Computer and Cybercrime Defense in the U.S.

Federal and state prosecutors pursue computer and cybercrime charges under a complex web of overlapping statutes, making the classification of conduct — and the selection of applicable law — a central issue in any defense. This page covers the statutory framework governing computer crimes in the United States, the procedural mechanisms through which charges are investigated and prosecuted, common factual scenarios that give rise to charges, and the legal boundaries that distinguish criminal liability from conduct that may be civilly actionable or entirely lawful.

Definition and Scope

Computer and cybercrime in the U.S. legal context refers to criminal offenses in which a computer, network, or electronic device is either the target of an attack, the instrument used to commit an offense, or the repository of evidence tied to another crime. The primary federal statute is the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, which criminalizes unauthorized access to protected computers and covers a range of conduct from intrusion to fraud to extortion. A "protected computer" under § 1030(e)(2) includes any computer used in or affecting interstate commerce — a definition broad enough to encompass virtually every device connected to the internet (18 U.S.C. § 1030, via Cornell LII).

The Electronic Communications Privacy Act (ECPA), 18 U.S.C. §§ 2510–2523, governs interception of electronic communications and establishes distinct criminal penalties for wiretapping and unlawful access to stored communications. The Identity Theft Enforcement and Restitution Act of 2008 strengthened CFAA provisions and expanded federal jurisdiction over cases where the attacker and victim are located in the same state.

Beyond the CFAA, federal prosecutors also invoke:

  1. Wire Fraud — 18 U.S.C. § 1343, carrying penalties up to 20 years per count
  2. Money Laundering — 18 U.S.C. § 1956, often layered onto cybercrime schemes involving cryptocurrency
  3. Aggravated Identity Theft — 18 U.S.C. § 1028A, which carries a mandatory 2-year consecutive sentence (18 U.S.C. § 1028A, via Cornell LII)
  4. Child Exploitation Statutes — 18 U.S.C. §§ 2251–2260, applicable when online conduct involves minors
  5. RICO — 18 U.S.C. §§ 1961–1968, used against organized cybercrime networks (see RICO Act Criminal Defense)

All 50 states maintain independent computer crime statutes that may run parallel to or independently of federal charges. The interplay between federal and state criminal jurisdiction is a threshold question in every cybercrime case.

How It Works

Cybercrime investigations typically follow a multi-phase structure driven by federal agencies, most often the FBI Cyber Division, the U.S. Secret Service Electronic Crimes Task Forces, and the Department of Justice Computer Crime and Intellectual Property Section (CCIPS).

Phase 1 — Detection and Referral. Incidents are flagged through corporate breach reports, tips to the Internet Crime Complaint Center (IC3) at the FBI, or signals intelligence. The IC3 received 880,418 complaints in 2023, with reported losses exceeding $12.5 billion (FBI IC3 2023 Annual Report).

Phase 2 — Digital Evidence Collection. Investigators obtain search warrants under Federal Rule of Criminal Procedure 41 for electronic devices. Network logs, IP records, and metadata are preserved under legal hold. The Fourth Amendment's application to digital searches has been substantially shaped by Carpenter v. United States, 585 U.S. 296 (2018), in which the Supreme Court held that government access to cell-site location information generally requires a warrant. Digital evidence in criminal defense presents unique authentication and chain-of-custody challenges.

Phase 3 — Grand Jury and Charging. Cybercrime cases at the federal level typically proceed through a grand jury process where prosecutors present evidence under seal. Charges may be filed as a criminal complaint first, with indictment to follow.

Phase 4 — Prosecution and Sentencing. The U.S. Sentencing Commission Guidelines Manual, specifically §§ 2B1.1 and 2B2.3, govern base offense levels for most computer fraud and intrusion offenses. Enhancements apply based on loss amount, number of victims, and whether the offense involved critical infrastructure (U.S. Sentencing Commission, USSG § 2B1.1).

Common Scenarios

Cybercrime charges arise across a broad spectrum of factual contexts. The following scenarios represent the most frequently prosecuted categories:

Decision Boundaries

Several legal thresholds determine whether conduct constitutes a criminal offense, a lesser infraction, or lawful activity:

Authorization vs. Unauthorized Access. Post-Van Buren, an individual who accesses a computer for an improper purpose but within the scope of their technical authorization does not violate the CFAA. The distinction is between which files a user may access, not why they access them.

Intent Requirements. Most CFAA subsections require proof of knowing or intentional conduct; negligent or accidental access generally does not satisfy the mens rea threshold. Security researchers who exceed scope during vulnerability testing occupy a contested legal space that has prompted DOJ policy guidance (DOJ CFAA Policy Guidance, May 2022).

Loss Calculation Thresholds. Felony-level CFAA charges under § 1030(c)(4) require a loss of at least $5,000 within a one-year period (18 U.S.C. § 1030(e)(11)). Below that threshold, conduct may be charged as a misdemeanor. The felony vs. misdemeanor classification of a cybercrime charge has direct consequences for sentencing exposure.

Fourth Amendment Protections. Evidence obtained through warrantless searches of digital devices is subject to suppression. The application of the exclusionary rule to forensically obtained data — including metadata, cloud storage contents, and device backups — is an active area of litigation. Suppression of evidence motions in cybercrime cases frequently turn on whether law enforcement complied with ECPA and Rule 41 requirements.

State vs. Federal Prosecution. Conduct meeting both federal CFAA elements and state computer crime statutes may be prosecuted in either forum, or both sequentially without violating double jeopardy protections. The criminal case process differs materially depending on whether charges are filed in federal or state court.

Expert and Forensic Evidence. Cybercrime prosecutions are heavily dependent on forensic evidence and expert witnesses. Chain-of-custody failures, improper forensic imaging, or failure to account for network address translation (NAT) in IP attribution can undermine the government's case.
