During the first six months of 2021, financial services firms throughout the United States raised alarms concerning nearly $600 million of transactions that were flagged as suspected payments to perpetrators of ransomware attacks.1 Meanwhile, the U.S. Department of Treasury identified another $5.2 billion of potential ransomware payments that were funneled through bitcoin transactions.2 In total, global ransomware attacks were expected to have accounted for about $20 billion of loss in 20213 and are predicted to result in $265 billion of loss by 2031.4 Ransomware is just one of twenty-four different categories of internet crimes identified by the Federal Bureau of Investigation (“FBI”) in its annual Internet Crime Report, and the figures cited in the report represent only a fraction of the total amount lost to cybercrime every year.5 As the number of cybercriminals and the sophistication of their methods continue to grow and evolve, the true cost of cybercrime worldwide is estimated to reach a disastrous $10.5 trillion by 2025.6
The scale and scope of cyberattacks have increased dramatically in recent years, spurred by a growing reliance on technology, increased connectivity among users, and the rise in popularity of virtual currency exchanges. Another contributing factor is that the very nature of cybercrime makes it difficult to block these attacks or punish those responsible. For example, cybercriminals frequently rely on a variety of techniques to hide their identities and evade detection by law enforcement, such as by operating out of the dark web or routing their activities through a virtual private network (“VPN”). The increasing use of virtual currencies also contributes to this problem by making it more difficult to trace monetary payments made by victims of cybercrime.
Prosecutions of cyberattacks have been constrained by decades-old statutes that are either inapplicable or insufficient to address rapidly changing social and technological environments that contribute to the proliferation of new cybercrimes. In addition to these challenges, many cybercriminals often reside in or flee to countries that are beyond the jurisdictional reach of the United States. In several widely publicized cases, cyberattacks were also believed to be sponsored by hostile foreign state actors. Unfortunately, many victims of these cybercrime attacks are reluctant to report them, usually due to the fact that while reporting an attack does little to address the harm caused, doing so may draw unwanted publicity or attention. Therefore, if the United States wishes to properly address the rise of cybercrime and its accompanying harm to the global economy, Congress must first pass legislation that would authorize the government to overcome these barriers and increase prosecutorial power over cybercrime.
One proposition that appeared before Congress was to expand the Racketeer Influenced and Corrupt Organizations (“RICO”) Act, codified in 18 U.S.C. §§ 1961–1968. This proposition was included in Section II of the International Cybercrime Prevention Act, which was originally presented in 2018 and was later reintroduced by a bipartisan group in June 2021.7 After it was referred to the U.S. Senate Committee on the Judiciary, the bill stalled and ultimately failed to pass.8 The status of the bill reflects the general shortage of political capital when it comes to prioritizing cybercrime despite the FBI’s characterization of “malicious cyber activity” as a threat to “the public’s safety and our national and economic security.”9
To raise awareness about the threats posed by cybercrimes, this Note will analyze the proposal to expand RICO and, in particular, examine the benefits of making a violation of the Computer Fraud and Abuse Act (“CFAA”) a predicate act for RICO offenses. While a few successful prosecutions of organized cybercrime rings have already been brought under RICO, this Note will evaluate the limitations of those prosecutions when it comes to computer crimes. The Note will conclude that despite the many challenges associated with tackling cybercrime, the constructive application of RICO carries great potential in prosecuting cybercriminals.
Part I of this Note provides the historical context behind RICO and examines its role in the downfall of the American Mafia. It specifically looks at the provisions in RICO that uniquely positioned it for prosecuting organized crime groups as well as legitimate business enterprises that violated state and federal laws. Part II provides an analysis of how RICO applied to traditional organized crime groups and how cybercrime groups can fall under its broad definition of “enterprise.” It also provides further context on the rise of cybercrime and introduces examples of RICO charges that were brought against two cybercrime enterprises. Part III introduces the CFAA and points to key provisions that could be used against cybercrime. It also seeks to address criticisms of the proposal to make violations of the CFAA a predicate act under RICO and evaluates key policy considerations involved in this discussion.