Massive Reduction in FBI Cyber Crime Takedowns Was Result of Definition Change

Zsolt Biczo/

Stricter guidelines on what counts as a disruption or dismantlement led to a 10X reduction.

An apparent steep decline in FBI takedowns of cybercrime rings was the result of a change in how the bureau collects cybercrime statistics, a spokeswoman told Nextgov.

The official tally of FBI cybercrime takedowns dropped from nearly 2,500 in fiscal year 2014, the first year reliable records were kept, to just 262 in fiscal year 2017, according to annual audits.

Agents disrupted or dismantled 510 cyber crime operations in fiscal year 2015 and 259 operations in fiscal year 2016, according to the audits.

That sharp reduction “was the result of the FBI changing the definitions of what constituted a disruption or dismantlement,” Spokeswoman Jillian Stickels said.

“The change was made to ensure that investigative activity was consistently measured across all field offices,” Stickels said.  

The change, according to a person familiar with the methodology, was that some FBI field offices previously tallied disruptions and dismantlements based on the number of victims rather than the number of perpetrators.

So, depending on which office was doing the counting, a major botnet takedown could count as dozens or hundreds of dismantlements -- based on the number of victim computers – or just one – based on the single botnet operator.

A botnet is basically a large mass of computing power that’s been stolen, byte by byte, from hundreds or thousands of infected computers and other internet-connected devices around the world. Botnet operators sell that computing juice to the highest bidder who can use it to force adversaries or political opponents offline.

Beginning in 2015, the FBI clarified its methodology so all field offices counted takedowns consistently, the person familiar with the matter said.

The FBI previously declined to comment on the reduction in an earlier Nextgov story.

The perpetrator-based measurement allows for more consistency but might also be less reflective of FBI cyber activities.

The Avalanche botnet takedown in December, 2016, for example, involved blocking more than 800,000 malicious internet domains, plus arrests in five countries and cooperating with law enforcement in 35 additional countries, according to Justice Department figures.

The botnet targeted more than 40 financial institutions and cost victims hundreds of millions of dollars, the Homeland Security Department said, but the takedown would only count as a single operation.

The FBI missed its own target of 500 disruptions or dismantlements in fiscal years 2016 and 2017, according to the audit reports.