Most cybersecurity incidents can be handled through ISP abuse reports, hosting provider takedowns, and internal remediation. But some attacks cross a line where the technical response is not enough — you need law enforcement involved. Whether you are dealing with a data breach that exposed customer records, a ransomware demand, or persistent targeted intrusions, knowing how and where to report cybercrime to authorities can make the difference between an attacker operating freely and an investigation that shuts them down.
This guide is part of my complete IP abuse reporting series. Here, I focus specifically on when to escalate beyond ISP abuse desks to law enforcement agencies, how to prepare evidence for criminal investigations, and a directory of reporting channels across countries.
When to Involve Law Enforcement
Not every cyberattack needs a police report. ISP abuse reports handle the majority of cases — shutting down abusive IPs, taking down phishing pages, and blocking botnet infrastructure. But certain situations demand law enforcement involvement because they involve criminal activity that only authorities can investigate and prosecute.
Financial Loss or Fraud
If an attack has caused direct financial loss — through business email compromise (BEC), wire fraud, cryptocurrency theft, or unauthorized transactions — you need to file with law enforcement. Financial cybercrime is one of the categories that agencies prioritize because the losses are quantifiable and the trails are traceable through banking systems. The FBI IC3 alone received over 880,000 complaints in 2023 with reported losses exceeding $12.5 billion. If you have lost money, report it immediately. In BEC cases, contacting your bank and the FBI within 48 hours significantly increases the chance of recovering funds.
Data Breaches Involving Personal Information
When an attacker exfiltrates personally identifiable information (PII), health records, financial data, or login credentials for your users, you likely have legal obligations to report the breach to authorities. Regulations like GDPR (EU), HIPAA (US healthcare), and state breach notification laws often require reporting to specific agencies within defined timeframes — sometimes as short as 72 hours. Beyond compliance, a law enforcement report creates an official record that protects you legally and helps authorities track the attacker across multiple victims.
Persistent Targeted Attacks (APT)
If you are dealing with a sophisticated attacker who maintains persistence in your network despite remediation efforts — returning through different vectors, deploying custom malware, or showing signs of state-sponsored tradecraft — this is beyond what ISP abuse reports can address. Advanced persistent threats typically target multiple organizations and require the resources of national intelligence and law enforcement agencies to investigate. If you have already reported a server compromise to your hosting provider and the attacker keeps returning, it is time to escalate.
CSAM (Mandatory Reporting)
The discovery of child sexual abuse material (CSAM) is one case where reporting to law enforcement is not optional. In the US, anyone who discovers CSAM has a legal obligation to report it to NCMEC (the National Center for Missing & Exploited Children). Service providers face federal penalties for failing to report. I cover this process in detail in my CSAM reporting guide. Contact NCMEC's CyberTipline immediately if you encounter this material.
Ransomware
Ransomware attacks should always be reported to law enforcement, even if you decide not to pay. Agencies like the FBI and CISA actively track ransomware groups, and your report may contribute to an ongoing investigation. In some cases, law enforcement has decryption keys from prior takedowns that they can share with victims. Paying ransom without reporting may also violate OFAC sanctions if the ransomware group is on the sanctions list.
Threats of Physical Violence
If cybercrime activity includes threats of violence, doxxing with threatening intent, or swatting, contact local law enforcement immediately alongside any federal reporting. These situations involve imminent physical danger and require a faster response than federal agencies typically provide.
Evidence Preparation for Law Enforcement
Law enforcement investigations require more formal evidence than ISP abuse reports. The standards are higher because the evidence may eventually need to support criminal prosecution. I prepare everything with that possibility in mind.
Timeline of Events
Create a detailed chronological record of the incident. Include when you first detected the activity, every action the attacker took that you can identify, when you implemented defensive measures, and what the current status is. Use UTC timestamps throughout for consistency. Law enforcement investigators may be in a different timezone and need unambiguous time references.
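One way to normalize mixed log sources into a single UTC timeline, as an added example that is not from the original guide. The three sample log lines, the source names, and the `NAIVE_SOURCE_OFFSETS` table are constructed for illustration; a log line that carries no timezone is rejected unless the analyst has recorded which zone that host logs in.

```python
import re
from datetime import datetime, timezone

# Constructed sample events from three sources, each in its own time format.
SAMPLE = [
    ("web",  '203.0.113.7 - - [12/Mar/2024:10:03:22 -0400] "POST /login HTTP/1.1" 200 512'),
    ("fw",   "2024-03-12T15:01:10+01:00 DROP src=203.0.113.7 dst=198.51.100.4 dpt=22"),
    ("auth", "2024-03-12 14:02:45 Accepted password for admin from 203.0.113.7"),
]

# Zone of each source whose lines carry no offset (assumption recorded by the analyst).
NAIVE_SOURCE_OFFSETS = {"auth": timezone.utc}


def to_utc(source, line):
    """Extract the timestamp from one log line and return it as an aware UTC datetime."""
    m = re.search(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]", line)
    if m:  # Apache/nginx combined log format, offset included
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        return ts.astimezone(timezone.utc)
    m = re.match(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}", line)
    if m:  # ISO 8601 with explicit offset
        return datetime.fromisoformat(m.group(0)).astimezone(timezone.utc)
    m = re.match(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}", line)
    if m:  # no zone in the line: use the documented zone for that source or fail
        if source not in NAIVE_SOURCE_OFFSETS:
            raise ValueError(f"no recorded timezone for source {source!r}")
        ts = datetime.strptime(m.group(0), "%Y-%m-%d %H:%M:%S")
        return ts.replace(tzinfo=NAIVE_SOURCE_OFFSETS[source]).astimezone(timezone.utc)
    raise ValueError(f"unrecognised timestamp in: {line!r}")


def build_timeline(events):
    """Return (utc_string, source, original_line) tuples in chronological order."""
    rows = [(to_utc(src, line), src, line) for src, line in events]
    rows.sort(key=lambda r: r[0])
    return [(ts.strftime("%Y-%m-%dT%H:%M:%SZ"), src, line) for ts, src, line in rows]


if __name__ == "__main__":
    for utc, src, line in build_timeline(SAMPLE):
        print(utc, src, line, sep="  ")
```

Sorted by wall-clock time the sample reads web, auth, fw; in UTC the actual order is the reverse, and each row keeps the original line unmodified next to its UTC time.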
IP Addresses and Network Evidence
For every IP address involved, document:
- The IP address itself and when it was observed
- Geolocation and network ownership data — use my IP Location tool to look up each address
- WHOIS records for the IP and any associated domains
- Relevant DNS records if domains are involved
Preserve raw logs — firewall logs, web server access logs, authentication logs, and network captures. Do not modify or filter them. Investigators want the originals.
Chain of Custody
This is where law enforcement evidence differs most from ISP abuse reports. Maintain a documented chain of custody for all evidence:
- Hash everything — generate SHA-256 hashes of all log files, disk images, and packet captures at the time of collection
- Document who collected what and when — name, role, date, time, method
- Store originals separately — work from copies, keep originals untouched on write-protected media
- Use tamper-evident storage — if you are imaging a compromised disk, use a hardware write blocker
If you have an incident response team, they should already be following these practices. If you are handling this yourself, the hash-and-document approach is the minimum standard that keeps evidence admissible.
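One way to apply the hash-and-document approach, as an added example that is not from the original guide: it records a SHA-256 hash, collector, role, method, and UTC collection time for each evidence file, then reports any file that is missing or whose hash no longer matches. The manifest field names, the collector details, and the sample log line are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so disk images and packet captures need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths, collector, role, method):
    """Record the hash plus who/when/how for each file at collection time."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return [{"file": os.path.abspath(p), "sha256": sha256_file(p),
             "size_bytes": os.path.getsize(p), "collected_at_utc": now,
             "collector": collector, "role": role, "method": method}
            for p in paths]


def verify_manifest(manifest):
    """Return files that are missing or whose hash differs from the recorded one."""
    return [e["file"] for e in manifest
            if not os.path.exists(e["file"]) or sha256_file(e["file"]) != e["sha256"]]


def demo():
    """Constructed sample: hash one fake log, then alter it to show detection."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "auth.log")
        with open(log, "w") as fh:
            fh.write("constructed sample: Failed password for root from 203.0.113.7\n")
        manifest = build_manifest([log], "J. Doe", "sysadmin", "copied via scp")
        before = verify_manifest(manifest)  # untouched copy: no mismatches
        with open(log, "a") as fh:          # simulate an edited working copy
            fh.write("extra line\n")
        after = verify_manifest(manifest)   # the altered file is reported
        return manifest, before, after


if __name__ == "__main__":
    manifest, before, after = demo()
    print(json.dumps(manifest, indent=2))
    print("mismatches before edit:", before, "| after edit:", after)
```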
Financial Records
For fraud cases, gather bank statements, wire transfer confirmations, cryptocurrency transaction hashes, invoices, and any communications that led to the fraudulent transaction. The financial trail is often more useful to investigators than technical logs.
Impact Assessment
Quantify the damage: number of records exposed, financial losses, business downtime, remediation costs, and any downstream effects on customers or partners. This helps law enforcement prioritize your case and is required for FBI IC3 reports.
US Reporting Channels
FBI Internet Crime Complaint Center (IC3)
The FBI IC3 at ic3.gov is the primary federal reporting portal for cybercrime in the United States. It accepts complaints from individuals and organizations for virtually all categories of internet-facilitated crime.
How to file:
- Go to ic3.gov and click "File a Complaint"
- Provide your contact information (required — anonymous reports are not accepted)
- Describe the incident with as much detail as possible
- Include financial information if there were losses
- Upload supporting documents (logs, screenshots, communications)
- Submit and save your complaint confirmation number
IC3 processes complaints and refers them to the appropriate federal, state, or local law enforcement agency. For time-sensitive cases like active BEC wire transfers, call your FBI local field office directly — IC3 triage can take days.
What IC3 handles: BEC/email fraud, ransomware, data breaches, identity theft, investment scams, tech support fraud, denial-of-service attacks, and more. If you have already reported a DDoS attack to the ISP without resolution, IC3 is the next escalation point.
FBI Local Field Offices
For urgent cybercrime — an active intrusion, ongoing data exfiltration, or a BEC wire transfer that happened in the last 48 hours — contact your nearest FBI field office directly. Every field office has a cyber squad. Find yours at fbi.gov/contact-us/field-offices. Direct contact bypasses IC3 triage and gets a faster response for time-critical cases.
US Secret Service
The Secret Service has jurisdiction over financial cybercrime, including payment card fraud, identity theft involving financial institutions, and network intrusions targeting financial infrastructure. If your case involves significant financial fraud, you can report to both IC3 and your local Secret Service field office.
Federal Trade Commission (FTC)
For consumer-facing fraud — phishing scams that targeted your customers, identity theft, deceptive business practices online — file at reportfraud.ftc.gov. The FTC does not investigate individual cases but uses reports to build cases against large-scale fraud operations and to produce the annual Internet Crime Report. Filing here creates a record in the Consumer Sentinel Network that over 2,800 law enforcement agencies can access.
International Reporting Channels
Cybercrime is borderless, so reporting channels vary by country. The table below covers the major national reporting portals.
| Country | Agency | Portal / Contact | Scope |
|---|---|---|---|
| United Kingdom | Action Fraud | actionfraud.police.uk | All cybercrime and fraud |
| United Kingdom | National Crime Agency (NCA) | nationalcrimeagency.gov.uk | Serious and organized cybercrime |
| EU (cross-border) | Europol EC3 | europol.europa.eu/report-a-crime | Cross-border cybercrime across EU |
| Canada | Canadian Anti-Fraud Centre | antifraudcentre-centreantifraude.ca | Fraud and cybercrime |
| Australia | Australian Cyber Security Centre | cyber.gov.au/report | All cybercrime (ReportCyber portal) |
| Germany | BSI (Federal Office for Information Security) | bsi.bund.de | Cyber incidents and threats |
| France | ANSSI | ssi.gouv.fr | Cyber incidents; Pharos for online content |
| Netherlands | Politie (Dutch National Police) | politie.nl/aangifte | Cybercrime reports |
| India | National Cyber Crime Reporting Portal | cybercrime.gov.in | All cybercrime categories |
| Japan | National Police Agency | npa.go.jp | Cybercrime via prefectural police |
| Singapore | Cyber Security Agency (CSA) | csa.gov.sg | Cyber incident reporting |
| Brazil | SaferNet Brasil | safernet.org.br | Online crime reporting |
For EU-based incidents, Europol's European Cybercrime Centre (EC3) coordinates investigations that span multiple member states. You typically report to your national police first, and they coordinate with Europol if the case has cross-border elements. Europol does not accept direct complaints from individuals for most crime types — the national agency is your entry point.
National CERTs: When and Why to Contact Them
Computer Emergency Response Teams (CERTs) — sometimes called CSIRTs (Computer Security Incident Response Teams) — serve a different function from law enforcement. While police investigate crimes, CERTs coordinate incident response, share threat intelligence, and help organizations mitigate attacks in real time.
What CERTs Do
- Incident coordination — help you contain and remediate an active attack
- Threat intelligence sharing — distribute indicators of compromise (IOCs) to other potential victims
- Cross-border coordination — work with CERTs in other countries to address attacks that cross jurisdictions
- Vulnerability disclosure — manage coordinated disclosure of newly discovered vulnerabilities
- Advisory publication — issue alerts about active threats and campaigns
When to Contact Your CERT vs Law Enforcement
Contact your national CERT when:
- You need technical assistance with incident response
- You have discovered a vulnerability that needs coordinated disclosure
- You want to share IOCs to help protect other organizations
- The attack involves critical infrastructure
Contact law enforcement when:
- You want the attacker investigated and prosecuted
- There are financial losses to recover
- Legal obligations require a police report
- The attack involves CSAM, threats of violence, or fraud
In practice, you often contact both. Your CERT helps you technically while law enforcement handles the criminal investigation. For attacks involving malware, botnet C2 infrastructure, or phishing campaigns, CERTs are particularly effective because they can coordinate takedowns faster than law enforcement timelines allow.
Major National CERTs
| Country | CERT | Website |
|---|---|---|
| United States | US-CERT / CISA | cisa.gov/report |
| United Kingdom | NCSC | ncsc.gov.uk/report |
| Germany | CERT-Bund | cert-bund.de |
| France | CERT-FR | cert.ssi.gouv.fr |
| Australia | ACSC | cyber.gov.au |
| Canada | Canadian Centre for Cyber Security | cyber.gc.ca |
| Japan | JPCERT/CC | jpcert.or.jp |
| Netherlands | NCSC-NL | ncsc.nl |
| India | CERT-In | cert-in.org.in |
| Singapore | SingCERT | csa.gov.sg |
The global directory of CERTs is maintained by FIRST (Forum of Incident Response and Security Teams) at first.org/members/teams. If your country is not listed above, search the FIRST directory for your national CERT.
What to Expect After Filing
I want to set realistic expectations here, because the gap between filing a report and seeing a result is where most people get frustrated.
Timelines
Law enforcement cybercrime investigations move slowly. Expect weeks to months before you hear anything substantive. IC3 complaints go through a triage process where analysts review, categorize, and refer cases to the appropriate agency. Not every complaint results in an investigation — the FBI prioritizes cases based on financial impact, number of victims, and connection to known threat actors.
Case Numbers and Follow-Up
Always save your case number or complaint confirmation. This is how you track your report and how you reference it if you need to provide additional evidence later. For IC3, you can log back into the portal to check status. For local law enforcement, the detective assigned to your case (if one is assigned) is your point of contact.
Why Most Cases Do Not Result in Prosecution
The reality is that the vast majority of cybercrime reports do not lead to individual prosecutions. Attackers operate across jurisdictions, use anonymization tools, and may be located in countries with no extradition treaties. But this does not mean your report is wasted. Law enforcement agencies use reports to:
- Build pattern databases — your report may link to dozens of others targeting the same attacker infrastructure
- Justify resource allocation — the aggregate number of complaints about a ransomware group or fraud scheme is what triggers dedicated task forces
- Support international operations — FBI, Europol, and partner agencies conduct periodic coordinated takedowns using accumulated evidence from hundreds of individual reports
- Issue public advisories — IC3's annual reports and CISA advisories are built from submitted complaints
Even if your specific case does not result in an arrest, it contributes to the collective intelligence that drives larger operations. The FBI's 2023 takedown of the Hive ransomware group, for instance, was built on hundreds of individual victim reports over months.
Coordinating with ISP Reports
Filing a law enforcement report does not replace ISP abuse reporting — it complements it. Continue to report abuse to the responsible ISP for the immediate technical response (getting malicious IPs blocked, phishing pages taken down, compromised servers isolated). Law enforcement handles the longer-term investigation. The two tracks run in parallel, and evidence from your ISP reports can support the criminal investigation.
