37 percent. That is the share of cybercrime arrests accounted for by people aged 35 to 44, according to sweeping new research that should prompt a serious rethink of how governments, insurers, and corporate security teams picture their adversaries.
The findings come from Orange Cyberdefense's Security Navigator 2026, which analysed 418 publicly announced law enforcement actions taken between 2021 and mid-2025. The data shows offenders in the 35-to-44 bracket form the single largest age cohort. Add the 25-to-34 group (30 percent of cases) and you have nearly six in ten arrests concentrated in people who are fully into working-age adulthood, as reported by The Register.
The under-18 cohort? Barely 5 percent. The much-discussed 18-to-24 bracket accounts for 21 percent. The "teenager in a hoodie" archetype makes for compelling television, but the arrest sheets tell a markedly different story.
Follow the money by age group
Here's the thing: the type of crime shifts sharply with age, and the shift is always toward higher returns. Among the 18-to-24 group, activity is relatively scattered. Hacking accounts for 30 percent of cases, with selling stolen data and launching distributed denial-of-service (DDoS) attacks each contributing around 10 percent.
By the time offenders reach their late twenties and early thirties, the portfolio tightens. Selling stolen data rises to 21 percent of cases, cyber extortion climbs to 14 percent, and malware deployment accounts for 12 percent. The pattern is clear: monetisation becomes the dominant objective.
Among the 35-to-44 cohort, cyber extortion tops the crime list at 22 percent, followed by malware at 19 percent, cyber espionage at 13 percent, and even money laundering at 7 percent. These are not impulsive acts of digital vandalism. They require infrastructure, negotiation skills, cryptocurrency handling, and sustained operational discipline.
Charl van der Walt, Head of Security Research at Orange Cyberdefense, put it plainly:
"Cybercrime careers appear to peak much later into adulthood, accompanied by vastly more sophisticated and intentional techniques."
An industrialised threat, not a teenage pastime
Cyber extortion has exploded on a global scale, with the number of victims tripling since 2020 and reaching up to 19,000 organisations, the data reveals. Small and medium enterprises account for two-thirds of those affected, and critical sectors have been hit hard, with finance and insurance recording a 71 percent increase and healthcare a 69 percent rise in victim numbers.
Cybercrime has not just been professionalised; it has become industrialised, operating on a "Crime-as-a-Service" model. The dissolution of major groups such as LockBit and Black Basta has given way to a multitude of smaller players, each operating on a comparable scale, with the list of active malicious actors almost tripling from 33 to 89. Running extortion campaigns at that scale demands experienced operators, not curious adolescents.
A legitimate caveat worth taking seriously
The data does carry an important limitation. The open-source dataset likely under-represents arrests involving young teenagers, partly because law enforcement agencies are generally reluctant to charge young teenagers at all, leading to a potential underestimation of how early youth involvement in cybercrime begins.
High-profile cases involving groups like Lapsus$ and Scattered Spider serve as a reminder of the need for proactive and preventive approaches to help talented young people channel their abilities lawfully. Prevention programmes targeting youth remain a legitimate policy priority, even if the headline arrest figures point firmly toward middle age.
For Australian businesses and the Australian Cyber Security Centre, the practical implication is pointed. If the most damaging cyber operations are run by experienced adults operating professional criminal enterprises, then the response needs to match that reality: hardened enterprise defences, serious law enforcement resourcing, and public-private cooperation that goes beyond awareness campaigns aimed at teenagers.
The numbers reveal a threat that has grown up. The policy response should too. Australia's cyber security strategy acknowledges this shift toward organised, industrialised adversaries, but translating that acknowledgement into concrete, funded action remains the harder task.