International law has a timing problem. When a new technology enables serious harm, the legal response follows a familiar sequence: harm occurs, victims and advocates demand action, legislators and treaty negotiators draft rules, states ratify and implement them. In a stable technological environment, this cycle eventually produces adequate governance. The problem of the digital age is that the technology rarely stays still long enough for the cycle to complete. By the time the legal norm arrives, the harm has evolved into something the norm was not quite designed to address.

Two recent international instruments test this claim directly. The UN Convention against Cybercrime, adopted in December 2024 and known as the Hanoi Convention, is the most significant expansion of the global criminal law architecture for digital space since the Budapest Convention of 2001. The UN Global Mechanism on Cybersecurity, which held its inaugural session on March 30th, 2026, institutionalises two decades of work on responsible state behaviour in cyberspace. Both arrived after the harms they address had already scaled beyond the reach of any cooperative enforcement response the norms themselves could generate.

Three ways technology breaks the law

The first failure mode is the classification gap. Existing legal categories eventually catch up with new forms of harm, but by the time they do, the technology has evolved to produce enforcement-resistant versions of the same harm. Courts across Europe, the United Kingdom, and Singapore spent more than a decade debating whether cryptocurrency constitutes “property” for the purposes of fraud law. The English High Court confirmed in 2019 that it does. The Singapore High Court followed in 2022. By then, cryptocurrency fraud had reorganised around architectures deliberately designed to be enforcement-proof.

The second failure mode is the implementation gap. Norms are adopted faster than the infrastructure required to enforce them. The Hanoi Convention’s mutual legal assistance procedures have been updated and expedited. But cryptocurrency can be moved across jurisdictions, converted into privacy coins (cryptocurrencies specifically designed to obscure transaction trails, such as Monero), and made untraceable within hours of a law enforcement action becoming known. The convention’s procedures are measured in weeks. The relevant asset movements are measured in minutes.

The third failure mode is the attribution gap. The harm originates from actors and locations that the cooperative framework structurally cannot reach. This is not a problem of legal classification or enforcement speed. It is a problem of political geography: the states from whose territory some of the most serious cybercrimes are conducted are not merely uncooperative but are, in some cases, implicated.

Pig butchering: engineering a crime to outlast the law

Cryptocurrency investment fraud known as “pig butchering” – named after the practice of fattening livestock before slaughter – is a long-running scheme in which perpetrators cultivate fake online relationships before navigating victims toward fraudulent investment platforms. It combines identity fraud in the grooming phase, platform manipulation in the extraction phase, and large-scale money laundering in the proceeds phase. Each element is independently criminalised under the Hanoi Convention and across European domestic law. The legal qualification is clear. The enforcement pathway is not.

The fraud compound infrastructure concentrated in Myanmar, Cambodia, and Laos extracted an estimated $9.9 billion in 2024 alone, according to Chainalysis. The United Nations Office on Drugs and Crime has estimated that a very large number of individuals are being held in these compounds, many of whom are trafficking victims compelled to carry out online fraud under threat of violence. None of the principal states hosting these compounds were parties to the Budapest Convention, and although Cambodia signed the Hanoi Convention, it had not ratified it as of April 2026.

The compound architecture was deliberately designed around the cooperative enforcement landscape as it existed at the time of the compounds’ construction. Financial flows routed through unregulated cryptocurrency channels, perpetrators physically separated in non-cooperative jurisdictions, victim contact conducted through end-to-end encrypted platforms: these are not incidental features. They are an engineered response to the law.

AI-generated child sexual abuse material: when technology resolves the debate by making it irrelevant

European criminal law spent two decades arguing about whether computer-generated child sexual abuse imagery met the “close to reality” threshold required by the Lanzarote Convention and implemented across domestic penal codes. The debate was substantive: animated avatar content from platforms like Second Life raised questions about whether artificial imagery fell within the criminal prohibition.

That debate was resolved, but not by any court or legislature. It was resolved by technology. Contemporary open-source generative AI models produce photorealistic imagery of non-existent persons that is visually indistinguishable from photographs of real individuals. The “close to reality” threshold is satisfied by AI-generated image of sufficient resolution as a matter of visual inspection. The law did not decide whether the threshold was met; the technology made the question trivially answerable.

The Internet Watch Foundation recorded a 380 percent increase in actionable AI-CSAM reports between 2023 and 2024, with a surge in AI-generated videos recorded in 2025. European legislatures have responded: Germany, Austria, and the United Kingdom have updated their criminal codes; the EU AI Act classifies AI systems used to generate such material as categorically prohibited. The legislative framework is being updated at precisely the moment when the volume of harm is increasing at an extraordinary pace.

The enforcement problem cuts deeper than scale. The Hanoi Convention’s procedural toolkit assumes a third-party service provider holding identifying data. AI-CSAM generated on a locally installed open-source model requires no internet connection, leaves no server-side record, and cannot be detected through hash-matching technology, because each AI-generated image produces a unique hash. The classification question has been answered. The implementation and attribution gaps remain wide open.

Two institutions that need to talk to each other

The Hanoi Convention (which remains far from entering into force, as it is still pending the required number of ratifications) and the Global Mechanism on Cybersecurity address the same underlying harms through formally separate institutional frameworks. The Convention is a criminal law instrument operating through the UN General Assembly’s Third Committee. The Mechanism is a state responsibility instrument operating through the First Committee. By deliberate geopolitical design, cybercrime falls outside the Mechanism’s mandate.

The separation is indefensible. Where a state knowingly tolerates pig butchering compounds operating from its territory, it violates not only its criminal cooperation obligations under the Convention but also its due diligence obligation under customary international law, confirmed as applicable in cyberspace by the 2021 UN Group of Governmental Experts. The criminal law track cannot compel cooperation from a state that is structurally implicated. The state responsibility track can impose binding obligations that the Convention alone cannot generate. Neither track currently acknowledges the other’s existence in institutional terms.

The Global Mechanism’s two thematic working groups offer a starting point. Using them to build a deliberate institutional bridge between the two tracks would not require amending either instrument – only the political will to acknowledge that the harms are the same and that the frameworks addressing them need to work together. Their potential will be realised only if the institutional separation between them, a product of geopolitical compromise rather than legal logic, is deliberately bridged. The technology will not wait.