NCSC neutralizes fewer cyber crime campaigns for first time in six years

NCSC logo superimposed with a translucent background in front of an office building
(Image credit: Getty Images)

The UK’s National Cyber Security Centre (NCSC) announced today that the total number of cyber crime takedowns has fallen for the first time in six years.

According to its annual Active Cyber Defence (ACD) report, it shut down 1.8 million malicious campaigns and 2.4 million malicious URLs throughout 2022, representing a 33% and 22.5% fall on 2021’s figures respectively.

The NCSC started publishing its ACD reports in 2017 and until 2023, every year had led to an increasing number of takedowns.

Much of the reduction came from a drop in takedowns of extortion mail servers. Its figures for 2022 stood at 528,000, down from 2021’s 1,867,439,  and cryptocurrency investment scams which dropped to 459,278 from 610,621 the previous year.

The cyber security arm of GCHQ didn’t offer a concrete explanation regarding why the number of takedowns had fallen, and the campaign-by-campaign breakdown of the takedown data showed mixed conclusions. 


Whitepaper cover with title over image of colleagues chatting in an office with red circular digital icons around them

(Image credit: Zscaler)

ThreatLabz 2023 Phishing Report

Helping you realize the tactics used in phishing attacks, in order to prevent costly data breaches


Some attacks dropped in frequency, like extortion mail servers, but others soared, like the takedowns of malware-associated URLs.

Both malware infrastructure URLs and web-inject malware URLs were in the top ten list of  campaign types that were taken down this year.

The former rose to 18,337 takedowns in 2022, up from 5,270 in 2021, and the latter rose to 6,287 from 1,466 the previous year.

One of the possible explanations for the drop in takedowns could be due to apparent low uptimes of the campaigns.

Mail servers have a median availability of 25.5 hours, according to the report, and cryptocurrency investment scams stand at one hour. In comparison, the next top five attack types have a combined median of 56.29 hours. 

The figures suggest that the longer an attack is available, the more time there is for a takedown to occur.

The report also noted a drop in attacks hosted from the UK to the tune of 25%.

While phishing attacks remained at the top of the list, the number of attacks fell markedly, from 113,457 in 2021 to 77,471 in 2022 and a reduction from ten to seven hours of median availability.

Brute force attacks also formed part of the report and, despite the ACD only starting the use of honeypots in August 2022, 40,890 takedowns were recorded. 

SSH was the protocol that led to most takedowns - more than 32,000 were reported from August 2022 to December 2022 - followed by RDP, WordPress, and Exchange some way behind.

Other services covered in the NCSC report include the suspicious email reporting service, which permits members of the public to report suspicious emails and web sites. According to the report, malicious URLs were removed from the internet in an average of six hours. 

What is the NCSC’s Takedown service?

The ACD’s Takedown service finds malicious sites and removes them before significant harm can be done. 

It is focussed on what it deems would cause the most harm to UK interests and also targets all malicious activity hosted in the UK.

It was initially developed with just UK government organizations in mind, but has broadened to cover a wider range of users over the years.

In 2020 it commenced takedowns against cryptocurrency investment scams, takedowns of which peaked in January 2021 before following a consistent downward trend into December 2022.

Richard Speed
Staff Writer

Richard Speed is an expert in databases, DevOps and IT regulations and governance. He was previously a Staff Writer for ITProCloudPro and ChannelPro, before going freelance. He first joined Future in 2023 having worked as a reporter for The Register. He has also attended numerous domestic and international events, including Microsoft's Build and Ignite conferences and both US and EU KubeCons.

Prior to joining The Register, he spent a number of years working in IT in the pharmaceutical and financial sectors.