Digital Crimes Unit: Leading the fight against cybercrime

In today’s threat landscape, cybersecurity is a critical, ongoing challenge for anyone who uses technology. Every industry feels the urgency and pressure to protect and defend against increasingly sophisticated attacks. Cybercrime has matured into a robust and elaborate ecosystem, with cybercriminal groups constantly improving their tools and tactics to evade defenders. Alongside these global cybercriminal groups, state-affiliated threat actors continue to push for new levels of sophistication, targeting leading technology providers, including Microsoft.

At Microsoft, our security experts analyze more than 78 trillion security signals daily with the help of AI. We have over 34,000 full-time security engineers, in addition to the Microsoft Threat Intelligence teams that track over 1,500 unique threat actor groups. While we must maintain an external focus, we cannot neglect our internal defenses: as one of the most targeted companies globally, Microsoft must continuously fortify its own cybersecurity measures.

Our ability to do business depends on integrating security into everything we do. Through our Secure Future Initiative, we are committed to delivering secure and reliable products and services, while continuing to work closely with governments to take action against malicious behavior in cyberspace.

The DCU: A Class Apart

The Microsoft Digital Crimes Unit (DCU) leads Microsoft’s fight against cybercrime to protect our customers and promote global trust in Microsoft.

We are an international team of technical, legal, and business experts that has been fighting cybercrime since 2008. We draw on Microsoft Threat Intelligence to understand online criminal networks and disrupt the technical infrastructure they rely on, through civil legal actions, technical measures, criminal referrals to law enforcement, and public-private partnerships. Unlike others in the industry, our focus extends beyond protecting the Microsoft brand to safeguarding the broader ecosystem.

Disrupting and Deterring Cybercrime

Over the course of our history, the DCU has used civil actions to disrupt 30 malware families, nation-state threat actors, and distributors of malicious tools, rescuing over 500 million victim devices. Our collaboration with law enforcement has led to over 780 arrests since 2014. In 2024 alone, we seized 453 domains used by cybercriminals and nation-state threat actors for malicious purposes and contributed to 85 arrests globally.

The DCU is continually evolving to address emerging threats, adapting our expertise and tools to combat ever-evolving malware and ransomware variants, state-affiliated actors, cryptocurrency-related crime, digital fraud, and AI abuse. Increasingly, we are using new technologies such as AI to enhance our investigations and proactively identify new threats and vulnerabilities.

Starting in 2016, we turned the legal and technical toolkit we had built against financially motivated cybercriminals on nation-state attacks, beginning with Forest Blizzard (also known as Strontium and Fancy Bear), a state-affiliated actor targeting the US election system. Under a court order, we redirected seized domains impersonating Microsoft to a sinkhole hosted in Azure. This protected potential victims and stopped the spear-phishing attacks, while the connections arriving at the sinkhole yielded significant intelligence that we used to strengthen Microsoft products and shared with partners. In actions such as this, the DCU often seeks the appointment of a court monitor, which enables Microsoft to continue identifying and quickly seizing new domains as persistent malicious actors register them. In 2022, the DCU used this court-monitor approach to defend Ukraine against cyberattacks by Forest Blizzard, and it is now standard in our nation-state cases, including those against actors affiliated with Russia, China, North Korea, and Iran.

Protecting Customers from Cybercrime

Collaborating with security teams across Microsoft, the DCU enhances detection capabilities and shapes new security features. We contribute to the 78 trillion daily threat intelligence signals Microsoft analyzes, primarily through malware disruption operations: civil court orders allow us to sever or redirect malware command-and-control communication, so that infected devices connect to our Cyber Threat Intelligence Program (CTIP) sinkhole service instead of the criminals’ infrastructure.

This service shares the resulting intelligence, such as which source addresses are beaconing to a sinkholed domain, with Computer Emergency Response Teams (CERTs), Internet Service Providers (ISPs), and critical-infrastructure Information Sharing and Analysis Centers (ISACs), and integrates it into Microsoft products so that infected devices can be identified and remediated before they are used for unauthorized access. Our goal is to enhance security for customers globally.
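What a sinkhole of the kind described in the Forest Blizzard action and in the CTIP section actually produces, as an added illustration rather than DCU or CTIP code: every infected device that still resolves a seized domain now connects to infrastructure the defender controls, and the connection log is the intelligence. The small Python tool below parses a constructed sinkhole log, attributes each beacon to a malware family through a constructed list of seized domains, and groups the infected sources by the network owner (CERT or ISP) who would receive the notification. The log format, the seized-domain list, the network-to-owner table, the family names and the IP addresses are all assumptions made for this example; real seizure lists and allocation tables are far larger.

```python
"""Turn sinkhole beacon logs into per-network notification records.

Added example, not DCU or CTIP code. Assumed log format (one beacon per line):
  <ISO-8601 UTC> <src_ip> <src_port> <requested_host> <method> <path>
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed: domains named in a hypothetical seizure order, mapped to the
# malware family whose command-and-control they served.
SEIZED_DOMAINS = {
    "update-svc.example": "FamilyA",
    "cdn-auth.example": "FamilyA",
    "mail-relay.example": "FamilyB",
}

# Constructed: which CERT or ISP is responsible for which address range.
NETWORK_OWNERS = {
    "203.0.113.0/24": "ISP-Example-Net",
    "198.51.100.0/25": "CERT-Example-Gov",
}
# Longest prefix first, so a more specific delegation wins over an enclosing range.
_OWNERS = sorted(
    ((ipaddress.ip_network(c), o) for c, o in NETWORK_OWNERS.items()),
    key=lambda t: t[0].prefixlen, reverse=True,
)


@dataclass
class Beacon:
    ts: datetime
    src_ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    host: str
    path: str


@dataclass
class Notification:
    owner: str          # who receives the report
    network: str        # the address range it covers
    family: str         # malware family inferred from the sinkholed domain
    first_seen: datetime
    last_seen: datetime
    beacons: int = 0
    victims: set[str] = field(default_factory=set)


def parse_line(line: str) -> Beacon | None:
    """Parse one log line; malformed lines yield None rather than an exception."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts_raw, ip_raw, _port, host, _method, path = parts
    try:
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ip = ipaddress.ip_address(ip_raw)
    except ValueError:
        return None
    # Hostnames are case-insensitive; normalise so attribution cannot be dodged by case.
    return Beacon(ts, ip, host.lower().rstrip("."), path)


def owner_for(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> tuple[str, str]:
    """Longest-prefix match of a source address to the party that gets notified."""
    for net, owner in _OWNERS:
        if ip in net:  # evaluates False across IPv4/IPv6, so mixed versions are safe
            return owner, str(net)
    return "UNASSIGNED", "unknown"  # nobody to notify yet; kept for manual triage


def build_notifications(lines) -> list[Notification]:
    """Aggregate beacons by (owner, network, family); skip hosts outside the order."""
    agg: dict[tuple[str, str, str], Notification] = {}
    for line in lines:
        b = parse_line(line)
        if b is None or b.host not in SEIZED_DOMAINS:
            continue  # garbage, or a host this sinkhole has no authority over
        family = SEIZED_DOMAINS[b.host]
        owner, net = owner_for(b.src_ip)
        key = (owner, net, family)
        n = agg.get(key)
        if n is None:
            n = agg[key] = Notification(owner, net, family, b.ts, b.ts)
        n.first_seen = min(n.first_seen, b.ts)
        n.last_seen = max(n.last_seen, b.ts)
        n.beacons += 1
        n.victims.add(str(b.src_ip))  # unique infected sources, not the raw hit count
    return sorted(agg.values(), key=lambda n: (n.owner, n.network, n.family))


# Constructed sample log: two victims on the ISP range, one on the CERT range, one on
# an unassigned range, one request for a host not in the order, and one garbage line.
SAMPLE_LOG = """\
2024-03-04T10:15:22Z 203.0.113.45 51234 update-svc.example GET /gate.php
2024-03-04T10:15:23Z 203.0.113.45 51235 update-svc.example POST /gate.php
2024-03-04T10:16:01Z 203.0.113.77 40001 cdn-auth.example GET /c
2024-03-04T11:02:10Z 198.51.100.9 33000 mail-relay.example GET /ping
2024-03-04T11:02:11Z 198.51.100.200 33001 mail-relay.example GET /ping
2024-03-04T11:05:00Z 192.0.2.8 2020 unrelated.example GET /
this line is garbage
2024-03-04T12:00:00Z 203.0.113.45 51236 UPDATE-SVC.example GET /gate.php
"""

if __name__ == "__main__":
    for n in build_notifications(SAMPLE_LOG.splitlines()):
        print(f"{n.owner:18} {n.network:17} {n.family:8} victims={len(n.victims)} "
              f"beacons={n.beacons} {n.first_seen:%H:%M}-{n.last_seen:%H:%M}")
```

Two design points matter in practice. Beacons to hosts that are not in the seizure order are dropped rather than reported, because the sinkhole operator has authority only over the domains the court named; and the report counts unique source addresses separately from raw beacons, since one noisy infected host can otherwise make a small range look like a large outbreak.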

Engaging in the Broader Conversation

The DCU supports Microsoft’s policy positions by sharing case evidence and insights with policymakers, customers, and the public through various channels.

By building public-private partnerships, the DCU informs education campaigns and accelerates cross-border cooperation against cybercrime. Recognizing the threats posed by malicious use of AI, the DCU has partnered with the US Department of Homeland Security and the FBI to study AI’s impact on criminal activity. We also support Europol on the European Multidisciplinary Platform Against Criminal Threats (EMPACT) project, focusing on cybercriminals’ misuse of AI, in partnership with the US Secret Service (USSS) and the German Federal Criminal Police (BKA). Additionally, we recommend legislative language that countries can adopt to safeguard the public from deepfakes and other synthetic media.

The DCU, representing Microsoft, is also a founding member of the World Economic Forum (WEF) Cybercrime Atlas, which aims to map the cybercrime landscape and foster collaboration among stakeholders. We sponsor and actively participate in industry groups that advance cybersecurity principles through technology and innovation, for example by collaborating with the Institute for Security & Technology (IST) on awareness campaigns to prevent ransomware attacks.

By combining advanced technology, legal expertise, and strategic partnerships, the DCU protects Microsoft’s ecosystem and contributes to global cybersecurity efforts. As cyber threats evolve, the DCU remains committed to refining its strategies to ensure a safer digital future for all.