Jonathan Lusthaus is director of the Human Cybercriminal Project at the University of Oxford, and the author of Industry of Anonymity: Inside the Business of Cybercrime.
Cybercrime is a shadowy world. One only needs to do an image search on Google to find the stereotype of the hooded, faceless attacker.
But as a sociologist, my primary interest is people. I began studying cybercrime because I was interested in this hidden world and the unseen faces within it. I wanted to peel back the hoodie. I spent seven years traveling around the globe, from Russia and Ukraine, to Romania, China, Nigeria, Brazil, and the United States. Over this time, I interviewed almost 250 law enforcement agents, security professionals and former cybercriminals about the business.
What this research taught me was that cybercriminals are not all that mysterious. While the tools have changed, the underlying crime types remain the same: theft, fraud, extortion and so on—what Peter Grabosky called “old wine in new bottles”.
The organizational features commonly found in the underground also look a lot like traditional business structures. One of the most striking aspects of modern day cybercrime is how specialized it has become. Few actors are skilled across every aspect of the business. It makes greater economic sense to invest in a particular “trade” and rely on others to provide specialist functions around other areas of the industry. Offenders have carved out a multitude of roles, from technical areas, such as malware production, to “cashing out,” which is decidedly less technical and involves converting virtual gains into monetary or physical ones.
Even within a specialization, sub-specialties will emerge. For instance, there might be a project lead to develop malware, supported by a couple of programmers, who might have distinct coding expertise. This manager then needs to find a salesman who can sell the malware, perhaps in an online marketplace. Whoever buys the malware might then need to hire a team to successfully deploy it, which requires a number of further sub-specialties.
In the parlance of recent law enforcement and industry reports, this breakdown of roles is often known as “crime-as-a-service.” This could suggest that cybercriminals have invented something new. In reality, it is a manifestation of basic economics—the division of labor—that has been present throughout human history.
For cybercrime to operate as an industry—for these disparate service providers to unite—there also has to be a way for criminal actors to successfully work together. This creates a puzzle: how do anonymous criminals trust each other?
On the face of it, criminals should not make trustworthy partners. This is particularly problematic when a criminal is known only by his or her online handle, and can’t be “paid a visit” if a deal goes awry.
In an online setting, perhaps the most important factor is reputation. Cybercriminals like to deal with partners they have worked with before. They have a sense of who they are collaborating with, which reduces the risk involved in transactions and operations. When they need to find a new partner, they ask for recommendations from people they know or seek out published information on a particular person’s character.
Many of the criminal virtual marketplaces operate in a similar way to legitimate platforms like eBay. There are numerical rating scales, along with qualitative reviews. If a vendor has provided poor quality products, that vendor often has poor reviews. By making this information publicly available, cooperation can be scaled up from a handful of criminals to potentially thousands of forum members. Each member can spend less time checking out potential partners, and more time carrying out crime.
There are other ways that cybercriminals enhance cooperation, primarily through mechanisms that help guarantee deals. Cybercriminals have adopted virtual regulatory systems that are reminiscent of legitimate legal and commercial systems.
When they are carrying out large transactions, online criminals may use escrow, where a trusted third party holds the payment (and sometimes the goods too), until everything has checked out. Arbitration is also available if a dispute develops. A senior member of the community will be appointed to listen to what each side has to say, assess the evidence and then make a ruling. In certain cases, the loser might be banned from the relevant marketplace.
This guarantor function is akin to the role that mafias play in a number of traditional criminal markets. Beyond that, it is similar to enforcement systems that can be found throughout the evolution of civilization.
Cybercrime is often regarded as a new frontier. People are always looking for signs of innovation in this underground, and in many aspects of the business, cybercriminals are innovative. But we shouldn’t forget that much of its core is actually old. Cybercriminals often behave like other people. Humans will be humans.