Cybercrime Investigations: Industry-Specific Insights
Cybercrime is a consequence of the all-encompassing digitalization of modern society, requiring an adequate response from the state. It affects a wide range of areas, including citizens' property rights, critical infrastructure, and individual rights, and it causes damage to both commercial organizations and the government as a whole. Cybercriminals are becoming increasingly aggressive, taking measures to thoroughly conceal their tracks, maintain anonymity, and plan their actions to complicate evidence collection and avoid responsibility. These factors make proving such cases legally and practically complex.
“Traditional approaches to investigating crimes do not fully address this fundamentally new type of threat. For successful work in this area, law enforcement officers must understand the specifics of the cybersphere, its cross-border nature, be able to operate in the information environment, communicate with IT company representatives and other specialists, know how and where to look for evidence, and how to document it. Ultimately, they must also be able to conduct effective dialogue with participants in criminal proceedings, and properly question witnesses, suspects, and defendants in such cases,” says Konstantin Komarda, head of the Cybercrime and High-Tech Crime Investigation Department of the Investigative Committee of the Russian Federation.
Numerous institutions, organizations, businesses, and individuals, both domestic and international, may be involved in cybercrime investigations in various ways. They include criminal justice and national security agencies, international organizations, the private sector, and civil society.
The Latency of Cybercrime
Today, computer-related crimes are among the most latent types of offenses. The detection rate is low, partly because victims often do not know a crime has occurred or only find out much later. For example, illegal copying of information often goes unnoticed, and the introduction of a computer virus is usually attributed to user error. The high degree of latency is also due to victims (especially large commercial organizations and banks) being reluctant to report incidents to law enforcement, fearing damage to their business reputation.
This reluctance can be explained by the expected utility theory proposed by economist Gary Becker (1968), which states that people take an action when its expected benefit outweighs the expected benefit of alternative actions (Maras, 2016). In the context of cybercrime, victims do not report incidents if the expected benefit of doing so is low (Maras, 2016).
Current research identifies several reasons for this, including feelings of shame or embarrassment (such as in romance scams); reputational risks associated with publicizing the incident (especially for businesses or when consumer trust is at stake); lack of awareness that a crime has occurred; low confidence in law enforcement’s ability to help; the time and effort required to report; and not knowing whom to contact (Wall, 2007; McGuire and Dowling, 2013; Tcherni et al., 2016; Maras, 2016).
Cross-Border Nature of Cybercrime
Another feature of cybercrime is its cross-border nature—cybercrimes are rarely confined to a single country. When the perpetrator and victim are in different countries, international cooperation is required. Challenges include differences in national legal systems and varying levels of legislative development regarding cybercrime. Some countries have successfully entered into international agreements on cooperation in preventing and investigating cybercrimes. However, there is still no unified global legal framework for combating cybercrime.
High Degree of Anonymity
Cybercrime is also characterized by a high degree of perpetrator anonymity. Modern VPN/VPS services, virtual phone numbers, and cryptocurrency wallets (which do not require personal identification) allow individuals to almost completely hide their identity. Even if investigators identify a device used in a crime, linking it to a specific person is often difficult.
Challenges in Investigation Procedures
One of the main problems in investigating cybercrimes is the inability to apply standard investigative algorithms. Traditional investigative actions, as outlined in criminal procedure law, are often ineffective for these types of crimes. For example, the crime scene inspection, usually central to investigations, has unique challenges in cyberspace. What constitutes the “scene” of a cybercrime? Is it the hacker’s location during the attack, the place where malicious software was written, the victim’s address, the location where stolen funds are cashed out, or somewhere else?
Given that cybercrimes occur in “virtual space,” some researchers suggest considering a specific range of virtual (information) space as the crime scene. Even so, investigators face the problem of how to conduct an inspection when cyberspace is not subject to geographic (and thus legal) boundaries. The inspection process itself is also unique: traditional forensic techniques are ineffective, as the work involves electronic traces (“digital footprints”), which can be active (information entered by the user, such as name and date of birth on social networks) or passive (traces left unintentionally by software activity).
Similarly, investigative experiments (to reconstruct the crime scene) lose their meaning in cybercrime cases, as changes in the physical environment do not affect the cyber environment, which is the essence of these crimes.
Interrogation Difficulties
Even interrogating suspects or defendants in cybercrime cases presents challenges. The main issue is that suspects often use technical jargon that is difficult for those without specialized knowledge to understand. Investigators must work with experts to translate these terms into legal language that is clear to all participants in the proceedings.
The presence of an expert during interrogation can negatively affect the outcome for several reasons: it may hinder psychological rapport between the investigator and the suspect, and it may signal to the suspect that the investigator does not fully understand the crime, potentially encouraging attempts to mislead the investigation. Witness interrogations are also challenging, as most witnesses lack the specialized knowledge needed to fully understand what happened.
Seizure and Examination of Equipment
Almost always, cybercrime investigations involve the seizure of equipment (computers, peripherals, and other electronic media) for forensic examination. Investigators must rely on experts, as the seizure and transportation of such items have unique requirements. Witnesses to the seizure usually only understand the removal of the device, not the presence of forensically significant information on it. There is also a constant risk of data loss during the process. Investigators and experts must decide on the necessity of seizing each item, balancing the need for thorough investigation with the principle of reasonable necessity—since computers and phones are essential tools for many professionals, their long-term seizure can cause significant harm.
Forensic Expertise
An important stage in cybercrime investigations is the appointment of computer-technical forensic examinations. Since this field is relatively new, there are few expert institutions with specialists in this area, leading to high workloads and longer examination times. Another challenge is formulating precise questions for the experts, as investigators often lack specialized knowledge in computer technology and information systems.