Federal Cybercrime Defense
The government reported $16.6 billion in cybercrime losses in 2024, a thirty-three percent increase from the year prior, and the Department of Justice has reorganized its prosecution apparatus to match the scale of the problem.
What that figure does not convey is the number of individuals who were charged under statutes written before the internet existed, prosecuted under theories that treat ambiguous digital conduct as felonious, and sentenced according to loss calculations derived from numbers they had no hand in computing. The Computer Fraud and Abuse Act became law in 1986. It has been amended six times. It has never been adequate to the complexity it purports to govern, and that inadequacy cuts in both directions. Prosecutors exploit the ambiguity. So does competent defense counsel.
This is a practice area where the distance between indictment and acquittal is measured in technical precision.
The Statutes Are Plural, and They Overlap
Federal cybercrime prosecution does not rest on a single statute. The CFAA, codified at 18 U.S.C. Section 1030, is the most recognizable instrument, but the government routinely charges wire fraud under Section 1343, identity theft under Section 1028A, economic espionage under Section 1831, and, where ransomware is involved, extortion under the Hobbs Act. A single intrusion can generate a six-count indictment. The statutory maximums accumulate: ten years under the CFAA for a first offense, twenty for a repeat violation, twenty for wire fraud, a mandatory consecutive two years for aggravated identity theft. The arithmetic is the punishment before the sentencing hearing begins.
Prosecutors prefer the stacking method. It produces plea agreements.
The CFAA itself contains seven distinct subsections of criminal conduct, ranging from unauthorized access to a protected computer (subsection (a)(2)) to trafficking in passwords (subsection (a)(6)). Each subsection carries its own mens rea requirement, its own damage threshold, and its own maximum penalty. The statute does not read as a single prohibition. It reads as a collection of prohibitions assembled over four decades by legislators responding to different panics at different moments. Coherence was not the objective.
What Van Buren Altered and What It Left Intact
In 2021, the Supreme Court decided Van Buren v. United States and imposed the first meaningful limit on the CFAA’s reach in three decades. The question was whether a police officer who accessed a license plate database for an unauthorized purpose had “exceeded authorized access” within the meaning of the statute. Six Justices held that he had not. The phrase, the Court determined, refers to obtaining information from areas of a computer to which access is prohibited, not to misusing information obtained from areas to which access was permitted.
The distinction is between gates and purposes.
Before Van Buren, the government had argued, with considerable success in the lower courts, that any access undertaken for an improper reason satisfied the statute. An employee who queried a database for personal curiosity rather than professional necessity could be charged with a federal crime. Van Buren rejected that theory. Access, not motive, defines the violation.
The decision was a genuine constraint. It eliminated an entire category of prosecution. But it left the core of the CFAA untouched, and in the four years since, the Department of Justice has adapted. The focus has shifted from authorization disputes to cases involving unambiguous intrusion: ransomware deployment, credential theft, exploitation of zero-day vulnerabilities, network infiltration by foreign actors. These are the cases where the statute operates with the force its drafters intended, and where the defense must be constructed from different materials.
Ransomware Prosecution Has Become a Separate Discipline
The Phobos ransomware administrator, a Russian national named Evgenii Ptitsyn, pleaded guilty in early 2025 to wire fraud conspiracy after extradition from South Korea. The operation had collected over $39 million in ransom payments from more than one thousand public and private entities. He faces twenty years. Two former cybersecurity professionals, Ryan Goldberg and Kevin Martin, admitted to moonlighting as BlackCat ransomware affiliates and extorting five companies, three of them healthcare organizations. Their sentencing is scheduled for March 2026. A Ukrainian national pleaded guilty to conspiracy for deploying Nefilim ransomware against international targets and faces ten years.
The pattern is instructive. These are not prosecutions born from domestic investigations that matured over months. They are the products of international coordination between the FBI, Europol, and allied intelligence services, often involving years of surveillance, blockchain tracing, and undercover operations on dark web markets before a single arrest is made. By the time the indictment is unsealed, the government has assembled evidence of a kind that traditional criminal defense was not designed to contest.
That observation is not a concession. It is a description of the terrain.
Ransomware defendants face a particular prosecutorial construction: the computer intrusion charge establishes the predicate act, and the wire fraud or extortion charge captures the financial demand. Two crimes from one event. The sentencing calculation incorporates the total ransom demanded, not merely the amount received, which inflates the loss figure and drives the Guidelines range toward the statutory maximum. Defense in this context requires forensic accountants as much as attorneys. The loss amount is contestable. It is almost always contested.
Digital Evidence Carries Its Own Fragility
The government’s cybercrime cases rest on digital forensics, and digital forensics rest on assumptions that can be examined. Chain of custody for electronic evidence is more complex than for physical objects. A hard drive imaged sixty days after seizure raises questions that a firearm collected from a crime scene does not. Metadata can be altered. Logs can be incomplete. The attribution of network activity to a specific individual, as opposed to a specific IP address or device, requires inferential work that a qualified expert can interrogate under oath.
In 2025, the DOJ charged twelve Chinese contract hackers in connection with global computer intrusion campaigns dating to 2013. The indictment alleged that the defendants operated through front companies and used commercial malware toolkits. Attribution in state-sponsored hacking cases relies on classified intelligence, commercial threat intelligence reports, and behavioral analysis of malware signatures. Each source presents distinct evidentiary problems. Classified material may be unavailable to the defense under the Classified Information Procedures Act. Threat intelligence reports are opinion evidence. Malware attribution is probabilistic, not deterministic.
The prosecution presents a story of certainty. The underlying evidence supports something less absolute.
The Investigation Precedes the Indictment by Years
Federal cybercrime investigations are slow by design. The FBI Cyber Division operates through fifty-six field offices and maintains relationships with private sector threat intelligence firms that function as force multipliers. Operation RapTOR, a joint initiative with Europol, dismantled dark web narcotics markets operating on Tor infrastructure. Operation Grayskull shut down exploitation networks that the FBI described as one of the most significant enforcement actions of its kind. These operations involved months or years of passive monitoring before a single warrant was served.
For the individual who suspects they are under investigation, this timeline creates a paradox. The optimal moment to engage counsel is the moment one learns of the investigation. The difficulty is that the government does not announce its investigations; it conducts them. A target letter, when it arrives, signals that the investigation is substantially complete. The window for pre-indictment advocacy has already begun to close. But it has not closed entirely, and the interventions available during that window, presentations to the assigned AUSA, negotiated document productions, proffer sessions structured to limit exposure, remain the most consequential decisions in the lifecycle of the case.
The clients who contact this firm earliest receive the widest range of options. That is not a platitude. It is a structural feature of federal prosecution.
Defense Constructed from Technical Ground
The viable defenses in a cybercrime case are both legal and technical, and the two cannot be separated. Authorization under the CFAA is a question of fact that depends on computer architecture: how access controls were configured, whether credentials were shared or segmented, what the terms of service or employment agreement specified, and whether those specifications were enforced through code or merely through policy. After Van Buren, the distinction between a technical barrier and a written policy has constitutional weight.
Intent is the second axis. The CFAA requires, for most subsections, that the defendant acted “knowingly” or “intentionally.” Automated processes, shared credentials, misconfigured systems, and the ordinary ambiguity of permission structures in large organizations all provide ground on which intent can be contested. A systems administrator who accesses a server segment outside the scope of an assignment has not necessarily committed a federal crime. The government must prove that the access was knowing and unauthorized, and in environments where authorization is informal, distributed, or poorly documented, that proof is harder to assemble than the indictment suggests.
The Fourth Amendment remains operative. Warrants for digital evidence must satisfy particularity requirements that courts are still refining. The seizure of an entire email account to locate three relevant messages raises overbreadth concerns that suppression motions can exploit. Geofence warrants, tower dumps, and compelled decryption orders each present unresolved constitutional questions. The law is not settled. Unsettled law benefits the defense.
Todd Spodek
Lead Attorney & Founder
Featured on Netflix's "Inventing Anna," Todd Spodek brings decades of high-stakes criminal defense experience. His aggressive approach has secured dismissals and acquittals in cases others deemed unwinnable.
Sentencing in the Algorithmic Register
The United States Sentencing Commission published its updated Computer Crimes Primer in August 2025, and the 2025 Guidelines Manual incorporated amendments effective November of that year. Section 2B2.3 governs trespass offenses; Section 2B1.1 governs fraud offenses that involve computers as instrumentalities. The two sections produce different base offense levels and different enhancement structures, and the selection between them can alter the Guidelines range by years.
Loss amount, as in all federal fraud sentencing, is the dominant variable. But in cybercrime cases, the computation of loss is unusually contested. Is the loss the cost of remediation? The value of the stolen data? The ransom demanded but never paid? The market value of trade secrets that were exfiltrated but never sold? The government selects the methodology that produces the highest figure. The defense selects the one that produces the lowest. The court decides, and the decision is reviewable only for clear error.
Enhancements for critical infrastructure, for the number of victims, for the use of sophisticated means, and for the involvement of a protected computer can each add two to four offense levels. They accumulate. A case that begins at a base offense level of six can reach twenty-four before the loss table is applied. The resulting Guidelines range may recommend a sentence that exceeds the statutory maximum, at which point the maximum becomes the sentence.
This is the arithmetic that produces twenty-year recommendations for first-time offenders with no prior criminal history.
The Consultation Is the Intervention
The Department of Justice expanded its cybercrime prosecution capacity by over thirty percent in fiscal year 2025. The FBI processed 859,532 internet crime complaints in the same period. Nine new ransomware task forces were operational by year’s end. The apparatus is not contracting.
Against that apparatus, the individual defendant possesses one structural advantage: the burden of proof remains with the government, and in cases that depend on digital evidence, technical attribution, and contested loss calculations, that burden is heavier than it appears. The CFAA was written broadly. The case law has narrowed it. The defense begins in the space between the statute’s text and the court’s interpretation of what that text permits.
Spodek Law Group has defended federal cybercrime cases in the Southern District of New York, the Eastern District, the District of New Jersey, and in federal courts across the country. The consultation is direct, confidential, and specific to the facts of the matter. The exposure is assessed. The available defenses are identified. The timeline is established. That first conversation determines what comes after it, and what comes after it determines the rest.