Securing justice for cyber-enabled international crimes

Legal foundations and practical routes to prosecution

Research paper

Published 26 January 2026

ISBN: 978 1 78413 663 5

The silhouette of a person walking is seen against a backdrop of glass panels imprinted in black and white with machine-coding symbols.

Elizabeth Wilmshurst CMG KC

Distinguished Fellow, International Law Programme

Harriet Moynihan

Associate Fellow, International Law Programme

Many states now have laws that criminalize cyber activity such as online fraud and hacking. But cyber means can also be used to facilitate or commit the international crimes of genocide, crimes against humanity, war crimes and aggression. There is an urgent need to improve the prospects for prosecution of such crimes when committed or facilitated by cyber means, as harmful cyber operations such as the targeting of critical infrastructure are on the increase, while generative AI threatens to expand the opportunities and means for criminals to carry out such acts.

Guidance is lacking for actors of all kinds – including states, technology companies, hacker groups and individuals – regarding the constraints imposed on their cyber activities by international criminal law and the possibilities of prosecution.

This Chatham House paper follows the 2025 publication by the International Criminal Court’s Office of the Prosecutor (OTP) of a policy paper on the subject. Our paper takes the discussion forward by examining the challenges and opportunities of investigating and prosecuting cyber-enabled international crimes in practice, and by proposing ways for states, the OTP, private companies and civil society to improve the prospects for successful future prosecutions.

DOI: 10.55317/9781784136635

04 Practical issues in investigation and prosecution

Cooperation between different entities (states, international organizations, private companies and civil society) will be crucial to the effective investigation and prosecution of cyber-enabled international crimes.

How prepared are states and the ICC to bring prosecutions for cyber-enabled international crimes in practice? What are the best strategies for identifying the perpetrator and gathering evidence? And what more is needed to strengthen the prospects of a successful prosecution?

This chapter looks at these issues with reference to three hypothetical scenarios, which highlight the main practical challenges and opportunities involved in the investigation and prosecution of cyber-enabled crimes. The first scenario centres on prosecution by a state, the second on prosecution by the ICC and the third on joint investigation by several states, with ICC participation. While each scenario highlights challenges specific to itself, many of the issues addressed will be relevant in all three scenarios.

4.1 Investigation and prosecution by a state

Scenario 1

A fighter in state A uses his smartphone to take graphic images and video footage of a fellow fighter beheading a journalist. He sends the video to the fellow fighter, who posts it online where it is seen by millions of people worldwide. Both fighters are captured and the smartphone seized by the authorities of state A.

This section analyses the pathways available to states to investigate and prosecute cyber-enabled international crimes, drawing on a scenario to illustrate how these pathways might apply in practice.

As noted in the previous chapter, in practice there are several barriers to states conducting such prosecutions, including lack of jurisdiction, immunities, political will and resources. However, some states have already prosecuted cyber-enabled international crimes.

Over the last decade, there have been many incidents in which fighters in war zones have filmed graphic images – for example, featuring the torture, mutilation or beheading of civilians or combatants they have captured, or the degrading treatment of dead bodies – and posted them online. As noted in Chapter 2, it is a war crime to impose inhuman treatment or to commit outrages on personal dignity, in particular humiliating and degrading treatment.143 Some European states, whose domestic laws criminalize international crimes and provide universal jurisdiction over them, have prosecuted fighters operating in Iraq and Syria for posing in photos or videos with mutilated bodies. For example, in 2019, Oussama Akhlafa was convicted by a Dutch court of war crimes for both membership of a terrorist organization and degrading and humiliating treatment of dead bodies, as he had distributed a photo of himself in Syria via Facebook posing next to a deceased man hanging on a cross.144 Between 2016 and 2018, Finland, Germany and Sweden prosecuted a series of similar cases of war crimes for ‘outrages upon personal dignity’, in particular humiliating and degrading treatment.145

Pathways to prosecution

To prosecute an international crime, it will be necessary both to identify the perpetrator and to gather evidence necessary to prove the elements of the crime. Where social media channels are used as a means of perpetrating or facilitating an international crime, various types of evidence may be useful. This includes mobile phone metadata such as upload times, usernames and log-in history; intercept/wiretap intelligence of communications between fighters; or open-source intelligence (OSINT). Examples of the latter include YouTube videos, Facebook posts, geospatial imagery or online forum comments.

Rules on the admissibility of evidence in court vary between jurisdictions. In civil law jurisdictions, for example, the inquisitorial system means that the court itself actively investigates and gathers evidence, including from the police. By contrast, in common law countries like Australia, Canada and the UK, where criminal law is tried by a judge and jury in an adversarial system, additional enquiries and further evidence (such as witness testimony) are typically needed to ensure that digital evidence is corroborated and therefore admissible. It is notable that the cases mentioned above were all prosecuted in civil law jurisdictions.146

Even where states have the jurisdictional basis in their domestic law to prosecute international crimes, many currently lack expertise, experience and resources in this area.

Even where states have the jurisdictional basis in their domestic law to prosecute international crimes, many currently lack expertise, experience and resources in this area. For those states that do have jurisdiction and resources, some war crimes units are still relatively new. International crimes units within prosecution authorities are typically detached from those that focus on cybercrime. But investigation and prosecution of cyber-enabled international crimes depend on expertise from both areas, so skills and communications should be pooled across teams. Development of this kind of pooled capability would help national authorities to take a proactive approach to identifying where cybercrimes may violate international criminal law as well as domestic criminal law.

In practice, cyber means will not usually be used in isolation to commit international crimes, but rather in combination with physical means. National authorities may choose to prosecute the cyber element as part of a wider package of criminal conduct. The paragraphs below discuss the diverse sources and types of evidence that may be relevant to cyber-enabled international crimes (and in some cases, to international crimes more broadly), as well as the frameworks available for prosecutors to obtain this evidence.

Frameworks for prosecutors to obtain evidence

In Scenario 1 above, it may be possible for state A to prove the identity of the perpetrator from the images on the smartphone. While the smartphone itself may be in state A’s possession, access to the images and videos may be complicated if the fighter deleted them before being captured, or if they were stored on a server located outside the jurisdiction of state A. State A would also need to establish a lawful basis for accessing those images. In relation to the video’s dissemination, state A would need to establish how the images were distributed (for example, via which social media platform, to which audience, at what scale and with which effects). These issues would likely require cooperation between state A and other states and private actors (such as technology companies) to obtain the evidence required.

States typically cooperate with each other on the investigation or prosecution of criminal offences through mutual legal assistance. A mutual legal assistance treaty (MLAT) is an international agreement between states that facilitates cooperation on activities such as gathering evidence, locating suspects or freezing assets. Requests for assistance under bilateral MLATs are usually made through a formal letter to a central authority. However, MLAT procedures can be slow and bureaucratic, often taking months, if not years, to complete. A state receiving such requests for information may be reluctant to provide it, if it has concerns about due process or human rights in the requesting state (for example, if the requesting state enforces the death penalty for the offence in question). The receiving state may also be restricted in what it can provide under data protection law.147

The Ljubljana–The Hague Convention is the first international agreement specifically designed to facilitate mutual legal assistance in relation to the prosecution of international crimes.148 The convention contains various provisions on exchange of evidence that are designed to bypass the bureaucracies of the MLAT system, including the spontaneous exchange of information relating to crimes and the establishment of single points of contact.149 Once the convention enters into force, these provisions should speed up the exchange of evidence on international crimes between states parties.

Cybercrime treaties provide another route for states to obtain electronic evidence from another state, provided that the request for evidence is within the scope of the relevant treaty. As the OTP policy paper notes, certain conduct involved in cybercrime, such as the non-consensual hacking of a computer, may also form part of a cyber-enabled international crime.150 Provisions on mutual legal assistance in recent cybercrime treaties are quite wide in scope – for example, the Budapest Convention on Cybercrime of 2001, which currently has 81 states parties (including the US),151 refers to ‘mutual legal assistance… for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data’.152 Where there is no MLAT in place, the Budapest Convention could therefore provide a basis for states to make requests for evidence relating to cyber-enabled international crimes that concern computer systems and data. Such requests can be made on an expedited basis, if necessary, through a designated point of contact, available 24 hours a day, seven days a week.153

The UN Convention against Cybercrime, which was signed in Hanoi, Vietnam in October 2025 by 71 states and the EU, could be applied to cyber-enabled international crimes as well as ordinary cybercrimes, as it refers to general principles of cooperation in relation to ‘the collecting, obtaining, preserving and sharing of evidence in electronic form of any serious crime’.154 The UN convention, once in force, will require states parties to build their capacity to prosecute cyber-related crimes by criminalizing behaviour relevant to these crimes – for example, making access to a computer without permission an offence – and establishing single points of contact in relation to inter-state requests for evidence. In due course, the UN convention may attract support from a wider range of states than the Council of Europe’s Budapest Convention, including those in the Global South.

The strengthening of procedures for exchanging electronic evidence under the UN Convention against Cybercrime could therefore be useful in the context of prosecution of cyber-enabled international crimes. At the same time, civil society groups continue to raise concerns about inadequate human rights safeguards in the UN convention, especially in terms of cooperation between States.155 Once the UN convention comes into force, it will be important that states parties implement their obligations in accordance with international human rights law.

Some states may seek to access data in the territory of other states without consent for the purpose of investigating cybercrime or cyber-enabled international crimes (for instance, by covertly gaining access to networks in another state) because relevant data is increasingly stored beyond national borders. Where evidence of a cyber-enabled international crime has been obtained in this way, several issues arise. Firstly, some states and scholars consider that obtaining information in this way could constitute a violation of international law.156 If so, the question arises as to whether a court would admit the evidence in court. Even if it did – for which there is some precedent157 – a state may be reluctant to submit the evidence to court because they may not wish to reveal how it was obtained. As the national position of the Netherlands notes, opinion is divided as to what qualifies as exercising investigative powers in a cross-border context and, ‘the manner in which the principle of sovereignty should be applied has not fully crystallised at the international level’.158

Obtaining open-source digital data

In the cases prosecuted in Germany, Finland and Sweden, publicly available, electronically recorded footage of the crimes charged and online commentary by the defendants about the crimes charged were crucial to the success of the prosecutors’ case.159 Increasingly, NGOs and ‘citizen journalists’ also gather their own information to support accountability for international crimes.160

As with more traditional types of evidence, a court would need to look carefully at the credibility of open-source digital information, including the clarity of the information presented and the nature of the organization presenting it.161 Where open-source evidence is in digital format, manipulation is easy to do and often hard to detect.162 AI tools can be used to fabricate audio recordings and digital evidence (e.g. through deepfakes) to a convincing standard, potentially undermining the credibility of video footage presented in legal proceedings and jeopardizing prosecution.

Owing to the potential for manipulation, in the scenario above, it would be necessary first to authenticate the video in the proceedings.

The difficulty sometimes of proving the provenance and reliability of open-source material means that prosecutors will often seek to corroborate digital materials with other forms of evidence such as witness testimony or intelligence reports. In the case of Bemba et al, the prosecution’s submission of photos posted on Facebook was challenged by the defence on the grounds that the images had not been properly verified. In that case, however, the Trial Chamber held that the facts had been adequately established through alternative evidence.163

Another potential problem in this context is that social media companies sometimes take down content that could constitute valuable evidence where their algorithms detect a violation of terms of service.164 Often, these removals occur precisely because the content is deemed violent or inhumane. But when digital platforms remove content, nothing generally prevents them from preserving that content and any other relevant data for future investigations. Where there is a serious risk of international crimes being committed, platforms should preserve evidence on their own initiative.165

Non-public content and non-content data

National prosecuting authorities may need information from technology companies that is not available publicly – for example, private messages sent via social media or IP history from internet platforms. The relevant evidence will often be held by one of the large US-based technology companies that dominate the market for such services (e.g. Google, Meta, Microsoft and X). However, US law prohibits technology companies in the US from being able to share certain data in response to requests from foreign governments. The Stored Communications Act (SCA) in particular contains restrictions on companies disclosing the contents of stored electronic communications,166 while the Electronic Communications Privacy Act 1986 (ECPA) restricts telecommunications companies from the disclosure of certain content data such as email.167

Private entities may also be subject to conflicting obligations in relation to the handling of data – for example, when a company receives an order from a government in one state requiring the disclosure of data, but due to the policies of the company (e.g. on user privacy) or laws of the host state, the company is not in a position to hand over the data requested. For example, Telegram is well known for taking a strong stance on user privacy. In the context of accusations against it of enabling cybercriminals,168 the company changed its policy to enable the provision of some user data to law enforcement authorities, including for cybercrime investigations.169 Commercial and prosecutorial interests may also conflict: if, for instance, a private company providing technical assistance to a prosecuting authority in relation to one matter is implicated in one of the situations that the authority is deciding whether to investigate.

In recent years, states have developed avenues to facilitate access to information from US technology companies. The US Clarifying Lawful Overseas Use of Data Act (Cloud Act), enacted in 2018, amended the SCA to require US telecommunications companies to provide data in their possession, and to enable foreign governments to seek data directly from those companies without prior review by the US government. So far, the US has entered into bilateral agreements with two countries: Australia and the UK. The UK–US Data Access Agreement allows US and UK law enforcement agencies directly to request data held by the telecommunications providers in the other party’s jurisdiction, for the exclusive purpose of preventing, detecting, investigating and prosecuting serious crimes such as terrorism or child sexual abuse and exploitation.170 The agreement covers subscriber information, as well as content data.

Another route for prosecutors to gather evidence from US technology companies is through subsidiaries of those companies based elsewhere in the world, where applicable. For example, most of the major US-based technology companies have subsidiary offices in Ireland. States wishing to obtain data from those companies may be able to submit a request to the relevant authorities in Ireland (rather than to their US headquarters), which could then obtain a court order to compel the Irish subsidiary company to provide the requested information. In assessing a request, companies take into account not only Irish law (which does not contain the same restrictions on sharing content data as the US ECPA), EU law (including data protection law such as GDPR), the law of the requesting country (including compliance with the rule of law), international norms (including international human rights law), and the company’s own policies.171

Some technology companies have become more comfortable with responding to government requests for non-content data on a voluntary basis, subject to consideration of legal and policy issues.

The US ECPA only applies to content data. Some technology companies have become more comfortable with responding to government requests for non-content data – such as registration data, IP history and device information – on a voluntary basis, subject to consideration of the legal and policy issues above.172 When a technology company is assessing whether the requesting state complies with the rule of law, it will take into account whether that state is a party to the Budapest Convention, which requires states parties to abide by certain human rights safeguards in relation to the handling of information by law enforcement authorities.

Under the EU’s e-Evidence Framework, which is due to take effect from 2026, law enforcement and judicial authorities in one member state will be able to request electronic evidence, including subscriber data, directly from a service provider in another member state.173 The EU’s e-Evidence Regulation requires a broad range of service providers (including internet domain name entities, internet service providers and cloud service providers) to preserve certain data categories on receipt of an order,174 and to disclose them within 10 days of receipt of an EU e-Production order. The Second Additional Protocol to the Budapest Convention will also enable states parties to obtain electronic data (such as subscriber information and traffic data) directly from service providers located in other countries, regardless of whether there is an MLAT in place.175 While the protocol is not yet in force, some of the major technology companies are already working to ensure compliance with its provisions as a matter of policy.

These rules are an improvement on the current situation, in which prosecutors must deal with a variety of company policies on disclosure and preservation of evidence. Further, those companies that either do not have a well-established preservation policy or have been refusing to comply with requests for disclosure will now have to comply. SIRIUS, an EU-funded project, helps law enforcement and judicial authorities in EU member states to access cross-border electronic evidence in the context of criminal investigations and proceedings.176 It has 8,000 members from the law enforcement and judicial communities, representing 47 countries worldwide, and has directly supported 70 police operations.177

However, even when technology companies do hand over information requested by law enforcement agencies, those agencies may lack the capacity to deal with the volume of data provided, both in terms of storage and authentication. Some states, such as France, the Netherlands, Singapore, the UK and the US, have implemented digital evidence management systems (DEMS) that facilitate the storage, indexing and analysis of digital evidence.178 But many other states lack these resources.

National prosecuting authorities investigating international crimes may also seek support from the OTP.179 The OTP’s policy paper on cyber-enabled international crimes notes that such support may include intelligence-sharing, evidence, situation briefs, and holding strategic consultations on case selection and prioritization.180 Cooperation between states and the OTP is discussed in more detail in the scenarios below.

4.2 Investigation and prosecution by the ICC

Scenario 2

In an armed conflict taking place in state A (a party to the Rome Statute), a commander of state A uses AI-powered facial recognition and surveillance systems to identify and track hundreds of journalists and human rights defenders. The commander then uses an encrypted online messaging platform to order his troops to target and kill those civilians, in violation of international humanitarian law. Neither state A nor other states are willing or able to prosecute the commander.

This section analyses pathways available to the OTP to investigate and prosecute cyber-enabled international crimes.181

Pathways to prosecution

In Scenario 2, since the alleged crimes take place on the territory of a state party, the ICC will have jurisdiction.182 Unlike national prosecutors, the OTP does not have law enforcement powers itself (so cannot, for example, issue subpoenas for evidence or search warrants). And, unlike states, the OTP does not have agencies that regularly gather intelligence. Therefore, if the OTP decides to open an investigation into the facilitation or perpetration of an international crime by cyber means, cooperation with states, intergovernmental organizations, the private sector and civil society to help identify those responsible and gather the evidence necessary to prosecute them will be crucial.

In cooperating with any external party, the OTP needs to maintain the independence and impartiality of the prosecutor.183 There can be, for example, a risk of conflict of interest where businesses that cooperate with the court are potentially implicated in some of the ICC’s work – for example, if information supplied by technology companies is relevant to the OTP’s investigation of a situation in which technology companies themselves are implicated because they supply IT services to militaries in an armed conflict that is part of the OTP’s investigation.

As the OTP policy paper notes, technical digital evidence may be of particular importance in establishing how cyber-enabled international crimes were committed and in attributing conduct to perpetrators.184 The Rome Statute does not place any restrictions on the types of evidence that may be admissible before the ICC. The ICC’s assessment of the weight given to evidence is also flexible.185 The ICC has experience in dealing with digital evidence, including videos and social media posts. For example, in the 2016 case concerning Malian Islamist militia member Ahmad al-Faqih Al Mahdi, videos from YouTube helped to secure a conviction for the war crime of destruction of cultural property.186 Another example is an arrest warrant issued by the ICC for Libyan commander Mahmoud Mustafa Busayf al-Werfalli in 2017, which relied on a wide range of open-source evidence including social media posts featuring executions,187 alongside witness interviews and reports from international organizations, NGOs and research centres. Evidence from Facebook was touched on briefly, although not ultimately relied upon, in the cases of Yekatom and Ngaissona and Abd-Al-Rahman.188

Technical digital evidence may be of particular importance in establishing how cyber-enabled international crimes were committed and in attributing conduct to perpetrators.

The ICC has systems in place to store, manage and review the digital evidence that will inevitably form part of a case with a cyber element. This includes a cloud-based, centralized data storage system (OTP eVault), an evidence review and analysis platform featuring generative AI tools with a particular focus on legal data (OTP eDiscovery),189 and an e-court protocol to help streamline the process for using digital evidence before the court. Since 2023, the OTP has also been able to collect digital materials (such as user-generated content from smartphones) directly through a dedicated online platform, OTP Link. This platform enables users – including victims, witnesses, civil society organizations and governmental bodies – to upload files (up to 1,000 per submission) for the purpose of preserving content for future proceedings.

Cooperation between the OTP and states

In Scenario 2, it is likely that the OTP would need to seek information from state A and any other states that may have relevant information, including from intelligence sources. Even if the states concerned are not party to the Rome Statute, or are not otherwise prepared to cooperate with the OTP, other state parties may be able to help.

Part 9 of the Rome Statute sets out arrangements for international cooperation and judicial assistance. States parties are obliged to cooperate with the ICC and to make procedures available under national law for all forms of cooperation.190 Forms of cooperation include the taking of evidence, service of documents, execution of searches and seizures, and provision of records and documents.191 States can assist the OTP not only in providing evidence themselves but also in issuing compulsory orders to companies, individuals or others to give that evidence to the state, which can then pass it to the OTP.192 The OTP may seek the assistance of states in identifying, tracing and freezing the means used to carry out cyber-enabled crimes193 – for example, in Scenario 2, by asking state A for information about the use of the surveillance system.

Like the MLAT system, the Part 9 system can be bureaucratic and time-consuming. For example, if the OTP wishes to obtain data from a private company based in a state party through formal channels, the OTP will need to make a request through the channel designated by that state (such as the foreign ministry or justice ministry),194 which will pass it on to the relevant department(s) or agencies, which in turn may then need to obtain a court order to seek the information in question. Another challenge is that, although there are procedures in place for states to provide the OTP with confidential information, states parties have the right to deny a request for assistance on national security grounds.195 The OTP has been working to streamline the Part 9 system so that cooperation with states is more efficient and, where appropriate, to make additional arrangements. In its policy paper, the OTP notes the importance of deepening engagement with national authorities.196

As noted in Scenario 1, the EU’s e-Evidence package and the Second Additional Protocol to the Budapest Convention, once in force, have more efficient procedures. Where states parties to the Rome Statute are also parties to these instruments, the OTP might be able to ask those states to issue direct requests to companies (in the case of the EU, through a European Production Order) and then to pass on the information they have received from them. Currently, all EU member states are states parties to the Rome Statute, as well as being represented in both Europol and Eurojust.197 Therefore, when the OTP requests assistance from EU states (either in relation to digital evidence that they hold or that is held by companies within their jurisdiction), those states may be able to draw on relevant powers and resources from these EU-based organizations.

The OTP has strengthened its relationships with each of these organizations in recent years, which is likely to facilitate its investigation and prosecution of cyber-enabled international crimes. In 2022, Eurojust’s regulation was amended to allow Eurojust to make evidence directly available to the ICC.198 In September 2024, the ICC signed a working arrangement with Europol to enhance cooperation and the exchange of information and expertise.199 At the same time, the ICC signed a memorandum of understanding with Europol to allow access to the latter’s SIENA network, a platform that enables swift exchange of operational and strategic crime-related information among Europol’s liaison officers, analysts and experts, member states, and third parties with which Europol has cooperation agreements, including states outside the EU such as Australia, Canada and the US.200 In December 2024, the OTP entered into a cooperation agreement with Interpol, under which the parties can exchange information, and the OTP can access Interpol’s I-24/7 network and database system, which facilitates rapid and secure data-exchange between law enforcement contact points around the world.201

The OTP may also ask states to cooperate on a voluntary basis.202 In 2024, the ICC launched a Policy on Complementarity and Cooperation, including a forum that serves as a platform for the two-way sharing of information and expertise between the OTP and national authorities.203 This forum might be helpful, for example, in relation to requests to states to preserve evidence of cyber-enabled international crimes, pending the opening of a full investigation.204 As well as having the authority to request states parties for cooperation, the court can also make ad hoc arrangements with non-state parties.205

The ICC is not itself a party to cybercrime treaties such as the Budapest Convention. But, as the OTP policy paper suggests, ‘there may be mutual value in pooling [with national authorities] capabilities, techniques, skills, and procedures related to the investigation of conduct in cyberspace’.206 For the purpose of investigations and prosecutions under the Rome Statute, the OTP intends to seek the support of states parties and any other interested states to conclude voluntary agreements extending similar assistance to the OTP as is available for states under new treaties such as the Second Additional Protocol to the Budapest Convention and the UN Convention against Cybercrime.207

As noted in Scenario 1, recently adopted treaties on cybercrime will require states to build up their techniques and procedures in relation to the preserving and sharing of digital evidence, which is likely to equip states better to handle requests from the OTP for digital evidence.

Cooperation with private actors

In Scenario 2, the OTP would also need to seek information from the companies that make the AI-powered facial recognition and surveillance systems, and the company hosting the encrypted messaging platform. OTP cooperation with private actors will often be vital in the prosecution of cyber-enabled international crimes, especially where private companies own the cyber infrastructure used to commit those crimes. However, as has been noted, there is a tension between technology companies’ cooperation in investigations into international crimes and the risk of those companies becoming complicit in the commission of such crimes – for example, through the provision of IT services to armed forces.208 In dealing with private companies, it is important that the OTP manages these risks carefully and keeps them under regular review, including by ensuring that OTP staff are aware of the risk of conflicts of interest and the importance of impartiality and confidentiality.

OTP cooperation with private actors will often by vital in the prosecution of cyber-enabled international crimes, especially where private companies own the technical infrastructure used to commit those crimes.

There are various routes by which the OTP can access evidence from private companies. As noted above, the OTP can request a state party to obtain data from a company based in that state’s jurisdiction. Where the information needed is held by a US company that has a subsidiary in Dublin, the OTP may be able to ask law enforcement authorities in Ireland (as a state party to the Rome Statute) to seek a court order to compel the company concerned to provide the information.

Data localization laws may offer the OTP alternative access points to US-controlled data. In some states parties, such as Nigeria, information held by private companies must be stored within that state’s jurisdiction or, at least, be made accessible for law enforcement purposes.209 In countries with such laws in place, the OTP could request the state party to compel the company to provide the information under relevant data localization laws. Companies will likely refuse to comply if they consider a request to be incompatible with their terms of service. But some states have powers under their domestic law to compel data sharing in certain circumstances, for example, in order to fulfil a legal obligation in the context of a criminal investigation, or following a judicial order.210

In addition to compulsory requests, the OTP may request information from companies on a voluntary basis, within the framework of their applicable legal obligations.211 In recent years, the OTP has built connections with cybersecurity firms and global service providers, which could provide a basis for broader voluntary sharing of information. There is precedent for direct sharing of evidence between social media companies and the ICC, although this practice varies across platforms. As well as holding data, platforms carry out their own investigations in some cases, which may also yield information useful for investigators. In general, however, companies prefer compulsory requests compelling the disclosure of the contents of an account, because such requests provide a clear legal framework for the company to follow and avoid setting a precedent in relation to cooperation.

US sanctions imposed on the ICC prosecutor and certain judges by the administration of President Donald Trump in 2025 place ‘US persons’ at risk of penalties if they support the court’s work. While these sanctions are the subject of litigation in the US courts,212 they are likely to make US companies cautious about cooperating with the court on investigations.

Cooperation with civil society

The OTP recently established an enhanced structural dialogue with civil society organizations, committing to hold two thematic roundtable discussions a year.213 As part of this, the OTP has met with civil society organizations to discuss cyber-enabled international crimes. In the policy paper, the OTP underlines its commitment to working with civil society organizations in this area.214 The policy also refers multiple times to international human rights law, underlining its importance as an adjacent framework in the context of cyber-enabled international crimes. For example, international human rights law provides standards on hate speech, which may be relevant to the consideration of online incitement to genocide. The policy also sets out the OTP’s commitment to work with civil society and the private sector to enhance and clarify voluntary frameworks for the sharing of information and expertise with the court.215

4.3 The multi-agency approach: Coordinated investigation and prosecution by states, with OTP support

Scenario 3

A high-profile criminal group based in state A, and supportive of the agenda of state A, launches a simultaneous widespread ransomware operation on the healthcare systems of states B and C. The operation cripples the healthcare services of states B and C nationwide for weeks. As a result, states B and C declare a state of emergency, hundreds of patients die and the health of hundreds of thousands is affected. The members of the criminal group are accused of crimes against humanity.

In 2021, a criminal gang believed to be operating from Russia, known as the Conti group, launched a ransomware operation on Ireland’s healthcare system that resulted in significant disruption to healthcare systems across the country for months.216 In 2022, a ransomware operation against Costa Rica resulted in a ‘state of emergency’ being declared after multiple government institutions – including the finance ministry – had their essential services disrupted for weeks.

Scenario 3 looks at a situation in which states B and C form a joint investigation team, supported by Eurojust, Europol, Interpol and the ICC. In doing so, the scenario explores a growing trend for coordinated approaches to the pursuit of accountability for international crimes. Joint investigations allow two or more investigative, prosecutorial or judicial bodies to coordinate in respect of common lines of inquiry, or work alongside each other in specific operations.217 In its policy paper, the OTP proposes, where appropriate, to work collaboratively with states to investigate cyber-enabled crimes under the Rome Statute and disrupt such activities where they may be ongoing.218 The OTP also notes its intention to expand its participation, where appropriate, in joint investigations.219 Various new treaties provide procedures to facilitate such investigations.220

The complexity of cyber investigations

The investigation and prosecution of cyber operations such as ransomware can be highly complex, whether those operations are conducted by states, criminal gangs or both acting together.

First, it is necessary to identify the digital infrastructure, network or device used to carry out the operation, which will likely involve the expertise of software engineers to track and trace digital evidence such as log files.

Second, it is necessary to identify who was responsible for the operation. States and the technology industry have made significant progress in the technical attribution of cyber operations to states or groups.221 However, when a state is involved in the crime, that crime must be attributed to an individual to enable prosecution.

Finally, even then, establishing that a particular individual owned the device used to launch the attack is not enough on its own. Further evidence will be needed to connect that individual to the cyber activity concerned. Malicious actors will often seek to cover their tracks, by using proxies (an intermediary server that masks the user’s IP address) or virtual private networks. Evidence such as device fingerprints, browser history or intercept intelligence may help to prove the involvement of an individual. The investigation is likely to require real-time coordination of intelligence and the securing of evidence from states and private sector providers across multiple jurisdictions.

Few states have the resources to undertake complex prosecutions alone, not least because such prosecutions are expensive.

Few states have the resources to undertake these complex prosecutions alone, not least because such prosecutions are expensive. Over the last 10 years, the US has issued indictments against Chinese, Iranian, North Korean and Russian actors for the use of destructive malware through unauthorised access to computers. However, the US is unusual in having highly skilled cross-government units able to investigate and prosecute cybercrime, as well having many of the major technology companies located within its jurisdiction, which facilitates access to evidence. The US also required the help of other actors to bring some of the cases mentioned above. For example, the US indictment of Russian GRU officers for hacking Ukrainian government networks and probing NATO member states involved an international effort including the FBI and 12 other partners, representing governments of nine countries, as part of ‘Operation Toy Soldier’.222

A multi-agency approach – involving states, cybersecurity companies, international organizations such as Eurojust, Europol and Interpol, as well as potentially cooperation with the ICC – can facilitate the investigation and prosecution of an international crime that involves a major cyber operation. This section therefore focuses on a situation in which states and other actors work together to investigate and prosecute a major cyber operation that, in addition to being a cybercrime, also constitutes a cyber-enabled international crime. This scenario is topical – in the area of ransomware, states’ use of ‘proxy’ relationships (i.e. cooperation with non-state actors, such as hackers and criminal groups) to carry out cyberattacks is increasing,223 including by Russia in the context of its war on Ukraine.224

In Scenario 3, investigators and prosecutors of the cyber-enabled international crime will be seeking similar types of evidence, and using similar frameworks, to those used in the investigation and prosecution of cybercrime. Lessons can therefore be drawn from the increasingly collaborative approaches used to tackle cybercrime.

Public–private partnerships

In investigating a ransomware attack, close cooperation with the private sector is vital. As in the previous scenarios, cloud providers may not only hold important digital evidence, they may also be able to assist with technical information (such as network traffic reports) that provide insights into the activities of hacker groups. Cybersecurity companies can provide cyberthreat intelligence and digital forensic analysis, which can help identify details such as the type of digital infrastructure or device used for an operation, the identity of the perpetrator, and the tactics, techniques and procedures used by the perpetrator. The combination of private sector detection technology and state intelligence can be highly effective.

Public–private cooperation in relation to the prosecution of cybercrime is growing. Microsoft, for example, has a well-established Digital Crimes Unit, operates a Threat Analysis Center, and provides reports on malicious cyber activities.225 Like Microsoft, cybersecurity firms such as CrowdStrike, Mandiant (part of Google Cloud) and Trellix (formerly FireEye), which specialize in threat intelligence and detection, have helped governments to trace chains of proxy servers, and to expose and respond to harmful cyber operations.226 Some governments have formed public–private task forces to assist with identification of harmful cyber activity. For example, the US Cybersecurity and Infrastructure Security Agency set up the Joint Cyber Defense Collaborative, which brings together firms like CrowdStrike, Mandiant, Microsoft and Palo Alto Networks. Some governments also contract with private companies on attribution efforts and forensic investigations.227

The majority of private sector cyber intelligence is based in the US and subject to US jurisdiction. As noted above, the strained relationship between the US and the ICC – particularly recent US sanctions against the prosecutor and certain judges – may dampen the prospects of cooperation by US companies on the investigation and prosecution of international crimes.

However, some technology companies, including US companies, have been strengthening cooperation with law enforcement agencies on cybercrime, which may also have benefits for the investigation and prosecution of cyber-enabled international crimes. For example, the EU’s Agency for Cybersecurity (ENISA) engages with private sector actors on threat intelligence and attribution, while Europol and Interpol also have formal partnerships with private companies in the cybersecurity and information technology industries.228

Over 140 states have established computer incident response teams, which use the latest developments in technology to help trace the origins of cyber operations, identify perpetrators and link attacks across borders.

Over 140 states have established computer incident response teams (CIRTs), which use the latest developments in technology to help trace the origins of cyber operations, identify perpetrators and link attacks across borders.229 Cooperation between CIRTs is growing through regional CIRT–CIRT arrangements for the exchange of information about harmful cyber operations. A UN Points of Contact Directory, established in 2024, should help to reinforce these arrangements.230 Cybersecurity firms and CIRTs may be useful as advisers or even expert witnesses in cases involving cyber-enabled international crimes. At the same time, care is needed when states and international tribunals are dependent on private companies for evidence that, in the physical world, would have traditionally come from state intelligence agencies.

Civil society organizations can also help states with investigations into harmful cyber operations. For example, MITRE Corporation, a US not-for-profit, has created a globally accessible, knowledge-based framework of adversary tactics and techniques,231 which is used by the UK’s National Cyber Security Centre and others to help with attribution.232 The CyberPeace Institute investigates cyberattacks, identifying the tactics, techniques and procedures involved and producing reports to assist investigators.233

A multi-agency approach is helping to disrupt cybercrime and assist investigations in that context. For example, Europol’s ‘Operation ENDGAME’, involving several states, technology companies and Eurojust, is the largest ever operation against botnets used to facilitate major ransomware attacks. In 2024 and 2025, it led to multiple arrests, as well as the take-down of hundreds of servers.234

However, while cyber-enabled international crimes and cybercrime have issues in common, the prosecution of cyber-enabled international crimes brings extra challenges. Evidence may be harder to obtain from other states compared to a case involving a criminal gang operating a cross-border phishing scam, which states have a mutual interest in prosecuting. There will also be additional elements to prove in relation to international crimes, as noted elsewhere in this paper.

Since many states lack the resources to prosecute international crimes on their own, international organizations have an important role to play. As well as cybercrime teams, Europol, Interpol and Eurojust each have teams dedicated to facilitating cooperation between states (and between states and other actors) on the investigation and prosecution of core international crimes. The European Network for investigation and prosecution of genocide, crimes against humanity and war crimes (Genocide Prosecution Network) facilitates cooperation between national authorities on international crimes through national contact points, comprising specialized and dedicated prosecutors, investigators and officers for mutual legal assistance.235 Europol, Eurojust, the EU’s SIENA system and Interpol’s I-24/7 system all offer platforms for cross-border cooperation, enabling real-time exchange of data between jurisdictions.

The benefit of joint investigations

The criminal investigation by the Joint Investigation Team (JIT) into the 2014 downing of Malaysian Airlines flight MH17 in Ukraine shows that joint investigations can be effective in cases involving complex attribution issues and technical evidence. The MH17 JIT investigation consisted of police and judicial authorities from Australia, Belgium, Malaysia and the Netherlands, working with Ukrainian authorities. It led to the identification of perpetrators and those responsible in the chain of command and resulted in the prosecution of four suspects. Three of those suspects were eventually found guilty and sentenced to life imprisonment.236

Eurojust helps to set up JITs and provides operational, legal and financial support to them.237 The JITs Network encourages and promotes best practice in the use of JITs.238 JITs are likely to be particularly helpful in relation to complex factual and legal situations, such as a state-sponsored cyber operation against critical infrastructure that reaches the level of an international crime. There is scope for private companies to participate in joint investigations as technical experts, provided there are measures in place to prevent potential conflicts of interest.

Joint investigations can also help to lessen political sensitivities in relation to the prosecution of international crimes, as by acting collectively states may be more resilient to domestic pressures or retaliation from the accused state than if acting in isolation. However, joint investigations also require states to pool and cede some sovereignty and independence, so trade-offs are required. States must also have the authority to participate under their domestic law, which may be an impediment for some without legislative amendments.

Within a month of Russia’s invasion of Ukraine in February 2022, a JIT was established to investigate core international crimes committed by Russia in Ukraine. The Ukraine JIT involves the national prosecution authorities of seven countries – Estonia, Latvia, Lithuania, Poland, Romania, Slovakia and Ukraine – and receives support from Eurojust, Europol,239 the ICC, the Core International Crimes Evidence Database and the International Centre for the Prosecution of the Crime of Aggression against Ukraine (ICPA).240 Being part of the Ukraine JIT has enhanced the OTP’s ability to access and collect information in relation to the situation in Ukraine, as well as to conduct rapid coordination with partner countries.241

In its assault on Ukraine, Russia is using cyber technology in combination with physical military activity, some of which is alleged to amount to international crimes.242 The UK government’s statement on the recent sanctioning of three Russian GRU units and 18 military intelligence officers asserts that ‘online reconnaissance’ was used to guide Russian missile strikes on the Mariupol Theatre in which hundreds of civilians, including children, were killed.243

As armies become more reliant on the use of technology, we can expect to see international crimes increasingly committed using cyber and physical activity in concert. It is therefore crucial that investigations and prosecutions adapt to this modern reality.

Rome Statute, arts 8(2)(a)(ii) and 8(2)(c)(iii); see also p. 12 of this paper.
Lingsma, T. (2019), ‘First Dutch Islamic State Fighter Convicted for War Crimes’, JusticeInfo.Net, 25 July 2019, https://www.justiceinfo.net/en/42008-first-dutch-islamic-state-fighter-convicted-for-war-crimes.html.
For further discussion of these cases, see Eurojust (2018), ‘Prosecuting War Crimes for Outrage Upon Personal Dignity’, fact sheet, https://www.eurojust.europa.eu/publication/prosecuting-war-crimes-outrage-upon-personal-dignity-based-evidence-open-sources-legal. Under the Elements of Crime of outrages upon personal dignity, outrages can be perpetrated against unconscious persons, mentally handicapped persons or on dead bodies.
Specifically, Finland, Germany, the Netherlands and Sweden.
Force Hill, J. (2015), ‘Problematic Alternatives: MLAT Reform for the Digital Age’, Harvard Law School National Security Journal, 28 January 2015, https://journals.law.harvard.edu/nsj/2015/01/problematic-alternatives-mlat-reform-for-the-digital-age.
See section 3.1 of this paper.
Government of Slovenia (2023), The Ljubljana–The Hague Convention on International Cooperation in the Investigation and Prosecution of the Crime of Genocide, Crimes against Humanity, War Crimes and other International Crimes, arts 17 and 21.
ICC Office of the Prosecutor (2025), Policy on Cyber-Enabled Crimes under the Rome Statute, para 27.
See Budapest Convention.
Ibid., art. 25.
Ibid., arts 27, 26 and 35.
UN Convention against Cybercrime, art. 35 (emphasis added).
Brown, D. (2024), ‘New UN Cybercrime Treaty Primed for Abuse’, Human Rights Watch, 30 December 2024, https://www.hrw.org/news/2024/12/30/new-un-cybercrime-treaty-primed-abuse.
See, for example, para 15 of the Common Position of the African Union on the Application of International Law to the Use of Information and Communication Technologies in Cyberspace, 29 January 2024; Heller, K. J. (2024), ‘The African Union (Rightly) Endorses Pure Sovereignty in Cyberspace’, Opinio Juris, 5 February 2024, https://opiniojuris.org/2024/02/05/the-african-union-rightly-endorses-pure-sovereignty-in-cyberspace.
For example, in the Corfu Channel case (UK v Albania) ICJ Reports p. 4, the ICJ admitted evidence that had been illegally obtained by the UK. See Fallah, S. (2022), ‘Illegally Obtained Evidence: International Adjudication’ in the Max Planck Encyclopaedia of International Law.
Government of the Kindgom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019.
Secretariat of the Genocide Network (2018), Prosecuting war crimes of outrage upon personal dignity based on evidence from open sources – Legal framework and recent developments in the Member States of the European Union, report, The Hague: Eurojust, https://www.eurojust.europa.eu/publication/prosecuting-war-crimes-outrage-upon-personal-dignity-based-evidence-open-sources-legal.
For example, Pigott, P. (2022), ‘Ukraine: Online posts transform war crimes documentation’, BBC News, 17 April 2022, https://www.bbc.co.uk/news/uk-wales-61011855. Organizations such as Bellingcat and University of California, Berkeley also conduct investigations into potential international crimes using the latest technology, including satellite imagery and geolocation, and make their findings available to any national or international prosecutors who are gathering evidence of such crimes.
Prosecutor v Jean-Pierre Bemba Gombo (ICC-01/05-01/08 (27 June 2013), para 269.
Freeman, L. (2021), ‘Weapons of War, Tools of Justice: Using Artificial Intelligence to Investigate International Crimes’, Journal of International Criminal Justice, 19(1), pp. 35–53, https://doi.org/10.1093/jicj/mqab013, p. 47.
Defence Response to Prosecution’s Third Request for the Admission of Evidence from the Bar Table, Prosecution v Bemba et al (ICC-01/05-01/13), Trial Chamber, 9 October 2015, paras 83–86.
Goodman, J. and Korenyuk, M. (2023), ‘AI: war crimes evidence erased by social media platforms’, BBC News, 1 June 2023, https://www.bbc.co.uk/news/technology-65755517.
See also ICC Office of the Prosecutor (2025), Policy on Cyber-Enabled Crimes under the Rome Statute, p. 150, which notes that the OTP will work with relevant stakeholders to explore the desirability of clear guidelines for cooperation on data preservation requests.
Stored Communications Act (SCA), s.2701(a)(i).
The Electronic Communications Privacy Act 1986 (ECPA), 18 U.S.C. §§ 2510-2523.
Tidy, J. (2024), ‘Telegram: ‘The dark web in your pocket’’, BBC News, 31 August 2024, https://www.bbc.co.uk/news/articles/cdey4prn3e1o.
Toulas, B. (2025), ‘Telegram hands over data on thousands of users to US law enforcement’, Bleeping Computer, 7 January 2025, https://www.bleepingcomputer.com/news/legal/telegram-hands-over-data-on-thousands-of-users-to-us-law-enforcement.
The UK–US Data Access Agreement, which was enacted under the US Cloud Act 2018, came into force on 3 October 2022. See Home Office (2022), UK-US Data Access Agreement, policy paper, https://www.gov.uk/government/publications/uk-us-data-access-agreement-factsheet.
See, for example, Google’s policies on law enforcement requests: Google (undated), ‘How Google handles government requests for user information’, https://policies.google.com/terms/information-requests?hl=en-US.
Daskal, J. (2016), ‘Law Enforcement Access to Data Across Borders: The Evolving Security and Rights Issues’, Journal of National Security Law and Policy, 8(3), https://nationalsecurity.law.georgetown.edu/journal/2016/ 09/06/law-enforcement-access-data-across-borders-evolving-security-rights-issues.
The framework consists of an e-Evidence regulation and directive, both of which will establish unified European rules for the preservation and disclosure of electronic evidence in relation to any offence. See Regulation (EU) 2023/1543 on European Production Orders and European Preservation Orders for electronic evidence in criminal proceedings and for the execution of custodial sentences following criminal proceedings, which will apply from 18 August 2026 and Directive (EU) 2023/1544 laying down harmonized rules on the designation of designated establishments and the appointment of legal representatives for the purpose of gathering electronic evidence in criminal proceedings, which EU member states must transpose into national law by 18 February 2026.
Under the terms of EU e-Preservation Orders (para 60 of the regulation), service providers are obliged to preserve data for 60 days, with a possible extension of 30 days.
Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence, CETS No. 224, open for signature 12 May 2022, art. 7.
SIRIUS is co-funded by Europol and Eurojust, in close partnership with the European Judicial Network. The project provides products such as standardized guidelines on cooperation processes between competent authorities and service providers; investigation tools; contact details for service providers; and a restricted platform for sharing knowledge and best practice. See Europol (2025), ‘SIRIUS project’ (updated 13 Nov. 2025), https://www.europol.europa.eu/operations-services-innovation/sirius-project.
European Commission (2025), ‘Communication from the Commission to the European Parliament, the Council, The European Economic and Social Committee and Committee of the Regions: Roadmap for lawful and effective access to data for law enforcement’ COM (2025) 349 final, 24 June 2025, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52025DC0349.
For example, the Dutch government and those of several other countries use an open digital forensic platform called Hansken for criminal justice. See European Institute of Public Administration (undated), ‘Hansken, the open digital forensic platform’, https://www.eipa.eu/epsa/hansken-the-open-digital-forensic-platform.
Rome Statute, art. 93(10).
Ibid., para 142.
If an individual uses AI to commit a crime, criminal responsibility will arise, just as with the use of any other tool.
See p. 34 of this paper.
As the OTP affirms in its policy paper. See ICC Office of the Prosecutor (2025), Policy on Cyber-Enabled Crimes under the Rome Statute, para 128.
Ibid. para 161.
Bemba, Judgment pursuant to article 74 of the Statute, Trial Chamber III, 21 March 2016, ICC-01/05’01/ 08-3343, para 235; Lubanga Trial Judgment, para 107.
The Prosecutor v Ahmad Al Faqi Al Mahdi, ICC-01/12-01/15.
The Prosecutor v Al-Werfalli, ICC-01/11-01/17.
See McDermott Rees, Y., Hausnecht, A. and Liefgreen, A. (2025), ‘New Evidence, New Challenges: ICC Judges’ Perspectives on User-Generated Evidence and Judging in an Age of Artificial Intelligence’, Onati Social-Legal Series, 16(1), https://cronfa.swan.ac.uk/Record/cronfa71069, p. 2; The Prosecutor v. Alfred Yekatom and Patrice-Edouard Ngaïssona, Trial Judgment, ICC-01/14-01/18-2784 (24 July 2025); The Prosecutor v. Ali Muhammad Ali Abd-Al-Rahman (‘Ali Kushayb’), Trial Judgment, ICC-02/05-01/20-1240 (6 October 2025).
Features include rapid pattern identification, automatic translations, facial identification, image enrichment, translations of media files, targeted searches of source material, and video and image analytics. See Evans, H. and Hazim, M. (2023), ‘Digital Evidence Collection at the International Criminal Court: Promises and Pitfalls’, Just Security, 5 July 2023, https://www.justsecurity.org/87149/digital-evidence-collection-at-the-intl-criminal-court-promises-and-pitfalls.
Rome Statute, arts 86 and 88.
Rome Statute, art. 93.
ICC Office of the Prosecutor (2025), Policy on Cyber-Enabled Crimes under the Rome Statute, para 162.
Ibid., para 178.
Rome Statute, art. 87.
Rome Statute, arts 72 and 73.
ICC Office of the Prosecutor (2025), Policy on Cyber-Enabled Crimes under the Rome Statute, para 133.
On 2 June 2025, Hungary notified the UN secretary-general of its withdrawal from the Rome Statute. The withdrawal will take effect on 2 June 2026.
Amending Regulation (EU) 2022/838 of 30 May 2022 as regards the storage, preservation and analysis of evidence in war crimes, which came into force on 1 June 2022.
Europol (2024), ‘ICC and Europol sign Liaison Officer Agreement and SIENA Memorandum of Understanding’, press release, 18 September 2024, https://www.europol.europa.eu/media-press/newsroom/news/icc-and-europol-sign-liaison-officer-agreement-and-siena-memorandum-of-understanding.
Ibid.
ICC (2004), ‘Cooperation agreement between the Office of the Prosecutor and Interpol’, press release, 22 December 2004, https://www.icc-cpi.int/news/icc-cooperation-agreement-between-office-prosecutor-and-interpol.
The OTP’s policy paper on cyber-enabled international crimes references (at fn 175) Situation in Burundi, in which the court noted that the prosecutor may seek voluntary cooperation from states parties.
ICC Office of the Prosecutor (2024), Policy on Complementarity and Cooperation, https://www.icc-cpi.int/sites/default/files/2024-04/2024-comp-policy-eng.pdf.
ICC Office of the Prosecutor (2025), Policy on Cyber-Enabled Crimes under the Rome Statute, para 150.
Rome Statute, art. 87(5)(a).
ICC Office of the Prosecutor (2025), Policy on Cyber-Enabled Crimes under the Rome Statute, para 27.
Ibid., para 187.
Claims have been reported regarding the alleged complicity of some technology companies in international crimes during Israel’s conflict with Gaza. See, for example, Business and Human Rights Resource Centre (2025), ‘Big Tech companies face allegations of war crimes complicity amid Israel’s war in Gaza’, 2 April 2025, https://www.business-humanrights.org/en/latest-news/big-tech-companies-allegedly-complicit-in-war-crimes-amid-israels-war-in-gaza-incl-company-responses. In August 2025, Microsoft announced a formal review of allegations reported by the Guardian that its Azure cloud platform has been used by a unit of the Israeli Defence Forces to store the data of phone calls obtained through broad or mass surveillance of civilians in Gaza and the West Bank. Microsoft provided an update on that review in September 2025. See Microsoft (2025), ‘Update on ongoing Microsoft review’, 25 September 2025, https://blogs.microsoft.com/on-the-issues/2025/09/25/update-on-ongoing-microsoft-review. Also in September 2025, Microsoft terminated the Israeli military’s access to some of its technology after accusations of usage that violated Microsoft’s terms of service. See Davies, H. and Abraham, Y. (2025), ‘Microsoft blocks Israel’s use of its technology in mass surveillance of Palestinians’, Guardian, 25 September 2025, https://www.theguardian.com/world/2025/sep/25/microsoft-blocks-israels-use-of-its-technology-in-mass-surveillance-of-palestinians.
See Techpoint.africa (2025), ‘NITDA’s new rule mandates cloud providers to host key data within Nigeria’, 12 February 2025, https://techpoint.africa/news/nitda-cloud-providers-host-data.
For example, Brazil, under its General Data Protection Law, No. 13.709/2018.
ICC Office of the Prosecutor (2025), Policy on Cyber-Enabled Crimes under the Rome Statute, para 162.
See Milaninia, N. (2025), ‘Legal Challenges Mount Against Renewed U.S. Sanctions Against the ICC’, Lawfare, 9 May 2025, https://www.lawfaremedia.org/article/legal-challenges-mount-against-renewed-u.s.-sanctions-on-the-icc.
ICC Office of the Prosecutor (2024), Policy on Cooperation and Complementarity, paras 43 and 83.
ICC Office of the Prosecutor (2025), Policy on Cyber-Enabled Crimes under the Rome Statute, para 192.
Ibid., para 194.
A ransomware attack is a malware attack that prevents the user from accessing the device or the data on it. For details on the Conti group incident, see Health Service Executive (2021), Conti Cyber Attack on the HSE: Independent Post Incident Review, report, 3 December 2021,https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf.
ICC Office of the Prosecutor (2024), Policy on Cooperation and Complementarity, para 102.
ICC Office of the Prosecutor (2025), Policy on Cyber-Enabled Crimes under the Rome Statute, para 135.
Ibid., para 150.
For example, see Government of Slovenia (2023), The Ljubljana–The Hague Convention on International Cooperation in the Investigation and Prosecution of the Crime of Genocide, Crimes against Humanity, War Crimes and other International Crimes, art. 41; the Second Additional Protocol to the Budapest Convention, art. 12; and the UN Convention against Cybercrime, art. 48.
Schöndorf notes that ‘[o]ver time, the attribution capabilities of States have improved, and even States with lesser capabilities have been able to rely on solid information provided by other States and by the private sector’. See Schöndorf (2021), ‘Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations’, p. 404.
US v Stigal, Borovkov, Denisenko, Denisov, Goloshubov and Korchagin at footnote 123.
Milenkoski, A. et al. (2025), Ransomware’s New Masters: How States are Hijacking Cybercrime, report, Virtual Routes, https://virtual-routes.org/wp-content/uploads/2025/04/Virtual-Routes-Pharos-Report-Series-No.-3.pdf.
Huntley, S. (2023), ‘Fog of war: how the Ukraine conflict transformed the cyber threat landscape’, Google Threat Analysis Group, 16 February 2023, https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict- transformed-the-cyber-threat-landscape.
For example, Microsoft’s reports on the latest threats in Ukraine have included details of Russian cyber operations targeting the criminal investigators and prosecutors who are building cases against them for war crimes. See Watts, C. (2023), ‘Russian influence and cyber operations adapt for long haul and exploit war fatigue’, blog post, Microsoft On The Issues, 7 December 2023, https://blogs.microsoft.com/on-the-issues/2023/12/07/russia-ukraine-digital-threat-celebrity-cameo-mtac.
For example, FireEye uncovered the major SolarWinds supply-chain cyberattack. See National Cyber Security Centre (2021), ‘NSCS Annual Review 2021’, report, London: NCSC, https://www.ncsc.gov.uk/collection/ncsc-annual-review-2021/the-threat/solarwinds, p. 10.
For example, PWC investigated and prepared a detailed report on the Conti cyber ransomware attack on the Irish health service in 2021. See Health Service Executive (2021), Conti cyber attack on the HSE.
See, for example, Europol (undated), ‘Partners & Collaboration’ (updated 28 July 2025),  https://www.europol.europa.eu/partners-collaboration.
ITU (undated), ‘National CIRT’, https://www.itu.int/en/ITU-D/Cybersecurity/Pages/national-CIRT.aspx (accessed 20 Nov. 2025). The term ‘CERT’, which stands for ‘Computer Emergency Response Team’, is often used interchangeably with ‘CIRT’.
The Points of Contact Directory was set up by the UN’s Open-Ended Working Group (OEWG) on the security of and in the use of information and communication technologies to establish secure and direct communications on malicious cyber incidents. So far, over 100 countries have joined. See UNIDIR (undated), ‘Welcome to the Global Intergovernmental Points of Contact Directory on the Use of Information and Communications Technologies in the Context of International Security’, https://poc-ict.unoda.org.
MITRE Corporation (undated), ‘MITRE ATT&CK ‘, https://attack.mitre.org.
See, for example, National Cyber Security Centre (2024), ‘SVR cyber actors adopt tactics for initial cloud access’, advisory note, 26 February 2024, https://www.ncsc.gov.uk/news/svr-cyber-actors-adapt-tactics-for- initial-cloud-access.
CyberPeace Institute (undated), ‘Data-driven accountability’, https://cyberpeaceinstitute.org/threat-analysis/ #threat-analysis-investigate.
Europol (2025), ‘Operation ENDGAME strikes again: the ransomware kill chain broken at its source’, press release, 23 May 2025, https://www.europol.europa.eu/media-press/newsroom/news/operation-endgame- strikes-again-ransomware-kill-chain-broken-its-source.
Eurojust (undated), ‘Genocide Prosecution Network’, https://www.eurojust.europa.eu/judicial-cooperation/practitioner-networks/genocide-network.
Netherlands Public Prosecution Service (undated), ‘The criminal investigation by the joint investigation team’, https://www.prosecutionservice.nl/topics/mh17-plane-crash/criminal-investigation-jit-mh17.
Eurojust (undated), ‘Joint investigation teams’, https://www.eurojust.europa.eu/judicial-cooperation/instruments/joint-i…tigation-teams.
Eurojust (undated), ‘JITs Network’, https://www.eurojust.europa.eu/judicial-cooperation/practitioner- networks/jits-network.
In November 2023, Europol set up an OSINT taskforce to support investigations into war crimes committed in Ukraine. This taskforce, which has 14 participating countries, including the US, the UK and some EU member states, aims to identify suspects and their involvement in core international crimes in Ukraine through the collection and analysis of open-source intelligence. The taskforce supports requests from Ukraine, other countries and the ICC. See Europol (2023), ‘Europol sets up OSINT taskforce to support investigations into war crimes committed in Ukraine’, press release, 21 November 2023, https://www.europol.europa.eu/media-press/newsroom/news/europol-sets-osint-taskforce-to-support-investigations-war-crimes-committed-in-ukraine.
Eurojust (undated), ‘Joint investigation team into alleged crimes committed in Ukraine’, https://www.eurojust.europa.eu/joint-investigation-team-alleged-crimes-committed-ukraine. The US has been engaged through a memorandum of understanding, but withdrew from ICPA in March 2025.
See ICC Policy on Complementarity and Cooperation, p. 41ff; ICC (2024), ‘Situation in Ukraine: ICC-01/22’, https://www.icc-cpi.int/situations/ukraine.
Human Rights Watch, SITU and Truth Hounds (2024), ‘”Our City was Gone”: Russia’s devastation of Mariupol, Ukraine’, 8 February 2024, https://www.hrw.org/feature/russia-ukraine-war-mariupol/report.
Foreign, Commonwealth & Development Office and The Rt Hon. David Lammy MP (2025), ‘UK sanctions Russian spies at the heart of Putin’s malicious regime’, press release, 18 July 2025, https://www.gov.uk/government/news/ uk-sanctions-russian-spies-at-the-heart-of-putins-malicious-regime.

Previous chapter Next chapter