DIGEST OF CYBER

ORGANIZED CRIME

SECOND EDITION
UNITED NATIONS OFFICE ON DRUGS AND CRIME
Vienna

DIGEST OF CYBER
ORGANIZED CRIME

SECOND EDITION

UNITED NATIONS
Vienna, 2022
© United Nations, December 2022. All rights reserved.

The designations employed and the presentation of material in this publication do not imply the expression of
any opinion whatsoever on the part of the Secretariat of the United Nations concerning the legal status of any
country, territory, city or area, or of its authorities, or concerning the delimitation of its frontiers or
boundaries.

Publishing production: English, Publishing and Library Section, United Nations Office at Vienna.
Preface
The present publication was developed by the United Nations Office on Drugs and Crime (UNODC), under
phase II of the global programme on implementing the United Nations Convention against Transnational
Organized Crime: from theory to practice, thanks to the generous support from the Governments of the
United Arab Emirates and the United States of America. This is an updated version of the publication,
which includes new cyber organized crime cases. It was updated thanks to the generous support of the
United Kingdom of Great Britain and Northern Ireland. The publication was drafted by Marie-Helen Maras,
with substantive support from the following UNODC staff members: Lisa Armberger, Carmen Corbin,
Colin Craig, Renata Delgado-Schenk, Wydiane Djaidi, Kamola Ibragimova, Nayelly Loya Marin, Maria
Cristina Montefusco, Riikka Puttonen and Adelaida Rivera. UNODC would also like to thank the following
persons for contributing case summaries for this digest: Élise Corsion, Margot Denier, Mariana Kiefer,
Irene Maithya, Max Menn, Lorenzo Picarella, Louise Pichler, Jesper Bay Kruse Samson and Manveer
Singh Sandhu.
To expand, disseminate and share the key findings of the case digest, through the global programme on
implementing the United Nations Convention against Transnational Organized Crime and the Global
Programme on Cybercrime, expert group meetings were held online for countries in Africa, Latin America
and the Middle East during the period 2019–2022, thanks to the support of the Governments of the United
Arab Emirates, the United Kingdom and the United States. UNODC would like to thank Janet Turnbull and
Berta Moran from the United States Department of State at the United States Embassy in El Salvador for
their support in the organization of the online expert group meetings for Latin America.
UNODC also wishes to acknowledge the contributions of numerous experts who attended the online expert
group meetings to support the development of this case digest and the following people who provided cases
highlighted in the present publication (listed in alphabetical order by country name): Cristina Giordano,
María Alejandra Mangano and Franco Pilnik (Argentina); James Popham (Canada); Daniel Soto (Chile);
Romel David Arévalo Gómez and Nelly Johanna Molina Alarcón (Colombia); Rodrigo Picado Mena (Costa
Rica); Marta Pelechová (Czechia); Patricia Alejandra Padilla (Dominican Republic); Mohamed Khalaf
(Egypt); Raymundo Alirio Carballo Mejia (El Salvador); Ingrid Serwah Asare (Ghana); Ihab Al Moussaoui
(Iraq); Enrique Juárez Cienfuegos and Hector Javier Talamantes Abe (Mexico); Giselle M. Acosta González
(Panama); Seongjin Park (Republic of Korea); Ultrich Kruger (South Africa); Joseph Budd, Alex Chung
and Charles Lee (United Kingdom); and Louisa Marion, Chad McHenry and Kelly Pearson (United States)
and. Marcus Asner also contributed to the development of this case digest in this manner.

iii
CONTENTS
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii
Explanatory notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

I. INTRODUCTION. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
A. Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
B. Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
C. Target audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
D. Structure of the publication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

II. CYBER ORGANIZED CRIME: WHAT IS IT? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

A. Cyber organized criminal group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
B. Criminalization of participation in cyber organized crime . . . . . . . . . . . . . . . . . . 10
1. Conspiracy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2. Criminal association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

III. CYBER ORGANIZED CRIMINAL GROUPS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

A. Structure, organization and types of criminal groups that engage in
cyber organized crime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1. Groups that predominantly operate online. . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2. Groups that operate offline and online . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3. Groups that predominantly operate offline. . . . . . . . . . . . . . . . . . . . . . . . . . . 18
B. Roles within a cyber organized criminal group . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
C. Geographical organization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
D. Gender and cyber organized crime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

IV. TOOLS USED BY PERPETRATORS OF CYBER ORGANIZED CRIME . . . . . . . . . . . . . . . 26

V. TYPES OF CYBER ORGANIZED CRIME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

A. Cyber-dependent crime. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
1. Illegal access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
2. Illegal interception or acquisition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3. Data and system interference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
4. Misuse of devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
B. Cyber-enabled crime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
1. Computer-related fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
2. Computer-related identity offences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
3. Falsified medical product-related crime . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

v
 4. Counterfeiting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
5. Extortion, blackmail and ransom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
6. Child sexual abuse and child sexual exploitation . . . . . . . . . . . . . . . . . . . . . 76
7. Trafficking in persons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
8. Smuggling of migrants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
9. Drug trafficking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
10. Trafficking in firearms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
11. Trafficking in wildlife. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
12. Trafficking in cultural property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
13. Money-laundering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
14. Internet gambling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

VI. RELEVANT PROCEDURAL ISSUES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

A. Jurisdiction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
B. Identification, tracing, freezing or seizure of assets and confiscation of
proceeds of crime. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
C. Special investigative techniques. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
1. Electronic surveillance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
2. Undercover operations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
3. Controlled delivery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
4. Other techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
D. Collection and use of electronic evidence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
1. Expedited preservation of data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
2. Production orders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
3. Real-time collection of communication traffic data. . . . . . . . . . . . . . . . . . . . 122
4. Interception of content data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
5. Destruction of evidence and interference with law enforcement
investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
E. International cooperation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
1. Extradition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
2. Mutual legal assistance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
3. Law enforcement cooperation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
4. Joint investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

VII. CONCLUSIONS AND LESSONS LEARNED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

ANNEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
List of cases involving cyber organized crime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

vi
Explanatory notes
Mention of any firm, product, service or licensed process does not imply endorsement or criticism by the
United Nations.
Mention of any case in the present publication does not imply endorsement of any kind.
Symbols of United States documents are composed of capital letters combined with figures. Mention of
such a symbol indicates a reference to a United Nations document.
The following abbreviations have been used:
ATM automatic teller machine

COVID-19 coronavirus disease

DNS Domain Name System

Europol European Union Agency for Law Enforcement Cooperation

FBI Federal Bureau of Investigation (United States of America)

ICT information and communications technology

I2P Invisible Internet Project

PIN personal identification number

SHERLOC Sharing Electronic Resources and Laws on Crime

SIM subscriber identification module

Tor The Onion Router

UNESCO United Nations Educational, Scientific and Cultural Organization

UNODC United Nations Office on Drugs and Crime

vii
CHAPTER I.
INTRODUCTION
DIGEST OF CASES

I. INTRODUCTION
The present case digest contains an analysis of cases of cyber organized crime. The digest is global in scope
and attempts, to the extent possible, to ensure an equitable representation of cases from different geographical
regions and legal systems. On the basis of more than 130 cases from 30 jurisdictions, observations are made
about the ways in which cyber organized crime is identified in case law and how this illicit activity is investi-
gated, prosecuted and adjudicated across jurisdictions. The case digest examines the structure and organiza-
tion of cyber organized criminal groups, tools used by perpetrators of cyber organized crime, types of cyber
organized crime and procedural issues relating to the investigation, prosecution and adjudication of
cyber organized crime cases. The case digest contains summaries of relevant judicial proceedings concerning
cyber organized crime, organized according to theme. The ultimate goals of the digest are to identify cases
involving cyber organized crime and the manner in which such crime has been investigated, prosecuted and
adjudicated in different areas of the world. The digest concludes by identifying challenges to investigating,
prosecuting and adjudicating cases involving cyber organized crime, as well as the lessons learned for criminal
justice professionals, including some of the challenging aspects of criminal justice responses to such crime.

A. Background
Information and communications technology (ICT) has transformed conceptions of organized crime.
Specifically, ICT has had an impact on the nature of organized crime activities and the types of individuals
who can participate in organized crime. This transformation includes changes not only in the types of
offences committed and the modi operandi used by organized criminal groups, but also the variety of indi-
viduals who can participate in organized crime. Some traditional organized criminal groups are gradually
expanding from offline criminal activities to cybercrime, although, to date, this has not been observed as a
full transition. What has been observed is the movement of certain illicit activities and operations of these
groups online. Such groups are also increasingly seeking to cooperate with cybercriminals who have the
critical and essential skills that these groups can use or actually need to execute certain operations. These
individuals can be, for example, coders (i.e., individuals responsible for developing malicious software
(malware), exploits and other tools used to commit cybercrime) and hackers (i.e., individuals responsible
for exploiting the vulnerabilities of systems, networks and applications).1
ICT has also transformed the way in which certain groups are structured and organized. It removes the need
for face-to-face contact between individuals and enables individuals who have never met before to work
closely together and coordinate their activities from anywhere in the world. Criminals within these groups
can collaborate on illicit activities and objectives using aliases; thus, the risk of revealing their identities and
locations to other members of the group is relatively low.
In addition to the evolution in the structure of traditional organized criminal groups, what has also been
observed is the formation of “new” groups and networks that commit cybercrimes and operate partially,
predominantly or fully online. These groups exhibit behaviours similar to those of traditional organized
criminal groups – particularly the use of their structure and special procedures, which are designed to pre-
serve the anonymity of their members and evade detection by law enforcement agencies.
Moreover, ICT has further removed the barriers for entry into illicit markets. No longer limited by geo-
graphical locations, individuals can be part of organized criminal groups from anywhere in the world. This
technology also provides criminals with the infrastructure, goods, personnel and customers needed to
engage in activities related to cyber organized crime.2 For these reasons, ICT has played a critical role in the
expansion of illicit markets and networks and has made illicit business models more efficient and effective.
Ultimately, cyberspace provides organized criminal groups with a space within which they can conduct

1
Steven R. Chabinsky, Deputy Assistant Director, Cyber Division Federal Bureau of Investigation, “The cyber threat: who’s
doing what to whom?”, speech at the GovSec/FOSE Conference, Washington, D.C., 23 March 2010; and Roderic Broadhurst and
others, “Organizations and cybercrime: an analysis of the nature of groups engaged in cyber crime”, International Journal of Cyber
Criminology, vol. 8, No. 1 (2014), pp. 1–20.
2 
Marie-Helen Maras, Cybercriminology (New York, Oxford University Press, 2017).

2
 CHAPTER I.  INTRODUCTION

their illicit activities with a degree of anonymity, exploit the gaps in the legal systems throughout the world,
conduct operations and access clients anywhere in the world. The problem of transnational organized crime
is thus further compounded by ever-increasing global connectivity and the borderless realm of
cyberspace.
One of the main challenges is to identify cyber organized crime and cyber organized criminal groups, as
well as the extent to which these groups operate exclusively, predominantly and/or partially online. At the
present time, little is known about cyber organized crime. While there is a growing body of research into
various forms of cybercrime, there is comparatively less research on cyber organized crime. While cyber
organized crime is a dimension of cybercrime, it requires separate consideration and study. This separate
consideration and study can help to shed light on the serious cybercrimes perpetrated by multiple partici-
pants working together to achieve a goal and protect their online criminal activities. Without understanding
the exact nature and extent of the threat, States continue to struggle in containing the security threat
emanating from cyber organized crime. Moreover, without this information, policymakers and other stake-
holders cannot make informed decisions in response to cyber organized crime and identify proper courses
of action to respond to or otherwise address cyber organized crime. To remedy this, the present case digest
seeks to shed light on cyber organized crime and identify cyber organized crime cases from different
regions. It identifies and analyses cyber organized crime cases in an attempt to determine not only key char-
acteristics of this form of crime and the groups that commit such crime, but also gaps in knowledge and
criminal justice practices as they relate to the investigation, prosecution and adjudication of cases involving
this crime.
There is no international consensus on a definition of cyber organized crime. However, for the purpose of
this digest only, cyber organized crime will be interpreted broadly to include either a cyber-enabled crime3
or a cyber-dependent crime4 and involve either an organized criminal group (defined in article 2 of the
United Nations Convention against Transnational Organized Crime) or an offence established in accord-
ance with article 5 of the Convention (i.e., conspiracy or criminal association).5 The digest identifies and
analyses cyber organized crime cases from various regions with the objective of finding out the ways in
which cases involving such crime are investigated, prosecuted and adjudicated, as well as the limitations of
and lessons learned from criminal justice responses to such crime.

B. Methodology
The research for this digest predominantly involved a systematic review of primary sources, supplemented
by secondary sources. The research began with the identification of cyber organized crime cases in the case
law database of the Sharing Electronic Resources and Laws on Crime (SHERLOC) knowledge manage-
ment portal of the United Nations Office on Drugs and Crime (UNODC). The database does not record
cases involving cyber organized crime but includes cases that cover both “cybercrime” and “participation
in an organized criminal group”.
Following the review of the SHERLOC case law database and the identification of cyber organized crime
cases in the database, cases were solicited from experts participating in four regional expert group meetings
on cyber organized crime that were held online (the first meeting, hosted by the United Arab Emirates, was

3 
Cyber-enabled crimes are traditional crimes that are facilitated (in some way) by information and communications technology
(ICT). For cyber-enabled crimes, ICT plays a key role in the method of operation (i.e., modus operandi of the offender or offenders;
see also United Nations Office on Drugs and Crime (UNODC) Teaching Modules, Cybercrime, Module 1: introduction to cybercrime,
“Cybercrime in brief”. Available at sherloc.unodc.org/cld/en/education/tertiary/cybercrime/module-1/index.html.
4 
For cyber-dependent crimes, which include crimes that “can only be committed using computers, computer networks or other
forms of information communication technology”, ICT is the target of the crime (Mike McGuire and Samantha Dowling, “Cyber-
dependent crimes”, in Cybercrime: A Review of the Evidence, Home Office Research Report 75 (London, 2013), p. 4; see also
European Union Agency for Law Enforcement Cooperation (Europol), European Cybercrime Centre, Internet Organised Crime
Threat Assessment 2018 (The Hague, 2018), p. 15).
5 
Organized criminal groups are involved in the commission of cyber-assisted, cyber-enabled and cyber-dependent crimes. Cyber-
assisted crimes are those crimes where ICT is incidental to the illicit act (e.g., technology is used to facilitate communication between
members). While organized criminal groups utilize ICT to communicate and coordinate activities, the use of this technology in this
manner is not considered a cybercrime because it is incidental and not integral to the crime. For this reason, cyber-assisted crimes are
excluded from consideration in this digest.

3
DIGEST OF CASES

held from 21 to 24 September 2020; the second meeting, hosted by the United States Embassy in
El Salvador, was held from 19 to 21 February 2021; the third meeting, hosted by UNODC, was held from
24 to 26 November 2021; and the fourth meeting, hosted by the United States Embassy in El Salvador, was
held from 29 to 31 March 2022), as well as from States, volunteers and UNODC staff. Desk research was
also performed using private case law databases (e.g., LexisNexis and Westlaw), open case law databases
(government databases, legal information institutes), secondary literature (e.g., law journals and academic
publications) and media sources (wherever needed). Moreover, the digest draws on an earlier work by
UNODC, which included some cases of cyber organized crime involving trafficking in persons, particularly
the 2021 research brief of UNODC on trafficking in persons and Internet technologies, as well as the cases
presented at its supplementary expert group meeting on trafficking in persons and Internet technologies,
held in Vienna from 25 to 27 November 2019.
This case digest is primarily based on primary sources and hence access to court documents such as judg-
ments, indictments and/or transcripts was a prerequisite for inclusion in the digest. The guiding principles
for selection were: (a) representation of a variety of dimensions and issues relating to cyber organized
crime; (b) representation of a variety of geographical regions and legal systems; and (c) conclusion of the
cases within the period 2000–2020, which is the period covered by this case digest. Classified information
does not appear in the digest, and the names of defendants appear in the digest only if the names appear in
the official case citation. The cases referred to in the case digest are not the only ones that concern the sub-
ject of this digest. The most relevant cases or those considered to be good examples of cases involving cyber
organized crime are cited in this document. At the same time, inclusion of a particular case in this digest
does not imply endorsement of any kind by UNODC.
The identification of cases involving cyber organized crime in case law is challenging because the cases
are not recorded as cyber organized crime. In many cases involving cyber organized crime, individuals
are not charged with organized crime and/or participation in an organized criminal group; and/or cyber
organized crime, organized criminal groups and/or participation in an organized criminal group are not
explicitly mentioned. For these reasons, the identification of a case involving cyber organized crime
requires a thorough examination of the details of the case in court documents. Accordingly, for this
digest, court documents were examined and analysed to identify essential elements of cyber organized
crime, such as the existence of organized criminal groups or participation in an organized criminal group,
and the engagement of defendants in cyber-dependent and/or cyber-enabled crime. Another challenge
was obtaining court transcripts and other court documents relating to the cases. These documents were
not always publicly available or publicly accessible. A further challenge was identifying cases from a
variety of geographical regions and legal systems. Cases from certain developed countries were more
readily available. Nonetheless, even in such countries, access to many judicial decisions is restricted by
a paywall. In least developed countries, there may be no (or only a limited number of) judicial decisions
that are accessible online. Language limitations of the researchers and drafters working on the case digest
posed an additional challenge.
Other limitations are inherent in this methodology. The case digest is not a comprehensive review of all
judicial decisions dealing with cyber organized crime in all countries. A fully comprehensive review of
all countries is well beyond the scope of this digest. Moreover, the use of judicial decisions as a method-
ology for the development of the publication also has inherent limits. Concluded judicial decisions come
at the end of a long process of investigation, prosecution and adjudication of offences. At each stage of
this process, various factors affect whether and how a case proceeds to the next stage. First, some types
of cybercrime are more likely than others to be reported to authorities for investigation. This may be
attributable to a variety of factors, including who the victims are and the size and nature of the harm
caused. Secondly, not all offences reported to authorities proceed to the investigation stage. In addition
to the aforementioned factors, whether an investigation is opened may also depend on law enforcement
priorities and resources. Thirdly, not all offences that are investigated lead to charges being laid. This
may be affected by a range of issues such as lack of evidence, difficulties with international cooperation,
difficulties with jurisdiction and difficulties with identifying and extraditing suspects. Fourthly, not all
cases in which charges are laid will proceed to trial. In some countries, prosecutors have a discretion as
to which cases should be brought to trial. Charges may be dropped where prosecution is deemed not to
be in the best interests of the community. Charges may also be dropped where there is a lack of evidence

4
 CHAPTER I.  INTRODUCTION

or as part of incentives to cooperate with law enforcement. Only a minority of cases will reach the end of
this process and be subject to a final judicial decision, whether a conviction or acquittal. Finally, not all
cases that are subject to a final judicial decision will be published. The factors that hinder investigation,
prosecution, adjudication and publication of cases will vary according to, inter alia, the crime in question
and the country in which it takes place. Factors that hinder investigation, prosecution, adjudication and
publication are likely to be more pronounced in least developed countries. Each of the aforementioned
factors can have an effect on the type of cases obtained for inclusion in the case digest and on the coun-
tries represented in the digest. Accordingly, the case digest cannot be considered a representative sample
of all cases involving cyber organized crime in all countries. Nevertheless, within these limitations, the
case digest seeks to provide a broad overview of cyber organized crime threats faced in countries through-
out the world and the responses of investigators, prosecutors and the judiciary.

C. Target audience
The present digest is designed for a wide audience of readers. It is intended to serve as a reference guide
to help criminal justice actors identify and counter cyber organized crime and address the challenges in
investigating, prosecuting and adjudicating cyber organized crime. Academics, researchers, practitioners,
policymakers, legislators and proponents of legislative reform may also find this digest useful. Ultimately,
the digest can be used as a resource on what cyber organized crime entails and the manner in which it is
investigated, prosecuted and adjudicated worldwide.

D. Structure of the publication

The publication is divided into five main chapters, in addition to the chapter containing the introduction and
the chapter on conclusions and lessons learned. Specific cases involving cyber organized crime are high-
lighted in boxes in the body of the text. A list of cases involving cyber organized crime appears in the annex.
Subjects covered in the publication include the structure, organization and types of cyber organized crimi-
nal groups; tools used by perpetrators of cyber organized crime; types of cyber organized crime; and
procedural issues relating to the investigation, prosecution and adjudication of cases involving cyber organ-
ized crime.
The types of criminal groups that engage in cyber organized crime include groups that predominantly oper-
ate online and commit cybercrime; those that operate offline and online and engage in both offline crime
and cybercrime; and groups that predominantly operate offline and engage in cybercrime to expand and
facilitate offline activities.
The tools used by perpetrators of cyber organized crime include tools such as the clearnet (or the surface
web), licit online marketplaces, social media platforms, the darknet, secure communications platforms,
online payment services and digital currencies.
Cyber organized crime includes all forms of cyber-dependent or cyber-enabled crime committed by an
organized criminal group and/or those who participate in an organized criminal group. Cyber-dependent
crime includes acts against the confidentiality, integrity and availability of computer systems and data (such
as illegal access to a computer system and/or computer data, illegal interception of computer data and/or
acquisition of computer data, illegal computer system and data interference); and illegal production, distri-
bution, use and possession of computer misuse tools. Cyber-enabled crime includes traditional criminal acts
that are facilitated (in some way) by ICT, such as computer-related fraud or forgery; computer-related
identity offences; crime involving falsified medical products; counterfeiting; blackmail, extortion and
ransom; offences involving child sexual abuse and child sexual exploitation; trafficking in persons; smug-
gling of migrants; drug trafficking; trafficking in firearms; trafficking in wildlife; trafficking in cultural
property; money-laundering; and Internet gambling.
The chapter on relevant procedural issues covers issues relating to jurisdiction; identification, tracing, freez-
ing, seizure and confiscation of proceeds of crime; special investigative techniques (electronic surveillance,
undercover operations, controlled delivery and other techniques); the collection and use of electronic

5
DIGEST OF CASES

evidence (expedited preservation of data, production orders, real-time collection of communication traffic
data, and interception of content data); and various forms of international cooperation (extradition, mutual
legal assistance, law enforcement cooperation and joint investigations).
Finally, the digest includes a chapter on conclusions and lessons learned in the investigation, prosecution
and adjudication of cases involving cyber organized crime.

6
 CHAPTER II.
CYBER ORGANIZED CRIME:
WHAT IS IT?
DIGEST OF CASES

II.  CYBER ORGANIZED CRIME: WHAT IS IT?

There is no international consensus on the definition of cyber organized crime.6 For the purpose of this
digest only, cyber organized crime is being viewed broadly as any cyber-dependent and/or cyber-enabled
crime that is either: (a) committed by an organized criminal group, as defined in article 2, subparagraph (a),
of the United Nations Convention against Transnational Organized Crime, adopted in 2000; or (b) involving
an offence established in accordance with article 5 of the Convention, which covers the criminalization of
participation in an organized criminal group. Each of these elements are explored in the sections that follow.

A. Cyber organized criminal group

Cyber organized criminal groups are organized criminal groups that commit cyber organized crime.
An organized criminal group is defined in article 2, subparagraph (a), of the Organized Crime Convention
as “a structured group of three or more persons, existing for a period of time and acting in concert with the
aim of committing one or more serious crimes or offences established in accordance with this Convention,
in order to obtain, directly or indirectly, a financial or other material benefit”.
In article 2, subparagraph (c) of the Convention, “structured group” is defined as “a group that is not ran-
domly formed for the immediate commission of an offence and that does not need to have formally defined
roles for its members, continuity of its membership or a developed structure”. A structured group is thus not
necessarily one that is hierarchical. For this reason, a decentralized and/or loosely affiliated group can be
considered a “structured group”.7
The aforementioned definition of an organized criminal group states that the group must exist for a “period
of time”. This requirement can be interpreted as “any period of time”.8 The organized criminal group must
also “act in concert”, which means that “members of the organized criminal group act together”.9 The defi-
nition also includes the requirement that the group engage in serious crime. The term “serious crime” is
defined in the Convention by referring not to particular types of criminal activity but to the applicable pen-
alties. Specifically, “serious crime” is defined in article 2, subparagraph (b), of the Convention as “conduct
constituting an offence punishable by a maximum deprivation of liberty of at least four years or a more
serious penalty”.
Finally, to be considered an organized criminal group, the group must commit “serious crimes or offences
established in accordance with this Convention”10 in order to obtain some form of “financial or other mate-
rial benefit”. There is no prerequisite, however, that the predominant aim of the organized criminal group is
a “financial or other material benefit”. The term “other material benefit” is not limited to financially related
or equivalent benefits. According to the Travaux Préparatoires of the Negotiations for the Elaboration of
the United Nations Convention against Transnational Organized Crime and the Protocols Thereto, the term
“should be interpreted broadly, to include personal benefits such as sexual gratification”. This is to ensure
that groups involved in, for instance, child sexual abuse for non-monetary reasons are not excluded.11

6 
UNODC, Comprehensive Study on Cybercrime, draft (Vienna, 2013); Broadhurst and others, “Organizations and cybercrime”;
see also UNODC Teaching Modules, Cybercrime, Module 13: cyber organized crime, “Conceptualizing organized crime and defining
the actors involved”. Available at sherloc.unodc.org/cld/en/education/tertiary/cybercrime/module-13/index.html.
7 
See also UNODC Teaching Modules, Organized crime, Module 1: Definitions of organized crime, “Activities, organization and
composition of organized criminal groups”. Available at sherloc.unodc.org/cld/en/education/tertiary/organized-crime/module-1/
index.html; UNODC Teaching Modules, Cybercrime, Module 13: cyber organized crime, “Conceptualizing organized crime and
defining the actors involved”. Available at sherloc.unodc.org/cld/en/education/tertiary/cybercrime/module-13/index.html.
8 
UNODC, Model Legislative Provisions against Organized Crime (Vienna, 2012), p. 8.
9 
UNODC, Legislative Guide for the Implementation of the United Nations Convention against Transnational Organized Crime
(Vienna, 2016), para, 35.
10 
The “offences established in accordance with this Convention” that are mentioned in the definition of “organized criminal
group” are established in accordance with article 5 (criminalization of participation in an organized criminal group), article 6 (crim-
inalization of the laundering of proceeds of crime), article 8 (criminalization of corruption) and article 23 of this Convention (crimi-
nalization of obstruction of justice).
11 
Travaux Préparatoires of the Negotiations for the Elaboration of the United Nations Convention against Transnational
Organized Crime and the Protocols Thereto (United Nations Publications, 2006), p. 17; cited in UNODC, Legislative Guide for the
Implementation of the United Nations Convention against Transnational Organized Crime, para. 34.

8
 CHAPTER II.   Cyber organized crime: What is it?

The requirement that the organized group commit a serious crime to obtain some form of “financial or other
material benefit” is not a universal requirement in national legislation on organized crime, however. In the
United Kingdom of Great Britain and Northern Ireland, for example, the definition of an organized criminal
group (or organized crime group, as it is called in the Serious Crime Act 2015) does not refer to “financial
or other material benefit”. Instead, the Act refers to a group of “three or more persons who act, or agree to
act, together to further” a criminal purpose.12 Likewise, in Germany, the law’s definition of an organized
criminal group does not include an element concerning the purpose of obtaining a financial or other mate-
rial benefit.13 In a case before the Federal Court of Justice of Germany, a group of seven persons charged
with and convicted for inciting hatred and distributing unconstitutional content via an Internet radio show
(European Brotherhood Radio) were considered a “criminal organization” (see the box below).14

BGH, Beschluss vom 19.04.2011, 3 StR 230/10 (Germany)

In June 2008, the defendants W., P., M. and R. formed a structured association to disseminate
inciteful and otherwise criminal songs via an Internet radio stream. W., who had risen to organizer
and head of the organized criminal group in the summer of 2007, rented a server and created the
website “European Brotherhood Radio”. The radio stream could be accessed from this site.
Furthermore, instructions for building explosives and explosive devices could be found on the sub-
page Sprengmeister (demolition expert).

Regarding the technical functioning of the radio shows, W. provided the defendants P. and M, and
later also the defendants B., Br. and F., with access that enabled them to control and moderate the
radio stream. The defendants W. and P. also moderated their own radio shows, where they – in part
together, in part on their own – played right-wing extremist songs and other illegal content.
Moreover, they recruited other persons to moderate the shows, including the defendants B., Br. and
F., and advertised the positions by using stickers, banners, jingles, etc. on the website as well as on
the subpages. On 21 February 2009, they also organized an advertising event for the radio. Defendant
M. rented the radio stream through which the shows aired and were heard by 20–50 people. He also
moderated a continuous broadcast from 24 to 26 February 2009 where he played right-wing extrem-
ist songs with inciteful and otherwise illegal content. Defendant R. invested several small amounts
of money, including for the creation of the banner and the rent of the radio stream, and maintained
the chat rooms on the website.

All of the defendants were convicted of forming a criminal organization. Moreover, the defendants
had thousands of right-wing extremist files in their possession in order to make them available to
the listeners of the radio shows. For this reason, they were convicted for the offences of incitement
of masses, dissemination of propaganda material of unconstitutional organizations, and use of
symbols of unconstitutional organizations. Independent of the radio stream, defendant W. was in
possession of two objects banned under the Weapons Act, as well as a gun and ammunition requir-
ing a licence, which he did not have.

For more information on this case, see UNODC Sharing Electronic Resources and Laws on Crime
(SHERLOC) case law database, Case No. DEUx028.a

a
Available at https://sherloc.unodc.org/.

12 
United Kingdom of Great Britain and Northern Ireland, Serious Crime Act of 2015, sect. 45 (6).
13 
Germany, Criminal Code, sect. 129.
14 
Germany, Federal Court of Justice Decision No. 3 StR 230/10 of 19 April 2011 (BGH, Beschluss vom 19.04.2011, 3 StR
230/10).

9
DIGEST OF CASES

B. Criminalization of participation in cyber organized crime

Article 5 of the Organized Crime Convention requires States parties to the Convention to adopt legislative
and other measures to establish as a criminal offence participation in an organized criminal group as a crim-
inal offence, creating criminal liability for persons who intentionally participate in or contribute to the
criminal activities of organized criminal groups.15 This offence broadens criminal liability beyond criminal
activities committed by groups, by holding individual actors responsible for their participation in serious
crimes involving these groups. A person can be held accountable for their role in planning, organizing,
directing, supporting, facilitating or otherwise assisting in the commission of a serious crime relating to an
organized criminal group, even if an offence has not been or has not yet been committed by the person.16
National laws criminalize participation in a criminal organization. However, those laws diverge in the
manner in which participation in an organized criminal group is criminalized.

1. Conspiracy
In common-law countries, conspiracy is used to address criminal participation in an organized criminal
group. Conspiracy is a voluntary agreement between two or more persons to commit an illicit act. In article 5,
paragraph 1 (a) (i), of the Organized Crime Convention, conspiracy is paraphrased as “agreeing with one or
more persons to commit a serious crime for a purpose relating directly or indirectly to the obtaining of a
financial or other material benefit and, where required by domestic law, involving an act undertaken by one
of the participants in furtherance of the agreement or involving an organized criminal group”.

Table 1. Elements of conspiracy in the United Nations Convention against Transnational

Organized Crime

Provision in Physical element Mental element

the Convention (actus reus) (mens rea)

Article 5, Agreeing with one or more The agreement was entered into
paragraph 1 (a) (i) other persons to commit intentionally. The agreement was made
a serious crime for a purpose relating directly or
indirectly to obtaining a financial or other
material benefit.

Source: UNODC, Model Legislative Provisions against Organized Crime (Vienna, 2021).

The crime that is part of this voluntary agreement does not have to be committed for criminal responsibility
to apply. The crime of conspiracy is known as an inchoate crime, which is an illicit act taken towards the
preparation to commit and/or the commission of a crime. In some jurisdictions, beyond the agreement,
some action must be taken towards the commission of the crime. The crime of conspiracy is distinct from
the crime that is the object of the conspiracy (i.e., the crime that the conspirators agree to commit). For this
reason, people may be charged with and convicted for both conspiracy and the crime (or crimes) that they
agreed to commit.

15 
UNODC, Legislative Guide for the Implementation of the United Nations Convention against Transnational Organized Crime,
para. 72; and CTOC/COP/WG.2/2014/2, para. 4.
16 
UNODC, Legislative Guide for the Implementation of the United Nations Convention against Transnational Organized Crime,
para. 73; and CTOC/COP/WG.2/2014/2, paras. 4–5.

10
 CHAPTER II.   Cyber organized crime: What is it?

Regina v. Jake Levene, Mandy Christopher Lowther, Lee Childs (2017),

Crown Court Leeds, T20177358 (United Kingdom)

UKBargins (AlphaBay)
Using the computer moniker “UKBargins”, the defendants (J.L., M.C.L. and L.M.C.) sold adulterated
fentanyl and carfentanil online on AlphaBay, a darknet market. They distributed the drugs domes-
tically, in the United Kingdom of Great Britain and Northern Ireland, and internationally, in Argentina,
Canada, the United States of America and other countries, including European countries. The
majority of the customers (271 of the 443 identified customers) were overseas.a The defendants
purchased the equipment and rented premises used to create and package the products they sold
(carfentanil and fentanyl mixed with adulterants). The products were mailed to buyers using postal
services. The three defendants were charged with and sentenced for conspiracy to evade prohibi-
tion of the exportation of controlled substances and conspiracy to provide controlled substances.b
All three defendants pleaded guilty to their crimes. Two of the defendants (J.L. and M.C.L.) were
sentenced to 16 years and 6 months of imprisonment, while the third defendant (L.M.C.) received a
sentence of 10 years and 6 months of imprisonment.

For more information on this case, see UNODC, SHERLOC case law database, Case No. GBRx097.c

a
United Kingdom, Crown Court Leeds, R v. Lavene [2017], T20177358. Amended Sentence Opening. Judgment of 29 May
2018.
The specific charges were: conspiracy to evade prohibition on the exportation of a controlled drug of class A – carfentanyl;
b

conspiracy to evade prohibition on the exportation of a controlled drug of class A – fentanyl; conspiracy to supply a class A drug
– carfentanyl; and conspiracy to supply a class A drug – fentanyl. R. v. Lee Matthew Childs, Crown Court Leeds, T20177358, Order
for imprisonment of 18 January 2019; Regina v. Jake Lavene, Mandy Christopher Lowther, Lee Childs, Crown Court Leeds, Case
No. T20177358, Order for imprisonment of 18 January 2019; and Regina v. Mandy Christopher Lowther, Crown Court Leeds,
T20177358, Order for imprisonment of 18 January 2019.
c
Available at https://sherloc.unodc.org/.

2. Criminal association
In article 5, paragraph 1 (a) (ii), of the Organized Crime Convention, criminal association is paraphrased as
follows:
(ii) Conduct by a person who, with knowledge of either the aim and general criminal activity of an
organized criminal group or its intention to commit the crimes in question, takes an active part in:
a. Criminal activities of the organized criminal group;
b. Other activities of the organized criminal group in the knowledge that his or her participation
will contribute to the achievement of the above-described criminal aim.

11
DIGEST OF CASES

Table 2. Elements of criminal association in the United Nations Convention against

Transnational Organized Crime

Provision in the Physical element Mental element

Convention (actus reus) (mens rea)

Article 5, Through an act or omission, The act or omission is intentional

paragraph 1 (a) (ii) a take an active part in criminal and undertaken with knowledge
activities of the organized of the criminal nature of the group,
criminal group or of its criminal activities or
objectives.

Article 5, Through an act or omission, take The act or omission is intentional

paragraph 1 (a) (ii) b an active part in other and undertaken with knowledge that
(non-criminal) activities of the participation will contribute to the
organized criminal group achievement of the criminal aim.

Source: UNODC, Model Legislative Provisions against Organized Crime (Vienna, 2012).

Civil-law countries typically criminalize association with a group that has criminal objectives. In such
countries, a person can be charged with criminal association for illegal and/or legal activities that they
engage in on behalf of and/or for the organized criminal group. The person engaging in these acts must be
knowledgeable of the criminal nature, activities and/or objectives of the group.

Cassazione penale, sezione III, 12 Febbraio 2004, No. 8296, & Tribunale
di Siracusa, 19 Luglio 2012, No. 229 (Italy)
A case in Italy involved a chat group on MSN (“Foto di Preteen”) where child sexual abuse material
was shared among members of the community. This case represents one of the first instances in
that country where unlawful association (art. 416 of the Criminal Code (“Associazione per delin-
quere”)) was applied to criminal groups operating online. The court determined whether the legal
definition of unlawful association could be applied to online criminality.

In this case, the court identified the presence of all of the following elements of unlawful associa-
tion: (a) the existence of a bond between at least three persons that was not short term or occa-
sional; (b) the existence of a criminal plan that constituted the aim of the organization; and (c) the
existence of an organizational structure, with a minimum degree of sophistication, that enabled the
criminal plan to be carried out. The court held that the website allowed different persons to coop-
erate for a period of time. The website had a defined structure, with a webmaster who represented
the leader of the criminal association and who established and enforced a set of strict internal rules
regulating the organization – rules that all of the subscribers of the group had to follow and abide
by (e.g., rules for joining the website and punishment for non-compliance with the rules). In addi-
tion, the court held that the organization achieved its objectives through the website, which enabled
the collection and distribution of child sexual abuse material. Citing the above-mentioned findings
and reasons, the court concluded that the legal definition of organized crime could also be applied
to online criminal groups.

For more information on this case, see UNODC, SHERLOC case law database, Case No. ITAx030.a

a
Available at https://sherloc.unodc.org/.

12
CHAPTER III.
CYBER ORGANIZED
CRIMINAL GROUPS
DIGEST OF CASES

III.  CYBER ORGANIZED CRIMINAL GROUPS

The structure, organization and types of cyber organized criminal groups vary, as do the roles within those
groups. The geographical location and/or concentration or distribution of members of the groups also vary.
The same holds true for the gender of members of cyber organized criminal groups and those who partici-
pate in cyber organized crime, as well as the gender of victims of cyber organized crime. Each of these
issues are explored below.

A. Structure, organization and types of criminal groups that

engage in cyber organized crime
The structural complexity and organization of cyber organized crime vary. Cyber organized criminal groups
range from those with hierarchical structures, with some form of centralization, division of labour and
identifiable leaders, to those that are transient, fluid, lateral, loosely affiliated and decentralized networks.17
DrinkorDie, a group of copyright infringers/digital pirates, was a hierarchical group with a clear division of
labour and roles within the group.18 By contrast, Dream Market was a decentralized network made up of
diffused, loosely structured groups.19 In some cases, the structure and organization of the groups were not
connected to people but to the online site within which they operated. This has been observed on illicit
online market sites on both the clearnet (i.e., the visible web) and the darknet.20
Cyber organized criminal groups use online forums and platforms to regulate and control their provision
of illicit goods and services. Other cyber organized criminal groups have service-providing structures
(i.e., they offer crime as a service).21 For instance, the Shadowcrew, an international organization with
approximately 4,000 members, promoted and facilitated a wide variety of criminal activities online, includ-
ing electronic theft of personal identifying information, credit card and debit card fraud, and the production
and sale of false identification documents.22 These groups are composed in a manner that makes the provi-
sion of their services possible by, for example, leveraging multi-skilled members and/or associates who can
provide the services. The Shadowcrew divided labour according to specific skills in order to facilitate its
operations.
These groups exhibit behaviours similar to those of traditional organized criminal groups, particularly the
use of structure and procedures that are designed to preserve the anonymity of members and avoid the
attention of law enforcement agencies by deploying operational security measures to hide their identities
and activities.23 For example, the Bayrob group redirected users seeking assistance or seeking to report
crime to websites that they controlled, thus evading detection by private organizations, security companies

17 
See also UNODC Teaching Modules, Cybercrime, Module 13: cyber organized crime, “Criminal groups engaging in cyber
organized crime”. Available at sherloc.unodc.org/cld/en/education/tertiary/cybercrime/module-13/index.html.
18 
Federal Court of Australia, Hew Raymond Griffiths v. United States of America, 143 FCR 182 (2005), 2005 WL 572006
(DrinkorDie leader); see also United States, Department of Justice, “Extradited software piracy ringleader sentenced to 51 months in
prison”, press release, 22 June 2007.
19 
United States District Court, United States of America v. Gal Vallerius (2018).
20 
See, for example, Southern District of New York, United States of America v. Gary Davis, Case No. 1:13-CR-950-2, 26
July 2019 (UNODC, SHERLOC case law database, Case No. USAx156) (Silk Road); United States of America v. Ross William
Ulbricht, Case No. 15-1815 (2d Circuit 2017), 31 May 2017 (UNODC, SHERLOC case law database, Case No. USAx202); Western
District of Louisiana, United States of America v. John Doe #1, Edward Odewaldt, et al., Case No. 10-CR-00319, Third Superseding
Indictment, 16 March 2011, pp. 4–5 (Dreamboard); Western District of Washington, United States of America v. Brian Richard Farrell,
Case No. 2:15-CR-29-RAJ (Silk Road 2.0), 17 January 2015); United States District Court, United States of America v. Gal Vallerius
(Dream Market).
21 
Crime as a service refers to criminals’ provision of services that facilitate crimes and/or cybercrimes (Maras, Cybercriminology);
Roderic Broadhurst and others, Malware Trends on “Darknet” Crypto-markets: Research Review – Report of the Australian National
University Cybercrime Observatory for the Korean Institute of Criminology (Canberra, Australian National University, Cybercrime
Observatory, 2018).
22 
United States District Court, District of New Jersey, United States of America v. Andrew Mantovani et al., Criminal Indictment,
Case No. 2:04-CR-0078, 28 October 2004, p. 2 (Shadowcrew).
23 
United States, Northern District of Ohio, United States of America v. Bogdan Nicolescu, Tiberiu Danet and Radu Miclaus
(Bayrob Group), Case No. 1:16-CR-00224, Indictment, (8 July 2016).

14
 chapter III.  Cyber organized criminal groups

and law enforcement agencies.24 These groups also take measures to evade law enforcement detection that
accord with the type of services they provide. In fact, forums with child sexual abuse material and special-
ized forums for cybercriminals only commonly have greater security measures than those sites that offer
controlled drugs and other illegal goods. For instance, Dreamboard, an illicit site where child sexual abuse
material was exchanged, took significant measures aimed at preventing infiltration by law enforcement
agencies by requiring all its members to be vetted and to continuously contribute child sexual abuse mate-
rial to the platform.25 In addition, the administrator of Card Planet (a “carding” forum where credit card data
that were stolen predominantly through computer intrusions were made available for a fee) had also created
a site called Cybercrime Forum for elite cybercriminals.26 Any person interested in using this site had to first
become a member, and to do that the person had to be vetted by three existing members and had to pay a
fee (usually 5,000 United States dollars as a form of insurance). The existing members of the site would
then vote on whether the prospective member should be granted access to the site.27 The Cybercrime Forum
also took other security measures to avoid detection by law enforcement agencies. For example, arrested
members were banned from the site to prevent law enforcement agencies from using them and/or their
details to access the site.28
Typologies have been created on criminal groups that engage in cybercrime based on the structures of these
groups and their degree of involvement in offline and/or online activities.29 Cyber organized criminal groups
can be broken down into three types:30 groups that predominantly operate online and commit cybercrime;
groups that operate both offline and online and engage in both offline crime and cybercrime; and groups that
predominantly operate offline and engage in cybercrime to expand and facilitate their offline activities.
Each of these is explored in the subsections that follow.

1. Groups that predominantly operate online

There are two types of groups that predominantly operate online and commit cybercrime: swarms and hubs.

(a) Swarms
A swarm can be described as the coalescence, for a limited period of time, of individuals to engage in specific
tasks in order to commit a cybercrime.31 Once they complete their assigned task or objectives and/or succeed
in committing the cybercrime as a collective, some, most or all of the individuals may go their separate ways
and the temporary group that has been formed may disband.32 This disbanding does not preclude any of the
individuals from becoming part of another swarm to engage in a similar or different cybercrime in the future,
with some or all of the same individuals or with other individuals.
Swarms are characterized as decentralized networks, typically (though not exclusively) made up of “ephem-
eral clusters of individuals” with a common purpose and minimal chains of command.33 A common purpose
of a swarm is to commit a cybercrime for ideological reasons and the individuals who join swarms tend to

24 
Ibid.
25 
United States of America v. John Doe #1, Edward Odewaldt, et al. (Dreamboard).
26 
United States, Eastern District of Virginia, United States of America v. Aleksei Yurievich Burkov (Card Planet), Case No. 1:15-
CR-00245, Superseding Indictment, February 2016.
27 
Ibid., pp. 13–14.
28 
United States of America v. Aleksei Yurievich Burkov (Card Planet).
29 
BAE Systems Detica and John Grieve Centre for Policing and Community Safety, London Metropolitan University, Organised
Crime in the Digital Age (2012) UNODC, Comprehensive Study on Cybercrime, draft; and Broadhurst and others, “Organizations
and cybercrime”.
30 
Ibid.
31 
See also UNODC Teaching Modules, Cybercrime, Module 13: cyber organized crime, “Criminal groups engaging in cyber
organized crime”. Available at sherloc.unodc.org/cld/en/education/tertiary/cybercrime/module-13/index.html; and Broadhurst
and others, “Organizations and cybercrime”.
32 
In her 2002 article, Susan Brenner discusses the possibility of “swarms” manifesting and operating online (see Susan W.
Brenner, “Organized cybercrime? How cyberspace may affect the structure of criminal relationships”, North Carolina Journal of Law
& Technology, vol. 4, No. 1 (2002), pp. 43–45).
33 
Broadhurst and others, “Organizations and cybercrime”.

15
DIGEST OF CASES

do so for such reasons. An example of the composition of a swarm is the “hacktivist” group Anonymous.34
While Anonymous does not have a declared leader, the group has some degree of leadership, at least in the
sense that there are members of the group who take the initiative in organizing, planning and ultimately
making decisions on committing cybercrimes.35 In 2014, United States of America v. Gottesfeld,36 a
self-identified member of Anonymous conducted a distributed denial-of-service attack37 against the com-
puter network of a children’s hospital, purportedly in response to the hospital’s handling of a former patient.
He was charged with and convicted for conspiracy to damage and for damaging protected computers, was
sentenced to 121 months’ imprisonment and was required to pay restitution (an estimated US$ 443,000).38
Nevertheless, in most jurisdictions, swarms are not regarded as organized criminal groups if they do not
engage in cybercrime for a material benefit.

(b) Hubs
A hub is a group that has a core group of criminals who are surrounded by peripheral criminal associates.39
A hub is more structured than a swarm; it has a command structure that can be identified. Typically, the
activities of hubs are profit-driven. Some of the criminal activities corresponding to this organizational
structure are phishing, sexual offending and malware operations (worms, viruses, scareware, etc.).40
An example of a hub is Dreamboard, a criminal enterprise consisting of an online bulletin board that adver-
tised and distributed child sexual abuse material only to its members. In order to join Dreamboard, prospec-
tive members had to provide child sexual abuse material. In order to remain a member of Dreamboard,
members had to continuously provide child sexual abuse material or their access to the bulletin board would
be revoked. A member’s access was revoked if the member went 50 days without posting child sexual abuse
material.41 Dreamboard members had to follow rules, which were available in four languages (English,
Japanese, Russian and Spanish). One of the rules was that images on the site must be of girls 12 years old
or younger.42 The administrator of Dreamboard placed its members in separate groups. Members of the
SuperVIP group were trusted members of the site who produced and advertised their own child sexual
abuse material. SuperVIP group members had greater access to child sexual abuse material than other mem-
bers.43 VIP group members and other members had more restricted access to child sexual abuse material. To
advance to a higher group level, they needed to produce child sexual abuse material and make it available
to other members, post more advertisements for child sexual abuse material or post advertisements for child
sexual abuse material that other members did not already have in their possession.44 A few Dreamboard
members were sentenced to life imprisonment for their crimes.45

34 
Members of Anonymous have been charged with committing various cyber-dependent crimes during their hacktivist oper-
ations (see, for example, United States, Northern District of California, United States of America v. Dennis Collins et al., Case
No. 11-CR-00471-DLJ (PSG), 16 March 2012). Members of Anonymous were charged for conducting coordinated distributed deni-
al-of-service attacks against PayPal during Operation Avenge Assange). Thirteen members pleaded guilty to charges of violations
of the Computer Fraud and Abuse Act of 1986. Most of the defendants pleaded guilty to a conspiracy charge as well (United States
Attorney’s Office, Northern District of California, “Thirteen defendants plead guilty for December 2010 cyber-attack against PayPal”,
6 December 2013.
35 
David S. Wall, “Dis-organised crime: towards a distributed model of the organization of cybercrime”, The European Review of
Organised Crime, vol. 2, No. 2 (2015), pp. 71–90.
36 
United States District Court, District of Massachusetts, United States of America v. Martin Gottesfeld, 319 F. Supp. 3d 548,
19 June 2018.
37 
A distributed denial-of-service attack involves the use of multiple computers and other technologies to overwhelm the target’s
resources.
38
Nate Raymond, “Massachusetts man gets 10 years in prison for hospital cyberattack”, Reuters, 10 January 2019. 
39 
Broadhurst and others, “Organizations and cybercrime”.
40 
Ibid.; see also UNODC Educational Modules, Cybercrime, Module 13: cyber organized crime, “Criminal groups engaging in
cyber organized crime”.
41 
United States of America v. John Doe #1, Edward Odewaldt, et al. (Dreamboard).
42 
Ibid.
43 
Ibid., p. 6.
44 
Ibid.
45 
United States, Department of Justice, Office of Public Affairs, “Third Dreamboard member sentenced to life in prison for par-
ticipating in international criminal network organized to sexually exploit children”, 6 September 2012.

16
 chapter III.  Cyber organized criminal groups

2. Groups that operate offline and online

The groups that operate offline and online and engage in crimes and cybercrimes are known as hybrids.46
This group includes two subcategories: clustered hybrids and extended hybrids.

(a) Clustered hybrids

A clustered hybrid refers to a group that engages in certain activities and/or uses specific methods to commit
a cybercrime. The clustered hybrid has a structure similar to that of the hub. What differentiates them is the
clustered hybrid’s movement between offline and online activities and its ability to execute its operations
both online and offline. These groups are often focused on specific crimes and cybercrimes, use certain
tactics, have an identifiable method of operation and/or operate within a specific location.47 Like hubs, these
groups are predominantly profit-driven. A typical example of a clustered hybrid group is one that engages
in automatic teller machine (ATM) skimming48 and then uses the data to make online purchases or sells the
data in online carding forums.49
Clustered hybrid groups have engaged in other forms of fraud. For instance, an organized criminal group
based in the United Kingdom perpetrated an international Internet fraud targeting individuals in the
United States of America who advertised rental properties.50 Specifically, the members of the clustered
hybrid group, using fraudulent identities, pretended to be interested renters, contacting the individuals
advertising the property and offering them money (i.e., a deposit and rent). If the targeted individuals
responded, the perpetrators would send money – in the form of a forged cashier’s cheque – in excess of
what was being asked. The perpetrators would then contact the individuals and claim that the excess
money had been sent accidentally and request that the excess money be sent back to them via a well-
known money transfer service. In some instances, the perpetrators convinced the individuals to send by
money order the entire amount of the cheque. In other instances, the individuals, realizing that this was
a scam, did not send any money.

(b) Extended hybrids

An extended hybrid is more sophisticated and less centralized and has a less obvious core than a clustered
hybrid. Extended hybrids are made up of associates and subgroups that commit various criminal activities.
They are not as well defined as clustered hybrids and their composition is more complex. Darknet market
communities (such as Silk Road, Silk Road 2.0 and Dream Market), which have administrators and
moderators (who oversee and run the sites), vendors (who sell illegal goods and services (internationally
controlled drugs, counterfeit documents and money, hacking tools and services, etc.)), buyers (who pur-
chase illicit goods and services) and suppliers (who provide the goods to the vendors), are loosely interre-
lated and could be classified as extended hybrids.51 This would depend on the nature of the darknet
community, the complexity of its operations and structure, and the breadth of its illicit activities. Some
darknet communities that focus on one cybercrime and are not as complex in their composition could be
considered clustered hybrids.

46 
Broadhurst and others, “Organizations and cybercrime”; and BAE Systems Detica and John Grieve Centre for Policing and
Community Safety, London Metropolitan University, Organised Crime in the Digital Age (2012); UNODC, Comprehensive Study on
Cybercrime, draft.
47 
See also UNODC Teaching Modules, Cybercrime, Module 13: cyber organized crime, “Criminal groups engaging in cyber
organized crime”. Available at sherloc.unodc.org/cld/en/education/tertiary/cybercrime/module-13/index.html; and Broadhurst
and others, “Organizations and cybercrime”.
48 
For further information about automated teller machine (ATM) skimming, see chap. V, sect. B.1.
49 
United States, Eastern District of New York, United States of America v. Jael Mejia Collado et al., Case No. 13 CR 259
(KAM), Superseding Indictment, May 2013; United States of America v. Ercan Findikoglu, Case No. 1:13-CR-00440, Indictment,
24 June 2015.
50 
England and Wales Court of Appeal, Regina v. Sunday Asekomhe [2010] EWCA Crim 740, p. 1.
51 
See, for example, United States of America v. Gary Davis, Case No. 1:13-CR-950-2; United States of America v. Ross William
Ulbricht, Case No. 15-1815; United States of America v. Brian Richard Farrell, Case No. 2:15-CR-29-RAJ; United States of America
v. Gal Vallerius (Dream Market).

17
DIGEST OF CASES

3. Groups that predominantly operate offline

Some organized criminal groups predominantly operate offline and only use ICT to expand or support illicit
offline activities and operations. These groups are hierarchical, are typically comprised of traditional organ-
ized criminal groups and have sought to expand certain illicit activities online, such as gambling, extortion,
prostitution and trafficking in persons.52 In United States of America v. Locascio et al., members and asso-
ciates of the “Gambino Family of La Cosa Nostra” carried out an Internet scheme involving adult entertain-
ment websites with the intention of defrauding visitors to those sites. (Free tours advertised on the site were
used to lure visitors to ultimately enter their credit card details under the guise that this was needed to verify
their age. The credit card details were then used to make fraudulent transactions.)53 In Italy, associates of
the Camorra and ‘Ndrangheta ran an Internet gambling ring (Dollaro Poker).54

B. Roles within a cyber organized criminal group

Cyber organized criminal groups operate as legitimate enterprises with employees hired in various roles,
such as technical and other support personnel, marketing personnel and “employees” in charge of the
receipt and distribution of payments to other members; in addition, they have rules and codes of conduct
that govern members’ behaviour.55 When a specialized skill or ability is needed, these groups hire others to
complete the tasks.56
The roles within a cyber organized criminal group vary depending on the cybercrime committed and any
offline activities that are involved in the execution of the tasks associated with the illicit acts and/or the
achievement of the group’s objectives. Perpetrators of interpersonal cybercrimes, such as online child
sexual abuse and exploitation, have roles that differ from the roles of groups that predominantly engage in
cyber-dependent crimes. Cyber organized criminal groups that mainly commit interpersonal cybercrime
assign certain roles to members, such as identifying, recruiting and ultimately enticing a minor to engage in
a sex act57 or identifying, creating, obtaining and sharing child sexual abuse and exploitation material.58 In
contrast, cyber organized criminal groups that conduct cyber-dependent crimes would have certain roles
relating to the tools and technology needed to conduct cybercrimes, such as:59
(a) Coders. Individuals responsible for developing malware, exploits (programs, or pieces of code,
designed to find and take advantage of security flaws or vulnerabilities in an application or computer
system) and other tools used to commit cybercrime (e.g., they can build custom exploits for a fee);
(b) Hackers. Individuals responsible for exploiting vulnerabilities in systems, networks and
applications;

52 
BAE Systems Detica and John Grieve Centre for Policing and Community Safety, London Metropolitan University, “Organised
crime in the digital age” (2012); UNODC, Comprehensive Study on Cybercrime, draft; Broadhurst and others, “Organizations and
cybercrime”; see also UNODC Teaching Modules, Cybercrime Module 13: cyber organized crime, “Criminal groups engaging in
cyber organized crime”. Available at sherloc.unodc.org/cld/en/education/tertiary/cybercrime/module-13/index.html.
53 
United States District Court, Eastern District of New York, United States of America v. Salvatore Locascio et al., 357F.
Supp. 2d 536, 28 September 2004.
54 
Italy, Cass., 31 Marzo 2017, No. 43305.
55 
Europol, Internet Organised Crime Threat Assessment 2020 (The Hague, 2020), p. 31; United States of America v. Bogdan
Nicolescu, Tiberiu Danet and Radu Miclaus (Bayrob Group); Hungary, Prosecution v. Baksa Timea and others (SHERLOC Case
No. HUNx003).
56 
Ibid.
57 
See, for example, Canada, Provincial Court of Saskatchewan, R v. Chicoine, 2017 SKPC 87, 14 November 2017; United States
District Court, Eastern District of Michigan, United States of America v. Caleb Young, Case No. 18-20128, Sentencing Memorandum,
11 May 2018; Costa Rica, Tribunal Penal del Tercer Circuito Judicial de San José, Causa penal número 15-001824-0057-PE & Causa
Penal número 19-000031-0532-PE (Operación R-INO).
58 
See, for example, Argentina, Tribunal Oral Federal de Jujuy, Causa FSA 8398/2014/TO1; United States of America v. John Doe
#1, Edward Odewaldt, et al. (Dreamboard); Germany, Federal Court of Justice, Decision 2 StR 321/19, of 15 January 2020 (BGH,
Beschluss vom 15.01.2020, 2 StR 321/19) (the Giftbox Exchange and Elysium).
59 
Pennsylvania, United States of America v. Alexander Konovolov et al., Case No. 2-19-CR-00104 (GozNym Malware), Indictment
Memorandum, 17 April 2019, p. 3.

18
 chapter III.  Cyber organized criminal groups

(c) Technical support. Individuals who provide technical support for the group’s operations, including
the maintenance of infrastructure and the technologies used;
(d) Hosts. Individuals who host illicit activities either on servers or offline physical locations.
Bulletproof hosting services, for example, offer to host illicit activities on servers that are designed to evade
law enforcement and security detection and enable illicit activities to continue uninterrupted.

These roles are often identified in organized criminal groups that provide crime as a service (i.e., provide
services that facilitate crimes and/or cybercrimes).60 In addition to hacking, malware and hosting, the illicit
services offered include the provision of exploit toolkits or information about system vulnerabilities and
ways to exploit those vulnerabilities, as well as tutorials for various cybercrimes.
Cyber organized criminal groups can have members or associates that serve as specialists. These individu-
als specialize in a specific cybercrime or other crime or in a tactic or method to commit a cybercrime. An
example of a specialist is an individual who develops “crypters”, software tools that encrypt malware so that
it can evade detection by antivirus programs on devices.61 Organized criminal groups can also have mem-
bers or associates who are suppliers and distributors of illicit goods and services.62 In addition, organized
criminal groups may use “cashers”, who convert illicit goods to money, steal money from targets and dis-
tribute it to group members, or otherwise make the proceeds from the group’s illicit activities available to
group members.63 The “cashers”, who are also known as “runners” or “strikers”, may be used to withdraw
or transfer money online or at a physical establishment, such as a bank.64 Furthermore, these groups may
use “money mules”, who obtain and transfer money illegally upon request and payment,65 to launder the
proceeds of their cybercrimes.66
Some of the roles within cyber organized criminal groups are transient and the persons in these roles only
participate in the group until they fulfil their purpose. One example of a person in a temporary role is a
specialist67 who can be hired by the organized criminal group to create malware for later distribution by the
group. Moreover, all members of the group are not valued equally and/or considered important. Even in
certain online illicit forums, members of the forum were ranked; in some cases, VIP status was granted to
elite members of the group.68 Furthermore, some members of the group may be considered expendable. For
instance, “money mules” who are solicited online and asked to open bank accounts (or use their own
accounts) and receive money from others (or asked to mail or physically move packages by receiving them
and forwarding, sending or taking the packages to their destination) are often considered by the group to be
expendable (especially if they unwittingly participate in this activity).

60 
Maras, Cybercriminology.
61 
United States of America v. Alexander Konovolov et al. (GozNym malware), p. 3.
62 
Ibid.
63 
Ibid.
64 
Canada, Ontario Court of Justice, R. v. Kalonji, 2019 ONCJ 341, 17 May 2017, para. 7.
65 
Maras, Cybercriminology, p. 337.
66 
See, for example, United States of America v. Alexander Konovolov et al. (GozNym malware) and United States v. Aleksei
Yurievich Burkov (Card Planet).
67 
Specialists can also be permanent members of the group.
68 
See, for example, United States District Court, District of Nevada, United States v. Svyatoslav Bondarenko et al., Case
No. 2:17-CR-306-JCIVI-PAL (Infraud), Second Superseding Criminal Indictment, 30 January 2018; United States of America v. John
Doe #1, Edward Odewaldt, et al. (Dreamboard).

19
DIGEST OF CASES

Tribunal de grande instance de Paris, 13e chambre correctionnelle,

20 novembre 2018 (France)
The Federal Bureau of Investigation (FBI) of the United States conducted an operation known as
“Operation Card Shop”, whereby it established an undercover carding forum (Carder Profit) that
was used to identify cybercriminals exchanging illicit goods and services relating to “carding” (the
use, sale, sharing or otherwise distribution of stolen credit card or debit card data in order to
commit cybercrime and other forms of crime).

As a result of the operation, a number of persons were arrested and taken to court in France.
Information on that case is provided below.

From 2010 to 2014, the defendant (Z.) ran a criminal enterprise that engaged in online fraud. To this
end, Z. used stolen credit card data found on carding forums by himself, P. (the “technical advisor”
of the group) and N. (a member of the group in charge of finding credit card data), as well as credit
card data stolen by L. from his former employer. The defendants (P. and Z.) would then hack into
customer accounts on commercial websites and modify the contact information so that the actual
customers would not receive any notifications of purchases and/or deliveries. Z. and N. would buy
goods on commercial websites and send them to shipping points. Z. and X. forged fake identification
to be used by “mules” to receive the packages at the shipping points. Several persons (Y., M., O., Q.,
V., T. and R.) were used as “mules”. They would each receive the packages, keeping some packages
as payment and sending others to Z. so he could sell them on retailer websites. Several people
involved in this criminal organization later started using the same techniques to buy goods for
themselves. Z. and V. were also found to be in possession of ATM skimmers that they intended to
use to obtain more credit card data. The group managed to place about 2,000 orders on online com-
mercial websites for an amount estimated to be €40,000–€60,000.

One of the 15 defendants was acquitted and the other 14 were convicted of several offences,
depending on their degree of involvement in the fraud. The convictions ranged from complicity to
commit fraud as part of an organized criminal group to participation in an organized criminal group,
illegal access to a data system and illegal acquisition of computer data as part of an organized
criminal group. For those convicted for their participation in an organized criminal group, the
French court highlighted the difference between the notions of “bande organisée” and of “associa-
tion de malfaiteurs” in French law. According to French law, “bande organisée” is used as an aggra-
vating circumstance to an already existing offence, whereas an “association de malfaiteurs” is a
separate criminal offence as such. The acts of defendants cannot be prosecuted as both “bande
organisée” and “association de malfaiteurs” if the acts are inextricably linked together. The court
held that it could not convict the defendants for both “bande organisée” and “association de mal-
faiteurs” as it related to the cyber organized crime they had committed. Ultimately, only Z. and V.,
who had taken part in the ATM skimming scheme, were convicted for participating in an “associa-
tion de malfaiteurs”.

The defendants were given sentences of imprisonment ranging from six months to two years.
For all but four of the defendants in this case (Z., V., P. and N.), the sentences were suspended.
Z. and V. were sentenced to 2 years and to 15 months of imprisonment, respectively, and
were required to pay €3,000 and €2,000, respectively, in fines to the state and €10,200 in compen-
sation to the victims. P. and N. were sentenced to 15 months and to 18 months of imprisonment,
respectively, and were required to pay fines of €2,000 to the state and €10,200 in compensation
to the victims.

For more information about this case, see UNODC, SHERLOC case law database, Case No. FRAx030.a

a
Available at https://sherloc.unodc.org/.

20
 chapter III.  Cyber organized criminal groups

C. Geographical organization
The perpetrators of cyber organized crime may be part of a group in which the offenders may or may not be
in geographical proximity. The cases included in the digest represent a variety of regions. Research has
shown that geographical proximity between perpetrators has played some role in the formation and expan-
sion of cyber organized criminal groups.69 For example, in HKSAR v Chan Pau Chi,70 15 defendants in
Hong Kong, China, were charged with and convicted for a range of offences, including money-laundering
and conspiracy relating to the illegal facilitation of prostitution online via websites (i.e., through the adver-
tisement and promotion of services). Nevertheless, other cyber organized criminal groups form and thrive
even when there is little or no geographical proximity between their members.71 There have been a number
of cases indicating that the members of a darknet site (administrators, moderators, vendors, buyers and
suppliers) can be from anywhere in the world.72

Police v. Zhong [2017] WSDC 7 (Samoa)

The case Police v. Zhong involved automatic teller machine (ATM) skimming in Samoa undertaken by
three nationals of China, two of them being defendants in the case, causing 47,350 tala in damage. On
24 August 2016, an employee reported suspicious activity involving the use of ATMs. Over 30 cards had
been used and captured by ATMs at various bank locations. The cards had never been seen before,
and their appearance was different from that of normal ATM cards. In addition, when the bank employ-
ees examined the trial balance report for the Matautu ATM for the previous day, they noticed a number
of complete and incomplete transactions corresponding to the suspicious cards. One of the employ-
ees was instructed to check the ATM cameras and obtain video footage of the suspicious transactions.
After viewing the footage, the employees contacted the police.

The police officers subsequently went to a location in Matautu, Samoa, that included a restaurant, a
shop and accommodations, where the two defendants could be identified. The police called for backup,
searched the living quarters of the defendants and found and seized, inter alia, over 100 suspicious ATM
cards and three ATM skimming devices. The defendants were arrested. In some of the video footage
produced in evidence, a third national of China could be seen participating in the offences. That man had
already left the country at the time of the defendants’ arrest and was not a party to the proceedings.

The two male defendants (Z.S. and Y.Q.) were charged with several offences involving theft; inten-
tionally accessing an electronic system without authorization; dishonestly accessing an electronic
system and thereby obtaining a benefit; and intentionally possessing a card skimming device for the
purpose of committing an offence. While some of the theft charges were subsequently dismissed
or reduced, on 7 July 2017, the defendants were each sentenced to five years’ imprisonment for
theft or stealing,a accessing an electronic system without authorization,b accessing an electronic
system for dishonest purpose,c and possession of illegal devices.d

For more information about this case, see UNODC, SHERLOC case law database, Case No. WSMx001.e

a
Samoa, Crimes Act of 2013, paras. 161 and 165 (b).
b
Ibid., para. 206.
c
Ibid., paras. 33 and 207.
d
Ibid., paras. 33 and 213 (a).
e
Available at https://sherloc.unodc.org/.

69 
Broadhurst and others, “Organizations and cybercrime”; Eric Rutger Leukfeldt, Anita Lavorgna and Edward R. Kleemans,
“Organised cybercrime or cybercrime that is organized? An assessment of the conceptualization of financial cybercrime as organised
crime”, European Journal in Criminal Policy and Research, vol. 23, No. 3 (September 2017), pp. 292–293.
70 
Hong Kong, China, HKSAR v. Chan Pau Chi [2019] HKEC 1549.
71 
See, for example, United States of America v. Alexander Konovolov et al. (GozNym malware).
72 
See, for example, United States of America v. Gary Davis, Case No. 1:13-CR-950-2; United States of America v. Ross William
Ulbricht, Case No. 15-1815; United States of America v. Brian Richard Farrell, Case No. 2:15-CR-29-RAJ; United States of America
v. Gal Vallerius (Dream Market).

21
DIGEST OF CASES

D. Gender and cyber organized crime

The demographic characteristics of offenders and victims vary, depending on the type of cybercrime. In the
cases included in this digest, the offenders were predominantly male. The members of organized criminal
groups were either all male or predominately male, with a few exceptions (in some cases, men and women
were more equally represented; in others, however, there were more women than men).73 The roles of
offenders in organized criminal groups vary by gender. Male offenders were predominantly in leadership
roles, whereas women primarily served in other roles, such as recruiters, coders, specialists and organiz-
ers.74 There are exceptions to this (see the box below). While the gender of victims was not identified in
many of the cases included in the digest, there were exceptions in cases involving trafficking in persons and
child sexual abuse and exploitation.75
The findings in this section are based solely on the cases included in the digest and are thus not
generalizable.

United States of America v. Melissa Scanlan, Case No. 18-CR-30141-NJR-1 &

Case No. 19-CR-30154-NJR-1 (S.D. Illinois, 20 October 2019) (The Drug Llama)
(United States of America)
M.S. (a female) and another conspirator B.A. (a male) used the computer moniker “The Drug Llama”
on a vendor account on Dream Market (a darknet site) to sell counterfeit tablets containing fentanyl
and acetyl fentanyl.a M.S. was responsible for sourcing the drugs that would be sold using the
vendor account, while B.A. was responsible for receiving and fulfilling darknet drug orders, as well
as the management of the account.b M.S. and B.A. received fentanyl and other drugs from Mexico,
predominantly from F.R. and another (unnamed) member of the Mexican cartel. After M.S. and B.A.
sold the drugs, they kept a portion of the criminal proceeds and gave the rest to couriers (usually
N.D. and A.K., both females). The couriers would transport the proceeds across the border between
Mexico and the United States and deliver them to F.R. and another member of a Mexican cartel.c
It has been estimated that 52,000 counterfeit tablets containing fentanyl and acetyl fentanyl tablets
were sold in a single year.d

M.S. was charged with and convicted of conspiracy to distribute fentanyl;e distribution of fentanyl;f
sale of counterfeit drugs;g misbranding of drugs;h international money-laundering conspiracy;i and
distribution of fentanyl resulting in death.j She pleaded guilty and was sentenced to 13 years and
4 months of imprisonment.k B.A. was charged with and convicted of conspiracy to distribute fenta-
nyl;l distribution of fentanyl;m sale of counterfeit drugs;n and misbranding of drugs.o He pleaded
guilty and was sentenced to 9 years’ imprisonment.p

73 
See, for example, France, Tribunal de grande instance de Paris, 13e chambre correctionnelle, 20 novembre 2018; United States,
Southern District of Illinois, United States of America v. Melissa Scanlan, Case No. 18-CR-30141-NJR-1 and Case No. 19-CR-30154-
NJR-1, Stipulation of facts, 20 October 2019, p. 4; and HKSAR v. Chan Pau Chi [2019] HKEC 1549.
74 
See, for example, United States of America v. Dennis Collins et al., Case No. 11-CR-00471-DLJ (PSG); United States, Eastern
District of Virginia, United States of America v. Daniel Palacios Rodríguez, Alexandra Guzmán-Beato, Elvis Pichardo Hernández,
José David Reyes-González, Juan Rufino Martínez-Domínguez, and Fátima Ventura Pérez, Case No. 1:19-MJ-286, Affidavit in support
of criminal complaint and arrest warrant, 24 June 2019.
75 
See, for example, Canada, R v. Philip Michael Chicoine; Canada, Nova Scotia Court of Appeal, R v. Pitts, 2016 NSCA 78; and
United States of America v. Caleb Young; and Germany, Federal Court of Justice, Decision 2 StR 321/19, of 15 January 2020 (BGH,
Beschluss vom 15.01.2020, 2 StR 321/19).

22
 chapter III.  Cyber organized criminal groups

For more information on this case, see UNODC, SHERLOC case law database, Case No. USAx187.q

a
United States of America v. Melissa Scanlan, p. 4.
b
United States of America v. Brandon Arias, Case No. 18-CR-30141-NJR-2, Stipulation of Facts (S.D. Illinois, 16 July 2019),
pp. 4–5.
c
United States of America v. Melissa Scanlan, p. 5.
d
Ibid., p. 4.
e
United States Code, Title 21, sect. 846.
f
Ibid., sect. 841.
g
Ibid., sect. 331 (1) (3).
h
Ibid., sect. 331(A).
i
United States Code, Title 18, sect. 1956 (H).
j
United States Code, Title 21, sect. 846; United States, Southern District of Illinois, United States of America v. Melissa
Scanlan, Plea Agreement, Case No. 18-CR-30141-NJR-1 and Case No. 19-Cr-30154-NJR-1, 30 October 2019, pp. 1–2.
k
United States Attorney’s Office, Southern District of Illinois, “Dark web fentanyl trafficker known as ‘The Drug Llama’
sentenced to 13 years in federal prison”, press release, 12 February 2020.
l
United States Code, Title 21, sect. 846.
m
Ibid., sect. 841.
n
Ibid., sect. 331 (1) (3).
o
Ibid., sect. 331 (A).
p
United States Attorney’s Office, Southern District of Illinois, “Brandon Aria, a/k/a ‘the Drug Llama’, sentenced to 9 years
for distributing fentanyl on the dark web”, 12 November 2019.
q
Available at https://sherloc.unodc.org/.

23
 CHAPTER IV.
TOOLS USED BY PERPETRATORS
OF CYBER ORGANIZED CRIME
DIGEST OF CASES

IV. TOOLS USED BY PERPETRATORS OF CYBER

ORGANIZED CRIME
Perpetrators of cyber organized crime leverage ICT to commit a variety of cyber-dependent and cyber-
enabled crimes on the clearnet and the darknet. The clearnet refers to the visible (or surface) web and
includes websites that are indexed using traditional search engines (Google, Bing, etc.). The deep web is
composed of sites that are not indexed by traditional search engines and thus are not easily accessible by the
general public. The sites located on the deep web can include intranet sites and password-protected sites, as
well as sites that require specialized software to access them, such as the Onion Router (Tor), Freenet or the
Invisible Internet Project (I2P). The sites that are part of an overlay network that can only be accessed using
specialized software are known as darknet sites.

LG Duisburg, Urteil vom 05.04.2017, 33 KLs - 111 Js 32/16 - 8/16 (Germany)

This case concerns the proceedings of six defendants involved in trafficking illegal goods online.
Two so-called underground economy forums, “d.cc” and “g.me” (the latter replaced another forum
of the founder and administrator N2, who was separately prosecuted), were established for the
purpose of selling and/or purchasing illegal goods and exchanging information that could subse-
quently be used for committing criminal offences. The illegal goods and data available for sale on
the forum mainly included drugs, false documents, counterfeit money and stolen personal data.
The forums were accessible by conventional browsers via the clearnet and could be found using
popular search engines. In addition, the forums were accessible by a number of special browsers,
such as the Tor browser, via the darknet.

In order to register for the forums, users had to provide an email address and username for use on
the platform and then contact N2 to activate the accounts. In addition to hosting advertisements for
illicit goods, both forums provided a platform to exchange information with other users on topics
such as anonymizing and ways to protect against law enforcement detection and the dissemination
of malware. Because of mistrust between the anonymous users, some of the transactions in the
forums were concluded via escrow service for a fee.

H., G. and X. had leadership roles on the underground economy forums. Defendant H. was respon-
sible for the technical aspects of the forums, such as maintaining servers and the security of the
forums. He held the positions of administrator, moderator and trustee, who received fees paid by
users of the escrow service. Defendant G. held the position of moderator and was responsible for
checking the compliance of user postings with forum rules and sanctioning users where necessary.
He also acted as a trustee for three transactions, sold official documents in one case and acquired
counterfeit money twice. Defendant X. held the position of “supermoderator” and mainly provided
technical support (e.g. the establishment and maintenance of the technical infrastructure of one of
the forums). He also created a “scene guide” that provided users with tips on committing criminal
offences, as well as information on how to avoid identification by law enforcement officers. The
defendant was also involved in the establishment and maintenance of the technical infrastructure
of one of the forums (“g.me”). The defendants did not know each other in person but were in close
contact for organizational purposes and communicated through areas of the forums that were
accessible only to members in leadership positions and through various other encrypted messen-
ger services.

The defendants were charged with and convicted of computer fraud (H.), attempted computer fraud
(H.), illegally acquiring narcotic drugs (X.), aiding and abetting illicit trading in narcotic drugs in
quantities which are not small (G., H. and X.), aiding and abetting illicit trading in narcotic drugs
(G., H. and X.), aiding and abetting counterfeiting of money (G., H. and X.), aiding and abetting pro-

26
 chapter IV.  Tools used by perpetrators of cyber organized crime

curement of false official identity documents (G., H. and X.) and counterfeiting of money (G.).
The court sentenced H. to 21 months’ imprisonment, G. to 12 months’ imprisonment and X. to
14 months’ imprisonment. The creator of the underground economy forums and several other per-
sons were also charged with and, in separate trials, convicted of crimes relating to the forums.

For more information on this case, see UNODC, SHERLOC case law database, Case No. DEUx025.a

a
Available at https://sherloc.unodc.org/.

Criminals exploit legitimate commercial services to further their illicit ends online.76 Case law has revealed
that perpetrators of cyber organized crime have searched for targets on dating sites, social media platforms
and live broadcasting services on the clearnet.77 Social media platforms have also been used by organized
criminal groups to communicate with members, advertise illicit goods and services, exchange illicit goods
(e.g. stolen and counterfeit identity documents) and facilitate or carry out illicit activities.78 Moreover, illicit
goods and services have also been advertised on licit online marketplaces and online classified advertise-
ment sites.79

United States of America v. Carl Allen Ferrer, Case No. 18 CR. 464
(D. Arizona, 5 April 2018) (Backpage) (United States of America)
Backpage was a classified advertisement website that included a section for advertisements for
sexual services. Among the sexual services advertised on Backpage were sexual services by traf-
ficked women and children. Charges had been unsuccessfully brought against Backpage for its
facilitation of trafficking in persons and prostitution.a A report published by the Permanent
Subcommittee on Investigations, the chief investigative subcommittee of the United States Senate
Committee on Homeland Security and Governmental Affairs, revealed that Backpage had know-
ingly sanitized advertisements published on its site in order to conceal crimes.b Specifically, the
report revealed that Backpage had knowingly facilitated trafficking in persons by editing advertise-
ments that openly advertised human beings for sexual services and posting them online instead of
denying them access to the platform.c

In April 2018, Backpage was seized by law enforcement authorities in the United States. Founders,
higher-level executives and managers of Backpage were charged with offences that included con-
spiracy to facilitate prostitution and conspiracy to commit money-laundering.d The chief executive
officer and one of the founders of Backpage, C.F., pleaded guilty to conspiracy to commit offence
or to defraud the United States, in violation of Title 18 of the United States Code (sect. 371).e In his
plea agreement, he acknowledged that the majority of revenue for the site had come from illegal
advertisements and that Backpage had used bank accounts for shell companies and cryptocur-
rency processing companies (i.e., CoinBase, Crypto Capital, GoCoin, Kraken and Paxful) to conceal
the source of its revenue.f He also acknowledged in his plea deal that he had conspired to sanitize
advertisements by removing words and photographs that were indicative of prostitution.g

76 
Europol, Internet Organised Crime Threat Assessment 2020, p. 17.
77 
United States Court of Appeals for the Fifth Circuit, United States of America v. Oladimeji Seun Ayelotan, Femi Alexander
Mewase and Rasaq Aderoju Raheem, Case No. 17-60397 (5th Circuit, 4 March 2019. The defendants created fake profiles on dating
sites to identify targets and lure them into a fake relationship (United States of America v. Caleb Young (Bored Group)).
78 
See, for example, United States District Court, Eastern District of Virginia, United States v. Ramiro Ramirez-Barreti et al.,
Criminal Case No. 4:19-CR-47, Second Superseding Indictment, 14 August 2019, p. 12; United States District Court, Western District
of North Carolina, United States v. Anthony Blane Byrnes, Case No. 3:20-CR-192.
79 
See, for example, United States of America v. Daniel Palacios Rodríguez, Alexandra Guzmán-Beato, Elvis Pichardo Hernández,
José David Reyes-González, Juan Rufino Martínez-Domínguez, and Fátima Ventura Pérez.

27
DIGEST OF CASES

United States of America v. Carl Allen Ferrer, Case No. 18 CR. 464
(D. Arizona, 5 April 2018) (Backpage) (United States of America) (continued)
As part of the plea deal, C.F. is required to forfeit the company’s assets and property, take all the
steps in his power to permanently shut down Backpage and testify that Backpage engaged in mon-
ey-laundering and facilitated prostitution. He has not yet been sentenced. A “sales and marketing
director” of Backpage, D.H., also pleaded guilty to conspiracy to facilitate prostitution in a scheme
designed to provide free advertisements to sex workers in order to draw them away from Backpage’s
competitors. The trials of another six persons affiliated with Backpage (M.L, J.L., S.S., J.B., A.P. and
J.V), which include the other two founders of Backpage (M.L and J.L.), were postponed until 2021.

The Backpage case held an Internet intermediary liable for its role in the facilitation of serious
crimes. Article 10 of the Organized Crime Convention requires States parties to the Convention to
establish the liability of legal persons for participation in serious crimes involving an organized
group.h Where Internet intermediaries with legal personhood are themselves involved in the com-
mission of serious crimes involving an organized criminal group, article 10 requires that States
parties have in place legislation under which the intermediaries can be found liable. Furthermore,
States parties must ensure that legal persons held liable in accordance with article 10 are subject
to effective, proportionate and dissuasive sanctions.i

Unlike the aforementioned case of Backpage, in the vast majority of cases, online intermediaries
are not themselves involved in the commission of serious crimes, but rather their services are
abused by criminals to carry out offences. In such circumstances, cooperation between online
intermediaries and law enforcement authorities is critical. The Organized Crime Convention envi-
sions a degree of cooperation between the law enforcement agencies and prosecutors and the
private sector in the prevention of organized crime.j The Conference of the Parties to the United
Nations Convention against Transnational Organized Crime has encouraged the private sector to
strengthen its cooperation and work with States parties to the Convention and the Protocols thereto
in order to achieve the full implementation of those instruments.k

For more information on this case, see UNODC, SHERLOC case law database, Case No. USAx169.l

a
United States District Court, District Court of Massachusetts, Doe v. Backpage.com LLC, 104 F. Supp. 3d 149, 15 May 2015;
United States, Superior Court of the State of California, The People of California v. Carl Allen Ferrer, Michael Lacey and James
Larkin, Case No. 16FE024013, 23 December 2016; Marie-Helen Maras, “Online classified advertisement sites: pimps and
facilitators of prostitution and sex trafficking?”, Journal of Internet Law, vol. 21, No. 5 (November 2017), pp. 17–21.
b
United States Senate, Permanent Subcommittee on Investigations, Backpage.com’s Knowing Facilitation of Online Sex
Trafficking (Washington, D.C., Committee on Homeland Security and Governmental Affairs, 2017).
c
See also UNODC Teaching Modules, Trafficking in persons and smuggling of migrants, Module 14: links between
cybercrime, trafficking in persons and smuggling of migrants, “Technology facilitating trafficking in persons”. Available at
sherloc.unodc.org/cld/en/education/tertiary/tip-and-som/module-14/index.html.
d
United States District Court, District of Arizona, United States of America v. Michael Lacey, James Larkin, Scott Spear, John
“Jed” Brunst, Dan Hyer, Andrew Padilla and Joye Vaught, Case No. 18 CR. 422, Indictment, 28 May 2018.
e
United States District Court, District of Arizona, United States of America v. Carl Allen Ferrer, Case No. 18 CR. 464, Plea
Agreement, 5 April 2018, p. 2.
f
Ibid., pp. 13–14.
g
Ibid., p. 13.
h
United Nations Convention against Transnational Organized Crime, art. 10, para. 1.
i
Ibid., art. 10, para. 4.
j
Ibid., art. 31, para. 2 (a).
k
CTOC/COP/2012/15, resolution 6/1.
l
Available at https://sherloc.unodc.org/.

In its report entitled Internet Organised Crime Threat Assessment 2020, the European Union Agency for
Law Enforcement Cooperation (Europol) revealed that perpetrators of cyber organized crime communi-
cated via encrypted means (e.g., Protonmail, Tutanota and cock.li).80 Case law has revealed that unen-
crypted and encrypted messaging applications were used not only for communications between perpetrators

Europol, Internet Organised Crime Threat Assessment 2020, p. 27.

80 

28
 chapter IV.  Tools used by perpetrators of cyber organized crime

of cyber organized crime, but also to identify and target victims and commit cybercrimes.81 In addition to
the use of mainstream communication platforms and devices, instant messaging, messaging platforms on
websites, proprietary communication platforms and tools have been developed and marketed exclusively to
criminals (e.g., Phantom Secure (see the box below)).82

United States of America v. Vincent Ramos et al., Case No. 18-CR-01404-WQH

(S.D. California, 2 October 2018) (Phantom Secure) (United States of America)
Phantom Secure, a company based in Canada, modified existing BlackBerry phones by removing
key features that could be used to track and keep under surveillance users of the devices, such as
the camera, microphone and Global Positioning System (GPS), and operated an encrypted network
that enabled its devices to send and receive encrypted communications.a Traffic was routed through
international proxy servers that were located in countries that the company believed did not coop-
erate with foreign law enforcement agencies.b These measures were taken to prevent law enforce-
ment agencies from accessing the devices and intercepting communications. The devices were not
available to the general public and could be obtained only through a referral from an existing user
of the device and only after the person had been vetted (i.e., a background check was conducted
using open source resources to verify the identity of the person).c To further protect the identities of
those utilizing the devices, the real names and other personally identifying information about users
were not collected.d Moreover, Phantom Secure would wipe devices that had been seized by a law
enforcement agency, destroying evidence that the devices contained by making unreadable the data
stored on them. Phantom Secure also suspended service and deleted the contents of a device if it
was suspected that a law enforcement officer or an informant was using the device as part of a law
enforcement investigation.e Phantom Secure thus obstructed justice by concealing evidence from
law enforcement authorities and destroying it.

The organizational structure of the Phantom Secure criminal enterprise included individuals with
roles as administrators, distributors and agents. Administrators included Phantom Secure’s corpo-
rate executives and staff in the front office who had physical control of the Phantom Secure net-
work, Phantom Secure’s books and records and its corporate operations. Administrators could
initiate new subscriptions, remove accounts and remotely wipe and reset devices. As the chief exec-
utive officer of Phantom Secure, the defendant V.R. was its lead administrator. K.A.R. was also
alleged to have served as an administrator of Phantom Secure. An unnamed individual (only iden-
tified as Individual A in court documents) was said to have held an integral role in the design and
maintenance of the security integrity of Phantom Secure. Distributors coordinated agents and
resellers of Phantom Secure devices and received payments for ongoing subscription fees, which
they transferred, minus a personal commission, back to Phantom Secure. They also provided tech-
nical support and communicated directly with Phantom Secure administrators. Y.N., C.P. and M.G.
were all alleged to have been distributors for Phantom Secure. Agents physically sourced and
engaged with new customers to sell and deliver Phantom Secure devices. They earned a profit on
the sale of the handset and provided first-level technical support to their customers.

81 
See, for example, United States District Court, Eastern District of Virginia, United States v. Ramiro Ramirez-Barreti et al.;
United States District Court, Southern District of California, United States of America v. Cristian Hirales-Morales, Marcos Julian
Romero and Sergio Anthony Santivanez, Case No. 19-CR-4089-DMS, Indictment, 10 October 2019; R v. Philip Michael Chicoine; and
United States of America v. Conor Freeman, Case No. 2:19-CR-20246, Indictment, 18 April 2019 (The Community).
82 
See, for example, United States of America v. Svyatoslav Bondarenko et al., p. 22 (Infraud); United States of America v. Caleb
Young (Bored Group); United States of America v. Beniamin-Filip Ologeanu, Superseding Indictment No. 5:19-CR-10, 6 February
2019, pp. 10–11; United States District Court, Northern District of Ohio, United States of America v. Bogdan Nicolescu, Tiberiu Danet
and Radu Miclaus, p. 6 (Bayrob group); United States District Court, Eastern District of Kentucky, United States of America v. Andre-
Catalin Stoica et al., Criminal Indictment No. 5-18-CR-81-JMH, 5 July 2018, p. 16 (Alexandria Online Fraud Network); United States
of America v. Ramiro Ramirez-Barreti et al.; UNODC, SHERLOC case law database, Case No. DEUx033, LG Leipzig, Urteil vom
14.06.2012, 11 KLs 390 Js 191/11.

29
DIGEST OF CASES

United States of America v. Vincent Ramos et al., Case No. 18-CR-01404-WQH

(S.D. California, 2 October 2018) (Phantom Secure) (United States of America) (continued)

The defendant was charged with racketeering conspiracy to conduct enterprise affairs in violation
of Title 18 of the United States Code (sect. 1962) and conspiracy to aid and abet the distribution of a
controlled substance in contravention of Title 21 of the United States Code (sects. 841 (a), para. (1),
and 846). The defendant was sentenced to nine years’ imprisonment. The defendant was also
ordered to be on supervised release for a term of three years following his release from imprison-
ment. The defendant was further required to forfeit assets and to pay a fine of US$ 100.

This case was significant because it was the first time the United States had prosecuted and con-
victed an executive of a company for knowingly providing transnational criminal organizations with
encrypted infrastructure to conduct the international importation and distribution of narcotic drugs.
This case shows how organized criminal groups are adapting to use improved forms of technology
to communicate and evade detection and apprehension. It also shows the challenges faced by law
enforcement authorities in investigating and prosecuting increasingly sophisticated organized
criminal groups.

For more information on this case, see UNODC, SHERLOC case law database, Case No. USAx154.f
a
United States District Court, Southern District of California, United States of America v. Vincent Ramos, Case No. 18-MJ-0973,
Complaint, 15 March 2018, pp. 5–6.
b
Ibid., p. 6.
c
United States District Court, Southern District of California, United States of America v. Vincent Ramos et al., Case No. 3:18-CR-
01404-WQH, Criminal Indictment, 15 March 2018, p. 3; United States of America v. Vincent Ramos, Complaint, p. 6.
d
United States of America v. Vincent Ramos.
e
United States District Court, Southern District of California, United States of America v. Vincent Ramos, Case No. 18-CR-01404-
WQH, Plea Agreement, 2 October 2018, p. 6.
f
Available at https://sherloc.unodc.org/.

Criminals have utilized wire transfers, cashier’s cheques, money orders, gift cards and prepaid cards, as
well as online payment and money transfer services, to send and receive the proceeds of cybercrime.83 Other
services distribute digital currency84 either through a single centralized authority or peer-to-peer, without
any central oversight. These currencies can be convertible (i.e., they have an equivalent value in fiat cur-
rency or they can be used as a substitute for fiat currency) or non-convertible (i.e., they do not have an
equivalent value in fiat currency, they cannot be substituted for fiat currency and they can be used only in
the domain or domains for which they were created, such as a gaming platform).85 Case law has revealed
that digital currencies, such as Liberty Reserve, were used to conceal crimes and distribute proceeds of
crimes between members and associates.86

83 
For example, the Alexandria Online Fraud Network received victim payments in the form of reloadable prepaid cards, prepaid
debit cards and gift cards of varying types; United States postal money orders; cashier’s cheques; money transfer service wires; and
bank wires and deposits. For other examples of cases involving groups that used some of these payment options, see Tribunal cor-
rectionnel d’Anvers, Antwerpen, 2 mai 2016 (Belgium); United States of America v. Andre-Catalin Stoica et al., p. 4; United States
of America v. Oladimeji Seun Ayelotan, Femi Alexander Mewase and Rasaq Aderoju Raheem, Case No. 17-60397; United States of
America v. Bogdan Nicolescu, Tiberiu Danet and Radu Miclaus, p. 8; United States District Court, District of South Carolina, United
States of America v. Jimmy Dunbar, Jr. and Mitchlene Padgett, Criminal Case No. 2:18-1023, Indictment, 14 November 2018, p. 3;
and United States of America v. Rakeem Spivey and Roselyn Pratt, Case No. 2:18-CR-0018, Indictment, 14 November 2018, p. 3.
84 
Digital currency can be described as a digital representation of either virtual currency (non-fiat) or e-money (fiat) (Financial
Action Task Force, “Virtual currencies key definitions and potential AML/CFT risks” (June 2014), p. 4). Virtual currencies refer to a
digital representation of value that, like traditional coin and paper currency, functions as a medium of exchange (i.e., it can be digitally
traded or transferred and can be used for payment or investment purposes) (United States, Department of Justice, Office of the Deputy
Attorney General, Report of the Attorney General’s Cyber Digital Task Force: Cryptocurrency–Enforcement Framework (Washington,
D.C., 2020), p. 2). The term “e-money” refers to the digital representation of fiat currency used to electronically transfer value denom-
inated in fiat currency (Financial Action Task Force, “Virtual currencies key definitions”, p. 4).
85 
United States, Department of Justice, Office of the Deputy Attorney General, Report of the Attorney General’s Cyber Digital
Task Force: Cryptocurrency, p. 3.
86 
Infraud used Liberty Reserve, bitcoin and other digital currencies to conceal the nature of their proceeds and move the proceeds
among enterprise members and associates (United States of America v. Svyatoslav Bondarenko et al., p. 21); see also United States
District Court, Southern District of New York, United States of America v. Liberty Reserve S.A. et al., Case No. 13-CR-368 (DLC),
23 September 2015 (UNODC, SHERLOC case law database, Case No. USA004R).

30
 chapter IV.  Tools used by perpetrators of cyber organized crime

United States of America v. Liberty Reserve, Case No. 13-CR-368 (DLC)

(S.D. New York, 23 September 2015) (United States of America)
Liberty Reserve, registered in 2006 in Costa Rica, was a centralized digital currency service that
allowed users to convert euros or United States dollars into a digital currency called Liberty Reserve
that was pegged to the value of the fiat currency. Money could not be deposited directly into Liberty
Reserve accounts through wire transfers or credit card payment. Instead, third-party exchangers
were used, which enabled Liberty Reserve to avoid collecting any information about its users
through banking transactions or other activity.a Once money was deposited into the accounts of
third-party exchangers, a corresponding amount of Liberty Reserve currency was then credited to
the user’s Liberty Reserve account. The user could then transfer the Liberty Reserve currency to
other users. Liberty Reserve currency could be converted back into fiat currency by transferring to
the Liberty Reserve account of a third-party exchanger. Liberty Reserve charged a small fee for
each transaction and offered to hide Liberty Reserve account information for a small fee (a “privacy
fee”) when users were transferring funds to other Liberty Reserve users. In addition, when users
registered for a Liberty Reserve account, the only personal information that users had to provide
during registration was a name, email address and birthdate. According to the criminal indictment,
Liberty Reserve was intentionally created, structured and operated as a criminal business venture,
one designed to help criminals conduct illegal transactions and launder the proceeds of their
crimes.b Before Liberty Reserve was shut down in 2013, the number of users worldwide exceeded
one million.

The two founders of Liberty Reserve were charged with and arrested for conspiracy-related
offences. In 2013, one of the founders, V.K., a citizen of the United States, pleaded guilty to, among
other offences, conspiracy to commit money-laundering and conspiracy to operate an unlicensed
money-transmitting business and was sentenced to 10 years of imprisonment.c The other founder,
A.B., a citizen of Costa Rica, was arrested in Spain in 2013 and extradited to the United States in
2014. In 2016, A.B. pleaded guilty to one count of conspiring to commit money-laundering and was
sentenced to 20 years of imprisonment and a fine of US$ 500,000.d

For more information on this case, see UNODC, SHERLOC case law database, Case No. USA004R.e

a
United States of America v. Liberty Reserve S.A. et al., Indictment No. 13-CR-368, para. 16.
b
Ibid., para. 8.
c
Nate Raymond and Brendan Pierson, “Digital currency firm co-founder gets 10 years in prison in U.S. case”, Reuters,
13 May 2016.
d
United States Department of Justice, Office of Public Affairs, “Liberty reserve founder sentenced to 20 years for
laundering hundreds of millions of dollars”, press release, 6 May 2016.
e
Available at https://sherloc.unodc.org/.

In addition, cryptocurrencies are used by perpetrators of cyber organized crime to further their illicit ends.
The most widely used cryptocurrency is bitcoin. Case law has revealed that darknet sites include
“tumbling” or “mixing” services to obscure links between buyers’ and vendors’ bitcoin addresses.87 These
services essentially scramble multiple buyer-seller bitcoin transactions together in order to conceal the
bitcoin payments from buyer to seller or commission payments to the administrator.88

United States of America v. Gary Davis, Case No. 1:13-CR-950-2 (SHERLOC case law database, Case No. USAx156).
87 

United States District Court, Southern District of Florida, United States of America v. Gal Vallerius, Case No. 17-MI-03241-JG,
88 

Criminal Complaint, 31 August 2017, para. 24 (c).

31
DIGEST OF CASES

Cryptocurrency used in traditional crimes

Tribunal Penal del Segundo Circuito Judicial de San José, Causa penal número
18-027579-042-PE (Creighton Kopko) (Costa Rica)
The members of an organized criminal group (including two police officers) planned and, on
24 September 2018, carried out the kidnapping of a United States citizen. They requested a ransom
of US$ 5 million to be paid in bitcoin. Although part of the ransom was paid the next day, the victim
was murdered and his body hidden in a cemetery, where it was found months later.
The crime was investigated by the specialized cybercrime unit of the police and the specialized
prosecution section of drug trafficking of Costa Rica. The investigation was assisted by the Spanish
Civil Guard and the Cuban police (the latter was involved because the head of the criminal group
had fled to Spain via Cuba). Authorities in those countries cooperated under the framework of
article 18, paragraph 4, of the United Nations Convention against Transnational Organized Crime.
By tracing the bitcoin payment, law enforcement authorities were able to identify the members of
the criminal group and their location. Subsequently, joint and simultaneous operations were con-
ducted in Costa Rica and Spain to arrest all suspects.
In this case, the Costa Rican and Spanish authorities used special investigative techniques, includ-
ing the following: the interception of telephone and Internet communications between the mem-
bers of the group and between members of the group and the family’s next of kin; electronic
surveillance; undercover operations; digital video analysis; and the tracing of cryptocurrencies and
payments among the group. Digital evidence was obtained from email messages, chat rooms,
mobile devices, computers, USB sticks, hard disk drives and the Internet, including blockchain
analysis and digital wallet exchangers.
Ultimately, 10 members of the criminal group were charged with extorsive kidnapping, aggravated
theft and criminal association. On 20 May 2022, the Tribunal Penal del Segundo Circuito Judicial (crim-
inal court of the second circuit) in San Jose adjudicated the case and sentenced nine members of the
group for extorsive kidnapping, aggravated theft and criminal association; because of insufficient
proof, the tenth member of the group was not convicted. The nine convicted members of the group
were each sentenced to a total of 65 years of imprisonment: 10 years for criminal association, 50 years
for extorsive kidnapping and 5 years for aggravated theft. Under the law in Costa Rica, individuals can
be imprisoned for no more than 50 years. At the time of writing, the verdict had not yet been appealed.

Bitcoin is the most common cryptocurrency used to receive criminal proceeds of both cybercrime and tra-
ditional crime (see the box above). In Internet Organised Crime Threat Assessment 2020, Europol revealed
that while the most popular cryptocurrency (bitcoin) is still predominantly used, darknet markets have
started to offer alternative privacy-enhanced cryptocurrencies for transactions, such as Monero, Dash and
Zcash.89 Case law supports this observation. In particular, the darknet sites included in this digest relied on
bitcoin, Monero and Ethereum for financial transactions.90 The popularity of cryptocurrencies has led to
their use in scams to lure unsuspecting investors in fraudulent schemes.91 Moreover, cryptocurrencies have
been used by criminals for money-laundering. 92 Finally, cryptocurrencies are not only a tool used by

89 
Europol, Internet Organised Crime Threat Assessment 2020, p. 58.
90 
Regina v. Jake Lavene, Crown Court Leeds, Case No. T20177358; Regina v. Mandy Christopher Lowther, Crown Court Leeds,
Case No. T20177358; Regina v. Lee Childs, Crown Court Leeds, Case No. T20177358.
A group of five defendants participated in a worldwide Ponzi scheme, the BitClub Network, which defrauded cryptocurrency
91 

investors (United States District Court, District of New Jersey, United States of America v. Matthew Brent Goettsche, Russ Albert
Medlin, Jobadiah Sinclair Weeks, Joseph Frank Abel, and Silviu Catalin Balaci, Case No. 19-CR-877-CCC, 5 December 2019;
United States District Court, District of New Jersey, United States of America v. Silviu Catalin Balaci, Superseding Information, Case
No. 19-877 (2017)).
92 
United States District Court, Southern District of New York, United States of America v. Ross William Ulbricht, Case
No. 14-CR-068, 4 February 2014.

32
 chapter IV.  Tools used by perpetrators of cyber organized crime

organized criminal groups, but also the target of these criminals. For example, the so-called Bayrob group
engaged in “cryptojacking”, malicious “cryptomining” whereby malicious code was used to infect systems
and use the resources of the infected systems to “mine” cryptocurrencies.93

Seoul Central District Court (Criminal Department I-I), 2 May 2019,

2018NO2855 (Welcome to Video) (Republic of Korea)
Between 8 July 2015 and 4 March 2018, the defendant, a national of the Republic of Korea, operated
“Welcome to Video”, a darknet website for the exchange of child sexual abuse material.a The
defendant posted approximately 20 gigabytes of images and videos to the website that had been
downloaded from other websites. Website users were able to download child sexual abuse material
using bitcoins or “points” that could be earned by uploading other child sexual abuse material to
the website. Each user received a unique bitcoin address when creating an account on the website.
An analysis of the server revealed the website had more than one million bitcoin addresses, mean-
ing that the website had a capacity for at least one million users.

Germany, the Republic of Korea, the United Kingdom and the United States engaged in a joint law
enforcement investigation that led to the arrest of the defendant and the seizure of the server used to
operate the website. Specifically, in the United States, criminal investigation agents of the Internal
Revenue Service traced bitcoin exchanges to identify IP addresses linked to the website. The agents
then analysed the IP addresses to identify the server hosting the website, which was located in the
Republic of Korea. Law enforcement officers from the Republic of Korea, the United Kingdom and the
United States subsequently raided the location of the server and arrested the website operator, seiz-
ing approximately 8 terabytes of child sexual exploitation videos. The law enforcement agencies
involved shared the data from the seized server with law enforcement agencies throughout the world,
resulting in the arrest of 337 individuals in 12 different countries. According to the National Center for
Missing and Exploited Children of the United States, approximately 45 per cent of the seized videos
contained child sexual exploitation material that had not been previously identified. Law enforcement
authorities seized money in bitcoins and Power Ledger tokens.

The defendant was sentenced to two years’ imprisonment for the production and distribution of
child pornographyb and the spreading of pornography;c the sentence was ultimately suspended. The
defendant was also sentenced to complete a sex offender treatment programme and to perform
200 hours of community service. The appellate court reversed the lower court’s judgement in part,
holding that the sentence imposed by the lower court was too light and improper. The appellate
court decided to sentence the defendant to one year and six months of imprisonment; that sentence
was not suspended. The appellate court also ordered the defendant to complete a sexual violence
treatment programme; in addition, he was subjected to a five-year restriction order on employment
in a child- and/or youth-related organization.

The website, Welcome to Video, was one of the first of its kind to use the cryptocurrency bitcoin to
monetize child sexual exploitation videos. Prior to being shut down, it was considered to be the
largest darknet site containing child sexual abuse material. The combination of the site using
cryptocurrencies for transactions and being hosted on the darknet posed challenges for law
enforcement authorities.

For more information about this case, see UNODC, SHERLOC case law database, Case No. KORx002.d
For more information on child sexual exploitation material, see chap. V, sect. B.6.
a

Article 11, paragraph 2, of the Act on the Protection of Children and Youth against Sex Offenses of the Republic of Korea.
b

 Article 44-7, paragraph (1) 1, and article 74, paragraph (1) 2, of the Act on the Promotion of Information and
c

Communications Network Utilization and Information Protection, etc.

d
Available at https://sherloc.unodc.org/.

United States of America v. Bogdan Nicolescu, Tiberiu Danet, and Radu Miclaus.
93 

33
CHAPTER V.
TYPES OF CYBER
ORGANIZED CRIME
DIGEST OF CASES

V.  TYPES OF CYBER ORGANIZED CRIME

In the present digest, two types of cyber organized crime are examined: cyber-dependent organized crime
and cyber-enabled organized crime. Types of cybercrime that fall under the categories of cyber-dependent
and cyber-enabled crimes are examined in the sections below.

A. Cyber-dependent crime
Cyber-dependent crimes target ICT and would not be possible without the use of that technology. Cyber-
dependent crimes target the confidentiality (access is restricted to authorized users), integrity (data are
correct, trustworthy and valid) and availability (systems and data are accessible on demand) of computer
systems and data. Illicit acts against the confidentiality, integrity and availability of computer systems and
data include illegal access to a computer system and/or computer data; illegal interception of computer data
and/or acquisition of computer data; illegal data and system interference; and illegal production, distribu-
tion, use and possession of computer misuse tools. These cybercrimes are committed for a variety of rea-
sons, including financial, ideological, political and personal reasons (such as revenge, personal gratification,
to gain status and to obtain recognition among peers).94

1. Illegal access
Unauthorized or illegal access to ICT and/or its data is commonly known as hacking. Hacking refers to not
only gaining unauthorized or illegal access but also exceeding authorized access. Both of these activities are
proscribed by law, but this proscription varies by country and region.95 Hackers may access or attempt to
access systems and data; exceed or attempt to exceed authorized access to systems and data; and/or may
utilize this access to steal, modify, disrupt and/or otherwise damage systems and data. With respect to the
latter, once hackers gain illegal or unauthorized access to systems, they can view, download, alter and/or
steal data, damage the systems and/or interrupt or disable access to the system and/or data by legitimate
users.96 In one case in the United States, the defendant and his co-conspirators gained unauthorized access
to computers and computer networks to obtain sensitive data and military data and provide it to others
located outside of the United States for financial gain.97

R. v. Kalonji, 2019 ONCJ 341 (Canada)

The case R. v. Kalonji involved six defendants (H.K, T.S.-M., A.G., K.R., B.M. and K.H.), three of whom
(H.K., K.H. and A.G.) were charged with and convicted of conspiracy to commit fraud, in particular
account takeover fraud (two of the defendants were also charged with and convicted of other
crimes).a To accomplish this fraud, new accounts (so-called “complicit accounts”) or joint accounts
were opened that were in some way linked to victims’ accounts (often identified by hackers that
gained illegal access to bank systems or by insiders of the bank).b Money was then transferred from
the victims’ accounts to the joint or complicit accounts and subsequently withdrawn from the
accounts by associates. Intercepted communications of one of the defendants (H.K.) revealed that
he had used hackers to identify victims’ accounts and to manipulate bank accounts for fraudulent
reasons (e.g. to transfer money from victims’ accounts to complicit accounts).c

94 
Majid Yar, Cybercrime and Society (Thousand Oaks, California, SAGE Publications, 2006); Samuel C. McQuade III,
Understanding and Managing Cybercrime (Upper Saddle River, New Jersey, Pearson Education, 2006); David S. Wall, Cybercrime:
The Transformation of Crime in the Information Age (Cambridge, United Kingdom, Polity, 2007); Maras, Cybercriminology.
Article 29, paragraph 1 (a), of the African Union Convention on Cyber Security and Personal Data Protection requires States
95 

parties to that Convention to criminalize gaining or attempting to gain unauthorized access to part or all of a computer system or
exceed authorized access.
96 
Maras, Cybercriminology, p. 14.
97 
United States of America v. Su Bin, Case No. SA CR 14-131, Plea Agreement, 22 March 2016, p. 5 (SHERLOC case law data-
base, Case No. USAx244).

36
 chapter V.   Types of cyber organized crime

For more information on this case, see UNODC, SHERLOC case law database, Case No. CANx137.d
a
Canada, Ontario Court of Justice, R. v. Kalonji, paras. 110–114.
b
Ibid., para. 6.
c
Ibid., paras. 46, 66 and 75.
d
Available at https://sherloc.unodc.org/.

Tribunal de grande instance hors classe de Dakar, 14 janvier 2020, 30/2020

The computer systems and data systems of a network of savings and credit cooperatives in Senegal,
were accessed by unknown individuals for the creation of large and fictitious amounts of money or
to steal money from existing accounts of the banking network and transfer it to their accomplices’
accounts for withdrawal.

Cheikh Al X, Jeanne AJ Ap and Alioune Ak Z were accused of aiding and abetting fraudulent com-
puter system access by providing the principal offenders – the unknown individuals – with bank
accounts to facilitate the deposits of fictitious money.

Following the unknown individuals’ orders, Cheikh Al X targeted and facilitated the use of several
bank accounts for the receipt of the stolen funds. He also asked Jeanne AJ Ap to facilitate the use
of an account of the banking network. Jeanne asked her cousin Ao AG to use her own account to
help a friend who needed to receive money from her husband. The money from each account was
sent to the unknown individuals and a part of it was shared with the defendants, as well as the bank
account owners (such as Ao AG).

The defendants were convicted of fraud and aiding and abetting the access and maintenance of
computer systems and the modification or deletion of data; fraudulent interception of computer
systems for the purpose of obtaining financial benefits; and modification of data by the introduction,
erasure or deletion of data. They were sentenced to two years of imprisonment and to pay to the
banking network 3.5 million CFA francs in compensation.

For more information on this case, see UNODC, SHERLOC case law database, Case No. SENx004.a

a
Available at https://sherloc.unodc.org/.

The term “hacking”, however, is not included in multilateral, regional and national cybercrime laws. Instead
the terms “illegal access” or “unauthorized access” are used. For example, article 2 of the Council of Europe
Convention on Cybercrime98 includes the term “illegal access”, which is defined as the intentional “access
to the whole or any part of a computer system without right”. In the Agreement on Cooperation among the
States members of the Commonwealth of Independent States in Combating Offences related to Computer
Information, “illegal access” is defined as unauthorized access to computer information.99 The term “illegal
access” is also included in the Arab Convention on Combating Information Technology Offences, adopted
by the League of Arab States in 2010; in that Convention, illicit access to, presence in or contact with part
or all of the information technology is considered to be a criminal offence. Some laws consider illegal

98 
In this digest, as a way to illustrate the meaning of concepts and variation in the definitions of concepts, the definitions included in
multilateral conventions (such as the Council of Europe Convention on Cybercrime) and regional instruments (such as the Agreement
on Cooperation among the States members of the Commonwealth of Independent States in Combating Offences related to Computer
Information), the African Union Convention on Cyber Security and Personal Data Protection and the Arab Convention on Combating
Information Technology Offences), as well as national laws, are used.
Article 1, paragraph (d), of the Agreement on Cooperation among the States members of the Commonwealth of Independent
99 

States in Combating Offences related to Computer Information.

37
DIGEST OF CASES

access alone to be an offence,100 whereas other laws require access to be accompanied by a proscribed act
in order to be considered an offence.101

2. Illegal interception or acquisition

Multilateral, regional and national cybercrime laws proscribe the illegal interception or acquisition of com-
puter data. There is no universal definition of illegal interception or acquisition of computer data and the
definitions included in laws vary. In the Arab Convention, the offence of illicit interception is defined as the
deliberate unlawful interception of the movement of data by any technical means and the disruption of
transmission or reception of information technology data (art. 7). In article 3 of the Council of Europe
Convention, “illegal interception” is defined as the intentional “interception without right, made by techni-
cal means, of non-public transmissions of computer data to, from or within a computer system, including
electromagnetic emissions from a computer system carrying such computer data”. Instead of using the
words “without right”, the African Union Convention on Cyber Security and Personal Data Protection,
adopted in 2014, holds that interception is illegal if it occurs “fraudulently”.102 Perpetrators of this type of
cybercrime seek to intercept data as they traverse networks through, for example, eavesdropping on com-
munications or masquerading as the sender or receiver of communications and/or data.103

Uganda v Nsubuga & 3 Ors (HCT-00-AC-SC 84 of 2012) [2013] UGHCACD 12

(3 April 2013) (Uganda)
Officers of the Uganda Revenue Authority identified anomalies that led them to suspect that their
computer system was being compromised. In June 2012, following a tip that indicated the presence
of a suspicious vehicle in the proximity of the Uganda Revenue Authority at Nakawa, four men were
arrested. The men inside the vehicle included the four defendants (G.N., M.F.N., O.P. and B.R.) and
another person who was not indicted. Three laptops, an inverter, an external hard disk and other
electronic paraphernalia were seized from the vehicle. The chat room exchanges between the four
defendants provided evidence that the accused prepared for system interference. The communica-
tions showed that the defendants aimed to deceive the Uganda Revenue Authority by accessing its
communication system using spyware. Some of the evidence also showed that the system of the
Uganda Revenue Authority had been interfered with and that unauthorized alterations had been

100 
See, for example, the Arab Convention on Combating Information Technology Offences, which calls for States to criminalize
illicit access to, presence in or contact with part or all of the information technology, or the perpetuation thereof (see art. 6, para. (1));
and calls for the provision of enhanced penalties for illicit access leading to the obliteration, modification, distortion, duplication,
removal or destruction of saved data, electronic instruments and systems and communication networks, and damages to the users and
beneficiaries or the acquirement of secret government information (see art. 6, para. (2)). In of the African Union Convention on Cyber
Security and Personal Data Protection, States parties to the Convention are required to criminalize: gaining or attempting to gain
unauthorized access to part or all of a computer system or exceed authorized access (art. 29, para. 1 a)); and remaining or attempting
to remain fraudulently in part or all of a computer system (art. 29, para. 1 c)).
Article 3 (1) (a) of the Agreement on Cooperation among the States members of the Commonwealth of Independent States in
101 

Combating Offences related to Computer Information calls for the criminalization of: the illegal accessing of computer information
protected by the law, where such act results in the destruction, blocking, modification or copying of information or in the disruption
of the functioning of the computer, the computer system or related networks (art. 3, para. (1) (a)); and Agreement the violation of
regulations governing the use of computers, computer systems or related networks by a person who has access to those computers,
systems or networks, resulting in the destruction, blocking or modification of computer information protected by the law, where
such act causes significant harm or serious consequences (art. 3, para. (1) (c)). The African Union Convention on Cyber Security and
Personal Data Protection considers the following to be a criminal offence: gaining or attempting to gain unauthorized access to part
or all of a computer system or exceed authorized access with intent to commit another offence or facilitate the commission of such an
offence (art. 29, para. 1 b)).
The African Union Convention requires States parties to criminalize intercepting or attempting to intercept computerized data
102 

fraudulently by technical means during non-public transmission to, from or within a computer system (art. 29, para. 2 a)).
103 
See also UNODC Teaching Modules, Cybercrime, Module 2: general types of cybercrime, “Computer-related offences”.
Available at sherloc.unodc.org/cld/en/education/tertiary/cybercrime/module-2/index.html

38
 chapter V.   Types of cyber organized crime

made to the data. The defendants were charged with unauthorized use and interception of com-
puter services under sections 15(1) and 20 of the Computer Misuse Act; electronic fraud in violation
of section 19 of the Computer Misuse Act; unauthorized access to data under sections 12(2) and 20
of the Computer Misuse Act; producing, selling or procuring, designing and being in possession of
devices, computers, computer programs designed to overcome security measures for protection of
data in violation of sections 12(3) and 20 of the Computer Misuse Act; unauthorized access to a
customs computerized system under section 191(1)(a) of the East African Community Customs
Management Act 2009; and fraudulent evasion of payment of duty in violation of section 203(e) of
the East African Community Customs Management Act 2009. Two of the four defendants were
found guilty of all charges except fraudulent evasion of payment of duty. Those two defendants were
sentenced to 12 years’ imprisonment for electronic fraud and 8 years’ imprisonment for unauthor-
ized use and interception of computer services, unauthorized access to data and producing, selling
or procuring, designing and being in possession of devices, computers, computer programs
designed to overcome security measures for protection of data; and they were ordered to pay a fine
of US$ 4,500 for unauthorized access to a customs computerized system.

For more information about this case, see UNODC, SHERLOC case law database, Case No. UGAx005.a

a
Available at https://sherloc.unodc.org/.

3. Data and system interference

Interference is broadly understood as including any activity that alters, deletes, inhibits the functioning and/
or damages systems and/or data.104 In article 29, subparagraphs 1 d),105 1 e),106 1 f),107 2 b)108 and 2 d),109 of
the African Union Convention, data and system interference are considered criminal offences. According to
article 4 of the Council of Europe Convention, data interference is considered a crime when it is “committed
intentionally” and involves the “damaging, deletion, deterioration, alteration or suppression of computer
data without right”. Article 8 of the Arab Convention calls for the proscription of deliberate unlawful
destruction, obliteration, obstruction, modification or concealment of information technology data (so-called
“offences against the integrity of data”).

104 
Ibid.
105 
States parties are required to criminalize hindering, distorting or attempting to hinder or distort the functioning of a computer
system (art. 29, para. 1 d)).
106 
States parties are required to criminalize entering or attempting to enter data fraudulently in a computer system (art. 29,
para. 1 e)).
107 
States parties are required to criminalize damaging or attempting to damage, delete or attempting to delete, deteriorate or
attempting to deteriorate, alter or attempting to change the computer data fraudulently (art. 29, para. 1 f)).
108 
States parties are required to criminalize intentionally inputting, altering, deleting or suppressing computer data, resulting in
inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless of whether or
not the data are directly readable and intelligible (art. 29, para. 2 b)).
109 
States parties are required to criminalize the fraudulently procuring, for oneself or for another person, any benefit by inputting,
altering, deleting or suppressing computerized data or any other form of interference with the functioning of a computer system
(art. 29, para. 2 d)).

39
DIGEST OF CASES

BGH, Beschluss vom 30.08.2016, 4 StR 194/16 (Germany)

At the time of the crimes, the defendant A.T. had been working for a company producing and operating
slot machines for several years. He advised its employees regarding the manipulation protection of
the slot machines. He employed his son-in-law, P., as a computer specialist. The brother of the
defendant, S.T., had been operating his own gambling halls.

In 2013, A.T. and Dr. C. (the managing director and a shareholder of the firm Ca. GmbH, which had put
up slot machines of the firm L. GmbH in their casinos in Germany) decided to manipulate the software
of the slot machines for financial gain. P., who knew of the plans, developed cards and dongles
(a device similar to USB stick) with which the software of the machines was manipulated to credit the
player points (tradable for cash) without previously having initiated a game. This was referred to as
the “credit approach”. P. also installed a backdoor in the software that was activated by daily codes
and manipulated the game in such a way that, instead of the player choosing between red and black
without having any indication of the result, the same colour appeared multiple times in a row. This
allowed the player to eliminate the usual risk of loss and receive points that could subsequently be
traded for money.

The original flash cards used by the slot machines were replaced by cards with the manipulated soft-
ware developed by P. This swap happened at night, outside of the casinos’ business hours. At first, the
backdoor was installed on the flash cards with the original software. Later, the backdoor, as well as
the manipulated software to perform the credit approach, were installed on a dongle that was inserted
into the slot machines.

The credit approach was used 200 times between July 2014 and January 2015 to obtain €4,485,965 in
winnings from the slot machines. Between March 2014 and January 2015, the backdoor was used by
43 people instructed by A.T., resulting in proceeds of €214,030. The people later instructed by
S.T. obtained a total of €1,218,420 from making use of the backdoor 1,770 times. In one instance,
S.T. himself played and retrieved €1,500 by using the backdoor.

The defendant was charged with and convicted of commercially based computer fraud under section
263a of the German Criminal Code, which provides that whoever, with the intention of obtaining an
unlawful pecuniary benefit for themselves or a third party, damages the property of another by influ-
encing the result of a data processing operation by incorrectly configuring the computer program,
using incorrect or incomplete data, making unauthorized use of data or taking other unauthorized
influence on the processing operation incurs a penalty of imprisonment for a term not exceeding five
years or a fine. He was also charged with the disclosure of trade secrets. The defendant was sen-
tenced to five years and six months of imprisonment.

For more information on this case, see UNODC, SHERLOC case law database, Case No. DEUx027.a

a
Available at https://sherloc.unodc.org/.

Data compromises (or data breaches), which occur when criminals illegally access data or databases,110 are
an example of data interference. This illicit access may be obtained in variety of ways, such as by using
malware (see chap. V, sect. A.4, below) and other tools to exploit system vulnerabilities, as well as social
engineering tactics designed to dupe unsuspecting individuals into engaging in acts that the criminals want
the targets to engage in (e.g. revealing personal information or clicking on a link infected with malware).
Social engineering tactics are used to perpetrate not only cyber-dependent crimes, but also cyber-enabled
crimes (for examples of these tactics, see chap. V, sect. B.1, subsect. (a), below).

Europol, Internet Organised Crime Threat Assessment 2020, p. 14.

110 

40
 chapter V.   Types of cyber organized crime

Legal definitions of system interference, like those of data interference, vary. The African Union Convention
simply defines it as hindering, distorting or attempting to hinder or distort the functioning of a computer
system.111 The definition provided in the Council of Europe Convention explains what specific actions
constitute interference: inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing
computer data.112

“CARUSO SOTILLO, Saddam José y otra p.ss.aa. Asociación ilícita, etc”

SAC 7073076 (Argentina)
In Argentina, a criminal group committed a cybercrime known as ATM jackpotting – exploiting the
physical and software vulnerabilities of ATMs to make the machines dispense cash. The group tar-
geted ATMs in remote physical locations without security guards. Their method of operation was to
travel to banks to obtain physical access to ATMs by forcing the front door of the machines with a
screwdriver; accessing the interior of the central processing unit; disconnecting the USB cable that
connected the central processing unit to the peripherals, including the banknote dispenser; and
replacing the USB cable with their own cable and connecting it to a laptop. They used specialized
software to alter the functioning of the machine and to dispense cash.

The group included five named individuals: two defendants (L.D.F.J. and S.J.C.S.) and three associ-
ates (J.C.C.S., R.J.M.P. and L.A.D.S.C.). Other unnamed individuals were also involved in the cyber-
crime. The group divided the roles among its members. Some members were involved in gaining
physical access to ATMs and in the collection of the money, while others engaged in surveillance or
other tasks essential to the completion of the cybercrime. They obtained a total of 871,900 Argentine
pesos from targeted ATMs of a bank in the Province of Córdoba

The defendants were charged with and convicted of criminal association and co-authoring and partic-
ipating in fraud by computer manipulation L.D.F.J. received a sentence of three years and three
months of imprisonment. S.J.C.S. received a sentence of four years and three months of imprison-
ment. The court unified this sanction with another sentence and ordered a single sentence of
six years’ imprisonment. The Government seized the technological devices (cell phones, laptops,
SIM cards etc.) used in the commission of the cybercrime.

For more information about this case, see UNODC, SHERLOC case law database, Case No. ARGx017.a

a
Available at https://sherloc.unodc.org/.

Art. 29, para. 1 (d).

111 

According to article 5 of the Convention on Cybercrime, system interference is considered illegal when it is committed inten-
112 

tionally and seriously hinders without right the functioning of a computer system by inputting, transmitting, damaging, deleting,
deteriorating, altering or suppressing computer data.

41
DIGEST OF CASES

Segundo Juzgado de Instrucción del Distrito Nacional –

Proceso No. 058-13-00719 (Dominican Republic)
The Integral Management Protection Center reported the suspicious use of Dominican prepaid
telephone lines to make international calls. Technology fraud engineers from the affected company
initiated an investigation, which showed that the prepaid telephone numbers fraudulently used to
make international calls from the Dominican Republic had been irregularly switched to postpaid.
By performing a search on the intranet (the local network of the telephone company), an informa-
tion security expert from the affected company identified the IP addresses from where the altera-
tions to the prepaid numbers had been made. With this information, the expert requested assistance
in the form of forensic analysis from the department of the national police responsible for the
investigation of crimes and high-technology crimes. The forensic analyst discovered that the alter-
ations had been made from the older version of the provisioning platform for automated activation
of customer services. The telephone company had recently started using an upgraded version of
the platform.

Five individuals were accused of violating articles 265 and 266 of the Penal Code and articles 7, 8,
20 and 26 of law 53-09 on high-tech offences against the national telephone company. Three of the
defendants, SAGR, IDHP and WSH, were convicted of electronic fraud and sentenced to three years
of prison. Their sentences were suspended on the condition of keeping a permanent residence,
refraining from carrying any type of weapons and refraining from drinking alcoholic beverages.

For more information about this case, see UNODC, SHERLOC case law database, Case No. DOMx010.a

a
Available at https://sherloc.unodc.org/.

Examples of cybercrimes that interfere with systems are denial-of-service attacks and distributed
denial-of-service attacks. A denial-of-service attack overwhelms the target’s resources, resulting in the
denial of requests for access from legitimate users.113 This type of cybercrime targets the availability of the
systems and data. A distributed denial-of-service attack, like a denial-of-service attack, seeks to overwhelm
the target’s resources to prevent legitimate access to the target; however, instead of just one computer or
other technology, multiple computers and other technologies are used to overwhelm the target’s resources.
Distributed denial-of-service attacks can be committed when multiple users utilize their devices to commit
coordinated cyberattacks and/or when multiple computers and other technologies infected with malware
are leveraged to conduct a cyberattack.114 The network of digital devices infected with malware that can be
used in a distributed denial-of-service attack constitute what is known as a botnet. The malware used to
create a botnet enables the monitoring and remote control of the infected digital devices. Data may also be
stolen from these infected devices.

113 
Marie-Helen Maras, Computer Forensics: Cybercriminals, Laws and Evidence, 2nd ed. (Burlington, Massachusetts, Jones and
Bartlett, 2015), p. 7.
114 
Ibid., p. 8.

42
 chapter V.   Types of cyber organized crime

Cassazione penale, sezione feriale, sentenza No. 50620, 12 Settembre 2013

(Italy)
Between 2011 and 2012, a hacktivist group operating under the name Anonymous Italia conducted
several cyberattacks against the websites of public institutions and well-known companies. This
group identified itself as the Italian branch of the Anonymous collective; its aim, according to the
view of the prosecutor, was to become a leading group in the Italian hacktivist community and carry
out cyberattacks, which it called “operations”.

The members of the group mainly communicated using private and public Internet Relay Chat
channels. Participation in private channels was limited to the organizers of the cyberattacks. In
these channels, the organizers chose the targets, organized and coordinated the operations and
prepared public messages claiming responsibility for the attacks. The public channels did not have
access restrictions and were used as platforms for discussing topics related to the ideology of
Anonymous and for looking for participants for the distributed denial-of-service attacks launched
by the organizers of the private channels. Members of the private channels were charged with par-
ticipation in a criminal association under article 416 of the Italian Criminal Code (“Associazione per
delinquere”).

The cyberattacks perpetrated by the group consisted of distributed denial-of-service attacks and
illegal access to computer systems and data, which sometimes led to the defacement of victims’
websites. The modus operandi of these attacks followed a recurrent pattern. First, the members of
the criminal group decided on the target of the so-called operation. The targets were chosen on the
basis of maximizing prospective media exposure and dissemination of the group’s messages.
Secondly, when the members of the criminal group conducted distributed denial-of-service attacks,
they recruited participants in public Internet Relay Chat channels and made use of botnets. When
they sought illegal access to computer systems and data, they scanned the targeted website in
order to find flaws in its security system that they could exploit. Thirdly, the members of the group
usually gathered in private Internet Relay Chat channels in order to coordinate the cyberattacks and
support each other during the operations. Lastly, once an operation had been completed, the group
published a message in which they claimed responsibility for the cyberattacks on the blog and the
social network accounts related to Anonymous Italia.

The defendant appealed the decision of the Tribunal of Rome. The appeal was based on four
grounds, one of which was an error in the application of the criminal association offence (art. 416).
The Court of Cassazione rejected the appeal. Regarding the criminal association offence, the judges
found that the law had been applied correctly. Regarding the mens rea and the stable association
bond elements of the criminal association offence, the messages published on the blog and social
media profiles of Anonymous Italia in which members of the group claimed responsibility for the
cyberattacks showed the existence of a shared goal, the commission of crimes, and shared identity
among the members. Moreover, the continuous cooperation of the members of the criminal asso-
ciation in the commission of the cyberattacks between 2011 and 2012 showed the existence of a
stable association bond between them. The organization element of the criminal association
offence, which requires the existence of a minimum degree of organization between the criminals,
was fulfilled by the division of labour among the members. Regarding the organization element, the
Court took into consideration the structure of Anonymous, a fluid and flexible network of individuals
who share beliefs, without formal leadership. Despite the absence of formal leadership, some indi-
viduals in the network take the initiative organizing online operations and become informal leaders.
The Court stressed that the entire Anonymous community did not constitute a criminal association;
only the small groups of individuals, who planned and executed cyberattacks and, in that way,
assumed a leading role in the hacktivist community, could be considered a criminal association
under article 416.

43
DIGEST OF CASES

Cassazione penale, sezione feriale, sentenza No. 50620, 12 Settembre 2013 (Italy) (continued)

Moreover, the basic structure of private Internet Relay Chat channels defined the extension of the
criminal association: only those who had access to the private Internet Relay Chat channels could
be part of the criminal association. In this sense, the communication tool corresponded to the
structure of the criminal association. These remarks about the structure of Anonymous highlight
an important feature of the application of the criminal association to online criminal groups.
Prosecutors only charged the members of the private Internet Relay Chat channels in which cyber-
attacks were prepared and coordinated with the criminal association offence contrary to article 416.
They did not charge the users who visited the public Internet Relay Chat channels. The character-
istic of the private channels is that their access is limited to certain members, a feature that is also
common with online communities of paedophiles. Such communities often adopt control mecha-
nisms to select new members. As noted by the Court, Italian case law had applied the offence of
criminal association to online communities of paedophiles in the past. The decision of the Court
suggests that the application of the criminal association offence to online criminal groups is limited
to the ones that constitute a closed online community. This requirement may be seen as the result
of the fluidity of the online groups and the interactions that take place on the Internet and the risk
of overcriminalization of cyberspace through a broad application of the requirements of the crimi-
nal association offence. In an online environment where lines and borders of participation are
blurred, it is sometimes difficult to identify who is actually part of an organized criminal group.

This decision represents one of the Italian landmark cases on the application of the criminal asso-
ciation (art. 416 of the Italian Criminal Code) to organized criminal groups operating online. After
examining judicial decisions applying article 416 to online communities of paedophiles, the Court
set out the requirements for the application of the criminal association to online criminal groups.
The elements of the criminal association are: (a) the existence of an association bond between at
least three persons that shall not be short term or casual; (b) the existence of a criminal plan that
constitutes the aim of the organization; and (c) the existence of an organizational structure, with a
minimum degree of sophistication, that allows the criminal plan to be carried out.

Perpetrators of distributed denial-of-service attacks use existing tools to conduct such attacks, combine
existing tools, customize existing tools and create new tools. The creation of new tools and use of existing
tools were identified in the Europol report Internet Organised Crime Threat Assessment 2020 as methods
used by criminals to adapt to security measures.115 The tools used to conduct distributed denial-of-service
attacks and even botnets are available for sale or rent online and offered as a part of “crime as a service”.116
These tools can be custom-ordered or existing tools modified to users’ preferences. Access to these botnets,
as well as other systems and data of targets, are also offered online by criminal groups as a service for a fee
(sometimes called “access as a service”).117 A case in point are websites offering booter services, which are
utilized by paying users to launch distributed denial-of-service attacks. In United States v Sergiy Usatyuk,118
the defendant, the owner and administrator of sites offering booter services, pled guilty to conspiracy to
cause computer damage and was sentenced to 13 months’ imprisonment for his crime. The booter services
provided by him and his co-conspirators were used to conduct 1,367,610 distributed denial-of-service
attacks against systems inside and outside of the United States.119

115 
Europol, Internet Organised Crime Threat Assessment 2020, p. 32.
116 
Ibid.; Ken Dunham, and Jim Melnick, Malicious Bots: An Inside Look into the Cyber-criminal Underground of the Internet
(Boca Raton, Florida, CRC Press, 2009), pp. 3 and 57.
117 
Europol, Internet Organised Crime Threat Assessment 2020, p. 31.
118 
United States, Department of Justice, Office of Public Affairs, “Former operator of illegal booter services pleads guilty to con-
spiracy to commit computer damage and abuse”, press release, 27 February 2019; United States Attorney’s Office, Eastern District of
North Carolina, “United-States-v_Sergiy-Usatyuk”. Available at www.justice.gov/usao-ednc/united-states-v-sergiy-usatyuk.
119 
United States District Court, Eastern District of North Carolina, United States v. Sergiy Petrovich Usatyuk, Case No.
5:18-CR-00461-BO, Criminal Information, 15 November 2018, p. 5.

44
 chapter V.   Types of cyber organized crime

The 2020 Europol report also revealed that Internet of Things120 devices are vulnerable to distributed
denial-of-service attacks.121 The Mirai botnet brought home the lesson that everyday objects connected to
the Internet can be successfully targeted by perpetrators. Specifically, the Mirai botnet, which at some point
was composed of hundreds of thousands of infected Internet of Things devices primarily based in the
United States, was used to conduct distributed denial-of-service attacks on various targets and provide rev-
enue to those who controlled the botnet.122 The revenue they obtained was retrieved from renting the botnet
to customers for a fee and extorting from hosting companies and others protection money to avoid being
targeted by denial-of-service attacks.123

4. Misuse of devices
The misuse of devices is considered illegal “when committed intentionally and without right”.124 This
cybercrime involves the possession, “production, sale, procurement for use, import, distribution or other-
wise making available of” a device, including a computer program, designed or adapted primarily for the
purpose of committing illegal access, illegal interception, data interference and/or system interference.125
An example of such a device is malware. Malware is often distributed through attachments and infected
links in emails and websites.126 However, criminals have also exploited software vulnerabilities to spread
malware and infect systems. While the majority of laws criminalize the misuse of such devices, other laws
explicitly prohibit the creation, use or distribution of malware.127
Criminals have additionally encrypted malware and taken other measures to evade detection by security
measures and law enforcement authorities. For instance, the malware created by the Bayrob criminal enter-
prise would block targets’ access to sites associated with law enforcement.128 Criminals have further offered
malware that is made-to-order, or customized according to the buyer’s preferences. SpyEye is an example
of a customizable malware toolkit that enabled the theft of personal and financial data. Buyers of this toolkit
could, for example, customize SpyEye to target and collect specific information from infected systems
or specific financial institutions and choose what methods would be used to collect this information
(e.g., keylogger).129

The Internet of Things is an umbrella term used to describe a network of Internet-connected devices that collect, store, collate,
120 

analyse and share a significant amount of information and monitor people, animals, plants and/or objects in order to provide users
of these devices with some form of service (Marie-Helen Maras, “Internet of Things”, in Encyclopedia of Security and Emergency
Management, Lauren R. Shapiro and Marie-Helen Maras, eds. (Cham, Switzerland, Springer International Publishing, 2020)).
121 
Europol, Internet Organised Crime Threat Assessment 2020, p. 33; for information about security concerns related to Internet
of Things devices, see Marie-Helen Maras, “Internet of Things: security and privacy implications”, International Data Privacy Law,
vol. 5, No. 2 (May 2015), pp. 99–104.
122 
United States, Department of Justice, Office of Public Affairs, “Justice Department announces charges and guilty pleas in three
computer crime cases involving significant DDoS attacks”, press release, 13 December 2017.
123 
United States District Court, District of Alaska, United States of America v. Paras Jha, Case No. 3:17-CR-00164, Plea
Agreement, 5 December 2017, p. 4.
Article 6, paragraph 1 a, of the Council of Europe Convention on Cybercrime.
124 

125 
Ibid. A somewhat similar definition is provided in article 29, paragraph 1 h), of the African Union Convention, in which States
parties are required to criminalize unlawfully producing, selling, importing, possessing, disseminating, offering, ceding or making
available computer equipment, programs or any device or data designed or specially adapted to commit offences.
126 
Lorine A. Hughes and Gregory J. DeLone, “Viruses, worms, and trojan horses: serious crimes, nuisance, or both?”, Social
Science Computer Review, vol. 25, No. 1 (February 2007), p. 84.
127 
See, for example, article 3, paragraph 1 (b), of the Agreement on Cooperation among the States members of the Commonwealth
of Independent States in Combating Offences related to Computer Information. According to the Cybercrimes (Prohibition, Prevention,
etc.) Act, 2015, of Nigeria, sect. 32, subsect. (3): any person who engages in malicious or deliberate spread of viruses or any malware
thereby causing damage to critical information in a public, private or financial institution’s computers shall be guilty of an offence and
is liable upon conviction to three years’ imprisonment or a fine of 1 million naira or both.
128 
United States of America v. Bogdan Nicolescu, Tiberiu Danet and Radu Miclaus, p. 6. The Federal Bureau of Investigation
(FBI) of the United States mentioned that one of these sites was the Internet Crime Complaint Center (www.ic3.gov/) (for further
information, see United States, Federal Bureau of Investigation, “Romanian hackers sentenced: members of Bayrob criminal enter-
prise infected thousands of computers with malware, stole millions of dollars”, 20 February 2020).
129 
United States, Northern District of Georgia, United States of America v. Aleksandr Andreevich Panin and Hamza Bendelladj,
Case No. 1:11-CR-0557-AT-AJB, First Superseding Indictment, 26 June 2013; United States, Department of Justice, Attorney’s
Office, Northern District of Georgia, “Two major international hackers who developed the ‘SpyEye’ malware get over 24 years com-
bined in federal prison”, 20 April 2016.

45
DIGEST OF CASES

The misuse of devices may also involve the possession or use of “a computer password, access code or
similar data by which the whole or any part of a computer system is capable of being accessed, with intent
that it be used for the purpose of committing” illegal access, illegal interference, data interference and/or
system interference.130 An example of this type of misuse of devices involved the deployment, by a cyber
organized criminal group, of malware known as GozNym, a Trojan Horse created by combining two others
(Gozi and Nymaim) and designed to infect targeted computers and capture financial data (particularly bank-
ing login credentials). The financial data were later used by members to commit bank fraud by gaining
unauthorized access to the targets’ accounts and stealing funds from those accounts.131

United States of America v. Vladimir Tsastsin Andrey Taame, Timur Gerassimenko,

Dmitri Jegorov, Valeri Aleksejev, Konstantin Poltev, and Anton Ivanov,
Case No. 1:11-CR-00878 (S. D.N.Y., 14 October 2011) (DNS Changer Malware)
(United States of America)
The group responsible for the DNS Changer malware, worked with other conspirators to engage in
a fraudulent advertisement scheme.a In this case, members of the group posed as a legitimate
Internet advertisement agency and entered into Internet advertising agreements where they were
paid to receive money each time a user clicked on a website link or advertisement. The suspects
used rogue Domain Name System (DNS) servers and malware to fraudulently increase traffic and,
in turn, increase their revenue. The malware would infect users’ systems, alter users’ DNS server
settings to route activity to the rogue DNS servers, prevent anti-virus software from receiving
updates and facilitate click hijacking (whereby clicking on a search result redirects the user to
the perpetrators’ desired site, which the perpetrators receive payment for) and click fraud (fraudu-
lently replacing advertisements on sites with desired advertisements that perpetrators receive
payment for).b

Most of the suspects were charged with and sentenced for their crimes. V.T. pleaded guilty to con-
spiracy to commit wire fraud and conspiracy to commit computer intrusion and was sentenced to
seven years and three months of imprisonment, with one year of supervision after release, and was
required to forfeit US$ 2.5 million.c Other conspirators also pleaded guilty and were sentenced for
their crimes (T.M. and V.A. were each sentenced to four years’ imprisonment; D.J. was sentenced to
three years and eight months of imprisonment; K.P. was sentenced to three years and four months
of imprisonment; and A.I. was sentenced to time served). One defendant, A.T., is currently still
at large.

For more information on this case, see UNODC, SHERLOC case law database, Case No. USAx207.d

a
United States District Court, Southern District of New York, United States of America v. Vladimir Tsastsin, Andrey Taame,
Timur Gerassimenko, Dmitri Jegorov, Valeri Aleksejev, Konstantin Poltev, and Anton Ivanov, Case No. S2-11-CR-878, Indictment,
1 November 2011.
b
United States Attorney’s Office, Southern District of New York, “Estonian cybercriminal sentenced for infecting 4 million
computers in 100 countries with malware in multimillion-dollar fraud scheme”, 26 April 2016.
c
Ibid.
d
Available at https://sherloc.unodc.org/.

Article 6 of the Council of Europe Convention on Cybercrime. A similar definition is provided in the African Union Convention
130 

(art. 29, para. 1 h)): States parties to the Convention are required to criminalize unlawfully generating or producing a password, an
access code or similar computerized data allowing access to part or all of a computer system.
131 
United States of America v. Alexander Konovolov et al. (GozNym malware); United States Attorney’s Office, Western District
of Pennsylvania, “Three members of GozNym cybercrime network sentenced in parallel multi-national prosecutions in Pittsburgh and
Tbilisi, Georgia”, 20 December 2019.

46
 chapter V.   Types of cyber organized crime

B. Cyber-enabled crime
Cyber-enabled crimes include traditional crimes where ICT plays a key role in the methods used to commit
the crimes and facilitates the crimes. The types of cyber-enabled crime explored in the subsections below
include: computer-related fraud or forgery (bank fraud; phishing; advanced fee fraud scam; romance scam;
and other fraud-related scams); computer-related identity offences; falsified medical product-related crime;
counterfeiting; blackmail; extortion and ransom (e.g. sexual extortion (sextortion), ransom scams and ran-
somware); child sexual abuse and exploitation offences (e.g. child sexual abuse and exploitation material;
child grooming; and live-streaming child sexual abuse); trafficking in persons; smuggling of migrants;
drug trafficking; trafficking in firearms; trafficking in wildlife; trafficking in cultural property; money-
laundering; and Internet gambling.

1. Computer-related fraud
There are two general categories of cybercrime that are explored in this section: computer-related forgery
and computer-related fraud. The first category, computer-related forgery, can be described as an act,
committed intentionally and without right, involving the input, alteration, deletion or suppression of
computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal
purposes as if it were authentic, regardless of whether or not the data are directly readable and intelligi-
ble.132 This category of cybercrime includes the impersonation of legitimate individuals and/or entities
for fraudulent purposes. Here, fraud can be regarded as the misrepresentation of a fact in order to per-
suade an individual, group, organization or other entity to provide the offender with something desired
or valued.
The second category of cybercrime, computer-related fraud, refers to an act, committed intentionally and
without right, causing loss of property to another person by any input, alteration, deletion or suppression
of computer data, and/or any interference with the functioning of a computer system, with fraudulent or
dishonest intent of procuring, without right, an economic benefit for oneself or for another person.133
A well-known example of this type of fraud is SIM box fraud. SIM boxes are used to bypass international
calls and terminate them as local calls and thereby deprive the authorities of tariffs chargeable on
international calls.134 In one case in Ghana, the SIM box fraud perpetrated by the defendants not only
deprived the Government of significant sums of money, but also caused the communication service pro-
vider to suffer a loss of about 2.9 million Ghanaian cedis, the equivalent of US$ 1,235,000 at the time of
the offence.135

Article 7 of the Council of Europe Convention on Cybercrime; see also article 10 of the Arab Convention on Combating
132 

Information Technology Offences, in which forgery is considered a cybercrime when ICT is used as a means to alter the truth of data
in a manner that causes harm, with the intent of using the altered data as true data.
Article 8 of the Council of Europe Convention on Cybercrime. See also article 11 of the Arab Convention on Combating
133 

Information Technology Offences, which refers to intentionally and unlawfully causing harm to beneficiaries and users with the
aim of committing fraud to illicitly realize interests and benefits to the perpetrator or a third party, through: (a) entering, modifying,
obliterating or concealing information and data; (b) interfering with the functioning of the operating systems and communication
systems or attempting to disrupt or change them; and (c) disrupting electronic instruments, programmes and sites.
134 
Republic v. Michael Asamoah & Anthony Ogunsanwo Olawole (2019), p. 19.
135 
Ibid. In this case, one of the defendants (MA) was sentenced for conspiracy to provide electronic communication service with-
out a licence, contrary to section 73 (1) of the Electronic Communication Act of 2008; providing electronic communication service
without authority, in violation of sections 3 (1) and 73 (1) (c) of that Act; and knowingly obstructing and interfering with the sending,
transmission, delivery and reception of communication, in violation of section 73 (1) (e) of that Act.

47
DIGEST OF CASES

Uganda v. Ssentongo & 4 Ors (Criminal Session Case 123 of 2012) [2017]
UGHCACD 1 (14 February 2017)
In Uganda, five former employees of the country’s largest telecommunication company allegedly
swindled money amounting to 10 billion Ugandan shillings out of the company. Using the company’s
former mobile money computer system, the defendants purportedly created billions of Ugandan
shillings and wired the money to their mobile money accounts, which they had created before
resigning from their jobs. The breached computer system, named after the South African company
that had created it, is still in the towers of the telecommunication company, though it has been
deactivated and replaced.

An audit revealed that the usernames of the defendants appeared on the fraudulent transactions
used to steal money from the mobile money computer system. Four of the defendants left the com-
pany in close succession between October and December 2011. This raised suspicion that they
could have committed a crime before leaving. Evidence also showed that the defendant P.S. abused
the trust bestowed on him by manipulating the system to steal money from the company’s mobile
platform, together with co-conspirators (including J.N., who withdrew funds). Witness P.L., the
former head of the network and information system department of the company, proved that, with
false entries, company administrators were able to create fictional e-money on the company’s
adjustment discrepancy account and withdraw it through the company’s public access shop (an
online platform open to the public to buy company shares).

Of the five defendants, three were acquitted of all charges. P.S. was charged and found guilty of
embezzlement under section 19(b)(i) of the Anti-Corruption Act of 2009, electronic fraud in violation
of section 19 of the Computer Misuse Act of 2011 and conspiracy to defraud under section 309 of the
Penal Code Act. J.N. was charged and found guilty of embezzlement under section 19(b)(i) of the
Anti-Corruption Act and conspiracy to defraud under section 309 of the Penal Code Act.

For more information about this case, see UNODC, SHERLOC case law database, Case No. UGAx008.a

a
Available at https://sherloc.unodc.org/.

Computer-related fraud can also involve the use of false or misleading information to obtain something
from the target that is considered desired and/or of value to the perpetrator.

Segundo Tribunal Colegiado De La Cámara Penal Del Juzgado De Primera

Instancia Del Distrito Nacional, Sentencia penal núm. 249-04-2021-SSEN-
00225 (Dominican Republic)
In the Dominican Republic, two defendants, E.A.M.G. and H.W.C, along with others (R.L.S. and
W.H.), defrauded a victim in 2018 by fraudulently obtaining access codes to her bank accounts,
which allowed them to conduct multiple electronic transfers of fraudulent funds amounting to a
total of 2,336,000 Dominican pesos. The victim was contacted by a person who -identified herself as
“Doña Carmen”, pretending to be the person who would manage the victim’s accounts in a savings
and loan association. Doña Carmen told the victim to go to the bank branch and request a code card
to activate Internet banking. The victim was subsequently contacted multiple times by “Doña
Carmen”, who requested the card code access under the pretext of adjusting the victim’s bill. When
the victim received credit card transactions, she contacted “Doña Carmen”, who told her it was a
platform problem.

48
 chapter V.   Types of cyber organized crime

The two defendants, along with J.P.R.E. and others, continued their illicit partnership, committing
another fraud, this time targeting another savings and loan association. The defendants used tech-
nology to steal the banking information of a female client of the association and illegally used that
information to access the online platform of the savings and loan association. They made 11 elec-
tronic fund transfers totalling 1,896,370 Dominican pesos, which they sent to accounts owned by
the defendants. The client reported these transactions to the savings and loan association.

The court found the defendants guilty of electronic transfer of funds and fraud, violating articles 14
and 15 of Law 53-07 on High Technology Crimes and Crimes, and criminal association, in violation
of articles 265 and 266 of the Dominican Penal Code. They were each sentenced to three years’
imprisonment for their crimes.

For more information about this case, see UNODC, SHERLOC case law database, Case No. DOMx001.a

a
Available at https://sherloc.unodc.org/.

There are many cybercrimes that can be considered computer-related forgery or fraud. Some of these cyber-
crimes, particularly bank and payment fraud, phishing, advanced fee fraud scams, romance scams and other
fraud-related scams, are explored in the subsections below.

(a) Bank and payment fraud

Bank fraud is an umbrella term that covers ways in which money, property or assets owned by financial
institutions are illicitly obtained. Payment fraud is a type of bank fraud. Payment fraud involves the
unauthorized use of an individual’s payment data for the financial gain of the perpetrator. Examples of
payment fraud include debit card and credit card fraud (i.e., the theft or unauthorized use of credit or
debit card data). With payment fraud, financial institutions are not the only victims; merchants and clients
are also victims.

Uganda v Sserunkuma & 8 Ors (HCT-00-CR-SC 15 of 2013) [2015] UGHCACD 4

(27 April 2015) (Uganda)
Nine defendants were tried for their involvement in a scheme to illegally obtain over 3 billion
Ugandan shillings (U Sh) from a network provider in Uganda that was the telecommunication com-
pany employing the defendants.

On 25 January 2013, a sum of U Sh 3,150 million was transferred from the dispute account of the
company in seven equal instalments of U Sh 450 million each, to the company’s agent lines by
fraudulent means. According to a witness at the trial, the mobile money computer system of the
company had an external environment that involved banking, agents and subscribers, as well as
an internal system that was used specifically for mobile money. Within the internal system, there
were two accounts: a bank control account and a dispute account. After a deposit was made by an
agent in an account in the Ugandan bank, the deposit would be electronically synchronized into
the internal system through the dispute account and sent onward to the intended beneficiary
without manual intervention. What went in and out of the internal system was influenced by vir-
tual cash flows.

49
DIGEST OF CASES

Uganda v Sserunkuma & 8 Ors (HCT-00-CR-SC 15 of 2013) [2015] UGHCACD 4 (27 April 2015)
(Uganda) (continued)

In this case, the money, which went into agent lines, was later transferred to a total of 138 subscriber
accounts and withdrawn in cash or tokens. This was detected immediately. Subsequently, the system
was shut down and the loss was investigated. Evidence found during the investigation suggested that
the transactions were carried out using a computer that belonged to the telecommunication com-
pany. The defendants were not arrested while committing the offences but after the prosecution had
found evidence, which the court pointed out to be circumstantial, linking them to the crime. The pros-
ecution presented electronic evidence, including a forensic report, as well as the results of various
police searches, which led to the confiscation of several million Ugandan shillings, all of which sug-
gested the involvement of the defendants in the fraud. The charges against the defendants included
embezzlement under section 19(b)(i) of the Anti-Corruption Act, theft in violation of sections 254(1)
and 261 of the Penal Code Act, conspiracy to commit a felony under section 390 of the Penal Code Act,
unauthorized access in violation of section 12(3) and 20(1) of the Computer Misuse Act and electronic
fraud in violation of section 19 of the Computer Misuse Act. Ultimately, five of the nine defendants
were found guilty and sentenced to nine years’ imprisonment.

For more information about this case, see UNODC, SHERLOC case law database, Case No. UGAx006.a

a
Available at https://sherloc.unodc.org/.

Skimming occurs when a device is installed at a card terminal to surreptitiously collect users’ credit, debit
or bank card data. A skimmer is a type of device that is designed to surreptitiously collect such information.
One type of skimmer is an ATM skimmer. This device, a card reader, is attached to the part of the machine
where individuals place their cards. When a user places their card in the machine, the information on the
magnetic strip is collected and stored. Personal identification numbers (PINs) are also collected by placing
cameras directed at the keypad.

Gachev & Ors v Uganda (Criminal Appeal 155 of 2013) [2016] UGHCCRD 4
(16 July 2016) (Uganda)
In a high-profile case in Uganda, four  Bulgarian men were accused of forging ATM cards. The men
were eventually prosecuted and convicted,

The four defendants were arrested at an ATM location in Natete, Uganda, after closed-circuit tele-
vision cameras had been installed in ATMs following complaints about unauthorized withdrawals
being made from several customers’ accounts. The defendants had used an ATM skimmer to steal
card data, picked accounts with higher sums, forged ATM cards and withdrew the money from the
customers’ accounts. After converting the money into United States dollars, the defendants had
wired the money to bank accounts in Bulgaria. In one of the defendant’s cars, 37 cards and a list of
bank customers’ personal identification numbers (PINs) had been recovered.

The defendants were charged with unauthorized access to computer data contrary to section 12 of
the Computer Misuse Act and conspiracy to commit a felony contrary to sections 390, 342 and
347 of the Penal Code Act. Three of the defendants were ordered to serve a total of 20 years’ impris-
onment for the 33 counts of forgery. The fourth defendant was ordered to serve a total of 10 years’
imprisonment for the 33 counts. The judge of the High Court of Uganda also ordered that each of
them be deported to their country of origin after serving their respective sentences. All the defend-
ants appealed their convictions and sentences. The High Court allowed the appeal of the fourth

50
 chapter V.   Types of cyber organized crime

defendant, whose conviction was quashed and whose sentence was put aside. The appeals of the
remaining three defendants were dismissed and the convictions were upheld by the High Court.
However, each of their sentences were lessened to a jail term of nine years on the ground that they
were first-time offenders who deserved the court’s lenience.

For more information about this case, see UNODC, SHERLOC case law database, Case No. UGAx007.a

a
Available at https://sherloc.unodc.org/.

In one case in Germany, three individuals were accused of skimming magnetic strip data, as well as
obtaining the PINs of several cards, using card readers and miniature cameras.136 After surreptitiously
collecting the data, they created duplicates of the cards (i.e., they cloned the cards) and used them abroad
to make payments to other accounts. They were convicted of participating in falsifying guaranteed pay-
ment cards137 and computer fraud.138 In another case,139 the German court considered whether
ATM skimming could be considered a form of data espionage, defined in the German Criminal Code,
section 202a (1), as obtaining, for themselves or another, unauthorized access by circumventing the
access protection of data that were not intended for them and were specially protected against unauthor-
ized access. The court found that the reading of the information of the payment card saved on the mag-
netic strip did not fulfil this requirement, since the data on the magnetic strip were not encrypted or
otherwise protected. The fact that some data were saved and transferred magnetically, electronically or
otherwise not immediately perceptibly was not to be regarded as “access protection”. The court came to
the same conclusion regarding the acquisition of PINs, stating that only the unauthorized use of the data
when using the card was protected, not the illicit access to the card via a reading device. Accordingly, the
court held that neither the acquisition of PINs nor the reading of data stored on the magnetic strip of cards
to produce cloned cards was a form of data espionage.

Public Prosecutor v. Law Aik Meng [2006] SGDC 243 (Singapore)

This case involved L.A.M., a national of Malaysia, who operated as a member of an organized syn-
dicate in West Malaysia. The syndicate’s objective was to skim data from genuine ATM cards in
order to manufacture cloned copies and use them to make fraudulent withdrawals. To accomplish
this, the syndicate installed skimming devices in ATMs, which would capture card information while
a pinhole camera concealed above the ATM monitor would record the victim keying in his or her
PIN. Data would then be transmitted wirelessly to a device used for encoding, storing and playing
digital video files that was concealed nearby. The cards created in this manner would subsequently
be used to withdraw cash throughout the ATM network of Singapore.

136 
UNODC, SHERLOC case law database, Germany, Case No. DEUx029, BGH, Beschluss vom 31.05.2012, 2 StR 74/12.
Available at https://sherloc.unodc.org/.
The German Criminal Code (Strafgesetzbuch), which covers counterfeiting of guaranteed payment cards and blank Eurocheques,
137 

defines “guaranteed payment cards” as credit cards, Eurocheque cards and other cards which oblige the issuer to make a guaranteed
payment by money transfer and which are specially protected against imitation by dint of their design or coding (sect. 152b (4)).
138 
Sect. 263a of the German Criminal Code (Computer fraud).
139 
UNODC, SHERLOC case law database, Germany, Case No. DEUx026, BGH, Beschluss vom 06.07.2010, 4 StR 555/09.
Available at https://sherloc.unodc.org/.

51
DIGEST OF CASES

Public Prosecutor v. Law Aik Meng [2006] SGDC 243 (Singapore) (continued)

L.A.M.’s role in the syndicate was to install the skimming devices in ATMs in Singapore. Once data
were captured, he was responsible for removing the skimming devices and transmitting the captured
data to West Malaysia. L.A.M. was also responsible for using cloned cards to make fraudulent with-
drawals. With L.A.M.’s help, the syndicate successfully withdrew 18,590 Singapore dollars from the
post office savings bank. This activity took place over a period of three months in 2006. Some 849 post
office savings bank accounts were compromised and a multinational development bank had to block
and replace each account. The assistant vice-president of compliance services of the development
bank called the police on 24 May 2006 to inform them of skimming devices that had been located.
A police investigation ensued, and L.A.M. was subsequently arrested in connection with the case and
taken to the commercial affairs department for further investigation. For his crimes, L.A.M. received
a sentence of 12 years’ imprisonment. No other conspirators were apprehended.

L.A.M.’s case was the first case of its kind in Singapore involving a criminal enterprise perpetrating
ATM fraud.

For more information about this case, see UNODC, SHERLOC case law database, Case No. SGPx013.a

a
Available at https://sherloc.unodc.org/.

Card-not-present fraud involves the illicit possession, procurement, use and/or distribution of debit and
credit card data. Examples of card-not-present fraud include e-skimming, whereby malware is injected on
a site that captures payment data, and carding, which involves the use of stolen credit card or debit card data
to obtain goods and/or services. In R. v. Nicholas Webber,140 a young male (between 17 and 18 years old)
pleaded guilty to conspiracy to defraud for creating a website (www.ghostmarket.net) dedicated to carding,
where debit and credit data were made available for purchase. In another case, known as Unlimited
Operations, a transnational organized criminal group conducted an international fraud operation by hacking
into global financial institutions networks to illegally obtain data on debit cards.141 The group then cloned
the cards, removed the withdrawal limits, and then distributed the cards to cashers to go to ATMs at a
coordinated date and time to withdraw money. The withdrawals occurred in over 20 countries. The banks
targeted in this scheme were in Oman and the United Arab Emirates.142

IKIZA RY’ URUBANZA RP/ECON 00002/2020/TGI/GSBO (Forkbombo) (Rwanda)

A notorious criminal group from Kenya (Forkbombo), operating in Rwanda, tried to manipulate
accounts at a Rwandan bank and steal millions of Rwanda francs.

In late 2019, the bank received information that an organized criminal group had relocated to
Rwanda in order to steal money from the bank using a method similar to the one used to steal
money from accounts in Kenya and Uganda. The bank informed the Rwanda Investigation Bureau,
which conducted an investigation and found that the group wanted to execute this scheme using the
bank customers’ ATM cards. To achieve their objective, the group approached a Rwandan citizen
outside of Rwanda who agreed to participate in the scheme. His number was given to one of the

140 
England and Wales Court of Appeal, R. v. Nicholas Webber [2011] EWCA Crim 3135; R. v. Nicholas Webber [2012] 2 Cr. App.
R. (S.) 41 (2011).
141 
United States of America v. Jael Mejia Collado et al.; United States of America v. Ercan Findikoglu; United States Attorney’s
Office, Eastern District of New York, “Leader of global cybercrime campaigns pleads guilty to computer intrusion and access device
fraud conspiracies”, 1 March 2016.
142 
United States Attorney’s Office, Eastern District of New York, “Eight members of New York cell of cybercrime organization
indicted in $45 million cybercrime campaign”, 9 May 2013.

52
 chapter V.   Types of cyber organized crime

group members so that he would be informed about the details of the scheme after arriving in
Rwanda. The Rwanda Information Bureau followed up on every contact between them after the
Rwandan citizen arrived in his home country and met the other members of the group. The group
members started implementing their plan of stealing the bank’s money by using an identification
application. The defendants were finally arrested at the Remera branch of the bank after trying to
steal money from 23 bank accounts.

The 22 defendants were each charged with unauthorized access to a computer or computer system
data, access to data with intent to commit an offence, unauthorized modification of computer or
computer system data, theft and forming or joining a criminal association. They were eventually
convicted of all counts. They were each sentenced to eight years’ imprisonment and ordered to pay
compensation to the bank.

For more information about this case, see UNODC, SHERLOC case law database, Case No.
RWAx001.a

a
Available at https://sherloc.unodc.org/.

(b) Phishing
Criminals impersonate legitimate organizations in email messages in order to trick targets of the crime into
trusting the content of the communications and following instructions that are designed to induce a target:
to unknowingly reveal personal and/or financial information; and/or to access malicious links and/or down-
load malware onto the target’s systems to enable the criminals to gain unauthorized access to the target’s
system, network and/or data. When this tactic targets a variety of users (and not a specific target), this crime
is commonly known as phishing.143
While the term “phishing” may not be directly used in many international, regional and national laws, it is
considered a crime. In National Association of Software and Services Companies (NASSCOM) v. Ajay
Sood,144 the High Court of Delhi held that, even though phishing was not specifically criminalized in law, it
was an illegal act under law (i.e., an Internet fraud) because it involved a misrepresentation made in the
course of trade leading to confusion as to the source and origin of the email causing immense harm not only
to the consumer but even to the person whose name, identity or password was misused.
Phishing is a cyber-enabled crime and has been used to facilitate several forms of cyber-enabled crimes, and
even cyber-dependent crimes (see the box below). Phishing schemes can be perpetrated by actors with or
without technical skills and abilities because the tools and know-how are readily available online (as part of
“crime as a service”).145 If the goal or one of goals of the phishing operation is to either take control of the
target’s system and/or steal information from the system, malware is used to infect the target’s device.146
For example, members of FIN7, an international cybercrime group, were charged with offences relating to
illicit acts against the confidentiality, integrity and availability of computer data and systems. The members
of the group used “spear phishing” (sending emails or other electronic forms of communication to a specific
individual, organization or business in order to steal data for malicious purposes or to install malware on the
target’s computer system) and social engineering tactics to trick targets into opening a malicious email with

143 
See also UNODC Teaching Modules, Cybercrime, Module 2: general types of cybercrime, “Computer-related offences”.
Available at sherloc.unodc.org/cld/en/education/tertiary/cybercrime/module-2/index.html.
144 
National Association of Software and Services Companies (NASSCOM) v. Ajay Sood & Others, 119 (2005) DLT 596, 2005 (30)
PTC 437 Del, Judgment, 23 March 2005.
145 
Europol, Internet Organised Crime Threat Assessment 2020, p. 15 and 17.
146 
See, for example, UNODC, SHERLOC case law database, Germany, Case No. DEUx032, LG Bonn, Urteil vom 07.07.2009,
7 KLs 01/09 (phishing Trojans used). Available at https://sherloc.unodc.org/; United States, District Court, Western District of
Washington at Seattle, United States of America v. Fedir Oleksiyovych Hladyr, Case No. CRl7-276RSL, Superseding Indictment,
25 January 2018; United States of America v. Fedir Oleksiyovych Hladyr, Case No. CR17-276RSM, Plea Agreement, 11 September
2019). (Carbanak malware); and United States of America v. Bogdan Nicolescu, Tiberiu Danet and Radu Miclaus (Bayrob Trojan).

53
DIGEST OF CASES

an attachment that contained malware (Carbanak malware) designed to steal customers’ financial data.147
Three FIN7 members (F.O.H., A.K. and D.I.) were extradited from Germany, Spain and Thailand, respec-
tively, to the United States. Two members of the group (A.K. and F.O.H.) pleaded guilty to conspiracy to
commit wire fraud and conspiracy to commit computer hacking and received sentences of 7 years and
10 years of imprisonment, respectively.148 [[TPU: pls renumber remaining footnotes in running text accord-
ingly]]The other defendant (D.I.) was sentenced to five years’ imprisonment.149 Another member of the
group (D.F.) was arrested in Poland; his extradition to the United States is still pending.

Juzgado En Lo Correccional Nº 1 – San Isidro, Case No. SI-3862-2021

(Argentina)
In Argentina, members of a criminal group, including the defendant J.I.S., committed fraud by mas-
querading as employees of a private bank. Using a well-known social media platform, the group
members sent a message to the victim informing her that if she wanted to receive advice from the
financial institution, she should provide her cell phone number and her area code. She subse-
quently received calls from two phone numbers via a well-known instant messaging service from
someone in the Province of Córdoba who was pretending to be an employee of the bank in question
(that person has not yet been identified). The person who called the victim tricked her into providing
her banking details and her security token. The victim’s information was then used to obtain a loan
in the amount of Arg$ 189,448. The money from the loan, together with the money contained in the
victim’s account, a total of Arg$229,000, was later transferred to an account in the defendant’s
name. The money was then transferred to another account of the defendant and an account of N.S.
The defendant and N.S., in turn, transferred the money to others (M.S., G.A.P. and M.E.P.).

The defendant was charged with and convicted of committing fraud through the unauthorized use
of data and received a sentence of one year and six months of imprisonment. As the defendant had
previously been sentenced, the court ordered a single sentence of three years and nine months of
imprisonment, combining both sentences.

For more information about this case, see UNODC, SHERLOC case law database, Case No. ARGx016.a
a
Available at https://sherloc.unodc.org/.

Fiscalía Metropolitana Sur, Chile, Rol Único de Causa No. 1700623543-3

(Zares de la Web) (Chile)
Between February 2014 and October 2018, clients of two banks and other financial institutions, as
well as the banks themselves, were victims of successive cases of fraud (81 victims of fraud, includ-
ing individuals and small businesses, were identified). Funds from various bank accounts were
being transferred to accounts of recipients who were part of a criminal organization.

147 
United States of America, Fedir Oleksiyovych Hladyr, Case No. CRl7-276RSL, Superseding Indictment; United States of
America v. Fedir Oleksiyovych Hladyr, Case No. CR17-276RSM, Plea Agreement; see also court documents, United States Attorney’s
Office, Western District of Washington, United States of America v. Fedir Oleksiyovych Hladyr, United States of America v. Dmytro
Valerievich Fedorov, United States of America v. Andrii Kolpakov, United States of America v. Denys Iarmak.
148 
United States District Court, Western District of Washington at Seattle, United States of America v. Andrii Kolpakov,
Case No. 18-CR-159RSM, Plea Agreement, 16 November 2020; United States of America v. Fedir Oleksiyovich Hladyr, Case No.
17-CR-276RSM, 11 September 2019; U.S. Department of Justice, Office of Public Affairs, Member of Hacking Group Sentenced for
Scheme that Compromised Tens of Millions of Debit and Credit Cards (April 7, 2022).
149 
United States Attorney’s Office, Western District of Washington, United States of America v. Fedir Oleksiyovych Hladyr,
United States of America v. Dmytro Valerievich Fedorov, United States of America v. Andrii Kolpakov, United States of America v.
Denys Iarmak; United States Department of Justice, Office of Public Affairs, Member of Hacking Group Sentenced for Scheme that
Compromised Tens of Millions of Debit and Credit Cards (April 7, 2022).

54
 chapter V.   Types of cyber organized crime

The criminal group’s modus operandi consisted of the use of computer tools to deceive bank
account holders and steal their passwords and security codes. The criminal group obtained the
customer’s banking information from databases on the deep web and later sent them cloned
emails and fake links to web pages of their banks to obtain their passwords. By accessing the mali-
cious links, the customers were involuntarily delivering their passwords to the false banking plat-
form (i.e., on a fraudulent website). Members of the organized criminal group also impersonated
bank executives while making telephone calls to obtain security codes from customers or posed as
customer representatives to request a “coordinate card” to the bank (a security mechanism facili-
tated by the banks to approve transactions). “Chip spoofing” (or “SIM card hijacking”) was also
among the techniques used to obtain additional security keys. Once the coordinate card or the
security device were materially obtained, the criminals had access to the security keys of the cli-
ents. With all of this information, they were able to access the accounts without authorization and
transfer funds to previously recruited third parties. Participation in an organized criminal group
was established given the systematic way in which they repeatedly committed fraud.

This criminal group operated in an organized manner within a hierarchical structure and with spe-
cific roles for each member. The hierarchical structure of the group was as follows: the group had
two leaders (M.A.M. and D.Z.C.), who were in charge of organizing the illicit activity aimed at obtain-
ing money from bank accounts and obtaining security codes and access to online (or virtual)
accounts. This role implied general planning and distribution of tasks, which were followed by the
other members, who made their personal contributions to the common goal. The leaders were in
charge of granting and implementing the means of obtaining passwords (computer viruses, use of
databases on the deep web, etc.) to seize bank information and make successive fraudulent elec-
tronic transfers. The leaders issued direct instructions, received reports, managed the money
obtained and distributed the proceeds of the crime among the different members of the organiza-
tion. The defendant, M.A.M., served as administrator, an essential role in the survival of the organ-
ization and the continuity of criminal operations. Other members of the groups were responsible
for security and recruitment. These individuals were part of the permanent operational arms of the
organization, receiving direct instructions from the leaders. They were responsible for providing
security to the members of the organization, ensuring that the “recipients” actually delivered the
money to the organization. They directly supervised the transfer of money and the “recruiters of
recipients”. The role of the recruiters of recipients was to find account holders who, in exchange for
a commission, were willing to receive the money illegally obtained in their bank accounts. The
recipients provided the organization their bank accounts, obtained the transferred money and
delivered the licit funds to the recruiters and the leaders.

The defendant was sentenced to one year in prison for the crime of criminal association,a two years’
imprisonment for the crime of reiterated fraudb and two years’ imprisonment for money-laundering.c

For more information about this case, see UNODC, SHERLOC case law database, Case No. CHLx007.d

a
Article 293 in relation to article 467 of the Penal Code of Chile.
b
Article 467, final paragraph, of the Criminal Code in relation to article 351 of the Criminal Procedure Code.
c
Chile, Law No. 19,913 on the Establishment of the Financial Analysis Unit and Amendment of Several Provisions on
Money-Laundering (2003), art. 27.
d
Available at https://sherloc.unodc.org/.

When phishing is used against specific targets, it is known as spear phishing.150 The Bayrob group perpe-
trated this type of fraud by pretending to be legitimate organizations, such as a well-known company offer-
ing protection against computer viruses and a well-known money transfer service, and sending to targets
emails with infected attachments. When individuals who received the emails clicked on the attachment,

150
See also UNODC Teaching Modules, Cybercrime, Module 2: general types of cybercrime, “Computer-related offences”.
Available at sherloc.unodc.org/cld/en/education/tertiary/cybercrime/module-2/index.html. 

55
DIGEST OF CASES

malware was installed on their computers. This malware would harvest data and make the infected comput-
ers part of a botnet.151 Data harvested from the infected systems (account access data, financial data and
passwords) were also sold on the darknet.152
When such emails are used to target companies that have suppliers abroad and conduct wire transfers
abroad, the tactic is known as business email compromise because the perpetrators pretend to be a known
company that the target conducts business with. The emails sent making the requests are often spoofed
emails (which are considered slight variations of the legitimate emails of known companies and personnel
within those companies) and/or hacked email accounts of actual company personnel. “Operation Wire
Wire”, led by authorities in the United States, revealed that a criminal group had been masquerading as a
legitimate entity that its targets (other companies) had worked with in some capacity in order to trick the
targets into wiring money to the criminal group and/or its associates.153 The proceeds of this fraud were
laundered with the help of “money mules”, who had opened various shell company bank accounts to laun-
der the proceeds of this crime.

United States of America v. Obinwanne Okeke, Case No. 4:19-mj-00116

(E.D. Virginia, 2 August 2019)

Example of a business email compromise scam

A chief financial officer of a company received an email message that purportedly contained a
weblink to the login page of a well-known software company.a The victim, having an email account
with this host, trusted the link and viewed it as legitimate. He clicked on the link and the page that
appeared resembled the login page of the software company. For this reason, the chief financial
officer inserted his login credentials, which unbeknown to him, were captured by criminals, who
then used this information to access his account.b His email account was then used to send fraud-
ulent emails requesting wire transfers from other members of the company’s financial team.
Moreover, having observed company policy and the internal practice of forwarding emails from
vendors, the perpetrator forwarded a fictitious email message he had created to make it look
as if a vendor were sending an invoice.c Ultimately, this fraudulent scheme resulted in approxi-
mately US$ 11 million of wire transfers being sent to the perpetrator of this crimed and other
conspirators.

For more information about this case, see UNODC, SHERLOC case law database, Case No. USAx213.e
a
United States District Court, Eastern District of Virginia, United States of America v. Obinwanne Okeke, Case No. 4:19-mj-
116-1, 2 August 2019.
b
Affidavit in support of criminal complaint and arrest warrant (Obinwanne Okeke), 2 August 2019.
c
Ibid.
d
The defendant pleaded guilty to conspiracy to commit wire fraud (United States Attorney’s Office, Eastern District of
Virginia, “Nigerian businessman pleads guilty to $11 million fraud scheme”, press release, 18 June 2020.
e
Available at https://sherloc.unodc.org/.

When higher-level executives in an organization are the targets of spear phishing, the tactic is referred to as
“whaling” because the perpetrators targeting those individuals are seeking the highest payout possible.
In the Europol report Internet Organised Crime Threat Assessment 2020, the term “CEO fraud” was used
instead of “whaling”.154

United States of America v. Bogdan Nicolescu, Tiberiu Danet, and Radu Miclaus, pp. 7–9.
151 

Ibid.
152 

153 
United States District Court, District of Connecticut, United States of America v. Adeyemi Odufuye and Stanley Hugochukwu
Nwoke, Case No. 3:16R232 (JCH), Indictment, 20 December 2016 (Operation Wire case).
154 
Europol, Internet Organised Crime Threat Assessment 2020, p. 47.

56
 chapter V.   Types of cyber organized crime

Phishing is more likely to be mentioned in court documents than terms such as spear phishing, business
email compromise scam, “CEO fraud” and “whaling”. The term “whaling” is not commonly found in court
documents because it could be considered as a form of business email compromise if the targets are
higher-level executives, such as the chief executive officer or the chief financial officer.

(c) Advance fee fraud scam

An advance fee fraud scam involves a request for a target to pay money in advance of receiving something
of greater value.155 When the money is obtained by the criminal, nothing is provided to the target in return.
The criminals perpetrating this scam alternate the stories they use and the people (e.g., a friend, an acquaint-
ance, a colleague or a stranger), agencies or organizations (e.g., banks, governments agencies or non-gov-
ernmental agencies) that they pretend to be. The stories commonly used include the one about a government
official seeking to transfer money out of a country and needing the assistance of the target and inheritance
from a long-lost relative that requires a fee in order for the target to receive it. In the Federal Republic of
Nigeria v. Harrison Odiawa,156 the perpetrators pretended to be a representative from an agency of the
Government of Nigeria and offered to transfer money to the target’s company accounts and procure govern-
ment contracts for the target’s company. The advance fee fraud scam is locally known in Nigeria as
“yahoo-yahoo”, and perpetrators of this crime from that country and other countries in West Africa are
known as “Yahoo boys” (although women also engage in this crime).157 The ultimate goal of the advanced
fee fraud scam is to get the target to transfer and/or otherwise provide money to the perpetrators.

(d) Romance scam

The perpetrators of romance scams (or “catfishing”) prey on peoples’ emotions and need for companion-
ship.158 These scams often involve perpetrators opening up fake profiles on dating sites and social media
platforms and/or using chat rooms and other forums and websites to identify targets. The perpetrators of
this cybercrime use manipulation tactics to build rapport with the targets and gain their trust.159 During these
scams, the perpetrator quickly professes to have fallen in love with the target and continuously showers the
target with affection, either through declarations of love or other overt acts (such as writing love letters,
poems and songs) or by sending small gifts. After the perpetrator establishes rapport and builds up trust
with the target, the perpetrator tries to get the target to provide money or goods or some form of service.
One story commonly used in a romance scam is that the perpetrator has experienced an emergency situation
that requires the victim to send money (e.g. unexpected hospitalization or some other health-related emer-
gency). The perpetrator may also request funds to be used to travel, to help in the payment of unpaid bills,
to purchase items or to buy or rent a house or an apartment, etc. Or the perpetrator may request funds for
marriage or for a wedding engagement. If the victim gives the perpetrator money, the victim may not hear
from the perpetrator again or may receive future requests for money. In one case in France, an organized
criminal group identified their potential victims on dating sites, taking advantage of the victims’ loneliness
and credulity. The offenders developed fake relationships with their victims.160 Once they gained a victim’s
trust, they asked the victim for help, including money, to resolve a situation. In one case, the request was for
assistance in getting a suitcase of money out of another country.161 After receiving the money, offenders
usually disappeared and did not contact their victims again. In another case, the modus operandi of the scam
was somewhat different: the cybercriminals met with their victims in person in an attempt to get more
money from them (thereby committing a romance scam both online and in person).

155 
Maras, Cybercriminology.
156 
UNODC, SHERLOC Case law database, Case No. NGAx001. Available at https://sherloc.unodc.org/.
157 
UNODC, Nigeria, “West Africa takes lead in fighting 419 scams”. Available at www.unodc.org/; and Lily Hay Newman,
“Nigerian email scammers are more effective than ever”, Wired, 3 May 2018.
Monica T. Whitty and Tom Buchanan, “The online dating romance scam: the psychological impact on victims – both financial
158 

and non-financial”, Criminology and Criminal Justice, vol. 16, No. 2 (April 2016), pp. 176–194; Tom Buchanan and Monica T. Whitty,
“The online dating romance scam: causes and consequences of victimhood”, Psychology, Crime & Law, vol. 20, No. 3 (March 2013),
pp. 261–283.
159 
Maras, Cybercriminology, p. 244.
160 
France, Tribunal de grande instance de La Roche-sur-Yon, 24 septembre 2007
161 
Ibid.

57
DIGEST OF CASES

Republic v. Mohammed Libabatu, Charles Mensah & Nurudeen Alhassan (2016)

(Ghana)
M.L., C.M. and S.G., members of a criminal group, acted together to defraud the complainant
J.K., an Australian national living in New South Wales. The members of the criminal group made
initial contact with J.K. online, through a matchmaking website; each of the three members pre-
tended to be a German citizen who supposedly lived in Australia and worked from Ghana.
Subsequently, they continued to contact her by email and by phone. Through various elaborate
schemes and false representations, the members of the criminal group convinced the victim to
pay various sums of money using bank transfers, a well-known international money transfer
service and other means of money transfer. The defendants kept contact with the victim between
December 2011 and September 2014 and defrauded her of a total sum of 448,027.18 Australian
dollars.

In December 2011, the complainant was first contacted on a dating website by a person who
introduced himself as “Steve Gauman”, a German living in Australia. He asked the complainant
to meet in Perth; however, just before the meeting, he told the complainant that he had to go
abroad to work. In January 2012, while the complainant was in Melbourne, “Gauman” (C.M.)
called the victim and affirmed that he was in Ghana, staying at a hotel near the port of Accra,
waiting for his shipping containers to arrive. He also told the complainant that his Australian
bank accounts had been frozen, that he only had bank cheques with him and that the hotel would
only accept cash. He pleaded to the complainant to help him financially. The complainant agreed
and made two money transfers, $A 2,000.00 and $169,597.82. Towards the end of January 2012,
“Gauman” introduced M.L. to the victim through a telephone conversation, presenting him as an
employee assigned to assist him in unloading his shipping containers and finalizing the consign-
ment with his customers. He also told the complainant that he had been detained in the United
Kingdom by customs authorities for carrying gold in his bags without authorized documentation.
During the period from January 2012 to March 2013, C.M. requested the complainant to send
money to M.L. M.L. received the sum of $A 211,346.53 through his bank account and international
money transfers. Between March 2013 and June 2014, the complainant sent $A 67,082.83 to S.G.
Between June 2014 and September 2014, the complainant was instructed to transfer more
money to S.G. to obtain court documents for the release of “Gauman” from detention in the
United Kingdom. The complainant said that she transferred all the funds to the defendant under
the false belief that “Steve Gauman” was a German citizen with an Australian residence and that
she was helping him to return to Perth, after which he would repay her. The defendants were
operating from Ghana and defrauding the complainant in Australia. Thus, the crime took place
across international borders and involved the receipt of funds via international bank transfers
and international money transfer companies. According to the prosecution, the remittances were
sent via international money transfers and bank transfers. There was documentary and elec-
tronic evidence of the funds sent, including emails, bank records and the records of wire
transfers.

M.L., C.M. and S.G. were charged and found guilty of: conspiracy to defraud in violation of sections
23(1) and 131(1) of the Criminal Offences Act of 1960 and section 123 of the Electronic Transactions
Act of 2008; defrauding by false pretences under section 131(1) of the Criminal Offences Act of 2006
and section 123 of the Electronic Transactions Act of 2008; and money-laundering in violation of
section 1(1) of the Anti-Money Laundering (Amendment) Act 2014. M.L. was sentenced to four
years’ imprisonment.

For more information about this case, see UNODC, SHERLOC case law database, Case No. GHAx001.a

a
Available at https://sherloc.unodc.org/.

58
 chapter V.   Types of cyber organized crime

The purpose of the romance scam is to lure a target into a relationship (albeit a fake one, unbeknown to the
target). A perpetrator can feign having a background and experiences similar to those of the target. This infor-
mation is often available online in the target’s dating profiles, social media accounts and on other sites that
include information about the target. The perpetrator uses a fake image, often an attractive image from a web-
site, platform or app obtained without authorization, that is resonant with his or her target. The type of profile
encountered depends on who the target is. For example, some perpetrators who target retirees create profiles
of individuals who are of a similar age, are in retirement and/or have recently been widowed. The fake profiles
created by perpetrators often include employment that would justify significant absences in communication
with the target and or the ability to travel. For instance, fake profiles on dating websites have been set up by
people pretending to be military personnel. In one romance scam, which targeted women over 50 years old on
online dating sites, the perpetrators pretended to be male members of the United States military.162 Perpetrators
create bank accounts in different names in order to receive money sent from their targets and/or to obtain
money orders from targets that are then dispersed to other conspirators in the perpetrators’ country.163
These scammers can manipulate targets into wittingly or unwittingly aiding and abetting crimes. Thus, their
targets may wittingly or unwittingly engage in money-laundering, deliver controlled drugs and/or other illegal
goods and scam other individuals out of money or goods.164 These individuals are known as “mules”. Mules
may be motivated by fear, love or the prospects of financial compensation to wittingly commit an illicit activ-
ity.165 Mules play a primary role in many crimes and cybercrimes, such as money-laundering and various
online frauds. Money mules may be wittingly recruited and/or solicited online in order to engage in mon-
ey-laundering for criminals by opening up a bank account and receiving money from others, which is then
forwarded to the criminals in various ways (through wire transfers, by purchasing prepaid cards and mailing
those cards, through online payment platforms, etc.). Other money mules may be duped into opening up bank
accounts to receive or transfer funds from a criminal masquerading as a romantic interest for what they believe
to be a legitimate purpose; or the money mules may be duped into utilizing their own bank account to receive
and transfer the funds from a criminal pretending to be a romantic interest (or legitimate employer).

United States of America v. Oladimeji Seun Ayelotan, Femi Alexander Mewase,

and Rasaq Aderoju Raheem, Case No. 17-60397 (5th Circuit, 4 March 2019)
(United States of America)
An organized criminal group stole the personal and financial information of targets and impersonated
the victims whose information they had stolen to obtain money and transfer funds from the victims’
bank accounts. The defendants and other conspirators then conducted romance scams with the aim
of convincing the targets of the scams to launder the proceeds of their crimes (e.g. by serving as
money mules) and engage in financial fraud, such as the purchasing of goods with stolen credit cards
and the cashing of counterfeit cheques and money orders.a The defendants (O.S.A., R.A.R. and F.A.M.)
were convicted of multiple criminal charges, including conspiracy to commit bank fraud, wire fraud,
mail fraud, identity theft and money-laundering (with the exception of F.A.M.).b O.S.A. received a sen-
tence of 95 years’ imprisonment and R.A.R. received a sentence of 115 years’ imprisonment.c

For more information about this case, see UNODC, SHERLOC case law database, Case No. USA005R.d
a
United States of America v. Oladimeji Seun Ayelotan, Femi Alexander Mewase and Rasaq Aderoju Raheem, Case No. 17-60397.
b
Ibid.
c
United States, Department of Justice, Office of Public Affairs, “Three Nigerians sentenced in international cyber financial
fraud scheme”, press release, 25 May 2017.
d
Available at https://sherloc.unodc.org/.

162 
United States Attorney’s Office, Eastern District of Kentucky, “Nigerian national pleads guilty in romance fraud and grant fraud
scheme”, press release, 24 August 2020.
163 
Ibid.
164 
Maras, Cybercriminology.
165 
Better Business Bureau, “Fall in love: go to jail – BBB report on how some romance fraud victims become money mules”
(February 2019).

59
DIGEST OF CASES

(e) Other fraud-related scams

Various online scams have been perpetrated worldwide to steal the targets’ personal information, financial
data, health (or medical) data and money. Criminals who commit this type of fraud seek to manipulate, dupe
or trick individuals into providing information or money or engaging in desired acts. Online scams can be
perpetrated via unsolicited email messages, telephone calls, text messages, social media platforms, applica-
tions and websites. Examples of online scams are work-related scams, lottery scams, auction fraud, online
sales scams and subscription traps.
Work-related scams include the advertisement of and recruitment for job opportunities that can be a front for
illegal activities and operations. Illegal activities that masquerade as jobs can include working for an employer
that requires the employee: to receive and ship merchandise from home; to receive and transfer funds from
personal bank accounts to other bank accounts; to receive and cash fraudulent cheques; to receive funds from
various sources, buy goods or prepaid credit cards with this money and then mail those items to others; and/or
to receive funds from various sources and then transfer this money to others using online payment services,
money orders, cryptocurrencies and/or other digital currencies.166 Job-related scams may also include adver-
tisement for work opportunities that do not exist. For example, in India, in the State of Maharashtra v. Opara
Chilezien Joseph, the defendants were charged with and convicted for their respective roles in sending fraud-
ulent email and SMS messages to targets about getting a job in England.167 The purpose of this scam was to
convince the targets to send money for a purported (albeit fictitious) fee associated with the job. In this case,
the defendants also perpetrated lottery scams, whereby the defendants solicited funds from the targets by
claiming that they had won a lottery or prize for which fees must be paid to collect the winnings.
Another online scam is auction fraud. Auction fraud occurs when the seller of an item that is being auc-
tioned deceives buyers in order to defraud them.168 In France, a member of an organized criminal group was
sentenced to six years of imprisonment for his role in engaging in online auction fraud.169 The group
recruited people to retrieve the money from the fraudulent online sales at various post offices using forged
identity documents (i.e., passports). The individuals who were recruited to retrieve the money were paid for
their services, as well as travel and subsistence expenses. Auction fraud may also include the non-delivery
of items after payment has been rendered and the delivery of items not as advertised and/or of lower quality
than what was advertised. This type of fraud may involve sellers purposely driving up bids by bidding on
their own items multiple times using different accounts (a form of shill bidding).

United States of America v. Bogdan Nicolescu, Tiberiu Danet, and Radu Miclaus,
Case No. 1:16-CR-00224 (N.D. Ohio, 8 July 2016) (Bayrob Group) (United States
of America)
An organized criminal group perpetrated several cybercrimes, one of which was online auction fraud.
The fraud was perpetrated by members of the group by posting hundreds or thousands of listings for
automobiles, motorcycles and other high-priced goods on online auction sites.a The images of the
items being sold that were included in the postings were infected with their malware (the Bayrob
Trojan).b When individuals clicked on the images of the items, their devices were infected with the
malware, which had been designed to redirect the individuals to web pages that looked identical to the
legitimate web pages of the auction sites. For example, their fake web pages included the trademark
of a well-known online auction site and had a similar layout, design and style of the legitimate web
pages of that auction site. The fake web pages, however, prompted users to pay for the auctioned
items using something called an “eBay escrow agent”, which did not exist on the legitimate platform
of the auction site.c This purported service claimed to hold the money of the buyer in escrow until the
item was received and the buyer was satisfied with the condition of the item delivered before the

166 
Maras, Computer Forensics, p. 149.
167 
India, State of Maharashtra v. Opara Chilezien Joseph, Regular Criminal Case No. 724/2012, 28 October 2013.
168 
For more information on online auction frauds, see Maras, Computer Forensics, pp. 113–115 and 143.
169 
France, Cour de cassation, Chambre criminelle, No.11-84.437, 21 March 2012.

60
 chapter V.   Types of cyber organized crime

buyer’s funds were released to the seller. The web pages also included a live chat function that ena-
bled the unknowing users to speak with members of the group posing as customer service agents of
the online auction site.d The victims of this online auction fraud never received the items they had paid
for and never received a refund for the money they had paid for the non-delivered items.e

One of the defendants (T.D.) pleaded guilty to aggravated identity theft, wire fraud and conspiracy
offences relating to wire fraud and money-laundering and received a sentence of 10 years of impris-
onment for his crimes.f B.N. and R.M. were charged with, convicted and sentenced to 20 and 18 years
of imprisonment, respectively, for aggravated identity theft, wire fraud and conspiracy offences relat-
ing to wire fraud and money-laundering, as well as conspiracy to traffic in counterfeit service marks.g

For more information on this case, see UNODC, SHERLOC case law database, Case No. USAx170.h

a
United States of America v. Bogdan Nicolescu, Tiberiu Danet and Radu Miclaus, p. 8.
b
Ibid.
c
Ibid.
d
Ibid.
e
Ibid.
f
United States Attorney’s Office, Northern District of Ohio, “Multiple victim case update: United States v. Nicolescu et al.”,
16 January 2020; United States, Federal Bureau of Investigation, “Romanian hackers sentenced”.
g
Ibid.; and United States, Department of Justice, Office of Public Affairs, “Two Romanian cybercriminals convicted of all
21 counts relating to infecting over 400,000 victim computers with malware and stealing millions of dollars”, 11 April 2019.
h
Available at https://sherloc.unodc.org/.

Another example of an online scam is online sales fraud. This type of fraud involves the online purchasing
– from websites that may be designed to look similar to known and/or popular commercial websites – of
goods: that do not exist, that are never delivered, that are counterfeit but advertised as authentic or that are
damaged, of lower quality or otherwise not as advertised.170 In Germany, a defendant operated more than
20 online shops, mostly offering coffee machines or other kitchen items.171 The websites were modelled
after popular e-commerce websites, including the website of a well-known multinational online sales enter-
prise. Customers had to pay in advance and received an automated order confirmation. Payment agents then
transferred the money received to the defendant. The products were never sent to the customers. The fraud-
ulent operation took place mostly in Spain and, to a lesser extent, in the Netherlands. The defendant pleaded
guilty and received a sentence of five years and five months of imprisonment.
A further example of an online scam is a “subscription trap”, where websites offer for a fee services that are
offered free of charge on other websites; such services may include access to databases of publicly available
information, love and sex tests and the use of software that is available elsewhere at no cost (freeware).
A case in Germany revealed that a group included “subscription traps” on various websites.172 On the
group’s website, the registration pages were designed so that individuals signing up for the services on the
site would not notice that there was a fee associated with the use of the services. The information about the
cost associated with the use of the services was located at the bottom of the login page and was not visible
to users with average-sized monitors unless they scrolled down to the end of the page. Individuals could
complete their registration without needing to scroll down to the end of the page, where the cost was indi-
cated. Once the individuals registered on the page, they received an email confirming the contract and
ordering them to pay €60 or €84 (depending on the type of service they had signed up for). If they did not
pay, the lawyer of the group (one of the defendants) sent payment and collection notices to the individuals
who had registered for the service. The defendants were charged with and convicted of numerous crimes,
including fraud (see the discussion of copyright infringement in chapter V, section B.4, below).173

170 
For more information, see Maras, Computer Forensics, p. 115.
171 
UNODC, SHERLOC case law database, Case No. DEUx030, LG München, Urteil vom 07.06.2017, 19 KLs 30 Js 18/15.
Available at https://sherloc.unodc.org/.
172 
UNODC, SHERLOC case law database, Case No. DEUx031, LG Hamburg, Urteil vom 21.03.2012, 608 KLs 8/11. Available
at https://sherloc.unodc.org/.
173 
Section 263 (Fraud) of the German Criminal Code (Strafgesetzbuch). For further information about these crimes, see UNODC,
SHERLOC case law database, Case No. DEUx031.

61
DIGEST OF CASES

2. Computer-related identity offences

Identity-related crime refers to acts whereby the identity of a target is unlawfully assumed and/or misappro-
priated and/or this identity and/or any information associated with it is used for unlawful purposes.174
Identity-related information is considered a commodity online. Identity-related information, such as per-
sonal, medical and financial data, is bought, sold and traded online for a fee on the clearnet and the darknet.
The type of identity-related information that is sought by criminals includes identification numbers
(e.g., social security numbers), passport information, national identification information, driving licence
information, medical insurance data, financial account information, credit card data, debit card data, online
credentials (i.e., account information and passwords), email addresses, telephone numbers, IP addresses
and media access control addresses.175

Poder Judicial de Córdoba – “Emiliozzi, Arturo Osvaildo y otros PSSAA Estafa,

etc.” – Expediente SAC No. 2654377 (Argentina)
Between July 2015 and February 2017, five defendants (V.I.S., A.O.E., S.G.M., D.M.M.R. and M.J.F.),
together with other unidentified persons, were accused of forming and maintaining an organized
criminal group for the purpose of committing fraud. The group allegedly started an illegal business
oriented to the commercialization of agricultural products, mainly agrochemicals and rural
machinery, fraudulently acquired and sold to third parties in different areas in Argentina.
The group allegedly had a clear division of roles and tasks for members. Of the five defendants, V.I.S.,
A.O.E. and S.G.M. had leadership roles and were responsible for organizing the activities of the group,
whereas D.M.M.R. and M.J.F. executed assigned tasks. V.I.S. was in charge of (through third parties)
obtaining the information related to different credit card holders for the purchase of agricultural prod-
ucts and contacting different businesses by telephone or by email. He committed fraud by using the
identity of the credit card holders and/or their agents and deceiving merchants and convincing them
to sell him agricultural products. He was also responsible for hiring drivers to transport the acquired
products. A.O.E. and S.G.M. were in charge of organizing the trafficking in fraudulently obtained prod-
ucts, including the receipt, storage, distribution and redistribution of the products. They also adminis-
tered and divided the profits that corresponded to each member of the gang and recruited new
members. Two of the new members recruited were D.M.M.R. and M.J.F., who were responsible for
arranging spaces for the sale of the products. D.M.M.R. received and stored the agrochemicals in
rural areas in the Province of Buenos Aires, while M.J.F. provided the legal facade for this fraud
through his commercial farm, Agrocampo, which sold agricultural products in the Province of Córdoba.
The defendants were charged with and convicted for their crimes. Specifically, V.I.S. was found
guilty of frauda and sentenced to four years and six months of imprisonment and ordered to cover
procedural costs.b S.G.M. was initially sentenced to five years and six months of imprisonment and
ordered to pay a fine of 400 Argentine pesos and procedural costs; his sentence was subsequently
reduced to three years’ imprisonment, and he was ultimately ordered to pay a fine of $Arg 200 and
procedural costs. A.O.E. was found guilty of fraud through the use of a false private documents, was
sentenced to two years of imprisonment and was ordered to pay procedural costs. S.G.M. and A.O.E.
were also found criminally responsible for the crime of illicit association, as co-organizersc of the
fraud committed by means of illegitimate use of stolen credit card data.d
For more information about this case, see UNODC, SHERLOC case law database, Case No. ARGx013.e

a
Art. 172 of the Penal Code of Argentina.
b
Arts. 12, 40, 41, 50 and 58 of the Penal Code and arts. 550–551 of the Penal Procedure Code of Argentina.
c
Arts. 45 and 210 of the Penal Code.
d
Arts. 45, 55 and 173 (15) of the Penal Code.
e
Available at https://sherloc.unodc.org/.

See also UNODC Educational Modules, Cybercrime, Module 2: general types of cybercrime, “Computer-related offences”.
174 

UNODC, Handbook on Identity-related Crime (Vienna, 2011), pp. 12–15.

175 

62
 chapter V.   Types of cyber organized crime

United States of America v. Conor Freeman, Case No. 2:19-CR-20246

(E.D. Michigan, 18 April 2019) (“The Community”) (United States of America)
The Community was a cyber organized criminal group comprised of loosely affiliated individuals
who met online.a The group utilized online discussion forums and unencrypted and encrypted com-
munications platforms to engage in activities ranging from planning to selecting targets and exe-
cuting cybercrimes.b The group was dedicated to online identity theft. A subset of the Community
focused on the theft of cryptocurrencies such as bitcoin.c Six members of the Community, the
defendants in this case, were part of this subset.d A tactic used by these members to illicitly obtain
cryptocurrencies was SIM hijacking (also known as SIM card hijacking or SIM swapping).
SIM hijacking involves the unauthorized transfer and association of a target’s mobile phone or
smartphone number to a SIM card controlled by a third party.e This tactic enables a third party to
receive phone calls and messages intended for the target and ultimately, to access the target’s
online accounts.f Members of the Community were able to successfully engage in SIM hijacking by
using social engineering tactics (for information about this tactic, see chap. V, sect. A.3) and/or
bribing mobile phone and smartphone providers.g The ultimate purpose of SIM hijacking was
to gain access to the target’s cryptocurrency wallets and/or cryptocurrency exchange accounts.
The criminal proceeds obtained from this cybercrime were split among members.

Four of the defendants (G.E., R.H., C.J. and R.G.A.) pleaded guilty to conspiracy to commit wire
fraud and were sentenced for their crimes:

(a) G.E. was sentenced to 10 months’ imprisonment and ordered to pay US$ 121,549.37 in
restitution;
(b) R.H. was sentenced to 48 months’ imprisonment and ordered to pay US$ 7,681,570.03;
(c) C.J. was sentenced to 42 months’ imprisonment and ordered to pay US$ 9,517,129.29;
(d) R.G.A. was sentenced to 24 months’ imprisonment and ordered to pay US$ 310,791.90.

The defendants were also required to forfeit cryptocurrencies such as bitcoin.h

The other two defendants also pleaded guilty for their roles in the SIM hijacking and were sen-
tenced for their crimes and ordered to pay restitution.i R.S. was sentenced to probation in the United
States. C.F. pleaded guilty to knowingly engaging in the possession of the proceeds of crime
(i.e., cryptocurrencies) and was sentenced to two years and 11 months of imprisonment in Ireland.j
Following C.F.’s sentencing, the United States withdrew its extradition request for C.F.

For more information on these cases, see UNODC, SHERLOC case law database, Case No. USAx238.k

a
United States District Court, Eastern District of Michigan, United States of America v. Conor Freeman, Ricky Handschumacher,
Colton Juridic, Reyad Gafar Abbas, Garrett Endicott, and Ryan Stevenson, Case No. 2:19-CR-20246, Indictment, 18 April 2019, p. 2.
b
Ibid., p. 2.
c
Ibid., p. 1.
d
Ibid., p. 3.
e
Ibid., p. 2
f
Ibid., p. 3.
g
Ibid.
h
United States District Court, Eastern District of Michigan, United States of America v. Garrett Endicott, Case No. 2:19-CR-
20246-DPH-APP, Plea Agreement, 18 November 2019, pp. 1 and 7; and United States District Court, Eastern District of Michigan,
United States of America v. Ricky Handschumacher, Case No. 2:19-CR-20246-DPH-APP, Plea Agreement, 18 October 2019, p. 7.
i
U.S. Attorney’s Office, Eastern District of Michigan, “International hacking group members sentenced for SIM hijacking
conspiracy that resulted in the theft of millions in cryptocurrency”, 30 November 2021.
j
Brion Hoban, “Man jailed for role in $2 million cryptocurrency theft”, The Irish Times, 17 November 2020.
k
Available at https://sherloc.unodc.org/.

63
DIGEST OF CASES

The methods used by criminals to obtain non-digital and digital identity-related information include:
dumpster diving; mail theft or the redirection of mail; theft of identity documents; the use of publicly
available information (e.g. public records); skimming; phishing; “pharming” (a combination of the words
“phishing” and “farming”), or installing a malicious code on a computer or server that automatically
directs the user to a fraudulent website that mimics the appearance of a legitimate website; malware; and
hacking.176 Criminals may also obtain identity-related information by conducting simple searches for
such information using search engines, social media platforms, websites and online public and private
databases.177 All of the aforementioned online sites and repositories serve as a rich source of information
that includes a mix of data that individuals willingly share with the platforms, as well as data that are
collected, made available and distributed about individuals and consolidated about them without the
individuals’ knowledge and/or consent (or, at the very least, without their informed consent). This infor-
mation can then be widely distributed online via chat rooms, forums, websites, social media platforms,
peer-to-peer file-sharing networks, instant messaging, text messages and encrypted and unencrypted
communications applications, as well as via darknet sites.

United States of America v. Sergey Medvedev, Case No. 2:17-CR-306-JCM-VCF

(D. Nevada, 26 June 2020) and United States of America v. Valerian Chiochiu,
Case No. 2:17-CR-306-JCM-PAL (D. Nevada, 31 July 2020) (the Infraud
Organization) (United States of America)
The Infraud Organization, founded in 2010, was active between 2010 and 2018. The slogan of the
organization was “In fraud we trust”. The organization operated as a criminal enterprise with the
objective of financially enriching its members through the commission of cybercrime, particularly
online fraud and identity theft. The illicit acts that the organization engaged in included mon-
ey-laundering; trafficking in stolen means of identification; trafficking in and production and use of
counterfeit identification; identity theft; trafficking in and production and use of unauthorized and
counterfeit access devices; bank fraud; and wire fraud.a The organization had over 10,000 members
throughout the world before it was shut down by United States criminal justice agencies in 2018.b
The Infraud Organization was well known for selling and advertising illicit goods and services on an
online forum bearing the name of the organization.

The roles of individuals that were part of this criminal enterprise included the following:c

(a) Administrators. Administrators were responsible for long-term strategic planning of the
enterprise and daily management tasks such as determining responsibilities and levels of
access of all members, vetting prospective members, deciding which individuals could join the
organization, and rewarding and punishing existing members;
(b) Supermoderators. “Supermoderators” were responsible for moderating content by
reviewing contraband for sale, editing and deleting posts based on reviews, and mediating
disputes between buyers and vendors. The content they moderated was assigned on the basis
of either geographical area or criminal expertise;
(c) Moderators. Moderators had some of the same responsibilities for moderating content as
“supermoderators”, but had less authority and fewer privileges;
(d) Vendors. Vendors were individuals who sold and/or advertised illicit goods and services
on the site
(e) VIP members. VIP members were longstanding, distinguished members of the platform;
(f) Members. General members of the forum.

UNODC, Handbook on Identity-related Crime (Vienna, 2011), pp. 15–19.

176 

Ibid., pp. 19 and 21–22.

177 

64
 chapter V.   Types of cyber organized crime

The founders of the organization were S.B. and S.M. In addition to being one of the founders,
S.M. served as the administrator of the forum and ran the escrow service of the organization,d
which was in place to minimize instances of vendor fraud. Fraudulent vendors were known on the
site as “rippers”.e These escrow services held funds for a purchase in escrow until the buyer
received the items purchased (in good order). For quality control of contraband recovered from acts
of fraud and identity theft, members also provided feedback and ratings of vendors and their prod-
ucts. To protect participants in this criminal enterprise, measures were taken to secure the forum
and restrict access to it. S.B. established rules governing members’ conduct, which were enforced
by administrators, moderators and “supermoderators” of the site.f Members who violated these
rules were punished by bans from the forum and other sanctions. All new members had to be
vetted before being granted access to the forum.

One of the founders of the Infraud Organization, S.M., pleaded guilty to conspiracy to engage in a
racketeer-influenced corrupt organization.g On 19 March 2021, he was sentenced to 10 years’
imprisonment.h The other founder, S.B., is currently still at large. V.C., a member of the Infraud
Organization and malware author, also pleaded guilty to conspiracy to engage in a racketeer-
influenced corrupt organization.i

For more information on these cases, see UNODC, SHERLOC case law database, Case No. USAx171.j

a
United States of America v. Svyatoslav Bondarenko et al., p. 6.
b
United States Department of Justice, Office of Public Affairs, “Russian national pleads guilty for role in transnational
cybercrime organization responsible for more than $568 million in losses”, press release, 26 June 2020.
c
United States of America v. Svyatoslav Bondarenko et al., pp. 12–14.
d
United States of America v. Svyatoslav Bondarenko et al., p. 15.
e
“Rippers” are individuals who do not deliver purchased items and/or deliver items of poor quality (United States of America
v. Svyatoslav Bondarenko et al., p. 9).
f
United States of America v. Svyatoslav Bondarenko et al., p. 25.
g
United States District Court, District of Nevada, United States of America v. Sergey Medvedev, Case No. 2:17-CR-306-JCM-
VCF, Plea Agreement, 26 June 2020.
h
United States Department of Justice, Office of Public Affairs, “Foreign nationals sentenced for roles in transnational
cybercrime enterprise”, press release, 19 March 2020.
i
United States District Court, District of Nevada, United States of America v. Valerian Chiochiu, Case No. 2:17-CR-306-JCM-
PAL, Plea Agreement, 31 July 2020.
j
Available at https://sherloc.unodc.org/.

3. Falsified medical product-related crime

Falsified medical product-related crime refers to illicit acts whereby the “identity”,178 “composition”179 or
“source”180 of a medical product is “deliberately/fraudulently misrepresented”.181 Intellectual property right
considerations are excluded from this definition. Falsified medical products are considered distinct from sub-
standard and unregistered/unlicensed medical products (see figure I).182

The World Health Organization (WHO) defines “identity” as “the name, labelling or packaging or to documents that support
178 

the authenticity of an authorized medical product” (document A/70/23, annex, appendix 3, para. 7 (c)).
WHO defines “composition” as “any ingredient or component of the medical product in accordance with applicable specifica-
179 

tions authorized/recognized by” national and/or regional regulatory authorities (document A/70/23, annex, appendix 3, para. 7 (c)).
WHO defines “source” as “the identification, including name and address, of the marketing authorization holder, manufacturer,
180 

importer, exporter, distributor or retailer, as applicable” (document A/70/23, annex, appendix 3, para. 7 (c)).
The WHO defines “deliberate/fraudulent misrepresentation” as “any substitution, adulteration, reproduction of an authorized
181 

medical product or the manufacture of a medical product that is not an authorized product” (document A/70/23, annex, appendix 3,
para. 7 (c)).
182 
UNODC, Combating Falsified Medical Product-Related Crime: A Guide to Good Legislative Practices (Vienna, 2019), p. 8.

65
DIGEST OF CASES

Figure I.  Substandard, unregistered/unlicensed and falsified medical products

SUBSTANDARD UNREGISTERED/ FALSIFIED

UNLICENSED

Also called “out of Medical products that have Medical products that
specification”, these are not undergone evaluation deliberately/fraudulently
authorized medical and/or approval by the misrepresent their
products that fail to meet national and/or regional identity, composition
either their quality regulatory authorities for or source
standards or their the market in which they
specifications, or both are marketed/distributed
or used, subject to
permitted conditions under
national or regional
regulation and legislation

Source: WHO, document A/70/23, annex, appendix 3, para. 5.

Falsified medical products have negative public health, economic and socioeconomic consequences.183
They may be of poor quality, unsafe or ineffective. They may endanger health, prolong illness, promote
antimicrobial resistance and the spread of drug-resistant infection, and kill patients.184 They may also under-
mine confidence in health professionals, health-care systems and legitimate medical products, resulting in
further negative public health consequences if patients forego treatment or seek alternative treatment from
unregulated care providers.185
The coronavirus disease (COVID-19) pandemic has shed light on the threats posed by falsified medical
products.186 COVID-19 has been the catalyst for the emergence of a global market for trafficking in personal
protective equipment.187 There is also evidence of trafficking in other forms of falsified medical products
purporting to test, treat or prevent COVID-19.188
Trafficking in falsified medical products takes place both offline and online.189 Such trafficking takes place
via online marketplaces, online pharmacies, e-commerce platforms and social media and other platforms.190
In one case in the United States, two defendants sold counterfeit drugs for the treatment of cancer and hep-

183 
See WHO, A Study on the Public Health and Socioeconomic Impact of Substandard and Falsified Medical Products (Geneva,
2017), pp. 15–19; WHO, WHO Global Surveillance and Monitoring System for Substandard and Falsified Medical Products (Geneva,
2017), pp. 5–7; see also Tim K. Mackey and Gaurvika Nayyar, “A review of existing and emerging digital technologies to combat the
global trade in fake medicines”, Expert Opinion on Drug Safety, vol. 16, No. 5 (April 2017), p. 587.
WHO, A Study on the Public Health and Socioeconomic Impact, pp. 15–16.
184 

185 
Ibid., p. 17.
186 
See also UNODC, Research and Trend Analysis Branch and Global Research Network, “Report on COVID-19-related traffick-
ing of medical products as a threat to public health”, Research brief (Vienna, 2020).
187 
Ibid., p. 10.
188 
Ibid., p. 9.
189 
See Tim K. Mackey and others, “Counterfeit drug penetration into global legitimate medicine supply chains: a global assess-
ment”, American Journal of Tropical Medicine and Hygiene, vol. 92, Suppl. No. 6 (2015).
WHO, “Substandard and falsified medical products”, 31 January 2018; and WHO, WHO Global Surveillance and Monitoring
190 

System, p. 15.

66
 chapter V.   Types of cyber organized crime

atitis B to undercover officers via a well-known instant messaging service.191 The defendants (V.N.
and M.N.) pleaded guilty to conspiracy, trafficking in counterfeit drugs and smuggling goods into the
United States; one of the defendants (M.N.) also pleaded guilty to introducing misbranded medicine in
interstate commerce.192
In recent years, the number of online pharmacies, as well as the number of people purchasing medical
products online, has greatly increased.193 Nevertheless, the majority of online pharmacies conduct business
illegally and without appropriate safeguards, including by not requiring a valid prescription, operating with-
out a valid licence/certification and failing to meet national or international pharmacy regulations.194 Online
pharmacies pose particular challenges to investigating and prosecuting authorities, including practical
difficulties in identifying physical locations and jurisdictional challenges.195

United States of America v. Kristjan Thorkelson, 14-CR-27-BU-DLC

(D. Mont., 10 December 2018)
In 2001, K.T. founded Canada Drugs as an online pharmacy based in Winnipeg, Canada. The busi-
ness model of Canada Drugs was based on illegally importing unapproved and misbranded pre-
scription pharmaceutical drugs into the United States from abroad and selling the drugs illegally to
consumers throughout the United States. K.T., the defendant and chief executive officer of Canada
Drugs, and other conspirators oversaw the distribution of substantial quantities of prescription
drugs within the United States, including clinical cancer medications, that were not approved by the
Food and Drug Administration of the United States.a In addition to unapproved and misbranded
prescription pharmaceutical drugs, two counterfeit clinical cancer medications (both purportedly
containing bevacizumab) were distributed to physicians in the United States.

The defendant, companies associated with him (Canada Drugs, Rockley Ventures, Global Drug
Supply and River East Supplies) and those conspiring with him were charged with: conspiracy to
smuggle goods into the United States in contravention of Title 18, sections 371 and 545, of the
United States Code; conspiracy to commit money-laundering in violation of Title 18, sections 1956
(h) and 1957; and international money-laundering in contravention of Title 18, section 1956 (a),
paragraph (2)(A). Ultimately, the defendant pleaded guilty to the crime of misprision of felony for
having knowledge of the actual commission of a felony cognizable by a court of the United States,
concealing the felony and not informing a judge or other person in civil or military authority under
the United States of the felony.b For this crime, the defendant was sentenced to five years of proba-
tion and six months of house arrest and was required to pay a fine of US$ 250,000.

CanadaDrugs.com ceased its operations in 2018, and Canada Drugs was required to surrender its
domain names. Canada Drugs and its associated companies were sentenced to five years’ proba-
tion and were required to forfeit US$ 29 million in proceeds and to pay a fine of US$ 5 million.c

For more information about this case, see UNODC, SHERLOC case law database, Case No. USAx108.d
a
United States of America v. Kristjan Thorkelson, 14-CR-27-BU-DLC (D. Mont., 10 December 2018).ed States Code, Title 18,
sect. 4, Misprision of felony.
b
United States Code, Title 18, sect. 4, Misprision of felony.
c
United States Attorney’s Office, District of Montana, “Canadian drug firm admits selling counterfeit and misbranded
prescription drugs throughout the United States”, press release, 13 April 2018.
d
Available at https://sherloc.unodc.org/.

191 
UNODC, SHERLOC case law database, Case No. USAx227, United States of America v. Nienadov, No. 4:19 CR-365
(S.D. Tex. Mar. 29, 2021).
192 
Ibid.
WHO, WHO Global Surveillance and Monitoring System, p. 15.
193 

194 
Mackey and Nayyar, “A review of existing and emerging digital technologies”, p. 589.
WHO, A Study on the Public Health and Socioeconomic Impact, p. 22; WHO, WHO Global Surveillance and Monitoring
195 

System, p. 16.

67
DIGEST OF CASES

4. Counterfeiting
Counterfeiting involves the unlawful manufacture, sale and distribution of fake currency, documents or
products.196 Counterfeits are created for a variety of identity-related documents (e.g., identification docu-
ments, passports, driving licences), money and goods such as food, drinks, electronics, software, toys,
automobile parts, chemicals, alcohol, cigarettes, clothing, shoes, accessories, toiletries and household
products. Counterfeit products pose significant threats to the economy, the environment, and health
and safety.197
Traditional organized criminal groups are involved in trafficking in counterfeit products. The groups mainly
do not necessarily focus exclusively on trafficking in counterfeit products but commit this form of traffick-
ing along with other forms of serious crime, such as a drug trafficking, trafficking in persons and money-
laundering.198 The funds obtained from trafficking in counterfeit products are often subjected to money-
laundering and/or used to develop and sell more counterfeit goods and/or engage in other forms of serious
crime.199
The availability, manufacture and distribution of counterfeit products have expanded as a result of the ease
of movement of individuals across borders and advances in ICT.200 Organized criminal groups have pro-
duced, sold and distributed counterfeit money, documents and goods throughout the world, advertising the
sale of these items on both the clearnet and the darknet. Trafficked counterfeit products enter the market
either by being introduced into the legitimate market through online commercial websites, social media
platforms and/or other places online or by being introduced into the illegitimate market, for example,
through the sale of counterfeit products on darknet sites predominantly dedicated to the sale of illicit
goods and services. The illegal markets online were termed by a German court as the “underground illegal
economy”.201
Counterfeit products can be created, represented and/or marketed to look like copyrighted, trademarked
and/or patented goods in violation of intellectual property laws. One example is pirated copyright goods,
which are defined in the Agreement on Trade-Related Aspects of Intellectual Property Rights (art. 51) as
any goods which are copies made without the consent of the right holder or person duly authorized by the
right holder in the country of production and which are made directly or indirectly from an article where the
making of that copy would have constituted an infringement of a copyright or a related right under the law
of the country of importation.202 For example, in Queen v. Paul Mahoney,203 the appellant, with other known
and unknown conspirators, created and operated websites that enabled individuals to access and view newly
released films and television programmes for free.

196 
For more information on counterfeiting, see UNODC, The Globalization of Crime: A Transnational Organized Crime Threat
Assessment (United Nations publication, 2010), chap. 8.
197 
UNODC, “Counterfeit goods: a bargain or a costly mistake?”, Factsheet (2012); Italy, Ministry for Economic Development,
Department for Enterprise and Internationalization, General Anti-Counterfeiting Directorate, “No to fake: the counterfeiting in the
food sector–consumer guide” (Rome, n.d.).
198 
UNODC, “Counterfeit goods”.
199 
UNODC, “‘Counterfeit: don’t buy into organized crime’ – UNODC launches new outreach campaign on $250 billion a year
counterfeit business”, 14 January 2014.
200 
UNODC, “Counterfeit goods”.
This case involved the sale of counterfeit money and forged identification documents, as well as the sale of drugs, on online
201 

illicit markets (UNODC, SHERLOC case law database, Case No. DEUx025, LG Duisburg, Urteil vom 05.04.2017, 33 KLs – 111 Js
32/16 – 8/16).
WHO, document A/70/23, annex, appendix 3, footnote 1.
202 

203 
United Kingdom of Great Britain and Northern Ireland, Queen v. Paul Mahoney [2016] NICA 27.

68
 chapter V.   Types of cyber organized crime

TGI Lille, 7e ch.corr., jugement du 29 janvier 2004 (France)

Between 2000 and 2002, the defendants, members of the online forum Boom-e-rang, participated
in a scheme to share on the forum pirated content such as films, music and video games. Under
this scheme, any member who wanted to access the files had to, in return, give access to other
content. As the forum did not have the capacity to store all the files, members of the forum hacked
into open-source ftp servers, such as university servers, and provided access to the servers to
forum members to enable them to upload pirated content for download by other members. Some
forum members operated as “scanners”, using scanning software to find open-source ftp servers.
Others were “uploaders”, overseeing the uploading of files onto the hacked servers. Two members
of the forum also committed a scam using stolen credit card data and software generating credit
card numbers to buy DVDs and compact discs.

In France, the national police were made aware of the Boom-e-rang forum when a third party who
was being investigated for electronic fraud divulged the name of two members of the forum and
informed the police of the offences that they had committed. The national police conducted elec-
tronic surveillance of the forum and collected several IP addresses that were used to identify forum
members.

In this case, the defendants were charged with illegal access to a computer system with the aggra-
vating factor of system interference, as well as with illegal introduction of data into a computer
system. As the system interference resulted from the illegal introduction of data into the computer
systems (reducing their storage capacity) and not illegal access to the computer system itself,
the court held that the aggravating factor of system interference could not be applied to the case.
The court also held that the offence of illegal access to a computer system could be applied even if
the computer systems that had been accessed had not been protected from breach.

The 13 defendants were convicted of charges relating to hacking into servers, uploading pirated
material to the servers and downloading pirated material from the servers. One defendant, J.D.,
was found guilty of committing a scam and was sentenced to 10 months’ imprisonment. All the
other defendants were sentenced to terms of imprisonment ranging from two to four months. All
custodial sentences were suspended.

The two defendants convicted for offences related to the stolen credit card scam were ordered to
pay a symbolic sum of €1 to the victim, as well as €200 for legal fees. All defendants were sen-
tenced to pay jointly €1 as provisional damages to the 23 other victims, with the matter being
referred to a civil court for further determination.

For more information about this case, see UNODC, SHERLOC case law database, Case No. FRAx028.a

a
Available at https://sherloc.unodc.org/.

Perpetrators of online copyright infringement may be part of communities that illegally distribute copy-
righted works for free to obtain accolades from members of their community. For instance, in Regina v.
Reece Baker and Sahil Rafiq,204 the appellants (S.R. and R.D.B.) had leadership roles in release groups
(i.e., they formed and/or ran the groups), which often competed with each other to make the best copy of
an original copyrighted work freely and widely available or to be the first to illegally release a copy-
righted work.

204 
United Kingdom, Royal Courts of Justice, Regina v. Reece Baker and Sahil Rafiq [2016] EWCA Crim 1637, Approved
Judgment, 18 October 2016.

69
DIGEST OF CASES

LG Leipzig, Urteil vom 14.06.2012, 11 KLs 390 Js 191/11 (Germany)

The LG Leipzig case involved the criminal prosecution of the founder of the German-language
streaming portal (Kino.to), the defendant, for having made available online pirated versions of more
than 100,000 copyrighted works, including films, documentaries and television series. Starting in
March 2008, the defendant, along with seven others who were prosecuted separately, gradually
started forming an organized criminal group in order to operate this website. Until June 2011, the
website was the biggest German website for pirated films and was listed as one of the 50 most
visited websites in Germany, at times receiving over four million hits per day. The domain of the
website was registered in countries such as Tonga. The access portal to the website was at first
placed on servers in the Netherlands; subsequently, starting in mid-2008, it was placed on servers
in the Russian Federation. The location of the administrators, as well as the focus of the group’s
operations, was, however, Germany.

On the website, the defendant and his accomplices provided over one million links to copyrighted
works of film and television free of charge, without having the rights to do so. In total, 1,360,450 links
were made public on this website. The links were used to stream or download the pirated content. The
pirated content was hosted on file hosting services selected by uploaders (those who uploaded pirated
content to the website). The uploaders and file host service providers were not part of the core
employees of Kino.to. However, some of the file host services used by the site were operated by the
defendant or the members of the group who were subsequently prosecuted separately. File hosting
services that were operated by the defendant or other members of the group were preferred and were
given competitive advantage in that their links were placed on the top of the website.

Communication between the core employees usually took place using a well-known software
application that provides videophone and videoconferencing capabilities. Written communication
took place using the message tool of the access control protocol. When important decisions
were to be made, videoconferences were held, and all core employees would usually participate.
The employees tasked with publishing the links were responsible for communicating – using
their aliases – with the uploaders and file hosting service providers via the same access control
protocol.

The defendant was prosecuted for the commercial exploitation of copyrighted works contrary to
intellectual property laws.a The court held that the inclusion of pages on a site that was linked to
stored copyright content on a different site (e.g. content-sharing hosting sites) without the consent
of the copyright holder was a violation of copyright law.b For the over one million counts of commer-
cial unlawful exploitation of copyrighted works to which the defendant pleaded guilty, he received
a sentence of four years and six months of imprisonment and was required to pay more than
€3.7 million in compensation.

For more information on this case, see UNODC, SHERLOC case law database, Case No. DEUx033.c

a
Specifically, section 106 of the German Act on Copyright and Related Rights (Urheberrechtsgesetz) (see UNODC SHERLOC
case law database, Case No. DEUx033).
b
LG Leipzig, Urteil vom 14.06.2012, 11 KLs 390 Js 191/11 (kino.to was the largest German-language platform providing
links to pirated copies of films and television shows).
c
Available at https://sherloc.unodc.org/.

70
 chapter V.   Types of cyber organized crime

5. Extortion, blackmail and ransom

Extortion is an illicit act whereby an individual seeks to obtain money or other material or financial benefits
or force a target to engage in some act through intimidation, fear, violence or threat of violence or some
other form of harm.205 The nature of this harm or threatened harm varies in national law. While national
extortion laws predominantly require that a threat be made, they do not require something to be actually
obtained from the target as a result of the threat for the act to be considered extortion.
Individuals, groups, private organizations, non-governmental organizations and government agencies are
common targets of extortion. When extortion is facilitated through ICT, it is referred to as cyberextortion.
Cyberextortion, however, is not a term identified in law. Extortion and fraud-related laws are commonly
used to prosecute individuals who commit this cybercrime. Cyberextortionists commit Internet fraud,
distributed denial-of-service attacks, interpersonal cybercrime206 and other forms of cybercrime in order
to force targets to engage in desired acts or to provide offenders with money, goods and/or services.
Blackmail is a form of extortion. Blackmail occurs when an individual threatens to reveal compromising
information designed to embarrass or cause some other form of harm to the target unless a demand
is met.
Ransom can be described as the holding of something or someone of value to the target and threatening to
cause harm unless a payment is rendered to the offender. Criminals that perpetrate cyber-dependent and
cyber-enabled crime have demanded ransom from targets. For example, members of the TDO hacking
group were known for hacking several organizations in the health, entertainment, finance, commercial, real
estate and transportation sectors, stealing personal information from the systems they hacked and then
seeking ransom from the targets.207 The members of this group threatened targets by indicating that failure
to pay would result in the personal information being posted online in hacking forums or public forums or
leaked to journalists, which would harm the reputation of the company or organization to which the data
belonged. One of the members of the TDO group, known as Dark Overlord, was arrested for and pleaded
guilty to conspiracy to commit aggravated identity theft and computer fraud and was sentenced to five
years’ imprisonment.208 Other members of the group remain at large.

(a) Sexual extortion

Sexual extortion (or sextortion) occurs when an individual threatens to share or otherwise distribute personal
information or intimate images or videos if the target does not provide the offender with other images or
videos of a sexual nature, engage in sexual acts in view of the perpetrator online or provide the perpetrator
with money or other goods. Both adults and children can be the targets of sextortion. Where sextortion is not
explicitly proscribed by law, depending on the specifics of the crime, elements of sextortion are considered
criminal according to existing statutes that relate to extortion, image-based sexual abuse,209 harassment and
child sexual abuse, among other crimes.

205 
Marie-Helen Maras, Real Criminology (forthcoming).
206 
See UNODC Teaching Modules, Cybercrime, Module 12: Interpersonal cybercrime. Available at sherloc.unodc.org/cld/en/
education/tertiary/cybercrime/module-12/index.html.
207 
United States District Court, Eastern District of Missouri, United States of America v. Nathan Wyatt, Case No. 4:17CR00522
RLW/SPM, Indictment, 8 November 2017.
208 
United States, Department of Justice, Office of Public Affairs, “UK national sentenced to prison for role in ‘The Dark Overlord’
hacking group”, press release, 21 September 2020.
209 
Image-based sexual abuse is defined in academic literature as the “non-consensual creation, distribution and threat to distribute
nude or sexual images” (Nicola Henry, Asher Flynn and Anastasia Powell, “Policing image-based sexual abuse: stakeholder perspec-
tives”, Police Practice and Research: An International Journal, vol. 19, No. 6 (September 2018), pp. 565–581).

71
DIGEST OF CASES

Rajesh and others v. State of Rajasthan, Division Bench Appeal No. 178, 122 and
123 / 2016 (India)
The case Rajesh and others v. State of Rajasthan involved the rape and sextortion of a 17-year-old
female. When the victim was walking home from school, the three defendants asked her to board
their vehicle. When the victim refused, they forcibly kidnapped her and covered the rear window of
the vehicle with a curtain. The defendants stuffed the victim’s mouth, and she was forcibly removed
from the vehicle and dragged into a jungle where she was stripped and raped by the defendants.
She was subsequently driven back to her village. The defendants made a video recording of the rape
on a mobile phone and threatened to circulate the recording and share it with her relatives if she
disclosed the rape to anyone. The victim did not talk about the incident out of fear that doing so
would damage her reputation and that it might lead to her engagement being broken off. She felt so
intimidated by the threats of the defendants that she stopped going to school and was under
immense mental stress.

The defendants also attempted to blackmail her into performing further sexual acts by threatening
to make available online the video recording of her rape if she did not agree to their demands. This
sextortion continued for more than one year after the rape occurred. When the victim refused to
agree to her sexual exploitation, the defendants uploaded the video recording on the Internet. The
recording was seen by one of the victim’s relatives, who brought it to her father’s attention.
Thereafter, the victim lodged a written complaint to the court. The court convicted the three defend-
ants of rape,a violation of privacy,b publishing or transmitting obscene material in electronic form,c
publishing or transmitting material containing a sexually explicit act in electronic form,d publishing
or transmitting material depicting children in a sexually explicit act in electronic form,e kidnapping,
abducting or inducing a woman to compel her marriage,f procuration of a minor girl,g kidnapping or
abducting in order to subject a person to grievous harm, slavery,h distribution of obscene materiali
and criminal conspiracy.j The three defendants were sentenced to life imprisonment. On appeal,
their sentences were reduced to 10 years of imprisonment. The defendants were also required to
pay a fine of 392,000 rupees.

For more information about this case, see UNODC, SHERLOC case law database, Case No. INDx032.k

a
R. was convicted pursuant to section 376, clause (g), of the Indian Penal Code of 1860; S.S. and D. were convicted pursuant
to section 376, subsection (2), clause (g), of the Indian Penal Code.
b
Section 66E of the Information Technology Act, 2000, of India.
c
Section 67 of the Information Technology Act.
d
Section 67A of the Information Technology Act.
e
Section 67B of the Information Technology Act.
f
Section 366 of the Indian Penal Code.
g
Section 366A of the Indian Penal Code.
h
Section 367 of the Indian Penal Code.
i
Section 292 of the Indian Penal Code.
j
Section 120B of the Indian Penal Code.
k
Available at https://sherloc.unodc.org/.

A common tactic of perpetrators of sextortion is the utilization of fake profiles online to target the victims,
using various websites, forums, chat rooms, social media platforms and messaging applications. The perpetra-
tors ultimately seek to coerce their targets into performing sexual acts via webcam and/or to create and/or
distribute sexual images or video recordings. The images or recordings are then used to threaten the victim.
The perpetrator threatens to reveal the images or recordings to the victim’s family, friends, significant others,
employers, colleagues, classmates and/or others if the victim does not provide more sexualized media content,
pay the perpetrator and/or engage in some other act desired by the perpetrator.

72
 chapter V.   Types of cyber organized crime

United States of America v. Antwine Lamar Matthews, Malcolm Cooper, Andreika

Mouzon and Flossie Brockington, United States of America v. Jimmy Dunbar, Jr.
and Mitchlene Padgett, United States of America v. Rakeem Spivey and Roselyn
Pratt, United States of America v. David Paul Dempsey and Edgar Jermaine Hosey,
United States of America v. Wendell Wilkins, Jalisa Thompson, Tiffany Reed,
Brandon Thompson and Laben McCoy (D. South Carolina, 14 November 2018)
(United States of America)
Sexual extortion scheme run from prison
In the United States, inmates in the South Carolina Department of Corrections, using smartphones
they had smuggled into the prison, perpetrated a sextortion scheme targeting United States military
personnel.a The inmates would sign up for dating applications and target members of the military
utilizing the applications. The inmates would create fake profiles of women for whom they had found
both nude and non-nude images online. The fake profiles would be created using the non-nude
images. After contacting the targets and obtaining personal information from them, the inmates
would send the non-nude images and request that the targets share nude images of themselves.b
The inmates would then call the targets and, impersonating the father of the woman with whom the
targets were in contact, claim that the targets had been communicating with a minor and therefore
the nude images the targets had received were nude images of a minor. The inmates would then
threaten to contact the authorities and report the targets if money was not paid to the “victim” (for
example, to enable medical bills or fees to be paid).c In some cases, inmates would contact the tar-
gets and, impersonating a police officer, threaten to arrest them if money was not paid to the “victim”.
The targets were directed to pay the fees via wire transfers, using, for example, a well-known money
transfer service.d The inmates recruited “money mules”, who would receive the wire transfers from
the members of the military and then send the funds to the inmates as directed.

The defendants were charged with conspiracy to commit wire fraud, extortion and money-launder-
ing. Several of the defendants pleaded guilty to one or more of these crimes. T.R. pleaded guilty and
was sentenced to three years’ probation for conspiracy to commit wire fraud.e Another defendant,
W.W., also pleaded guilty to conspiracy to commit wire fraud, but has not been sentenced yet.f
Another defendant, A.M., pleaded guilty to conspiracy to commit wire fraud and money-laundering,g
while other defendants, J.T., B.T., and F.B., pleaded guilty to money-laundering.h J.T. and B.T. each
received time served and 15 months’ imprisonment for their crimes. D.P.D pleaded guilty to all three
charges and was sentenced to 3 years and 10 months of imprisonment. The prosecution also sub-
mitted a motion to dismiss the indictment against one of the defendants, L.M.i

For more information on this, see UNODC, SHERLOC case law database, Case No. USAx172.j
a
United States Attorney’s Office, District of South Carolina, “5 inmates among 15 defendants indicted for wire fraud,
extortion, and money laundering scheme at SCDC”, press release, 29 November 2018.
b
United States District Court, District of South Carolina, United States of America v. Antwine Lamar Matthews, Malcolm
Cooper, Andreika Mouzon and Flossie Brockington, Case No: 2:18-CR-1024, Indictment, 14 November 2018, pp. 2–3.
c
Ibid.; United States District Court, District of South Carolina, United States of America v. Jimmy Dunbar, Jr. and Mitchlene
Padgett, p. 3; United States of America v. Rakeem Spivey and Roselyn Pratt, p. 3; United States District Court, District of South
Carolina, United States of America v. David Paul Dempsey and Edgar Jermaine Hosey, Case No. 2:18-CR-1022, Indictment,
14 November 2018, pp. 2–3; United States District Court, District of South Carolina, United States of America v. Wendell Wilkins,
Jalisa Thompson, Tiffany Reed, Brandon Thompson and Laben McCoy, Case No. 2-18-CR-101, Indictment, 14 November 2018, p. 2.
d
United States of America v. Jimmy Dunbar, Jr. and Mitchlene Padgett, p. 3; United States of America v. Rakeem Spivey and
Roselyn Pratt, p. 3.
e
For further information, see United States District Court, District of South Carolina, United States of America v. Tiffany
Reed, Case No. 2:18-CR-1017-DCN, 4 May 2020; United States of America v. Brandon Thompson, Judgement, 20 December 2019.
f
For further information, see United States of America v. Wendell Bernard Wilkins, Case No. 2:18-cr-01017-DCN-1, Plea,
2 December 2019.
g
For further information, see United States Attorney’s Office, District of South Carolina, “Two money mules plead guilty in
Federal Court for role in sextortion scheme”, press release, 31 July 2019.
h
For further information, see United States District Court, District of South Carolina, United States of America v. Jalisa
Thompson, Sentencing Memorandum in Support of Downward Departure and or Defendant, Case No. 2:18-CR-01017-002,
2 December 2019; United States Attorney’s Office, District of South Carolina, “Two money mules plead guilty in Federal Court”.
i
For further information, see United States District Court, District of South Carolina, United States of America v. Laben
Weykshaw Renee McCoy, Case No. 2:18-CR-1017-5, Motion to Dismiss Indictment, 15 September 2020.
j
Available at https://sherloc.unodc.org/.

73
DIGEST OF CASES

(b) Ransom scams

There are many variations of scams that seek ransom from targets. Perpetrators of ransom scams seek to
frighten their targets into paying a ransom by claiming that they have access to some of the targets’ personal
data (e.g. login credentials) or have access to the targets’ devices and have recorded compromising infor-
mation about the targets, which they threaten to release if a ransom is not paid. The money for ransom
scams can be paid in person (to accomplices of the perpetrators), using online payment services, prepaid
debit and credit cards and digital currencies (e.g., cryptocurrencies).
Ransom scams may also involve offenders pretending to represent banks, creditors, lawyers, law enforce-
ment agencies or other government agencies demanding that outstanding debts or other matters be dealt
with expeditiously through payment of a fine or other fee. A Peruvian call centre was used to carry out fraud
and extortion schemes via Internet-based telephone calls.210 The defendants, who managed and operated
Peruvian call centres, utilized Internet-based telephone calls to threaten targets with arrest, deportation,
negative impact on their credit rating and/or seizure of property if the targets did not pay a fee.211 The
defendants targeted Spanish-speaking individuals residing in the United States. The defendants, who posed
as attorneys and government representatives, would claim that the targets owed thousands of dollars in fines
because they had failed to accept the delivery of specific products.212 The defendants would also claim that
failure to pay a so-called settlement fee to resolve the matter would result in some form of harm to the target
(e.g., bad credit rating, lawsuit, arrest and deportation).213
Ransom scams may also involve calling targets and pretending to have arrested or otherwise detained one
of their relatives and demanding money for their release. An example of this type of scam is a virtual kid-
napping scheme, whereby perpetrators contact a target claiming that they have the target’s child (or relative
or significant other) and threaten to kill or seriously harm the “kidnapped” person214 unless a ransom is paid
(see the box below).

Tribunal de Enjuiciamiento del Distrito Judicial Morelos –

número de juicio 38/2020 (Mexico)
On 6 February 2018, Victim 1 received a call on his mobile phone from a man who initially identified
himself as the commander of the prosecutor’s office and later as a member of an organized crimi-
nal group. By means of threats and intimidation, the perpetrator forced Victim 1 to change the
subscriber identification module (SIM) card of his mobile phone, go to a local motel and stay there
for four days. During this period, Victim 1 was instructed to take photographs of himself naked,
simulate a victim of kidnapping and send the images to the extortionist.

Between 6 and 9 February 2018, Victim 2 received various telephone calls from different numbers,
including calls from Victim 1’s number via a well-known messaging application that uses the
Internet. The callers sent images of Victim 1 (simulated images designed to make Victim 1 appear
to be a victim of kidnapping) to Victim 2 via the messaging app and threatened to kill Victim 1. Using
threats and intimidation, the extortionists persuaded Victim 2 to deposit 2,148,160 Mexican pesos in
various bank accounts, including one under the accused person’s name. Victim 2 reported the
extortion to the local police, who managed to locate Victim 1 on 9 February 2018.

210 
United States District Court, Southern District of Florida, United States of America v. Hidalgo Marchan, Case No. 1:15-CR-
20471, 23 June 2015.
211 
United States, Department of Justice, Office of Public Affairs, “Three men extradited for overseeing call centers that threatened
and defrauded Spanish-speaking U.S. consumers”, press release, 19 December 2019.
212 
United States, Department of Justice, Office of Public Affairs, “Peruvian man pleads guilty to overseeing call centers that
threatened and defrauded Spanish-speaking U.S. consumer”, 1 May 2020.
213 
Ibid.; United States, Department of Justice, Office of Public Affairs, “Three men extradited for overseeing call centers”.
The person may or may not be kidnapped (or otherwise held) by the perpetrators of this crime.
214 

74
 chapter V.   Types of cyber organized crime

A person incarcerated in a federal prison in the city of Tamaulipas was identified as the leader of
the organized criminal group. He led and coordinated the virtual kidnapping operation from prison.
The prosecutor’s office had information about the modus operandi of the criminal group because
the mobile phone number of one of the extortionists in this case had been linked to complaints filed
by victims in 15 similar cases.
Deposits of money stemming from the proceeds of this cyber-enabled crime had been made in the
United States through certain companies where other members of the criminal group went to col-
lect the money. Video recordings of these transactions were gathered, enabling other members of
the group to be identified. A chronological series of images were also obtained from video record-
ings from the different offices where the money deposits were withdrawn.
In this case, investigative and prosecutorial challenges were highlighted. The defence argued that
some of the evidence presented in court had been obtained illegally. For example, authorization
from a federal judge had not been obtained before extracting data from seized devices, in contra-
vention of article 16 of the Constitution. There were also inconsistencies and missing information in
the chain of custody for some of the evidence introduced in court.
Ten members of the criminal group were captured and nine members were sentenced to 22 years
and 6 months of imprisonment. The defendants who were sentenced for their crimes were also
required to pay restitutiona to Victim 2 (Mex$ 37,800 for psychological therapy and Mex$ 2,148,160,
the exact amount the sent by Victim 2 to the criminal group) and to Victim 1 (Mex$ 40,500 for
psychological therapy).
For more information about this case, see UNODC, SHERLOC case law database, Case No. MEXx004.b

a
This restitution was made in in accordance with article 20, section B, of the Political Constitution of the United Mexican
States, as well as articles 43–51 of the Penal Code for the State of Chihuahua.
b
Available at https://sherloc.unodc.org/.

(c) Ransomware
Ransomware is a form of malware that infects a user’s device and posts a warning on the device that, if the
victim does not make a payment, there will be some negative consequence to the owner of the device. This
type of malware may also be designed to block access to data, files and/or systems; the access is to be restored
when a sum of money (i.e., ransom) is paid. One form of ransomware is crypto-ransomware, a Trojan Horse
designed to encrypt data on a victim’s system and extort money from the victim to release information.215
In its report Internet Organised Crime Threat Assessment 2020, Europol noted that ransomware remains a
significant threat both within and outside of Europe.216 Individuals, businesses, non-governmental organiza-
tions and government agencies are targeted by ransomware. Ransomware is largely an underreported crime,
particularly when it involves the private sector, which may fear the negative effects of reporting this cyber-
crime (e.g., reputational harm, exposure to further cybervictimization by other perpetrators).217 Ransomware
has evolved from targeting individual users of ICT to becoming more targeted and focusing on public and
private organizations.218 Initially, crypto-ransomware threatened to permanently prevent targets from
accessing files, data and/or their systems unless payment was rendered. However, cybercriminals have
deployed crypto-ransomware, which threatens to wipe data from devices and/or auction data online if
money is not paid.219 When criminals threaten to release personal data online unless payment is made, this
is a form of “doxxing”.

215 
Maras, Cybercriminology, p. 334.
216 
Europol, Internet Organised Crime Threat Assessment 2020, p. 25.
217 
Ibid., p. 28.
218 
Ibid., p. 25.
219 
Ibid., p. 26.

75
DIGEST OF CASES

R v. Vachon-Desjardins, 2022 ONCJ 43 (NetWalker Ransomware) (Canada)

R v. Vachon-Desjardins involved an individual associated with an organized criminal group responsible
for a ransomware-as-a-service operation. The group’s ransomware-as-a-service model involved
developers (i.e. individuals who develop, update and make the ransomware available) and affiliates
(i.e. individuals who rent the ransomware, identify targets and deploy ransomware).a The group
offered affiliates the ability to rent access to the ransomware in exchange for a portion of the pro-
ceeds obtained from extorting targets. The ransomware targeted emergency services, law enforce-
ment agencies, healthcare institutions, educational institutions and commercial institutions.b

In 2021, the defendant S.V.-D. was arrested and detained in Canada pursuant to an extradition
order by the United States. S.V.-D. was not surrendered to the United States because he had out-
standing drug trafficking charges in Quebec. Those charges were subsequently resolved on
21 January 2022, when he was sentenced to 54 months of imprisonment for five drug trafficking
and related charges and possession of property obtained by crime.c Regarding his involvement in
the criminal group’s ransomware-as-a-service operation, on 1 February 2022, he pleaded guilty to
mischief in relation to computer data, unauthorized use of a computer, extortion and participation
in the activities of a criminal organization.d For these crimes, he was sentenced to serve six years
and eight months of imprisonment. The defendant was also ordered to pay restitution in the amount
of 2,805,829.97 Canadian dollars and forfeit cryptocurrencies (e.g. bitcoin) and Canadian dollars
from accounts and safe deposit boxes in Canada.e Having participated in designated offences
(i.e., extortion and participation in the activities of a criminal organization) for which DNA is ordered
for collection and storage in the DNA databank, the defendant was also ordered to provide a DNA
sample for inclusion in the databank.f

For more information on this case, see UNODC, SHERLOC case law database, Case No. CANx148.g

a
United States, Department of Justice, Office of Public Affairs, “Department of Justice launches global action against
NetWalker ransomware”, 27 January 2021.
b
Ibid.
c
R. v. Vachon-Desjardins, 2022 ONCJ 43, p. 2.
d
Ibid., p. 8
e
Ibid., p. 9.
f
Ibid., p. 8.
g
Available at https://sherloc.unodc.org/.

6. Child sexual abuse and child sexual exploitation

Online child sexual abuse and online child sexual exploitation involve the use of ICT to facilitate the sexual
abuse and the sexual exploitation of children.220 There is considerable overlap between child sexual abuse
and child sexual exploitation.221 Child sexual abuse refers to contact or interaction between a child and an
older or more knowledgeable child or adult (a stranger, sibling or person in a position of authority such as
a parent or caretaker) when the child is being used as an object for the older child’s or adult’s sexual
needs.222 Child sexual exploitation encompasses child sexual abuse, as well as other sexualized acts aimed
at and/or performed by a child.223 Online child sexual abuse and child sexual exploitation are prohibited by

220 
Susanna Greijer and Jaap Doek, Terminology Guidelines for the Protection of Children from Sexual Exploitation and Sexual
Abuse, adopted by the Interagency Working Group in Luxembourg, 28 January 2016 (Luxembourg, ECPAT International and ECPAT
Luxembourg, 2016), pp. 23 and 28.
221 
Ibid., p. 25.
222 
UNICEF, “Building knowledge and awareness: sexual violence”, Communities Care: Transforming Lives and Preventing
Violence Programme (New York, 2014).
223 
UNODC, Study on the Effects of New Information Technologies on the Abuse and Exploitation of Children (Vienna, 2015).

76
 chapter V.   Types of cyber organized crime

national, regional and international laws.224 The manner in which online child sexual abuse and child sexual
exploitation are criminalized by law, however, varies.
Three types of offences involving child sexual abuse and child sexual exploitation are covered in the sub-
sections that follow: child sexual abuse material and child sexual exploitation material, the enticement or
solicitation of children to engage in sex acts (i.e., child grooming) and live-streaming child sexual abuse.

(a) Child sexual abuse material and child sexual exploitation material
The term “child pornography” has been rejected by civil society, law enforcement agencies, academics and
others because it minimizes what is actually occurring – child sexual abuse and not sex with a child.225 The
preferred term is “child sexual abuse material”. While child sexual abuse material depicts child sexual
abuse, all other sexualized material depicting children is considered “child sexual exploitation material”.226
Nevertheless, the term “child pornography” still exists in national, regional and international laws. In the
present digest, the terms “child pornography” and “child pornographic material” are used only when they
appear in laws and case law referenced in the digest, in recognition of the efforts of multiple actors at the
State and civil society levels working for more consistent language that respects and considers child rights
throughout advocacy, policy and laws in all languages across all regions of the world.
Laws criminalizing the possession, production and distribution of child sexual abuse material and child
sexual exploitation material vary by jurisdiction. Some jurisdictions do not proscribe computer-generated
child sexual abuse material, which refers to the production, through digital media, of child sexual abuse
material and other wholly or partly artificially or digitally created sexualized images of children;227 they
proscribe only images depicting real children.228 In some countries, possession of child sexual abuse mate-
rial is criminalized if there is an intent to distribute the material.229 In those countries, the possession of the
material alone would not be considered criminal.
Child sexual abuse material and child sexual exploitation material are created, shared and distributed via web-
sites, Internet newsgroups, web-conferencing software, social media platforms, unencrypted and encrypted
communication applications and other online platforms.230 This material is also shared using text messages,
instant messaging, email messages, chat rooms, bulletin boards and peer-to-peer file-sharing networks.231
Perpetrators of online child sexual abuse and child sexual exploitation can be part of large online commu-
nities232 or smaller communities where child sexual abuse material is sent directly between perpetrators

224
See, for example, the Optional Protocol to the Convention on the Rights of the Child on the sale of children, child prostitution
and child pornography, the Council of Europe Convention on the Protection of Children against Sexual Exploitation and Sexual Abuse
(also known as the Lanzarote Convention), the Cybercrimes (Prohibition, Prevention, etc.) Act, 2015, of Nigeria (sect. 23); directive
2011/93/EU of the European Parliament and of the Council of 13 December 2011 on combating the sexual abuse and sexual exploita-
tion of children and child pornography, replacing Council framework decision 2004/68/JHA of 22 December 2003 on combating the
sexual exploitation of children and child pornography; article 27 of the African Charter on the Rights and Welfare of the Child; and
Republic Act No. 9775 of the Philippines (known as the Anti-Child Pornography Act of 2009). 
225 
For more information, see UNODC Teaching Modules, Cybercrime, Module 2: General types of cybercrime, “Computer-
related offences” Module 12: Interpersonal cybercrime, “Online child sexual exploitation and abuse”. Available at sherloc.unodc.
org/cld/en/education/tertiary/cybercrime/module-2/index.html and sherloc.unodc.org/cld/en/education/tertiary/cybercrime/
module-12/index.html.
226 
Greijer and Doek, Terminology Guidelines for the Protection of Children, pp. 39–40.
227 
Ibid., p. 40.
228 
International Centre for Missing and Exploited Children, Child Pornography: Model Legislation and Global Review, 8th ed.
(Alexandria, Virginia, 2016), p. 40; Greijer and Doek, Terminology Guidelines for the Protection of Children, p. 40.
229 
International Centre for Missing and Exploited Children, Child Pornography, pp. 18–42.
230 
Maras, Cybercriminology; Australia, R v. Mara [2009] QCA 208 (Internet newsgroups); Canada, Provincial Court of
Saskatchewan, R v. Philip Michael Chicoine, 2017 SKPC 87 (Communication applications); and United States Court of Appeals,
Third District, United States of America v. Dylan Heatherly, Case No. 19-2424 (2020) and United States of America v. William Staples,
No. 19-2932 (2020) (Web-conferencing software).
231 
See, for example, R v. Philip Michael Chicoine, 2017 SKPC 87 (Peer-to-peer sharing platforms); Germany, Federal Court of
Justice, Decision 2 StR 321/19 of 15 January 2020 (BGH, Beschluss vom 15.01.2020, 2 StR 321/19); United States of America v.
Caleb Young (Chat rooms); and United States District Court, Western District of North Carolina, United States of America v. Steven W.
Chase, Case No. 5:15-CR00015-001, 8 May 2017 (Bulletin board).
232 
See, for example, United States of America v. John Doe #1, Edward Odewaldt et al. (Dreamboard); Germany, Federal Court
of Justice, Decision 2 StR 321/19 of 15 January 2020 (BGH, Beschluss vom 15.01.2020, 2 StR 321/19); Europol, Internet Organised
Crime Threat Assessment 2020, p. 38.

77
DIGEST OF CASES

using various applications, such as encrypted messaging platforms.233 The online communities of child sex
offenders are tightly controlled with platform affiliation rules and codes of conduct.234 Rules are enforced
by moderators and administrators of the site, and members of the site must follow the official affiliation
rules and codes of conduct in order to remain active members on the site.235 Within these forums, individu-
als are often promoted based on their contributions on the site and/or rewarded for their contributions.
Active participation in the forums builds a person’s reputation and can increase a person’s position, stand-
ing and/or rank within the community. Active participation in these forums is associated with the advertise-
ment, posting, distribution or otherwise making available of child sexual abuse material and child sexual
exploitation material. To maintain access to the sites and/or to gain access to more child sexual abuse and
child sexual exploitation material on the site, members have to continuously post such material. Failure to
contribute to the site would lead to a revocation of privileges and removal from the site. Some child sexual
abuse and child sexual exploitation sites (e.g., Dreamboard and the Giftbox Exchange) also require new
members to post child sexual abuse material during registration for verification purposes,236 whereas other
sites (e.g., Elysium) did not have these requirements.237
Organized criminal groups predominantly follow profit-driven models that are characteristic of legitimate and
illegitimate organizations. Europol, in its report Internet Organised Crime Threat Assessment 2020, identified
a trend in the commercialization of child sexual abuse material and child sexual exploitation material:238 the
monetization of such material on the clearnet and the darknet.239 Individuals receive credit based on the number
of downloads of the content they upload to the site and get paid via cryptocurrencies or other forms of pay-
ment.240 An example of this is the case in the Republic of Korea involving the website Welcome to Video
(see chap. IV), whereby bitcoin was used to monetize child sexual exploitation material.241

R v. Philip Michael Chicoine [2017] S.J. No. 557, 2017 SKPC 87 (Canada)
The defendant, P.M.C., lured children to commit sexual assault and produce child sexual abuse
material, had in his possession child sexual abuse material (over 4,132 unique images and 582
videos of child sexual abuse) and created, accessed, shared and/or otherwise distributed child
sexual abuse material online, using a well-known communication application, a well-known mes-
saging application, instant messaging service applications and peer-to-peer file-sharing plat-
forms.a The defendant used a communication application to communicate with child sex offenders
located in the Philippines and Romania and paid those individuals to sexually abuse female children
4–9 years old, directing the offenders as to what specific type of sexual abuse he wanted to see. The
child sexual abuse material was either pre-recorded or live-streamed.b The defendant also directly
communicated with children through an instant messaging service and sexually exploited them,
sending them sexualized and graphic images, including images of his penis, offering them money
in exchange for images of their vaginas and directing the child victims to give the defendant’s messag-
ing service account to other young girls. The exact number of the defendant’s victims is not known.

233 
See, for example, United States of America v. Caleb Young, p. 3 (the Bored group); see also Europol, Internet Organised Crime
Threat Assessment 2020, p. 37.
234 
Europol, Internet Organised Crime Threat Assessment 2020, p. 38.
235 
Ibid.
236 
United States of America v. John Doe #1, Edward Odewaldt et al. (Dreamboard); Germany, Federal Court of Justice, Decision
2 StR 321/19 of 15 January 2020 (BGH, Beschluss vom 15.01.2020, 2 StR 321/19) (the Giftbox Exchange); see also Maras,
Cybercriminology, chap. 10.
237 
Germany, Federal Court of Justice, Decision 2 StR 321/19 of 15 January 2020 (Elysium) (BGH, Beschluss vom 15.01.2020,
2 StR 321/19); see also Maras, Cybercriminology, chap. 10.
238 
Ibid.
239 
Europol, Internet Organised Crime Threat Assessment 2020, p. 40; see also, Costa Rica, Tribunal Penal del Tercer Circuito
Judicial de San José, Causa penal No. 15-001824-0057-PE & Causa Penal No. 19-000031-0532-PE (Operación R-INO); Argentina,
Tribunal Oral Federal de Jujuy, Causa FSA 8398/2014/TO1; and Republic of Korea, Seoul Central District Court (Criminal Department
I-I), 2018NO2855, 2 May 2019.
240 
Ibid.
241 
Republic of Korea, Seoul Central District Court (Criminal Department I-I), 2018NO2855, 2 May 2019.

78
 chapter V.   Types of cyber organized crime

The defendant pleaded guilty to over 40 offences involving child sexual abuse and child sexual
exploitation, including conspiracy charges relating to creating child sexual abuse material. He was
sentenced to 12 years’ imprisonment for his offences and was required to register as a sex offender
for life (pursuant to the Sex Offender Information Registration Act of Canada). The defendant was
also prohibited from using the Internet or any other digital network to access content that violates
the law, to communicate with a minor, to directly or indirectly access any social media sites, social
networks, Internet discussion forums or chat rooms or to maintain a personal profile on any such
service.c Furthermore, he was required to pay a “victim fine surcharge” of 200 Canadian dollars for
each of the 40 counts to which he had pleaded guilty, for a total of $Can 8,000.d
For more information on this case, see UNODC, SHERLOC case law database, Case No. CANx138.e

a
R v. Philip Michael Chicoine [2017] S.J. No. 557, 2017 SKPC 87, para. 11.
b
For further information about live-streaming child sexual abuse, see chap. V, sect. B.6, below.
c
R v. Philip Michael Chicoine [2017] 2017 SKPC 87, para. 67 (d) (iii).
d
Ibid., para. 68.
e
Available at https://sherloc.unodc.org/.

(b) Child grooming

Child grooming can be described as the means by which an adult “befriends” a child with the intention of
sexually abusing the child.242 Child grooming can occur both online and offline. Research shows that girls
are predominantly the victims of this crime, whereas males are predominantly the perpetrators of this
crime.243
The term “grooming” is not commonly found in law;244 what is found are terms such as “luring”, “entice-
ment”, “solicitation” and “seduction”.245 Some laws criminalize online grooming if it can be shown that the
offender intended to meet the child in person,246 while other laws do not have this requirement.247
The grooming process varies. Essential elements, however, are: victim selection, which is based on the
appeal, ease of access and vulnerability of the victim; victim contact; rapport-building and forming a
friendship between the offender and the victim; and the sexual abuse or sexual exploitation of the victim
(e.g., the coercion or manipulation of the victim into producing child sexual abuse or child sexual exploita-
tion material).248

242 
Greijer and Doek, Terminology Guidelines for the Protection of Children, p. 49.
243 
Alessia Altamura, “Online child sexual abuse and exploitation: spotlight on female sex offenders”, ECPAT International
Journal: Online Child Sexual Exploitation – An Analysis of Emerging and Selected Issues, No. 12 (2017), pp. 26–46.
There are exceptions, such as section 131B of the Crimes Act 1961 of New Zealand, which is entitled “Meeting young
244 

person following sexual grooming, etc.”; section 15 of the Sexual Offences Act 2003 of the United Kingdom; the Council of Europe
Convention on the Protection of Children against Sexual Exploitation and Sexual Abuse; and directive 2011/93/EU replacing Council
framework decision 2004/68/JHA.
245 
See Costa Rica, Penal Code, art. 167 bis (Seduction or encounters with minors through electronic means); Antigua and Barbuda,
Electronic Crimes Act, art. 10 (Entice); Council of Europe Convention on the Protection of Children against Sexual Exploitation and
Sexual Abuse, art. 23 (Solicitation of children for sexual purposes); and directive 2011/93/EU. Germany uses the word “influences”
(see the German Criminal Code (Strafgesetzbuch), sect. 176 (Sexual abuse of children)).
246 
Council of Europe Convention on the Protection of Children against Sexual Exploitation and Sexual Abuse; directive 2011/93/
EU; section 15 of the Sexual Offences Act 2003 of the United Kingdom.
247 
For more information about the countries that have these laws, see International Centre for Missing and Exploited Children,
Online Grooming of Children for Sexual Purposes: Model Legislation and Global Review (2017), p. 7.
248 
Kenneth V. Lanning, Child Molesters: A Behavioral Analysis for Professional Investigating the Sexual Exploitation of Children,
(Alexandria, Virginia, National Center for Missing and Exploited Children, 2010; Georgia M. Winters and Elizabeth L. Jeglic, “Stages
of sexual grooming: recognizing potentially predatory behaviors of child molesters”, Deviant Behavior, vol. 38, No. 6 (2017),
pp. 724–733; Rachel O’Connell, “A typology of cybersexploitation and online grooming practices (Preston, United Kingdom,
University of Central Lancashire, Cyberspace Research Unit, 2003); Susan Aitken, Danielle Gaskell and Alan Hodkinson, “Online
sexual grooming: exploratory comparison of themes arising from male offenders’ communications with male victims compared to
female victims”, Deviant Behavior, vol. 39, No. 9 (February 2018), pp. 1170–1190.

79
DIGEST OF CASES

United States of America v. Caleb Young, Case No. 18-20128

(E.D. Michigan, 11 May 2018) (the Bored Group) (United States of America)
An international child sexual exploitation ring, the Bored group,a met, organized their activities and
operated exclusively online. Initially, the group met on a social media platform that was popular for
live-streaming video chats.b Frustrated with the moderating that existed on that site, they migrated
to other sites and ultimately ended up using one unidentified site that was not moderated.c The chat
rooms created on this site could not be found unless a person knew the uniform resource locator
(URL) of the chat room.
The perpetrators devised and executed a plan to lure targets from moderated platforms to an unmod-
erated chat room and convince them to engage in sex acts. Specifically, the members of the group
worked together to recruit, entice and coerce minors to engage in sex acts during video chat sessions.
To accomplish this, members of the group created fake profiles of teenage boys on social media and
dating sites to target underage girls.d The members would then identify minors to target, contact and
communicate with in order to get the victims to join the offenders in the unmonitored chat room. All
of the members of the group spent a considerable amount of time communicating with their targets
in order to gain their trust, build rapport and, ultimately, entice the victims into commiting sex acts.e
Members of the Bored group used several techniques to manipulate victims, including:f
(a) Dares. A group member would dare the victim to engage in sexualized behaviour and
sex acts;
(b) Polls. Running polls would be conducted with participants in the chat room about the
attractiveness of minors and/or the participants would vote on what type of items of clothing
the minor should remove and/or what type of sex act the minor should engage in;
(c) Competitions. Minors would be pitted against each other in an effort to be rewarded (i.e.,
they would receive points for engaging in certain sexualized behaviour and sex acts and would
advance to higher levels based on points);
(d) Purporting to block webcams. To reduce the inhibitions of minors, a group member whom
the victim trusted (called a “handler”) would claim that he could block the victim’s webcam and
prevent other participants in the chat room from viewing the victim. When the handler told the
other participants that this tactic was being used, they would pretend that they were unable to
see anything via the victim’s webcam;
(e) Loops. Pre-recorded videos of other minors talking and/or engaging in sexualized behav-
iour or sex acts were played as if they were occurring in real time in order to manipulate the
minor into engaging in similar conduct and/or acts.

Members of the Bored group had distinct roles: “hunters”, “talkers” and “loopers”.g “Hunters”
would lure victims to the chat room.h Once the victims had joined the chat room, “talkers” would
attempt to convince them to undress and masturbate on camera by engaging them in conversation
and building trust and rapport.i “Loopers” would pose as female minors and play a pre-recorded
video of another minor talking or engaging in sex acts, which the “loopers” would seek to pass off
as an event happening in real time.j The “loopers” would play the pre-recorded videos in an effort to
convince the girls to perform a sex act.
One method used to monitor, evaluate and coordinate their activities, track progress and share
their knowledge and expertise was to discuss their plans, activities and experiences on a separate
site (the now defunct TitanPad) and record their activities and experiences on a password-protected
spreadsheet on that site that included information about which chat rooms on the website were
associated with which victims and the social media accounts associated with members that were
used to lure each of the victims.k The spreadsheet also enabled the members of the group to keep
track of the manipulation techniques that had been successful with each victim and what sex acts

80
 chapter V.   Types of cyber organized crime

each victim had engaged in (the sex acts included extremely depraved acts; for example, one
member of the group had enticed a minor to engage in a sex act with a dog).l After TitanPad ceased
its operation in 2017, the Bored group moved its activities to Discord, a group chat platform with
voice and video capabilities.m
The defendant (C.Y.) pleaded guilty to engaging in a child exploitation enterprisen and received a
sentence of 30 years’ imprisonment for that offence.o C.M., the leader of the child exploitation
enterprise, received a sentence of 40 years’ imprisonment.p He was killed in prison during an alter-
cation with other inmates in January 2019.q Other members of the group received sentences of
38 years (A.S.), 37 years and 6 months (O.O.), 35 years (J.N.R.), 31 years and 3 months (M.F.) and
30 years and 6 months of imprisonment (B.J.S. and D.W.).r All of the members of the group were
ordered to pay each identified victim restitution (US$ 5,000).s
For more information on this case, see UNODC, SHERLOC case law database, Case No. USAx173.t

a
The Bored group earned this nickname because the chat rooms they created all included the word “bored” in them.
b
United States of America v. Caleb Young, p. 3.
c
Ibid.
d
Ibid., p. 5.
e
Ibid., pp. 7 and 13–16.
f
Ibid., pp. 7–9.
g
United States of America v. Caleb Young, Affidavit in support of application for complaint and arrest warrant, p. 6.
h
Ibid.
i
United States of America v. Caleb Young, Sentencing Memorandum, p. 7.
j
United States of America v. Caleb Young, Plea Agreement, p. 6.
k
United States of America v. Caleb Young, Affidavit in support of application for complaint and arrest warrant, pp. 6–7.
l
United States of America v. Caleb Young, Sentencing Memorandum, pp. 10–11.
m
Ibid., p. 12.
n
United States Code, Title 18, sect. 2252A (g).
o
United States of America v. Caleb Young, Plea Agreement; United States Attorney’s Office, Eastern District of Michigan,
“Eight men sentenced for their roles in an international child pornography production ring”, press release, 6 December 2018.
p
Ibid.
q
Associated Press, “Child porn leader dies after fight at detention center”, 4 January 2019.
r
United States Attorney’s Office, Eastern District of Michigan, “Eight men sentenced”.
s
Ibid.
t
Available at https://sherloc.unodc.org/.

(c) Live-streaming child sexual abuse

Live-streaming child sexual abuse involves the broadcasting of child sexual abuse in real time.249 Participants
in the live-stream can be passive or active viewers. Passive viewers pay to watch, while active viewers pay to
play a role in the child sexual abuse by communicating what sexual acts they want to see performed by the
abusers, the child and/or the child’s handlers (active viewers engage in what is known as “child sexual abuse
to order”).250 In Canada, in R v. Pitts,251 the defendant (J.T.P.), with other unidentified individuals, engaged in
live-streaming child sexual abuse, whereby children in the Philippines were sexually exploited and abused.
Specifically, during the live sessions, the defendant made the children perform specific sex acts on adult
females and/or other children.252 The defendant pleaded guilty to offences relating to possessing, accessing
and making child sexual abuse material and to conspiring to commit the indictable offence of sexual assault
on a child and was subsequently sentenced to five years’ imprisonment.253 He unsuccessfully appealed his
sentence, claiming that it was excessive.

249 
For more information, see UNODC Teaching Modules, Cybercrime, Module 2: General types of cybercrime, “Computer-
related offences” and Module 12: Interpersonal cybercrime, “Online child sexual exploitation and abuse”. Available at sherloc.unodc.
org/cld/en/education/tertiary/cybercrime/module-2/index.html and sherloc.unodc.org/cld/en/education/tertiary/cybercrime/
module-12/index.html.
250 
UNODC, Study on the Effects of New Information; Greijer and Doek, Terminology Guidelines for the Protection of Children,
p. 47.
251 
Canada, Nova Scotia Court of Appeal, R v. Pitts, 2016 NSCA 78.
252 
Ibid., para. 10.
253 
Ibid., paras. 1 and 18.

81
DIGEST OF CASES

Live-streaming child sexual abuse is prohibited by law.254 However, the criminalization of this act varies by
country. Active participants in live-streaming child sexual abuse could be charged with laws criminalizing
the production of child sexual abuse material.255 Passive participants in live-streaming child sexual abuse
could also be charged, although this depends on national laws. Passive and active participants in live-stream-
ing child sexual abuse can be charged with the possession of child sexual abuse material if they have in their
possession a recording of the session and/or pictures that were taken during the live-stream.256 Nevertheless,
the child sexual abuse that is live-streamed may not be recorded by participants, abusers and/or child hand-
ers in an effort to evade detection by law enforcement authorities and make it more difficult for them to be
prosecuted for this cybercrime. However, even in these cases, the financial transactions between partici-
pants and abusers in live-streaming child sexual abuse (e.g. online payment services, money transfers
and payments using digital currencies) can be used to detect this cybercrime and can be used in court as
evidence of this cybercrime.257 A case in point involved Xoom.com, an online money transfer service.
It reported to a well-known messaging service provider that certain users of their services were engaging in
child sexual abuse by selling child sexual abuse material and live-streaming child sexual abuse. An investi-
gation by the service provider identified multiple instances in which their account holders were believed to
be buying and selling child sexual abuse material and participating in live-streaming child sexual abuse
from the Philippines.258 This case highlights an important facet of live-streaming child sexual abuse and
child sexual abuse material. While such crimes are perpetrated primarily for the personal sexual gratifica-
tion of the offenders, the offenders also have a financial motivation for the creation and distribution of child
sexual abuse material.

United States of America v. Dylan Heatherly, No. 19-2424 (3d Circuit 2020)
and United States of America v. William Staples, No. 19-2932 (3d Circuit 2020)
(United States of America)
In Canada, an undercover investigation by a female law enforcement officer revealed that a well-
known videoconferencing platform was being used as a chat room and live-streaming space for
child sexual abuse material. The Canadian law enforcement officer reached out to her contacts in
the Government of the United States to inform them of the illicit activity that had been observed.
United States federal agents subsequently contacted the chief executive officer of the platform,
who assisted them in their investigation of the illicit activity that had been observed on the platform.
One outcome of the cooperation is the case described below, where two individuals were charged
with and convicted for their roles in the use of the videoconferencing platform to facilitate child
sexual abuse and exploitation.

254 
In article 2, paragraph (e), of directive 2011/93/EU, “pornographic performance” is defined as a live exhibition aimed at an
audience, including by means of ICT, of: a child engaged in real or simulated sexually explicit conduct; or the sexual organs of a child
for primarily sexual purposes. In article 21, paragraph 1, of the Council of Europe Convention on the Protection of Children against
Sexual Exploitation and Sexual Abuse, parties to the Convention are required to criminalize: (a) recruiting a child into participating
in pornographic performances or causing a child to participate in such performances; (b) coercing a child into participating in por-
nographic performances or profiting from or otherwise exploiting a child for such purposes; and (c) knowingly attending pornographic
performances involving the participation of children. Section 4 of the Anti-Child Pornography Act of 2009 of the Philippines states
that it shall be unlawful for any person: (a) to hire, employ, use, persuade, induce or coerce a child to perform in the creation or produc-
tion of any form of child pornography; (b) to produce, direct, manufacture or create any form of child pornography; and (c) to publish
offer, transmit, sell, distribute, broadcast, advertise, promote, export or import any form of child pornography.
255 
Greijer and Doek, Terminology Guidelines for the Protection of Children, p. 46.
256 
Ibid.
257 
Andrea Varrella, “Live streaming of child sexual abuse: background, legislative frameworks and the experience of the
Philippines”, in Online Child Sexual Exploitation: An Analysis of Emerging and Selected Issues, ECPAT International Journal,
No. 12 (2017), p. 49.
258 
United States District Court, Southern District of California, United States of America v. Carsten Igor Rosenow, Case No. 17-CR-
3430, Motion to Suppress Evidence and Motion to Dismiss Indictment (2018), p. 3; and United States Attorney’s Office, Southern District
of California, “San Diego man sentenced to 25 years in federal prison for child pornography offenses”, press release, 2 March 2020.

82
 chapter V.   Types of cyber organized crime

The two defendants (W.S.) and (D.H.) used a videoconferencing platform as a chat room space where
they virtually met with others to view, request, receive, distribute and otherwise facilitate the receipt
and distribution of child sexual abuse material. Using the platform, pre-recorded child sexual abuse
material was shared, as well as live-streaming child sexual abuse. One male user of the platform
(A.) repeatedly live-streamed himself raping and sexually abusing his six-year-old nephew.a Other
users of the platform, including the two defendants, encouraged A. to rape and sexually abuse his
nephew. Other members of the session even directed A. to perpetrate specific types of child sexual
abuse and sexual assault on the victim (a form of “child sexual abuse to order”). The defendants also
requested child sexual abuse material from other users of the platform.

One of the defendants (W.S.) was found guilty of conspiracy to advertise, receive and/or distribute,
and aid and abet the receipt and/or distribution of, child sexual abuse material.b The other defend-
ant (D.H.) was found guilty of conspiracy to receive and/or distribute, and aid and abet the receipt
and/or distribution of, child sexual abuse material.c For their crimes, D.H. and W.S. were sentenced
to 25 and 30 years’ imprisonment, respectively.d

The two defendants appealed their convictions and sentences for conspiracy charges relating to
child sexual abuse material, claiming, among other things, that the evidence introduced in court
against them was highly prejudicial. The defendants claimed that they were not interested in child
sexual abuse material but wanted to watch other men masturbate on the platform. Child sexual
abuse video recordings and chat logs of the platform sessions and the child sexual abuse material
found on the defendants’ devices had been introduced as evidence at trial to rebuke the defendants’
claims that they were not aware and/or did not enter the chat room space for the purposes of child
sexual abuse and exploitation.

The introduction of the child sexual abuse video recordings as evidence was a particular point of con-
tention for the defendants. The introduction of the video recordings as evidence was viewed as neces-
sary to prove conspiracy to engage in child sexual abuse and child sexual exploitation by showing that
the chat room space had served as a “haven” where individuals gathered to discuss and share child
sexual abuse material.e The United States Court of Appeals for the Third Circuit held that:

The video clips helped to establish the culture that permeated the … chats. That was an impor-
tant part of proving that the participants were involved in such a unity of purpose and common
undertaking that they had necessarily entered into an agreement that this type of material be
received or distributed… The government’s attempt to verbalize what the defendants were
watching may well have been inadequate to communicate the nature of the … chats or whether
the unity of purpose between these defendants was such that it suggested an implicit agree-
ment to participate in these live-streams, as opposed to “merely” separately observing them.f

The Court of Appeals ultimately ruled that risk of the prejudicial influence of this evidence on jurors
was outweighed by the evidence being highly probative of the conspiracy and the defendants’
awareness of what they were involved in.g The Court of Appeals found no error in the defendants’
convictions and sentences and affirmed the lower court’s decisions.

For more information on these cases, see UNODC, SHERLOC case law database, Case No. USAx174.h

a
United States of America v. Dylan Heatherly, Case No. 19-2424, p. 3; and United States of America v. William Staples, Case
No. 19-2932, p. 3.
b
United States Department of Justice, Office of Public Affairs, “Two men convicted of engaging in child exploitation
conspiracy”, press release, 25 January 2018.
c
Ibid.
d
United States of America v. Dylan Heatherly, Case No. 19-2424; and United States of America v. William Staples, Case
No. 19-2932, p. 10.
e
Ibid., p. 21.
f
Ibid., pp. 7–8.
g
Ibid., p. 3.
h
Available at https://sherloc.unodc.org/.

83
DIGEST OF CASES

Tribunal Oral Federal de Jujuy, Causa FSA 8398/2014/TO1 (Argentina)

In Argentina, an investigation was initiated on 6 January 2014, following the receipt of information
from the Australian Federal Police and the FBI via the United States Embassy in Buenos Aires about
an Internet user located in Argentina (the defendant) who had downloaded child sexual abuse
images and video recordings. The downloads involved pages from the following:

(a) IMGSRC.RU, a website based in the Russian Federation and dedicated to the publication of
child sexual abuse that included links to child sexual abuse material: on this site, the defendant
uploaded a photograph called “a beuty boy 3yo before to ...” from his personal email account;
(b) The Love Zone (TLZ), a platform dedicated to the exchange of child sexual abuse material
requesting its aspiring members to make an initial contribution of 50 megabytes of unpub-
lished child sexual abuse material: the defendant joined TLZ in 2013, and, after becoming a VIP
member, uploaded several images and video recordings under the computer moniker “miguel-
boysnew”. To maintain his membership, he made monthly contributions of 40 megabytes of
child sexual abuse material.

The investigation of the case was led by the division of technological crimes of the federal police of
Argentina, which preserved, analysed and produced reports based on the electronic evidence
shared by the law enforcement authorities of Australia and the United States and the electronic
evidence obtained from material seized in Argentina. The seized material, resulting from raids on
two residences in Argentina, included four electronic devices, as well as various documents, used
and unused condoms, and clothing of adults and children. A significant number of images and video
recordings indicating the production, distribution, facilitation and acquisition of child sexual abuse
material were obtained from the devices seized in the defendant’s bedroom. Images and video
recordings of activities that could be related to the recruitment of minors were also found. After
further investigation, it was established that the defendant had filmed and photographed himself
sexually abusing minors. The produced child sexual abuse material was later exchanged on the
aforementioned website and platform. Forensic data extracted from the defendant’s mobile phone
and from his tablet computer revealed a significant number of photographs of children with Anglo-
Saxon features, including a child holding a sign that read: “for my friend…”, with the defendant’s
name following the word “friend”. An analysis of metadata of the images linked some of the images
with the defendant’s mobile phone.

The defendant used the images of minors to obtain an exclusive benefit for himself, which was to
have access to more child sexual abuse material on the website and platform. The defendant
exploited minors by subjecting them to register their images in order to obtain a benefit for them-
selves, revealing the purpose of exploitation required by the type of trafficking. What the defendant
did in relation to the TLZ site is payment in kind.

The federal oral court of Jujuy sentenced the defendant to 32 years’ imprisonment for the crimes of
“trafficking in persons for the purpose of exploitation, to promote, facilitate and commercialize
child pornography” and “sexual abuse with repeated carnal access”.

For more information about this case, see UNODC, SHERLOC case law database, Case No. ARGx012.a

a
Available at https://sherloc.unodc.org/.

84
 chapter V.   Types of cyber organized crime

7. Trafficking in persons
Trafficking in persons refers to:
The recruitment, transportation, transfer, harbouring or receipt of persons, by means of the threat
or use of force or other forms of coercion, of abduction, of fraud, of deception, of the abuse of
power or of a position of vulnerability or of the giving or receiving of payments or benefits to
achieve the consent of a person having control over another person, for the purpose of exploitation.
Exploitation shall include, at a minimum, the exploitation of the prostitution of others or other
forms of sexual exploitation, forced labour or services, slavery or practices similar to slavery,
servitude or the removal of organs.259
ICT is used to recruit, coerce and control victims, to advertise trafficked persons, solicit clients and launder
profits, among other illicit activities.260 For example, in Belgium, an organized criminal group used ICT to
recruit victims of trafficking in persons and “employees” to work for the organization (e.g., drivers), to
advertise trafficked victims and to solicit clients.261 To recruit victims, perpetrators may use “sockpuppet”
profiles (multiple fictitious online profiles controlled by the same user to bolster some point of view) to
manipulate and deceive targets and may browse social media profiles to identify vulnerable targets. Fake
job advertisements have also been used to recruit victims and/or reach out to victims for fictitious work.262
Women and girls have been coerced to perform sex acts in front of cameras live-streaming to clients in
different parts of the world (see the box below). Traffickers have also recruited and coerced persons to
commit crimes, including cybercrimes and fraud. In one case in Denmark, trafficked persons were coerced
into committing fraud involving the use of fake digital signatories to file tax returns.263 In another case in
Denmark, trafficked persons were coerced into perpetrating credit card and other forms of fraud (see, for
example, the discussion on the Wasp Nest case in chap. VI, sect. E.3).264

Regional Trial Court of Misamis Oriental, 10th Judicial Region, Branch 41,
CRIM Case No. 2009-337 (Philippines)
The victims in this case were recruited from different areas of the Philippines and transported to
and harboured in the City of Cagayan de Oro, Philippines. Some of the victims were lured under the
pretence of working as an administrative assistant for a good salary, either in the Philippines or
overseas, while others were informed that the work involved cybersex. Irrespective of what was
discussed with victims, all of the victims worked in a cybersex den. The den, located on the third
floor of a building, included several rooms, each with a bed and a computer with a webcam and
Internet connection. The victims were required to interact with paying customers and comply with
the requests of the customers, such as undressing, dancing and/or engaging in sex acts streamed
via webcam.

The defendants took advantage of the vulnerable position of the victims and sexually exploited
them. The defendants argued that cybersex was not against the law. The court emphasized that
that did not exculpate the defendants. The defendants were charged not with facilitating cybersex,
but with the crime of trafficking in persons. The court held that evidence presented in the case
demonstrated a conspiracy between the defendants and others not charged in the case.

259
Article 3, paragraph (a), of the Protocol to Prevent, Suppress and Punish Trafficking in Persons, Especially Women and
Children, supplementing the United Nations Convention against Transnational Organized Crime.
260 
See Maras, Cybercriminology.
261 
Belgium, Tribunal correctionnel d’Anvers, Antwerpen, 2 mai 2016.
262 
Maras, Cybercriminology.
263 
Danmark B (R), ref. 9-3441/2015, domfældelse 14 December 2015.
264
Ibid.

85
DIGEST OF CASES

Regional Trial Court of Misamis Oriental, 10th Judicial Region, Branch 41,
CRIM Case No. 2009-337 (Philippines) (continued)

The defendants were charged with conspiracy and trafficking in persons in violation of sections 4 (a),
4 (e) and 6 (e) of Republic Act No. 9208. The defendants, B.S.S., E.A.S., A.G.R., A.P.B and A.L.R., were
found guilty of these crimes. Two of the defendants (B.S.S. and E.A.S., both males with Swedish
citizenship) received a sentence of life imprisonment, and each of them was required to pay a fine
of 2 million Philippine pesos. The other three defendants (A.G.R., A.P.B and A.L.R.) were sentenced
to 20 years’ imprisonment, and each of them was required to pay a fine of Pts 1 million.

For more information, see UNODC, SHERLOC case law database, Case No. PHL007.a

a
Available at https://sherloc.unodc.org/.

The advertisement of services are an essential element of trafficking in persons, as it enables the traffickers
to obtain clients for the services they are offering. Such advertisements may appear on online classified
advertisement sites, may be posted on social media platforms advertising trafficked persons (even the sale
of children) and may be in the form of individual websites dedicated to advertising trafficked victims, pros-
titution or escort services.265 In the United States, six defendants (four male and two female offenders) were
charged with and convicted for their role in trafficking two female victims, an adult and a minor, for the
purpose of sexual exploitation in two states (Maryland and Virginia) between 2018 and 2019.266 Recruitments
and advertisements of the minor victim were placed on Backpage.com shortly before it was shut down (see
the box in chap. IV), as well as YesBackpage, Bedpage and CityXGuide, which were viewed and promoted
as sites that had taken the place of Backpage once it had been taken down. The advertisements were also
available on a site that consolidates in one location escort advertisements from various sites, and an online
community forum where information and reviews of escorts are shared. A well-known messaging applica-
tion was used by the defendants to distribute images of the victims, to communicate with each other, the
clients and victims and to advertise the victims, both the minors and the adults, by sending photographs of
them to a “listserv”267 of clients. Clients visited hotels and a brothel apartment leased by one of the female
perpetrators to meet the victims. The defendants received sentences ranging from 6 years and 6 months to
16 years of imprisonment, whereby the average sentence was 15 years of imprisonment (one defendant
received a sentence of 6 years and 6 months of imprisonment).268

R v. ML & Ors Cr S 63/19 (2020) (Seychelles)

In Seychelles, three defendants were charged together with 26 counts of sexual assault, extortion,
possession of indecent photographs, possession of prohibited visual recordings, procuring or
attempting to procure by way of threats or intimidation a girl to have unlawful carnal connection
and recruiting, harbouring, transferring and receiving a child knowingly or recklessly disregarding
that the person is a child for the purpose of exploitation. The first defendant, ML, used a well-known
social media and networking platform to lure and groom young girls by promising modelling jobs
and money over a period of four years. ML requested the victims to send nude pictures. After receiv-
ing nude pictures from the victims, the defendant blackmailed the victims by threatening to expose

265 
See, for example, United States of America v. Daniel Palacios Rodríguez et al. and Belgium, Tribunal correctionnel d’Anvers,
Antwerpen, 2 mai 2016.
266 
United States of America v. Daniel Palacios Rodriguez et al.
A listserv distributes messages to the subscribers of a mailing list.
267 

268 
United States Attorney’s Office, Eastern District of Virginia, “Sex traffickers sentenced to combined 81 years in prison”, press
release, 28 July 2020.

86
 chapter V.   Types of cyber organized crime

their identities if they refused to engage in sexual acts with him and the co-defendant. In some
instances, these acts were filmed.

The court observed that the first defendant had a clear pattern in committing the offences and had
facilitated the interactions between the other two defendants and the complainants. The first
defendant pleaded guilty to over 20 counts of sexual assault and was eventually sentenced to
25 years’ imprisonment. The second defendant, EL, who was a police officer when he committed his
offence, pleaded guilty and was sentenced to 12 years’ imprisonment for one count of sexual
assault. The third defendant, JYN, also pleaded guilty to one count of sexual assault and was sen-
tenced to eight years’ imprisonment.

A search warrant was executed at ML’s residence, and several electronic devices (external hard
drives, pen drives, mobile phones and laptops) were seized. In addition, the police seized a number
of video recordings, dating from 2012 to 2019, of ML and the other two defendants engaging in sex
with the young girls. ML’s mobile phone was seized and examined. The analysis of texts and images
found on the phone revealed that ML, using the name “KB” and other profiles, had been in touch
with numerous girls between the ages of 12 and 15 using the application of the social media and
networking platform. From the images and texts extracted, ML’s modus operandi emerged: he
would falsely represent himself as a female model and get in touch with young girls via the social
media and networking platform and invite them to be models. He would offer them money for their
nude photographs and eventually ask them for sexual favours. When they refused, he would
threaten them with the publication of their nude photographs.

The case is a clear example of how social media platforms can enable sexual predators to target
innocent children. The court ordered that the Attorney General formally report these crimes to the
social media and networking service in question through the complaint mechanism provided for on
the service’s platform and request that any profiles used by the first defendant be removed. The
court expressed its concern and noted the challenges for law enforcement authorities, legislators,
parents, guardians, caregivers and social services in monitoring and investigating those who target
children through social media platforms. The court pointed out the need to exercise vigilance and
caution when interacting on these platforms and to report suspicious behaviour to the authorities.
The court also stressed that this case highlighted the need for specialized laws and investigating
units to respond to this type of conduct.

For more information on this case, see UNODC, SHERLOC case law database, Case No. SYCx011.a

a
Available at https://sherloc.unodc.org/.

8. Smuggling of migrants
The smuggling of migrants refers to the procurement, in order to obtain, directly or indirectly, a financial or
other material benefit, of the illegal entry of a person into a State party of which the person is not a national
or a permanent resident.269
ICT plays an integral role in the facilitation of the smuggling of migrants. ICT has been used to advertise
and finance the smuggling of migrants and has served as a tool for communication between members of the
smuggling operation and the migrants.270 Advertisements of smuggling services, fees, methods of payment,
modes of transport (e.g., by land, air or sea) and routes are posted on websites, social media platforms and

Article 3, paragraph (a), of the Protocol against the Smuggling of Migrants by Land, Sea and Air, supplementing the Organized
269 

Crime Convention.
270 
CTOC/COP/WG.7/2020/3, paras. 7–15; A/CONF.234/11, paras. 41–48.

87
DIGEST OF CASES

other online platforms.271 These platforms are also used to recruit migrants and other participants in the
smuggling operations (e.g., drivers). ICT also facilitates the payment of fees associated with the smuggling
of migrants. Payment can be rendered to smugglers and others involved in the smuggling operations using
traditional commercial financial transactions (e.g., cash payments and wire transfers), cryptocurrencies or
online payment and money transfer services via websites or applications.272 Moreover, communication
between smugglers and their associates, as well as between members of the smuggling operation and the
migrants, is facilitated by encrypted and unencrypted telecommunications and electronic communication
channels.273

United States of America v. Cristian Hirales-Morales, Marcos Julian Romero and

Sergio Anthony Santivanez, Case No. 19CR4089DMS (S.D. California, 10 October
2019) (United States of America)

Smuggling migrants across the border between Mexico and the United States
The leader (C.H.-M.) and two other high-ranking members (M.J.R. and S.A.S.) of a transnational
criminal organization engaged in migrant smuggling operations and based in Tecate, Mexico, were
charged with various violations of Title 8, section 1324, of the United States Code, including alien
smuggling, conspiracy to bring illegal aliens into the United States for financial gain, and conspir-
acy to transport undocumented aliens within the United States for financial gain.a The organization
had illegally smuggled migrants from Mexico through the southern border of California for a fee of
US$ 8,000 per person.b M.J.R. and S.A.S had arranged meetings at hotels and motels to obtain the
fees. Arrangements had subsequently been made to send the fees to C.H.-M. in Mexico.

ICT played an integral role in the logistics of the migrant smuggling operations. In particular, the
leader, higher-ranking members and associates of the criminal organization used a well-known
messaging application to communicate and coordinate with each other before and during smug-
gling operations.c M.J.R. and other criminal associates were responsible for recruiting drivers for
the smuggling operations. Drivers were recruited through employment advertisements on an
online classified advertisement site and other websites.d Among those recruited were secondary
school students from San Diego, California.e C.H.-M. also used ICT to monitor and track movements
of operatives and migrants, as well as to inform drivers of the pick-up locations for migrants by
using a well-known mapping and navigation application for mobile devices.f

The two higher-ranking members (M.J.R. and S.A.S.) pleaded guilty to “conspiracy to bring illegal
aliens into the United States for financial gain” and “conspiracy to transport undocumented aliens
within the United States for financial gain”, respectively. They have not been sentenced for their
crimes and the leader of the organization, C.H.-M., has not yet been tried for his crimes.

For more information on this case, see UNODC, SHERLOC case law database, Case No. USAx249.g

a
United States of America v. Cristian Hirales-Morales, Marcos Julian Romero and Sergio Anthony Santivanez, Case No. 19-CR-
4089-DMS.
b
Ibid., p. 3.
c
Ibid., pp. 3–4.
d
NBC San Diego, “Migrant smuggling ring accused of recruiting local high school students”, 17 October 2019.
e
Ibid.; Kristina Davis, “Trio charged with using high-schoolers to smuggle migrants”, The San Diego Union-Tribune,
15 October 2019.
f
United States of America v. Cristian Hirales-Morales, Marcos Julian Romero and Sergio Anthony Santivanez, p. 4.
g
Available at https://sherloc.unodc.org/.

271 
Ibid.
272 
CTOC/COP/WG.7/2020/3, paras. 14–15; see also A/CONF.234/11.
273 
CTOC/COP/WG.7/2020/3, paras. 7–15.

88
 chapter V.   Types of cyber organized crime

9. Drug trafficking
Drug trafficking involves the illicit sale and distribution of drugs in violation of national laws or interna-
tional laws, such as the Single Convention on Narcotic Drugs of 1961 as amended by the 1972 Protocol, the
Convention on Psychotropic Substances of 1971 and in particular the United Nations Convention against
Illicit Traffic in Narcotic Drugs and Psychotropic Substances of 1988. Every country is affected in some
way by drug trafficking, regardless of whether it is used by drug traffickers as a source country, a transit
country or a country of destination.
In World Drug Report 2020, it was noted that the global illicit drug market had expanded, and so had the
illicit use of drugs worldwide.274 New drug trafficking patterns have also been identified.275 These patterns
include not only the types of drugs that are produced, demanded and distributed, but also the tools used (and
the manner in which they are used) in the illicit drug trade. One example of such a tool is ICT. ICT has long
been used by criminals to facilitate drug trafficking. Websites, online marketplaces, classified advertise-
ments, social media platforms and applications have been used in the advertisement, sale and purchase of
controlled drugs online.276 For example, well-known messaging, chatting and social media platform appli-
cations have been used for daily operations, price negotiation, communication, arranging deliveries and
other activities related to drug trafficking.277 ICT has also been used to evade law enforcement detection
through the use of prepaid mobile phones, encryption and the darknet.
Darknet drug markets have removed or at least reduced barriers to entry into drug markets. In United States
v. Ulbricht, the testimony of a vendor from Silk Road (a now defunct darknet market) revealed that darknet
drug markets such as Silk Road provided individuals with a platform to create a drug business irrespective
of their geographical location, by providing them with the resources they needed to sell drugs via the plat-
form: “an anonymous online sales portal, a huge pre-existing customer base, how-to advice from the
‘Seller’s Guide’ and Silk Road discussion forum, and an escrow system … to collect payment from …
customers remotely”.278 Silk Road and similar darknet sites that facilitate the illicit drug trade also made it
easier for buyers to access drugs that they might not have been able to access offline. Even drug vendors can
use other darknet vendors as drug suppliers to obtain the drugs that they sell online or offline, especially for
drugs that are not easy to obtain physically in their geographical location. The drugs that are purchased
online via the clearnet, as well as the darknet, are predominantly delivered by mail and express consignment
shipping carriers worldwide (depending on the geographical location of the buyers and sellers and the quan-
tity of the drugs).

United States of America v. Aaron Michael Shamo, Drew Wilson Crandall,

Alexandrya Marie Tonge, Katherine Lauren Anne Bustin, Mario Anthony Noble,
and Sean Michael Gygi, Case No. 2:16-CR-00631-DAK (D. Utah, 31 May 2017)
(PHARMA-MASTER, AlphaBay vendor) (United States of America)
A.M.S. ran a drug trafficking organization that imported controlled substances, such as fentanyl
and alprazolam, from China and used the drugs to manufacture fake oxycodone tablets made with
fentanyl and counterfeit Xanax (alprazolam) tablets,a which were subsequently sold on the darknet
market AlphaBay using the vendor name PHARMA-MASTER. A.M.S., through his organization, sold
1 million fake oxycodone tablets containing fentanyl to unsuspecting buyers in the United States.b

274 
World Drug Report 2020, booklet 4, Cross-Cutting Issues: Evolving Trends and New Challenges (United Nations publication,
2020), p. 9.
275 
World Drug Report 2020, booklet 4.
276 
European Monitoring Centre for Drugs and Drug Addiction, “The Internet and drug markets: summary of results from an
EMCDDA Trendspotter study” (2016).
277 
United States of America v. Ramiro Ramirez-Barreti et al., Criminal No. 4:19-CR-47; United States District Court, Western
District of North Carolina, United States of America v. Anthony Blane Byrnes, Case No. 3:20-MJ-51, Criminal Complaint, 13 February
2020.
278 
United States of America v. Ross William Ulbricht, 14-CR-68 (KBF), Government Sentencing Submission, 26 May 2015,
pp. 2–3.

89
DIGEST OF CASES

United States of America v. Aaron Michael Shamo, Drew Wilson Crandall,

Alexandrya Marie Tonge, Katherine Lauren Anne Bustin, Mario Anthony Noble,
and Sean Michael Gygi, Case No. 2:16-CR-00631-DAK (D. Utah, 31 May 2017)
(PHARMA-MASTER, AlphaBay vendor) (United States of America) (continued)

Ultimately, A.M.S. was charged with and convicted for running, organizing, supervising and direct-
ing a continuing criminal enterprise that imported and distributed controlled substances.c Along
with five other individuals (D.W.C., a male; M.A.N., a male; S.M.G., a male; A.M.T., a female; and
K.L.A.B, a female), A.M.S. engaged in drug-related offences to obtain money. All members of the
continuing criminal enterprise, with the exception of A.M.S., pleaded guilty to various drug-related
offences (e.g., conspiracy to distribute fentanyl and conspiracy to distribute alprazolam) and/or to
conspiracy to commit money-laundering charges.d A.M.S. was charged with and ultimately con-
victed by a jury for: engaging in a continuing criminal enterprise; three counts of aiding and abetting
the importation of a controlled substance; possession of a controlled substance with intent to dis-
tribute; manufacture of a controlled substance; two counts of knowing and intentional adulteration
of drugs while held for sale; aiding and abetting the use of the United States mail in furtherance of
a drug trafficking offence; conspiracy to commit money-laundering; money-laundering promotion
and concealment; and engaging in monetary transactions in property derived from specified unlaw-
ful activity.e
For his crimes, A.M.S. was sentenced to life imprisonment.f
For more information about this case, see UNODC, SHERLOC case law database, Case No. USAx208.g

a
United States Attorney’s Office, District of Utah, “Jury convicts Shamo of leading drug trafficking network”, press release,
press release, 30 August 2019.
b
United States Attorney’s Office, District of Utah, “Shamo sentenced to life in prison after conviction for organizing,
directing drug trafficking organization”, press release, 15 October 2020.
c
United States of America v. Aaron Michael Shamo, Drew Wilson Crandall, Alexandrya Marie Tonge, Katherine Lauren
Anne Bustin, Mario Anthony Noble, and Sean Michael Gygi, Case No. 2:16-CR-00631-DAK, Superseding Indictment, 31 May 2017,
pp. 2 and 8.
d
United States, Immigration and Customs Enforcement, “Utah grand jury returns superseding indictment in Shamo case;
adds distribution of fentanyl count resulting in death”, 18 October 2018.
e
United States Attorney’s Office, District of Utah, “Jury convicts Shamo of leading drug trafficking network”.
f
United States Attorney’s Office, District of Utah, “Shamo sentenced to life in prison”.
g
Available at https://sherloc.unodc.org/.

10. Trafficking in firearms

Trafficking in firearms is defined in article 3, paragraph (e), of the Protocol against the Illicit Manufacturing
of and Trafficking in Firearms, Their Parts and Components and Ammunition, supplementing the United
Nations Convention against Transnational Organized Crime, as the import, export, acquisition, sale, delivery,
movement or transfer of firearms, their parts and components and ammunition from or across the territory of
one State party (to the Protocol) to that of another State party if any one of the States parties concerned does
not authorize it in accordance with the terms of the Protocol or if the firearms are not marked in accordance
with article 8 of the Protocol. ICT facilitates firearms trafficking by enabling perpetrators to advertise and sell
firearms to customers worldwide in contravention of national and international laws.279
Firearms are advertised and sold on the clearnet and on the darknet.280 On the clearnet, websites, chat rooms,
discussion forums, social media platforms, online marketplaces and online classified advertisement sites are

279 
See UNODC, Teaching Modules, Cybercrime, Module 13. For information on global firearms trafficking, see Global Study on
Firearms Trafficking 2020 (United Nations publication, 2020).
280 
For more information, see Maras, Cybercriminology, pp. 354–356; UNODC, Teaching Modules, Firearms, Module 4: the
illicit market in firearms, “Supply, demand and criminal motivations”. Available at sherloc.unodc.org/cld/en/education/tertiary/
firearms/module-4/index.html; and Giacomo Persi Paoli and others, Behind the Curtain: The Illicit Trade of Firearms, Explosives
and Ammunition on the Dark Web (Santa Monica, California; Cambridge, United Kingdom, RAND Corporation 2017).

90
 chapter V.   Types of cyber organized crime

used in the solicitation, advertisement and sale of firearms.281 Firearms can be advertised and sold on clearnet
sites legally or in contravention of existing laws and/or terms of service of websites. Firearms are also adver-
tised and sold on the darknet, predominantly through cryptomarkets (sites that resemble those of well-known
online sales enterprises, where many vendors can sell their goods and services) and vendor sites (where ven-
dors sell their own goods or services). For example, Ross Ulbricht, the former administrator of Silk Road, the
now defunct darknet marketplace, allowed firearms sales on Silk Road until March 2012 and then moved those
sales to a site called the Armory that had been created specifically for the advertisement and sale of firearms
(see, for example, figure II).282 Technical information and other data related to the development, assembly,
procurement and use of firearms are also shared on the clearnet and the darknet.

Figure II. Screenshot showing the page of a now defunct website created solely for the
advertisement and sale of firearms

Source: United States District Court, Southern District of New York, United States of America v. Ross William Ulbricht, Indictment
14 Cr. 68 (KBF), 7 January 2015.

LG Karlsruhe, Urteil vom 19.12.2018, 4 KLs 608 Js 19580/17 (Germany)

A dark web forum by the name of “Deutschland im Deep Web – Keine Kontrolle, alles erlaubt!”
(Germany on the deep web – no control, everything allowed!) was created by the defendant, A.U.,
who operated under the username “luckyspax”. From 18 March 2013 to his provisional arrest on
8 June 2017, the defendant operated and acted as the sole administrator of this dark web forum
from his residence in Germany. The forum set up in the Tor network via the domain “germany-
husicaysx.onion”, which was used by its users primarily for discussions and the (predominantly
public) exchange of messages, but also for conducting illicit sales. To actively use the platform of
the forum, it was necessary to register under a username and to provide an encrypted message
address. Until it was shut down on 8 June 2017, the platform was one of the largest underground
forums in Germany, with over 23,000 registered users.  

281 
United States, Government Accountability Office, Report to Congressional Requesters, “Internet firearm sales: ATF enforce-
ment efforts and outcomes of GAO covert testing” (November 2017).
282 
United States of America v. Ross William Ulbricht, Government Sentencing Submission, p. 2.

91
DIGEST OF CASES

LG Karlsruhe, Urteil vom 19.12.2018, 4 KLs 608 Js 19580/17 (Germany) (continued)

The defendant subdivided the platform into different thematic categories, which were intended for
exchanging information on certain topics or sales transactions. The categories and subcategories
included:

(a) Religions (Islamists, Christian fundamentalists, doomsday);

(b) Freedom (free speech, will and suppression);
(c) Sports (martial arts, bodybuilding, steroids and doping);
(d) Politics and economy;
(e) Deep web:
(i) General (general topics about the deep web);
(ii) Websites (overview and discussion about hidden services);
(ii) Tutorials (tutorials in German about Tor, hidden services, encryption, etc.);
(iii) Bitcoins (speculation, anonymizing and trading);
(f) Security in information technology;
(g) Playground (rip-offs, etc.);
(h) Fraud and deception (fraud, carding and crime);
(i) Weapons (production, distribution and proper use);
(j) Eroticism (sex, preferences, relationships and prostitution);
(k) Suicide (effects, sharing of experiences and execution);
(l) Drugs (general topics on medicines and drugs):
(i) Experience reports and tips (safer use, trip reports, opinions);
(ii) Cultivation and production (exchange of experiences, problems and help);
(iii) Research chemicals (experiences, problems, ingredients and legality);
(m) Marketplace:
(i) Offer verified (cannabis verified, stimulants verified, psychedelics verified, phar-
macy verified);
(ii) Offer (cannabis, stimulants, psychedelics, pharmacy, new services and software);
(iii) Search (services, goods, information, etc.);
(iv) Free trade zone (bargain bin);
(v) Contact exchange (interested in new contacts?);
(vi) Experience reports and reviews (regarding offers here or on other marketplaces).

Communication on the platform mainly took place through the forums, which were accessible to
every user and only partially encrypted. In addition, users could communicate by means of the
internal messaging function for private messages, which was mandatorily encrypted using a stand-
ard encryption system. Messages older than one month were automatically deleted. The users
could also communicate via a well-known encrypted communications protocol or, in real time, via
a messaging service that required users to have a separate instant messaging application. In addi-
tion, an escrow service was offered for transactions made on the platform.

The defendant did not receive a share of the profit from the sales on the platform. The use of the
escrow service was, likewise, not based on a fee. The platform and the defendant were solely
financed by donations in bitcoin. Following an appeal for donations on 24 December 2015, the
defendant received €9,850.

The authorities were able to identify the defendant following his appeal for donations. The platform
used bitcoin as virtual currency and donations were transferred to a bitcoin address. Via a bitcoin
exchange, these donations could be transferred back to fiat currency. The bitcoins were transferred

92
 chapter V.   Types of cyber organized crime

back to fiat currency via “Bitcoin.de”, where the defendant used his real name and could therefore
be identified.

Between 27 September 2015 and 18 August 2016, the defendant put online at least 15 advertising
texts from users for the sale of narcotic drugs. The defendant also moved existing advertisements
and those previously released by him from the subcategory “Offer” to the subcategory “Offer veri-
fied” and marked each respective seller as a “Verified Seller”. By creating the category “Weapons”
on the forum, the defendant also supported trading transactions for weapons from 11 February
2015 until his provisional arrest in June 2017. Neither the defendant nor users of the forum had any
applicable permit to trade in narcotic drugs or weapons.

The transactions conducted via the platform included the sale of a handgun and the corresponding
ammunition by the user “rico” (later identified as P.K.) to the user “Maurächer” (later identified as
D.S.). Using the acquired weapon, D.S. carried out a mass shooting at a shopping centre on 22 July
2016, killing nine persons and severely injuring five others. In connection with the sale of the
weapon to D.S., P.K. was convicted of nine counts of negligent homicide and five counts of negligent
bodily harm and was sentenced to seven years’ imprisonment.

A.U. was charged with aiding the unlawful advertising of narcotic drugs (28 counts), aiding inten-
tional unlawful trading in a firearm (7 counts), aiding the intentional unlawful acquisition of a
semi-automatic pistol (2 counts) and intentional unlawful acquisition of narcotic drugs (4 counts).
He was also charged with aiding intentional unlawful trading in a firearm in conjunction with negli-
gent killing (9 counts) and with negligent bodily harm (5 counts) in relation to the sale of the weapon
used by D.S. to carry out the mass shooting. A.U. was sentenced to six years of imprisonment.

For more information about this case, see UNODC, SHERLOC case law database, Case No. DEUx035.a

a
Available at https://sherloc.unodc.org/.

The manufacture and distribution of firearms are regulated by law. Because firearms are manufactured and
distributed legally and illegally, the identification, tracing and investigation of illegal firearms are com-
plex.283 Like drug traffickers, firearms traffickers take advantage of ICT and social media platforms (to
advertise, sell and procure firearms) and also take advantage of mail and express consignment shipping
carriers (to deliver the firearms to buyers located anywhere in the world).284 In particular the online purchase
and subsequent postal delivery of ammunition and explosives, as well as parts and components and gun kits
for the assembly of firearms, are of growing concern. In addition, blueprints for the three-dimensional print-
ing of firearms or their parts can be downloaded on various websites, on the clearnet and on the dark web.
In most countries, there are legal loopholes in and limitations to the criminalization of the possession,
downloading or distribution of such blueprints.

11. Trafficking in wildlife

Wildlife crime contributes to the destruction of wildlife resources and ecosystems, desertification, environ-
mental degradation and the reduction and extinction of species. It has an impact on a wide range of wild
animal species, including rhinoceros, elephants, pangolins, tigers, parrots, reptiles and eels, as well as a
number of plant species, such as the variety of tropical hardwoods commonly referred to as “rosewood”.
It also threatens livelihoods, affects national security and undermines social and economic development.

283 
See also UNODC Teaching Modules, Organized Crime, Module 3: organized crime markets, “Firearms trafficking”. Available
at sherloc.unodc.org/cld/en/education/tertiary/organized-crime/module-3/index.html.
284 
Maras, Cybercriminology, pp. 354–356.

93
DIGEST OF CASES

Although the serious threats posed by wildlife crime are increasingly being recognized, there is no univer-
sally accepted definition of wildlife crime, nor are there international instruments that attempt to propound
such a definition.285 For the purposes of this publication, however, wildlife crime refers to trafficking in
specimens of wild flora and fauna, as well as related offences, contrary to national law, including but not
limited to national laws implementing obligations under the Convention on International Trade in
Endangered Species of Wild Fauna and Flora.286
Wildlife crime has become a significant and specialized area of transnational organized crime.287 Like other
traffickers, wildlife traffickers use ICT to enhance their operations and facilitate the advertisement, sale and
distribution of wildlife to customers throughout the world. Online trade in wildlife and wildlife products is
growing,288 a fact that has been recognized with concern by the General Assembly.289
While online marketplaces continue to be the most popular platforms for online wildlife trade, wildlife trade
is increasingly occurring on social media platforms.290 The growing trend in trafficking taking place through
social media and messaging applications has been observed in relation to a number of species, including
species of reptiles and big cats.291 One study of illicit marketplaces operating in the United Kingdom found
1,194 advertisements selling 2,456 specimens of wildlife at prices totalling almost US$ 1 million.292 In some
countries, wildlife traffickers have been reported to prefer online sales to physical markets as they entail
lower overhead costs and less scrutiny from authorities.293 Traffickers change usernames and use technolo-
gies such as virtual private networks to avoid apprehension.294 When online sales points are detected by law
enforcement authorities, the traffickers simply move to different online platforms.295

United States of America v. Eoin Ling Churn Yeng and Gal Vin Yeo Siang Ann, Case
No. 3:16 CR 00090 (D. Oregon, 23 February 2016) (United States of America)
The defendants, E.L.C.Y. and G.Y.S.A., operated Borneo Artifact, a company based in Malaysia.
Borneo Artifact illegally sold wildlife and wildlife products (orangutan skulls, rhinoceros hornbill
heads, helmeted hornbill skulls, etc.) via its website (borneoartifact.com) and an online auction
site. The defendants conspired with others to illegally ship and import wildlife and wildlife products
into the United States, concealing the true nature of the merchandise by purposely mislabelling the
shipments (as “crafts for decoration”, for example).

During the investigation of the enterprise, one of the defendants, E.L.C.Y., communicated via email
with an individual who, unbeknown to E.L.C.Y., was an undercover special agent from the United
States Fish and Wildlife Service of the Department of the Interior. The special agent was posing as
an associate of E.L.C.Y. who, following an investigation into his activities, had agreed to act as a
confidential informant and allowed the agent to use his email.a In his email messages sent to the
special agent, E.L.C.Y. revealed the types of illicit wildlife and/or wildlife products that were for sale,
the manner in which the merchandise would be transported to the United States, connections the
defendants had in the countries from which the products would be shipped and the ways in which
detection by border and custom agencies would be evaded.

285 
See also World Wildlife Crime Report 2020: Trafficking in Protected Species (United Nations publication, 2020), p. 29.
286 
See also UNODC, Guide on Drafting Legislation to Combat Wildlife Crime (2018), p. 2.
287 
World Wildlife Crime Report 2020, p. 109.
288 
Ibid., p. 13.
289 
See, for example, General Assembly resolution 71/326.
290 
International Fund for Animal Welfare, “Disrupt: wildlife cybercrime” (London, 2018), p. 30.
291 
World Wildlife Crime Report 2020, pp. 13, 15 and 87.
292 
International Fund for Animal Welfare, “Disrupt”.
293 
World Wildlife Crime Report 2020, p. 76.
294 
Coalition to End Wildlife Trafficking Online, “Offline and in the wild: a progress report of the Coalition to End Wildlife
Trafficking Online” (2020), p. 3.
295 
World Wildlife Crime Report 2020, p. 76.

94
 chapter V.   Types of cyber organized crime

The defendants ultimately pleaded guilty to conspiracy to smuggle goods into the United States,
receiving six months’ imprisonment, a fine of US$ 25,000, and 240 hours of community service to be
completed during their one year of supervised release from prison.b

For more information on this case, see UNODC, SHERLOC case law database, Case No. USAx200.c

a
United States District Court, District of Oregon, United States of America v. Eoin Ling Churn Yeng and Gal Vin Yeo Siang Ann,
Case No. 15-MJ-173, Criminal Complaint 1 December 2015); United States of America v. Eoin Ling Churn Yeng and Gal Vin Yeo
Siang Ann, Case No. 3:16 CR 00090, Criminal Indictment, 23 February 2016.
b
United States Attorney’s Office, District of Oregon, “Two Malaysian men sentenced to federal prison for smuggling
endangered wildlife into U.S.”, press release, 27 April 2016.
c
Available at https://sherloc.unodc.org/.

12. Trafficking in cultural property

Trafficking in cultural property is a crime that strikes at cultural heritage – the unique testimony to the
identity of peoples.296 Trafficking in cultural property deprives people of fundamental elements of their
identity and of valuable resources for their sustainable development, dispossessing them of their past and
thus prejudicing their future.
The General Assembly has expressed its alarm at the growing involvement of organized criminal groups in
all forms and aspects of trafficking in cultural property and related offences.297 On numerous occasions, the
Assembly has reaffirmed the need to strengthen international cooperation in preventing, prosecuting and
punishing all aspects of trafficking in cultural property.298
Notwithstanding the international consensus concerning the need to prevent and combat trafficking in cul-
tural property, there is no single, universally agreed definition of “cultural property”.299 In article 1 of the
Convention on the Means of Prohibiting and Preventing the Illicit Import, Export and Transfer of Ownership
of Cultural Property, adopted by the General Conference of the United Nations Educational, Scientific and
Cultural Organization in 1970, the term “cultural property” is defined as property that, on religious or sec-
ular grounds, is specifically designated by each State as being of importance for archaeology, prehistory,
history, literature, art or science and that belongs to the categories listed in that article. In article 2 of the
UNIDROIT Convention on Stolen or Illegally Exported Cultural Objects, adopted in 1995, “cultural
objects” are defined as those objects which, on religious or secular grounds, are of importance for archae-
ology, prehistory, history, literature, art or science and which belong to one of the categories listed in the
annex to the Convention. This definition is similar to that in article 1 of the 1970 Convention but does not
require that such objects be specifically designated by a State as being of importance.
There is also no internationally agreed definition of “trafficking in cultural property”. Trafficking in cultural
property is generally understood to be a phenomenon rather than a single type of conduct in relation to
cultural property.300 “Trafficking in cultural property” hence refers to a broad range of conduct relating
to the illicit trade in cultural property.
Trafficking in cultural property using the Internet has also been recognized as a matter of concern to the
international community.301 The General Assembly, expressing its alarm at the growing involvement of

296 
See also International Guidelines for Crime Prevention and Criminal Justice Responses with Respect to Trafficking in Cultural
Property and Other Related Offences (General Assembly resolution 69/196, annex).
297 
Ibid.
298 
See, for example, General Assembly resolutions 66/180, 69/196, annex, and 73/130.
United Nations Educational, Scientific and Cultural Organization (UNESCO), International Standards Section, Division of
299 

Cultural Heritage, “Legal and practical measures against illicit trafficking in cultural property: UNESCO handbook” (Paris, 2006), p. 4.
300 
UNODC, Practical Assistance Tool to Assist in the Implementation of the International Guidelines for Crime Prevention and
Criminal Justice Responses with Respect to Trafficking in Cultural Property and Other Related Offences (Vienna, 2016).
301 
See also UNESCO, International Criminal Police Organization (INTERPOL) and International Council of Museums, “Basic
actions concerning cultural objects being offered for sale over the Internet” (2006).

95
DIGEST OF CASES

organized criminal groups in all forms and aspects of trafficking in cultural property and related offences,
has noted that illicitly trafficked cultural property is increasingly being sold through all kinds of markets, in
particular over the Internet.302
Organized criminal groups have engaged in the trafficking in cultural property through legitimate markets
online and credible auction sites, as well as through underground illicit markets. Since the late 2000s, social
media and communication applications have also been used for trafficking in cultural property.303 The shift
to online trade has expanded the potential customer base for traffickers, has created new markets for small,
inexpensive objects such as coins that previously would not have been profitable to trade and has provided
traffickers with opportunities to sell cultural property and receive payment without being detected.304 These
trends have led to a rise in the number of dealers in trafficked cultural property.305

United States of America v. Ijaz Khan, Case No. 17-4301 (4th Circuit 2018)
(United States of America)
The defendant (I.K.) was convicted by a jury for crimes that included the smuggling of goods into the
United Statesa (the smuggling of stolen cultural artefacts (e.g., coins, pottery, arrowheads and
bronze weapons) from Pakistan into the United States) and conspiracy.b The defendant had submit-
ted fraudulent documents, purportedly from the Government of Pakistan, authorizing his export of
the cultural artefacts and certifying the value of the objects. The defendant used his company, Indus
Valley, to sell the stolen cultural artefacts to his existing customer base, in person (at shows) and
online (on websites and auction sites).c
The defendant was identified as the leader and organizer of an organized criminal group made up of
his family members (his wife and sons) and others who were not related to the defendant (e.g., J.B.M.).
He played a central role in the planning and operations and in the recruitment of accomplices, and he
controlled and exercised authority over others in the group. Because of his central leadership role, he
received a sentencing enhancement, which he unsuccessfully appealed. The defendant pleaded guilty
and was sentenced to three years’ imprisonment and was required to pay a fine of approximately
US$ 115,000 and to forfeit more than 1,300 cultural artefacts.d The defendant unsuccessfully appealed
his conviction and sentence to the United States Court of Appeals for the Fourth Circuit.
Others in the organized criminal group pleaded guilty and were also sentenced for their roles in the
conspiracy to commit smuggling. For example, V.L. (the defendant’s wife) and J.B.M. received sen-
tences of four months of imprisonment (and two years of supervised release from prison) and two
years of probation, respectively.e
For more information on this case, see UNODC, SHERLOC case law database, Case No. USAx209.f

a
The offence of “smuggling goods into the United States” is included in Title18, section 545, of the United States Code.
b
United States Court of Appeals, Fourth Circuit, United States of America v. Ijaz Khan, Case No. 17-4301 (4th Circuit 2018).
c
United States Attorney’s Office, Eastern District of Virginia, “Three indicted for smuggling artifacts into U.S. and
citizenship fraud”, press release, 27 May 2016; United States District Court, Eastern District of Virginia, United States of America
v. Assorted Artifacts, Civil Action No. 1:16cv1393, 21 February 2017.
d
United States Attorney’s Office, Eastern District of Virginia, “Man sentenced for smuggling artifacts from Pakistan into
United States”, press release, 5 May 2017.
e
Pahedra Haywood, “Santa Fe duo sentenced in immigration fraud, artifacts-smuggling case”, The New Mexican, 5 May 2017;
Matt Zapotosky, “Probation for dealer who smuggled artifacts from grave sites in Pakistan”, The Washington Post, 26 January 2016.
f
Available at https://sherloc.unodc.org/.

302 
See General Assembly resolutions 66/180 and 69/196.
303 
Neil Brodie and Donna Yates, Illicit Trade in Cultural Goods in Europe: Characteristics, Criminal Justice Responses and an
Analysis of the Applicability of Technologies in the Combat against the Trade–Final Report (Luxembourg, Publications Office of the
European Union, 2019), p. 106; United Nations Educational, Scientific and Cultural Organization, Fourth Session of the Subsidiary
Committee of the Meeting of States Parties to the Convention on the Means of Prohibiting and Preventing the Illicit Import, Export
and Transfer of Ownership of Cultural Property, document C70/16/4.SC/10, paras. 20–22.
304 
Brodie and Yates, Illicit Trade in Cultural Goods in Europe, p. 106.
305 
Ibid.

96
 chapter V.   Types of cyber organized crime

Authorities investigating trafficking in cultural property online face a number of challenges, including the
variety of platforms on which cultural property is trafficked online, missing information hindering proper
identification of items, and difficulties identifying vendors. To avoid detection, traffickers of cultural prop-
erty operating online have used hacker techniques such as IP address spoofing (i.e., replacing the source
IP address with a fake one).306

13. Money-laundering
Money-laundering can be described as the process whereby criminals conceal and legitimate illicit funds.307
To accomplish this, criminals take the proceeds of a crime and transform them into what appears to be
legally obtained funds. Money-laundering enables criminals to keep and use the proceeds of their crimes
and to conceal the predicate offences that enabled them to obtain those proceeds. In article 6 of the Organized
Crime Convention, States parties to the Convention are required to criminalize four types of offences related
to money-laundering:
(a) The conversion or transfer of property, knowing that such property is the proceeds of crime;308
(b) The concealment or disguise of the true nature, source, location, disposition, movement or own-
ership of or rights with respect to property, knowing that such property is the proceeds of crime;
(c) The acquisition, possession or use of property, knowing that such property is the proceeds of
crime;
(d) Participation in, association with or conspiracy to commit, attempts to commit and aiding, abet-
ting, facilitating and counselling the commission of any of the offences established in accordance with
article 6 of the Convention.

State v. Naidu et al [2018] FJHC 873 (Fiji)

The case State v. Naidu et al involved an online scam with international consequences undertaken by
the defendants (R.R.N., A.R.D. and R.R.). The defendants hacked into the electronic banking facility
of several accounts of a large bank based in Australia. They made unauthorized online money
transfers to two other accounts from the same bank: the accounts of the defendant A.R.D. and
another person (A.C.). The stolen money deposited into those accounts was later withdrawn on the
instructions of R.R.N. A.R.D. gave the withdrawn sums to R.R.N., who then transferred the money
abroad through a well-known money transfer service. He was helped by R.R., who was a teller at
that company.

The defendants were all charged with money-laundering. In order to prove the offence of money-
laundering, the prosecution had to prove that the accused person engaged, directly or indirectly, in
a transaction that involved proceeds of crime (in this case, stolen money) and that the accused
knew, or ought to have known, that the money was derived or realized, directly or indirectly, from
some form of unlawful activity. In Fiji, the offence of money-laundering is not predicated on proof of
the commission of the offence from which the proceeds derived, thereby facilitating convictions of
organized criminal groups.

Ultimately, the court found all of the defendants guilty of money-laundering.a On 18 September
2018, the court sentenced the defendants R.R.N., A.R.D. and R.R. to six years and nine months of
imprisonment, three years of imprisonment and five years of imprisonment, respectively. In addi-
tion, R.R.N. was ordered to pay a restitution of 12,000 Fiji dollars to the bank.

306 
European Commission, Commission staff working document: impact assessment accompanying the document proposal for
a regulation of the European Parliament and of the Council on the import of cultural goods, document SWD(2017) 262 final, p. 15.
307 
Maras, Cybercriminology, p. 336.
308
In article 2, paragraph (e), of the Organized Crime Convention, “proceeds of crime” is defined as “any property derived from
or obtained, directly or indirectly, through the commission of an offence”.

97
DIGEST OF CASES

State v. Naidu et al [2018] FJHC 873 (Fiji) (continued)

The defendant, R.R., filed a notice of appeal against her conviction and sentence and applied for bail
pending appeal. Both the leave to appeal and the application for bail pending appeal were refused by
the court. The defendant, R.R.N., filed a notice for appeal against his conviction and sentence, arguing
that his sentence was manifestly harsh and excessive and wrong in principle, and applied for bail
pending appeal. While the Court of Appeal of Fiji noted that the defendant had not substantiated why
his sentence was harsh and excessive, it reiterated what the trial court had said – that the tariff for the
offence of money-laundering was not well settled in Fiji. The Court of Appeal further noted that, at
that stage, it was not able to tell if the sentencing tariff of 5–12 years set by the trial judge was widely
accepted and implemented among all trial courts in Fiji. The court held that the issue of sentencing
tariffs should thus be taken on by the Court of Appeal or the Supreme Court to guarantee uniformity.
The Court of Appeal found that, since it was a question of law, no leave for appeal was required, but it
allowed for leave to appeal against the sentence as a matter of formality. However, the Court of Appeal
also noted that none of the grounds of appeal had any reasonable prospect of success at that stage.
The Court of Appeal refused the application filed by R.R.N. for bail pending appeal and leave for
appeal against the conviction but allowed leave for appeal against the sentence. Appeal proceedings
have not yet taken place.

This case is of great significance, since it is one of only a few judgments in the region involving cyber-
crime. At the time of the investigation, the authorities of Fiji had only limited experience with cyber-
crime and no direct evidence proving that the proceeds of crime were derived from cybercrime was
provided to the court. The defendants could, nonetheless, be convicted of money-laundering since, in
Fiji, the offence of money-laundering is not predicated on proof of the commission of the offence from
which the proceeds derived. The trial court was therefore able to rely on circumstantial evidence
when convicting the members of the organized criminal group.

For more information, see UNODC, SHERLOC case law database, Case No. FJIx008.b

a
Fiji, Proceeds of Crime Act 1997, as amended by the Proceeds of Crime (Amendment) Act 2004, sect. 69, paras. (2) (a) and
(3) (a).
b
Available at https://sherloc.unodc.org/.

The money-laundering process consists of three stages: placement, layering and integration. During the
placement stage, the illicitly obtained money is distributed into the financial system (e.g., through the pur-
chasing of assets or currency exchanges). The next stage, layering, includes multiple activities that seek to
further distance the proceeds of the crime from their original source, making it more difficult to uncover
money laundering. More specifically, once the proceeds of the crime have been placed into the financial
system, they are moved to other financial institutions or converted from one type of asset to another in order
to further distance the proceeds of the crime from their illicit origin. Finally, the proceeds of the crime are
introduced back into the economy. At this stage of money laundering, integration, the proceeds of the crime
appear to be legitimate and are used by criminals to buy property and/or acquire other assets.

98
 chapter V.   Types of cyber organized crime

United States of America v. Tal Prihar and Michael Phan, Case No. 2-19-CR-00115-
DWA (W.D. Pennsylvania, 24 April 2019) (DeepDotWeb) (United States of
America)
The defendants (T.P. and M.P.) owned and operated a clearnet website, the DeepDotWeb, which
offered direct hyperlinks to onion addresses for darknet marketplaces, making it easier for poten-
tial customers to access those marketplaces. Darknet marketplaces offer illicit drugs and fire-
arms, stolen data, malware and hacking tools, stolen and counterfeit identity documents and
unauthorized access to compromised or hacked accounts, among other illicit goods and services.
DeepDotWeb provided links for the following (now defunct) darknet marketplaces: AlphaBay
Market, Agora Market, Abraxas Market, Dream Market, Valhalla Market, Hansa Market, TradeRoute
Market, Dr. D’s, Wall Street Market and Tocha Market.a

Each time a user utilized the link to the darknet marketplace provided by DeepDotWeb and made a
purchase on the darknet market, DeepDotWeb would receive a kickback. Specifically, the darknet
marketplace links provided by DeepDotWeb included unique account identifier that enabled the
individual marketplaces to pay DeepDotWeb so-called “referral bonuses” (i.e., a percentage of the
profits).b The defendants received an estimated US$ 8,414,173 in bitcoin as “referral bonuses”,
which was transferred to the bitcoin wallet of DeepDotWeb.c The defendants engaged in more than
2,700 transactions to withdraw the cryptocurrency.d To hide the proceeds of their crimes, the
defendants created numerous shell companies in various countries and opened up numerous
virtual and other financial accounts (i.e., an online payment service account and several bank
accounts in Georgia, Israel and Latvia).e

Both defendants were charged with conspiracy to commit money-laundering. T.P. pleaded guilty to
conspiracy to commit money-laundering and was sentenced to 97 months’ imprisonment.f Among
other things, P.T. had to forfeit US$ 8,414,173.g M.P., his co-defendant, was arrested and detained in
Israel. The United States has requested his extradition from Israel. M.P. has not yet been extradited
from Israel.

For more information, see UNODC, SHERLOC case law database, Case No. USAx236.h

a
United States District Court, Western District of Pennsylvania, United States of America v. Tal Prihar and Michael Phan,
Case No. 2-19-CR-00115-DWA, Indictment, 24 April 2019, p. 5.
b
Ibid., p. 4.
c
Ibid., p. 8.
d
Ibid.
e
Ibid., pp. 10-12.
f
 United States, Department of Justice, Office of Public Affairs, “DeepDotWeb administrator sentenced for money-
laundering scheme”, 26 January 2022.
g
United States District Court, Western District of Pennsylvania, United States of America v. Tal Prihar and Michael Phan,
Case No. 2-19-CR-00115-DWA, Judgment, 25 January 2022.
h
Available at https://sherloc.unodc.org/.

The mechanisms (e.g., people, financial and non-financial institutions, such as banks, wire transfer compa-
nies, currency exchanges and casinos) and instruments (e.g., securities or wire transfers) used in money
laundering vary. For instance, in the GozNym malware case, the offenders stole money from victims’ bank
accounts and laundered those funds using United States and foreign beneficiary bank accounts controlled
by the defendants;309 in contrast, the Bayrob criminal enterprise, and criminals in other cases included in
this digest, used money mules to do the money laundering.310

United States of America v. Alexander Konovolov et al. (GozNym malware).

309 

See, for example, United States of America v. Bogdan Nicolescu, Tiberiu Danet and Radu Miclau (Bayrob); and United States
310 

of America v. Aleksei Yurievich Burkov (Card Planet).

99
DIGEST OF CASES

United States of America v. Andre-Catalin Stoica et al., Case No. 5-18-CR-81-JMH

(E.D. Kentucky, 5 July 2018) (Alexandria Online Auction Fraud Network)
(United States of America)
A transnational criminal organization (called the “Alexandria Online Auction Fraud Network” by
United States authorities in the criminal indictment) perpetrated online auction fraud (i.e., adver-
tising and selling non-existent items) against victims in the United States on licit online market-
places, an online classified advertisement site and an online sales website.a The organization
operated primarily in Alexandria, Romania, with some operations taking place in other areas of
Eastern Europe, as well as in the United States.b The victims of the online auction fraud paid for the
fake items with reloadable prepaid cards, prepaid debit cards and gift cards of various types; United
States postal money orders; cashier’s cheques; wire transfers from a well-known money transfer
service; and bank wires and deposits.c

The Alexandria Online Auction Fraud Network worked with others to launder criminal proceeds, by
taking the money paid by victims for the fake items sold online, converting the money to bitcoin,
transferring the bitcoin to members and associates in Eastern Europe and using bitcoin exchanges
to convert the bitcoin to fiat currency.d Associates of the organizations in the United States, such as
J.A.V., obtained victims’ payments, converted them to bitcoins and sent the bitcoins to members of
the organization who had perpetrated the online auction fraud.e Third parties in the United States
who participated in money-laundering (A.E.N., D.A.B. and R.W.D.L.T) were also used to collect,
redeem and convert victims’ payments into cash or bitcoins.f In addition, two bitcoin exchangers
were used by the Alexandria Online Auction Fraud Network. R.I., a national of Bulgaria and owner
of the Bulgarian bitcoin exchange RG Coins, was charged with and convicted of conspiracy to
commit racketeering and conspiracy to commit money-laundering in contravention of United States
laws.g V.-C.N., a national of Romania and owner of a bitcoin exchange (Coinflux Services SRL) reg-
istered in Romania, pleaded guilty to conspiracy to commit racketeering.h

Of the 20 individuals charged in the United States, 16 were foreign nationals. Twelve of the foreign
nationals have been extradited to the United States.i To date, 17 individuals have been convicted for
crimes relating to the online auction fraud perpetrated by members and associates of the criminal
organization, including conspiracy to commit racketeering, money-laundering, wire fraud and iden-
tity-related fraud.j

For more information see, see UNODC, SHERLOC case law database, Case No. USAx175.k

a
United States of America v. Andre-Catalin Stoica et al., p. 3; United States of America v. Beniamin-Filip Ologeanu; United States
Attorney’s Office, Eastern District of Kentucky, “United States v. Andrei Catalin Stoica, et al. (5:18-CR-81-JMH) and United
States v. Beniamin-Filip Ologeanu, et al. (0:19-CR-10-JMH)”, updated 20 July 2020.
b
United States of America v. Andre-Catalin Stoica et al., p. 3.
c
Ibid., p. 4.
d
Ibid., pp. 3–4.
e
United States District Court, Eastern District of Kentucky, United States of America v. Joshua Aaron Vallance, Case No. 20
CR. 08, 28 May 2020), p. 3.
f
United States of America v. Beniamin-Filip Ologeanu et al., Superseding Indictment, p. 6.
g
United States of America v. Andre-Catalin Stoica et al., pp. 9–10; United States Department of Justice, Office of Public
Affairs, “Owner of bitcoin exchange convicted of racketeering conspiracy for laundering millions of dollars in international cyber
fraud scheme”, press release, 28 September 2020.
h
United States of America v. Andre-Catalin Stoica et al., p. 9.; United States Department of Justice, Office of Public Affairs,
“Fifteen defendants plead guilty to racketeering conspiracy in international cyber fraud scheme”, press release, 11 June 2020.
i
United States Department of Justice, Office of Public Affairs, “United States and international law enforcement dismantle
online organized crime ring operating out of Romania that victimized thousands of U.S. residents”, press release, 7 February
2019.
j
United States Department of Justice, Office of Public Affairs, “Owner of bitcoin exchange convicted of racketeering
conspiracy”; “United States and international law enforcement dismantle online organized crime ring”; United States District
Court, Eastern District of Kentucky, United States v. Alexandru Ion, Case No. 5:18-CR-81-REW-MAS-6, 10 October 2019; United
States Attorney’s Office, Eastern District of Kentucky, “Fifteen defendants plead guilty to racketeering”; United States of America
v. Beniamin-Filip Ologeanu et al.; United States of America v. Andre-Catalin Stoica et al.; United States Department of Justice, Office
of Public Affairs, “United States and international law enforcement dismantle online organized crime ring”.
k
Available at https://sherloc.unodc.org/.

100
 chapter V.   Types of cyber organized crime

Money laundering can also be done through unlicensed money transmitters, which do not comply with laws
and internationally recognized standards for countering money laundering. Unlicensed money transmitters
have enabled individuals to transfer funds without providing and proving their identities. A case in point is
e-Gold, an unlicensed and unregistered money transfer business that operated in contravention of money laun-
dering laws and regulations, thereby enabling criminals to use it to anonymously expand and profit from their
illicit activities.311 In particular, e-Gold provided their services (i.e., transferable gold-denominated accounts)
via two websites, where users could register and use the platforms to buy, transfer and exchange digital cur-
rency backed by precious metals, known as units of e-gold, without validating their identity. Ultimately,
e-Gold and its corporate affiliate pleaded guilty to conspiracy to engage in money laundering and conspiracy
to operate an unlicensed money transmitting business.312

United States of America v. Larry Dean Harmon, Case No. 19-CR-00395

(D.D.C. 2019) (Helix and Grams) (United States of America)
The defendant (L.D.H.) created and operated the now defunct darknet search engine known as
Grams between 2014 and 2017.a This search engine indexed darknet marketplaces that sold illicit
goods and services, enabling users to easily search for the darknet sites and obtain the hyperlinks
for direct access to those sites. L.D.H. also offered Helix on the Grams site, which provided a cryp-
tocurrency mixer or tumbler service, where the defendant charged customers a fee for cryptocur-
rency transactions whereby the source or owner of the bitcoin were obscured. Specifically, Helix
was designed to send bitcoin to one of numerous accounts held at different exchangers of convert-
ible virtual currency; take bitcoin from a different account and transmit that bitcoin to a different
bitcoin address; and from this bitcoin address, transmit bitcoin to the customer, minus a fee.b L.D.H.
advertised Helix as a simple, fast and easy service that offered customers new bitcoins that have
never been to the darknet before and new bitcoin addresses for each transaction, which the defend-
ant claimed would ensure that law enforcement agencies would not be able to tell which addresses
were Helix addresses.c L.D.H. also created Helix Light, which had a modus operandi similar to that
of Helix, with one important difference: a customer did not need a Grams account to use Helix Light.
L.D.H. also created and operated Coin Ninja, a bitcoin wallet service, between 2017 to 2020. Coin
Ninja offered a service known as DropBit,d a peer-to-peer payment application for sending money
directly to a person that was advertised as enabling quick and easy peer-to-peer bitcoin exchange.

The Financial Crimes Enforcement Network of the United States Department of the Treasury iden-
tified Helix transactions on, inter alia, the following (now defunct) darknet marketplaces: Abraxas,
Agora, AlphaBay, Aviato, Black Bank, Doctor D, Dream, DutchDrugz, Evolution, Flugsvamp Market
2.0, Hansa, Hydra, Joker’s Stash, Middle Earth, Nucleus, Oasis, Russian Anonymous, Silk Road 2,
TradeRoute, Unic, Valhalla (Silkkitie) and Wall Street Market.e Numerous Helix transactions were
also identified on Welcome to Video, a child sexual exploitation site on the darknet (see chap. IV).
Helix also conducted bitcoin transactions with BTC-e, a now defunct illegal money transmitter
offering virtual currencies. BTC-e, like Helix, was used by criminals because the users’ identities
did not need to be verified to trade cryptocurrency.f

Pursuant to the United States Bank Secrecy Act of 1970, suspicious activity reports need to be filed by
money services businesses, such as money transmitters. The Financial Crimes Enforcement Network
considers businesses that exchange and administer cryptocurrencies and/or provide mixing or tum-
bling services to be money transmitters under the Bank Secrecy Act.g The Network reported that
suspicious activity reports were not filed for Helix transactions on the aforementioned darknet mar-
kets. Ultimately, the court found that Helix had operated as an unlicensed money transmitting busi-
ness.h L.D.H. received a civil money penalty of US$ 60 million from the Financial Crimes Enforcement
Network for violating the Bank Secrecy Act.i

311 
United States District Court, District of Columbia, United States of America v. E-Gold Limited, Criminal Action No. 07-109
(RMC), 20 July 2007.
312 
United States, Department of Justice, “Digital currency business E-Gold pleads guilty to money laundering and illegal money
transmitting charges”, press release, 21 July 2008.

101
DIGEST OF CASES

United States of America v. Larry Dean Harmon, Case No. 19-CR-00395 (D.D.C. 2019)
(Helix and Grams) (United States of America) (continued)
On August 18, 2021, L.D.H. pleaded guilty to conspiracy to commit money-laundering.j

For more information on this case, see UNODC, SHERLOC case law database, Case No. USAx237.k

a
United States, Financial Crimes Enforcement Network, Department of Treasury, “In the matter of Larry Dean Harmon:
assessment of civil money penalty”, No. 2020-2, Attachment A: Statement of Facts.
b
Ibid.
c
United States District Court, District of Columbia, United States of America v. Larry Dean Harmon, Case No. 19-CR-395
(BAH), Statement of the Offense and Related Conduct, 10 August 2021.
d
United States of America, Financial Crimes Enforcement Network, Department of Treasury, “In the matter of Larry Dean
Harmon”.
e
Ibid., pp. 7–11.
f
United States Attorney’s Office, Northern District of California, “Russian national and bitcoin exchange charged in
21-count indictment for operating alleged international money-laundering scheme and allegedly laundering funds from hack
of Mt. Gox”, 26 July 2017.
g
See United States, Financial Crimes Enforcement Network, “Guidance: application of FinCEN’s regulations to persons
administering, exchanging, or using virtual currencies, FIN-2013-G001, 18 March 2013, and Guidance: application of FinCEN’s
regulations to certain business models involving convertible virtual currencies, FIN-2019-G001, 9 May 2019[[LINK]], cited in
Financial Crimes Enforcement Network, Office of Strategic Communications, “First bitcoin ‘Mixer’ penalized by FinCEN for
violating anti-money-laundering laws”, No. 703-905-3770, 19 October 2020.
h
United States District Court for the District of Columbia, United States v. Larry Dean Harmon, 474 F. Supp. 3d 76 (D.D.C. 2020).
i
United States of America, Financial Crimes Enforcement Network, Department of Treasury, “In the matter of Larry Dean
Harmon: assessment of civil money penalty”, No. 2020-2, p. 7. [[LINK]]
j
United States Attorney’s Office, District of Columbia, “Ohio resident pleads guilty to operating darknet-based bitcoin
‘Mixer’ that laundered over $300 million”, 18 August 2021.
k
Available at https://sherloc.unodc.org/.

14. Internet gambling

Internet gambling involves the offering of casino-style games (e.g., poker) and/or betting (e.g., at horse-racing
and sporting events) online. Internet gambling varies from offline gambling, particularly with respect to cur-
rency and language. Internet gambling websites and content are available in multiple languages and offer a
wide variety of currencies and payment options. For traditional (offline) gambling establishments, such as
casinos and betting or waging establishments, there are limited language, currency and payment options,
which depend on the geographical location of the establishment. Nevertheless, the main difference between
such conventional gambling and Internet gambling is that a person can engage in Internet gambling at any time
and at any place irrespective of his or her geographical location.
Internet gambling services can be provided by “bricks-and-mortar” casinos (i.e., casinos with physical loca-
tions) or betting establishments and organizations that do not have “bricks-and-mortar” casinos or by betting
establishments that only have remote gambling services. In some jurisdictions, those providing Internet gam-
bling services are required to have physical establishments that offer similar services in person;313 in those
cases, online services are viewed merely as an extension of services already provided in person. Internet
gambling raises concern over problematic and compulsive gambling behaviour; gambling by minors; fraud
and other crimes committed online for and against the gambling organizations; the fairness and integrity of
gaming and associated processes; the oversight and accountability of online gambling sites; and the cyberse-
curity of those sites.314

313 
See, for example, the government websites in countries that include information about Internet gambling licences. In the United
States, casinos in New Jersey have been given licences. The licences enable them to offer Internet gambling services in the State of
New Jersey (United States, State of New Jersey, Division of Gaming Enforcement, “Internet gaming sites”. Available at www.nj.gov/
oag/ge/gamingsites.html).
“Because of the lack of direct contact between consumer and operator, games of chance accessible via the internet involve different
314 

and more substantial risks of fraud by operators compared with the traditional market for such games” (Court of Justice of the European
Union, Sporting Exchange Ltd v. Minister van Justitie, Case No. C-203/08, Judgment, 3 June 2010, para. 34). See also Masood Zangeneh,
Mark Griffiths and Jonathan Parke, “The marketing of gambling”, in In the Pursuit of Winning: Problem Gambling Theory, Research and
Treatment, Masood Zangeneh, Alex Blaszczynski and Nigel Turner, eds. (New York, Springer, 2008), pp. 135–15); John L. McMullan
and David Perrier, “The security of gambling and gambling with security: hacking, law enforcement and public policy”, International
Gambling Studies, vol. 7, No. 1 (2007), pp. 43–58; Sangeeta Ranade, Stuart Bailey and Alexandra Harvey, “A literature review and survey
of statistical sources on remote gambling” (October 2006); UNODC, Comprehensive Study on Cybercrime, draft, p. 21.

102
 chapter V.   Types of cyber organized crime

Internet gambling is not universally criminalized at the national level. The type of gambling that is considered
illegal also varies from country to country.315 Because of the variation in laws, companies and criminal organ-
izations can house their servers and conduct their operations in multiple jurisdictions where Internet gambling
is legal. Organizations and criminal groups offering Internet gambling can have their operations located
in various countries – they can have the headquarters of their company in one country, servers in one or more
countries and support centres in different countries, depending on the regulations of each country on
Internet gambling and taxation, which vary between countries. Some countries support Internet gambling as
long as it occurs in accordance with existing laws and meets licensing, regulatory and taxation requirements.316
Other countries allow Internet gambling under certain circumstances in accordance with national law and
restrict and control and limit Internet gambling operations.317 In other countries, Internet gambling is strictly
prohibited.318

“Cicala Iván Maciel y otros p. ss. aa. de organización y explotación de juegos

de azar sin autorización” (SAC 9814642) (Argentina)
In a case in Argentina, a criminal group ran an Internet gambling operation that offered online
games of chance and betting services without proper authorization. The criminal group had a pyr-
amid structure. The group members divided roles and responsibilities among themselves. The
roles were based on the power of decision-making, the percentage of commission that they would
charge and the number of people they oversaw. The heads of the group, R.D.M. and I.M.C., managed
the operation and its ATM network. L.M.P., another member of the group, was accountable to
R.D.M. and I.M.C.. He created the ATM network, served as an organizer of the Internet gambling
services and oversaw, among other things, advertising through social networks and the month-end
closing process. P.D.S. served as an operator in the group and an intermediary between so-called
“tellers” and “cashiers” in the group, informing them, for example, how to load credit and chips on
panels when “cashiers” requested them and where to send money transfers when payments
were made. He also resolved any issues of group members, as well as any issues of affiliates, play-
ers or users.

The Government seized various technological devices (cell phones, laptops, notebook computers,
handheld game consoles, SIM cards etc.) and accessories (e.g. headphones, speakers and key-
boards), Argentine pesos, United States dollars, vehicles and clothing and accessories with printed
logos and advertisements and other items related to the operation and its activities.

Three defendants, R.D.M., I.M.C. and L.M.P., each received a sentence of three years’ imprisonment
and a fine of Arg$ 45,000. The other defendant, P.D.S., received a three-year suspended sentence
and a fine of Arg$ 30,000.

For more information about this case, see UNODC, SHERLOC case law database, Case No. ARGx018.a

a
Available at https://sherloc.unodc.org/.

315 
For example, in the United States, betting on horse racing is considered legal (with few exceptions), whereas sports betting was
considered illegal in many states until 2018, when the Supreme Court struck down a federal law prohibiting sports gambling at the
state level (see Murphy, Governor of New Jersey, et al. v. National Collegiate Athletic Association, No. 16-476, 584 U.S. ___ (2018),
138 S. Ct. 1461). The Wire Act of 1961, a United States federal law, is currently being interpreted as applying to interstate sports
gambling and interstate Internet sports gambling.
316 
See, for example, United Kingdom, Gambling Act of 2005.
317 
See, for example, Ordinance 30 of 1960 of Singapore and its subsequent revisions (i.e., the Betting Act) and the Remote
Gambling Act of 2015.
318 
See, for example, the Common Gaming Houses Act of Brunei Darussalam, which prohibits all forms of gambling, and
article 17 of the Federal Decree-Law No. 5 of 2012 of the United Arab Emirates, which prohibits Internet gambling.

103
DIGEST OF CASES

Cassazione penale, sezione VI, sentenza No. 11356, 8 Novembre 2017 (Italy)
This case concerns the involvement of a mafia-type group, the Clan of Casalesi, in illegal online
gambling. The Clan of Casalesi emerged decades prior to the instant case in the province of
Caserta in the region of Campania, in the south of Italy. After emerging in Caserta, the Clan of
Casalesi progressively established its control in the region of Campania. The group subsequently
expanded its activities into other regions of Italy, including the region of Emilia-Romagna, in the
north of Italy.

The modus operandi used by the Clan of Casalesi for their illicit activities relating to online gam-
bling in the region of Emilia-Romagna differed from the modus operandi used in the region of
Campania. In Campania, the main group of the Clan offered protection to entrepreneurs working in
the gambling industry. In exchange for a monthly fee, the main group, through intimidation and
violence, imposed on local businesses the services and products of the protected entrepreneurs,
fending off the competition. In Emilia-Romagna, where the main group had recently expanded its
influence, a relatively autonomous branch of the Clan used a different method. Rather than offering
protection to the entrepreneurs in the region, the Emilia-Romagna branch used a formally legiti-
mate enterprise as a front for their activities, opening betting points at which unauthorized slot
machines were installed and online links to illegal gambling websites were made available to cli-
ents. The illegal gambling business allowed the branch to make profits while avoiding the payment
of taxes and made possible the money-laundering of the criminal group’s proceeds derived from
other activities.

The judgment of the Supreme Court of Cassation in this case dealt with the defendants who opted
for shortened judicial proceedings. The issue in this case concerned the application of criminal
association offences – both the “simple” criminal association offence and the mafia-type associa-
tion offence – to a mafia-type group consisting of: (a) the main group operating in the region of
Campania, which adopted intimidation, submission and silence as its modus operandi (the mafia
method); and (b) the Emilia-Romagna branch, which did not adopt the mafia method. The Court was
required to determine the correct application of the criminal association offence and the mafia-type
offence in relation to the participants of the two units of the mafia-type group.

The prosecutor charged the members who had participated in the main group and the Emilia-
Romagna branch with the mafia-type association offence and with the criminal association
offence, whereas those who had participated only in the Emilia-Romagna branch were charged
with only the criminal association offence. In the opinion of both the court of first instance and the
Court of Appeal of Naples, the presence of the relatively autonomous Emilia-Romagna branch,
which had adopted a modus operandi that differed from that of the main group, required the
application of two different criminal association offences, the mafia-type association offence
being applicable to the main group and the criminal association offence being applicable to the
Emilia-Romagna branch. The courts rejected the choice made by the prosecutor in the indict-
ment (i.e., charging those members who had participated in both the main group and the Emilia-
Romagna branch with two different criminal association offences) on the grounds that that
constituted double jeopardy. This finding was supported by the court’s conclusion that the main
group and the Emilia-Romagna branch were not distinct criminal groups but rather a single
criminal group sharing the same aims, notwithstanding the fact that the Emilia-Romagna branch
exercised relative autonomy. Accordingly, to convict the defendants for membership of both the
main group and the subgroup would be to convict them twice for the same offence. The proper
approach was for the defendants that had participated in both the main group and the Emilia-
Romagna branch to face punishment only for their participation in the main group (i.e., punish-
ment for the mafia-type association offence).

104
 chapter V.   Types of cyber organized crime

Following the decision of the Court of Appeal of Naples, those members who had participated only
in the Emilia-Romagna branch appealed to the Supreme Court of Cassation seeking an acquittal for
their convictions for the criminal association offence. For almost every defendant, the Supreme
Court of Cassation upheld the decision of the Court of Appeal of Naples, which largely confirmed
the findings of guilt. In particular, the Court rejected the appeals of those defendants who had par-
ticipated only in the Emilia-Romagna branch and stated, in line with the ruling of the Court of
Appeal of Naples, that it was necessary to bring charges of both the criminal association offence
and the mafia-type association offence against different defendants, even if all defendants were
part of the same larger criminal group. This was because, first, the Emilia-Romagna branch showed
some degree of autonomy and, secondly, the Emilia-Romagna branch did not have the same modus
operandi – that is, the pattern of violence and intimidation – of the main group. Moreover, the
Supreme Court of Cassation agreed with the decision of the Court of Appeal of Naples and the trial
court that to convict the members who had operated in both regions, Campania and Emilia-
Romagna, of both the mafia-type association offence and the criminal association offence, as they
had been charged by the prosecutor, would constitute double jeopardy. Both the Court of Appeal
and the trial court had, therefore, correctly avoided the application of multiple criminal association
offences to those defendants.

105
 CHAPTER VI.
RELEVANT PROCEDURAL ISSUES
DIGEST OF CASES

VI.  RELEVANT PROCEDURAL ISSUES

Relevant procedural issues in cases of cyber organized crime include jurisdictional issues; identification,
tracing, freezing and seizure of assets and confiscation of proceeds of crime; special investigative tech-
niques (i.e., electronic surveillance, undercover operations, controlled deliveries and other techniques); the
collection and use of electronic evidence (i.e., expedited preservation of data, production orders, real-time
collection of communication traffic data and interception of content data); and various forms of interna-
tional cooperation (i.e., extradition, mutual legal assistance, law enforcement cooperation and joint investi-
gations). Each of these procedural issues are explored below.

A. Jurisdiction
Jurisdiction provides countries with the power and authority to define and preserve the duties and rights of
people within its territory, enforce laws and punish law violations.319 Countries claim jurisdiction over
crimes committed within their territory (principle of territoriality), when crimes are committed by their own
nationals (principle of nationality; active personality principle), when the victims of the crimes are their
own nationals (principle of nationality; passive personality principle) and when the crime impacts the inter-
ests and security of the country (protective principle).320
Laws are implemented to establish rules, mechanisms and ways to resolve jurisdictional issues when
multiple jurisdictional claims are made over transnational organized crime, such as cyber organized
crime. Article 15 of Organized Crime Convention establishes conditions under which jurisdiction can be
asserted and provides guidance on exercising jurisdiction. The conditions under which jurisdiction can
be asserted are when transnational organized crime offences are committed in a country’s territory, when
such offences are committed on board an aircraft or a vessel registered in a country, when such offences
are committed in one country by nationals of another and the country in which the offences were com-
mitted does not extradite the offenders on the ground that they are nationals of the other country and
when such offences are committed in one country against nationals of another country.321 Similar condi-
tions are included in other international laws, such as the United Nations Convention against Corruption
(see art. 42) and the United Nations Convention against Illicit Traffic in Narcotic Drugs and Psychotropic
Substances of 1988 (see art. 4).322 Countries establish jurisdiction over cybercrimes in national law. For
example, Botswana can assert jurisdiction over a cybercrime committed in its territory or in part of its
territory; when the cybercrime involves one of its nationals outside of its territory if the national’s con-
duct would constitute an offence under the law of the country where the offence was committed and if
the person has not been prosecuted for the offence in that country; when the offence was committed on
a ship or aircraft registered in Botswana; and if the offence was committed outside of its territory but had
an impact on Botswana.323

319 
See also UNODC Teaching Modules, Cybercrime, Module 7: international cooperation against cybercrime, “Sovereignty and
jurisdiction”; and Module 3: legal frameworks and human rights, “The role of cybercrime law”. Available at sherloc.unodc.org/cld/
en/education/tertiary/cybercrime/module-7/index.html and sherloc.unodc.org/cld/en/education/tertiary/cybercrime/module-3/
index.html.
320 
Ibid.
321 
UNODC, Legislative Guide for the Implementation of the United Nations Convention against Transnational Organized Crime
(Vienna, 2016), pp. 75–80.
322 
Ibid., para. 248.
323 
Botswana, Cybercrime and Computer Related Crimes Act, 2018, sect. 3.

108
 chapter VI.   Relevant procedural issues

United States v. Aleksey Vladimirovich Ivanov, 175 F. Supp. 2d 367 (2001)

(United States of America)
The defendant illegally accessed a corporation in the United States that hosted websites and pro-
cessed financial transactions of retail establishments. The corporation collected and stored finan-
cial data of customers, merchants and financial institutions. The defendant hacked the computer
system of the corporation. This illegal access enabled him to obtain passwords, which afforded him
the opportunity to control the corporation’s entire network. The defendant informed the corporation
of his access and sought to extort money by threatening to damage the computer systems if he was
not paid to assist the corporation in securing their systems. For his crimes, he was sentenced to
four years’ imprisonment and three years’ supervised release after serving his sentence.a

When the defendant hacked the systems of the corporation and engaged in extortion, he was phys-
ically located in the Russian Federation. The court asserted that the United States had jurisdiction
because the adverse impact of the defendant’s actions occurred in the United States and because
of the extraterritorial effect of the laws that he was charged with violating. Therefore, the United
States claimed jurisdiction over an act that had had an impact on its territory, although the act had
been perpetrated in a different country.

For more information on this case, see UNODC, SHERLOC case law database, Case No. USAx103.b

a
United States Attorney, District of Connecticut, “Russian man sentenced for hacking into computers in the United States”,
press release, 25 July 2003.
b
Available at https://sherloc.unodc.org/.

B. Identification, tracing, freezing or seizure of assets

and confiscation of proceeds of crime
In addition to the criminal convictions of offenders, the freezing or seizure324 of assets (e.g., cash, movables,
such as automobiles, boats, aircraft, businesses and shares) and confiscation325 of the proceeds of the crime326
are essential in order to prevent offenders from profiting from transnational organized crime. In the Phantom
Secure case (see chap. IV), the founder and chief executive officer of the company received for his crimes
a sentence of nine years of imprisonment and supervised release and was required to forfeit US$ 80 million,
as proceeds of crime, as well as other identified assets (funds held in international bank accounts, a luxury
automobile, real estate, virtual currencies, including cryptocurrencies, and gold coins).327 In other cases
included in this digest, the domain names were also seized and forfeited.328 Technological devices

According to article 2, paragraph (f), of the Organized Crime Convention, “freezing” or “seizure” refers to “temporarily pro-
324 

hibiting the transfer, conversion, disposition or movement of property or temporarily assuming custody or control of property on the
basis of an order issued by a court or other competent authority”.
According to article 2, paragraph (g), of the Organized Crime Convention, “confiscation”, which includes forfeiture where
325 

applicable, refers to “the permanent deprivation of property by order of a court or other competent authority”.
According to article 2, paragraph (e), of the Organized Crime Convention, the term “proceeds of crime” refers to “any property
326 

derived from or obtained, directly or indirectly, through the commission of an offence”.

327 
United States of America v. Vincent Ramos and others (2019). Fiat currency, bitcoins and bitcoin accounts, real property and
vehicles, among other assets, were also seized and forfeited in other cases included in this digest (see, for example, United States of
America v. Beniamin-Filip Ologeanu and others, p. 31; United States of America v. Sergey Medvedev; United States of America v.
Valerian Chiochiu; United States of America v. Sergiy Petrovich Usatyuk and United States of America v. Ricky Handschumacher;
United States of America v. Garrett Endicott.
328 
See, for example, United States District Court, District of Arizona, United States of America v. Carl Allen Ferrer, Case
No. 18-CR-464, 5 April 2018; United States District Court, Southern District of New York, United States v. Liberty Reserve, 13 CR.
368, 23 September 2015; and United States of America v. Tal Prihar, Case No. 2:19-CR-00115-DWA, 25 January 2022.

109
DIGEST OF CASES

(e.g., mobile phones, computers and SIM cards), firearms and other forms of property have also been
forfeited.329 Confiscation of the proceeds of crime is intended to deter transnational organized crime by
removing the incentives for committing such crime.330

Regina v. Bradley David Rogers, Colin Martin Samuels, Geraldine French,

Mark Julian Bell [2014] EWCA Crim 1680 (United Kingdom)
Four appellants, B.D.R., C.M.S., G.F. and M.J.B., were charged with and convicted for their roles in two
advance fee frauds. Both frauds were orchestrated and organized by M. (not included in the appeal),
who pleaded guilty to charges of conspiracy to defraud and was sentenced to seven years and five
months of imprisonment.a M. employed nationals of the United Kingdom at call centres in Spain or
Turkey in advance fee fraud schemes involving either debt elimination or escort services. The debt
elimination and escort services were promoted and advertised online on websites and offline in the
national press. Consumers in the United Kingdom responded to these advertisements and paid an
advanced fee to receive the advertised services. In the fraud scheme involving escort services, the
consumers were asked to pay a registration fee in order to secure a date and obtain escort services.
Once the so-called registration fee was paid, the date with the escort was cancelled and no other
dates were made available. The debt elimination fraud involved employees from the call centres
cold-calling consumers in the United Kingdom from a list that the centres had purchased from data
providers. For a fee, consumers were fraudulently promised the elimination of their debt.

Three of the appellants, C.M.S., G.F. and M.J.B. were charged with and convicted of conspiracy to
defraud and received sentences of 5 years and 6 months of imprisonment, 6 years and 5 months of
imprisonment and 6 years and 6 months of imprisonment, respectively. The other appellant, B.D.R.,
was convicted of converting criminal property contrary to the Proceeds of Crime Act 2002, for which
he received a sentence of 2 years and 10 months of imprisonment. B.D.R. appealed his conviction,
arguing that the Proceeds of Crime Act 2002 did not have an extraterritorial effect. The appellant
argued that the acts that had led to the property becoming “criminal property” took place outside of
the United Kingdom and had had impacts on victims outside the United Kingdom. The court disa-
greed; it held that the mechanics of the fraud had taken place in the United Kingdom and had had
impacts on victims in the United Kingdom. If the mechanics of the fraud had occurred in Spain and
had had impacts on Spanish victims, the court would not claim jurisdiction over the crime. However,
that was not the case. The acts had predominantly taken place in England, including the deprivation
of British victims’ monies. The court thus held that there was jurisdiction to apply the provisions of the
act, particularly the money-laundering provisions under section 340, paragraph (11) (d), of the
Proceeds of Crime Act 2002. The funds that had been obtained pursuant to the advance fee frauds in
the United Kingdom became criminal propertyb once they reached a bank account in the United
Kingdom controlled by the conspirators, and those proceeds did not cease to be criminal property
when they arrived in the appellant’s bank account in Spain.c Accordingly, the court dismissed the
appeal of B.D.R, as well as the appeals of the other appellants.

For more information on this case, see UNODC, SHERLOC case law database, Case No. GBRx095.d
a
England and Wales Court of Appeal, Regina v. Bradley David Rogers, Colin Martin Samuels, Geraldine French, Mark Julian
Bell [2014] EWCA Crim 1680, p. 1.
b
According to section 340, paragraph (3) (a), of the Proceeds of Crime Act 2002, property is criminal property if it constitutes
“a person’s benefit from criminal conduct or it represents such a benefit (in whole or part and whether directly or indirectly)”.
c
Regina v. Bradley David Rogers, Colin Martin Samuels, Geraldine French, Mark Julian Bell, p. 7.
d
Available at https://sherloc.unodc.org/.

329 
See, for example, United States District Court, Western District Court of North Carolina, United States of America v. Anthony
Blane Byrnes, Case No. 3:20-CR-109-KDB, p. 2; United States of America v. Sergiy Petrovich Usatyuk; United States of America v.
Andrii Kolpakov and United States of America v. Fedir Oleksiyovich Hladyr, Case No. 17-CR-276RSM. According to article 2, para-
graph (d), of the Organized Crime Convention, “property” refers to “assets of every kind, whether corporeal or incorporeal, movable
or immovable, tangible or intangible, and legal documents or instruments evidencing title to, or interest in, such assets”.
330 
UNODC, Legislative Guide for the Implementation of the United Nations Convention against Transnational Organized Crime,
para. 330.

110
 chapter VI.   Relevant procedural issues

Article 12 of the Organized Crime Convention requires States parties to the Convention to establish meas-
ures to enable the confiscation of criminal proceeds and any “property, equipment or other instrumentalities
used in or destined for use in offences”. The recommendations of the Financial Action Task Force serve as
a framework of measures that facilitate international cooperation on matters relating to criminal assets and
proceeds, which authorities can implement in their own countries according to their national laws.331 The
Stolen Asset Recovery initiative, developed by the World Bank and UNODC, also provides guidance on
how to respond to criminal proceeds.332 The above-mentioned convention, recommendations, guidance and
initiative identify the measures needed to investigate and prosecute transnational organized crime and to
identify and confiscate the proceeds of such crime.
The Organized Crime Convention obligates States to adopt the measures needed to empower competent
authorities to order that bank, financial or commercial records be made available or seized for the purpose
of identifying and freezing assets and ultimately confiscating the proceeds of organized crime.333 The
Convention also requires States to respond to requests for the identification, tracing and freezing or seizure
of such proceeds.334 In addition, the Convention sets out the procedures that need to be followed in order to
confiscate such proceeds.335 Mutual legal assistance (see the discussion in chap. VI, sect. E.2) can be sought
to obtain evidence and information relating to the identification, tracing, freezing, seizure and confiscation
of proceeds of such crime.336
The freezing or seizure of value- or property-based assets that have been identified as being directly or
indirectly derived from transnational organized crime, as well as the confiscation of the proceeds of such
crime, is a complex process. This complexity arises from the variation in national laws and the methods and
approaches taken by countries to identify, trace, freeze or seize assets, as well as the conditions that are in
place to confiscate the proceeds of crime.337 For example, the authorities that authorize freezing or seizure
orders,338 as well as the criteria and conditions that must be met for those orders to be issued, vary between
countries. Variations also exist between countries with respect to data protection and controls regarding the
disclosure of personal and financial information relating to the identification of criminals, their assets and
the proceeds of their crimes.

C. Special investigative techniques

Special investigative techniques include electronic surveillance, undercover operations and controlled
delivery. They are critical to the effective investigation and prosecution of cyber organized crimes. Special
investigative techniques are deployed because of the transnational nature of such crimes, difficulty in infil-
trating cyber organized criminal groups and difficulty in gathering information about such groups and evi-
dence of their crimes for use in prosecutions. Such techniques enable law enforcement agencies to conduct
investigations remotely and collect the evidence needed to ensure that the perpetrators are arrested and
prosecuted for the crimes they commit.
Cyber organized crime predominantly transcends borders, requiring cooperative efforts between law
enforcement agencies. Transnational investigations conducted for this type of cybercrime often involve the
use of special investigative techniques. Because criminal procedure law and rules of evidence regulating
special investigative techniques often differ from country to country, cooperation in investigations involving
these techniques may be hampered.

331 
Financial Action Task Force, International Standards on Combating Money Laundering and the Financing of Terrorism and
Proliferation (Paris, 2012–2020), updated June 2021.
332 
See https://star.worldbank.org/.
333 
Organized Crime Convention, art. 12.
334 
Ibid., art. 13.
335 
Ibid.
336 
Ibid., art. 13, para. 3.
UNODC, Legislative Guide for the Implementation of the United Nations Convention against Transnational Organized Crime,
337 

paras. 331–332; UNODC, Manual on International Cooperation for the Purposes of Confiscation of Proceeds of Crime (Vienna, 2012).
A “freezing order” refers to “an order (usually judicial) that leaves physical possession of the asset with the owner or a third party
338 

but imposes specific terms and conditions on their use of the asset, or prohibits any right to sell, lease, destroy or otherwise diminish the
value of the asset while the order is in force”. It is also called a “restraint”, “blocking”, “attachment” or “preservation” order in some
jurisdictions (UNODC, Manual on International Cooperation for the Purposes of Confiscation of Proceeds of Crime, p. 3).

111
DIGEST OF CASES

Special investigative techniques are considered an important tool in the arsenal of measures that may be
used to combat cyber organized crime. The techniques are labelled “special” because their use is often
costly and complicated, requiring specialized expertise and sometimes advanced technological knowledge
and instruments. Their use may in some cases pose ethical problems, while in others it may endanger the
operators. It is important to keep in mind that the use of special investigative techniques may infringe on
fundamental individual rights (e.g., the right to privacy).339

1. Electronic surveillance
Electronic surveillance involves the use of ICT to monitor and maintain surveillance of suspects and their
movements and to intercept suspects’ communications. Basically, the suspect’s behaviours, movements and
communications are kept under surveillance.340 Electronic surveillance involves the use of ICT to monitor
communications and movements, intercept telecommunications and electronic communications (telephone
calls, email messages and other messages), track individuals and devices, create audio and video record-
ings, etc.
Electronic surveillance has been used by law enforcement agencies in cases involving cyber organized
crime. This special investigative technique has been used during investigations of cyber-dependent crimes
and cyber-enabled crimes.341 Electronic surveillance is usually regulated by warrants.342 The legal order is
obtained prior to collecting electronic evidence in order to ensure that the evidence is admissible in a court
of law. In the event that a warrant is not required for the surveillance, there are limiting factors to prevent
its arbitrary and illegal use (e.g., privacy considerations, subject notification or the requirement to obtain
non-judicial permission).343
Electronic surveillance is quite intrusive, and its legality varies by jurisdiction. Countries have different
requirements for the use of various forms of electronic surveillance (e.g., audio, visual, tracking and data
surveillance) and have statutory safeguards in place to ensure that the measures taken are respectful of the
rule of law and human rights. Therefore, before using electronic surveillance, national laws, as well as
regional and international laws, and human rights obligations (particularly with respect to the right to pri-
vacy) need to be considered.
If the investigation involves the monitoring of Internet chat rooms, social networking sites or other sites, the
human rights implications of this monitoring may vary, depending on the privacy and security settings and
law enforcement activities on those sites. If the content and activities that are monitored in chat rooms or
social media or other sites are accessible to the public and if privacy and security settings have not been set
to restrict access to content, then there is no reasonable expectation of privacy over this content.344 If, how-
ever, privacy and security settings have been set to restrict access to content to specific persons, then the
user has a reasonable expectation of privacy over their content and activities.345 If law enforcement agents
interact and/or otherwise engage with persons on these sites, countries often require a legal order (e.g., a
search warrant) to authorize the gathering of information about the target through an undercover operation
(for more information about undercover operations, see the subsection that follows).

339 
UNODC, Digest of Organized Crime Cases: A Compilation of Cases with Commentaries and Lessons (Vienna, 2012), para. 99.
340 
Ibid., p. 43.
341 
See, for example, Canada, Ontario Court of Justice, R. v. Kalonji and Germany, LG Limburg, Urteil vom 07.03.2019, 1 KLs – 3
Js 73019/18.
342 
See, for example, the Surveillance Devices Act of 2004 of Australia; the Criminal Procedure Code of Germany, sect. 100a;
Interception of Communications and Surveillance Ordinance of Hong Kong, China, chap. 589, sect. 3; the Crimes Act 1961 of
New Zealand, part 11A; the Code of Criminal Procedure of Poland, chap. 26; the Criminal Procedure Code of Serbia, arts. 226
and 228; the Code of Criminal Procedure of Slovakia, sect. 88; the Regulation of Interception of Communications and Provision of
Communication-related Information Act 70 of 2002, of South Africa; and the Regulation of Investigatory Powers Act 2000 of the
United Kingdom (Current Practices in Electronic Surveillance in the Investigation of Serious and Organized Crime (United Nations
publication, 2009), p. 13).
343 
Ibid., p. 14.
344 
For further information, see United States, Global Advisory Committee, Developing a Policy on the Use of Social Media in
Intelligence and Investigative Activities: Guidance and Recommendations (February 2013); Maras, Computer Forensics; Berkman
Center for Internet and Society, Harvard Law School, Berkman Online Lectures and Discussions, Privacy in cyberspace: module IV –
governmental collection of data, part I. Available at https://cyber.harvard.edu/privacy/module4.html.
345 
Ibid.

112
 chapter VI.   Relevant procedural issues

BGH, Beschluss vom 15.01.2020, 2 StR 321/19

This case involved two darknet platforms (Elysium and the Giftbox Exchange) dedicated to the shar-
ing of child sexual exploitation material. The four defendants (M., Mä., G. and P.) had been part of
the online paedophile community before they joined several other separately prosecuted offenders
to create private forums and chat rooms. After registering on these forums, the defendants and
other unnamed conspirators undertook a number of tasks necessary for the operations of both the
Elysium and the Giftbox Exchange sites. The purpose of these operations was to facilitate the
exchange of child sexual abuse material involving children of different genders and ages between
members of the sites.

The first site that was created was the Giftbox Exchange. P. helped to create and manage it. Access to
it was limited to registered users. In order to register, prospective users had to upload illegal material
in order to minimize the risk of undercover law enforcement agents accessing the site. Likewise,
users were required to publish child sexual abuse material at least once a month to have complete
access to the content on the forum. The Giftbox Exchange platform had a strict hierarchical structure.
There were several administrators of the site, one of them being P. The administrators, with full
access to the boards, undertook administration and maintenance tasks to guarantee the faultless
operation of the site on a technical and content-related scale. The administrators were supported in
running the site by 10 moderators. Members that had risen to the ranks of administrator or modera-
tor had the additional responsibility of posting illegal material on a monthly basis. The Giftbox
Exchange chat rooms had a hierarchical structure comparable to that of the forum.

P. was responsible for programming relating to the chats, the recruitment of new members and
the allocation of accounts, in addition to informing members of the forum rules and maintaining
the Giftbox Exchange servers. G. was a chat moderator who was later “promoted” to lead chat
moderator and then chat administrator, where he was responsible for all matters regarding the
chat rooms, including the recruitment of chat room personnel. He acted as the point of contact
for staff members. He also created the seasonally changing background graphics of the chat
rooms. He also undertook other tasks in relation to the forum, including the translation of the
rules into German. M. was a chat moderator who was responsible for user support and supervi-
sion, as well as the supervision of the chat rooms themselves, mainly to ensure compliance with
the forum rules. In addition, M. worked on testing new chat scripts, together with P., and trans-
lated into German the security instructions of the forum. Mä. was a “registeredplus-member”,
and he exercised moderator functions if no other staff member was online. He could issue warn-
ings and block users if necessary. Mä. also worked on testing chat scripts and translating the
instructions by proofreading the translation created by M. As part of the posting and verification
duties, defendants M., G. and P. posted child sexual abuse material and child sexual exploitation
material in order to make the material accessible to users of the forums, as well as to encourage
other users to share material.

In this case, the court of first instance discussed the composition of organized criminal groups on
the darknet. In examining the roles of the defendants and their tasks, the court held that the defend-
ants, as well as each member registered on the forums or the chat rooms of the platform, were
considered members of an organized criminal group. The court held that the members of the plat-
forms had implicitly joined the organized criminal group of the defendants by registering for the
forums. The members came together with the intent to independently commit numerous, and at
the time of registration, unknown offences of the same type of crime for a certain period of time in
the future. Through their actions, the defendants, as well as all registered members, aimed at
obtaining child abuse and exploitation material not yet in their possession and to exchange views on
topics including paedophilia and child abuse. The court also held that the fact that the members of
the organized criminal group did not know each other personally and communicated with nick-
names or pseudonyms was irrelevant to their classification as an organized criminal group.

113
DIGEST OF CASES

BGH, Beschluss vom 15.01.2020, 2 StR 321/19 (continued)

In the course of investigations, investigating police were able to associate the forum with an
Australian hosting provider. In Australia, Task Force Argos of the Queensland Police Service was
able to seize the data of the forum, including threads, postings and not yet deleted messages, and
take over the operation of the platform. P. noticed that something was wrong and – via the darknet
– warned users not to visit the Giftbox Exchange. Furthermore, he backed up the data of the plat-
form and tried to close the server. The same persons responsible for running the Giftbox Exchange
then created a new platform, Elysium, under the leadership of P. In order to log in to the platform
and have unlimited access to content, registration was again required. The obligation to post mate-
rial for verification purposes was, however, not introduced, which led to the registration of a large
number of users within a short period of time.

After locating the server of the Elysium platform, law enforcement authorities conducted electronic
surveillance of the server and of one defendant, M., as well as undercover operations. The surveil-
lance measures included uploading avatar (or user profile) images to confirm the server location,
as well as the monitoring of messages. This electronic surveillance helped to identify defendants
M. and Mä., which subsequently led to the identification of P. In addition, the Federal Criminal Police
Office of Germany obtained child sexual abuse images involving G., which ultimately led to the iden-
tification of G.

M. was charged with and convicted of ring-based dissemination of child sexual abuse material;
procuring, for another, child sexual abuse material; production of child sexual abuse material; and
aggravated child sexual abuse in conjunction with procurement of child sexual abuse material,a for
which he received a sentence of 8 years’ imprisonment. Mä. was charged with and convicted of ring-
based dissemination of child sexual abuse material and possession of child sexual abuse material.
He received a sentence of 3 years and 10 months of imprisonment. G. was charged with and con-
victed of ring-based dissemination of child sexual abuse material; procuring, for another, child
sexual abuse material; production of child sexual abuse material; and aggravated child sexual
abuse in conjunction with procurement of child sexual abuse material.b For those offences, he was
sentenced to 9 years and 9 months of imprisonment; however, that sentence was reduced to 8 years
and 7 months of imprisonment given the reversal of the conviction for aggravated child sexual
abuse in conjunction with procurement of child sexual abuse material on appeal. Finally, P. was
charged with and convicted of ring-based dissemination of child sexual abuse material and ring-
based procurement, for another, of child sexual abuse material.c He received a sentence of 6 years
and 6 months of imprisonment.

For more information on this case, see UNODC, SHERLOC case law database, Case No. DEUx024.d

a
In the court of first instance, M. was also charged with and convicted for the possession of child sexual abuse material.
That conviction was subsequently reversed on appeal.
b
G. was also charged with and convicted for other crimes. Those convictions were subsequently reversed on appeal.
c
In the court of first instance, P. was also charged with and convicted for the possession of child sexual abuse material.
That conviction was subsequently reversed on appeal.
d
Available at https://sherloc.unodc.org/.

2. Undercover operations
An undercover operation involves the use of an undercover agent, an informant (i.e., a person who provides
information about a crime or suspect) or some other person to infiltrate an organized criminal group.
Informants may or may not be criminals. They are used in undercover operations because they can provide
access to closed organized criminal groups, places or spaces where members of those groups gather and/or
where the group members engage in and/or conspire to commit transnational organized crime. Undercover
operations are difficult and risky for those involved, and they require a significant investment in time and in
human, financial and technical resources.

114
 chapter VI.   Relevant procedural issues

The purpose of undercover operations is to gather evidence of crimes planned and those committed and to
obtain insight into the structure, organization and roles and/or identities of members of the organized crim-
inal group. In one case in the United States, a female victim of an international romance fraud notified law
enforcement authorities of the incident.346 An agent of Homeland Security Investigations, the investigative
component of the Department of Homeland Security of the United States, posed as the victim and continued
to communicate with the perpetrators. The communications helped criminal justice authorities to under-
stand the nature and scope of the international romance fraud and ultimately led to the perpetrators of this
fraud being brought to justice.

R v. Mara [2009] QCA 208 (Australia)

The defendant (D.R.M.), along with three others, made up the core members of a group that traded
child sexual abuse material via Internet newsgroups. The core members were responsible for
reviewing and admitting new members to the group. In addition, they served as “administrators” of
the group, along with two other group members. The group’s other members (i.e., those who were
not part of the core group and did not serve as administrators) were known in the group as “the
trustworthy”.a

No member of the group knew the true identities of the other members – only the nicknames pro-
vided by the members. To avoid detection by law enforcement authorities, the nicknames of mem-
bers and the location of the newsgroup were frequently changed, and members altered filename
extensions of child sexual abuse material to hide the true nature of what was being traded. Members
of the newsgroup also used encryption, and encryption keys were regularly changed. The child
sexual abuse material was traded in the newsgroup as binary files that could not be accessed with-
out a key.b

Despite being a member of a group that engaged in serious crime, the defendant was not charged
with a crime associated with organized crime, such as participation in an organized criminal group.
Instead, the perpetrator was charged with, pleaded guilty to and was sentenced for the following
offences:c

(a) Use of a carriage service (the Internet) to access child pornography material between
6 January 2006 and 29 February 2008;
(b) Use of a carriage service (the Internet) to cause child pornography material to be trans-
mitted to himself between the same dates;
(c) Use of a carriage service (the Internet) to transmit child pornography material between
the same dates;
(d) Recording an indecent visual image of a child under the age of 16 years without legitimate
reason between 31 December 2007 and 1 February 2008.

The defendant engaged in these crimes for his own sexual gratification and not for financial rea-
sons. Nevertheless, financial contributions were made by some members of the group to other
members when requests were made for custom-ordered child sexual abuse material.d

In 2006, law enforcement authorities infiltrated the group and conducted an undercover operation
that lasted 26 months.e At the time of the investigation, there were 43 members of the group.f Even
though the defendant cooperated with investigators, the identities of other members of the group
could not be determined. The defendant was sentenced to six years’ imprisonment. A subsequent
appeal lodged by the defendant on the basis that the sentence was manifestly excessive was
unsuccessful.

United States of America v. Oladimeji Seun Ayelotan, Femi Alexander Mewase and Rasaq Aderoju Raheem, Case No. 17-60397,
346 

p. 2.

115
DIGEST OF CASES

R v. Mara [2009] QCA 208 (Australia) (continued)

For more information on this case, see UNODC, SHERLOC case law database, Case No. AUSx208.g
a
R v. Mara [2009] QCA 208, para. 6.
b
Ibid., para.7.
c
Ibid., para. 3.
d
Ibid., para. 8.
e
Ibid., para. 9.
f
Ibid.
g
Available at https://sherloc.unodc.org/.

Undercover operations can also involve the infiltration of an individual into an organized criminal group or
illicit network to participate in its general criminal activity or in a specific illicit business.347 For example,
in the case of the DarkMarket site, an undercover FBI agent, posing as a cybercriminal, infiltrated the site
and eventually became one of the site’s administrators (i.e., Master Splyntr).348 In the Phantom Secure case,
the Royal Canadian Mounted Police purchased Phantom Secure devices, posed as drug traffickers and,
through their undercover operations, were able to establish that the company had tailored its services to
criminals.349 Undercover agents in the United States also posed as drug traffickers, met with the founder and
chief executive officer of Phantom Secure and were able to establish that the devices had been created to
facilitate serious crime.350
The present digest includes many cases in which undercover operations were used, particularly in cases
involving cyber-enabled crime.351 The legality of undercover operations varies depending on the jurisdic-
tion. In most jurisdictions, undercover officers are not allowed to encourage suspects to commit crimes that
they would not ordinarily commit, either as an agent provocateur or through entrapment.352 Countries also
place restrictions on the manner in which an undercover operation is conducted and on what those involved
in the operation can do (e.g., undercover law enforcement officers may not be allowed to commit any
crimes, or they may be allowed to commit only certain crimes). The use of informants is also regulated in
order to protect informants and to ensure that guidelines are in place on the use, management, supervision
and, where relevant, payment of informants.

3. Controlled delivery
Controlled delivery is defined in the Organized Crime Convention as a technique that allows “illicit or sus-
pect consignments to pass out of, through or into the territory of one or more States, with the knowledge
and under the supervision of their competent authorities, with a view to the investigation of an offence and
the identification of persons involved in the commission of the offence”.353 This technique was initially used
to combat drug trafficking. The United Nations Convention against Illicit Traffic in Narcotic Drugs and
Psychotropic Substances of 1988 regulates the use of this special investigative technique for investigating
cases involving drug trafficking. In article 1, paragraph (g), of the Convention, “controlled delivery” is
defined as a technique allowing illicit or suspect consignments of narcotic drugs, psychotropic substances,
substances in Table I or II of the Convention (i.e., precursor chemicals) or substances substituted for them,
to pass out of, through or into the territory of one or more countries, with the knowledge and under the

347 
UNODC, Digest of Organized Crime Cases, p. 42.
348 
United States, Federal Bureau of Investigation, “‘Dark Market’ takedown: exclusive cyber club for crooks exposed”,
20 October 2008.
349 
United States of America v. Vincent Ramos, Case No. 3:18-CR-01404-WQH.
350 
Ibid.
351 
See, for example, United States of America v. Gal Vallerius (Dream Market); Germany, LG Limburg, Urteil vom 07.03.2019,
1 KLs – 3 Js 73019/18; United States of America v. Eoin Ling Churn Yeng and Gal Vin Yeo Siang Ann, Case No. 3:16 CR 00090;
United States of America v. Dylan Heatherly, No. 19-2424 and United States of America v. William Staples, No. 19-2932. There
are, however, exceptions. See, for example, United States of America v. Aleksandr Andreevich Panin and Hamza Bendelladj, Case
No. 1:11-CR-0557-AT-AJB (SpyEye).
352 
CTOC/COP/WG.7/2013/2, para. 18.
353 
Organized Crime Convention, art. 2, para. (i).

116
 chapter VI.   Relevant procedural issues

supervision of their competent authorities, with a view to identifying persons involved in the commission
of offences established in accordance with the Convention.
Controlled delivery is also used in the investigation of other forms of transnational organized crime. This
special investigative technique has been used to identify and trace the origin, route and destination of illegal
goods and trafficked wildlife specimens. It has also been used where contraband is identified or intercepted
in transit and then delivered under surveillance to identify the intended recipients or to monitor its subse-
quent distribution throughout a criminal organization.354 While controlled delivery has also been used in
cases involving the smuggling of migrants and trafficking in persons, and increasingly in cases involving
firearms trafficking, its use for investigating those crimes is problematic and has usually been limited to
exceptional circumstances, and it is used only if specific conditions are met (e.g., sufficient safeguards are
in place to ensure protection of victims).355 Overall, the methods that can be used involve intercepting illicit
or suspect consignments and doing one of the following: (a) allowing them to continue to their destination
intact; (b) replacing them in whole or in part and then allowing them to continue to their destination; or
(c) removing the identified illicit or suspect consignments.356 The legality, conditions and limits for the use
of this special investigative technique vary by country.357

United States v. Anthony Blane Byrnes, Case No. 3:20-CR-192 (W.D.N.C. 2020)
(United States of America)
The defendant (A.B.B.) conspired with an organized criminal group (i.e., a regional drug trafficking
organization) to distribute and to possess with the intent to distribute controlled substances, such
as stimulant and hallucinogenic drugs (e.g., DMT, lysergic acid diethylamide (LSD), 3,4-methylene-
dioxymethamphetamine (MDMA, commonly known as “ecstasy”)).a According to the criminal com-
plaint, he came to the attention of law enforcement authorities when United States Customs and
Border Protection intercepted a package from Slovenia that was addressed to the defendant. The
package was found to contain narcotic drugs. Law enforcement authorities arranged for the con-
trolled delivery of the package to the defendant’s address. After law enforcement officers observed
the defendant collecting the package and bringing the package into his residence, they executed a
search warrant for the defendant’s residence. During the search of the defendant’s residence, they
found and seized different forms of controlled drugs, as well as a firearm and ammunition. The
defendant revealed to law enforcement authorities that the controlled drugs had been purchased
via the Empire Market darknet site. The defendant also revealed that he had facilitated the pur-
chase of controlled drugs with bitcoins and used his mobile phone and certain phone applications
to communicate with other conspirators and otherwise facilitate drug trafficking. He was sentenced
to 5 years and 11 months of imprisonment.b

For more information on this case, see UNODC, SHERLOC case law database, Case No. USAx210.c

a
United States District Court, Western District of North Carolina, United States of America v. Anthony Blane Byrnes, p. 1.
b
United States Attorney’s Office, Western District of North Carolina, “Huntersville, N.C. man is sentenced to prison for
trafficking narcotics on the dark web using bitcoin ATMs & virtual wallets”, press release, 10 September 2020.
c
Available at https://sherloc.unodc.org/.

354 
UNODC, Legislative Guide for the Implementation of the United Nations Convention against Transnational Organized Crime,
para. 443.
355 
Ignacio Miguel de Lucas Martín and Cristian-Eduard Stefan, Transnational Controlled Deliveries in Drug Trafficking
Investigations Manual, co-funded by the European Commission Directorate-General Migration and Home Affairs, as a result of
the project “Enhancing the cooperation of European Union Legal Enforcement Agencies for successful drug controlled deliveries”
(JUST/2013/ISEC/DRUGS/AG/6412), pp. 48–49.
356 
UNODC, Legislative Guide for the Implementation of the United Nations Convention against Transnational Organized Crime,
para. 451.
357 
CTOC/COP/WG.7/2013/2, pp. 6–7.

117
DIGEST OF CASES

4. Other techniques
Other special investigative techniques include the use of “exploits” (codes that take advantage of software
vulnerability or security flaws to allow intruders to remotely access a network and gain elevated privileges),
malware and hacking to access sites, servers and tools used by cyber organized criminal groups. Taking
advantage of exploits in ICT, hacking and using malware are becoming more commonplace as special
investigative techniques in some countries. This, in turn, has raised concern about the impact of these tech-
niques in terms of respect for the rule of law and respect for human rights. One example is the law enforce-
ment operation known as Trojan Shield, in which law enforcement agencies ran a sting operation providing
mobile phones that performed a single function hidden behind a calculator app: sending encrypted mes-
sages and photographs.358
In the United States, these techniques have been labelled “network investigative techniques”. Such techniques
were used in Operation Pacifier, a law enforcement operation that shut down Playpen, one of the largest sites on
the darknet, which had housed child sexual abuse material and child sexual exploitation material. Once the FBI
gained access to the Playpen server, it was copied and the FBI continued to operate the Playpen website on its
own server. After the FBI agents gained control of the server and the site, they placed malware on a link on the
site. Once users clicked on the link, the malware was downloaded on their device and used to identify the
IP addresses and ultimately other identifying data of those who had accessed the site and clicked on the link.
The so-called network investigative technique used in the operation that resulted in the Playpen site being
shut down has been referred to as a “watering hole attack”.359 The network investigative technique config-
ured the target server to install software on the devices of users accessing the site.360 Once downloaded on
the user’s device, identifying information about the user’s device was relayed to the FBI.361 The information
collected from the use of the network investigative technique was used to effectuate the arrest of persons in
various countries. In each of the countries, the law enforcement authorities utilized the information obtained
using the network investigative technique to arrest perpetrators within their country’s borders. Searches
based on information obtained from the use of the network investigative technique were thus viewed as
permissible by the authorities in those countries. In the United States, certain features of the source code of
the network investigative technique are classified and requests to reveal the technique source code have
been denied,362 even when this denial has resulted in the dismissal of charges against defendants.363 In addi-
tion to taking advantage of known software vulnerabilities and/or exploiting “zero-day vulnerabilities”
(software vulnerabilities unknown to those interested in fixing them, including the vendor of the software),
law enforcement agencies have also used malware such as keylogging software (software recording the
keystrokes of users) in investigations of members of organized criminal groups.364

D. Collection and use of electronic evidence

There are several challenges to the collection and use of electronic evidence (also known as digital evidence)
in criminal proceedings. Before it can be introduced as evidence in a court of law, its authenticity and integrity
must be established by examining the processes, methods and tools used in the collection, acquisition, preser-
vation and analysis of the electronic evidence. The volume, volatility, velocity and fragility of data serve as

Yan Zhuang, Elian Peltier and Alan Feuer, “The criminals thought the devices were secure, but the seller was the FBI”,
358 

The New York Times, 9 June 2021.

A “watering hole attack” involves infecting with malware sites most frequented by targets, in an attempt to gain access to the
359 

targets’ systems, networks and/or data. (Maras, Cybercriminology, p. 382).

360 
United States District Court, District of South Carolina, United States of America v. Jamison Franklin Knowles, 207 F. Supp.
3d 585, 14 September 2016.
361 
Ibid.
362 
See, for example, United States Court of Appeals, Seventh Circuit, United States of America v. Neil Kienast, 907 F. 3d 522,
23 October 2018.
363 
See, for example, United States District Court, Eastern District of Virginia, United States of America v. Gerald Andrew Darby,
Case No. 2:16CR36, Government’s response to defendant’s motion to compel, 16 June 2016; and United States District Court, Western
District of Washington, United States of America v. Jay Michaud, Government’s unopposed motion to dismiss indictment without
prejudice (2017).
364 
United States District Court, District of New Jersey, United States of America v. Nicodemo S. Scarfo et al., 180 F. Supp. 2d 572,
26 December 2001.

118
 chapter VI.   Relevant procedural issues

obstacles to introducing the data as evidence in court. Moreover, given the cross-border nature of cyber organ-
ized crime and the different legal systems around the world, the rules of evidence vary between countries. This
variation serves as an obstacle to the collection, requesting and use of electronic evidence in national courts.
What also varies between countries are the conditions and safeguards for the collection and use of electronic
evidence in courts of law in a manner that respects the rule of law and human rights. The conditions and safe-
guards for the collection and use of electronic evidence predominantly require judicial or other independent
supervision and delineate and place limits on the procedures, processes, methods and tools used to collect,
acquire, preserve and analyse electronic evidence. National laws include provisions on rules of evidence,
investigative powers and criminal procedure that relate to data collection and use. Some of these investigative
powers and rules are discussed below, particularly the expedited preservation of data, production orders, the
real-time collection of data and the interception of content data.

1. Expedited preservation of data

Data preservation seeks to maintain data that are already stored, in order to prevent their deletion or altera-
tion. Data preservation, however, does not require data that are not already being stored to be kept in the
future. The stored data sought during an investigation of cyber organized crime may not exist for various
reasons. For example, they may not be stored because storing them was deemed unnecessary for business
reasons; they may have been deleted; or they may have been overwritten. Data protection laws may also
require the deletion of specific data after a period of time. To address these issues, the investigative power
of requesting the preservation of data was introduced into multilateral, regional and national laws.
The expedited preservation of data applies to stored data, not to the real-time collection of traffic data
(i.e., data about communications)365 or content data (i.e., written or spoken words in communications).
Here, only a request is made for the data to continue to be stored. Generally, preserved data cannot be
accessed by criminal justice authorities pursuant to this request but a legal order is required in order to
access preserved data (i.e., a subpoena, court order or search warrant). Preservation orders do not exist in
some countries. In such countries, data can only be preserved and ultimately collected through the use of
production orders (discussed in chap. VI, sect. D.2, below) or searches and seizures. Requests for the pres-
ervation and production of data may be met with non-compliance, especially if there are concerns about the
breadth of the requests (e.g., the requests may not be for data on specific individuals but are blanket requests
for data) and their legality (e.g., concerns relating to privacy or other human rights).
To protect the privacy of the subjects of the preservation order, the preserved data are maintained for a lim-
ited period of time. This time period varies by country. For example, in Kenya, preserved data are to be
maintained for a period of 30 days, whereas in Sri Lanka, they are to be preserved for a period of 7 days.366
These periods can be extended in many jurisdictions, often with a legal order (e.g., a court order). The
Council of Europe Convention, which is intended to serve as a guideline for national legislation and a
framework for international cooperation, provides for the preservation of data for a maximum period of
90 days, with the possibility of extension (see art. 16).

2. Production orders
A production order compels the recipient of the order to provide and/or grant access to information (or
material) to those requesting it within a specific period of time. The recipient of the order can be an individ-
ual within a territory, a service provider367 within a territory or a service provider that provides services
within that territory. Georgia, for example, has an international production order that may be used to
empower a Georgian judge to issue a production order in respect of persons or entities outside of the

According to article 1, paragraph d, of the Council of Europe Convention on Cybercrime, “traffic data” refers to “any computer
365 

data relating to a communication by means of a computer system, generated by a computer system that formed a part in the chain of
communication, indicating the communication’s origin, destination, route, time, date, size, duration, or type of underlying service”.
Similar descriptions are included in national laws, such as the Computer Misuse and Cybercrimes Act, 2018, of Kenya and Republic
Act No. 10175 of the Philippines (also known as the Cybercrime Prevention Act of 2012).
366 
Kenya, Computer Misuse and Cybercrimes Act, 2018; Sri Lanka, Computer Crime Act No. 24 of 2007; A/74/130,
paras. 349–361.
A public or private entity that provides telecommunication and electronic communication services.
367 

119
DIGEST OF CASES

territorial jurisdiction of Georgia if the following conditions are met: agreement of the person who is the
subject of the order with the voluntary disclosure of electronic data; and permission from the host country
of the foreign entity for such disclosure through its laws or executive policies.368 Like a preservation order,
a production order only applies to data already stored and does not require data about future communica-
tions to be stored. The data referred to in the production order are computer data and/or subscriber data
(i.e., information held by a service provider that relates to subscribers of its services).369
The authority that can compel disclosure of subscriber data varies by country. Some countries (e.g.,
Australia, Denmark, Finland and the United Republic of Tanzania) provide law enforcement agencies with
the authority to order the disclosure of this information, while other countries (e.g., Azerbaijan, Bosnia and
Herzegovina, Jamaica and Romania) require prosecutorial or judicial authorization to compel disclosure.370
Some countries have designated persons or specialized agencies that compel disclosure of subscriber data
(e.g., specialized directorates and departments of the state agency in Bulgaria and the State Attorney in
Croatia).371 In other countries (e.g., Austria), the authorizing agency depends on the type of subscriber
data.372 Some countries have different requirements for obtaining communication traffic data (e.g., rather
than police obtaining access to such data, judicial authorization is required).373 These countries view the
interference with the rights of individuals to be substantially different when obtaining subscriber informa-
tion than when obtaining communication traffic data. For this reason, different rules apply for obtaining
such information.374 Overall, the conditions for compelling disclosure and/or obtaining subscriber informa-
tion and communication traffic data differ from country to country.

Tribunal Penal del Tercer Circuito Judicial de San José, Causa penal
número 15-001824-0057-PE & Causa Penal número 19-000031-0532-PE
(Operación R-INO) (Costa Rica)
A criminal group (R.Z.R., L.G.G., J.M.R.F., V.V.C., E.D.S.C. and J.T.N.R.) with a structured division of
roles and with members from Brazil, Costa Rica and Mexico was dedicated to producing, dissemi-
nating and commercializing child sexual abuse material and child sexual exploitation material on
different websites. The members of the criminal group in Mexico (R.Z.R., L.G.G. and J.M.R.F.) were
Mexican nationals. R.Z.R. was the head of the organization in Mexico. L.G.G., his wife, was in charge
of making payments (through a well-known money transfer service) to E.S.C., who was located in
Costa Rica, for the logistics of the production of child sexual abuse material. J.M.R.F. was in charge
of transferring money obtained from the commercialization of the child sexual abuse material and
child sexual exploitation material on their websites to accounts in Texas and to bank accounts in
Mexico City. V.V.C., a Mexican national operating from Brazil and Mexico, was in charge of recruiting
victims and producing child sexual abuse material and/or child sexual exploitation material. The
recruitment of victims, mostly minors, took place through a modelling agency, promoting castings

368 
A/74/130, para. 109.
369 
According to article 18, paragraph 3, of the Council of Europe Convention on Cybercrime, the term “subscriber information”
refers to any information contained in the form of computer data or any other form that is held by a service provider, relating to sub-
scribers of its services other than traffic or content data and by which can be established: (a) the type of communication service used,
the technical provisions taken thereto and the period of service; (b) the subscriber’s identity, postal or geographical address, telephone
and other access number, billing and payment information, available on the basis of the service agreement or arrangement; and
(c) any other information on the site of the installation of communication equipment, available on the basis of the service agreement or
arrangement. Similar descriptions are included in national laws, such as the Computer Misuse and Cybercrimes Act, 2018, of Kenya
and the Cybercrime Prevention Act of 2012 of the Philippines.
370 
Cybercrime Convention Committee, Rules on Obtaining Subscriber Information, report adopted by the Cybercrime Convention
Committee at its 12th Plenary (Strasbourg, France, 2–3 December 2014), pp. 17–20; United Republic of Tanzania, Cybercrimes Act
of 2015; Jamaica, Cybercrimes Act of 2015.
371 
Cybercrime Convention Committee, Rules on Obtaining Subscriber Information.
372 
Ibid.
373 
Ibid., pp. 26–28.
374 
Ibid., p. 28.

120
 chapter VI.   Relevant procedural issues

through social networking sites. Several photographers conducted auditions with minors and pro-
duced child sexual abuse material involving girls for distribution on websites. The other two mem-
bers, E.D.S.C. and J.T.N.R., were located in Costa Rica. E.D.S.C. was responsible for creating and
registering different websites, whereas J.T.N.R. was responsible for recruiting victims and produc-
ing child sexual abuse material and/or child sexual exploitation material.

The members of the organized criminal group created various pages redirecting users to other
sites to ensure that the web pages of the sites containing child sexual abuse material and/or child
sexual exploitation material were restricted in the public IP addresses assigned to Costa Rica so
that they could be accessed only from abroad. In this way, they tried to control their visibility and
cover the traces of the crime. Membership rights to access the content were paid through a sepa-
rate website (www.support-gurus.com) via encrypted online transactions. The membership cost
was US$ 30 a month for accessing material that included child sexual abuse and exploitation
images and video recordings.

The investigation was carried out by the human trafficking and migrant smuggling unit of the judi-
cial investigation agency of Costa Rica. The investigation of the Internet domains resulted in the
identification of 41 websites on which material involving the sexual abuse of girls from Brazil, Costa
Rica and Mexico was commercialized. Some of the websites were registered by individuals from
those three countries, which allowed each of the members of the organized criminal group to be
identified. The sites on the dark web were accessed using Tor, due to geoblocking (technology that
restricts access to Internet content on the basis of the user’s geographical location). An undercover
agent used a fictitious email address to create an account and access the sites. A significant amount
of child sexual abuse material and child sexual exploitation material was downloaded and used as
evidence for the case.

For the first time in Costa Rica, raids were carried out on websites by means of a court order
(decision made by a judge of the Republic).

On 2 February 2017, an application was sent to the Ministry of Public Security for authorization by
the computer crime section of the judicial investigation agency to enter the investigated websites.
Subsequently, a request was made to extend the authorization to allow access to and the examina-
tion and collection of child sexual abuse material and/or child sexual exploitation material. This is
referred to as the jurisdictional order of the criminal judge of San José for authorization to access,
examine and obtain material with child pornographic content from Internet websites. This request
indicated the reasons why it was necessary to expand the search and obtain the material.

On 15 March 2017, a fiscal request and jurisdictional order of the criminal judge of San José was
submitted by the Ministry to the criminal court to allow sexual abuse material to be accessed on
and obtained from the websites. The request was approved and ordered by the judge.

Only two members of the organized criminal group were prosecuted in Costa Rica (E.D.S.C. and
J.T.N.R.). E.D.S.C. was sentenced to 39 years’ imprisonment for several charges relating to criminal
association, trafficking in persons, child sexual abuse and production and distribution of child
sexual abuse material and child sexual exploitation material, among other offences. J.T.N.R.
received 149 years and 4 months of imprisonment for several charges relating to criminal associa-
tion, production and distribution of child sexual abuse material and child sexual exploitation mate-
rial, and trafficking in persons, among other offences. J.T.N.R.’s sentence was subsequently
reduced to 28 years’ imprisonment.

For more information about this case, see UNODC, SHERLOC case law database, Case No. CRIx007.a

a
Available at https://sherloc.unodc.org/.

121
DIGEST OF CASES

3. Real-time collection of communication traffic data

Real-time collection of communication traffic data involves obtaining currently generated communications
at the time the communications are taking place. A copy of the data is made during the collection process.
The real-time collection of data lasts for a specific period of time.375 This process does not prevent data from
reaching the intended recipients. The targets of the real-time collection of such data are not notified of the
surveillance, at least not when the surveillance and investigation are still in progress.376 Several national
laws include provisions that require service providers and other individuals involved in the investigation,
collection and provision of data to keep confidential the investigation, surveillance, targets of the data col-
lection and/or the type of information sought.377 Service providers are only required to collect data in real
time if they have the technical and human capabilities to do so.378
The real-time collection of communication traffic data affects the privacy rights of those targeted by this
investigatory power. Privacy is a fundamental human right that is enshrined in human rights treaties, such
as the Universal Declaration on Human Rights (art. 12), the European Convention on Human Rights
(art. 8), the International Covenant on Civil and Political Rights (art. 17) and the American Convention on
Human Rights (art. 11). An important element of this right is data protection. Traffic communication data
can reveal private information, especially when the data are consolidated. For this reason, many countries
have implemented limits and safeguards regarding the use of these powers (for more information, see
chap. VI, sect. D.4, below).

United States v. Steven W. Chase, Case No. 5:15-CR-00015 (W.D. North Carolina,
8 May 2017) (United States of America)
The defendant, S.W.C., created and served as the administrator for Playpen, a darknet bulletin
board and website dedicated to trade in child sexual abuse material. Users of Playpen were able to
anonymously exchange and purchase illicit material via bulletin boards and communicate with
other users via forums, subforums and private messaging. On the site, child sexual abuse material
was organized by age and gender of the victim (including male and female toddlers, prepubescents
and pubescents) under different “boards”.

As an administrator of the site, S.W.C. ran the site and was responsible for tasks such as handling
the technical needs of the site, hosting the site, developing and enforcing the rules of the site,
admitting new members and deleting existing members.a Playpen also had moderators who were
responsible for deleting content deemed to be not relevant or inappropriate, moving content to the
appropriate forum if it was posted in the wrong location and banning users for violating the rules of
the site.b

S.W.C. was charged with and tried and convicted for engaging in a child exploitation enterprise
(United States Code, Title 18, sect. 2252A (g)), advertising child sexual abuse material (Title 18, sect.
2251 (d) and (e)), transporting child sexual abuse material (Title 18, sect. 2252A (a), para. (1), and
(b), para. (1)), and possessing child sexual abuse material that involved a prepubescent minor or a
minor under 12 years of age (Title 18, sect. 2252A (a), para. (5)(B), and (b), para. (2)).c He was sen-
tenced to 30 years’ imprisonment for engaging in a child exploitation enterprise and for advertising
child sexual abuse material and to 20 years’ imprisonment for transporting child sexual abuse

375 
Generally, the period of time is included in national laws. For example, in Pakistan the period of time for real-time collection
of data is set at seven days (see section 36 of the Prevention of Electronic Crimes Act of 2016).
376 
Certain countries have provisions in law to contact the targets of the collection after the fact (e.g., Georgia, the Republic of
Moldova, and Ukraine). For more information, see Council of Europe experts under the Cybercrime@EAP III project, Conditions and
Safeguards under Article 15 of the Convention on Cybercrime in the Eastern Partnership (May 2018).
377 
See, for example, Sri Lanka, Computer Crimes Act No. 24 of 2007, sect. 24; United Republic of Tanzania, Cybercrimes Act of
2015, sect. 21; and Pakistan, Prevention of Electronic Crimes Act of 2016, sect. 38.
378 
See, for example, Mauritius, Computer Misuse and Cybercrime Act 2003, sect. 15, para. 1.

122
 chapter VI.   Relevant procedural issues

material and possessing child sexual abuse material involving a prepubescent minor or a minor
under 12 years of age.d Since his sentences run concurrently, he will serve 30 years’ imprisonment
for his crimes. Another administrator of the site (M.M.F) and a so-called “global moderator” (D.B.),
who pleaded guilty to engaging in a child exploitation enterprise, likewise received lengthy terms of
imprisonment (i.e., 20 years).e Other members of the site have also been prosecuted in separate
cases.f

After S.W.C’s arrest, the server in North Carolina, where Playpen was hosted, was seized by the FBI
and a copy of the server was made on a government-controlled server located in Virginia. The FBI
also obtained legal authorization – a search warrant – to use a network investigative technique. The
FBI further received judicial authorization in the form of a wiretap authorization (i.e., a “Title IIIg
authorization”) to monitor Playpen site users for a limited period of time. The court-authorized
network investigative technique enabled the FBI to identify users of the site – their identities and
locations. To assist in the identification of the users of the devices that accessed Playpen by enter-
ing the site through their registered account (as well as the users’ location), IP addresses and
media access control addresses (in addition to other information) were collected.h The monitoring
of all of Playpen’s postings and messages was conducted by the FBI in accordance with Title III of
the Omnibus Crime Control and Safe Streets Act of 1968.i These court authorizations, therefore,
legally enabled the FBI to obtain real-time communication traffic data and content data (for more
information on the real-time collection of content data, see chap. VI, sect. D.4, below).

For further information about this case, see UNODC, SHERLOC case law database, Case No.
USAx151.j

a
United States District Court, Western District of North Carolina, United States of America v. David Lynn Browning, Case
No. 3:15MJ279, Affidavit of Karlene Clapp in support of complaint and arrest of David Lynn Browning, 29 July 2015, para. 10.
b
Ibid.
c
United States District Court, Western District of North Carolina, United States of America v. Steven W. Chase, Case
No. 5:15-CR-00015-001.
d
Ibid., p. 1.
e
United States District Court, Western District of North Carolina, United States of America v. David Lynn Browning, Case No.
5:15 CR 15-RLV, Plea Agreement, 10 December 2015; United States of America v. Michael Fluckiger, Case No. 5:15 CR 15-RLV,
Plea Agreement, 24 November 2015.
f
See, for example, United States Court of Appeals, Fifth Circuit, United States of America v. Daryl Pawlak, Case No. 17-11339,
15 August 2019.
g
Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (also known as the Wiretap Act).
h
United States District Court, Eastern District of Virginia, In the matter of the search of computers that access upf45jv3bziuctml.
onion, Case No. 1:15-SW-89, 20 February 2015, p. 25.
i
United States District Court, Western District of North Carolina, United States of America v. Steven W. Chase, Case No.
5:15-CR-15-RLV, 1 September 2016, p. 9.
j
Available at https://sherloc.unodc.org/.

4. Interception of content data

In some countries, a distinction is made between real-time collection of communication traffic data and
real-time interception of content data. Several countries distinguish between real-time collection of these
two types of data by requiring different legal prerequisites to authorize the use of investigatory powers for
the real-time collection of traffic data and content data.379 Certain countries even stipulate the crimes for
which these investigatory powers would be authorized.380 Generally, real-time interception of content data
is authorized only for serious crimes, as defined in national laws. Other countries381 do not distinguish
between real-time collection of traffic data and interception of content data and do not have different legal
requirements for the real-time collection of traffic data and content data.

379 
For more information, see Council of Europe experts under the Cybercrime@EAP III project, Conditions and Safeguards under
Article 15 of the Convention on Cybercrime.
380 
Ibid.
381 
For example, Armenia and Azerbaijan (see Council of Europe experts under the Cybercrime@EAP III project, Conditions and
Safeguards under Article 15 of the Convention on Cybercrime).

123
DIGEST OF CASES

The interception of content data interferes with the privacy of communications. Because it is a privacy-in-
vasive measure, safeguards and limits have been placed on its use in investigations in national law. Important
limits that have been identified in national law and human rights case law are: the time limits placed on the
use of these powers; restriction of the use of these powers to certain serious crimes; limiting the use of these
powers to specific individuals being investigated for serious crimes; and the use of these powers as a last
resort, when other less invasive means are not as effective.382 Essential safeguards in national law for the use
of this investigatory power are legal orders (i.e., search warrants and wiretaps) and judicial or other inde-
pendent supervision.383 In Australia, for example, safeguards include requirements for the judicial authority
to exercise power, parliamentary reporting requirements, the right of defendants to challenge the admissi-
bility of evidence and the right of review, and the oversight of all telecommunications warrants by the
Commonwealth Ombudsman.384 Both the real-time collection of communication traffic data and the inter-
ception of content data are considered special investigative techniques (see chap. VI, sect. C, above).385
In some countries,386 notification for the real-time collection of traffic data and/or the interception of content
data is not required.

Tribunal de grande instance de La Roche-sur-Yon, 24 septembre 2007 (France)

In 2006, an organized criminal group consisting of six identified members perpetrated a romance
scam using dating websites. Members of the group would pass as a woman having recently inher-
ited money and needing help to get the money from Nigeria to France. They would offer 25 percent
of the inheritance in exchange for help in obtaining a suitcase containing the inheritance in bank-
notes that had been physically darkened for protection from theft. The group would forge docu-
ments showing that the suitcase had passed customs and would arrange to meet the victims in
person to hand over the suitcase. The leader of the group would pretend to be a diplomat, while
other group members would cover different roles functional to the scam, acting as, for example, his
chauffeur (A.O.), his secretary (V.E.) and handlers of the banknotes (C.E. and A.O.). Another member
(M.C.) would act as the director of a chemical company and show the victims how to bleach the
darkened banknotes in order to return them to their original state. The group would then ask the
victim for €50,000 in exchange for the chemicals to bleach the banknotes.

During the investigation, F.A. was arrested and placed in pretrial custody. The real-time collection
of content data (in particular, telecommunications data) as a result of the wiretapping of members
of the group revealed that M.C. had taken the lead and continued the scam while F.A. was in cus-
tody. M.C. and A.O were subsequently arrested and placed in pretrial custody. A European arrest
warrant was issued for C.E., one of the members of the group, but as authorities were not able to
locate him, he was tried in absentia.

Of the six defendants arrested in this case, five were charged with and sentenced for committing
fraud as part of an organized criminal group (F.A., A.O., V.E., M.C. and C.E.). One of the defendants
(V.E.) had her sentence suspended. The remaining defendants were sentenced to five years’

382 
For example, the time limit in Georgia and the Republic of Moldova is one month; in Ukraine, two months; and in Armenia
and Azerbaijan, six months. Provisions in law also enables the extension of the period of interception under certain circumstances
(Council of Europe experts under the Cybercrime@EAP III project, Conditions and Safeguards under Article 15 of the Convention
on Cybercrime).
383 
See, for example, national laws in Belarus, Georgia and Sri Lanka (Council of Europe experts under the Cybercrime@EAP
III project, Conditions and Safeguards under Article 15 of the Convention on Cybercrime; Sri Lanka, Computer Crime Act No. 24
of 2007).
384 
A/74/130, para. 28.
385 
See, for example, Republic of Moldova (Council of Europe experts under the Cybercrime@EAP III project, Conditions and
Safeguards under Article 15 of the Convention on Cybercrime, pp. 51–52).
386 
For example, Armenia and Azerbaijan (Council of Europe experts under the Cybercrime@EAP III project, Conditions and
Safeguards under Article 15 of the Convention on Cybercrime).

124
 chapter VI.   Relevant procedural issues

imprisonment (F.A., M.C. and C.E.) and three years’ imprisonment (A.O.), in addition to being
ordered to pay varying amounts of compensation to the victims. The sixth defendant (A.A.) was
charged with receiving money obtained from the fraud but was ultimately acquitted by the court.

For more information on this case, see UNODC, SHERLOC case law database, Case No. FRAx029.a

a
Available at https://sherloc.unodc.org/.

5. Destruction of evidence and interference with law enforcement investigations

Perpetrators of cyber organized crime use a variety of techniques to interfere with the availability and col-
lection of evidence relating to their crimes. In particular, they use numerous techniques to hide, obfuscate,
delete or destroy digital data. To hide the data, they use encryption, which blocks access to the data from
those who do not have access to the relevant encryption key, such as law enforcement agencies.387 Privacy-
enhancing technologies, such as virtual private networks and Tor, are also used.388 Digital data can be obfus-
cated by using tactics such as the use of proxy servers to mask or hide IP addresses.389 Finally, the deletion
and destruction of digital data can be done by manually deleting data and destroying hardware.390 Members
of the Bored group, an international child sexual exploitation group (see the box in chap.V, sect. B.6),
deleted data from their devices and drilled holes in hard drives.391 In Regina v. Reece Baker and Sahil Rafiq,
the appellants had deleted content from their computers, and one defendant wiped their computer once he
had been informed that he was under investigation.392 In United States of America v. Paras Jha (the Mirai
botnet case), the defendant not only securely erased the virtual machine used to run Mirai on his device, but
also posted the Mirai code online, in order to create plausible deniability if law enforcement authorities
found the code on computers controlled by the defendant or the other conspirators.393 Data can also be dam-
aged and destroyed through the use of software that is designed to wipe data from digital devices. For
example, one of the defendants in the Infraud case wiped data from his smartphone and used a tool to erase
data from his hard drives before he surrendered them to the authorities.394 All of the aforementioned tools
are called “anti-forensic” tools because they are designed to remove, alter, disrupt or otherwise interfere
with evidence of criminal activities on digital systems, similar to how criminals would physically remove
evidence from crime scenes.395 These anti-forensic tools can be used to obstruct justice by destroying and
concealing evidence from law enforcement authorities.

E. International cooperation
International cooperation involves countries working together to achieve common goals. Cooperation
between criminal justice authorities in different countries can include the sharing of information and human,
technical and/or financial resources during investigations and prosecutions of cyber organized crime.
International cooperation is dependent on existing relationships between countries. This type of interna-
tional cooperation can be informal or formal. Informal international cooperation is based on criminal justice

387 
Europol, Internet Organised Crime Threat Assessment 2020, p. 17; United States of America v. John Doe #1, Edward Odewaldt,
et al. (Dreamboard members used encryption).
388 
Europol, Internet Organised Crime Threat Assessment 2020, p. 17.
389 
United States of America v. John Doe #1, Edward Odewaldt, et al. (Dreamboard members used proxy servers).
390 
United Kingdom, Royal Courts of Justice, Regina v. Reece Baker and Sahil Rafiq [2016] EWCA Crim 1637, 2016 WL 06476265.
391 
United States of America v. Caleb Young, p. 15.
392 
Regina v. Reece Baker and Sahil Rafiq [2016] EWCA Crim 1637.
393 
United States of America v. Paras Jha, chap. II, sect. C, para. 8.
394 
United States District Court, District of Nevada, United States of America v. Valerian Chiochiu, 10 April 2019; United States of
America v. Valerian Chiochiu, Case No. 2:17-CR-306-JCM-PAL, Plea Agreement, 31 July 2020.
395 
Kevin Conlan, Ibrahim Baggili and Frank Breitinger, “Anti-forensics: furthering digital forensic science through a new
extended, granular taxonomy”, Digital Investigation, vol. 18 (2016), p. 67.

125
DIGEST OF CASES

actor cooperation between countries. Formal international cooperation can be based on multilateral, regional
or bilateral treaties. The Organized Crime Convention can serve as a basis for formal international cooper-
ation as it includes provisions on mechanisms to facilitate such cooperation. States parties to the Convention
are required to take measures that facilitate various forms of international cooperation, including extradi-
tion, mutual legal assistance, law enforcement cooperation and joint investigations. Each of these measures
is discussed in the present section.

R v. Ionut Emanuel Leahu [2018] EWCA 1064 (Crim) (United Kingdom)

The appellant, I.E.L., along with other defendants in the case (P., B. and M.), men from the Republic
of Moldova and Romania, were part of an organized criminal group that obtained unauthorized
access to automatic teller machines (ATMs) in Great Britain by infecting the systems with malware
that was then used to remove large sums of money from them. On one long weekend in May 2014,
the group obtained unauthorized access to 51 ATMs. The appellant identified the ATMs that mal-
ware could be loaded onto and subsequently accessed the machines so that they could be infected
with the malware.

A few days after the bank fraud was perpetrated, the appellant and M. were arrested, interviewed
and subsequently released on bail. Following their release, they left the country, travelling on
flights to the Republic of Moldova (M.) and Romania (the appellant). Following the issuance of
European arrest warrants for both individuals, they were extradited to England.

The appellant pleaded guilty to conspiracy to defraud and was sentenced to 4 years and 10 months
of imprisonment. M. was sentenced to 2 years and 10 months of imprisonment for the same offence.
The other conspirators (P. and B.) received sentences of 5 years’ imprisonment and 7 years’ impris-
onment, respectively, for their roles in the fraud. The appellant’s subsequent appeal against his
sentence was unsuccessful.

For more information on this case, see UNODC, SHERLOC case law database, Case No. GBRx096.a

a
Available at https://sherloc.unodc.org/.

1. Extradition
Extradition involves the return of wanted fugitives to the country requesting extradition. Extraditions are
made possible with bilateral and/or regional treaties. Pursuant to the extradition treaty that the United States
has with Israel, for example, the administrator of Card Planet was arrested at an airport near Tel Aviv
and subsequently extradited to the United States from Israel, after having lost several appeals to prevent
his extradition.396
Extradition is governed by the domestic law of the States concerned, as well as any applicable bilateral or
multilateral treaties. Article 16, paragraph 4, of the Organized Crime Convention provides a legal basis for
extradition in respect of offences covered by that article in cases where there is no extradition treaty between
the States. Instruments governing extradition determine, among other things, the conditions for extradition
and any mandatory or discretionary grounds for refusal. Dual criminality is generally a prerequisite for
extradition; the aim is to ensure that the State in the territory of which a person is present will not extradite
him or her unless the offence for which the person is wanted is qualified as a crime in both States.397

United States of America v. Aleksei Yurievich Burkov.

396 

UNODC, Legislative Guide for the Implementation of the United Nations Convention against Transnational Organized Crime,
397 

paras. 473 and 492.

126
 chapter VI.   Relevant procedural issues

Some national laws concerning cybercrime expressly address extradition. A case in point is the Cybercrime
and Computer Related Crimes act of Botswana, adopted in 2007. Article 29 of the act holds that an offence
under the act shall be considered to be an extraditable crime for which extradition may be granted or
obtained under the Extradition Act, 1990. Without extradition treaties, a country has no obligation to extra-
dite a wanted fugitive to the requesting country. Nonetheless, even the existence of extradition treaties does
not guarantee that a wanted fugitive will be extradited to the country requesting the extradition.

ÚS 530/18 ze dne 27. 3. 2018 (Czechia)

In October 2020, Y.A.N., a Russian national, was sentenced to 88 months’ imprisonment in the
United States for hacking into social networks, including a well-known social network for profes-
sionals, and a file hosting service based in the United States and selling the information stolen
from this unauthorized access. He was extradited to the United States from Czechia.a He had
challenged a decision by the municipal court of Prague, as well as the rejection by the high court
of his appeal of the decision, to extradite him to the United States. He filed a complaint pursuant
to the Constitution, the Charter of Fundamental Rights and Freedoms of Czechia and the
Convention for the Protection of Human Rights and Fundamental Freedoms (the European
Convention on Human Rights).

The municipal court of Prague ruled on the proposal of the office of the public prosecutor regarding
the extradition of the complainant for two criminal prosecutions in different countries pursuant to
the Act on International Judicial Cooperation in Criminal Matters of Czechia, as amended. The
municipal court ruled that the extradition for both prosecutions was allowed and that the complain-
ant could, therefore, be extradited to the United States (to be prosecuted for unauthorized access
to systems and data) and to the Russian Federation (to be prosecuted for the theft of property over
the Internet within an organized criminal group). The municipal court held that the alleged acts that
were the subject of the prosecutions in the Russian Federation and the United States were consid-
ered crimes under Czech law. The municipal court also concluded that the due process rights of the
complainant would be respected in both countries. From the materials provided by the foreign
authorities, the municipal court held that the extradition was not prohibited under the Act on
International Judicial Cooperation in Criminal Matters.b According to the municipal court, the com-
plainant was a young, healthy man, and it could not be assumed that his extradition would cause
him disproportionate harm.

It is important to note that the complainant did not object to his extradition to the Russian
Federation. The complainant objected to his extradition to the United States. The municipal court
did not find any reason to object to the extradition of the complainant to the United States.
Furthermore, the municipal court held that the complainant’s objection to the extradition to the
United States, specifically, on the grounds that he would be subjected to a disproportionate pen-
alty were unfounded, especially since in the United States sentences for several crimes could be
served concurrently.

The complainant appealed the decision of the municipal court to the high court in Prague. After
reviewing the decision of the municipal court and the evidence presented by the complainant, the
high court rejected the appeal and similarly found that there were no grounds for prohibiting the
extradition of the complainant. The high court echoed many of the conclusions of the municipal
court, concluding that there were no facts presented that illustrated the risk of human rights viola-
tions and disproportionate sentencing of the complainant if he was to be extradited to the United
States. With regard to the latter, the high court rejected the complainant’s argument that he was at
risk of receiving a penalty of up to 54 years’ imprisonment in the United States. In rejecting this
claim, the high court noted that the penalty that he could receive for the alleged crimes ranged
from 12 to 14 years of imprisonment.

127
DIGEST OF CASES

ÚS 530/18 ze dne 27. 3. 2018 (Czechia) (continued)

The Constitutional Court held that the decisions of the municipal court and the high court met con-
stitutional requirements. The Court held that Czechia was obligated to comply with its international
obligations in the field of criminal law, unless other stronger international obligations (usually in
the field of protection of human rights) or the basic values of the Czech constitutional order took
precedence. The task of the courts in proceedings under section 95 of the Act on International
Judicial Cooperation in Criminal Matters was, in essence, to determine whether the request for
extradition met the basic requirements of this Act and whether extradition was not hindered by any
legal obstacle. The Constitutional Court concluded that the municipal court and the high court had
fulfilled this task. The Constitutional Court also held that differences in the approach of countries
with respect to criminal penalties were not in themselves grounds for non-compliance with inter-
national obligations, as long as the penalties and the treatment of offenders were in line with
human rights obligations. Ultimately, the Constitutional Court ruled that the constitutional com-
plaint of the applicant was manifestly unfounded.

When Y.A.N. was extradited to the United States and tried by a jury, he received a sentence of
7 years and 4 months of imprisonment for his offending.c

For more information on this case, see UNODC, SHERLOC case law database, Case No. CZEx002.d

a
United States Attorney’s Office, Northern District of California, “Russian hacker sentenced to over 7 years in prison for
hacking into three Bay Area tech companies”, press release, 30 September 2020. For information about the case and charges
against the defendant, see United States District Court, Northern District of California, United States of America v. Yevgeni
Nikulin, Case No. 16-CR-0440-WHA, Indictment, 20 October 2016. of an individual to a foreign country.
b
This Act includes criteria that would prohibit the extradition of an individual to a foreign country.
c
HHe was sentenced for selling stolen usernames and passwords, in violation of Title 18, section 1029 (a)(2), of the United
States Code; installing malware on protected computers, in violation of Title 18, section 1030 (a)(5); conspiracy, in violation of
Title 18, section 371; computer intrusion, in violation of Title 18, section 1030 (a)(2)(C); and aggravated identity theft, in violation
of Title 18, section 1028A (1) (United States Attorney’s Office, Northern District of California, “Russian hacker sentenced to over
7 years in prison”).
d
Available at https://sherloc.unodc.org/.

2. Mutual legal assistance

Mutual legal assistance is a crucial tool for international cooperation, enabling countries to receive and
provide assistance in the investigation, prosecution and adjudication of transnational organized crime. In
United States of America v. Eric Eoin Marques, for example, the FBI was able to obtain information that
confirmed the location of the Freedom Hosting server and, via a request to France for mutual legal assis-
tance, identified evidence that the subscriber to the Freedom Hosting server account was the defendant
(E.M.).398 When the server was seized, more than 8.5 million images and video recordings of suspected and/
or confirmed child sexual abuse material were found, almost 2 million of which were unknown to law
enforcement authorities at the time of the seizure.399
National laws and bilateral, regional and multilateral treaties, agreements and arrangements have been
enacted that permit mutual legal assistance between countries. Mutual legal assistance is used to facilitate
requests for assistance. For example, in United States of America v. Su Bin, a mutual legal assistance treaty
between Canada and the United States enabled Canadian authorities to seize documents and digital devices
and media suspected of containing proprietary data on behalf of the United States.400 These instruments
establish the nature and scope of the cooperation, the type of mutual legal assistance to be provided, the
rights and responsibilities of those requesting and providing mutual legal assistance, and the procedures to

398 
United States District Court, District of Maryland, United States of America v. Eric Eoin Marques, Case No. TDC-19-200,
Plea Agreement, 28 January 2020.
399 
Ibid.
400 
United States District Court, Central District of California, United States of America v. Su Bin, Case No. SA CR 14-131,
Plea Agreement, 22 March 2016, pp. 17–18 (SHERLOC case law database, Case No. USAx244).

128
 chapter VI.   Relevant procedural issues

be followed. Article 18 of the Organized Crime Convention provides for the establishment of a comprehen-
sive regime for mutual legal assistance. In paragraph 3 of article 18, it is stated that mutual legal assistance
to be afforded in accordance with that article may be requested for any of the following purposes:
(a) Taking evidence or statements from persons;
(b) Effecting service of judicial documents;
(c) Executing searches and seizures, and freezing;
(d) Examining objects and sites;
(e) Providing information, evidentiary items and expert evaluations;
(f) Providing originals or certified copies of relevant documents and records, including government,
bank, financial, corporate or business records;
(g) Identifying or tracing proceeds of crime, property, instrumentalities or other things for eviden-
tiary purposes;
(h) Facilitating the voluntary appearance of persons in the requesting State party;
(i) Any other type of assistance that is not contrary to the domestic law of the requested State party.

Mutual legal assistance can be denied for several reasons, including if one or more of the conditions for
mutual legal assistance are not met and/or compliance with the request would violate human rights obliga-
tions.401 In the absence of mutual legal assistance treaties, agreements or conventions that can be used in lieu
of such treaties and agreements, mutual legal assistance can be provided if reciprocity is guaranteed by the
requesting country.402

Apelação Criminal 5492-CE, 5a Região da TRF (2004.81.00.018889-0) (Brazil)

S.S., one of the leaders of an organized criminal group in Germany known as the Brazil Club, along with
others, O.F.G., F.C.L.O. and F.S.M., created and maintained websites (www.brasil-club.de and www.brasil-
club.com) that facilitated sex tourism. Others in the organized criminal group (O.F.G. and F.C.L.O.) also
contributed to the enterprise by recruiting victims and obtaining naked and/or sexualized images of
women for use on the websites in order to advertise the women and the services offered. As part of the
criminal activity, clients were solicited to purchase sexual services and women were recruited from
Brazil to participate in international sex tourism and offer sexual services to paying clients in Germany.
Arrangements were also made for Brazil Club’s clients in Germany to travel to Brazil to engage in
sexual activities with Brazilian women. Brazilian women were also solicited to travel to Europe to
engage in sex work. The organized criminal group also recruited some female minors.

During the investigation and prosecution of the case, S.S. could not be located by Brazilian authorities.
S.S. became aware of the criminal proceedings against him when he was in Germany. He subsequently
hired a lawyer, pleaded not guilty and argued that Brazilian courts had no jurisdiction over the case.
Under Brazilian criminal procedure, a defendant’s testimony is compulsory (with few exceptions), even
if it only concerns an affirmation to remain silent. Because S.S. was not in Brazil, a letter rogatory was
used to inform him of the criminal case and to obtain his testimony pursuant to article 368 of the Code
of Criminal Procedure of Brazil.a Ultimately, S.S. was not tried in a Brazilian court – not because Brazil
did not have jurisdiction, but because a trial in Germany would be more efficient.

401 
See, for example, article 2 of the European Convention on Mutual Assistance in Criminal Matters; article 25, paragraph 4,
of the Council of Europe Convention on Cybercrime; article 4 of the Economic Community of West African States Convention on
Mutual Assistance in Criminal Matters; UNODC Teaching Modules, Cybercrime, Module 3: legal frameworks and human rights,
“International and regional instruments”; Module 7: international cooperation against cybercrime, “Formal international cooperation
mechanisms”; and UNODC Teaching Modules, Organized Crime, Module 11: international cooperation to combat transnational
organized crime, “Mutual legal assistance”. Available at sherloc.unodc.org/cld/en/education/tertiary/index.html.
402 
See UNODC Educational Modules, Cybercrime, Module 7: international cooperation against cybercrime, “Formal interna-
tional cooperation mechanisms”; and UNODC Teaching Modules, Organized Crime, Module 11: international cooperation to combat
transnational organized crime, “Mutual legal assistance”. Available at sherloc.unodc.org/cld/en/education/tertiary/index.html.

129
DIGEST OF CASES

Apelação Criminal 5492-CE, 5a Região da TRF (2004.81.00.018889-0) (Brazil) (continued)

Like S.S., one of the defendants (O.F.G.) appealed his conviction, claiming that the websites were por-
nographic and that no international treaty existed between Brazil and Germany regarding the mainte-
nance of pornographic websites. The court of appeals rejected this claim, arguing that his conviction,
which was supported by evidence, was not for maintaining pornographic websites but for facilitating
prostitution and international trafficking in persons for the purpose of sexual exploitation.b He received
a sentence of 10 years and 6 months of imprisonment for international trafficking in persons for the
purpose of sexual exploitation and facilitating prostitution or other forms of sexual exploitation, among
other crimes. Other members of the criminal organization were sentenced for the same crimes.c

For further information about this case, see UNODC, SHERLOC case law database, Case No. BRA004.d

a
Article 368 of the Code of Criminal Procedure of Brazil holds that “If the accused is abroad, in a known place, he will be
summoned by letter rogatory…”.
b
Brazil, Tribunal Regional Federal da 5a Região, Apelação Criminal 5492-CE, 5a Região da TRF (2004.81.00.018889-0).
c
F.S.M. received a sentence of 11 years and 10 months of imprisonment for those crimes, and F.C.L.O. received a sentence
of 8 years and 9 months of imprisonment, as well as being charged with an offence relating to child sexual abuse material (see
UNODC SHERLOC case law database, Case No. BRA056. Available at https://sherloc.unodc.org/).
d
Available at https://sherloc.unodc.org/.

3. Law enforcement cooperation

Law enforcement cooperation occurs in accordance with national criminal law and criminal procedure law.
These laws enable countries to determine the scope and means of such cooperation, as well as to deny
requests for cooperation that contravene national laws.403 Regional and multilateral treaties, conventions
and agreements also enable international cooperation between law enforcement agencies. Article 27 of the
Organized Crime Convention provides for measures that facilitate cooperation, such as establishing and/or
improving police-to-police communication channels and guidance on the type of police cooperation sought
(e.g., the identity, location and activities of persons and the location of property). The manner in which this
cooperation is to occur may vary from country to country. Law enforcement cooperation may involve direct
contact between law enforcement agencies or contact through a specific designated agency. There are legal
and practical issues associated with law enforcement cooperation, including variation in national laws and
procedures regarding such cooperation and the efficiency of those channels. The purpose of this type of law
enforcement cooperation is to provide an alternative to the lengthy mutual legal assistance process.

Danmark B(R), ref. 9-3441/2015, domfældelse 14 December 2015 (Denmark)

Operation Hvepsebo (Wasp Nest case)

Operation Hvepsebo concerned an organized criminal group engaged in trafficking in persons for
the purpose of exploitation (in particular, forced labour). The male victims were recruited in
Romania. Their recruiters fraudulently advertised work in Denmark. When the Romanian victims
arrived in Denmark, however, they were exploited and forced to engage in unlawful acts, commit-
ting a wide variety of fraudulent activity online and offline. After the victims’ arrival, members of the
organized criminal group would take each victim to a municipal office to receive a Danish personal
identification number. This identification was needed for the victims to be able to legally work in

403 
UNODC, Legislative Guide for the Implementation of the United Nations Convention against Transnational Organized Crime,
p. 175.

130
 chapter VI.   Relevant procedural issues

Denmark and to pay taxes. To obtain the identification number, the victims provided their authentic
Romanian identification documents along with fake employment contracts and home addresses.
Members of the organized criminal group used the identifying information of the victims, including
their Danish personal identification numbers, to perpetrate a wide variety of illicit activities both
online and offline (credit card fraud, tax fraud, etc.), as well as to create new companies to perpe-
trate some of the illicit activities. The defendants had victims open up bank accounts and obtain
debit cards, credit cards and loans, in addition to having the victims turn over their identity docu-
ments and data to the defendants, which they used, unbeknown to the victims, to perpetrate various
forms of fraud. The defendants would accompany victims to establishments such as banks and
stores and would speak on behalf of the victims (since the victims did not know the language) and
would have the victims sign documents that they could not read and could not understand. The
victims never actually worked in the jobs they were promised. The victims were provided short-
term work assignments by the defendants or they worked for the defendants for no payment or a
very modest payment.

This case involved three members of the group. For the crimes perpetrated by the three defend-
ants, their sentences ranged from 3 to 8 years of imprisonment. These defendants were not Danish
citizens and were deported from Denmark and banned from re-entering the country.

This case highlights successful cross-border police cooperation in a case involving cyber organized
crime. In addition to showing the successful cooperation between law enforcement agencies in
two countries (Denmark and Romania), this case involved the creation of a multidisciplinary
team that worked together on the case. The team included a Danish non-governmental organiza-
tion (the Centre against Human Trafficking), the Danish Immigration Service and a tax agency
(Skattestyrelsen), as well as police and prosecutors from Denmark and Romania.

4. Joint investigations
Another form of international cooperation is a joint investigation. Agreements or arrangements between
countries are made to enable and facilitate the creation of joint investigative bodies.404 When these agree-
ments and arrangements are absent, joint investigations may be conducted on a case-by-case basis.405
The Legislative Guide for the Implementation of the United Nations Convention against Transnational
Organized Crime includes two models for joint investigations:
(a) The first model identified consists of parallel, coordinated investigations with a common goal,
assisted by a liaison officer network or through personal contacts and supplemented by formal mutual legal
assistance requests in order to obtain evidence. The officials involved may be “non-co-located” and be able
to work jointly on the basis of long-standing cooperative practices and/or existing mutual legal assistance
legislation depending on the nature of the legal systems or systems involved;
(b) The second model consists of integrated joint investigation teams with officers from at least two
jurisdictions. These teams can be further divided and characterized as either passive or active. An example
of a passively integrated team would be the situation where a foreign law enforcement officer is integrated
with officers from the host State in an advisory or consultancy role or in a supportive role based on the
provision of technical assistance to the host state. An actively integrated team would include officers from
at least two jurisdictions with the ability to exercise operational powers (equivalent or at least some powers)
under host State control in the territory or jurisdiction where the team is operating.406

404 
See article 19 of the Organized Crime Convention.
405 
Ibid.
406
UNODC, Legislative Guide for the Implementation of the United Nations Convention against Transnational Organized Crime,
para. 596. For further information, see UNODC, Model Legislative Provisions against Organized Crime (Vienna, 2012), pp. 87–93.

131
DIGEST OF CASES

There are certain legal and practical issues associated with joint investigations, including trust between law
enforcement agencies, differing criminal procedural issues and rules of evidence, and/or the absence of
agreement on organization, roles, responsibilities, leads and supervision in the joint investigation and/or
mechanisms for resolving conflicts.407

United States of America v. Bryan Connor Herrell, Case No. 1:17 CR00301
(E.D. California, 2 September 2020) and United States of America v. Ronald L.
Wheeler III, Case No. 1:17-CR-377 (N.D. Georgia, 15 November 2017)
(United States of America)

AlphaBay (darknet site)

AlphaBay operated as a criminal enterprise with “employees” serving as security administrators,
moderators, public relations specialists and scam watchers (whose primary duty was to identify
and remove fraudulent listings). “Employees” received their salaries in bitcoin. AlphaBay employ-
ees have been identified and prosecuted for their crimes. For example, B.C.H., a moderator for the
site, settled disputes between buyers and vendors on AlphaBay.a He pleaded guilty to conspiracy to
engage in a racketeer-influenced corrupt organization, receiving a sentence of 132 months’ impris-
onment.b In addition, R.L.W. III, who served as a public relations specialist for AlphaBay, not only on
the darknet site but also on the clearnet, in an AlphaBay online community on a well-known social
media website.c He was charged with and pleaded guilty to conspiracy to commit access device
fraud. For his crime, he received a sentence of 3 years and 10 months of imprisonment and 3 years
of supervised release.d

AlphaBay and another major darknet market, Hansa Market, were shut down following a joint
investigation involving the FBI, the Drug Enforcement Administration of the United States, the
national police of the Netherlands and other European law enforcement agencies acting through
Europol.e The national police of the Netherlands had taken over Hansa Market and had monitored
and run the site unbeknown to the users, enabling the police to identify users and disrupt illicit
activity on the site. AlphaBay was shut down while the national police were running Hansa Market.
The coordinated shutting down of AlphaBay enabled the national police to obtain information iden-
tifying the users from AlphaBay who had joined Hansa. Once that information was collected, Hansa
Market was shut down and its seizure by law enforcement agencies was made public.

For more information on this case, see UNODC, SHERLOC case law database, Case No. USAx191.f

a
United States District Court, Eastern District of California, United States of America v. Bryan Connor Herrell, Case No. 1:17-
CR00301, Indictment, 2 September 2020.
b
Ibid.; United States Attorney’s Office, Eastern District of California, “Colorado man pleads guilty to racketeering charges
related to darknet marketplace AlphaBay”, press release, 28 January 2020.
c
United States District Court, Northern District of Georgia, United States of America v. Ronald L. Wheeler III, Case No. 1:17-
CR-377, Criminal Information, 15 November 2017.
d
United States Attorney’s Office, Northern District of Georgia, “AlphaBay spokesperson sentenced to federal prison”, press
release, 1 August 2018.
e
Europol, “Massive blow to criminal dark web activities after globally coordinated operation”, press release, 20 July 2017.
f
Available at https://sherloc.unodc.org/.

407
UNODC, Legislative Guide for the Implementation of the United Nations Convention against Transnational Organized Crime,
para. 597.

132
CHAPTER VII. 
CONCLUSIONS AND
LESSONS LEARNED
DIGEST OF CASES

VII.  CONCLUSIONS AND LESSONS LEARNED

The present digest shows how criminal justice systems throughout the world have responded to cyber
organized crime by analysing concluded judicial decisions from more than 20 jurisdictions. The research
for this digest predominantly involved a review of primary sources, supplemented by secondary sources.
The cases referred to in the digest are not the only ones that concern the subject of this digest. The cases
included were chosen because of (a) their relevance; (b) the substantive and procedural elements of cyber
organized crime that were covered; and (c) the need to ensure that a variety of jurisdictions were repre-
sented in the digest. Accordingly, the findings of this digest are not generalizable because the cases included
in the digest cannot be considered a representative sample of all cases involving cyber organized crime in
all countries. Nevertheless, the cases included in the digest may help to shed some light on a largely
unknown and understudied form of cybercrime. This last chapter provides concluding remarks and lessons
learned from the cases analysed in the digest.
Overall, cases of cyber organized crime were not easily identifiable across jurisdictions. The identification
of such cases is challenging because the cases are not recorded as cyber organized crime and perpetrators
of these crimes may not be charged with and/or convicted of organized crime and/or participation in an
organized criminal group. Research on cyber organized crime is thus hampered by the fact that the concept
of cyber organized crime is not frequently deployed in such cases, making the cases harder to identify and
analyse. Although the cases included in this digest were not prosecuted and adjudicated as cyber organized
crime, they were identified as a form of cyber organized crime through a careful, time-consuming review of
court documents. The language limitations of the researchers and drafters working on the digest represented
a challenge to efforts to identify cases of cyber organized crime. An additional challenge was the lack of
access to publicly available court documents in many jurisdictions.
While the digest predominantly includes cases that involved participation in an organized criminal group,
there were some cases where cybercrime was perpetrated by an organized criminal group that operated
exclusively online, operated both online and offline, or utilized only the Internet and digital devices to facil-
itate the crimes. To a lesser extent, there were cases that met the definition of cyber organized crime but the
court documents mentioned neither an organized criminal group nor participation in an organized criminal
group in the analysis of the cybercrimes.
Most of the court documents analysed for this digest did not provide enough information to determine the
structure of cyber organized criminal groups, particularly whether such groups could be classified as
swarms, hubs, clustered hybrids and/or extended hybrids. The most difficult structure to identify in the
court documents was a swarm. More information is needed about the structure of cyber organized criminal
groups and even the roles of individuals within those groups.408 When available, critical procedural infor-
mation relating to the investigation and prosecution of cyber organized crime was also found in affidavits,
criminal information, complaints and indictments, as well as in requests for extradition. Information about
the gender dimensions of cyber organized crime was also limited and was largely based on the cases of
cyber organized crime that were identified. The information provided in this digest about the gender dimen-
sions of cyber organized criminal groups and cyber organized crime are not generalizable. Gender informa-
tion about victims was not often identified in the court documents of the cases in the digest, exceptions
being the cases that involved child sexual exploitation and abuse, trafficking in persons and, to a lesser
extent, romance scams and sextortion.
It would be useful to receive such information about the structures and organization of cyber organized
criminal groups and the roles of individuals within those groups, as well as the gender of participants in
cyber organized crime and victims of cyber organized crime, from criminal justice professionals through
court documents. This information would enable the identification of trends and patterns that could be
shared with criminal justice agencies around the world to help them improve their efforts to detect, investi-
gate, prosecute and adjudicate cyber organized criminal groups and those who participate in cyber organ-
ized crime. This information would also provide criminal justice professionals with a better understanding

The limited information that was identifiable about the structure and roles of cyber organized criminal groups were primarily
408 

(but not exclusively) found in United States court documents (i.e., criminal complaints and indictments).

134
 chapter VII.   Conclusions and lessons learned

of cyber organized criminal groups, their tactics, targets, techniques, tools, members, associates and meth-
ods of operation, as well as the ways in which these groups evolve in response to countermeasures.
In the cases included in this digest, variations were observed with respect to sentences for similar offences
across and even within jurisdictions. These variations were also observed between different offences.
A case in point were sentences for offences relating to child sexual exploitation and abuse. In some juris-
dictions the penalties were quite severe, while in others the penalties were low, depending on the type of
offences involving child sexual exploitation and abuse.409 Moreover, in one jurisdiction, perpetrators of a
romance scam received a more severe penalty than perpetrators of child sexual exploitation and abuse, both
within the country and outside of that country.
Furthermore, the cases in this digest revealed that international cooperation, harmonized approaches to the
investigation and prosecution of cyber organized crime, as well as the existence of sufficient national
human, technical and economic resource capacities to investigate and prosecute cyber organized crime,
played a critical role in the successful adjudication of cyber organized crime. In view of that, attention needs
to be paid to the deficit in national capacities to investigate, prosecute and adjudicate cyber organized crime.
This would enable more jurisdictions to take a leading role in prosecuting offences involving cyber organ-
ized crime.
Ultimately, the findings of the digest illustrate the need to harmonize approaches with respect to the collec-
tion and recording of information relating to cyber organized crime in court and other documents across
jurisdictions, as well as the need to train criminal justice professionals on cyber organized crime and the
ways to successfully detect, investigate, prosecute and adjudicate cyber organized crime, cyber organized
criminal groups and participation in cyber organized crime. It is hoped that the digest will lead to the col-
lection and recording of information and the training of criminal justice professionals on cyber organized
crime, as well as future research on cyber organized crime, which will help to inform policymakers and
other stakeholders regarding the courses of action to be taken to reduce, control, prevent and/or mitigate this
form of cybercrime.

409 
See, for example, Argentina, Tribunal Oral Federal de Jujuy, Causa FSA 8398/2014/TO1; Costa Rica, Tribunal Penal del Tercer
Circuito Judicial de San José, Causa penal número 15-001824-0057-PE & Causa Penal número 19-000031-0532-PE (Operación
R-INO); Canada, R v. Philip Michael Chicoine [2017] S.J. No. 557, 2017 SKPC 87; United States of America v. Caleb Young, Case
No. 18-20128, 11 May 2018; United States of America v. Dylan Heatherly, No. 19-2424 and United States of America v. William
Staples, No. 19-2932; United States of America v. John Doe #1, Edward Odewaldt, et al., Case No. 10-CR-00319, 16 March 2011;
Republic of Korea, Seoul Central District Court (Criminal Department I-I), 2018NO2855, 2 May 2019 (Welcome to video); Australia,
R v. Mara [2009] QCA 208; Germany, LG Limburg, Urteil vom 07.03.2019, 1 KLs – 3 Js 73019/18.

135
ANNEX
DIGEST OF CASES

ANNEX

List of cases involving cyber organized crime

Argentina
“CARUSO SOTILLO, Saddam José y otra p.ss.aa. Asociación ilícita, etc” SAC 7073076
“Cicala Iván Maciel y otros p. ss. aa. de organización y explotación de juegos de azar sin autorización”
(SAC 9814642)
Juzgado En Lo Correccional Nº 1 – San Isidro, Case No. SI-3862-2021
Poder Judicial de Córdoba – “Emiliozzi, Arturo Osvaildo y otros PSSAA Estafa, etc.”
– Expediente SAC No. 2654377
Tribunal Oral Federal de Jujuy, Causa FSA 8398/2014/TO1

Australia
Hew Raymond Griffiths v. United States of America, 143 FCR 182 (2005), 2005 WL 572006
R v. Mara [2009] QCA 208

Belgium
Tribunal correctionnel d’Anvers, Antwerpen, 2 mai 2016

Brazil
Apelação Criminal 5492-CE, 5a Região da TRF (2004.81.00.018889-0)

Canada
R v. Kalonji, 2019 ONCJ 341
R v. Philip Michael Chicoine [2017] S.J. No. 557, 2017 SKPC 87
R v. Pitts, 2016 NSCA 78
R v. Vachon-Desjardins, 2022 ONCJ 43

Chile
Fiscalía Metropolitana Sur, Chile. Rol Único de Causa No.1700623543-3 (Zares de la Web)

China
Hong Kong
HKSAR v. Chan Pau Chi [2019] HKEC 1549

Costa Rica
Tribunal Penal del Tercer Circuito Judicial de San José, Causa penal número 15-001824-0057-PE &
Causa Penal número 19-000031-0532-PE (Operación R-INO)

Czechia
ÚS 530/18 ze dne 27. 3. 2018

Denmark
Danmark B(R), ref. 9-3441/2015, domfældelse 14 December 2015

138
 annex

Dominican Republic
Segundo Juzgado de Instrucción del Distrito Nacional – Proceso No. 058-13-00719
Segundo Tribunal Colegiado De la Cámara Penal del Juzgado de Primera Instancia del Distrito Nacional,
Sentencia penal núm. 249-04-2021-SSEN-00225

El Salvador
Tribunal de Sentencia de Santa Tecla, 139-1U-2018

Fiji
State v. Naidu et al [2018] FJHC 873

France
Cour de cassation, chambre criminelle, 21 mars 2012, 11-84437
TGI Lille, 7e ch. corr., jugement du 29 janvier 2004
Tribunal de grande instance de La Roche-sur-Yon, 24 septembre 2007
Tribunal de grande instance de Paris, 13e chambre correctionnelle, 20 novembre 2018

Germany
BGH, Beschluss vom 06.07.2010, 4 StR 555/09
BGH, Beschluss vom 19.04.2011, 3 StR 230/10
BGH, Beschluss vom 31.05.2012, 2 StR 74/12
BGH, Beschluss vom 30.08.2016, 4 StR 194/16
BGH, Beschluss vom 15.01.2020, 2 StR 321/19
LG Bonn, Urteil vom 07.07.2009, 7 KLs 01/09
LG Duisburg, Urteil vom 05.04.2017, 33 KLs – 111 Js 32/16 – 8/16
LG Hamburg, Urteil vom 21.03.2012, 608 KLs 8/11
LG Karlsruhe, Urteil vom 19.12.2018, 4 KLs 608 Js 19580/17
LG Leipzig, Urteil vom 14.06.2012, 11 KLs 390 Js 191/11
LG Limburg, Urteil vom 07.03.2019, 1 KLs - 3 Js 73019/18
LG München, Urteil vom 07.06.2017, 19 KLs 30 Js 18/15

Ghana
Republic v. Mohammed Libabatu, Charles Mensah & Nurudeen Alhassan (2016)
Republic v. Michael Asamoah &Anthony Ogunsanwo Olawole (2019)

India
Rajesh and others v. State of Rajasthan, Division Bench Appeal No. 178, 122 and 123 / 2016
State of Maharashtra v. Opara Chilezien Joseph

Italy
Cassazione penale, sezione III, 12 Febbraio 2004, No. 8296, & Tribunale di Siracusa,
19 Luglio 2012, No. 229
Cass., 31 Marzo 2017, No. 43305
Cassazione penale, sezione VI, sentenza No. 11356, 8 Novembre 2017
Cassazione penale, sezione feriale, sentenza No. 50620, 12 Settembre 2013

139
DIGEST OF CASES

Mexico
Tribunal de Enjuiciamiento del Distrito Judicial Morelos – número de juicio 38/2020

Nigeria
Federal Republic of Nigeria v. Harrison Odiawa, Suit No ID/127c/2004

Philippines
Regional Trial Court of Misamis Oriental, 10th Judicial Region, Branch 41, CRIM Case No. 2009-337

Republic of Korea
Seoul Central District Court (Criminal Department I-I), 2 May 2019, 2018NO2855

Rwanda
IKIZA RY’ URUBANZA RP/ECON 00002/2020/TGI/GSBO (Forkbombo)

Samoa
Police v. Zhong [2017] WSDC 7

Senegal
Tribunal de grande instance hors classe de Dakar, 14 janvier 2020, 38/2020

Seychelles
R v ML & Ors Cr S 63/19 (2020)

Singapore
Public Prosecutor v. Law Aik Meng [2006] SGDC 243

Uganda
Gachev & Ors v. Uganda (Criminal Appeal 155 of 2013) [2016] UGHCCRD 4 (16 July 2016)
Uganda v. Ssentongo & 4 Ors (Criminal Session Case 123 of 2012) [2017] UGHCACD 1 (14 February
2017)
Uganda v. Sserunkuma & 8 Ors (HCT-00-CR-SC 15 of 2013) [2015] UGHCACD 4 (27 April 2015)
Uganda v. Nsubuga & 3 Ors (HCT-00-AC-SC 84 of 2012) [2013] UGHCACD 12 (3 April 2013)

United Kingdom of Great Britain and Northern Ireland

England and Wales
Regina v. Nicholas Webber [2011] EWCA Crim 3135
Regina v. Sunday Asekomhe [2010] EWCA Crim 740
Regina v. Reece Baker and Sahil Rafiq [2016] EWCA Crim 1637, 2016 WL 06476265
Regina v. Jake Levene, Mandy Christopher Lowther, Lee Childs (2017), Crown Court Leeds, T20177358
Regina v. Ionut Emanuel Leahu [2018] EWCA 1064
Regina v. Bradley David Rogers, Colin Martin Samuels, Geraldine French, Mark Julian Bell [2014]
EWCA Crim 1680

Northern Ireland
Queen v. Paul Mahoney [2016] NICA 27, 2016 WL 03506240.

140
 annex

United States of America

United States of America v. Brandon Arias, Case No. 18-CR-30141-NJR-2 (S.D. Illinois, 16 July 2019)
United States of America v. Oladimeji Seun Ayelotan, Femi Alexander Mewase, and Rasaq Aderoju
Raheem, Case No. 17-60397 (5th Circuit, 4 March 2019)
United States of America v. Silviu Catalin Balaci, Case No. 19-877 (D. New Jersey, 2017)
United States of America v. Ramiro Ramirez-Barreti et al., Case No. 4:19-cr-47 (E.D. Virginia, 14 August
2019)
United States of America v. Su Bin, Case No. SA CR 14-131 (C.D. California 2016)
United States of America v. Svyatoslav Bondarenko et al., Case No. 2:17- CR -306-JCIVI-PAL
(D. Nevada, 30 January 2018)
United States of America v. David Lynn Browing, Case No. 5:15 CR 15-RLV (W.D. North Carolina,
10 December 2015)
United States of America v. Aleksei Yurievich Burkov, Case No. 1:15-CR-245 (E.D. Virginia, 4 February
2016)
United States of America v. Anthony Blane Byrnes, Case No. 3:20-CR-192 (W.D.N.C. 2020)
United States of America v. Steven W. Chase, Case No. 5:15-CR-00015 (W.D. North Carolina, 8 May 2017)
United States of America v. Valerian Chiochiu, 2019 U.S. Dist. LEXIS 133555 (D. Nevada, 10 April 2019)
United States of America v. Jael Mejia Collado, et al., Case No. 13 CR 259 (KAM) (E.D. New York,
May 2013)
United States of America v. Dennis Collins et al., Case No. 11-CR-00471-DLJ (PSG) (N.D. California,
16 March 2012)
United States of America v. Conor Freeman, Case No. 2:19-CR-20246 (E.D. Michigan, 18 April 2019)
United States of America v. Gary Davis, Case No. 1:13-CR-950-2 (S.D. New York, 26 July 2019)
United States of America v. David Paul Dempsey and Edgar Jermaine Hosey, Case No. 2:18-CR-1022
(D. South Carolina, 14 November 2018)
United States of America v. John Doe #1, Edward Odewaldt, et al., Case No. 10-CR-00319,
(W.D. Louisiana, 16 March 2011)
United States of America v. Jimmy Dunbar, Jr., and Mitchlene Padgett, Case No. 2:18-CR-1023
(D. South Carolina, 14 November 2018
United States of America v. E-Gold Limited, Criminal Action No. 07-109 (RMC) (D.D.C., 20 July 2007)
United States of America v Brian Richard Farrell, Case No. 2:15-CR-29-RAJ (W.D. Washington,
17 January 2015)
United States of America v. Carl Allen Ferrer, Case No. 18 Cr. 464 (D. Arizona, 5 April 2018)
United States of America v. Ercan Findikoglu, Case No. 1:13-CR-00440 (E.D. New York, 24 June 2015)
United States of America v. Michael Fluckiger, Case No. 5:15 CR 15-RLV (W.D. North Carolina,
24 November 2015)
United States of America v. Matthew Brent Goettsche, Russ Albert Medlin, Jobadiah Sinclair Weeks, Joseph
Frank Abel, and Silviu Catalin Balaci, Case No. 19-CR-877-CCC (D. New Jersey, 5 December 2019)
United States of America v. Martin Gottesfeld, 319 F. Supp. 3d 548 (D. Mass. 2018)
United States of America v. Larry Dean Harmon, Case No. 19-CR-00395 (D.D.C. 2019)
United States of America v. Dylan Heatherly, Case No. 19-2424 (3d Circuit 2020)
United States of America v. Bryan Connor Herrell, Case No. 1:17 CR00301 (E.D. California, 2 September
2020)
United States of America v. Cristian Hirales-Morales, Marcos Julian Romero and Sergio Anthony
Santivanez, Case No. 19-CR-4089DMS, Indictment (S.D. California, 10 October 2019)
United States of America v. Fedir Oleksiyovych Hladyr, Case No. CRl7-276RSL (W.D. Washington,
25 January 2018)
United States of America v. Alexandru Ion, Case No. 5:18-CR-81-REW-MAS-6 (E.D. Kentucky,
10 October 2019)
United States of America v. Aleksey Vladimirovich Ivanov, 175 F. Supp. 2d 367 (2001)

141
DIGEST OF CASES

United States of America v. Paras Jha, Case No. 3:17-CR-00164 (D. Alaska, 5 December 2017)
United States of America v. Ijaz Khan, Case No. 17-4301 (4th Circuit 2018)
United States of America v. Alexander Konovolov et al., Case No. 2-19-CR-00104 (W.D. Pennsylvania,
17 April 2019)
United States of America v. Michael Lacey, James Larkin, Scott Spear, John “Jed” Brunst, Dan Hyer,
Andrew Padilla and Joye Vaught, 18 Cr. 422 (D. Arizona, 28 May 2018)
United States of America v. Liberty Reserve, Case No. 13-CR-368 (DLC) (S.D. New York, 23 September
2015)
United States of America v. Salvatore Locascio et al., 357 F. Supp. 2d 536 (2004)
United States of America v. Andrew Mantovani et al., Case No. 2:04-CR-0078 (D. New Jersey, 28 October
2004)
United States of America v. Eric Eoin Marques, Case No. TDC-19-200 (D. Maryland, 28 January 2020)
United States of America v. Hidalgo Marchan, Case No 1:15-CR-20471 (S.D. Florida, 23 June 2015)
United States of America v. Antwine Lamar Matthews, Malcolm Cooper, Andreika Mouzon, and Flossie
Brockington. Cr. No. 2:18-1024 (D. South Carolina, 14 November 2018)
United States of America v. Bogdan Nicolescu, Tiberiu Danet, and Radu Miclaus, Case No. 1:16-CR-00224
(N.D. Ohio, 8 July 2016)
United States of America v. Nienadov, No. 4:19 CR-365 (S.D. Tex. Mar. 29, 2021)
United States of America v. Yevgeni Nikulin, Case No. 16-CR-0440-WHA (U.S. District Court of Northern
California, 20 October 2016).
United States of America v. Adeyemi Odufuye and Stanley Hugochukwu, Case No. 3:16R232 (JCH),
Indictment (D. Connecticut, 20 December 2016)
United States of America v. Obinwanne Okeke, Case No. 4:19-mj-00116 (E.D. Virginia, 2 August 2019)
United States of America v. Beniamin-Filip Ologeanu, Case No. 5:19-CR-10, Superseding Indictment
(E.D. Kentucky, 6 February 2019)
United States of America v. Rakeem Spivey and Roselyn Pratt, Case No. 2:18-cr-0018 (D. South Carolina,
14 November 2018)
United States of America v. Vincent Ramos et al., Case No. 3:18-CR-01404-WQH (S.D. California,
15 March 2018)
United States of America v. Daniel Palacios Rodríguez, Alexandra Guzmán-Beato, Elvis Pichardo
Hernández, José David Reyes- González, Juan Rufino Martínez-Domínguez, and Fátima Ventura Pérez,
Case No. 1:19-MJ-286 (E.D. Virginia, 24 June 2019)
United States of America v. Aleksandr Andreevich Panin and Hamza Bendelladj, Case No. 1:11-CR-0557-
AT-AJB (N.D. Georgia, 26 June 2013)
United States of America v. Melissa Scanlan, Case No. 18-CR-30141-NJR-1 & Case No. 19-CR-30154-
NJR-1 (S.D. Illinois, 20 October 2019)
United States of America v. Aaron Michael Shamo, Drew Wilson Crandall, Alexandrya Marie Tonge,
Katherine Lauren Anne Bustin, Mario Anthony Noble, and Sean Michael Gygi, Case No.
2:16-CR-00631-DAK (D. Utah, 31 May 2017)
United States of America v. William Staples, Case No. 19-2932 (3d Circuit 2020)
United States of America v. Andre-Catalin Stoica et al., Case No. 5-18-CR-81-JMH (E.D. Kentucky,
5 July 2018)
United States of America v. Kristjan Thorkelson, Case No. 14-CR-27-BU-DLC (D. Mont., 10 December
2018)
United States of America v. Vladimir Tsastsin, Andrey Taame, Timur Gerassimenko, Dmitri Jegorov, Valeri
Aleksejev, Konstantin Poltev, and Anton Ivanov, Case No. 1:11-CR-00878 (S. D. New York, 14 October
2011)
United States of America v. Ross William Ulbricht, Case No. 15-1815 (2d Circuit 2017)
United States of America v. Sergiy Petrovich Usatyuk, Case No. 5:18-CR-00461-BO (E.D. North Carolina,
15 November 2018).
United States of America v. Joshua Aaron Vallance, Case No. 20 Cr. 08 (E.D. Kentucky, 28 May 2020)

142
 annex

United States of America v. Gal Vallerius, 2018 U.S. Dist. LEXIS 85620
United States of America v. Ronald L. Wheeler III, Case No. 1:17-CR-377 (N.D. Georgia, 15 November
2017)
United States of America v. Wendell Wilkins, Jalisa Thompson, Tiffany Reed, Brandon Thompson and
Laben McCoy, Case No. 2-18-CR-101 (D. South Carolina, 14 November 2018)
United States of America v. Nathan Wyatt, Case No. 4:17CR00522 RLW/SPM (E.D. Missouri,
8 November 2017)
United States of America v. Eoin Ling Churn Yeng and Gal Vin Yeo Siang Ann, Case No. 3:16 CR 00090
(D. Oregon, 23 February 2016)
United States of America v. Caleb Young, Case No. 18-20128 (E.D. Michigan, 11 May 2018)
United States of America v. Tal Prihar and Michael Phan, Case No. 2-19-CR-00115-DWA
(W.D. Pennsylvania, 24 April 2019)

143
 Vienna International Centre, P.O. Box 500, 1400 Vienna, Austria
Tel.: (+43-1) 26060-0, Fax: (+43-1) 263-3389, www.unodc.org
2210875