The main “pure cyber” law: Computer Misuse Act 1990 (CMA)
Most hacking-style cases still get charged under the CMA, with the maximum sentence depending on harm and intent:
- Section 1: Unauthorised access (basic hacking / “getting in”)
  Up to 2 years’ imprisonment on indictment.
- Section 2: Unauthorised access with intent to commit further offences (hacking to steal, blackmail, etc.)
  Up to 5 years’ imprisonment on indictment.
- Section 3: Unauthorised acts impairing operation (malware deployment, DDoS, disrupting systems)
  Up to 10 years’ imprisonment on indictment.
- Section 3ZA: Unauthorised acts causing (or risking) serious damage (critical services, major harm)
  Up to 14 years, and up to life where there’s serious risk/damage to human welfare or national security.
- Section 3A: Making/supplying/obtaining “articles” for CMA offences (malware, exploit kits, hacking tools)
  Up to 2 years’ imprisonment on indictment.
The “money and misery” add-ons courts use all the time
A lot of “cyber crime” sentencing is actually driven by non-cyber offences bundled with the hacking:
- Fraud Act tool offences (possession/making/supplying articles for use in fraud)
  Up to 5 years (possession) and up to 10 years (making/supplying).
- Blackmail/extortion, theft, money laundering, conspiracy
  Often charged alongside CMA when there’s ransomware demands, data theft, laundering, or organised groups (these can push sentences up sharply because the harm is clearer and the legal maxima can be higher).
What punishments look like in practice (not just prison)
Courts can stack consequences that actually hurt criminals more than dramatic courtroom speeches:
- Confiscation of criminal benefit (think: taking the crypto, cash, assets) and forfeiture (devices, funds).
- Compensation orders (paying victims).
- Serious Crime Prevention Orders and other restrictive orders (limits on devices/communications/business activity).
- Ancillary orders (e.g., disqualifications, restraining orders where relevant).
Yes, it’s almost like the justice system can do more than wag a finger. Sometimes.
How successful has the UK been at catching cyber criminals in the last 2 years?
You asked two things: success in apprehending and how many got away. The first can be measured (sort of). The second is, by definition, a fog.
What the NCA says it achieved (FY 2023–24 vs FY 2024–25)
The National Crime Agency’s annual reports give a rare, government-level view of operational outputs:
2023–24 (1 Apr 2023 to 31 Mar 2024)
- 4,740 total disruptions (their term for evidenced impact against serious/organised crime threats).
- 376 “high-impact pursue” disruptions (bigger, nastier targets).
- More than 1,000 arrests of suspected serious/organised criminals (not all cyber, but includes cyber operations).
- Flagship cyber example: LockBit disruption (Operation Cronos), including infrastructure seizures, arrests overseas, account takedowns, crypto freezes, and thousands of decryption keys.
2024–25 (1 Apr 2024 to 31 Mar 2025)
- 6,989 total disruptions (record volume).
- More than 2,000 arrests (again across serious/organised crime, including cyber).
- 450 high-impact disruptions, with Cyber = 12 in the threat breakdown.
- 400+ cyber protection notifications, including 170 ransomware-related, with an estimate of £221m potential losses averted.
Expert quote (government/NCA leadership): the Home Secretary’s foreword cites “over 400 cyber protection alerts… helping to avert an estimated £221 million” in losses.
And the NCA Director General describes nearly 7,000 disruptions as “equivalent to 19 disruptions each and every day.”
That’s the output story: lots of disruption activity, some big international wins, and a heavy emphasis on ransomware.
What the courts pipeline suggests (prosecutions for “computer misuse” offences)
For England & Wales (not whole-UK), Ministry of Justice data published via a Parliamentary Question shows the number of CMA offences reaching a first hearing:
- 199 in 2023/24
- 197 in 2024/25
That’s not “all cyber crime” (many cases are charged as fraud, blackmail, etc.), but it’s a solid indicator that pure CMA prosecutions remain relatively small compared with the scale of offending.
How many have “got away”?
This is where humans demand a neat number for something inherently uncountable. Still, we can bound it.
The scale problem (England & Wales best-available)
The Crime Survey for England and Wales estimated:
- ~952,000 incidents of computer misuse in the year ending June 2024.
- Only about 1 in 14 computer misuse offences were reported to police/Action Fraud.
If ~952,000 happened and ~1/14 are reported, that implies ~68,000 reported and ~884,000 not reported (and therefore not even in the starting blocks for identification, arrest, or prosecution). That’s before we even get to cases that are reported but have no usable leads.
ONS also notes Action Fraud/NFIB dynamics: NFIB reported a 70% increase in computer misuse offences referred by Action Fraud (to 45,345) in the year ending June 2024, driven by hacking of social media/email doubling.
What you can honestly say in an investigation piece
- “Got away” (unknown exact number): there is no single UK-wide measure of “offenders who escaped justice,” because you’d need to identify every offender first (good luck with that).
- What the evidence supports: given hundreds of thousands of incidents, low reporting rates, and a modest volume of CMA court starts, the majority of offenders are never identified, especially those operating overseas or behind criminal service ecosystems (RaaS, bulletproof hosting, laundering networks). The NCA itself notes under-reporting and that much of the threat comes from abroad.
So: some are caught, many are disrupted, most are never personally apprehended. Not inspiring, but realistic.
What “success” looks like now (and why it still feels like losing)
The state’s strongest lever is disruption, not imprisonment
The last two years show the UK leaning hard into:
- International takedowns and ecosystem hits (LockBit-style operations).
- Preventive warnings at scale (cyber protection notifications), essentially trying to reduce victim count because you can’t arrest your way out of the internet.
Why lots still “get away”
- Volume (hundreds of thousands of incidents).
- Under-reporting (most victims never report).
- Overseas dominance and service-based cybercrime markets (RaaS, laundering-as-a-service).
The UK can and does arrest people. But the bigger trend is: the government is measuring wins by harm reduction and disruption, because “everyone gets tried at the Old Bailey” is not a serious plan in 2026.