Operational support to cybercrime cases

In 2023, cybercrime was once again among the top five crime areas addressed by the Agency. Eurojust handled more than 500 cybercrime-related cases in 2023, with more than half representing new cases referred to the Agency.

The number of cybercrime-focused joint investigation teams and coordinated action days supported by Eurojust increased compared to 2022, while the number of related coordination meetings almost doubled.

In 2023, Eurojust’s cybercrime casework was characterised by an increase in ransomware attacks, which continue to pose a major challenge for judicial and law enforcement authorities.

A key case in 2023 involved the dismantling of a ransomware group in Ukraine, whose attacks affected over 1 800 victims in 71 countries, causing losses of several hundred million euros. Another significant case involved a major international operation against the Ragnar Locker ransomware group, which has attacked 168 international companies worldwide since 2020. In both cases, the operations were successful thanks to Eurojust’s facilitation of rapid cooperation between the judicial authorities involved.

Operational and strategic work related to cases involving encrypted communication platforms

Encryption is used by criminal organisations to evade investigation and prosecution. Judicial and law enforcement authorities often depend on access to encrypted digital data to carry out their investigative work. It is therefore crucial that digital data is gathered in a legal way so it can be admitted as evidence in court. Eurojust follows operational and strategic developments in this area by gathering and analysing relevant case-law for judicial authorities.

In 2023, the Agency continued to provide Member States with crucial assistance in cases related to encrypted communication platforms. Since Eurojust’s support to the investigations related to the EncroChat communication platform in 2020 and the Sky ECC communication platform in 2021, the Agency has dealt with thousands of ‘spin-off’ cases related to drugs and organised crime, involving 30 countries. Since April 2021, Eurojust’s French Desk has processed around 2 700 requests for mutual legal assistance (MLA) and European Investigation Orders in ‘spin-off’ cases related to the decryption of Sky ECC communications. Moreover, in February 2023, judicial and law enforcement authorities in the Netherlands and Germany, supported by Eurojust, dismantled the Exclu encrypted communication tool, which had an estimated 3 000 users, including members of organised crime groups.

During 2023, Eurojust contributed to two expert meetings of the High-Level Group on access to data for effective law enforcement, launched by the European Commission in June 2023. The Group’s mission is to propose recommendations for the further development of Union policies to enhance and improve access to data for the purpose of effective law enforcement.

Cybercrime Judicial Monitor 

In June 2023, Eurojust and the European Judicial Cybercrime Network published the eighth edition of their annual Cybercrime Judicial Monitor, distributed to judicial and law enforcement authorities active in the fight against cybercrime and cyber-enabled crime.

The report’s first section covers legislative developments in the area of cybercrime, cyber-enabled crime and electronic evidence in 2022, including adopted legislation (e.g. the Digital Services Act) as well as ongoing procedures (e.g. the Artificial Intelligence Act). The judicial analysis section presents summaries of court rulings from various EU Member States and non-EU countries. In 2022, several European countries reported court rulings on the culpability of persons operating darknet marketplaces and the use of captured encrypted communication data. The third section covers developments in data retention. In 2022, the Court of Justice of the European Union concluded three preliminary rulings, providing additional guidance on the implementation of (supranational) data retention rules in European countries. The final section is dedicated to the adoption of the EU legislation on European Production and Preservation Orders for electronic evidence in 2023. 

EU and international legislative developments on cybercrime

The adoption of EU legislation on electronic evidence in 2023 marked a significant step forward for access to digital information in cross-border criminal investigations and prosecutions. The new legislation will bring ground-breaking changes to the process of cross-border gathering of electronic evidence. The EU Electronic Evidence legislative package was adopted in July 2023 and will apply as of mid-2026. Eurojust, together with the European Judicial Network (EJN) and the European Judicial Cybercrime Network (EJCN), contributed during the legislative process on the Electronic Evidence Regulation, by providing practitioners’ input on the European Production and Preservation Order certificates (EPOC and EPOC-PR) in annex to the Regulation.

The new legal powers created by the legislative package (Electronic Evidence Regulation and Electronic Evidence Directive) and the Second Additional Protocol[2] to the Council of Europe Convention on Cybercrime (Budapest Convention[3]) will enable competent authorities to order the preservation and production of electronic evidence directly from service providers, such as telecom companies, located abroad. The unprecedented procedures envisaged by this legislation are intended to work faster and in a more flexible way than the existing judicial cooperation instruments for the gathering of electronic evidence (i.e. EIO and MLA processes), as well as bring legal clarity on the process of gathering cross-border electronic evidence.

In September 2023, Eurojust and the Council of Europe co-organised a workshop on international cooperation provisions of the Second Additional Protocol to the Budapest Convention. Discussions focused on the expedited disclosure of stored computer data in an emergency, as well as emergency mutual assistance, including the enhanced role of 24/7 Points of Contact established under the Budapest Convention.

In December 2023, the European Parliament and the Council reached a political agreement on the Artificial Intelligence Act, later endorsed by the European Parliament in March 2024. The EU's AI Act is the first-ever comprehensive legal framework on AI worldwide. By guaranteeing the safety and fundamental rights of people and businesses, it will support the development, deployment and take-up of trustworthy AI in the EU, fostering responsible innovation. The European Judicial Cybercrime Network, supported by Eurojust, discussed the misuse of AI by criminals during its 15th plenary meeting in November 2023. The network will continue to follow the developments in this area closely to identify challenges and share knowledge with judicial practitioners via the network’s master classes for investigative prosecutors and judges working in this area.

Eurojust is closely monitoring all cyber-related legislative developments, including those in which it is not directly involved (such as the negotiations on the CLOUD Act[4] or the UN Convention on Cybercrime), as they will have a considerable impact on the Agency’s operational and strategic work. The SIRIUS project on cross-border access to electronic evidence, co-led by Eurojust, is developing knowledge products on the relevant legal instruments. It has and will continue to assist competent national authorities to navigate the increasingly complex legal framework and prepare them for the future application of these legislative developments.

Developments from the SIRIUS project on cross-border access to electronic evidence

The SIRIUS project, co-implemented by Eurojust and Europol, is a central reference point in the EU for knowledge sharing on cross-border access to electronic evidence. It offers a variety of services, such as guidelines, trainings and tools, to facilitate access to data held by service providers. SIRIUS serves a community of competent authorities from 47 countries, representing all EU Member States and a growing number of third countries, as well as the European Public Prosecutor’s Office.

In 2023, the SIRIUS project celebrated its fifth anniversary, marking its evolvement into a centre of excellence in the field of electronic evidence in the EU. On this occasion, the project updated its web presence on Eurojust’s corporate website, which now features more than 20 legal and policy reviews on cross-border access to electronic evidence, made fully public for the first time.

In March 2023, the SIRIUS project held its annual Advisory Board meeting at Eurojust’s premises. Participants discussed the achievements of the project to date, as well as future plans for capacity building and further assistance to competent EU authorities in the gathering of electronic evidence across borders.

The SIRIUS annual conference took place in November 2023 and was attended by over 900 participants, including representatives from law enforcement and judicial authorities from 38 countries, as well as 20 representatives of service providers. The conference tackled topics such as novel legal instruments for obtaining electronic evidence across borders, challenges concerning the clash between authorities’ need for data versus data protection requirements, upholding content policies and respective privacy rights in the face of core international crimes.

In December 2023, the SIRIUS EU Electronic Evidence Situation Report was jointly published by Eurojust, Europol and the European Judicial Network. The report provides an overview of the EU’s electronic evidence landscape through the lenses of law enforcement, the judiciary and service providers. From a law enforcement perspective, social media platforms, messaging apps and cryptocurrency exchanges are pivotal in investigations. While formal training on electronic evidence has been provided to officers, gaps in familiarity with the new legislation remain, emphasising the need for extensive training programmes. Judicial authorities face time-consuming hurdles when accessing data from foreign service providers, highlighting the need for enhanced legal powers and EU-wide legislative efforts to regulate data retention for the purposes of criminal investigations and proceedings. Service providers, on the other hand, grapple with authenticating requests and resource allocation, emphasising the benefits of centralising requests.

European Judicial Cybercrime Network developments

During 2023, Eurojust continued to work closely and provide support to the European Judicial Cybercrime Network. The network consists of judicial authorities specialised in countering the challenges of cybercrime, cyber-enabled crime and investigations in cyberspace.

In June 2023, the network held its 14th plenary meeting. Participants discussed the challenges of the metaverse, joint investigation teams in cybercrime, spontaneous information exchange in relation to Article 26 of the Budapest Convention and cooperation with crypto asset service providers.

In November 2023, the Network held its 15th plenary meeting. Topics discussed by participants included the criminal use of AI, obfuscation methods including the use of crypto assets mixers, ransomware and issues related to victims’ rights, as well as cybercrime prevention.

The challenges related to crypto assets were discussed in connection with victim remediation in ransomware and laundering the proceeds of online criminal activity, with reference to the Market in Crypto Assets Regulation, which will become fully applicable in December 2024.

In 2023, the Network continued to provide specialised training on cybercrime and digital evidence to practitioners by hosting dedicated master classes on how to obtain evidence from online service providers (in March and October 2023), encrypted networks (in cooperation with the Western Balkans Criminal Justice Project in June 2023) and ransomware (in December 2023).

US-EU expert group on obtaining (e-)evidence

In March 2023, Eurojust organised a second meeting of the US-EU expert group on obtaining evidence via MLA from the United States (US). The aim of the expert group is to facilitate the swifter execution of MLA requests for gathering evidence in the US. The meeting focused on the probable cause requirement in light of the case-law of the U.S. Supreme Court, and provided case examples and tips on drafting requests to the US.

In June 2023, Eurojust and US authorities organised a workshop focused on the free speech clause of the First Amendment to the U.S. Constitution, including its implications on MLA requests submitted by foreign authorities to the US seeking electronic evidence, which generally require the US legal process.

In November 2023, a third meeting was organised to explain when an MLA request to the US is required in relation to witness/suspect interviews, and which information is essential to include in such a request.

Online marketplace selling stolen account credentials to criminals worldwide taken down in multi-country effort dubbed Operation Cookie Monster

Crime: Since 2018, Genesis Market, a criminal marketplace accessible on the dark and clear web, sells packages of account access credentials – including usernames and passwords for email, bank accounts and social media. The credentials are stolen from malware-infected computers around the world and then used by cybercriminals to commit cyber-enabled fraud.

Action: The U.S. FBI works with its law enforcement partners to identify prolific users of Genesis Market who have purchased and used stolen access credentials to commit fraud and other cybercrimes. The U.S. Department of Justice also works with its judicial counterparts through Eurojust to ensure coordinated action. This effort results in hundreds of leads being sent by the FBI to law enforcement partners in Australia, Canada, Denmark, France, Germany, Italy, the Netherlands, Poland, Spain, Sweden and the United Kingdom.

Result: On 4-5 April 2023, in a major coordinated action supported by Eurojust and Europol, more than 100 suspects are arrested and 200 property searches are conducted in 13 countries. In addition, the infrastructure and main domains of the criminal website are seized and taken down.

Eurojust's Role: Eurojust facilitates the cross-border judicial cooperation between the national authorities involved. The Agency hosts a coordination meeting in March 2023 to prepare for the joint action and a command centre on 4 April 2023 to resolve legal issues arising during the parallel operations in 13 countries.

Main administrator of iSpoof website sentenced to 13 years

August 2021 - August 2022: Around 10 million fraudulent calls are made globally via iSpoof, a website that allows criminals to impersonate trusted corporations to scam victims for financial gain. The website has 59,000 registered users when it is shut down.

October 2021: The case is opened at Eurojust at the request of the UK authorities. National authorities from 10 countries, including European Union Member States and third countries, support the investigation.

November 2021, September 2022: Two coordination meetings are hosted by Eurojust to coordinate the national investigations and prepare for the joint action.

6 November 2022: The main administrator of the website is arrested. He is believed to have made a profit of between GBP 1.7 million and GBP 1.9 million (over EUR 2 million) from running the iSpoof website.

8 November 2022: In an international coordinated action led by the UK and supported by Eurojust and Europol, 142 users and administrators are arrested across the world. Judicial and law enforcement authorities in Europe, Australia, the United States, Ukraine and Canada support the operation. The website is taken offline and the servers are seized by US and Ukrainian authorities.

May 2023 – JUSTICE DONE: The main administrator of the website is sentenced to 13 years and 4 months of imprisonment by Southwark Crown Court in the United Kingdom.