Cyber crime can feel “invisible” (VPNs, crypto, encrypted apps, overseas hosting), but in the UK people do get identified, charged, convicted, and jailed — including for phishing-kit sales, unauthorised access, extortion/blackmail, and attacks that disrupt systems.
What’s most important to understand is this:
- Some offences are “pure” cyber (charged under the Computer Misuse Act 1990).
- Many are cyber-enabled (fraud, blackmail, money laundering), where the computer is the tool but prosecutors may use Fraud Act / Proceeds of Crime / blackmail charges alongside (or instead of) Computer Misuse Act counts.
How people actually get caught in the UK
1) Digital traces are messy (and investigators rely on that)
Even skilled offenders leave evidence:
- seized phones/laptops (messages, tools, logs)
- cloud accounts and backups
- crypto trails (especially when cashed out or mixed badly)
- domain/hosting trails, Telegram/Discord evidence, payment records
- operational mistakes (re-using handles, emails, or infrastructure)
Investigations are often built from lots of small proof points rather than one “smoking gun”.
2) “Cyber” arrests are often triggered by victims and businesses
A common pattern is:
- an organisation spots unusual access (new monitoring, alerts, audit logs)
- reports to police / Action Fraud / regulator
- devices and accounts are seized
- prosecutors build a timeline tying a person to the activity (devices, chats, transactions)
A real UK example: the RAC installed monitoring, suspicious access was detected, and that intelligence became part of the enforcement process.
3) Serious cases involve specialist units and international partners
For larger cyber cases (especially cross-border), you’ll often see:
- specialist police cyber units
- City of London Police (notably around fraud)
- National Crime Agency / NCCU support
- overseas law enforcement cooperation
That international element matters because many UK cases involve infrastructure or victims abroad (or vice-versa).
So… do people actually go to prison? Real UK examples
Example A: Selling phishing kits → 7 years in prison
A university student (Ollie Holman) was jailed for selling over a thousand phishing kits used to defraud victims at scale. The CPS said the case should warn others that “you cannot hide behind online anonymity or encrypted platforms.”
Why it matters: this is the modern cybercrime business model—selling “crime-as-a-service” kits to others—and UK courts have shown they will hand out long sentences when harm is large and the offender profited.
Example B: Unauthorised computer act risking national security → 7.5 years
A former GCHQ intern (Hasaan Arshad) was jailed after copying top secret files and taking them home, convicted under section 3ZA of the Computer Misuse Act (serious damage / risk of serious damage).
The CPS framed it as a deliberate breach that created a serious risk, and the sentence shows how sharply the system escalates when national security or critical harm is involved.
Example C: Lower-level “insider misuse” can still lead to criminal court (sometimes suspended)
Two former RAC employees were sentenced to six months’ imprisonment (suspended) after unlawfully accessing and selling personal information (Computer Misuse Act + Data Protection Act offences).
This is a good “reality check” example: not every cyber offender goes straight to immediate custody, but you can still end up with:
- a criminal conviction
- a prison sentence (even if suspended)
- unpaid work requirements
- proceeds of crime proceedings
Example D: High-profile intrusion/extortion investigations can lead to arrests
In major incidents (for example, the reported arrests linked to cyber attacks on well-known UK retailers), authorities have arrested suspects on offences including Computer Misuse Act, blackmail, and money laundering.
Arrest ≠ conviction, but it illustrates that high-impact UK cases are actively pursued, even when offenders are young and operating in groups.
What prison time is possible under UK law (in plain English)
Computer Misuse Act (England & Wales) — penalties can be severe
CPS guidance sets out that the maximum sentence can reach 14 years on indictment for some offences, and life imprisonment where serious damage / risk of serious damage to human welfare or national security is involved (depending on the section and facts).
Why some cyber criminals get longer sentences under non-cyber laws
Even when “the hack” is the headline, sentencing can be driven by:
- fraud losses
- blackmail/extortion
- money laundering
- organised crime involvement
So the “cyber bit” may be only part of the final sentence.
Why it can feel like cyber criminals “get away with it” (but often don’t)
1) Many cases never make the news
Local court reporting is patchy, and lots of prosecutions (especially smaller ones) don’t trend online.
2) Some offenders are dealt with in different ways
Depending on harm, age, and guilty plea:
- suspended sentences can be used
- community orders are possible
- serious crime prevention orders and confiscation can follow (financially devastating)
You still end up with life consequences (criminal record, restrictions, confiscation).
3) The highest-end offenders may be overseas
UK law enforcement can still disrupt them, but prosecution is harder if extradition/cooperation isn’t available.
Reference links (for “read more” / transparency)
- CPS press release: student jailed for selling phishing kits (7 years).
- CPS press release: former GCHQ intern jailed (7.5 years) under CMA s3ZA.
- CPS prosecution guidance: Computer Misuse Act overview and sentencing context.
- ICO prosecution update: RAC employees convicted (CMA + DPA) with suspended sentences.
- Reported arrests linked to major UK retail cyber incidents (example of active enforcement).
We have created Professional High Quality Downloadable PDF’s at great prices specifically for Small and Medium UK Businesses our main website. Which include various helpful Cyber related documents and real world scenarios your business might experience, showing what to do and how to protect your business. Find them here.
