The New Face of Cybercrime: When the Criminal Isn’t the Hacker
For years, cybersecurity professionals, prosecutors, and policymakers viewed cybercrime through a relatively simple lens. There were hackers and there were victims. The hacker breached a network, stole data, deployed malware, or extorted payment. The victim was the company, government agency, or individual whose systems had been compromised. Recent Department of Justice prosecutions suggest that the model is increasingly obsolete.
A series of criminal cases announced over the past month reveals a fundamental shift in the cybercrime ecosystem. Increasingly, the most legally significant actors are not necessarily the individuals writing malware, exploiting vulnerabilities, or penetrating networks. Instead, prosecutors are targeting the facilitators, negotiators, insiders, and enablers who transform technical intrusions into profitable criminal enterprises.
In other words, cybercrime is becoming organized crime.
The DOJ’s recent prosecutions involving the ALPHV/BlackCat ransomware operation, the Karakurt extortion group, and insider-access conspiracies demonstrate that federal law enforcement is increasingly focused on the entire cybercrime supply chain rather than merely the initial intrusion. That evolution has important implications not only for criminal enforcement but also for cybersecurity governance, insider threat programs, and corporate risk management.
The Ransomware Negotiator as Criminal Actor
Perhaps the most striking development is the growing focus on individuals who never touch the victim’s systems. On May 4, 2026, federal prosecutors announced the sentencing of Latvian national Deniss Zolotarjovs to 102 months’ imprisonment for his role as a negotiator associated with the Karakurt, TommyLeaks and SchoolBoys extortion groups. Traditionally, one might think of a ransomware negotiation as occurring after the crime has already been committed. The intrusion has occurred. The data has been stolen. The malware has been deployed. The negotiator merely communicates demands.
The Department of Justice clearly does not see it that way. Instead, prosecutors increasingly characterize negotiators as integral participants in the criminal enterprise itself. Without negotiators, ransomware groups would have difficulty converting stolen data into revenue. The extortion process is not an ancillary component of the crime; it is the business model.
The same principle appeared in the April 30, 2026, sentencing of two U.S. cybersecurity professionals associated with the ALPHV/BlackCat ransomware operation. Although public attention often focuses on malware developers or intrusion specialists, federal prosecutors devoted substantial attention to the financial and operational mechanisms through which the criminal enterprise monetized victim organizations. The legal significance is substantial.
Under traditional organized crime theory, the getaway driver is often as culpable as the bank robber. Cybercrime prosecutions increasingly apply the same logic. The individual who manages victim communications, coordinates payments, launders cryptocurrency, or facilitates access may face exposure comparable to the person who launched the attack.
For corporate security teams, this development highlights an uncomfortable reality: modern cybercrime organizations increasingly resemble multinational businesses with specialized functions, management structures, customer-service operations, and revenue optimization strategies.
The Rise of the Insider Threat Economy
If ransomware demonstrates the industrialization of cybercrime, the May 7, 2026, conviction of Sohaib Akhter demonstrates another trend: the commodification of access. According to DOJ allegations, Akhter participated in a conspiracy involving computer fraud and password trafficking connected to the deletion of government databases.
What makes such cases particularly important is that they blur the distinction between external attacks and insider threats. Historically, organizations focused heavily on perimeter defenses. Firewalls, intrusion detection systems, endpoint protection platforms, and vulnerability management programs all operate from the assumption that the threat originates outside the organization.
But many contemporary cybercriminal operations do not begin with a technical exploit. Instead, they begin with credentials. Credentials may be purchased, borrowed, stolen, rented, shared, or otherwise acquired through social engineering, insider recruitment, credential marketplaces, or criminal partnerships. The result is that organizations increasingly face adversaries who possess legitimate access rather than unauthorized access.
From a legal perspective, this trend presents significant challenges because many federal computer crime statutes were drafted around concepts of unauthorized access.
The Supreme Court’s decision in Van Buren v. United States, 593 U.S. 374 (2021), significantly narrowed the interpretation of the Computer Fraud and Abuse Act (CFAA), holding that misuse of authorized access is not necessarily equivalent to unauthorized access. As insider-threat prosecutions increase, courts will continue confronting difficult questions regarding authorization, credential sharing, delegated access, and password trafficking. The result may be a renewed emphasis on conspiracy, fraud, theft, extortion, and wire fraud theories rather than reliance exclusively on the CFAA.
Cybercrime’s Service Economy
Taken together, these prosecutions reveal a broader transformation.
Cybercrime increasingly operates through a service economy.
Initial access brokers sell credentials.
Malware developers create tools.
Affiliates deploy ransomware.
Negotiators manage victims.
Cryptocurrency specialists launder proceeds.
Data brokers market stolen information.
Insiders provide access.
Each participant may perform a highly specialized function while never personally compromising a network. The structure increasingly resembles legitimate commercial enterprises. Indeed, ransomware organizations now routinely maintain help desks, customer support channels, payment portals, service-level expectations, affiliate programs, and profit-sharing arrangements.
From a criminological perspective, the most important development may not be technical sophistication but organizational sophistication. Cybercrime has evolved from individual misconduct into an ecosystem.
Why This Matters for Corporate Defenders
This evolution creates practical challenges for defenders. Traditional cybersecurity programs focus heavily on preventing technical compromise. Yet many contemporary threats arise from relationships rather than exploits. Organizations can patch vulnerabilities. They cannot patch employees.
Nor can they easily patch contractors, vendors, consultants, former employees, or business partners who possess legitimate access. Consequently, insider-risk programs are increasingly becoming as important as vulnerability management programs.
Access governance becomes as important as intrusion detection. Credential monitoring becomes as important as malware detection. Behavioral analytics become as important as signature-based defenses. These developments also reinforce the importance of supply-chain security. A threat actor may never directly attack a target organization if access can be acquired through a vendor, service provider, or trusted partner.
The Enforcement Message
The most significant lesson from these prosecutions may be the message DOJ is sending. Federal prosecutors appear increasingly willing to pursue every participant in the cybercrime ecosystem, regardless of whether that individual personally executed the technical intrusion. The negotiator may be prosecuted. The access broker may be prosecuted. The credential trafficker may be prosecuted. The insider may be prosecuted. The financial facilitator may be prosecuted.
This approach mirrors strategies historically employed against organized crime, narcotics trafficking, and money laundering enterprises. Rather than focusing solely on the individual who commits the underlying act, enforcement targets the infrastructure that enables the crime. For cybersecurity professionals, this is a notable development because it reflects an official recognition that modern cybercrime is no longer primarily a technical problem.
It is an economic one.
The malware, exploit, or stolen credential is merely the entry point. The real threat is the increasingly mature criminal ecosystem that transforms those tools into scalable, repeatable, and highly profitable enterprises. And as these recent prosecutions demonstrate, law enforcement is beginning to adapt accordingly. The future of cybercrime enforcement may be less about catching hackers and more about dismantling the business models that make hacking profitable in the first place.

