This is the Trace Id: 622f4b9e25e3107d221e0b48119da66c
Skip to main content
Corporate Responsibility
Sign in

Explore our cybersecurity work

Interior of the Microsoft Cybercrime Center featuring a world map labeled 'Microsoft Cybercrime Center' on the left, a large display screen with graphics and data in the center, and a wall on the right with the text 'Leading the fight against cybercrime.

Microsoft Digital Crimes Unit

We work to lead the fight against cybercrime by leveraging Microsoft Threat Intelligence to identify and disrupt online criminal networks.

What we do

Since 2008, the Digital Crimes Unit (DCU) has been dedicated to protecting Microsoft customers against cybercrime. Through civil legal actions, technical countermeasures, criminal referrals, and public-private partnerships, the global team works to dismantle the infrastructure used by cybercriminals and nation-state threat actors and safeguard the digital ecosystem.

Priorities

Disrupt & deter Innovate & scale Defend & protect
Digital map highlighting regions in Europe, Africa, and the Middle East with bright blue and red colors. Various lines and circles mark specific points of interest, set against a gradient background of light blue to purple.

Financially motivated cybercrime

The DCU effectively disrupts some of the most notorious malware and ransomware families, cybercrime-as-a-service operations, and distributors of malicious tools. We do this through a combination of civil actions, technical interventions, criminal referrals to law enforcement, and strong public-private partnerships.
Read about the disruption of Lumma Stealer
Office or control room with six people seated at computer stations, each with multiple monitors displaying data. In the background, a large screen shows a digital globe and the repeated text: 'Our defense in depth approach includes extensive detection and control measures to protect all environments.' Two individuals stand near the screen, appearing to discuss or present.

Nation-state threat actors

A key innovation in our toolkit to confront nation-state threat actors has been the appointment of court monitors, enabling Microsoft to quickly identify and seize malicious domains as they are created. This model has become a standard component of the DCU’s strategy in cases involving nation-state actors from Russia, China, North Korea, and Iran.
Read about the disruption of Star Blizzard
Digital circuit board with blue and yellow electrical pathways overlaid on a background of binary code in purple and pink tones.

Disrupting the abuse of generative AI

The DCU is at the forefront of combating the criminal misuse of generative AI technologies. As threat actors increasingly exploit AI to scale cybercrime, generate harmful content, and bypass safety guardrails, the DCU is responding with innovative legal strategies and technical interventions.
Read about the DCU’s disruption of Storm-2139 Read about the DCU’s role in combating AI fraud in Japan
Satellite image of Europe at night. City lights form bright clusters across the continent, highlighting urban areas and transportation networks. The surrounding areas are dark, with coastlines faintly visible.

Disrupting criminal infrastructure at scale

The DCU’s Statutory Automated Disruption (SAD) program enables Microsoft and its partners to continuously dismantle malicious infrastructure through legal and technical action. By leveraging the Digital Millennium Copyright Act (DMCA) in the US and equivalent international statutes, SAD allows for rapid, repeatable enforcement against cybercriminal infrastructure without requiring formal litigation.
Explore the DCU’s Proof of Concept for SAD
A person using a smartphone surrounded by digital cryptocurrency icons.

Innovating with AI to protect elections

The DCU uses AI models trained on domain impersonation techniques to proactively detect and disrupt threats targeting electoral candidates and vulnerable institutions globally.
Read about Microsoft’s election protection efforts
Login interface overlay on a person typing at a white keyboard, with icons for user, fingerprint, camera, and globe.

Persistent pursuit

The DCU’s enforcement actions are not one-time takedowns—they are often sustained campaigns. By securing court-appointed monitors and automated monitoring and detection, the DCU continuously tracks and disrupts reemerging threats. This persistent approach ensures long-term impact, even as cybercriminals and nation-state threat actors attempt to rebrand or rebuild their infrastructure.
Read about the DCU’s initial disruption of Storm-1152
Digital map highlighting regions in Europe, Africa, and the Middle East with bright blue and red colors. Various lines and circles mark specific points of interest, set against a gradient background of light blue to purple.

Turning disruption into defense

Through global malware disruption operations, the DCU generates and shares real-time cyber threat intelligence via its Cyber Threat Intelligence Program (CTIP). By leveraging sinkholes to capture malicious traffic, CTIP helps Computer Emergency Response Teams (CERTs), Internet Service Providers (ISPs), Critical Infrastructure Information Sharing and Analysis Centers (ISACs) and Microsoft customers detect and remediate compromised systems—transforming enforcement actions into proactive cybersecurity defense.
Read about the Lumma malware sinkhole
Black headset with a microphone resting on a black computer keyboard.

Partnering with law enforcement globally

The DCU’s global collaboration with law enforcement globally has led to over 780 arrests and the seizure of more than over $35 million in cryptocurrency assets from major prolific cybercriminal networks, including Scattered Spider/Octo Tempest, Shiny Hunters, REvil, and LabHost.
Read about combating tech support fraud
Person working on a laptop displaying code, with a blue circuit board pattern in the background.

Accelerating protection through global partnerships

The DCU partners with organizations like the NCFTA, IC3 and JC3 to share curated threat intelligence and accelerate cybercrime disruption. These collaborations include faster identification of fraud and infrastructure abuse, helping protect people and organizations across jurisdictions with greater speed and precision.
Read about the dismantling of a scam network
Back to Tabs
An image of Mexico City at night with text reading Microsoft Digital Crimes Consortium 2026, March 9-12, 2026, Mexico City.

March 9-12, 2026

Digital Crimes Consortium

The Digital Crimes Consortium (DCC) is an exclusive, invitation-only global gathering hosted by the DCU, bringing together law enforcement, cybersecurity professionals, academics, and industry leaders to collaborate in the fight against cybercrime. Since its inception in 2009, this PR-free event—governed by Chatham House Rule—has fostered trusted, cross-sector partnerships and advanced the global response to digital threats.

Most recently held in Athens, Greece in March 2025, DCC brought in attendees from 39 countries and 167 organizations, and featured over 60 presentations, 11 hands-on labs, and a SANS range event.

We’re excited to announce that DCC 2026 will take place in Mexico City March 9-12, 2026 continuing the tradition of convening global experts to tackle emerging cyber threats.

More information on sponsorship opportunities and how to apply for admission to the event coming soon.

Report a technical support scam

The DCU uses these reports in their ongoing investigations with law enforcement to take appropriate action against technical support scams.
Report a technical support scam

Global collaboration

The DCU partners with law enforcement agencies globally and participates in global initiatives like:

World Economic Forum Partnership Against Cybercrime

The DCU is a founding member of the World Economic Forum’s Partnership Against Cybercrime (PAC), which brings together public and private sector leaders to combat cybercrime. As part of this effort, the DCU also co-founded the Cybercrime Atlas—an initiative that uses open-source intelligence to build a shared knowledge base to support coordinated cybercrime disruption efforts.
Learn about PAC Explore the Cybercrime Atlas

European Multidisciplinary Platform Against Criminal Threats (EMPACT)

The DCU is a key partner in this Europol-funded initiative—co-led by the US Secret Service (USSS) and the German Federal Criminal Police (BKA)—focused on combating cybercriminals’ misuse of AI. This collaboration under the EMPACT framework strengthens cross-border enforcement and policy efforts to address emerging AI-driven threats.
Learn about EMPACT

Ransomware Task Force

The DCU co-chaired the launch of the Institute for Security and Technology’s Ransomware Task Force (RTF), helping shape its foundational 2021 framework of 48 recommendations to combat ransomware. Today, DCU continues to drive impact as a member of the RTF Steering Committee, leading operational workstreams focused on disrupting ransomware infrastructure, advancing public-private collaboration, and reducing ransomware profitability through legal and technical interventions.
Learn about the Ransomware Task Force

National Cyber-Forensics and Training Alliance

The DCU partners with the National Cyber-Forensics and Training Alliance (NCFTA) to combat global cybercrime. This collaboration leverages industry, government, and academic expertise to share intelligence, develop strategies, and conduct joint operations against cyber threats, including fraud, ransomware, and cybercrime-as-a-service.
Read about the NCFTA

Japan Cybercrime Control Center (JC3)

The DCU’s newest partner, Japan Cybercrime Control Center (JC3), is a leading non-profit in Japan focused on identifying, mitigating, and neutralizing the root of threats to cyberspace. Together they have dismantled tech support scams targeting elderly Japanese nationals and partnered on the international takedown of the world’s largest infostealer.
Learn about JC3 Read about the DCU’s collaboration in Japan

International Counter Ransomware Initiative

For several years, Microsoft, through the DCU and partners, has supported the International Counter Ransomware Initiative (CRI), uniting 70 countries to combat ransomware. As a founding member of CRI's Public-Private Advisory Panel, Microsoft aids in information sharing, trust-building, and best practices. Microsoft also developed the Crystal Ball threat intelligence sharing platform for CRI members.
Learn about the CRI

Latest news and stories

Stay informed on the latest developments—from threat intelligence briefings to global policy updates.
Explore the stories
Image of purple lines intersecting with blue lines, overlaid with blue dots to represent an interconnected grid network.

Explore more

Learn more about Microsoft’s cybersecurity initiatives.
World map with a hexagonal overlay and padlock icons across continents, symbolizing global data security; dark blue background with light blue continents.

Customer Security and Trust (CST)

Protecting people, defending global institutions, and advancing digital trust.
Learn about our CST work
A person using a laptop with a digital map of global connections on the screen.

Microsoft Threat Analysis Center (MTAC)

MTAC offers real-time insights into nation-state activities, disinformation efforts, and geopolitical cyberthreats to protect governments from digital dangers.
Read more about MTAC
A row of international flags outside a government or conference building.

Cybersecurity Policy and Diplomacy (CPD)

The CPD team’s mission is to strengthen international norms and global policy for cybersecurity.
Learn about the CPD team
Follow Microsoft