The FBI is adding more cyber-focused agents to U.S. embassies

The FBI is increasing the number of agents deployed to American embassies abroad to focus on cyber-related crime, part of the bureau’s latest effort to improve the way it combats international cybercrime.

The six new positions represent a nearly 40% increase of the FBI’s cyber assistant legal attachés (ALATs) and will include new postings in New Delhi, Rome and Brasilia, an agency spokesperson told CyberScoop exclusively. The increase brings the total number of cyber-focused FBI agents deployed to U.S. embassies to 22.

Enabled by digital infrastructure dispersed across the world, cyber criminal operations increasingly involve victims and perpetrators in wildly disparate locations, making it difficult for domestic law enforcement agencies to coordinate their investigations and to collect perishable evidence.

“Their playing field, if you will, is the world,” said Brian Abellera, the FBI’s cyber assistant legal attaché stationed in Ottawa.

Cyber assistant legal attachés are part of the much bigger legal attaché program, which dates to the early 1940s and provides law enforcement and intelligence agencies a mechanism to liaise with their foreign counterparts. The FBI has 63 legal attaché offices in embassies and consulates around the world, covering more than 180 countries, according to the agency.

The bureau began placing cyber-focused agents in U.S. embassies in 2011, with agents deployed to Romania, Australia, the Netherlands, Estonia, Ukraine and Canada.

The expansion of the cyber program is part of a broader shift by the FBI and the Department of Justice toward a more proactive approach to combating cybercrime operations and infrastructure, which has led to several major international disruptions and takedowns in recent years. Rather than investigating crime after the fact, U.S. law enforcement is increasingly trying to disrupt the work of criminal groups.

“In days gone by, that might have been heresy,” U.S. Deputy Attorney General Lisa Monaco said in remarks at the RSA security conference last year.

That approach is resulting in fewer arrests — like when law enforcement agencies seized infrastructure belonging to the Hive ransomware group but failed to put any of its members in cuffs. That operation enabled the FBI to obtain decryption keys for victims and avert more than $130 million in ransomware payments, Monaco said at the time.

The April 2023 operation to disrupt the Genesis Market — a robust marketplace selling access credentials for various online services — is a prime example of the necessity of cyber legal attachés, Abellera said.

That operation involved 17 countries and resulted in 119 arrests, 208 property searches and 97 “knock and talk measures,” Europol said at the time. In the United States, the operation spanned 45 FBI field offices, led by the Milwaukee Field Office, working on a scale the DOJ called “unprecedented.”

The FBI’s Milwaukee office probably could have carried out some of that work on its own and had some disruptive effect, Abellera said.

“But what if 60 agencies across 16 countries across 10 time zones, within one day, were able to lash up as one unified team and conduct an action together?” he added. “Where Milwaukee maybe alone would have done a couple operations throughout the US with other 45 field offices, we expand that out and scale it out to over 400 actions across multiple countries.”

The FBI’s cyber-focused attachés played an important role in coordinating the work of sending police officers around the world to knock on the doors of Genesis users, which resulted in both arrests and also helped to undermine trust in the community that had come to rely on the marketplace.

The operation required careful coordination and a sequence of events spanning multiple time zones that essentially “follow[ed] the sun,” Abellera said.“If it were done in a haphazard way,” or if police in one country “jumped the gun,” Abellera said, participants in the criminal scheme may realize “something may be afoot” and cause evidence in another country to be lost.

Going forward, Abellera said that he is focused on combating international ransomware operations targeting cross-border critical infrastructure, work that has both law enforcement and intelligence collection applications.

All of it is contingent on continued trust and cooperation with the international partners, he said.

“There’s no way that the FBI alone can ever have the resources, expertise or reach to maximally impose risk and consequences on adversaries without our international partners,” Abellera said. “We need them, and that’s why this program is of paramount importance.”