Cybercrime Defense: Federal Charges and Computer Fraud

Federal cybercrime prosecutions represent one of the fastest-growing segments of the U.S. criminal docket, carrying penalties that can exceed 20 years of imprisonment under a single statute. This page covers the primary federal laws governing computer fraud and unauthorized access, how federal prosecutors build cybercrime cases, the most common charged scenarios, and the legal boundaries that separate civil violations from criminal exposure. Understanding this framework is essential context for anyone navigating the federal criminal defense process or evaluating the scope of computer-related charges.


Definition and scope

The foundational federal statute governing computer crimes is the Computer Fraud and Abuse Act (CFAA), codified at 18 U.S.C. § 1030. Enacted in 1986 and amended substantively in 1994, 1996, 2001, and 2008, the CFAA criminalizes unauthorized access to "protected computers" — a term the statute defines broadly to include any computer "used in or affecting interstate or foreign commerce or communication," which federal courts have interpreted to encompass virtually any internet-connected device.

The CFAA creates seven distinct categories of offenses under § 1030(a), ranging from accessing a government computer without authorization (§ 1030(a)(1)) to intentional damage to protected computers (§ 1030(a)(5)). Penalties scale by the seriousness of harm and the defendant's criminal history. A first-offense conviction under § 1030(a)(4) (fraud involving a computer) carries a maximum of 5 years; convictions involving critical infrastructure or aggravated damage can reach 20 years (18 U.S.C. § 1030(c)).

Beyond the CFAA, federal prosecutors routinely charge cybercrime conduct under companion statutes, including the wire fraud (18 U.S.C. § 1343), access device fraud (§ 1029), and conspiracy (§ 371) provisions referenced in the scenarios below.

Jurisdiction is almost universally federal when any interstate communication is involved. The Federal Bureau of Investigation (FBI) and the Department of Justice's Computer Crime and Intellectual Property Section (CCIPS) are the primary investigative and prosecutorial bodies.


How it works

Federal cybercrime investigations follow a structured sequence that differs materially from typical street-crime cases. The grand jury process in federal criminal cases plays a central role, as investigators use grand jury subpoenas to compel records from internet service providers, cloud platforms, and financial institutions before any arrest.

A typical federal cybercrime investigation proceeds through these phases:

  1. Detection and referral — A victim entity (bank, corporation, or government agency) reports an intrusion to the FBI's Internet Crime Complaint Center (IC3) or directly to CCIPS. The IC3 received 880,418 complaints in 2023 with reported losses exceeding $12.5 billion (FBI IC3 2023 Annual Report).
  2. Digital forensics and evidence preservation — Agents image storage media, capture network logs, and issue legal process to preserve cloud data under the Stored Communications Act. Digital and electronic evidence collected at this stage frequently forms the core of the prosecution's case.
  3. Grand jury subpoenas and warrants — Investigators obtain subscriber records, IP logs, and financial data. Fourth Amendment warrant requirements apply to content data; Fourth Amendment search-and-seizure doctrine governs the admissibility of this evidence.
  4. Indictment — A grand jury votes on a sealed indictment specifying each count, the statute violated, and the approximate loss amount (which drives sentencing under U.S. Sentencing Guidelines § 2B1.1).
  5. Arrest, arraignment, and pretrial — The defendant is processed through arraignment, bail determination, and a pretrial motions phase that often includes suppression challenges targeting the digital evidence collected in phase two.

Common scenarios

Federal cybercrime charges cluster around six recurring fact patterns:

Unauthorized access and data exfiltration — An individual or group accesses a system without authorization, or exceeds authorized access, and extracts proprietary data. This is the core § 1030(a)(2) offense. The distinction between "without authorization" and "exceeds authorized access" was addressed by the U.S. Supreme Court in Van Buren v. United States, 593 U.S. 374 (2021), which narrowed the "exceeds authorized access" prong to accessing files the user was not entitled to access — not merely misusing legitimately accessed data.

Ransomware and malicious code deployment — Defendants deploy malware that encrypts victim systems and demands payment. Prosecutors typically charge § 1030(a)(5)(A) (intentional damage) alongside wire fraud and extortion statutes. Sentences in ransomware cases involving critical infrastructure have reached 25+ years in combined counts.

Phishing and credential theft — Fraudulent emails or spoofed websites harvest login credentials. Charges typically combine CFAA § 1030(a)(4), wire fraud (§ 1343), and access device fraud (§ 1029). Cases involving criminal conspiracy among multiple actors often carry additional exposure under 18 U.S.C. § 371.

Insider threats — A current or former employee accesses employer systems post-termination or downloads proprietary data before resignation. These cases hinge on Van Buren's authorization framework and frequently involve white collar crime defense considerations.

Distributed Denial of Service (DDoS) attacks — Flooding a target system with traffic to make it unavailable. Charged under § 1030(a)(5); the measurable "damage" threshold (causing loss aggregating at least $5,000 in value) is a statutory element prosecutors must prove.

Dark web marketplaces and cryptocurrency fraud — Operating or participating in illicit online markets involving drug sales, stolen data, or money laundering. These cases typically involve the Drug Enforcement Administration alongside CCIPS and RICO/conspiracy charges.


Decision boundaries

Several legal thresholds determine whether conduct constitutes a federal criminal offense, a civil CFAA claim, or no violation at all.

Criminal versus civil CFAA liability — The CFAA authorizes both criminal prosecution and a civil private right of action. Criminal charges require proof beyond a reasonable doubt that the defendant knowingly and intentionally acted without authorization. Civil plaintiffs use a preponderance standard. Congress set the minimum damages threshold for a civil action at $5,000 in losses within a one-year period (18 U.S.C. § 1030(g)).

Felony versus misdemeanor classification — First-time offenders charged under § 1030(a)(2) (unauthorized access to obtain information) face a maximum of 1 year if no aggravating factors exist — a misdemeanor. The offense escalates to a felony (up to 5 years) if it was committed for financial gain, involved a value exceeding $5,000, or was in furtherance of another crime. This parallels the broader felony-versus-misdemeanor distinction that structures all federal criminal exposure.

Authorization as the critical element — Because the CFAA centers on "without authorization," the defense analysis begins with whether access was actually authorized. Employer-issued credentials, penetration testing agreements, or terms-of-service violations (post-Van Buren) do not automatically satisfy the authorization element. This makes digital and electronic evidence about user permissions, system access logs, and employment contracts central to both prosecution and defense theories.

Sentencing guidelines loss calculation — Under U.S. Sentencing Guidelines § 2B1.1, loss amount drives offense level increases in cybercrime cases more than any other single variable. A loss of $550,000 adds 12 levels; a loss exceeding $65 million adds 22 levels (U.S. Sentencing Commission, Guidelines Manual § 2B1.1). Defense counsel frequently contest the prosecution's loss methodology, particularly in cases involving speculative harm estimates from data breaches.

Statute of limitations — The general federal criminal statute of limitations is 5 years under 18 U.S.C. § 3282. For offenses involving financial institutions, the period extends to 10 years. Statutes of limitations in cybercrime cases often require analysis because intrusions may not be discovered until months or years after the event; the limitations period generally begins when the
