To comprehend the challenges of fighting cybercrime today, you need to first understand that, in the digital world, crime is a business, and cybercriminal operations often look a lot like legitimate companies.
In any industry, businesses rely on a distributed supply chain to operate efficiently at scale, and the same is true for cybercrime. The lone hacker is a thing of the past. Now, any type of cyberattack relies on a network of specialized providers that make up the cybercrime-as-a-service (CaaS) economy.
The CaaS ecosystem functions as a supply chain for cybercrime, with different vendors offering interconnected tools and services. Upstream providers sell access—different ways to break into a system, including stolen login credentials, malware, and phishing kits. Midstream providers sell infrastructure like servers, hosting, and proxy networks. Downstream providers support specific attacks with ransom negotiations, payment systems, and cryptocurrency laundering. This distributed network makes cybercrime efficient, coordinated, and scalable. No single actor needs to be able to do everything; they can simply tap into the network.
“These are business models run by criminals to enable other criminals,” says Jason Lyons, Director of Investigations at Microsoft’s Digital Crimes Unit (DCU). The DCU has been disrupting cybercrime for more than a decade and has learned that fighting this industrialized criminal system is not about taking out individual cyberattackers. It’s about dismantling the infrastructure that facilitates attacks.
“Recently, we have started going after enablers, people who aren’t necessarily carrying out the attacks but are providing a service to those who are,” says Maurice Mason, Principal Cybercrime Investigator with the DCU. By taking out the upstream providers in the supply chain, the team aims to prevent the damage a criminal can do once they gain access to a system—attacks like ransomware, extortion, and social engineering.
In the last nine months alone, the DCU has taken down five large-scale global cybercrime operations, each part of the scaffolding that supports the CaaS economy.
- September 2025: RaccoonO365, a newly launched phishing-as-a-service platform that sold phishing kits used by cybercriminals to steal Microsoft 365 usernames and passwords. The DCU’s disruption led to the arrest of the leaders of the RaccoonO365 operation and successfully eradicated the service.
- January 2026: RedVDS, a subscription-based provider of cheap, disposable virtual computers that were used as launchpads for phishing and financial fraud. Coordinated legal action between the US and the UK—the DCU’s first joint civil case—took down the domains RedVDS used to host its marketplace and customer portal. The DCU worked with German law enforcement to seize RedVDS’s backend server and collaborated with international law enforcement to dismantle the network of servers and payment systems used by RedVDS customers, shutting down the service.
- March 2026: Tycoon 2FA, a widely used phishing-as-a-service platform that enabled cybercriminals to bypass multifactor authentication and gain access to victims’ systems by using fraudulent sign-in pages that mimicked legitimate login sites for Microsoft services. The DCU seized 330 active domains that powered Tycoon 2FA, cutting off the pipeline for attacks such as data theft, ransomware, business email compromise, and financial fraud. The team coordinated with international partners to seize or disable thousands of additional domains globally.
- May 2026: Fox Tempest, a service that evaded antivirus protections, allowing cybercriminals to disguise malware as trustworthy software by abusing tools designed to verify legitimacy. The DCU’s takedown, which seized Fox Tempest’s website, blocked access to a site hosting the underlying code, and took hundreds of virtual machines running the operation offline, has completely stopped Fox Tempest’s activity.
- June 2026: Amadey and StealC, two different malware variants that worked together to infect systems and harvest credentials for everything from email accounts to bank accounts. Leveraging a suite of AI tools, the DCU conducted a single court-authorized disruption that seized the infrastructure powering both malware families at once.
Each of these takedowns is significant in its own right, but together, they tell a larger story about how cybercrime operates today and what it takes to fight it: In this environment, it’s not enough to take out individual threats. Stopping cybercrime means breaking down the infrastructure that powers it. These five disruptions show how the DCU is fighting the system as a whole, targeting the providers in the CaaS supply chain that make the most damaging attacks possible.
The DCU’s multidisciplinary team of investigators and legal experts recently got together to discuss how this unprecedented series of disruptions reflects the team’s strategic approach to the CaaS economy and what that means for the future of fighting digital crime. These are their takeaways.
It takes an ecosystem to combat an ecosystem
As cybercrime has evolved from lone actors to a distributed network of tools and services, collaboration with partners in both the public and private sectors has become increasingly central to the DCU’s work.
“The heart of the challenge is the willingness among threat actors to cooperate with each other,” says Sean Ensz, Principal Investigator with the DCU. “They realize that cooperation is the key to more successful, scalable attacks. The same has to be true for us as defenders. If they’re going to cooperate and be scalable, we have to cooperate and be scalable as well.”
That means working with industry partners, particularly cybersecurity and threat research companies, to increase both the scale and speed of investigations. “Often our partners have different visibility than we do,” Lyons says. He teams up with peers at companies that provide antivirus tools to get a view of threat activity that’s more complete than what the DCU would see if it looked only at data from Microsoft’s own users and products. Additionally, he says security companies like Cloudflare have been key to the DCU’s disruptions because of their ability to identify servers used to host criminal operations.
“When tech companies come together, we, through economies of scale, will have more capabilities than the bad actors,” Lyons says. “That should give us an asymmetric advantage over time, but only if we work together.”
The DCU also collaborates closely with law enforcement, including domestic partnerships with the US Secret Service and the FBI, cooperation with Europol to investigate cross-border criminal networks, and sharing information with national and regional police around the world.
The takedown of Tycoon 2FA points to the increasingly collaborative nature of fighting cybercrime. It was the first DCU takedown coordinated through Europol’s Cyber Intelligence Extension Programme (CIEP) and brought together more than a dozen public and private-sector partners to share information, coordinate legal action across jurisdictions, identify victims, and lead emergency response.
Follow the links in the blockchain
Over the last year, the DCU has systematically incorporated blockchain analysis into its toolkit. Virtually all CaaS vendors transact in cryptocurrency for supposed anonymity. But if they want to get paid, they need to create a wallet and share its address with customers. Blockchains are public ledgers, and over time, users have developed tools that can trace the flow of funds to individual wallets. Now, whenever the DCU looks at a new target, investigators go undercover and make a purchase. Then they follow the money.
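To make the “follow the money” step concrete, here is an added example (not DCU tooling and not from the original article): a proportional taint trace over a small constructed ledger, starting from the investigator’s undercover purchase and reporting which transactions carried it and where the traceable value came to rest. Wallet names, transaction ids and amounts are all invented; the split-and-merge hops and the commingling with unrelated funds stand in for the obfuscation techniques the text mentions.

```python
from collections import defaultdict

# Constructed ledger for illustration only: (tx_id, from_wallet, to_wallet, amount).
# Wallet names, transaction ids and amounts are invented; "investigator" is the
# undercover buyer whose payment seeds the trace. Entries are in chronological order.
LEDGER = [
    ("tx1", "investigator", "shop", 100.0),  # undercover purchase of the service
    ("tx2", "shop", "hop1", 60.0),           # operator splits the proceeds ...
    ("tx3", "shop", "hop2", 40.0),           # ... across two fresh wallets
    ("tx4", "hop1", "hop3", 60.0),           # peel chain: hop to another wallet
    ("tx5", "hop2", "hop3", 40.0),           # the split funds merge again
    ("tx6", "hop3", "cashout", 95.0),        # consolidation wallet (5.0 lost to fees)
    ("tx7", "unrelated", "cashout", 500.0),  # clean money commingled at the same wallet
]


def trace_taint(ledger, origin):
    """Proportional ("haircut") taint trace: every wallet's outgoing value carries
    the same traceable fraction as the value that wallet has received so far.

    Returns (tainted_txs, resting): tainted_txs lists the transaction ids that
    moved any traceable value; resting maps wallets that never spend to the
    amount of traceable value that ended up there."""
    received = defaultdict(float)  # total value each wallet has taken in
    tainted = defaultdict(float)   # portion of that value traceable to origin
    spenders = set()
    tainted_txs = []

    def fraction(wallet):
        if wallet == origin:
            return 1.0  # the investigator's own payment is 100% traceable
        return tainted[wallet] / received[wallet] if received[wallet] else 0.0

    for tx_id, src, dst, amount in ledger:
        moved = amount * fraction(src)  # traceable share of this transfer
        received[dst] += amount
        tainted[dst] += moved
        spenders.add(src)
        if moved > 0:
            tainted_txs.append(tx_id)

    resting = {w: round(tainted[w], 8) for w in received
               if w not in spenders and tainted[w] > 0}
    return tainted_txs, resting


if __name__ == "__main__":
    txs, resting = trace_taint(LEDGER, "investigator")
    print("transactions carrying the purchase:", txs)
    print("where the traceable value came to rest:", resting)
```

The "cashout" wallet ends the trace with 95.0 units traceable to the purchase mixed with 500.0 units of unrelated inflow, which is the kind of consolidation point an investigator hands to law enforcement for exchange-level follow-up.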
It’s notoriously difficult for law enforcement to trace cybercrime to the individuals who are responsible, but attribution is a crucial deterrent. Blockchain analysis has become a powerful way to help law enforcement identify and arrest cybercriminals.
“CaaS providers will use all kinds of obfuscation techniques on the blockchain to disguise their activity and make it harder for us to trace the flow of funds, but we’ve learned how to follow our purchases all the way to the threat actor’s wallet,” Mason says. “We then provide this intelligence to law enforcement, which enables them to work with cryptocurrency exchanges to gain additional insights into the threat actor—and that also gives them the ability to seize illicit proceeds.”
DCU investigations have contributed to the seizure of millions of dollars in cryptocurrency, making business less lucrative for CaaS operators, and even helping some victims get their money back.
Blockchain analysis in the RaccoonO365 investigation uncovered at least $100,000 in cryptocurrency payments and ultimately revealed the identities of the people who were running the service. This intelligence supported the arrest of the operators by Nigerian law enforcement. The action didn’t just disrupt RaccoonO365’s operations; it completely dismantled the service.
“Actors get spooked when real individuals are named and arrested,” says Sean Farrell, Assistant General Counsel at the DCU. “They go offline. It sends a strong message.”
Investigate the landscape, not just the threat

The DCU’s investigations used to focus on a single cyberthreat at a time, but the goal of dismantling the enablers of cybercrime has driven a shift in strategy that gives investigators a broader, more holistic view of the CaaS ecosystem.
“We don’t think of these services as individual silos,” Ensz says. “We look at how they are interdependent and interrelated.”
Threat actors use CaaS services in combination. For example, RaccoonO365 and Tycoon 2FA both provided tools for phishing campaigns. But to use those tools, cybercriminals needed to send mass emails to get the phishing lures to potential victims. Investigators saw that customers of both RaccoonO365 and Tycoon 2FA frequently used virtual servers provided by RedVDS to deliver phishing campaigns.
“The interdependence we found in these cases expanded our understanding of the connections in the CaaS supply chain,” Ensz says. “The same patterns will show up every time services are filling these gaps in the chain.”
The DCU’s strategic shift toward this holistic understanding of cybercrime has also brought a new focus on “victimology”—identifying and understanding cybercrime victims. The network of partners on recent disruptions has expanded to include the Better Business Bureau, the American Association of Retired People, the FBI’s Internet Crime Complaint Center, and sector-specific organizations such as Health-ISAC to understand the people and industries being targeted.
“If you go after malware, you look at the bits and bytes, but if you shift the lens to targeting fraud, that’s humans attacking humans,” Ensz says. “Understanding the victim experience gives us a more comprehensive view of the threat.”
Find new applications of old laws
Since its inception over a decade ago, the DCU has pioneered the use of legal tactics to disrupt cybercrime. The law has not kept pace with the rapid evolution of technology and digital crime, so the DCU has innovated ways to apply existing laws to cybercrime—laws that were intended for things like divorce proceedings and abuse of rental property.
The DCU’s litigators have made fruitful use of the Racketeer Influenced and Corrupt Organizations (RICO) Act, which was created to fight organized crime. RICO allows prosecutors to target multiple people in a single charge if they’re all engaged in the same criminal activity. The DCU’s legal team has successfully used RICO to justify legal action against cyberthreats like malware with a single charge that targets the developers, the distributors, and the users.
Prior to this year, the DCU had only used RICO to target one malware or botnet at a time. But that changed when the team launched an investigation into Amadey, a malware designed to infect a system in order to deliver subsequent payloads of malware. DCU engineers built a “crawler,” a simulation of a system infected with Amadey that let them observe how the malware communicated with its command-and-control server. They watched as the server used Amadey to drop a malware called StealC onto the crawler.
Amadey and StealC were two different malware families, created by two different CaaS providers, but they used the same servers and were clearly operating in concert. The legal team saw an opportunity to expand their use of RICO to charge anyone involved in either malware family with participating in a single criminal conspiracy.
This was the first time the DCU targeted more than one CaaS provider in one legal complaint. “The evolution of cybercrime has driven us to be very creative,” says Richard Boscovich, the DCU’s Assistant General Counsel and lead litigator.
Although the new application of RICO was legally and technically difficult, it’s a breakthrough that arms the DCU for the future. Boscovich points out that the CaaS ecosystem is becoming more atomized, with smaller groups providing niche services that are increasingly interdependent with other vendors. This makes it easier for them to slip under the radar, and harder for the DCU to knock out significant parts of the CaaS infrastructure. The ability to use RICO to target multiple CaaS services with a single charge will be a powerful tool for the DCU in this new environment.
Keep the pressure on
The DCU’s approach to cybercrime today is the result of more than 15 years of proactively confronting threats to Microsoft customers and the broader digital ecosystem. The team has taken down countless cybercriminal operations since its creation in 2008, including 39 civil disruption actions against prominent cyberthreats. This experience provides a deep and nuanced understanding of how cybercrime works. As the CaaS economy has expanded and become more specialized, the DCU has incorporated additional tools and tactics that let the team disrupt threats persistently, not just at the moment of an individual takedown.
One example is an internal disruption strategy to take down Microsoft accounts that are being used for cybercriminal activity. “During DCU disruptions, we get a really good understanding of how our internal infrastructure is being used by these actors,” says Jacklynne Sienicki, Director of Data Analytics at Microsoft. “We deliver those insights to our threat hunting teams so they can detect the behaviors on an ongoing basis across all our products. It’s a way we can put continuous pressure on the ecosystem.”
The DCU has also created the Statutory Automated Disruption (SAD) program, which leverages laws against copyright and trademark violations. The program automatically sends notices to hosting providers when their domains are used to host services like RedVDS, which abused Windows licenses. SAD lets the DCU target CaaS infrastructure on an ongoing basis.

Boscovich says the DCU’s approach represents “a complete, holistic approach to the problem”—one that responds to the realities of industrialized crime.
“Since day one, when the DCU program started, we’ve always viewed cybercrime as a business,” Boscovich says. “We do everything we can to make the cost of doing business super high.”
