What we do
Since 2008, the Digital Crimes Unit (DCU) has been dedicated to protecting Microsoft customers against cybercrime. Through civil legal actions, technical countermeasures, criminal referrals, and public-private partnerships, the global team works to dismantle the infrastructure used by cybercriminals and nation-state threat actors and safeguard the digital ecosystem.
Priorities
Financially motivated cybercrime
The DCU effectively disrupts some of the most notorious malware and ransomware families, cybercrime-as-a-service operations, and distributors of malicious tools. We do this through a combination of civil actions, technical interventions, criminal referrals to law enforcement, and strong public-private partnerships.
Nation-state threat actors
A key innovation in our toolkit to confront nation-state threat actors has been the appointment of court monitors, enabling Microsoft to quickly identify and seize malicious domains as they are created. This model has become a standard component of the DCU’s strategy in cases involving nation-state actors from Russia, China, North Korea, and Iran.
Disrupting the abuse of generative AI
The DCU is at the forefront of combating the criminal misuse of generative AI technologies. As threat actors increasingly exploit AI to scale cybercrime, generate harmful content, and bypass safety guardrails, the DCU is responding with innovative legal strategies and technical interventions.
Disrupting criminal infrastructure at scale
The DCU’s Statutory Automated Disruption (SAD) program enables Microsoft and its partners to continuously dismantle malicious infrastructure through legal and technical action. By leveraging the Digital Millennium Copyright Act (DMCA) in the US and equivalent international statutes, SAD allows for rapid, repeatable enforcement against cybercriminal infrastructure without requiring formal litigation.
Innovating with AI to protect elections
The DCU uses AI models trained on domain impersonation techniques to proactively detect and disrupt threats targeting electoral candidates and vulnerable institutions globally.
Persistent pursuit
The DCU’s enforcement actions are not one-time takedowns—they are often sustained campaigns. By securing court-appointed monitors and using automated monitoring and detection, the DCU continuously tracks and disrupts reemerging threats. This persistent approach ensures long-term impact, even as cybercriminals and nation-state threat actors attempt to rebrand or rebuild their infrastructure.
Turning disruption into defense
Through global malware disruption operations, the DCU generates and shares real-time cyber threat intelligence via its Cyber Threat Intelligence Program (CTIP). By leveraging sinkholes to capture malicious traffic, CTIP helps Computer Emergency Response Teams (CERTs), Internet Service Providers (ISPs), Critical Infrastructure Information Sharing and Analysis Centers (ISACs) and Microsoft customers detect and remediate compromised systems—transforming enforcement actions into proactive cybersecurity defense.
Partnering with law enforcement globally
The DCU’s collaboration with law enforcement globally has led to over 780 arrests and the seizure of more than $35 million in cryptocurrency assets from major, prolific cybercriminal networks, including Scattered Spider/Octo Tempest, Shiny Hunters, REvil, and LabHost.
Accelerating protection through global partnerships
The DCU partners with organizations like the NCFTA, IC3 and JC3 to share curated threat intelligence and accelerate cybercrime disruption. These collaborations include faster identification of fraud and infrastructure abuse, helping protect people and organizations across jurisdictions with greater speed and precision.
Digital Crimes Consortium
This global event, hosted by the DCU since 2009, brings together law enforcement, cybersecurity experts, academics, and industry leaders to collaborate on the fight against cybercrime. Held under the Chatham House Rule, this PR-free forum fosters trusted, cross-sector partnerships and strengthens the global response to digital threats.
Please check back soon for updates on the next event.
Report a technical support scam
The DCU uses these reports in its ongoing investigations with law enforcement to take appropriate action against technical support scams.
Global collaboration
The DCU partners with law enforcement agencies globally and participates in global initiatives like:
World Economic Forum Partnership Against Cybercrime
The DCU is a founding member of the World Economic Forum’s Partnership Against Cybercrime (PAC), which brings together public and private sector leaders to combat cybercrime. As part of this effort, the DCU also co-founded the Cybercrime Atlas—an initiative that uses open-source intelligence to build a shared knowledge base to support coordinated cybercrime disruption efforts.
European Multidisciplinary Platform Against Criminal Threats (EMPACT)
The DCU is a key partner in this Europol-funded initiative—co-led by the US Secret Service (USSS) and the German Federal Criminal Police (BKA)—focused on combating cybercriminals’ misuse of AI. This collaboration under the EMPACT framework strengthens cross-border enforcement and policy efforts to address emerging AI-driven threats.
Ransomware Task Force
The DCU co-chaired the launch of the Institute for Security and Technology’s Ransomware Task Force (RTF), helping shape its foundational 2021 framework of 48 recommendations to combat ransomware. Today, DCU continues to drive impact as a member of the RTF Steering Committee, leading operational workstreams focused on disrupting ransomware infrastructure, advancing public-private collaboration, and reducing ransomware profitability through legal and technical interventions.
National Cyber-Forensics and Training Alliance
The DCU partners with the National Cyber-Forensics and Training Alliance (NCFTA) to combat global cybercrime. This collaboration leverages industry, government, and academic expertise to share intelligence, develop strategies, and conduct joint operations against cyber threats, including fraud, ransomware, and cybercrime-as-a-service.
Japan Cybercrime Control Center (JC3)
The DCU’s newest partner, Japan Cybercrime Control Center (JC3), is a leading non-profit in Japan focused on identifying, mitigating, and neutralizing the root of threats to cyberspace. Together they have dismantled tech support scams targeting elderly Japanese nationals and partnered on the international takedown of the world’s largest infostealer.
International Counter Ransomware Initiative
For several years, Microsoft, through the DCU and partners, has supported the International Counter Ransomware Initiative (CRI), uniting 70 countries to combat ransomware. As a founding member of CRI's Public-Private Advisory Panel, Microsoft aids in information sharing, trust-building, and best practices. Microsoft also developed the Crystal Ball threat intelligence sharing platform for CRI members.
Explore more
Learn more about Microsoft’s cybersecurity initiatives.
Customer Security and Trust (CST)
Protecting people, defending global institutions, and advancing digital trust.
Microsoft Threat Analysis Center (MTAC)
MTAC offers real-time insights into nation-state activities, disinformation efforts, and geopolitical cyberthreats to protect governments from digital dangers.
Cybersecurity Policy and Diplomacy (CPD)
The CPD team’s mission is to strengthen international norms and global policy for cybersecurity.