The threat cybercrime poses to nations, businesses and individuals has reached a critical juncture — and it’s time to recognize that cybercriminals are operating freely in countries that provide them shelter, causing economic harm and undermining global security.
The United States International Cyberspace and Digital Policy Strategy, published by the State Department in May, introduces the concept of “digital solidarity” to collaboratively battle malicious cyber activity. However, this strategy overlooks a critical tool for combating cybercrime: the designation of state sponsors of cybercrime.
To close this gap and get ahead of increasing cyber threats, the United States must take the lead in identifying and designating nations that harbor cybercriminal organizations.
The exponential rise of cybercrime demands an escalated international response. Ransomware attacks alone reaped record payouts in 2023 and are projected to cost the world more than $40 billion in 2024. Nation-states, major corporations, critical infrastructure providers, schools, hospitals and ordinary citizens have all fallen victim. The ubiquity of cybercrime has normalized what was once a niche threat reserved for high-value targets.
This normalization stems from the proliferation of cybercrime safe havens — nations that allow cybercriminal syndicates to operate within their borders without fear of extradition or prosecution. By “looking the other way,” these countries provide cybercriminals the stability and infrastructure to plan complex attacks and safely store illicit proceeds. Likely emboldened by state protection, hackers based in safe havens can escalate their attacks with deepening sophistication.
Russia epitomizes this model of state cyber sanctuary. Despite issuing public condemnations of cybercrime, the Kremlin is quietly supporting hacking groups as long as those groups don’t target Russian interests and are willing to do Moscow’s bidding when called upon. Symbiotic relationships have developed, with hackers sharing stolen data with Russian intelligence and the state providing legal safe harbor and access to money laundering services.
The scale of this problem is significant. According to a recently released TRM Labs report, Russian-speaking ransomware groups accounted for at least 69% of all cryptocurrency proceeds from ransomware in 2023, exceeding $500 million.
North Korea has embraced cybercrime on an institutional scale to circumvent international sanctions and fund its nuclear program. Unlike traditional scenarios where organized crime attempts to infiltrate the state, North Korea represents a reversal of this dynamic: The state itself has penetrated and co-opted organized cybercrime.
North Korean hacking units act as pillars of a massive state-sponsored criminal enterprise. These groups have conducted sophisticated ransomware attacks explicitly at the direction of North Korea’s Reconnaissance General Bureau, as noted in a recent US indictment against a North Korean hacker sought by the FBI. Notably, North Korean hackers often operate from other countries, including China, to obscure their origins and exploit lax cybersecurity environments. Pyongyang’s nuclear ambitions are supported by the very cybercrime it claims to prohibit, with the state acting as the orchestrator of these illicit activities.
By allowing cybercrime safe havens to proliferate unchecked, the international community has acquiesced to a perpetual escalation of costly and destabilizing cyber attacks. This issue extends beyond well-known actors such as Russia and North Korea to include a number of countries across various regions that turn a blind eye to cybercriminal activities within their borders. Impunity has become an incentive for hackers to migrate to safe-haven countries.
This self-reinforcing cycle jeopardizes not just the digital security and economic prosperity of the US and other nations that play by the rules but also the long-term viability of an open internet. Addressing these challenges requires a comprehensive approach drawing on all instruments of statecraft, including economic sanctions, diplomatic measures, intelligence capabilities, law enforcement cooperation, disruption of cybercriminals’ activities and strategic communications.
Designating states as sponsors of cybercrime, much like the State Department designates state sponsors of terrorism, would initiate a long-overdue course correction. This strategy is in line with legislation being put forward by Senate Intelligence Committee Chairman Mark Warner of Virginia, who aims to classify ransomware as a threat akin to terrorism.
While Warner’s provision in the Intelligence Authorization Act for Fiscal Year 2025 focuses specifically on ransomware, our suggestion to designate state sponsors of cybercrime would encompass a broader range of malicious cyber activities. Explicit criteria such as active non-cooperation with cybercrime investigations, profiting from cybercriminal safe harbors or aiding hackers with training, resources and infrastructure should trigger designation. Just as with designations for state sponsors of terrorism, this would allow the US to leverage coordinated sanctions, diplomatic penalties, foreign aid restrictions and other accountability measures.
By allowing cybercrime safe havens to proliferate unchecked, the international community has acquiesced to a perpetual escalation of costly and destabilizing cyber attacks.”
Frank Cilluffo and Joshua Whitman
This approach builds upon established precedents in combating global threats. For decades, Congress has mandated that the State Department produce annual reports detailing patterns of global terrorism and naming top terrorist groups. A similar framework for cybercrime could prove equally effective.
Annual reports on state-sponsored cybercrime could identify major cybercriminal syndicates and document their most significant attacks while designating nations that provide safe haven as state sponsors of cybercrime. Additionally, large cybercrime syndicates could be designated as Transnational Criminal Organizations, a classification that would unleash additional law enforcement and Treasury Department tools to combat these groups; for example, last month Treasury’s Office of Foreign Assets Control designated two Russian hackers whose group, Cyber Army of Russia Reborn, claimed attacks on US critical infrastructure targets including water facilities in Texas.
This designation would provide a consistent basis for expanded actions against cyber threats, leveraging the full range of US government capabilities to tackle this growing menace.
Some may argue that such designations could dangerously escalate tensions between cyber superpowers that already engage in antagonistic hacking operations. Others may claim that proving explicit state sponsorship is an unnecessarily high legal bar. However, these risks pale in comparison to the existential threat that cyber safe havens pose to the rules-based international order.
Admittedly, effective cyber designations require rigorous evidence-gathering and multilateral cooperation. But the US intelligence community has persistently tracked the Kremlin’s cyber reserve forces and Pyongyang’s institutionalized hacking kleptocracy, along with other countries with active state-sponsored cyber warfare such as China and Iran.
The United States has both the justification and capabilities to productively initiate an international cyber designation regime now, particularly as a constant barrage of cyber attacks collectively poses a significant threat to our security. Just as previous counterterrorism and anti-crime designations have isolated rogue states, multilateral cyber designations could compel Russia, North Korea and those aspiring to offer hackers safe haven to rethink the efficacy of their current criminal-harboring models.
Holding nations accountable for sponsoring cybercrime is a critical first step on the long path toward establishing a collective cyber deterrence rooted in the rule of law. Continuing to allow shadowy hacking havens to exist in the gray spaces of geopolitics all but ensures an ever-escalating future of cyber insecurity and instability. Designations may not halt cybercrime overnight, but they initiate a long-overdue process of creating international accountability.
Strategic inaction is no longer an option for the integrity of the internet, economic prosperity and collective security of all nations committed to a more democratic and prosperous world.