests like that of USDoD, the overall effect on cyber crime remains uncertain. While high-profile takedowns send a clear message that law enforcement is capable of reaching even the most elusive criminals, they do little to halt the broader, decentralized nature of cyber crime. Criminal groups have demonstrated a remarkable ability to adapt and reemerge, often learning from the mistakes of their captured peers.
One notable trend in 2024 has been the rise of unaffiliated ransomware actors. Coveware reported a significant increase in attacks by unaffiliated actors, often referred to as “lone wolves.” These attackers operate independently of established ransomware brands like LockBit or BlackCat. And their stealth may make them more difficult to apprehend.
The fight goes on
USDoD’s arrest is a testament to the global reach and determination of law enforcement. However, as with past takedowns of major cyber criminal groups, it serves as a reminder that the fight against cyber crime is far from over.
While these victories disrupt operations and bring justice to individual criminals, they are not a panacea for a problem that continues to evolve and expand. Organizations must remain vigilant, as the arrest of one threat actor will not prevent the rise of others eager to exploit new opportunities.
Freelance Technology Writer