International Cybercrime Treaties in 2026

[Student]

International Cybercrime Treaties in 2026: Budapest Convention, UN Hanoi Convention, Malabo Convention, Regional Frameworks, Key Provisions for Hacking/CFAA, Carding, Ransomware, Cryptocurrency Laundering, Extradition, Evidence Sharing, Status Updates, Comparisons, Challenges, and Practical Implications for US Enforcement and Defense Strategies​

This exhaustive 2026 guide, current as of April 29, 2026, provides the most detailed analysis available of all major multilateral international cybercrime treaties and frameworks. It is tailored specifically to U.S. prosecutions involving Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030) violations (unauthorized access/hacking, system damage), access device fraud/carding (18 U.S.C. § 1029), ransomware/extortion, and cryptocurrency-related money laundering (18 U.S.C. §§ 1956–1957). These treaties underpin the Department of Justice’s (DOJ) Office of International Affairs (OIA) and Computer Crime and Intellectual Property Section (CCIPS) efforts, enabling Mutual Legal Assistance Treaties (MLATs), provisional arrests via Interpol Red Notices, extradition, electronic evidence preservation/seizure, and 24/7 cooperation networks.

The treaties address the borderless nature of cyber threats through criminalization harmonization, procedural powers (e.g., expedited data preservation), international cooperation (MLA, extradition, joint investigations), and capacity-building — while incorporating dual criminality (conduct criminal in both states, usually ≥1 year imprisonment), rule of specialty, and human rights safeguards. The U.S. continues to treat the Budapest Convention as the “gold standard” and has not signed the newer UN treaty, emphasizing robust rule-of-law protections over broader but potentially weaker global reach.

1. Budapest Convention on Cybercrime (Council of Europe Treaty Series No. 185, 2001) – The Established Global Benchmark​

Signed November 23, 2001, in Budapest and entering into force July 1, 2004, this is the first and most influential multilateral treaty dedicated to cybercrime. It was negotiated under the Council of Europe with strong U.S. involvement to harmonize laws and facilitate cross-border investigations.

Core Criminalization Provisions (Chapter II, Section 1) Relevant to U.S. Cases:

• Illegal Access (Art. 2): Hacking/unauthorized entry into computer systems — directly aligns with CFAA § 1030(a)(2) and (a)(4).
• Illegal Interception (Art. 3) and Data Interference (Art. 4): Covers ransomware encryption/damage or data alteration (§ 1030(a)(5)).
• System Interference (Art. 5): DDoS or ransomware disrupting availability.
• Computer-Related Fraud (Art. 7) and Forgery (Art. 8): Carding, identity theft, and access device trafficking (§ 1029).
• Ancillary Offenses: Aiding/abetting and attempt (Art. 11). Cryptocurrency laundering can be prosecuted as computer-related fraud or via linked MLA for financial trails.
• Procedural Powers (Chapter II, Section 2): Expedited preservation of stored/transmitted data (Arts. 16–17), production orders (Art. 18), search/seizure of computer systems (Art. 19), and real-time collection of traffic data (Art. 20) — critical for blockchain tracing in laundering cases.

International Cooperation (Chapter III):

• MLA (Arts. 25–31), extradition for offenses punishable by ≥1 year in both states (Art. 24; treaty can serve as legal basis absent bilateral treaty), and a 24/7 contact point network for urgent requests (Art. 35). Dual criminality is required but flexible — no identical statutes needed.
• Supports provisional arrests and evidence sharing without full extradition packages initially.

Status as of April 29, 2026:

• 81 Parties (full ratifications/accessions), including the United States (ratified 2006, in force 2007), Canada, Australia, Japan, UK, most EU states, and non-CoE nations like Argentina, Brazil, Chile, Colombia, Costa Rica, Ghana, Israel, Mauritius, Nigeria, Philippines, Rwanda, Senegal, Sri Lanka, and Tunisia. Recent accessions (2022–2026) include Brazil, Cameroon, Tunisia, Sierra Leone, Grenada, Benin, Fiji, Kiribati, Ecuador, Rwanda, Sao Tome and Principe, Vanuatu, and New Zealand. Ireland and South Africa remain signatories without full ratification.

First Additional Protocol (2003, on racist/xenophobic acts via computer systems): 37 ratifications; U.S. has not joined due to free speech concerns.

Second Additional Protocol on Enhanced Cooperation and Disclosure of Electronic Evidence (CETS No. 224, opened 2022):

• Addresses modern challenges: direct requests to service providers for subscriber/traffic data, joint investigations, and expedited MLA in cloud/encrypted environments.
• As of April 2026: 52 signatories; 4 ratifications (Serbia and Japan in 2023; Hungary on February 5, 2026; Costa Rica on April 15, 2026). Not yet in widespread force but advancing via the Cybercrime Convention Committee (T-CY) Workplan 2026–2027. EU member states are progressing internal ratification.

U.S. prosecutors routinely use Budapest for CFAA/ransomware cases from treaty partners (e.g., Italy, Chile, Romania extraditions 2025–2026).

2. United Nations Convention against Cybercrime (Hanoi Convention, 2024) – The First Universal Global Treaty​

Adopted by UN General Assembly consensus on December 24, 2024 (Resolution 79/243). Full title: United Nations Convention against Cybercrime; Strengthening International Cooperation for Combating Certain Crimes Committed by Means of Information and Communications Technology Systems and for the Sharing of Evidence in Electronic Form of Serious Crimes.

Key Provisions:

• Criminalization (Chapter II): Cyber-dependent offenses mirroring Budapest (illegal access, data/system interference, computer-related fraud/forgery) — covering hacking, ransomware, carding. Broader scope includes support for “serious crimes” (≥4 years imprisonment) where electronic evidence is involved, potentially encompassing crypto laundering as a predicate.
• Procedural Measures and Evidence (Chapter III): Preservation orders, production/seizure of electronic data, real-time collection — tailored for ICT systems and blockchain records.
• International Cooperation (Chapter IV): MLA, extradition (Art. 37: dual criminality required; Convention can serve as basis absent bilateral treaty; “extradite or prosecute” elements), 24/7 contact points (Art. 41), joint investigations, and technical assistance. Explicitly covers evidence sharing for serious crimes beyond pure cyber offenses.
• Human Rights Safeguards (Arts. 6, 14, etc.) and capacity-building (Chapter V), though critics note weaker enforcement than Budapest.

Status as of April 29, 2026:

• 76 signatories (including EU, China, Russia, Brazil, many Global South states; initial 72 at October 25–26, 2025, Hanoi signing ceremony; additional signatures through April 2026).
• 3 Parties (ratifications): Qatar (first, early 2026), Vietnam (second, deposited April 17, 2026; first in Southeast Asia), and one additional. Not yet in force — requires 40 instruments of ratification/accession (90 days after the 40th). Remains open for signature at UN Headquarters until December 31, 2026. A Conference of States Parties will handle implementation/review post-entry.

The U.S. declined to sign, citing preference for Budapest’s stronger human rights framework. The EU signed and is advancing conclusion processes. Thirty-two Budapest Parties also signed the UN treaty, ensuring coexistence rather than replacement.

3. African Union Malabo Convention on Cyber Security and Personal Data Protection (2014)​

Adopted June 27, 2014; entered into force June 8, 2023 (after 15th ratification).

Provisions: Broad criminalization of cyber offenses (hacking, fraud, ransomware equivalents), data protection, e-governance, and some cooperation mechanisms. Less detailed on extradition/MLA than Budapest/UN.

Status: Signed by 21 AU states; ratified by 20 (as of latest lists). Low uptake limits impact — key players like Algeria and Nigeria (UN Convention supporters) have not ratified. Focuses on African harmonization but offers supplementary basis for intra-AU cooperation.

4. Other Regional Frameworks and Interactions​

• CIS, SCO, and OAS Tools: Narrower, often bilateral-leaning; limited extradition utility compared to Budapest.
• Budapest as Observer: Many regional bodies reference it.
• Interactions with Bilateral Treaties/MLATs: All serve as supplements. Budapest/UN can provide legal basis for extradition absent a specific treaty. Digital evidence (logs, crypto wallets) is gathered via 24/7 networks or protocols before formal requests.

5. Detailed Comparison: Budapest vs. UN Hanoi vs. Malabo​

• Scope: Budapest — focused cyber-dependent crimes; UN — broader (cyber-enabled serious crimes + electronic evidence); Malabo — cyber + data protection.
• Parties: Budapest (81, diverse); UN (76 signatories, more universal but only 3 parties); Malabo (20 ratifications, Africa-centric).
• Extradition/Evidence: All require dual criminality; Budapest/UN offer 24/7 networks and explicit service provider access (Second Protocol/UN Art. 41). UN has stronger “extradite or prosecute” language.
• Human Rights: Budapest strongest (CoE/ECHR linkage); UN includes safeguards but criticized as vulnerable to authoritarian misuse; Malabo includes data protection.
• U.S. Stance: Budapest primary; UN not signed.

6. Practical Implications for U.S. Extradition, Enforcement, and Cybercrime Cases (2025–2026)​

• Extradition: Treaties reduce safe havens; used in recent cases (e.g., Italian extraditions of Russian/Chinese hackers). Provisional arrests via Red Notices + treaty basis accelerate OIA processes.
• Evidence Gathering: 24/7 networks enable rapid preservation of crypto transaction data; Second Protocol/UN provisions target cloud providers.
• Penalties Leverage: Dual criminality satisfied for CFAA/card-ing/ransomware/laundering in Party states.
• EO 14390 Synergy: Trump Administration’s 2026 cybercrime order enhances multilateral use alongside these treaties.

Real-World Examples: Budapest facilitated 2025–2026 extraditions (Volkov ransomware facilitation from Italy; VAL4K carding from Chile). UN not yet operational but poised for broader Global South cooperation once in force.

7. Challenges, Criticisms, and Risks​

• Fragmentation: Overlapping treaties risk forum-shopping.
• Criticisms: UN seen as potential tool for repression (Russia/China influence); low Malabo uptake; Budapest “Western-centric” to some.
• Enforcement Gaps: Political will, judicial capacity, and data privacy conflicts (e.g., GDPR clashes).
• For Fugitives/Defendants: Human rights arguments (ECHR Art. 3 in Europe) viable in Budapest/UN challenges; monitor Interpol via CCF.

8. Practical Advice for Attorneys, Investigators, and Individuals (2026)​

• Prosecutors/CCIPS: Prioritize Budapest 24/7 channels; prepare dual-criminality affidavits early.
• Defense Counsel: In foreign extradition hearings, attack dual criminality, evidence sufficiency, or human rights (U.S. sentences/prisons). Retain dual U.S./local teams immediately upon Red Notice.
• Businesses/Victims: Leverage treaties for civil recovery via MLA.
• Future Outlook: Track UN ratifications (needs 37 more); Budapest Second Protocol acceleration; potential additional protocols.

Disclaimer: This is informational, drawn from official CoE, UNODC, AU, and DOJ sources. Treaties evolve rapidly — consult qualified international counsel and OIA for case-specific advice. Full texts: CoE Treaty Office, treaties.un.org, or au.int. Individuals facing charges must seek immediate legal representation. These instruments significantly strengthen global accountability but depend on implementation and diplomacy.

 

[Student]

Domestic US Cybercrime Laws in 2026: Exhaustive Guide to the Computer Fraud and Abuse Act (CFAA), Access Device Fraud (§ 1029 Carding), Ransomware Extortion, Cryptocurrency Laundering (§§ 1956–1957), Related Statutes, EO 14390, GENIUS Act AML Reforms, 2026 USSG Amendments, Enforcement Statistics, Charging Policies, Defenses, Forfeiture, Civil/Regulatory Overlap, and Practical Attorney Guidance for Defendants, Victims, and Compliance Professionals​

This exhaustive, updated guide — as of April 29, 2026 — provides the most detailed overview of federal domestic cybercrime laws enforced by the Department of Justice (DOJ) Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS), FBI Cyber Division, Secret Service, and U.S. Attorney’s Offices. Primary statutes target hacking/unauthorized access under the Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030), carding/access device fraud (§ 1029), ransomware (CFAA extortion + Hobbs Act/wire fraud), and cryptocurrency laundering (§§ 1956–1957). These laws apply extraterritorially when conduct affects U.S. “protected computers” (broadly defined to include any device used in or affecting interstate/foreign commerce, government systems, or financial institutions) or involves U.S. victims/funds.

The framework is bolstered by the Justice Manual (JM §§ 9-48.000 CFAA, 9-51.000 cyber-enabled crimes, 9-105.000 money laundering), Executive Order 14390 (“Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens,” signed March 6, 2026), the GENIUS Act (Public Law 119-27, enacted July 18, 2025), and 2026 U.S. Sentencing Guidelines (USSG) amendments (effective November 1, 2026, absent congressional action). EO 14390 elevates ransomware, phishing, sextortion, and scam centers operated by transnational criminal organizations (TCOs) as national security threats, directing an interagency action plan, operational cell in the National Coordination Center (NCC), private-sector collaboration, and prioritized prosecutions. The GENIUS Act subjects permitted payment stablecoin issuers (PPSIs) to Bank Secrecy Act (BSA) AML/CFT and sanctions obligations, with Treasury/FinCEN’s April 2026 proposed rules implementing tailored programs (risk assessments, SAR filing, customer due diligence, and technical capabilities to freeze/seize tokens).

FBI’s 2025 Internet Crime Complaint Center (IC3) Report (released April 2026) recorded 1,008,597 complaints and $20.877 billion in losses — a 26% increase — with cryptocurrency-related scams exceeding $11 billion (181,565 complaints). Elderly victims (60+) reported $7.7 billion (up 37%). Investment fraud, BEC, tech support, and extortion dominated.

1. Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030) – The Cornerstone Federal Hacking Statute​

Enacted 1986 and amended (including PATRIOT Act), CFAA criminalizes seven core categories of conduct against “protected computers.” Post-Van Buren v. United States (593 U.S. 374, 2020), “exceeds authorized access” is narrowly construed to technical/code-based barriers (e.g., password-protected folders), not policy violations or contracts.

Key Subsections and Elements (per JM 9-48.000 charging policy):

• (a)(1): National security/restricted data access with intent to harm U.S./aid foreign power.
• (a)(2): Unauthorized access/exceeding authorized access to obtain information (financial/government data).
• (a)(3): Unauthorized access to nonpublic government computers.
• (a)(4): Access with intent to defraud and obtain >$5,000 value (one year).
• (a)(5): Damage — (A) knowing transmission causing intentional damage; (B) reckless; (C) negligent causing loss.
• (a)(6): Trafficking passwords/access tools.
• (a)(7): Extortion (threats to damage computer, obtain info, or demand ransom — core ransomware vehicle).

Conspiracy/attempt (§ 1030(b)) and aiding/abetting also apply. DOJ policy (revised 2022, still in force) requires consultation with CCIPS; declines charges for good-faith security research (testing vulnerabilities without harm, per DMCA § 1201 definition) or mere contract/policy violations. Focus remains on technical unauthorized access or clear harm.

Penalties Table (first vs. subsequent offenses; fines always available; aggravated for critical infrastructure, death, or repeat):

Subsection	First Offense Maximum	Subsequent Maximum	Key Notes
(a)(1) National Security	10 years	20 years	Life if death results
(a)(2) Obtaining Info	1 year (misd.) / 5 years	10 years	Felony if >$5K or specific data
(a)(3) Gov’t Computer	1 year	10 years	—
(a)(4) Fraud	5 years	10 years	—
(a)(5)(A) Intentional Damage	10 years	20 years	Life possible
(a)(5)(B) Reckless Damage	5 years	20 years	—
(a)(5)(C) Negligent	1 year	10 years	—
(a)(6) Passwords	1 year	10 years	—
(a)(7) Extortion	5 years	10 years	Often paired with Hobbs Act (20 years)

Restitution mandatory (§ 3663A); civil suit available (§ 1030(g)).

2. Access Device Fraud / Carding (18 U.S.C. § 1029)​

Prohibits production, trafficking, use, or possession of counterfeit/unauthorized “access devices” (credit cards, account numbers, skimmers, PINs) affecting interstate commerce. Common in dark web/Telegram carding operations.

Prohibited Conduct (key subsections):

• Producing/trafficking counterfeit devices.
• Using devices to obtain ≥$1,000 value/year.
• Possessing 15+ counterfeit/unauthorized devices.
• Possessing device-making equipment.
• Trafficking stolen account info.

Penalties: 10–15 years first offense (20 years subsequent); up to 20 years for certain acts involving 15+ devices. Often bundled with CFAA/wire fraud (§ 1343, up to 20/30 years).

3. Ransomware, Extortion, and Related Charging​

Ransomware prosecutions combine:

• CFAA § 1030(a)(5) (damage) + (a)(7) (extortion threats/demands).
• Hobbs Act (§ 1951, up to 20 years) for affecting commerce.
• Wire fraud (§ 1343) for electronic communications.
• Identity theft (§ 1028A, mandatory 2-year consecutive).

EO 14390 prioritizes TCO-linked ransomware/scam centers, directing disruption, sanctions, and victim restitution programs. CISA requires 24-hour ransomware payment reporting for covered entities.

4. Cryptocurrency Laundering and AML (18 U.S.C. §§ 1956–1957; BSA/FinCEN)​

§ 1956 (20 years): Laundering proceeds of “specified unlawful activity” (SUA includes CFAA, wire fraud, carding) via promotional, concealment, structuring, or tax-evasion transactions. Crypto = “funds/property.” § 1957 (10 years): Monetary transactions >$10,000 in SUA proceeds (no concealment needed).

GENIUS Act (2025) & 2026 Implementation: Treats PPSIs as financial institutions under BSA. April 2026 proposed Treasury/FinCEN rules require AML/CFT programs (risk assessments, SARs, CIP, sanctions screening), technical freeze/seize/burn capabilities, and innovation research (AI, blockchain analytics). Foreign issuers restricted unless compliant. Unlicensed money transmitting (§ 1960) remains prosecutable.

Forfeiture: Criminal (§ 982)/civil (§ 981); blockchain tracing (e.g., Chainalysis) enables wallet seizures. EO 14390 enhances victim restitution/clawback.

5. Related Federal Statutes and Overlaps​

• Wire Fraud (§ 1343), Mail Fraud (§ 1341): Up to 20/30 years; staples for phishing/BEC.
• Identity Theft (§ 1028, § 1028A): Aggravated identity theft (2-year mandatory consecutive).
• RICO (§ 1961 et seq.): Organized schemes (20 years + forfeiture).
• Money Laundering Control Act enhancements via GENIUS Act.

6. 2026 USSG Amendments & Sentencing​

Base offense + adjustments for loss amount (inflation-updated tables effective Nov. 1, 2026), sophisticated means (+2), victim count, leadership, critical infrastructure. Economic crime loss thresholds increased (e.g., >$25K now triggers enhancements). Restitution/forfeiture mandatory; 3+ years supervised release (internet/crypto restrictions common). Average ransomware sentences: 5–25+ years.

7. Enforcement Trends, Civil/Regulatory Overlap, and Recent Developments​

• EO 14390/National Cyber Strategy (March 2026): Whole-of-government TCO disruption; private-sector data sharing; scam-center sanctions.
• FTC/SEC/HHS: Ransomware reporting, data security enforcement, HIPAA Security Rule initiatives.
• State Laws: Nearly all 50 states have computer crime statutes mirroring CFAA (e.g., California Penal Code § 502); some add civil remedies.

8. Defenses, Challenges, and Collateral Consequences​

• CFAA: Lack of technical authorization/exceeding; no loss/damage; good-faith research (JM policy).
• Laundering: No knowledge of SUA; legitimate source.
• Evidentiary: Fourth Amendment suppression (warrants, chain-of-custody for digital/blockchain evidence); statute of limitations (5 years general).
• Collateral: Asset forfeiture, immigration bars, licensing loss, supervised release restrictions.

9. Practical Advice from Federal Cybercrime Attorneys (2026 Perspective)​

• Defendants: Retain CCIPS-experienced counsel immediately upon warrant/subpoena/target letter. Challenge digital evidence early; consider cooperation for § 5K1.1 reductions.
• Victims/Companies: Report to IC3/CISA; preserve evidence; engage forensics for ransomware (payment reporting required).
• Compliance: PPSIs must implement GENIUS Act AML programs now; conduct risk assessments.
• Resources: justice.gov/criminal/ccips; IC3.gov; JM 9-48/9-51; monitor USSC 2026 amendments.

Disclaimer: Informational only, based on statutes, EO 14390, GENIUS Act, 2025 IC3 Report, and public DOJ/USSC sources. Laws evolve; this is not legal advice. Consult qualified federal criminal defense or regulatory counsel immediately for any investigation or compliance matter. Official resources: justice.gov, ussc.gov, fincen.gov, whitehouse.gov.