William Lyne of the UK’s National Crime Agency joins us live at Infosecurity Europe to talk ransomware, AI threats, and the future of cybercrime disruption.
William Lyne of the UK’s National Crime Agency joins us live at Infosecurity Europe to talk ransomware, AI threats, and the future of cybercrime disruption.
When the UK’s top cyber intelligence strategist sits down with you in London, you listen — and you hit record.
At Infosecurity Europe 2025, the ITSPmagazine podcast team — Marco Ciappelli and Sean Martin — sat down with William Lyne, Deputy Director and Head of Cyber Intelligence at the UK’s National Crime Agency (NCA). This is the guy who not only leads cyber strategy for the NCA, but has also represented the UK at the FBI in the U.S. and now oversees national-level ransomware disruption efforts. It’s not just a conversation — it’s a rare front-row seat into how one of the world’s most serious crime-fighting agencies is tackling ransomware 3.0.
The message? Ransomware isn’t just a cyber issue. It’s a societal one. And it’s evolving faster than we’re prepared for — unless we change the game.
“It went from niche to national threat fast,” Lyne explains. “The tools were always there. It just took a few threat actors to stitch them together.”
From banking malware to fully operational cybercrime-as-a-service ecosystems, Lyne walks us through how the underground economy has industrialized. Ransomware isn’t just about tech — it’s about access, scale, and business models. And most importantly, it’s no longer limited to elite coders or closed-door Russian-speaking forums. The barrier to entry is gone, and the dark web is wide open for business.
Sean brings up the obvious: “Why does this still feel like we’re always reacting?”
Lyne responds: “We’ve shifted. We’re going after the ecosystem — the people, the infrastructure, the business model — not just the payload.” That includes disrupting ransomware-as-a-service, targeting marketplaces, and yes, investing in preemptive intelligence.
Marco flips the script by comparing today’s cyber landscape to something deeply human. “Extortion is nothing new — we’ve just digitalized it. This is human behavior, scaled by tech.”
From there, the conversation takes a future-facing turn. Deepfakes, AI-powered phishing, the commoditization of generative tools — Lyne confirms it’s all on their radar. But he’s quick to note that cybercriminals aren’t bleeding-edge innovators. “They adopt when the ROI is right. But AI-as-a-service? That’s coming. And it will reshape how efficient — and damaging — these threats become.”
And then the real insight lands:
“You can’t wait to be a victim to talk to law enforcement. We may already have access to the infrastructure. The earlier we hear from you, the better we can act — and fast.”
That kind of operational openness isn’t something you heard from law enforcement five years ago. It signals a cultural shift — one where collaboration is not optional, it’s essential.
William also highlights the NCA’s partnerships with private sector firms, academia, and international agencies, including the Kronos operation targeting LockBit infrastructure. These kinds of collaborations prove that when information moves, so does impact.
Why does this matter?
Because while most cybersecurity media gets stuck in product buzzwords and vendor hype, this is the real stuff — how ransomware groups behave, how law enforcement thinks, and how society can respond. It’s not theory. It’s strategy, lived on the front lines.
🎧 Listen to the full episode and explore more Infosecurity Europe 2025 coverage at ITSPmagazine.com.
If you’re in cybersecurity, public safety, critical infrastructure, or just trying to keep your business alive in 2025 — you don’t want to miss this one.
Keywords:
cybersecurity, ransomware, cybercrime, national security, threat intelligence, encryption, data breach, AI in cyber, phishing, law enforcement collaboration, cyber ecosystem, cyber resilience, digital forensics
___________
Guest: William Lyne, Deputy Director and Head of Cyber Intelligence at the UK’s National Crime Agency (NCA) https://www.linkedin.com/in/will-lyne-3a2549188/
Hosts:
Sean Martin, Co-Founder at ITSPmagazine | Website: https://www.seanmartin.com
Marco Ciappelli, Co-Founder at ITSPmagazine | Website: https://www.marcociappelli.com
___________
Episode Sponsors
ThreatLocker: https://itspm.ag/threatlocker-r974
___________
Resources
Learn more and catch more stories from Infosecurity Europe 2025 London coverage: https://www.itspmagazine.com/infosec25
Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage
Want to tell your Brand Story Briefing as part of our event coverage? Learn More 👉 https://itspm.ag/evtcovbrf
Want Sean and Marco to be part of your event or conference? Let Us Know 👉 https://www.itspmagazine.com/contact-us
___________
Marco Ciappelli: we've done this before.
Sean Martin: Yeah.
Marco Ciappelli: Sean,
Sean Martin: Marco.
Marco Ciappelli: What are you doing here and what is here?
Sean Martin: We are in London, info [00:01:00] Security Europe. Uh, I can tell from the weather,
Marco Ciappelli: right? I think it's so
Sean Martin: windy and rainy that it's coming through the window.
I,
Marco Ciappelli: I love it. I, no, no. Maybe it's because I live in Los Angeles, so for me, a rainy day is a good day, you know? That's right. It's a, the difference of response. It's not
Sean Martin: 70 and sunny. Or,
Marco Ciappelli: or a hundred is involved or
Sean Martin: a hundred. Yeah,
Marco Ciappelli: let's not go there. Alright. Let's stay in London. Stay in London, security Europe, and, uh, having great conversation.
And I wanna thank, uh, you know, will to fi for finding the, the, this
Sean Martin: I know.
Marco Ciappelli: Time to squeeze in a conversation
Sean Martin: with us. You're, you're a busy, busy guy this week, at least today. No, it's a pleasure.
William Lyne: Thanks very much for the, for the invite. Looking forward to the conversation.
Sean Martin: Yeah, absolutely. So you have a speaking spot here.
Which is really good. Well, you're on a panel, so I'm not Yeah. On a panel. Yeah. Um, so we'll hear, we'll get a little bit about that. But actually before we get into the topic, uh, your role, your interest in cybersecurity, obviously those two are connected. Yeah. Um, so give [00:02:00] us a little background on who will.
William Lyne: Yeah, so, so currently the head of cyber intelligence at the UK's National Crime Agency, the, the NCA. So we're, we're kinda a little bit like federal law enforcement in, in the uk, but we're specifically focused on serious organized crime. Um, and the unit that, that I'm a part of is the National Cyber Crime Unit.
So we have responsibility for, um. For, for cyber crime, but, but specifically really focused on the criminal side as opposed to, as opposed to state threats or a PT threats. So we are, we're just focused on, on cyber crime. So big focus for us on, on ransomware as you, as you can imagine. Um, I've worked in and around cyber now for kind of over 10 years actually.
So, uh, have, I've run teams in the uk uh, doing cyber investigations and I was the NCAA's liaison to. Uh, FBI cyber division over in the US from 2016 to, to about 2020. Uh, and then came back and, uh, and have worked, uh, in a couple of intelligence roles within, uh, within the NCA specifically focused on cyber since then.
So, uh, yeah, kind of probably over, over 10 years, specifically focused on [00:03:00] cyber, uh, which,
Marco Ciappelli: which was this industry is a long time.
William Lyne: Yeah, it is. It is a long time. Yeah. Um, yeah, I, I just find it fascinating. I think it's such a, such an interesting threat area to be involved in.
Sean Martin: Can I ask this? The role of technology in, well, I'll just simplify it, both sides of the crime coin, if you will, enabling criminals and making it easier, potentially less, less easy for an investigators.
I'm thinking things like Signal and other encrypted communication channels where a lot of stuff goes underground and it's. Maybe harder to find and dig up the, the source and the activities and all that stuff. So kind of the role of both sides.
William Lyne: Yeah, I mean, technology is an increasing. Part of everyday life.
And I think, you know, in many ways, uh, lots of crime is now enabled or supported by technology. So cyber crime in specific, uh, cyber crime specifically, I like to think about it as, [00:04:00] as existing and a product of like a big cyber crime ecosystem where you have threat actors. I. Uh, accessing tools and capabilities within that ecosystem.
Um, so, so yeah, it does change the nature of the threat and it, and it absolutely does mean that in law enforcement we have to evolve our response and change what we do to deliver outcomes against the threat in, in response to that. So, uh, but you know, in many ways the kind of like core facets of investigation and delivering outcomes, you know, in many ways are common with us.
Whether you are very focused on technology enabled crime or, or, or kinda a more traditional serious crime, you know, drug trafficking and such like that we've, that we've done for a much longer period of time.
Sean Martin: Is there a lot of overlap between the physical and the cyber?
William Lyne: Uh, yeah. I mean, I think I. Yeah, I think increasingly in the cyberspace we see kinda like everything operating within a spectrum, uh, you know, on, on a, on a spectrum.
So it used to be the case that, uh, you know, we had quite clear stovepipes what might be cyber dependent crimes. So, you know, offending that you could only commit with a computer. It's like [00:05:00] ransomware's a really obvious one. Mm-hmm. Or cyber enabled crime where, you know, there are crimes you can commit without a computer, but technology.
Enables you to scale them up and all that type of stuff. Like, so, like fraud is a, is a big one. You know, lots of fraud is conducted online. I think, yeah, there used to be some clear kind of like daylight between those two things. And I think increasingly we're seeing everything kind of incorporating a little bit more.
It's all a little bit more of a melting pot, isn't it? And I think everything is placed on a bit of a spectrum, uh, as opposed to having these clear, delineated threats. So, yeah. Well we do see, um, significant cover overlaps in, in, in threats in, in crime.
Marco Ciappelli: So my vision when I try to explain. To people like the, the hybrid world that we live in, right?
You know, there is a digital, like it's another dimension. Well, in reality is part of who we are right now. So I always think about like when, when, uh, apple and Microsoft, they brought the dashboard on the computer. They didn't just create new object that we'll bring the desktop and the file folder and you know, [00:06:00] everything that we use in normal daily life and we put it in, in the digital world.
And as we. Can do that to, to work. We took ransomware, which existed before the Digital War. That, and it, it became, you know, I mean ransom, it became ransomware. So the, the overlap, what I'm saying is inevitable, but the scale of it.
William Lyne: Yeah. Yeah. Extortion has been around for a really long time, right. The human, um, you know, ransomware is that mashed together of ransom and, and malware.
Um, and I think sometimes when I reflect back and look at Tom, look. Back in the late 2010s, for example. And at that point in time, we were really focused on banking malware. You know, banking malware was kind of like the big threat of the day. Uh, but all of the elements that you needed for ransomware to become a really significant issue for us, were all there.
You had kind of like commodity ransomware variants. You had, uh, people being able to utilize [00:07:00] modern encryption techniques, you had access to all of these victims. Um, and, and yet it just took some threat actors to kind of innovate and put those things together. And it meant the ransomware kind of went from a niche cybercrime problem probably in the late 2010s to a really significant national security issue for us in the UK and across the west in a really short period of time.
Uh, and I think. That's why now in the NCA we're, we're quite invested and we really focus on that cybercrime ecosystem. 'cause we think that understanding that we think that lots of cybercrime threats are kinda like manifestations or products of that ecosystem. So hopefully we'll insure ourselves against that in the future.
But, um, uh, let's see.
Marco Ciappelli: And, and the, the 3.0, I know it's part of the, the panel, you, you, your habit ransomware 3.0, what. What would define a 3.0 evolution? I don't.
William Lyne: Good. I don't know. I'm not sure what I, if I know what Ransomware 3.0 is, um, I think, I think it's just a representation, isn't it? That it's a constantly evolving threat, right?
Uh, and it's [00:08:00] evolving and it's adapting and it's innovating all the time. You know, I think that there's two kind of like broadly connected trends that this ransomware ecosystem drives. It, it, it loads the barrier of entry to get into cyber crime, right? It's easier than it's ever been to, to, to, to access tools and capabilities.
And it perforates those tools and capabilities within that ecosystem. Uh, and that delivers innovation. The threats changing all the time. Um, I think, yeah, lots of that. I think that's what we mean when we're saying ransomware 3.0
Sean Martin: and that so many questions. I'll, I'll ask this one first. It seems that, uh, we look at like hospitals being compromised and, and held for ransom, and patients not being treated as fast or effectively as possible.
Um, it, it's a lot big impact at a big scale, yet I don't think we've found a way to kind of lessen the threat. It seems like we're still responding to an incident [00:09:00] and not really finding a way to block the threat from a, I dunno if it's a technology, a cultural thing or legal thing, or, I don't. What, what's your perspective on how well we're dealing with it?
Before it's an issue versus just fine investigating and hopefully kept cracking down on
William Lyne: what's going on. Yeah, I, I think, you know, as, as we spoke about ransomware kind of came about quite quickly, didn't it? I think it really kind of burst into the public consciousness on the back of some really significant ransomware instance in round 2021 period.
Kind of like still in COVID times a little bit. Um, uh, and I, I think it has meant that you do it, it does pose quite. A unique challenge to law enforcement in many ways. But I think that we actually have pivoted lots of our response and lots of our tactics and, and, and the way that we are responding. Um, uh, you know, I think we are less reactive than we were, you know, reacting to this online ecosystem that innovates and changes and evolves really quickly, particularly now where you see groups kind of disappear, [00:10:00] rebrand, or reestablish really quickly.
And there's, and there's lots of groups. I think there's probably more ransomware groups operating now than there's probably ever been. So tracking it from. Like a, a, a malware variant perspective is really challenging 'cause you're gonna be reactive and looking at what that's doing. Um, uh, and so we proactively instead look at that online cyber crime ecosystem, those things that enable and support the cyber crime business model, uh, in a way to, to, to get in front of the threat and, and, and ultimately be more impactful to protect people and our communities.
Okay.
Marco Ciappelli: So, oh, you go? Yeah. No, I, I wanna bring something that I bring out quite a bit since the day that it came out, which was with Nico Hippo and, and we were talking about ransomware. I said, it's more randomware like, it's not really targeted. You just put it out there and something is gonna stick. And sometimes it is the individual, sometimes it's the small business, sometimes it's the, it is the big business.
Do, do you treat. As a, as a, you know, crime investigation is [00:11:00] differently or you actually, again, try to get to the root of. Avoiding to happen, but what can we do for the people that are affected by it?
William Lyne: Yeah. So, so I think improving the victim experience is, is, is really important. And, you know, of course we take a vic, a victim centric approach to, to lots of our investigations.
Um, but, but you're totally right, as in ransomware is by and large opportunistic. Uh, and lots of the opportunities that these threat actors are exploiting are, um, you know. Relatively easy to mitigate against if you do the basics of cybersecurity really well. Um, it's really easy to say, do the basics well and really difficult to implement doing that.
So, um. Uh, you know, there's some great advice and, and support available to, to, to people out there to, to kind of build their resilience. Um, but, but yeah, we, we take that victim centric, uh, approach. Um, we want to understand what victimization looks like, uh, and [00:12:00] understand what targeting looks like from a UK perspective.
Um, so we'd encourage people to engage with law enforcement, uh, when, when, when you are unfortunate enough to be. Uh, to be a victim. Um, and you know, part of that is because you might not necessarily know what we are doing from a lawful perspective at any one point in time. So, you know, if you look at K Chronos for example, we had access to lots of the lock bit infrastructure at a point in time, which only those victims that we were aware of that were potentially able to help before we publicly, um, came out and kinda like launched and, and avowed that operation.
So, uh, yeah, yeah, that's just one of the benefits of, of, of kinda like that engagement with law enforcement. Help us understand the threat and, and, and in turn we may be able to help you.
Sean Martin: So I, the, the other question that's kind of burning in my mind, and I don't know how much you can share, but what, what do you see coming?
William Lyne: Yeah.
Sean Martin: I mean, I, I can go to like deep fakes and things like that. I don't, I don't know, does the agency kind of researching and [00:13:00] preparing for what might be coming so that you can again, kind of get ahead of what's going. What's happening?
William Lyne: Yeah. So we put a lot of time and effort into kind of like understanding the threat and understanding the innovations and, and how the threat's evolving.
'cause that informs what what we want to deliver, um, at, at any one point in time. So I think we're gonna continue to see that lowering the barrier of entry and the proliferation of tools and capabilities. So, you know, that has some implications for, uh, things like ransomware and, you know, what the threat profile of ransomware loops looks like, and, and, and perhaps how they behave and operate.
Um, I think secondly. Uh, kind of ai, I guess you can't go through a cybersecurity interview about I was waiting for that ai
Sean Martin: right? I was waiting for, I kind of tried to go around it with deep, with deep fakes, but
William Lyne: yeah, I, I, I would, I would say that, you know, cyber criminals tend to operate on kind of like an MVP type basis, so they'll only change what they're doing.
They'll only change what works. If there's an opportunity to make way more money. [00:14:00] Or the way that they'd be making money is kind of like, it is not working as, as well as it did in the past. So they're probably slower adopters of some technology like AI than perhaps other kind of, um, you know, tech or tech dependent, um, people are, uh, but yeah, you, you, AI is being utilized by threat access to kind of like make some different steps of that cyber crime business model more efficient or perhaps a little bit more effective.
There's some really obvious ways you can do that. You know, improving phishing emails. Right. Um, uh, but I think in time you, you, you could see the kind of like the integration of AI capability, the commoditization of AI into a kind, like as a service offering within that ecosystem. And that will have implications for us from a, um, perspective.
Um, but yeah, something that we are tracking and, and aware of at the moment. And I
Marco Ciappelli: think that one last question. Maybe I, I know you have to go, but maybe you have another last question too.
Sean Martin: I know we'll be sensitive time. Okay.
Marco Ciappelli: Mine is, mine is actually quick. It's [00:15:00] about, I think it's quick how the mentality of the cyber criminal may have changed with so much more access to technology.
'cause I, I, I feel like at the beginning was more of a social engineer based, now even the social engineer cap on ai. Mm-hmm. And. May use more technology, but is there other things that you guys are noticing in the way that they operated is different from what it used to be?
William Lyne: I think from a threat actor perspective, you know, we've seen Ransomwares predominantly a Russian speaking, um, threat who dominated by Russian speaking threat actors.
Uh, and, and you know, it used to be a relatively closed shop. You know, access to that ecosystem was closely guided. You need to be potentially a native Russian speaker or neo native Russian speaker. You needed to have. Kind of like a history and a reputation within the ecosystem on cyber crime forums or from even being involved in criminal activity in the past.
But I think lots of that has kind of melted away now. You know, it's very accessible to different threat [00:16:00] actors. Um. Uh, and, and yeah, that changes the nature of the threat that changes the profile of the threat actors and it changes the, the kind of like number of individuals that we see, uh, involved. And, um, you, there's opportunity for us in comfort, targeting the ecosystem and understanding that, but you know, also opportunity for the threat actors to, to kind of like think of new ways to, um, to generate money.
Sean Martin: Alright, maybe one more quick one in intelligence sharing. Public, private, um, researchers, universities, um, things your, your group are doing to kinda help promote that perhaps?
William Lyne: Yeah, so I think in law enforcement we absolutely recognize what important role, you know, particularly the private sector have to play in, in both understanding and then partnering technically, uh, tactically us to deliver response to the threat.
So, you know, culturally I think we've. We've shifted and come a really long way to, to absolutely recognizing that and embracing that. You saw private sector partners who were named as being involved in the Kronos, [00:17:00] the, the log bit activity last year. Um, uh, and. Us in the NCA, uh, we are really lucky to have, uh, a set of brilliant, both national and international partners from a law enforcement and a private sector, uh, perspective.
And, and also within academia, uh, as you mentioned it, um, that help us, uh, yeah, on those two facets. Kinda like, understand the threat, understand how it's changing, understand, uh, you know, keep up with it, uh, whilst also collaborating to, to, to deliver the most impactful. Response that we possibly can as a community.
'cause in many ways we, we all want the kind of same thing, right? Yeah. Um, I hope so. Yeah. So ideally, yeah. You know, I think we've come a long way as law enforcement. Yeah. But of course, there's always more that we can do both the, the public and the private sector side. Yep. Very good.
Marco Ciappelli: Well, we really appreciate you finding the time.
Um, I know you have a lot of other meetings and panels to do so. Uh,
Sean Martin: and crime fight.
Marco Ciappelli: Yeah. In between, you know, after that, you know, there's a special three [00:18:00] days, which is important for the community comes together and, uh, and then of course back to work or the, I'm sure it doesn't stop to get somebody there working.
Uh, for everybody listening, we're still at infosecurity Europe. Uh, in London. We'll come back with many more conversation in the next few days, so stay with us. Yeah, subscribe and, uh, share. If you like what you're hear, let everybody know about it.
Sean Martin: Yep. That's it. Itsp magazine.com/oh yeah, thanks too. InfoSec 25, all the coverage.
Thanks everybody.
Marco Ciappelli: Take care. Thanks guys. Thank you.
​[00:19:00]