
So You Want to Hack Back

Here’s What You Should Know

October 9, 2025
  • John P. Carlin
  • Strategic Advisor and Chair Emeritus for Cybersecurity, Aspen Digital

A hack back is a type of cyber response that incorporates a counterattack designed to proactively engage with, disable, or collect evidence about an attacker. Although hack backs can take on various forms, they are—by definition—not passive defensive measures.

Hack back tactics can help deter cyberattacks, as they could increase prospective risks and actual costs for attackers; if attackers begin weighing the possibility of a retaliatory counterattack that could wipe out their servers or networks, malware that would help law enforcement track them down, or the potential corruption or encryption of any data they do exfiltrate, they may decide that an attack’s risks outweigh its reward. As compared to purely offensive tactics, calculated hack backs—such as malware booby traps—can, in theory, be precisely targeted to harm only the attacker’s systems, reducing the collateral damage to innocent parties.

But these tactics also carry significant risks. First, and perhaps most significant, is the risk of misattribution and collateral damage to unwitting third parties. Threat actors engaged in organized hacking campaigns often use commercial cloud service providers, botnets of compromised home or small office routers, VPNs, and other infrastructure controlled by unwitting third parties to obfuscate the source of their attacks. In this context, there is a risk that in retaliation, a counterattacker might strike a system belonging to an unwitting and innocent third party. Second, even if the counterattacker tracks down the attacker, retaliation against the attacker might still lead to collateral damage to distinct connected networks and systems that played no role in the attack. Finally, deploying a hack back tactic against an attacker may lead the attacker to retaliate in turn, leading to a cycle of escalating countermeasures in which each party, believing it is deploying a form of active defense, deploys new cyberattacks and increases the risk of conflict or harm to innocent parties.

The prevailing view is that there is a blanket prohibition on “hacking back” by private parties. The Computer Fraud and Abuse Act (“CFAA”), codified at 18 U.S.C. § 1030, is the primary federal computer crime statute and provides broad civil and criminal liability for hacking.[1] While the full extent of the CFAA’s application to hack backs is uncertain, the law creates two major barriers to private-party hack backs:

  • First, 18 U.S.C. § 1030(a)(2)(C) prohibits any “intentional[] access[]” to a computer[2] “without authorization or exceed[ing] authorized access.” Both courts and commentators have analogized this to trespass. Because courts have interpreted the term “access” extremely broadly, there is a risk that hack backs could run afoul of this provision—especially as many hack back techniques inarguably intend to interact with the hacker’s computer.[3]
  • Second, 18 U.S.C. § 1030(a)(5) prohibits “knowingly caus[ing] the transmission of a program, information, code, or command” and, as a result of such conduct, “intentionally caus[ing] damage” to a computer without authorization. Also prohibited is “intentional access” to a computer “without authorization,” that causes “damage and loss.” The CFAA defines damage as “any impairment to the integrity or availability of data . . . [or] a system.” This creates a blanket prohibition on impairing the integrity of data on someone else’s computer, for instance, by encrypting or deleting it.

Taken together, these two sections appear to strictly circumscribe a private entity’s ability to engage in hack back tactics that involve accessing a hacker’s systems, but do not necessarily proscribe active defense measures undertaken entirely within the private entity’s own systems.

A victim defending such measures in litigation might argue that they had not “intentionally access[ed]” the attacker’s system, or “knowingly cause[d]” the transmission of the code to the attacker’s system in violation of the CFAA so long as the attacker was the one to cause its exfiltration to their own system, and the victim did not issue commands to the tools after they left the victim network.

While certain hack back strategies might violate the CFAA when undertaken by private parties alone, certain federal statutes contemplate that private action might be permissible when paired with government oversight or authorization. Specifically, 18 U.S.C. § 1030(f) provides that the CFAA “does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency,” which arguably could allow federal agencies to deputize private cybersecurity firms, authorize them to trace intrusions, or permit them to carry out certain countermeasures on the government’s behalf. Similarly, Section 104 of the Cybersecurity Information Sharing Act of 2015 (“CISA”) authorizes private entities to, “for cybersecurity purposes, monitor” or “operate a defensive measure” on their own information systems or—if they have written authorization—on those of “another non-Federal entity.” Although Section 104 expressly excludes from “defensive measures” any measures that would “render unusable” or “substantially harm[]” another entity’s information or information system, there arguably remains room for limited government-sanctioned private hack back tactics.

Questions about the legal permissibility of hack backs by private actors should begin with an evaluation of the broad range of hack back tactics. The following chart traces the existing authority for eight “hack back” tactics, ranging from pure active defense to offensive measures.

Such authorization or oversight might involve direct cooperation with federal law enforcement, but it can also be obtained through the pursuit of private rights of action, as illustrated by three use cases from Microsoft’s Digital Crimes Unit discussed below. 

In 2013, Microsoft’s Digital Crimes Unit, acting under a civil seizure warrant issued under a district court’s general equitable powers,[4] and in coordination with the FBI, helped disrupt roughly 1,400 botnets created with “Citadel,” a malware toolkit used to steal more than $500 million from financial institutions. The operation, code-named “b54,” “marked the first time that law enforcement and the private sector [] worked together . . . to execute a civil seizure warrant as part of a botnet disruption operation.”

In 2020, Microsoft’s Digital Crimes Unit engaged in an investigation that allowed it to identify details about Trickbot, one of the world’s largest malware operations used to infect and control victim computers, including the IP addresses of Trickbot’s command and control servers. Acting pursuant to a temporary restraining order issued by the U.S. District Court for the Eastern District of Virginia,[5] Microsoft disabled the IP addresses, rendered the content stored on the command and control servers inaccessible, suspended all services to the botnet operators, and blocked any effort by the Trickbot operators to purchase or lease additional servers. Microsoft was able to obtain the court order in connection with a complaint alleging violations of the Copyright Act, the Electronic Communications Privacy Act, the Lanham Act, and state tort law resulting in injuries to Microsoft, its customers, and the public.

In September 2025, Microsoft’s Digital Crimes Unit announced that it had disrupted the RaccoonO365 phishing service, which has been used to steal Microsoft 365 credentials. This disruption was possible because Microsoft was able to engage directly with the threat actor without revealing its identity in order to acquire phishing kits and additional information. This allowed the Microsoft team to engage in Bitcoin transaction analysis to identify the threat actor. After obtaining this information, and pursuant to a temporary restraining order issued by the U.S. District Court for the Southern District of New York,[6] Microsoft seized 338 websites associated with the service.

As the law currently stands, specific forms of purely defensive measures are authorized so long as they affect only the victim’s own systems or data.

As for the broad range of other hack back tactics that fall between active defense and offensive measures, private parties should continue to engage in these tactics only with government oversight or authorization. These measures exist within a legal gray area and would likely benefit from amendments to the CFAA and CISA that clarify and carve out the parameters of authorization for specific self-defense measures. But in the absence of amendments or clarification on the scope of those laws, private actors can seek governmental authorization through an array of channels, whether by partnering with law enforcement or by seeking authorization to engage in more offensive tactics from the courts in connection with private litigation.


[1] This statute is not without controversy. Professor Orin Kerr has argued that the language is so broad that courts might feel obligated to adopt narrow constructions to avoid unconstitutional vagueness concerns. Orin Kerr, Vagueness Challenges to the Computer Fraud and Abuse Act, 94 Minn. L. Rev. 1561 (2010). Some have suggested that the law invokes the rule of lenity, which would give parties engaging in hack backs the benefit of the doubt under ambiguous terms of the statute. And others have suggested that common-law doctrines of self-help, under which victims of physical theft are authorized to take limited, non-violent steps to recover property, could counsel in favor of interpreting the statute narrowly to exclude hack backs by private victims or even provide a separate legal basis for such activity. Jeremy Rabkin and Ariel Rabkin, Hacking Back Without Cracking Up, Hoover Working Group on National Security, Technology, and Law 14 (2016).

[2] Although the statute formally protects only specific classes of computers, any computer that is “used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States” is covered. 18 U.S.C. § 1030(e)(2).

[3] The argument that hack backs serve constructive goals, such as identifying hackers or deterring data theft, might be irrelevant for CFAA purposes: In Van Buren v. United States, 593 U.S. 374, 383 (2021), the Supreme Court adopted a narrow interpretation of “authorization” for the purposes of the CFAA, holding that the purpose or goal of the access was irrelevant.

[4] See Microsoft Corp. v. Does, No. 3:13-cv-00319, 2013 U.S. Dist. LEXIS 168237, at *8 (W.D.N.C. Nov. 13, 2013).

[5] Ex parte Temporary Restraining Order, Microsoft Corp. v. Does, No. 1:20-cv-01171-AJT (E.D. Va. Oct. 6, 2020).

[6] Ex parte Temporary Restraining Order, Microsoft Corp. v. Ogundipe, No. 25-cv-7111 (S.D.N.Y. Sept. 16, 2025).

The views represented herein are those of the author(s) and do not necessarily reflect the views of the Aspen Institute, its programs, staff, volunteers, participants, or its trustees.