Prosecuting communication service providers

The arrest of Pavel Durov, CEO of Telegram, in August 2024, inspired us to write our article ‘Prosecuting communication service providers as crime facilitators: A cautionary tale’ for the journal Computer Law & Security Review. French law enforcement authorities charged Durov with multiple offences, including criminal association, the refusal to provide information for lawful interception, and complicity in the distribution of child sexual abuse material, drug trafficking, money laundering, computer crime, and fraud.

In our article, we examine the recent strategy of law enforcement authorities and public prosecutors to target communication service providers in criminal investigations and how fundamental rights constrain their strategy. In this blog post, we introduce our article and share the main findings.

We have also auto-generated a podcast using NotebookLM. It takes a more playful and hyperbolic tone than the article itself, but it captures the main ideas well. When you listen to it, please consider it a fun companion to the full paper rather than a literal retelling.

Similarly, we have included a video (created with NotebookLM). While it also adopts a more dramatic tone than our academic article, it serves as an accessible introduction to the core themes.

From reactive to proactive investigations

In our article, we first explain how the significant challenges of anonymity, encryption and jurisdiction in reactive criminal investigations into cybercrime led to a shift towards proactive investigation. Law enforcement authorities shifted to an intelligence or ‘data-driven’ approach. We illustrate how law enforcement authorities, working with other agencies, took down entire IT infrastructures used by criminals for botnets, ransomware and online marketplaces. The data stored on those servers can provide a treasure trove of information about buyers, sellers and administrators of online forums.

We then explain how this strategy is now employed for many different types of cybercrime and even used to combat organised crime. Increasingly, EU law enforcement authorities target communication service providers, such as VPN providers, certain types of hosting providers, and cryptophone providers. They collect large amounts of data which can then be used to start new investigations that may lead to the prosecution of suspects involved in serious crime. This poses interesting questions relating to the right to privacy (including data protection law) and the right to a fair trial.

However, in our article, we focus instead on the question of criminal liability and complicity for communication service providers arising from criminal activities committed by their clients. If you are interested in the human rights implications of data driven investigations, you can read our previous article ‘The future of data driven investigations in light of the Sky ECC operation’.

Fundamental rights constraints & case law analysis

The ECtHR has ruled that the mere offering of an encrypted communication service does not, in itself, amount to criminal liability for the provider. As shown in our case law analysis, this principle is upheld in Dutch courts. However, in both cryptophone cases analysed, directors of these companies were sentenced for directing a criminal organisation. The courts took into account the fact that they facilitated complete user anonymity by not registering personal data, assigning anonymous usernames, and accepting cash or Bitcoin payments.

The public prosecutor was required to prove that the defendants knew these phones were being provided to criminals. This aligns with the ECtHR’s requirement that the prosecution must establish proof that the accused had knowledge of the criminal organisation’s activities. As a result, the burden of proof extends beyond demonstrating the material elements of a criminal offence (actus reus) to establishing intent in forms of participation in crime, specifically by providing the means to commit offences to third parties. This requires proof of the perpetrator’s criminal intent (the mental element of the crime, or mens rea). In the context of a ‘bulletproof’ hosting provider or crypto communication service provider, the actus reus typically relates to the physical act of providing the technical means to commit a crime (e.g., servers and applications). Criminal intent can, for example, be demonstrated through communications with clients or advertisements on criminal marketplaces.

Under the principle of “double intention”, the prosecution in many jurisdictions must demonstrate that the provider not only intended to provide the technical service but also specifically intended to facilitate the underlying crimes committed by the users. The requirements to establish this type of intent vary across EU member states, depending on the specifics of national criminal law.

Finally, our analysis of national case law highlights the growing relevance of KYC (Know Your Customer) procedures and anti-money laundering measures in establishing criminal liability. Our findings indicate that evidence of criminal intent can be inferred from a deliberate lack of due diligence by the provider, even in the absence of strict legal obligations. This includes instances of inadequate customer administration, a failure to implement anti-money laundering measures, and the systematic ignoring of abuse notifications and law enforcement requests.

Future research

Further research exploring the intersection between the due diligence obligations of communication service providers and substantive criminal law would be valuable. Accordingly, a doctrinal analysis of the various modes of criminal participation is recommended, specifically within the legal systems of those states that actively employ this prosecution strategy: namely the Netherlands, France, Germany, and Belgium.

In this context, the ongoing proceedings against Pavel Durov in France warrant close attention. It is essential to distinguish Telegram from the significantly smaller bulletproof hosting providers and crypto communication service providers discussed in this article. The proportion of criminal activity on Telegram, relative to its total user base, will likely differ from that of providers allegedly targeting criminals exclusively.

Consequently, establishing the requisite mens rea for prosecution, specifically regarding co-perpetration and complicity, will present significant evidentiary hurdles. Therefore, continued scrutiny of cases such as the one involving Pavel Durov is essential.

Jan-Jaap Oerlemans & Sofie Royer

Read the full article here

This post can also be found at sofieroyer.be

EU SOCTA report 2025 – The changing DNA of serious and organised crime

On 12 March 2025, Europol published its latest EU Serious and Organised Crime Threat Assessment (EU SOCTA) report (.pdf). The report immediately caught my attention, as it highlights how the DNA of serious and organised crime is evolving due to several key factors:

  1. Increasing entanglement between organised crime and state actors, leading to ‘hybrid threats’ that destabilise society.
  2. The growing role of the internet and digital communication tools in facilitating more traditional criminal activities.
  3. The acceleration of crime through emerging technologies such as artificial intelligence, which grant criminal networks new capabilities.

Europol concludes that these developments are transforming the tools, tactics, and structures employed by criminal organisations. This is reflected in the title of the report: ‘The changing DNA of serious and organised crime’.

This blog provides a summary of the report’s findings, particularly focusing on the intersection between organised crime and technology. Additionally, I have created a podcast on this topic with NotebookLM, and a Dutch version is available in .pdf format. The first episode of the official podcast by Europol is also about this report.

The EU SOCTA report identifies key serious and organised crime threats in Europe. These threats include cyber-attacks, online fraud schemes, (online) child sexual exploitation, migrant smuggling, drug trafficking, firearms trafficking, and waste crime. The key threats encompass both crimes predominantly occurring in the digital and online realm, as well as more traditional crime areas involving physical trafficking and illicit cross-border activity. This summary focusses on crimes with a clear connection to the digital and online realm, following the same structure as the report.

1. Hybridisation of Organised Crime: Destabilising Society?

According to Europol, serious and organised crime has a dual destabilising effect on the EU and its Member States. It undermines and reduces trust in the EU’s economy, the rule of law, and society as a whole by generating illicit proceeds, spreading violence, and normalising corruption.

Hybrid threats

Criminal networks may be influenced by state actors and may target democratic processes, social cohesion, public security, or the rule of law. In some cases, they may also impact financial stability and economic prosperity. These are called ‘hybrid threats’ in the report.

Some states even provide safe havens for criminals in exchange for the services of criminals, allowing them to operate with impunity. This enables states to outsource crimes such as cyber-attacks, disinformation campaigns, and money laundering, making attribution more difficult.

Ransomware

Criminal networks contribute to hybrid threats through ransomware attacks on critical infrastructure, businesses, and government agencies. These attacks generate financial profits—often through cryptocurrency payments—while also disrupting services and undermining public trust.

Europol notes that ransomware attacks are becoming more targeted, focusing on private industries, critical infrastructure, and small-to-medium-sized businesses. Additionally, there has been a growing number of supply chain attacks. The ransomware landscape is also evolving due to law enforcement interventions, leading to fragmentation and rebranding of criminal groups.

Cyberespionage and disinformation

Criminal networks can also steal data on behalf of hybrid threat actors. By infiltrating secure systems, they might steal data of strategic importance for governance or business and provide hybrid threat actors with invaluable information that can be used for espionage, economic advantage, or even coercion.

Additionally, these networks are instrumental in propaganda campaigns aimed at spreading disinformation and influencing political systems. They can play a key role in such campaigns, using fake social media accounts, coordinated troll operations, and manipulated news content to weaken democratic institutions from within.

Corruption

Criminal networks exploit corruption to secure protection from prosecution by trying to bribe law enforcement and the judiciary. This enables them to avoid arrests, obstruct investigations, and manipulate legal proceedings in their favour. Additionally, corrupt officials may provide criminals with classified information regarding operations, allowing them to evade detection and continue their activities with impunity. Beyond law enforcement and judiciary, public institutions are highly susceptible to infiltration by criminal networks.

Europol explains that corruption has adapted to the broader trends toward digitalisation and a crime-as-a-service model. Several issues are becoming increasingly visible: the targeting of individuals with access to digital systems in public and private entities, the use of digital recruitment tactics, and the elevated role of corruption brokers. The recruitment of, and communication with, corruptees takes place online. Bribes are transferred by criminally exploiting cryptocurrencies or fintech. In addition, individuals with access to digital systems become key targets for corruption as they can provide access to information relevant to the criminal enterprise.

2. Digitalisation of organised crime

Europol states that:

“Today, nearly all forms of serious and organised crime have a digital footprint.”

Criminal networks exploit digital infrastructure for recruitment, trade, and financial transactions. They use encrypted messaging apps to communicate, recruit members (including minors), and advertise illicit goods and services. These networks employ technical specialists to enhance their operations and evade law enforcement detection.

Europol identifies two primary forms of encrypted communication:

1. Dedicated criminal platforms – Platforms such as EncroChat, Sky ECC, Ghost and others provided a communication environment for serious and organised crime. Such systems are designed to provide end-to-end encryption that prevents external interception.

2. Mainstream communication tools – Criminals abuse end-to-end encrypted communication services, which are legally designed to protect users’ privacy. These over-the-top communication applications provide legitimate encryption and large user bases that allow criminals to blend in with ordinary users. Unlike the first category, these platforms or tools are not built for criminals, making it necessary for law enforcement to engage with private companies and navigate legal frameworks to investigate and disrupt criminal networks operating within them.

Recruitment and violence

Organised crime-related violence has intensified in certain regions, particularly in urban drug markets and port cities. Criminals use online platforms to recruit hitmen and coordinate violent attacks. Violence is now increasingly offered as a service and made possible by the availability of trafficked weapons.

Within criminal networks, low-ranking members commonly act as perpetrators, but violence is also outsourced to young perpetrators, assorted criminals, and professional hitmen or hit squads offering violence-as-a-service. They are contacted directly through a network of personal contacts, in prisons, or via intermediary contacts. Encrypted communications and online platforms are instrumental in finding and recruiting these executors.

Young perpetrators

Europol finds the involvement of young perpetrators in violent crimes of particular concern. The recruitment of young perpetrators, including young adolescents and children, into serious and organised crime and terrorism is not a new phenomenon. However, it has increasingly become a means used by criminal networks to remain out of reach of law enforcement and the judiciary.

Young perpetrators are frequently exploited in several criminal markets and in several roles. In cyber-attacks, script kiddies are influenced to conduct specific cyberactivities for a fee. In drug trafficking, young people are recruited in roles like dealers or couriers but also warehouse operators, and drug extractors from shipping containers. Young people are used as money mules, receiving and transferring illicit funds through their bank accounts, often in exchange for a small share of the money.

These young perpetrators are recruited through social media platforms and messaging applications, exploiting the anonymity and encryption they offer. Criminals use tactics to lure young people, including tailored language, coded communication, and gamification strategies. By glorifying a luxurious and violent lifestyle, they convince vulnerable young people to join their ranks.

3. The Role of Technology in Other Crimes

Europol’s report reveals surprising connections between technology and traditional crimes like human trafficking and firearms smuggling. For example, criminal networks use the internet to recruit victims, advertise illicit services, and exchange funds electronically. They also circulate forged identity documents online to facilitate trafficking.

AI and 3D printing technologies are increasing access to illicit firearms and enhancing weapon modification techniques. Encrypted communication platforms are expected to play a growing role in the trafficking of firearms and explosives.

Digital content piracy

Europol explains that the current cost-of-living crisis as well as the fragmentation of content across multiple legal streaming platforms prompt consumers to seek more cost-effective and unified packages regardless of their illegality.

Criminal networks often lease servers from legitimate hosting provider companies to ensure the anonymity and scalability of their operations. Others establish their own servers, which may be outsourced to other criminal networks as a service. The increased use of anonymisation tools such as VPNs to avoid server blocks ordered by judicial or law enforcement authorities will continue to be a default modus operandi. Criminal actors also rely on a variety of professional expertise, mainly associated with information technology (IT) services, such as technicians who build, operate and optimise the software and digital infrastructure for illegal streaming.

Digital pirates may also steal or purchase login credentials from legitimate subscribers — often sourced via phishing scams or data breaches — and then repackage multiple over-the-top libraries into a single, unauthorised service. They often use specialised software or devices to intercept and record live or on-demand streams, relaying the pirated content through internet protocol television (IPTV) servers or file-sharing platforms.

Online pharmaceuticals

Online platforms facilitate the sale of counterfeit, falsified, substandard or fraudulently obtained legitimate medicines. These are often paid for with cryptocurrencies, and the pharmaceuticals are delivered by postal and parcel services.

AI and technological advancements, including 3D printing, will continue to be leveraged by criminal networks to manufacture tablets.

4. Emerging Technologies and Organised Crime

Criminal organisations are quick to adopt emerging technologies, including artificial intelligence, to enhance their operations.

An “AI fraud epidemic”?

Europol described the current online fraud landscape as follows:

“The scale of online fraud, driven by advancements in automation and AI, has reached an unprecedented magnitude and is projected to continue growing. Narratives are extremely realistic, crafted with the help of AI, and incorporating trending societal topics.”

Investment fraud

Investment fraud is one of the most common and growing types of online fraud, nurtured through the use of digital tools and accelerated by new technologies. The main types are Ponzi schemes, pyramid schemes, and advance fee frauds. Cryptocurrencies remain the most significant investment fraud product in the EU. While fraudsters mostly target individuals, companies are also occasionally targeted. Criminal networks have been adapting the modus operandi to the availability of digital and AI tools and to exploit new and developing markets.

Internet-enabled investment fraud is becoming more prominent than unsolicited contacts, like cold calling. Online advertisements, including on social media platforms, news sites and sponsored search engine results, are the main advertisement channels used by criminal networks to attract victims.

Business email compromise

In business email compromise (BEC) cases, fraudsters gain unauthorised access to the mailbox of an employee to intercept and analyse information contained in official correspondence. Once email accounts are taken over, spoofed or new versions are created. Fraudsters request payment, misleading the victim by closely imitating the corporate communication style and accompanying their request with well-crafted, identical falsified documents such as invoices containing modified bank accounts.

Identity theft and identity fraud are an intrinsic part of the sophisticated and targeted scheme crafted around the victim. AI, including large language models (LLMs) and deepfakes, is creating new opportunities and capabilities for criminals active in BEC. As the rapid pace of technological development continues, BEC fraud is also expected to increase. Convincing fraud emails can be easily generated with the support of LLMs, while deepfake technologies, an emerging type of impersonation replicating people’s voices, images, and videos, are now being used in CEO fraud, in which fraudsters seek to trick an organisation’s employees by impersonating their CEO.

Romance fraud

Criminal actors from around the globe are actively involved in romance fraud. Victims seeking companionship are approached on social media or dating sites by fraudsters, who impersonate individuals using fake accounts and profiles.

Romance scams are expected to increase in the future, accelerated by AI tools. Voice cloning technology, deepfakes, LLM-generated scripts, and AI-driven translation will all continue to enhance fraudulent schemes, creating new fake scenarios and social engineering techniques.

A ‘transformation in child sexual exploitation material’

Child sexual exploitation and the production and distribution of child sexual abuse material (CSAM) is transforming. By creating highly realistic synthetic media, criminals are able to deceive victims, impersonate individuals and discredit or blackmail targets. The addition of AI-powered voice cloning and live video deepfakes amplifies the threat, enabling new forms of fraud, extortion, and identity theft. These tools are easily accessible and do not require specific technical skills. The accessibility of AI tools has multiplied the volume of CSAM available online, creating challenges in the analysis of imagery and identification of offenders.

Generative AI has emerged as a new means to produce CSAM, leading to growing concerns. It can support the editing of existing CSAM and the creation of new content. Explicit pictures of adults can be manipulated to make the individual look younger or applications can ‘nudify’ non-explicit images. Text-to-video models have emerged, following the rapid development of text-to-image models. Given their pace of advancement, text-to-video technology is likely to evolve just as quickly. In one of the first cases of its kind, a suspect was recently arrested for running an online platform with AI-generated CSAM which he produced and shared around the world (see also this press release about ‘Operation Cumberland’).

The majority of offenders take part in online communities on the dark web and clear web, including forums, groups, and chatrooms. They discuss abuse, fantasies, how to acquire original CSAM, techniques to groom children and tips related to operational security. Offenders also use online means other than chatrooms for one-on-one interactions, with different levels of encryption and data transfer methods.

Money laundering

In the financial realm, the emergence of blockchain technology and cryptocurrencies has been leveraged to facilitate payments and launder proceeds, supported by decentralised systems and unregulated exchanges.

Cash still features prominently in money laundering schemes today. Criminals often use cash-intensive businesses—such as restaurants, hotels, car washes—to mix illicit funds with the businesses’ legitimate income. When illicit proceeds are moved physically across borders, cash is often transported via cash couriers. Increasingly, young and vulnerable people are recruited, often via social media and gaming platforms, to act as money mules.

However, the criminal exploitation of cryptocurrency as a payment method has now moved beyond the scope of cybercrime, and is encountered increasingly in more traditional crime areas such as drug trafficking or migrant smuggling.

Europol also points out a mix of digital crime and traditional crime throughout the report. According to Europol, professional money launderers, increasingly with specialised knowledge in digital asset trading, have developed parallel, underground financial systems that operate outside the regulatory frameworks governing legal financial institutions.

Reflection: Methodology and a Word of caution

The EU SOCTA report is based on intelligence generated by Europol analysts from data from national law enforcement agencies. While many of its findings seem to align with criminological research and Dutch court cases relating to cryptophone operations, it is important to remember that the report is not a scientific study.

At the end of the report, there is a section: “Reflection of the academic advisory group”. This group mostly praises the report, but does have one important suggestion:

“While the current approach provides significant added value to policymakers and law enforcement agencies, the inclusion of even more peer-reviewed research, established theoretical frameworks, and interdisciplinary expertise would further enhance EU-SOCTA’s analytical depth and academic rigor”.

They welcome Europol’s decision to involve the academic community in refining the methodology for the next edition.

Involving the academic community is indeed a good step and presumably a big task. Academics will look at these contents from their own perspective and knowledge base.

For example, while the academic advisory group “particularly appreciated” the chapter on hybrid threats, I found this chapter particularly weak. The underlying message of “destabilising society” is very alarming, but I don’t think it is argued well, as it lacks clear definitions, evidence thresholds, and references. Statements about “undermining democracy” or “destabilising economies” are not well substantiated, raising questions about the frequency and impact of these threats. But then again, my view is also influenced by my own perspective, experiences, and research interests 😊!

Despite this criticism and these questions, the report may provide valuable and new insights to policy makers and professionals seeking to understand the digital transformation of organised crime.