DOJ Cybercrime Unit: Investigations and Federal Statutes
The Department of Justice's cybercrime enforcement infrastructure spans multiple divisions, dedicated units, and a layered set of federal statutes that together define how digital crimes are identified, investigated, and prosecuted in the United States. This page covers the organizational structure of DOJ cybercrime enforcement, the statutory authorities that underpin it, the categories of conduct that trigger federal involvement, and the boundaries that distinguish federal cybercrime jurisdiction from state or civil remedies. Understanding this framework matters because miscategorization of a cyber incident — as a civil dispute rather than a federal crime, or as a state offense rather than a federal one — can determine whether federal investigative resources are ever deployed.
Definition and scope
The DOJ's primary cybercrime enforcement authority is housed within the Criminal Division's Computer Crime and Intellectual Property Section (CCIPS), which began as the Computer Crime Unit in 1991 and was formalized as a permanent section in 1996. CCIPS attorneys work alongside FBI cyber squads and, in cases with national security dimensions, coordinate with the National Security Division. The Federal Bureau of Investigation is the principal investigative agency for federal cybercrime and maintains a cyber task force in each of its 56 field offices.
The core statutory framework includes:
- Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030 — the primary federal anti-hacking statute, criminalizing unauthorized access to, and damage of, protected computers. Penalties range from a misdemeanor for simple unauthorized access under § 1030(a)(2) to felony terms of up to 10 years for a first damage offense under § 1030(a)(5)(A), 20 years for repeat offenses or where the offense causes serious bodily injury, and up to life where it causes death (18 U.S.C. § 1030(c); DOJ CCIPS, Prosecuting Computer Crimes Manual).
- Electronic Communications Privacy Act (ECPA) — three titles: the Wiretap Act, 18 U.S.C. §§ 2510–2523, governing real-time interception of wire, oral, and electronic communications; the Stored Communications Act, 18 U.S.C. §§ 2701–2712, governing access to stored communications and the legal process a provider must receive before disclosing them; and the pen register and trap-and-trace statute, 18 U.S.C. §§ 3121–3127, governing collection of non-content routing data. Together they establish both criminal liability for unlawful interception or access and the standards under which law enforcement may compel disclosure.
- Identity Theft Enforcement and Restitution Act of 2008 — amended the CFAA to add conspiracy liability (§ 1030(b)), criminal forfeiture and restitution provisions, and an expanded extortion offense under § 1030(a)(7), and broadened "protected computer" to systems "affecting" interstate or foreign commerce. It did not create the $5,000 figure: aggregate loss of at least $5,000 in a one-year period, with "loss" defined at 18 U.S.C. § 1030(e)(11), remains the factor that most often elevates a damage offense to a felony and supports a civil suit, but the 2008 Act removed the requirement that this threshold be met before any § 1030(a)(5) prosecution at all.
- Wire Fraud Statute, 18 U.S.C. § 1343 — frequently charged in conjunction with CFAA violations when cyber intrusions are used to facilitate financial crimes, carrying a maximum 20-year sentence per count.
- Economic Espionage Act, 18 U.S.C. §§ 1831–1839 — § 1831 covers trade secret theft intended to benefit a foreign government, instrumentality, or agent, while § 1832 criminalizes trade secret theft for economic benefit regardless of any foreign nexus; the Defend Trade Secrets Act of 2016 added a federal civil cause of action at § 1836.
The CFAA's definition of "protected computer" (18 U.S.C. § 1030(e)(2)) covers any computer used in or affecting interstate or foreign commerce, as well as computers used by financial institutions or the U.S. government, a scope that reaches virtually every internet-connected device. The statute's reach is bounded on the other side by Van Buren v. United States (2021), in which the Supreme Court held that a user "exceeds authorized access" only by entering areas of a system that are off-limits to them, not by misusing information they were entitled to retrieve. For practitioners, the DOJ's May 2022 CFAA charging policy is the key operational caveat: it directs prosecutors not to charge good-faith security research, meaning testing conducted in a manner designed to avoid harm and with the aim of promoting the security of the system. That policy is an instruction on prosecutorial discretion, not a statutory defense, and it does not bind civil plaintiffs or state prosecutors.
How it works
Federal cybercrime investigations follow the same general architecture as other federal prosecutions, with adjustments for the technical complexity of digital evidence. Investigations typically begin through one of three channels: a victim report to an FBI field office or the Internet Crime Complaint Center (IC3), intelligence developed by federal agencies independently, or referrals from foreign law enforcement through mutual legal assistance treaty (MLAT) processes.
Once an investigation opens, FBI cyber agents and CCIPS prosecutors work in parallel — agents gather evidence under court-authorized legal process while prosecutors assess charging viability under applicable statutes. Digital evidence collection requires compliance with the Fourth Amendment's warrant requirements as interpreted in cases such as United States v. Warshak (6th Cir. 2010), which extended Fourth Amendment protection to email content stored with third-party providers.
The federal grand jury process is central to cybercrime prosecutions, but what a given instrument can compel from an electronic service provider is set by the Stored Communications Act, 18 U.S.C. § 2703, on a sliding scale. A grand jury or administrative subpoena reaches basic subscriber information such as name, address, session times and durations, and temporarily assigned network addresses; a court order under § 2703(d), issued on a showing of specific and articulable facts, reaches other non-content records and logs; and stored content requires a search warrant based on probable cause, which has been DOJ's uniform practice for email content since Warshak. For real-time interception of content, a Title III wiretap order under 18 U.S.C. § 2518 requires prior approval from a senior DOJ official under § 2516 and judicial authorization on a showing of probable cause plus necessity, meaning that ordinary investigative techniques have been tried and failed or reasonably appear unlikely to succeed, together with minimization and a 30-day limit per order. This is a deliberately higher standard than that for an ordinary search warrant.
Charging decisions in cybercrime matters weigh the severity of intrusion, the identifiability and location of the perpetrator, the adequacy of the evidence for trial, and whether civil remedies or deferred prosecution agreements might better serve enforcement goals — particularly in cases involving corporate defendants.
Common scenarios
Federal cybercrime enforcement concentrates on four primary scenario categories:
Network intrusions and ransomware — Unauthorized access to corporate, government, or critical infrastructure networks, including deployment of ransomware for financial extortion. The FBI's IC3 reported ransomware losses to U.S. victims exceeding $59.6 million in its 2023 Internet Crime Report, a figure that substantially undercounts actual losses due to underreporting (FBI IC3 2023 Internet Crime Report).
Business email compromise (BEC) — Fraudulent takeover or spoofing of business email accounts to redirect financial transfers. IC3 data from 2023 places adjusted BEC losses at over $2.9 billion, second only to investment fraud among the loss categories the FBI tracks (FBI IC3 2023 Internet Crime Report).
State-sponsored intrusions and economic espionage — Intrusions attributed to foreign state actors targeting defense contractors, research institutions, or government systems. These cases frequently involve concurrent National Security Division involvement and may proceed through indictment even when extradition is not anticipated, as a matter of public attribution policy.
Child sexual exploitation material (CSAM) and online enticement — Prosecuted under 18 U.S.C. §§ 2251–2260A for production, distribution, and possession of CSAM and under 18 U.S.C. § 2422(b) for online enticement of a minor, these cases are investigated jointly by the FBI and the Internet Crimes Against Children (ICAC) task force network, which coordinates across state and local law enforcement through 61 task forces nationwide (OJJDP ICAC Program).
Decision boundaries
Not every cyber incident qualifies for federal prosecution. DOJ applies structured criteria drawn from the Justice Manual and CCIPS practice to determine whether to proceed federally, decline, or refer to state authorities.
Federal vs. state jurisdiction — The CFAA requires that the targeted system qualify as a "protected computer." Purely intrastate incidents involving systems with no interstate commerce nexus — an increasingly rare scenario — may fall outside CFAA jurisdiction and remain with state prosecutors. All 50 states maintain independent computer crime statutes.
Criminal vs. civil CFAA claims — The CFAA contains both criminal and civil provisions. Private parties may sue under 18 U.S.C. § 1030(g), but only for conduct involving one of the factors listed in § 1030(c)(4)(A)(i), most commonly aggregate loss of at least $5,000 in a one-year period, and the action must be brought within two years of the act or of discovery of the damage. DOJ does not take positions in private civil CFAA litigation as a matter of course.
Individual vs. corporate charging — The Criminal Division's Corporate Enforcement and Voluntary Self-Disclosure Policy shapes decisions when a cybercrime (such as insider theft of trade secrets) involves both individual bad actors and a corporate entity. Corporations that self-report, cooperate fully, and remediate may receive a declination or a deferred prosecution agreement; individual perpetrators face an independent charging analysis.
Declination factors — DOJ may issue a declination letter when evidence is insufficient for proof beyond a reasonable doubt, the perpetrator is located in a non-extradition country with no realistic prospect of custody, or when the conduct is more appropriately addressed through civil enforcement, regulatory action, or referral to the DOJ's Civil Division.