The Myth of Cyber Borders: Why Cross-Jurisdictional Challenges Aren’t the Real Obstacle to Prosecuting Cybercrime
By Jonathan D. Steele | November 20, 2025
What should you know about the myth of cyber borders: why cross-jurisdictional challenges aren’t the real obstacle to prosecuting cybercrime?
Quick Answer: Like a fast-moving house fire started in one apartment, fanned through shared ductwork, and smoldering unseen in another building, modern cybercrime leaps borders so quickly that investigators chasing the flames often arrive to find only ash and mismatched building codes. The urgent takeaway: treat cyber investigations like emergency firefighting—standardize rules, speed up cross-border evidence sharing, and build interoperable teams now, because slow legal hoses let perpetrators hide in safe havens while the damage spreads.
— Jonathan D. Steele, Esq. (Security+, ISC2 CC, CEH)
Cross-jurisdictional Challenges in Cybercrime Prosecution
Cybercrime is inherently borderless. A single attack may involve a perpetrator in one country, a command-and-control server in another, hosting infrastructure spread across several continents, and victims scattered worldwide. This fragmented geography creates profound cross-jurisdictional challenges for investigators, prosecutors, and courts trying to hold offenders accountable.
Recent research by cybersecurity firm Kaspersky illustrates how accessible cybercrime has become: the median dark web job seeker is just 24 years old. This statistic reveals more than youth involvement—it reflects how underground forums have systematized recruitment and training across borders. On platforms like Exploit and XSS, experienced criminals offer "mentorship programs" where young recruits in Eastern Europe, Southeast Asia, or Latin America learn to conduct attacks targeting Western financial institutions, often without ever meeting their collaborators or fully understanding the international legal exposure they face.
The scale of the challenge is staggering. According to Europol's 2023 Internet Organised Crime Threat Assessment, over 80% of cybercrime cases now involve cross-border elements, yet successful prosecution rates remain below 5% globally. When compared to traditional crimes, where extradition succeeds approximately 60% of the time, cyber offenses see success rates closer to 15-20%, primarily due to the jurisdictional complexities explored below.
Different Legal Definitions and Thresholds
One of the most basic obstacles in cross-border cybercrime cases is the lack of harmonized legal definitions. What counts as a crime, how serious it is, and how it is categorized can vary significantly between jurisdictions—differences that sophisticated criminals actively exploit.
- Divergent criminal codes: Some countries have detailed computer misuse laws (covering hacking, malware distribution, data interference), while others rely on older fraud or property statutes that may not map cleanly to modern attacks. For instance, unauthorized access to computer systems carries a maximum sentence of 10 years in the United States under the Computer Fraud and Abuse Act, but similar conduct in certain jurisdictions may be classified as a misdemeanor with minimal penalties.
- Inconsistent treatment of related conduct: Activities like selling stolen data, renting out botnets, or offering "hacking-as-a-service" may be prosecuted as cybercrime in one place, organized crime in another, and barely addressed elsewhere. The Silk Road prosecution demonstrated this complexity—while U.S. authorities charged operator Ross Ulbricht with narcotics trafficking and money laundering, many jurisdictions lacked legal frameworks to address the cryptocurrency-based marketplace model itself.
International efforts such as the Council of Europe's Budapest Convention on Cybercrime have pushed toward standardization, but participation is not universal (notably excluding China and Russia, sources of significant cybercrime activity), and implementation varies widely even among signatories. This patchwork makes it hard to construct cases that stand up simultaneously in multiple legal systems. As former U.S. Department of Justice prosecutor John Carlin notes, "We're essentially fighting 21st-century crime with 19th-century legal tools designed for territorial sovereignty."
Jurisdiction and Applicable Law
Jurisdiction—who has the legal right to investigate, prosecute, and adjudicate a case—is a central challenge. In cybercrime, multiple states can plausibly claim jurisdiction based on different connections to the offense, creating both competition and gaps in enforcement.
- Location of offender: The state where the primary suspect resides or acts will usually assert jurisdiction, but suspects often operate under aliases and through anonymizing technologies (VPNs, Tor). Russian cybercriminals indicted by U.S. authorities for the 2017 NotPetya attack remain beyond reach, as Russia's constitution prohibits extradition of its nationals and the country has shown no willingness to prosecute crimes targeting foreign entities.
- Location of victim(s): Countries where victims suffer financial loss, data breaches, or disruption also have a strong interest in prosecuting, especially when critical infrastructure is affected. The 2021 Colonial Pipeline ransomware attack saw U.S. authorities take the lead, but the DarkSide operators were believed to be in Russia or former Soviet states, creating an immediate jurisdictional impasse.
- Transiting data: Data packets routinely cross many states. If every transit country claimed jurisdiction, conflicts would be unavoidable. In practice, transit alone is rarely sufficient for jurisdiction, but it complicates evidence collection when data momentarily resides on servers in non-cooperative states.
The result is overlapping and sometimes conflicting claims to jurisdiction. States may compete to prosecute high-profile offenders, or, conversely, all assume that another country is better placed to act, leading to enforcement gaps. To address this, prosecutors increasingly employ a practical decision framework considering: (1) location of primary harm and victim concentration; (2) strength of available evidence and ability to preserve it; (3) existence of extradition treaties and likelihood of cooperation; (4) severity of potential penalties; and (5) resources and expertise of the prosecuting jurisdiction. However, this remains an ad hoc approach rather than a formalized international standard.
Evidence Collection Across Borders
- Mutual Legal Assistance Treaties (MLATs): Traditional mechanisms for cross-border evidence requests are slow, bureaucratic, and ill-suited to fast-moving cyber investigations. Data from the U.S. Department of Justice shows average MLAT response times of 10 months for requests to European countries and over 18 months for requests to Latin America or Asia—timelines during which crucial evidence routinely disappears. In one documented case involving a business email compromise scheme, critical server logs in Singapore were automatically deleted after 90 days while the MLAT request took 14 months to process.
- Data localization and privacy laws: Some states restrict the export of data, require local storage, or enforce strict privacy protections that limit what can be shared with foreign authorities. The EU's General Data Protection Regulation (GDPR), while strengthening privacy rights, has complicated transatlantic investigations by imposing strict conditions on data transfers that may conflict with U.S. law enforcement needs.
- Corporate policies of tech providers: Global tech firms may face conflicting legal obligations: one country demands data, another prohibits disclosure. Providers must navigate complex compliance dilemmas. Microsoft's challenge to a U.S. warrant for data stored in Ireland (later resolved by the CLOUD Act) exemplified these tensions, with the company caught between U.S. law enforcement demands and EU data protection requirements.
- Integrity and admissibility: Evidence collected abroad has to meet domestic rules of admissibility, including chain-of-custody requirements. Inconsistent procedures can render crucial evidence unusable in court. Forensic standards that are acceptable in one jurisdiction may fail to meet evidentiary thresholds in another, particularly regarding timestamping, hash verification, and examiner qualifications.
These obstacles incentivize offenders to exploit jurisdictions with weaker cooperation frameworks or strong data-protection barriers, knowing that cross-border access to evidence will be difficult or delayed. Emerging technologies offer some hope: the U.S. CLOUD Act and similar bilateral agreements aim to streamline data access, while blockchain forensics tools from companies like Chainalysis and CipherTrace now enable investigators to trace cryptocurrency flows across jurisdictions in near real-time—something impossible just five years ago. AI-driven attribution platforms are also emerging, using machine learning to identify threat actor patterns across disparate attacks, though their evidentiary weight in court remains under development.
Attribution and Anonymity
Attributing cyberattacks to specific individuals is technically and legally difficult. Modern cybercriminals rely on tools and infrastructure designed to obscure identity and location, including:
- Encrypted communications and end-to-end messaging (Signal, Telegram channels)
- Proxy servers, VPNs, and anonymity networks (e.g., Tor)
- Compromised devices used as intermediate "hops" or botnets
- Cryptocurrencies and mixers to launder proceeds
- Stolen credentials and identity obfuscation across multiple personas
From a legal standpoint, prosecutors must link actions on a device or network to a specific person beyond a reasonable doubt. When multiple actors in multiple countries share credentials, tools, and infrastructure, or when devices are hijacked to carry out attacks, establishing that connection becomes painstaking. The Mirai botnet case demonstrated both the challenges and possibilities: investigators tracked the malware to three young defendants in the United States through painstaking analysis of code comments, online forum posts, and Minecraft server disputes—but only after the defendants made operational security mistakes. Most sophisticated actors avoid such errors.
Moreover, cross-border attribution can have diplomatic ramifications, especially when state-sponsored or state-tolerated actors are suspected. The U.S. indictment of five Chinese military officers in 2014 for economic espionage, and subsequent indictments of Russian intelligence officers for election interference and the NotPetya attack, illustrate how attribution becomes a foreign policy tool as much as a legal one. Some governments may resist foreign investigations, restrict cooperation, or deny involvement, making prosecution practically impossible. As cybersecurity researcher Thomas Rid observes, "Attribution is not a technical problem that has a technical solution. It's a political problem that requires political will."
Extradition and Safe Havens
Even when suspects are identified and evidence is gathered, physically bringing them before a court can be problematic. Extradition depends on treaties and political will; it is not an automatic consequence of a warrant.
- Absence of treaties: Many country pairs lack comprehensive extradition agreements, leaving authorities with no clear legal foundation to transfer suspects. The United States has extradition treaties with approximately 100 countries, but notable gaps include Russia, China, and several nations that have become de facto cybercrime havens.
- Dual criminality requirement: Extradition usually demands that the alleged conduct be criminal in both states. Where cybercrime laws are underdeveloped, this condition may fail. When U.S. authorities sought extradition of a suspect from a Southeast Asian country for unauthorized computer access, the request was denied because the suspect's jurisdiction had no law criminalizing the specific conduct, despite it being a federal felony in the United States.
- Political and human rights concerns: States may refuse extradition where they fear political persecution, inadequate due process, or disproportionate penalties for the accused. European courts have occasionally refused extradition to the United States over concerns about lengthy sentences for computer crimes and conditions in federal prisons.
- De facto safe havens: Some countries are reluctant to extradite nationals or may quietly tolerate criminal groups that target only foreign victims, turning their territories into operational bases. Russia's approach is particularly notable: while it has sophisticated cybercrime laws and occasionally prosecutes domestic crimes, it systematically refuses to cooperate when Russian nationals target foreign entities. Similarly, North Korea has been documented harboring state-sponsored groups like Lazarus, which conducts financially motivated attacks against foreign institutions to generate revenue for the regime.
These dynamics encourage a "jurisdiction shopping" mindset among offenders: they base their activities where the risk of arrest and extradition is minimal, while targeting victims in states with stronger enforcement but weaker reach. The arrest of Russian cybercriminal Roman Seleznev in the Maldives in 2014—a rare success—required years of tracking and waiting for him to travel outside Russia, underscoring how geographic sanctuary remains the most effective defense against prosecution.
Coordination Between Law Enforcement Agencies
- Incompatible processes and tools: Varying standards for digital forensics, case management, and information classification can hinder joint operations. A 2022 Europol assessment found that member states use over 40 different digital forensics platforms, many of which cannot directly share or compare evidence without manual conversion—adding weeks to time-sensitive investigations.
- Resource and expertise gaps: Some countries lack trained cybercrime units or updated tools, limiting their ability to contribute meaningfully to shared efforts. While the FBI's Internet Crime Complaint Center receives over 800,000 complaints annually, many smaller nations have cybercrime units of fewer than 10 officers with limited technical training, creating asymmetries in multinational investigations.
Despite initiatives such as INTERPOL's cybercrime directorate, Europol's European Cybercrime Centre (EC3), and regional task forces like the ASEAN Cybercrime Operations Desk, coordination remains uneven. Joint operations like Operation Onymous (targeting dark web marketplaces) and Operation Disruptor (against opioid trafficking) show what's possible with sustained cooperation, but these remain exceptions requiring years of relationship-building. Offenders on the dark web, by contrast, often collaborate fluidly across borders, languages, and time zones, with cryptocurrency payments enabling instant, pseudonymous transactions that formal law enforcement channels cannot match for speed.
Young Offenders and Global Criminal Ecosystems
The Kaspersky finding that the median dark web job seeker is 24 highlights another dimension of the cross-jurisdictional problem: cybercrime is increasingly driven by young, tech-savvy individuals who join distributed, international