
BBC Technology reports on Europe's Advanced Cyber Defence Centre (ACDC), of which members of the WISER consortium, Atos and XLAB are partners.
A cyber criminal is much harder for the police to pursue than a car thief, bank robber or mugger. The rise of online crime has brought about a change in the way hi-tech crimes are tackled, making infrastructures, not individuals, the focal point. According to Steve Santorelli of Team Cymru, this is part of the realisation among info-security workers and law enforcement that traditional investigations are not working.
Server shutdown
“Cross-continental co-operation between police forces has improved in recent years”, said veteran computer security expert Chester Wisniewski from Sophos, “but the procedures required to mount international operations remain formidable”. Typically, official requests for help between forces are done via a diplomatic agreement known as a Mutual Legal Assistance Treaty (MLAT).
The MLAT process can take a year among friendly nations, so between nations that do not have the best relationship it might never happen. MLATs are also not designed to handle the volumes of cases revealed by work to combat cross-border cybercrime; they are meant for a few high-profile cases.
Police forces have found other ways to collaborate internationally and this has prompted a change in tactics. Now, instead of going after the criminals they go after the servers and compromised computers used to carry out the crimes. "You need to increase the cost of them doing business," said Mr Santorelli, "taking away servers, cutting off access to the armies of compromised PCs all makes it more troubling, and costly, for criminals to operate".
Europe's Advanced Cyber Defence Centre
One large-scale effort to get at the criminal infrastructure is Europe's Advanced Cyber Defence Centre (ACDC). Funded by the European Commission, this has led to the creation of call centres in nine European nations. These get information about infected machines from ISPs who tell customers to contact the call centre to get help to clean up their compromised machines.
Peter Meyer, co-ordinator of the Centre, said that removing machines from botnets is essential for a couple of reasons: shutting down the command and control systems is really important to prevent others from taking control and removing that infrastructure forces criminals to recruit more machines, thus soaking up their time and resources. This is a big job because up to 5% of the computers on domestic ISPs are believed to be part of a criminal botnet.
ACDC is also trying to help police forces, as the fight against cyber crime is not something one individual can win. Meyer said that law enforcement is really interested in getting a better picture because they are often not well-funded and ACDC has the data.
Knocked offline
The change in tactics has led to a flurry of raids. In early April, the FBI, Europol and the UK's National Crime Agency took action against the Beebone botnet. The forces seized web domains used by the botnet's owners to control the distributed system of infected machines. Knocking these out meant control of the botnet was taken away from its operators. It was one of a rash of raids carried out in 2014 and early 2015.
In mid-2014 a huge operation was mounted against the botnet GameOver Zeus that, by itself, was responsible for infecting millions of computers every year. It was also one of the main routes by which the notorious CryptoLocker bug was spread. This malicious programme encrypted data and demanded a ransom of 400 US dollars or 367 Euros within a short time limit, or the scrambled data would be deleted. The gang behind CryptoLocker is believed to have made about $3m (€2.75m/£2m) via the ransomware. Seizing its infrastructure helped security experts decode CryptoLocker and get at the keys it used to lock data away.
The operations against Beebone and Gameover Zeus took lots of time, planning and international co-operation. At other times, security firms have moved more quickly simply because the scale of the criminal activity demands it. A case in point was the action that Cisco's Talos security team and Level 3 took against a cybercrime group known as SSH Psychos. "The attacks they were carrying out were just so blatant and aggressive," said Craig Williams, technical head of the Talos team.
The Psychos were scanning the entire internet looking for servers running the secure SSH protocol. This is the technology that protects your credit card and payment information when you buy something online. At its peak, the SSH Psycho scanning consumed more than one-third of all net traffic intended for servers capable of handling it. On every server, the attack tried 300,000 common passwords in succession to see if any worked. Some did and very quickly the Psychos had compromised about 1,000 machines. Usually such attacks are much more stealthy, said Mr Williams, adding: "These guys didn't care they were being noticed."
In response, Level 3 and Cisco changed the way data from the attack was handled by net hardware they controlled. They essentially poured it into a virtual dustbin. This ended the scanning and stopped the password attacks. It got even more effective when some other large ISPs joined in.
How a sinkhole works
With a sinkhole, law enforcement attempts to cut the link between cyber-criminals and the computers they compromise. Instead of hijacked PCs reporting in to the hi-tech criminals the data is diverted so it never reaches them. Instead it is analysed to help security firms tackle infections and make the business of cybercrime more expensive.
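The sinkhole described above, and the ISP notification loop the ACDC call centres depend on, as an added example that is not part of the BBC article or any ACDC code: a toy resolver answers seized command-and-control domains with a sinkhole address, records which client asked, and groups those clients by ISP prefix for abuse-desk notification. The domain names, addresses and prefixes are constructed (documentation and TEST-NET ranges), as is the stand-in upstream name table.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed: a TEST-NET-1 address standing in for the sinkhole server.
SINKHOLE_IP = "192.0.2.53"


@dataclass
class Sinkhole:
    """Resolver that answers seized C2 domains with the sinkhole address and records who asked."""
    seized_domains: set
    upstream: dict  # constructed name -> address table standing in for real DNS
    reports: dict = field(default_factory=lambda: defaultdict(set))

    def resolve(self, client_ip: str, name: str) -> str:
        name = name.lower().rstrip(".")
        # Match the seized domain and any subdomain, so random host labels still land here.
        if any(name == d or name.endswith("." + d) for d in self.seized_domains):
            self.reports[client_ip].add(name)  # infected host: diverted, never reaches the operators
            return SINKHOLE_IP
        return self.upstream.get(name, "NXDOMAIN")

    def infected_by_isp(self, isp_prefixes: dict) -> dict:
        """Group sinkholed clients by the ISP prefix they fall in, for customer notification."""
        out = defaultdict(list)
        for ip in self.reports:
            for isp, prefix in isp_prefixes.items():
                if ipaddress.ip_address(ip) in ipaddress.ip_network(prefix):
                    out[isp].append(ip)
        return dict(out)


def demo():
    """Run a few constructed queries through the sinkhole and return answers plus the ISP report."""
    sh = Sinkhole(seized_domains={"c2-example.invalid"},
                  upstream={"www.example.com": "192.0.2.80"})
    queries = [  # constructed (client, name) pairs standing in for resolver query logs
        ("203.0.113.10", "c2-example.invalid"),
        ("203.0.113.10", "a1b2.c2-example.invalid"),
        ("198.51.100.7", "C2-EXAMPLE.INVALID."),
        ("203.0.113.44", "www.example.com"),
    ]
    answers = [sh.resolve(client, name) for client, name in queries]
    by_isp = sh.infected_by_isp({"isp-a": "203.0.113.0/24", "isp-b": "198.51.100.0/24"})
    return answers, by_isp


if __name__ == "__main__":
    print(demo())
```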
The Psychos responded and mounted an attack from elsewhere on the net. This too was poured into the trash can. The tactic seems to have worked as the Psychos have not come back. Not yet.
Williams said that he suspects they will move again and that they can block them again. Dale Drew from Level 3 said he hoped this action was the start of a broader effort by the security community to take on cyber-thieves. The security community spends a significant amount of time just observing when really we need to take action. Drew sees this as a real opportunity to be more fluid and responsive than the bad guys.