Return of letters of marque: The US may be on the verge of taking an unprecedented step in the fight against cybercrime: With the Scam Farms Marque and Reprisal Authorization Act of 2025, Congress wants to revive a centuries-old instrument – letters of marque and reprisal, also known as letters of marque. Historically, these allowed private ship owners to capture enemy merchant fleets on behalf of their country.
Now, cyber pirates are to be given similar rights to combat foreign hackers, fraud networks, and state-sponsored cybercriminals. But what at first glance appears to be an innovative solution turns out, on closer inspection, to be a highly controversial undertaking that raises profound legal, ethical, and strategic questions.
From naval warfare to cyber warfare
A historical model for the digital world: The bill, introduced by Republican Representative David Schweikert, aims to empower private actors—whether security companies or individuals—to carry out cyberattacks on criminal organizations abroad. The reasoning is understandable: traditional law enforcement is failing in the face of the growing threat from ransomware, crypto fraud, and state-sponsored hacker groups. But the method raises the question of whether the fight against cybercrime can really be won by privatizing warfare – or whether this will instead create a dangerous precedent that blurs the lines between justice and revenge.
Letters of marque have a long but ambivalent history. In the 18th century, the US used private ships to disrupt British trade routes during the War of Independence. These privateers were not pirates, but state-licensed actors who gave up a share of their spoils in return for their services. The new bill now transfers this principle to the digital realm: instead of boarding ships, cyber specialists are to hack accounts, seize cryptocurrencies, and cripple criminal infrastructure.
But while the historical model emerged at a time when state power was limited, the modern version raises entirely new problems. The draft bill provides for the US president to issue letters of marque to private actors, who would then be allowed to confiscate the assets of cybercriminals. The definition of “cybercrime” is deliberately broad: it includes not only ransomware attacks and identity theft, but also state-sponsored hacker groups – which opens the door to politically motivated cyberattacks.
The figures supporting the bill are alarming: according to the FBI’s 2024 Internet Crime Report, there were 859,000 complaints with a total loss of $16 billion, with seniors ($5 billion in losses) and businesses being particularly affected. Many of these attacks originate in countries such as North Korea, China, or Russia, where criminal networks often operate with impunity because local authorities turn a blind eye or even collude. Given this law enforcement gap, Schweikert argues that private actors could act more quickly and effectively than overburdened authorities.
And this is precisely where the dilemma begins: Is it really a solution for a modern democratic state to legalize private hackers—or does that just create a new, uncontrollable problem?
The tempting idea: swift justice without bureaucracy
At first glance, the concept certainly has its charms, which are widely recognized: Proponents argue that government cyber defense is often too slow and bureaucratic to keep up with the methods of modern criminals. Private security companies or ethical hackers could act more flexibly without having to adhere to international diplomacy or lengthy court proceedings. Historically, privateers have been more successful than official navies—why should it be any different in cyberspace?
Another argument is cost efficiency: instead of building expensive government cyber armies, the state can leverage existing expertise from the private sector. In addition, the prospect of criminals being hacked and robbed of their loot at any time could have a deterrent effect. If fraudsters know that their accounts are not secure, it could make the entire business model of ransomware and fraud networks less attractive.
From a constitutional perspective, this approach is not entirely unreasonable either. Article I, Section 8 of the US Constitution expressly permits the issuance of letters of marque – a relic from a time when states used private actors to wage war. But while this took place at sea back then, today it is about digital sovereignty, a terrain that is far more complex and unpredictable.
The dark side: When justice becomes revenge
But as tempting as the idea may sound, the risks far outweigh the benefits. The biggest problem lies in the lack of control: Who guarantees that the pirates will abide by the rules? Who compensates innocent victims whose accounts are wrongfully seized—or ensures that victims get their stolen money back from criminals? And who decides who is considered a “criminal” in the first place?
The draft law stipulates that the president alone will decide on the granting of letters of marque – a dangerous concentration of power that invites abuse. Even more problematic is the vague regulation on the distribution of booty. While in historical cases the booty was divided between privateers and the state, it remains unclear what will happen to the confiscated assets. Will they flow into the state treasury? Will the victims of cybercrime be compensated? Or will it end up in the hands of the privateers themselves – thus creating a profitable business model for state-sanctioned hacking?
This highlights the real problem: the draft focuses on punishment and deterrence, not victim protection or redress. Instead of creating justice, it could establish a system of revenge in which private actors act on behalf of the state—without sufficient democratic legitimacy. It is particularly problematic that the draft does not set clear boundaries. If private actors hack banks or attack crypto exchanges on behalf of the US in order to seize criminal assets, innocent users could become collateral damage. Moreover, it would only be a matter of time before other countries enacted similar laws – and suddenly we would have a globally escalating arms race in cyberspace.
International law concerns: A step toward digital anarchy
Even more controversial are the implications under international law. Hacking in foreign countries is a clear violation of the prohibition of intervention (Art. 2 UN Charter), unless it is done with the consent of the states concerned. If the US now legalizes private hackers attacking foreign servers, this could be considered an act of aggression—with unforeseeable consequences.
The danger of escalation is real: countries such as China or Russia could respond with countermeasures, for example by authorizing their own “cyber pirates” or attacking US infrastructure. The result would be a digital Wild West in which every state enforces its own rules – and in the end, the weakest (ordinary citizens, small businesses) are left behind.
Irony: The US is becoming what it is fighting against
Perhaps the most paradoxical element of this bill is that the US would be doing exactly what it criticizes authoritarian regimes for doing. China and Russia have been using state-sponsored hackers for years to spy on or sabotage their opponents. The only difference would be that the US would provide its cyber pirates with a legal cover—but at its core, it is the same principle: state-sanctioned hacking, only with a different justification.
Instead of strengthening international cooperation—for example, through Interpol, Europol, or new cyber agreements—the draft focuses on individual solutions that exacerbate the problem rather than solve it. Instead of investing in state cyber defense, responsibility is delegated to private actors—with incalculable risks. And anyone who is nevertheless pleased should bear in mind that the fight against crime should focus on the victims – if North Korean hackers earn billions every year by defrauding the Western population, this money should be returned to those who have suffered losses. But that is probably not what this is about.
outlook
The Scam Farms Marque and Reprisal Authorization Act is a fascinating but dangerous thought experiment. It shows how desperately the US is searching for solutions in the fight against cybercrime—but the proposed approach is not a step forward, but a step backward.
Instead of legalizing private hackers, we need:
- Stronger international agreements against cybercrime.
- Better victim compensation instead of revenge campaigns.
- Transparent, democratically controlled cyber defense—not privatized warfare.
The history of letters of marque teaches us that private actors often create more problems than they solve in times of war. In the digital age, where the boundaries between war and crime are already blurred, such a law would be a step in the wrong direction. The real question is therefore: Should we really create a system in which justice becomes a commodity—or do we not rather need more legal certainty, more cooperation, and more protection for victims?
Availability: By email, callback, Threema or Whatsapp. Information about our fees.
Our law firm specializes in criminal defense, cybercrime, commercial criminal law including criminal tax law as well as IT law and manager liability. We only take on criminal defense cases for consumers—we are based in the Aachen area and operate nationwide.
- Cyber pirates: Does the US want to legalize malicious hackers? - 5. October 2025
- Coffee Tax in Germany - 30. September 2025
- Drone defense in German law - 26. September 2025