Application security, Threat Management, Ransomware

Cybercrime, Inc.: How the bad guys adopted the business model

A young man types on an illuminated computer keyboard typically favored by computer coders on Jan. 25, 2021, in Berlin. (Photo by Sean Gallup/Getty Images)

Cybercrime is big business, making hundreds of millions of dollars a year. Yet cybercriminal groups don't act like traditional organized-crime groups. Instead, they function like typical tech-industry businesses, with coding, management, recruitment and even public-relations departments hiring and outsourcing to fill positions as needed.

The most profitable cybercrime groups follow the model of "platform capitalism," combining high reward with low risk by providing services and support to lower-level criminals who carry out the actual cyberattacks. Cybercrime has also become increasingly intertwined with legitimate businesses, both by exploiting lawful platforms and by corrupting individuals within the business world.

"It's a completely different subset of crime, " said Frank Catucci, chief technical officer and head of security research at Invicti. "It's more white-collar crime, rather than bust-your-kneecaps, get-out-and-enforce-things crime. "

The pervasiveness and persistence of organized cybercrime makes it difficult to defeat by simply stopping attacks and shutting down botnets. Instead, law enforcement and the information-security industry will have to stop the flows of money and stolen data that keep cybercrime profitable.

The beginnings of cybercrime

The first malicious hackers had motives beyond money. The Brain virus that infected PCs in the mid-1980s was meant to deter copyright infringement; the Morris worm that crippled the internet in 1988 was a proof-of-concept exploit gone wrong.

In the following decades, individual hackers gained fame by breaking into difficult targets, such as the Florida teenager who hacked into NASA and the Department of Defense in 1999. In the early 2010s, groups like Anonymous and LulzSec aimed to make political points or amuse themselves. 

Yet some hackers realized they could make money by stealing data. Two of the worst early data breaches were the thefts of 145 million credit-card numbers from TJX and Heartland Payment Systems in 2006 and 2008, respectively; the same crew was responsible for both.

Cybercriminal groups at this time often came together for individual jobs, then might break apart. Everyone acted as a freelancer, and the groups were more loose crews than tightly bound organizations.

"Cybergangs easily come and go as opportunities develop," wrote G. Stevenson Smith of Southeastern Oklahoma State University in an academic paper published in 2015. "These new criminal networks are based on knowledge relationships and quickly disappearing network connections."

Cybercriminal groups, then as now, do not fit the traditional organized-crime model of a group bound by loyalty to family or ethnicity, with a hierarchy of soldiers, captains and a top boss, and in which underlings must carry out orders without question and often without reward.

"Cybergangs can successfully operate with a much smaller profile and with more flexibility than can traditional criminal gangs," noted Smith. "They also have less need for managers to oversee their members and operations."

Smith added that cybercrime groups are often organized by skill, not hierarchy, a trend echoed by University of Oxford sociologist Jonathan Lusthaus in 2019.

Lusthaus said a malware coder might be at the center of an operation, but with an assistant to help code and vendors earning commissions selling malware in cybercrime forums.

"It's a crime of equal opportunity, " said Catucci. "With traditional organized crime, you need physical resources. With cybercrime, you can spray and pray at different organizations. There aren't a lot of resource constraints. "

However, Lusthaus noted that cybercriminal groups suffer deficits of trust. Whereas traditional organized-crime groups are bound together by family ties, and loyalty is enforced by threats of physical violence, cybercriminals have neither.

"It is difficult to assess trustworthiness and enforce agreements when one doesn't even have physical interactions, which would normally indicate the identity of partners," Lusthaus wrote in a 2018 study.

Instead, trust among cybercriminals, if there is any, is based on reputation and third-party references. Jobs are purely transactional, and tasks and services must be paid for rather than commanded.

"The cybergang has little loyalty to other members in the gang," wrote Smith in 2015. "Once a cybergang member is caught by law enforcement, they are more concerned about their own welfare rather than the organization or other gang member's welfare."

The maturing of cybercrime as a business

In the past decade, cybercriminal groups have matured. Many are no longer ad hoc groups coming together for specific jobs, but permanent organizations with long-term strategies and goals, such as the group that has managed, developed and distributed Emotet malware for nearly a decade.

Yet inherent trust is still lacking. As a result, it makes sense that mature cybercrime groups don't act like typical organized-crime groups. Instead, they resemble another type of organization in which loyalty and services are bought, risks are minimized, and self-interest is assumed. They look and act like modern businesses.

"What we're seeing now is much more bidirectional communication, which requires a business model that's almost more customer service or retail," said Catucci. "They use ransomware and encrypt your files, then 'assist' you to open a bitcoin wallet and get your files back. It's moving more to a corporate customer-centric type of business model."

Britain's National Cyber Security Centre in 2017 delineated the different professions that might be found in a modern cybercrime group: coders and malware developers, intrusion specialists to break into targets, network administrators who supervise command-and-control servers and botnets, data miners who extract value from stolen information and monetizing specialists who figure out how to best sell the organization's products.

Some groups even have PR specialists who tell journalists about data breaches before the targeted companies reveal them or keep support technicians on call to assist purchasers of malware kits. Others can openly rent out office space, trade stolen data on forums and even sell ads, as long as they're based in a location, as the NCSC observed, "where such activity is not actively prosecuted by the authorities."

"If you're in North Korea, China or Russia, you're not gonna get extradited for computer crimes," said Catucci. "It's a real opportunity to make a lot of cash with very little work. You can scale with very little risk or resources, with very large ROI. It might be very opportunistic to make a year's salary with very little risk or overhead. "

Lusthaus cites the Russian Business Network, "effectively an ISP for criminals," which kept salaried employees and offices in St. Petersburg, and the no-questions-asked electronic payment system Liberty Reserve, which operated out of an office park in Costa Rica.

Large cybercrime groups are also mature about handling their profits. While younger crews might buy up fast cars, drugs or luxury vacations, the top groups succeed by being boring and plow profits into property, investments or research and expansion, said Dr. Michael McGuire of the University of Surrey in a 2017 paper sponsored by Bromium.

Around these groups has grown an entire cybercrime ecosystem. The NCSC lists several services that cybercrime groups might use, such as bulletproof hosting services, escrow services, money transferrers and testing services that make sure malware goes undetected by antivirus software.

"For the most organized and technically advanced groups, many of the services described are carried out 'in-house' as part of their own business model," says the NCSC. "For smaller groups or individual criminals, these services can be hired on the cybercriminal 'online marketplace' using a plug-and-play approach to crime."

Cybercrime as a service

In fact, cybercrime itself has become a service. The potential profits attract so many newcomers that the most mature groups now make money by catering to wannabe criminals rather than by carrying out attacks themselves.

The result is that attackers don't need to possess technical skills. Anyone can purchase or rent an exploit kit or a piece of ransomware in a cybercrime forum, then deploy it on their own and collect the profit — although they might have to cut in the malware creator for a percentage.

"I don't have to spam, or come up with an exploit, or find a company using out-of-date software, " said Catucci. "If I know I'm gonna get the ROI by just spending a few bucks, I'm gonna do it. "

Catucci added that for the cybercriminal organization providing the service, "the goal is to deliver value and convenience at a price that's not exorbitant. "

This business model began more than a decade ago, when botnet controllers would rent out access to third parties who could launch DDoS attacks against websites of their choice. Later, ransomware coders found it was more profitable, and less risky, to sell licenses to their malware than to actively use it.

McGuire calls this "a post-crime world ... one where varieties of criminality that involve less crime, or that take on a secondary form and benefit indirectly, become more attractive in terms of revenue generation."

Such "platforming" makes the top cybercrime groups akin to Uber or Airbnb, making money in the background by taking cuts of other people's profits.

"In the same way our traditional economy has shifted toward gig workers for efficiency," a 2022 Microsoft blog post said, "criminals are learning that there's less work and less risk involved by renting or selling their tools for a portion of the profits than performing the attacks themselves." However, there's still no expectation of loyalty. Smith noted in 2015 that "the person who is paying and executing the attack may be the individual who is caught by law enforcement ... while the master hacker behind the operation remains untouched."

How cybercrime infects legitimate business

Modern cybercrime not only parallels legitimate business. It infiltrates and uses it, just as skilled attackers breaking into servers might use legitimate software to "live off the land" and avoid detection. This infection goes far beyond stealing data, said McGuire.

"The range of ways in which many of our leading and most respectable online platforms are now implicated in enabling or supporting crime (albeit unwittingly, in most cases) is astonishing and represents a significantly under-researched area of cyber-criminality," he wrote.

McGuire cited platforms used for malware distribution, such as online ad networks; a more recent example would be Discord's content-delivery network. He also included counterfeit items sold on Amazon and eBay and drug sales on social-media networks; money laundering accomplished with the cooperation of crooked ride-share drivers or short-term-rental hosts; and secure messaging platforms used by criminals to communicate.

Respectable businesses may also get actively involved in cybercrime. McGuire cites banking and finance insiders trading corporate secrets on dark-web forums, money laundering abetted by international banks and illicit money transfers by wire-payment services. "We are not simply dealing with 'hackers in hoodies'," McGuire said. "We are tackling an economic ecosystem that enables, funds and supports criminal activity on a global scale."

How to completely combat cybercrime

To McGuire, the cybercrime ecosystem runs primarily on the theft, processing and sale of stolen data, which offers a choke point that law enforcement and regulators can focus on.

"Data and data protection is now about far more than privacy," he wrote. "As one of the key raw materials for generating wealth in both the legitimate and cybercrime economies, data needs to be handled more like traditional currencies and protected with more specific safeguards."

Combatting cybercrime will take a lot more effort than just blocking intrusions and shutting down servers. The flows of illicit money and stolen data will have to be interrupted, although that might be a tall order when there are countries where cybercriminals can operate with impunity and when cybercrime has infiltrated legitimate businesses.

"Unless the close interrelations between the cybereconomy and the legitimate economy are taken into consideration, there is a danger that clinging to traditional models of criminality — or, indeed, cyber-criminality — will impede more effective ways of conceptualizing responses," wrote McGuire. "The cybersecurity industry will need to move beyond simplistic firefighting or responsive measures to cybercrime and focus more clearly on how to respond to the cybercrime economy as a whole."

Catucci thinks the business and law-enforcement communities in the United States, historically somewhat wary of each other, need to embrace more cooperation and mutual trust to combat cybercrime.

"I think if we can get the right people on the government and law-enforcement side that are willing to share and do more, then we have a chance, " he said. "We are seeing things like bug bounties for the Department of Defense, major walls that have fallen in the last decade. We need to keep working on that from both sides and do more to share useful and impactful information."

Paul Wagenseil

Paul Wagenseil is custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, and

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.