Cyber Offense: How Far Can Private Organizations Go?
A criminal hacking group is conducting phishing attacks, masquerading as an email company to steal user data and launch ransomware. The email company’s security team has mapped the hackers’ infrastructure. The team has identified the command-and-control servers and a flaw in the ransomware deployment tools that could send decryption keys to victims. The company wants to launch a technical attack and take down the threat actors’ network. But there is a problem: Doing so could land the company’s employees in federal prison. That tension—between what the private sector can technically achieve and what it is legally permitted to do—sits at the heart of a growing cybersecurity policy debate.
Over the past year, the Trump administration has beaten a steady drum calling for greater public-private cooperation against state and criminal cyber adversaries. Its March 2026 Cyber Strategy for America, for example, aims to “unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities.” This line of thinking is not new. Since 2013, the private sector and thought leaders have suggested “hacking back,” “cyber privateers,” and “letters of marque” as a policy response to the exponential rise in cybercrime—extending authority to conduct cyber operations against threat actors from traditional government actors (such as the FBI, U.S. Cyber Command, and the intelligence community) to qualified private-sector entities. And, while National Cyber Director Sean Cairncross has said that the administration is not asking the private sector to conduct offensive cyber operations, he stressed the need to shape adversary behavior through collaboration.
But the line between cyber defense and offense is blurring fast. Organizations are constantly evaluating how to disincentivize threat actors from targeting them and their customers. Some are exploring how a more permissive, government-enabled cyber environment can help them operationalize—and potentially monetize—their cyber systems and threat intelligence, turning a traditional cost center into a profit operation. All of this falls under the broad and loosely defined banner of “offensive cyber operations,” encompassing everything from retaliatory “hack backs” to active defensive measures, threat intelligence gathering, and court-ordered seizures of attacker infrastructure.
Artificial intelligence (AI) is accelerating the cat-and-mouse game between threat actors and network defenders. Threat actors are increasingly leveraging AI to exploit vulnerabilities and augment their efforts with the click of a button. Anthropic’s Claude Mythos, which has the ability to autonomously find and fix vulnerabilities in software, and similar models will become the minimum standard for secure software development and network defenders. Phishing and fraud detection, combing through gigabytes of logs for anomalies, predictive threat analysis, and behavioral baselining are all areas where AI has a distinct edge. When speed is the decisive factor in stopping an attack, agentic AI cybersecurity solutions promise to anticipate and respond far faster than any human defender.
The capabilities that fall under this broad umbrella—offensive, defensive, intelligence, and legal—each carry distinct risks that organizations must weigh. And the legal landscape is more complex than the heightened rhetoric might suggest.
The Hack Back Dilemma
What does “hacking back” actually mean? At its core, a traditional hack back refers to a victim retaliating by penetrating the attacker’s systems through technical means. But the term has grown to encompass active defensive measures in which victims manipulate their own network environment to make it harder and costlier for adversaries to operate. Hack backs also include intelligence gathering actions, such as infiltrating criminal forums, assuming false identities, and even law enforcement-style activities, such as conducting controlled purchases to understand bad actors’ operations.
The Computer Fraud and Abuse Act (CFAA) is the primary U.S. anti-hacking law. It prohibits intentionally accessing a computer “without authorization or exceed[ing] authorized access” as well as “knowingly caus[ing] the transmission of a program, information, code, or command” to “intentionally cause[] damage.” In 2021, the Supreme Court narrowed the CFAA by ruling that using an authorized account for an improper purpose is not, by itself, a criminal violation. However, that ruling is unlikely to greenlight offensive or defensive measures predicated on accessing attacker systems without permission. Congress has echoed this limitation. Under the Cybersecurity Information Sharing Act of 2015 (CISA 2015), organizations can monitor their own networks, share threat indicators with other private entities and the federal government, and deploy defensive measures on their own systems. However, CISA 2015 draws a hard line against offensive cyber operations, including any operations against attacker infrastructure.
Organizations contemplating hack backs must also consider civil liabilities. While network defenders aim to cause more good than harm, taking active measures—both offensive and defensive—presents a unique risk analysis. As threat actors migrate to the cloud and use shared computing resources to obfuscate attacks and hinder attribution, active offensive or defensive measures risk collateral damage to innocent third parties. Innocent victims mistakenly targeted can avail themselves of the CFAA’s civil remedies. Any person who suffers damage or loss from a CFAA violation can bring a civil action for compensatory damages and injunctive relief, as well as a host of tort or other remedies. Offensive operations that cause collateral damage can also harm an organization’s reputation and attract regulatory scrutiny—moving a well-intentioned defender from victim to perpetrator.
Activities that may fall outside traditional active measures, such as threat intelligence gathering, also carry criminal and civil risks. Corporate analysts must avoid assuming real individuals’ identities to gain access to criminal forums. Paying for forum access or purchasing malware for analysis can implicate money laundering, wire fraud, and even sanctions statutes. Clear policies are paramount, and organizations engaged in these activities need an elevated level of care and documentation typically used by law enforcement agencies.
The Hack Back Techniques and Their Legal Exposure
Attacker Infrastructure Neutralization Through Technical Actions—High Risk
Technical neutralization encompasses several potential offensive actions, including data retrieval, distributed denial-of-service (DDoS) attacks, and deploying ransomware or malware in response to an attack. Data retrieval and responsive malware deployment require accessing the attacker’s network and even intentionally causing damage. DDoS attacks similarly require gaining access to the attacker’s network or blocking communications using high volumes of junk data. Regardless of why and who executes them, these actions are prohibited by the CFAA—illegal for both good and bad actors.
These offensive actions also carry a high likelihood of unintentional harm. Sophisticated attackers routinely route operations through compromised third-party systems—corporate servers, cloud infrastructure, academic networks, and personal devices. Neutralizing what appears to be attacker infrastructure but is an innocent compromised system could expose the neutralizing party to tort or intellectual property claims. Cloud environments present heightened risks: A neutralization operation targeting a specific virtual machine may affect the underlying physical infrastructure that unwitting third parties share. Content delivery networks, shared hosts, and managed providers all represent environments where targeted neutralization is difficult to confine.
Absent explicit government authorization or a law enforcement partnership, organizations should view neutralizing attacker infrastructure through technical means as off limits. CFAA exposure is near certain, collateral damage risk is high, and civil liability extends to any innocent victims caught in the crossfire. Threat actors who detect neutralization attempts may also respond asymmetrically. This is not hypothetical: During the Flax Typhoon disruption, China-based threat actors conducted a DDoS attack against the FBI and its partners, abandoning the effort only once they realized they were attacking the FBI—a shield the private sector will not have.
Defending Against Incoming Attacks—Low Risk
An information technology (IT) team intercepts a spear phishing campaign aimed at the organization’s chief financial officer (CFO). The threat actors are looking to induce the CFO to send funds for an apparently legitimate reason, but to a bank account controlled by them. The IT team sets up a seemingly legitimate website and asks the threat actors to log in and input their fraudulent banking details. Once the threat actor accesses the site, the organization deploys a packet capture to record and analyze all traffic sent by the attacker. They also record information about the threat actor, such as their IP address, geolocation, or browser header information.
This scenario is not far off from techniques routinely deployed by network defenders. Variations include malware traps to safely ingest and sequester potential malware files or sinkholes to redirect traffic from malicious domains to defender-controlled servers, severing the connection between compromised machines and attacker command-and-control infrastructure.
The rule of thumb is that actions taken within an organization’s own network are generally permissible, but activities reaching beyond that perimeter incur legal risk. Intercepting data sent by an attacker through a honeypot or malware trap is legally permissible. However, attempting to install a cookie or a beacon that transmits from the attacker’s device, or executing keylogging or screenshotting software on it, could violate the CFAA, the Wiretap Act, and state wiretap laws. If these actions inadvertently target or damage innocent third parties, the company could face CFAA civil claims and common law tort claims.
The maxim extends to other techniques. Network defenders can embed canary tokens—digital tripwires—in files, links, or other digital assets. When a bad actor accesses the file, defenders collect information such as IP addresses, device fingerprints, timestamps, and geolocation data. This is legally permissible on the organization’s network, but if the canary continues reporting after exfiltration, that could violate the CFAA. Similarly, network reconnaissance of devices on an organization’s own network is permissible, but reconnaissance on networks the operator has no authority over—including attacker infrastructure or public internet infrastructure—could violate the CFAA. Any interception of electronic communications could also trigger criminal liabilities under the Wiretap Act.
Threat Intelligence—Low Risk
Like the defensive space, threat intelligence activities can range from passive open-source monitoring to direct engagement with threat actor communities. Direct engagement can include assuming false identities to infiltrate criminal forums; accessing dark web marketplaces and invitation-only channels through surreptitious means; and paying for entry to hacker forums, malware samples, or actionable intelligence. These activities often mirror law enforcement techniques, but the private sector lacks the legal authorities and immunities available to government agents.
Open forums are generally fair game because no access controls are bypassed. Closed communities, by contrast, carry CFAA risk regardless of whether they sit on the regular or dark web. Using a real person’s identity—particularly a victim’s—to access a criminal forum can trigger the federal aggravated identity theft statute, which carries a strict mandatory minimum prison sentence of two years. Fabricated personas are not risk-free either, as any authorization obtained through deception could constitute “unauthorized access” under the CFAA. Corporate investigators seeking to construct fake identities on third-party services used by criminal actors—web hosts, crypto tumblers, and the like—must exercise caution not to run afoul of local laws such as know-your-customer regulations where the third-party service operates.
Operatives also need to exercise caution when accepting and handling stolen credentials, exfiltrated data, or malware and other malicious code that they may receive on these forums. Paying for entry or purchasing such information or code could implicate conspiracy, aiding and abetting, money laundering, and other state and criminal statutes. And because ascertaining the true identity behind online monikers can be difficult, investigators must take care to remain compliant with sanctions laws. Organizations in the cryptocurrency space conducting chain analysis or proactive investigations surrounding money laundering, pig butchering scams, or gift card fraud should be particularly cautious when interacting with threat actors or exchanging items of value—even if it is for a legitimate purpose, such as tracing illegitimate money flows.
The bottom line: Threat intelligence operations in the private sector are viable but demand governance rigor. Organizations need documented policies covering identity creation, forum access, financial transactions, and data handling before operations begin. Payments for access or tools should be screened against sanctions lists and anti-money laundering requirements, and operatives should never use real victims’ identities. Strict documentation is vital to demonstrate not just strong policies, but careful adherence by employees and contractors.
Agentic AI and the Liability Matrix—Mixed Risk
Agentic AI adds a new variable. The risk analysis still pivots on whether actions stay inside or reach outside the organizational network. But as network defenders move to AI-enabled active defense, monitoring for behavior outside normal operational parameters and keeping humans actively involved in AI decision-making will be crucial to avoid legal liability.
The autonomous nature of AI-driven action does not insulate the organization from legal liability. Consider this scenario: An attacker embeds within a victim organization’s network topology by compromising a switch or server, infiltrating legitimate systems. An AI agent continuously scanning the network for reconnaissance and penetration testing may treat that compromised node as just another system to query and conduct a range of preauthorized active defensive measures. While there may be low legal risk for actions taken against the attacker on the organization’s own network, an agentic AI that crosses network boundaries and conducts active measures against the third-party computing resources used by the attacker could raise “unauthorized access” criminal and civil liabilities under the CFAA. Similarly, imagine an organization using Mythos to find vulnerabilities in ransomware. The organization could use the discovery to remediate ransomware installed on its systems, but it would still run afoul of the CFAA if it chose to target the threat actors’ command-and-control infrastructure.
Agentic AI can take on a more active role in deception and active defense. It can spin up honeypots dynamically or automate surveillance on criminal forums and interact with attackers to gather and compile threat intelligence. Network defenders and their legal counsel will have to consider where human-in-the-loop supervision is necessary to avoid liability. Agentic AI will require governance and auditability frameworks to ensure the software works within authorized boundaries and actions can be explained after the fact. With agents potentially deployed on cloud or software as a service infrastructure, legal liability for unauthorized actions could fall on the network operator, the software developer, and the deploying organization alike.
Civil Tools—Low Risk
Organizations are working with outside counsel to marshal their threat intelligence resources and deploy civil legal tools, disrupting and taking down attacker infrastructure in conjunction with law enforcement.
Microsoft was the first company to develop a legal strategy centered on disrupting cybercriminal infrastructure using civil litigation tools. Starting in 2013, Microsoft’s Digital Crimes Unit worked together with the FBI and used a civil seizure warrant to disrupt a botnet that stole more than $500 million from financial institutions. Following this, Microsoft, through outside counsel, obtained an emergency court order in 2020 against a different cybercriminal group and disabled the IP addresses for Trickbot’s command-and-control servers. The petition alleged injuries to Microsoft, its customers, and the public based on violations of the Copyright Act, the Electronic Communications Privacy Act, the Lanham Act, and state tort law. In 2025, Microsoft deployed the same strategy to disrupt the RaccoonO365 phishing service that had been used to steal Microsoft 365 credentials. Microsoft’s Digital Crimes Unit leveraged its threat intelligence work to engage directly with the leader of the criminal enterprise and conducted blockchain analysis to reveal his identity and refer him to international law enforcement.
Google entered this space this year when its newly established cyber disruption unit acted against IPIDEA—one of the largest residential proxy networks. While sharing technical analysis with law enforcement and private-sector partners, Google conducted court-authorized domain takedowns to remove dozens of domains belonging to the threat actors.
Civil actions like these are a tried and tested method for the private sector to take the fight to cyber threat actors. They enable a strong foundation for public-private coordination while allowing for transparency, predictability, scalability, and legal defensibility within rule of law and due process frameworks. With the democratization of threat intelligence in the private sector, this approach is increasingly available to organizations that may be wary of the liability surrounding offensive cyber actions.
What Comes Next
Today’s legal framework—particularly the CFAA—offers limited room for private-sector offensive hack-back operations without explicit government authorization. Network defenders generally have wide latitude on their own networks, but moving beyond that safe boundary can quickly risk criminal and civil liability. Civil tools, meanwhile, have emerged as a promising avenue—pairing threat intelligence with legal expertise to disrupt cyber adversaries. With CISA 2015 up for renewal later this year, Congress and the executive branch have an opportunity to explore a clearer framework for private-sector action alongside law enforcement. If cyber requires an “all of nation” approach, effective and coordinated operations across a spectrum of online battlefields will be the key to success.
