Crime Law Soc Change (2017) 67:21–37
DOI 10.1007/s10611-016-9662-2
A typology of cybercriminal networks: from low-tech
all-rounders to high-tech specialists
E. Rutger Leukfeldt 1,2 & Edward R. Kleemans 3 &
Wouter P. Stol 2
Published online: 22 November 2016
© Springer Science+Business Media Dordrecht 2016
Abstract Case studies show that there are at least two types of groups involved in
phishing: low-tech all-rounders and high-tech specialists. However, empirical criminological research into cybercriminal networks is scarce. This article presents a taxonomy
of cybercriminal phishing networks, based on analysis of 18 Dutch police investigations into phishing and banking malware networks. There appears to be greater variety
than shown by previous studies. The analyzed networks cannot easily be divided into
two sharply defined categories. However, characteristics such as technology use and
offender-victim interaction can be used to construct a typology with four overlapping
categories: from low-tech attacks with a high degree of direct offender-victim interaction to high-tech attacks without such interaction. Furthermore, clear differences can be
distinguished between networks carrying out low-tech attacks and high-tech attacks.
Low-tech networks, for example, have no victims in other countries, and their core members
and facilitators generally operate from the same country. High-tech networks, by
contrast, have more international components. Finally, networks with specialists focusing on one type of crime are present among both low-tech and high-tech networks. These
specialist networks more often have a local than an international focus.
Keywords Cybercrime · Phishing · Malware · Criminal networks · Theory · Organized crime
* E. Rutger Leukfeldt
RLeukfeldt@nscr.nl
1 Netherlands Institute for the Study of Crime and Law Enforcement (NSCR), De Boelelaan 1077a, 1081 HV, Amsterdam, The Netherlands
2 Open University of the Netherlands, Valkenburgerweg 177, 6401 DL, Heerlen, The Netherlands
3 VU University Amsterdam, De Boelelaan 1105, 1081 HV, Amsterdam, The Netherlands
22
Leukfeldt E.R. et al.
Introduction
‘Warning! The security of your online bank account needs to be updated. Update today
or your account will be blocked. Click here to go to our secure website directly.’
Criminals use these kinds of e-mail messages to lure bank customers to phishing
websites with only one goal: obtaining user credentials to clear out their bank accounts.
This article is a follow-up to the work of Soudijn and Zegers [20] and Leukfeldt
[15]. These studies described phishing networks, based on police files, and showed that
phishing networks can have totally different characteristics. The ‘crime script’ of the
two different networks was quite similar: the formation of a criminal core group,
contacting other capable criminal enablers, capturing login details from victims and
transferring funds to money mule accounts. However, the origin, growth, and criminal
opportunities of these networks – and thus the possibilities for crime prevention – were
completely different. In the first group [20], technology played a major role: e.g. malware
was used to steal user data, a forum functioned as an offender convergence setting to meet
new criminals, contacts between offenders were primarily online, and spam e-mails were
used to recruit money mules. In the other case [15], social ties played an important role:
e.g. e-mails and telephone calls were used to steal user data, other criminals were recruited
through social contacts, and encounters took place on the streets of large cities.
These two case studies confirm what one might a priori expect: that cybercriminal
groups are not all the same. However, empirical criminological research into
cybercriminal networks is scarce (for an overview, see e.g. [5, 6, 22]). Only a few case
studies on a limited number of criminal groups exist. More research into
cybercriminal groups is clearly required to map the range of possible compositions. This article
takes a more comprehensive approach and analyzes all known phishing and banking
malware cases in the Netherlands in the period 2004–2014. This gives more insight into
the different types of criminal groups that are involved in these cybercrimes and may
help to develop effective crime prevention methods.
This article uses a social opportunity structure perspective to study cybercriminal
phishing and banking malware networks (see section 2 for a more detailed explanation).
It elaborates upon the criminal capabilities of networks (e.g. modus operandi and the use of
technology, secondary criminal activities, and international components) and the composition of networks (e.g. functions within networks). Section 3 describes data and research
methods. Subsequently, the results of the study are presented regarding criminal capabilities of networks (section 4) and composition of networks (section 5). Section 6 contains a
taxonomy of networks, whereas section 7 contains the main conclusions and discussion.
Social opportunity structure
The studies by Soudijn and Zegers [20] and Leukfeldt [15] show that there are at least
two types of groups involved in phishing. As Leukfeldt [15] pointed out, an explanation for these differences can be found in the concept of social opportunity structure.
Social opportunity structure plays a major role in organized crime networks. Social ties
and networks provide access to criminal opportunities and their nature further determines the opportunity structure, which facilitates different types of crime (e.g. [9, 18,
19]). Social relationships, however, are highly clustered and therefore always limited in
certain ways (e.g. because of geographical or social barriers between countries, lack of
access to different ethnic groups, or barriers between illicit networks and the licit world
– see [7]: 179–180). In order to expand opportunities, it is necessary to establish
relationships with ‘outsiders’ (persons outside someone’s existing social network). Therefore, access to ‘offender convergence settings’ (cf. [3, 4]) and key figures that are able to
arrange these new contacts determine the growth and criminal opportunities of a given
network. Studies into traditional criminal networks showed that the degree of access to these important
brokers determines whether offenders remain local or become international players (e.g. [9]). Local offenders commit all sorts of crimes in their own region,
but they have no contacts outside their region and no expertise on which others depend. A
condition for evolving into an international player is having contacts with brokers who
give access to new export markets, or who have capital or expertise.
The degree of access to key figures and (digital) offender convergence settings
provides an explanation for the differences between the cases described in Soudijn and
Zegers [20] and Leukfeldt [15]. In fact, a parallel with the distinction between local and
international offenders can be observed. The second group had no access to digital
offender convergence settings and was constrained to a local social cluster. Accomplices were recruited through local social contacts and were all living in the Netherlands. All the victims were Dutch too. They also committed all kinds of other crimes to
earn easy money. Conversely, the offenders of the first group met each other at a digital
forum. Specific criminal services could relatively easily be acquired through the forum:
victims were targeted, and accomplices were recruited in foreign countries. It also
seems that the criminals were specialized in phishing attacks, as no other criminal
activities were described in this case. Offenders were able to recruit new members in
other countries and attack victims in multiple countries.
The social opportunity structure perspective can be used to explain differences between
the nature and capabilities of cybercriminal groups described above. The two case studies
show that there are differences between the criminal capabilities of cybercriminal networks
and the composition of networks. In this article, we analyze 18 cybercriminal networks
and examine whether these differences hold or need to be qualified. The data and variables used in this
article to gain insight into these elements are described in the next section.
Data and methods
Eighteen Dutch criminal investigations were analyzed in order to gain insight into the
composition and the criminal capabilities of criminal networks. These police files
provide unique knowledge about cybercriminal networks and their members due to
the use of special investigative powers such as wiretaps (telephone and internet traffic),
observation, undercover policing, and house searches.
Cybercriminal networks: a demarcation
This study is part of the Research Program Safety and Security of Online Banking.
Therefore, this study only includes networks that carry out attacks on online banking.
Briefly, this means phishing attacks and malware attacks. In the literature, different
definitions of phishing are used (see, for example, Lastdrager [14] for an analysis of
113 definitions). The common thread is that phishing is the process by which criminals,
using digital means such as e-mail and posing as a trusted authority, try to obtain
users' personal information. User credentials can also be intercepted in a more technical way,
namely by using malicious software such as Trojans or spyware. Such malware
can log keystrokes, capture screenshots, and harvest e-mail addresses, browsing habits, or personal
information such as credit card numbers.
Case selection
In our analysis, only completed criminal investigations are used. In these cases, the public
prosecutor has decided that enough evidence has been collected to prosecute the suspects
successfully. This, however, does not mean that there has already been a court decision.
There is no central registration system in the Netherlands that allows for a quick
overview of all criminal investigations into phishing networks. The selection of cases
was, therefore, done by using the snowball method. Starting points were cybercrime
and fraud teams on a national and (inter)regional level. Using existing contacts within
the Dutch police and the Dutch Police Academy, team leaders and senior investigators
of these teams were asked whether they knew any investigations into phishing networks. Subsequently, public prosecutors who deal with cybercrime and fraud cases
were asked the same question. Furthermore, an online database in which (a limited
number of) court documents are published, was used, and a media analysis was done to
find news reports about phishing cases. During the file study, people involved in the
criminal investigation were asked whether they knew any other phishing cases. In total,
eighteen criminal investigations into phishing networks were obtained. The investigations
ran between six months and three years and were carried out between 2004 and 2014.
Analytical framework
The criminal investigation files contained records of interrogations and information
obtained through special investigative powers (e.g. transcripts of phone taps, internet
traffic and other surveillance reports). Relevant information was systematically gathered from the investigation files using an analysis framework. The framework was
based on the analytical framework used in the Dutch Organized Crime Monitor. This is
a long-running research program on organized crime (see [9–13, 21]).
The analytical framework consists of a list of topics the researcher has to describe
(rather than a closed questionnaire). The topics and questions of the framework include
inter alia composition (hierarchy, fluid cooperation, important roles/functions, use of
enablers) and criminal capabilities (modus operandi, use of technology, secondary
criminal activities, working area of the network).
Interviews
The analyses of the criminal investigation files were complemented by interviews with the
public prosecutor, the police team leader, and senior detectives (e.g. financial or digital
experts). The same analytical framework was used. The interviews were conducted
because the information in the police files is aimed at providing evidence of criminal
activity, meaning that other information relevant to this analysis is often lacking.
Hierarchy and secondary criminal activities, for example, are not always described.
Respondents, however, were sometimes able to provide more insight into these topics.
Criminal opportunities
Modus operandi
All networks are engaged in attacks on online banking, and their crime scripts
have much in common. The first step is to intercept login credentials from
victims in order to gain access to their online bank accounts. That alone, however, is not enough to
transfer money from a victim's account: so-called 'one-time
transaction authentication codes' are also required. Obtaining these codes is, therefore, step 2.
With these transaction authentication codes, transactions can be made from victim accounts
to the accounts of money mules.1 Once the money has been transferred successfully, it is
cashed out and passed on, via various intermediaries, to the core members. Some networks
experiment with other ways of cashing out, for example by buying goods or Bitcoins with the
victim's account. However, all networks predominantly use bogus front
accounts to cash out the money.
Although the scripts of all criminal networks are roughly similar, there are some
important differences. These concern the way user credentials and transaction authentication codes are obtained: the extent of ICT use and the degree of contact between the
criminals and the victims differ. High-tech capabilities make it possible for offenders
to limit direct contact with the victim, but the networks
studied vary in the extent to which they actually reduce contact with the
victim. At one end of the continuum, there are networks that limit the use of ICT to a
minimum and where victims hand over the codes to the criminals themselves. These networks use e-mails
(and sometimes phishing sites) to get user credentials. Subsequently, victims are
phoned by criminals posing as bank employees in order to elicit the necessary transaction
authentication codes. At the other end of the continuum, there are networks using
advanced malware that requires no direct contact with the victim. These networks, for
example, compromise websites with outdated security. Once someone visits such a website,
his or her computer becomes infected with malware. This malware gives criminals
access to and control over the victim's computer and enables the attacker to alter
online banking sessions.
The differences between these two types of attacks relate to the extent of ICT use during
the attack, as well as the degree to which criminals have direct contact with the victims.
The crime scripts can, therefore, be divided into two main categories: low-tech attacks and
high-tech attacks. Moreover, each category of attacks can be subdivided by the degree of
interaction between offenders and victims (Fig. 1). As a result, four attack variants can be
identified: low-tech attacks with a high degree of direct interaction between attacker and
victim (10 cases), low-tech attacks with a low degree of direct interaction (5 cases), high-tech attacks with a low degree of interaction (4 cases) and high-tech attacks without
interaction (1 case). Networks that carry out low-tech attacks sometimes use several
types of attacks (both with a low degree of contact and a high degree of contact). The total
number of attack types is, therefore, higher than the total number of networks. Below, a
brief description is given of each category.

1 In cybercrime literature, the term 'money mule' is often used to describe these offenders (see Choo [2];
McCombie [17]; Aston et al. [1]; [15, 20]). In our opinion, 'money mule' is not entirely the right term, as these
offenders are not used to physically move money from one place to another, but solely to disguise the
financial trail from victims' bank accounts leading back to the core members (see Leukfeldt et al. [16] for a
more comprehensive description). As the term money mule is so widely used, we have chosen to use it in this
article.
Type 1: Low-tech attacks with a high degree of victim-attacker interaction
The 10 networks executing low-tech attacks with a high degree of interaction
between the criminals and victims all use phishing e-mails and websites. As a rule,
victims receive an e-mail appearing to be sent by their bank. The e-mail refers to the
security of online banking, and the victim is asked to take immediate action to ensure
that his or her account remains secure. Sometimes the victim is asked to reply to the e-mail
itself, and sometimes to follow a link in the e-mail (which usually leads to a 'secure section of
the bank's website'). In both cases, offenders obtain user credentials and other
relevant information. Subsequently, the victim is contacted by telephone by a member of the
criminal network. The caller poses as a bank employee. During the
telephone conversation, the caller refers to the phishing e-mail. Moreover, the caller
is able to give the victim information that only the bank is supposed to know. This
convinces victims that they are actually talking to a bank employee.
During the telephone call, victims are asked to give one-time security codes, ‘to
finalize the latest security updates’. Using these security codes, offenders are able
to transfer money from the victim’s bank account to money mule accounts.
Type 2: Low-tech attacks with a low degree of victim-attacker interaction
Seven networks also use phishing e-mails and websites to acquire user credentials
and other victim information. However, the crime script of these groups does not
require a telephone call. Just like in the first attack variant, victims receive a phishing
e-mail containing a link to a phishing site. This website has an additional entry field in
which a telephone number has to be entered. Once the victim logs on to this phishing
site, the criminals have access to the online bank account, and they consequently know
the victim’s telephone number. The criminals request a new SIM card in the name of
the victim. Once this has been approved by the telecom company, all communication to
the phone number of the victim goes to the criminals. Transaction authentication codes
sent to the mobile phone of the user are now received by the criminals, and can be used
for transactions from the victim's bank account.

[Fig. 1 Degree of technology use and contact between offender and victim. Rows: high degree of interaction, low degree of interaction, no interaction; columns: low tech, high tech. Cells: Low tech 1, Low tech 2, High tech 1, High tech 2.]
Type 3: High-tech attacks with a low degree of victim-attacker interaction
Networks using malware do not need to have direct interaction with victims to
intercept user credentials and transaction authentication codes. The malware gives the
criminal network control over the user's computer. Once this has been accomplished, transfers made by the victims can be manipulated. The most important part of
this attack is infecting the computers of potential victims with malware. Four networks use a
method that installs malware when victims click on a link in an e-mail. Network 15, for
example, first hacks into the databases of several companies to obtain e-mail addresses.
The group also hacks a hosting company in order to send large amounts of e-mail via the servers
of that company (in at least one case over 250,000 e-mails). The e-mail appears to
originate from a major utility company in the Netherlands. It states that the
recipient is in arrears and that the utility company has tried to contact the victim several
times without success, and it contains a link to the supposedly unpaid invoice.
When the recipient clicks on the link, the computer is infected with a
Trojan that gives the criminals control over the victim's browser. Information the
victim enters can be altered without the victim noticing: the criminals change the details the victim enters when transferring money from his or her online bank account.
Type 4: High-tech attacks without victim-attacker interaction
High-tech attacks of the third type thus still require some degree of victim-attacker interaction: if
users do not click on the link in the e-mail, their computers never become infected.
Network 18, however, uses an attack method in which there is no victim-attacker
interaction at all. This network infected a number of websites with outdated security.
When someone visits this website, his or her computer is infected with malware
automatically; the user does not need to perform any actions. When the victim uses
his or her online bank account to transfer money, the malware alters the largest
transaction. The amount is split in two: one part goes to the original beneficiary,
whereas the other part goes to the account of a money mule. The victim approves
the transaction and enters the transaction authentication codes as usual. The victim does
not suspect anything, because the total amount is unchanged and nothing abnormal
appears on the screen. The malware ensures that the split payment is not
visible in the transaction overview of the online bank account. The only way for the
victim to discover the fraudulent transaction is by logging into the
online account from a computer that has not been infected with the malware.
Secondary criminal activities
The activities of the analyzed networks are not always limited to phishing or
malware attacks. In 10 cases, it is clear that core members also perform other
criminal activities. It seems to be a matter of ad hoc alliances: subgroups of core
members working together on specific types of crime. Sometimes core members
collaborate with people outside the core group of the analyzed network. Most
criminal activities relate to financial crimes.
Six networks, for example, also carry out fraud-related activities. Five of these are
low-tech networks. Two of those networks are involved in attacks on payment transactions in which technology is not used at all. These groups use postal officials to
intercept newly requested debit cards and official post from the bank containing PIN
numbers and login details of online bank accounts. Other groups also engage in
skimming or trading stolen goods. Some low-tech groups use their money mules for
other purposes than transferring money alone. In the name of these money mules, for
example, tax returns are requested or multiple telephone subscriptions are registered.
The phones belonging to the subscriptions are resold, and the money mules are left with
the subscription fees.
Four low-tech networks are also involved in drug trafficking. This varies from
setting up a cocaine line into the Netherlands to the sale of different types of pills.
Furthermore, three networks are involved in burglaries, muggings, and/or trading stolen
goods. One network is involved in human trafficking.
One group performing malware attacks is also engaged in credit card fraud. On
forums, they buy stolen credit card information. In the Netherlands, this information is
used to buy goods and to travel. Another group performing malware attacks is also
involved in phishing attacks aimed at Dutch webshops (to get access to their store credit
and/or credit card credentials). The core member of this network also sells goods on
online auction sites without delivering these goods.
International components
To determine how ‘international’ a network is, we looked at the countries from which
the network members operated and from where the victims originated.
In 11 cases, the core members operate from the Netherlands and only use enablers
and money mules that have been recruited in the Netherlands. All these networks carry
out low-tech attacks. The 7 other networks have core members (2), professional
enablers (5), recruited enablers (2) or money mules (2) operating outside of the
Netherlands or having been recruited outside of the Netherlands. One of these networks
performs low-tech attacks. This network uses a foreign professional facilitator to
develop phishing websites. The other networks with core members from outside the
Netherlands are engaged in high-tech attacks.
The two networks in which the core members come from countries other than the
Netherlands, use a forum to recruit professional enablers. Whether the core members
themselves have become acquainted with each other through this forum is unknown.
The 4 high-tech networks use professional enablers from outside the Netherlands to
purchase malware, spam services, user credentials, or money laundering services. Core
members use various forums on which such criminal services are offered.
Recruited enablers from outside the Netherlands provide services to 2 networks. One
facilitator sets up a ring of money mules in England, and another facilitator helps
money mules from Latvia to cross the border into Ireland. Two networks use money
mules from countries other than the Netherlands. One network, which operates from
Eastern Europe, recruits money mules in the Netherlands and Russia. Another network
recruits money mules in Latvia and arranges buses to transport them to the Netherlands
and other countries where the network is active. Their goal is to open bank accounts,
possibly with forged identity papers.
The low-tech networks are responsible for the majority of attacks on victims in the
Netherlands. Twelve low-tech networks only attack customers of Dutch banks. One
low-tech network also attacks people in Germany and the UK. One high-tech network
only attacks customers of Dutch banks, whereas the other 4 high-tech networks also
attack customers of banks in Germany, Belgium, the UK, France, Switzerland, and Spain.
Mapping the networks
Within all networks, there are dependency relationships and different functions. In
addition to a more or less fixed group of core members, the composition of the
networks changes regularly. In subgroups, core members carry out other criminal
activities, individual core members commit crimes with criminals outside the network
occasionally, new enablers are recruited when crime scripts change in response to new
security measures, core members are constantly recruiting new enablers, and there is a
constant flow of new money mules. Despite all these changes, four positions can be
recognized within all networks: core members, professional enablers, recruited enablers, and money mules.
Core members are those members of the network initiating and coordinating
attacks on online banking. Without the core members, the crimes in the investigations analyzed could not be committed, and they direct other members of the
network. Within the group of core members, there can also be a hierarchy. For
example, one core member who directs the other core members, and subgroups of
core members with a specific set of tasks. However, such a hierarchy is not a
necessary part of these enterprises.
Individuals providing services to the criminal network form the layer below the core
members. These services are necessary to execute the criminal activities. Some enablers
play a more important role for the core members than others, because some services are simply
rarer or more sought after. Hence, within the group of enablers, a distinction can be
made between professional enablers and recruited enablers. Professional enablers
provide specific services to the core members, e.g. falsifying identity documents or
developing malware. These enablers are labeled 'professional' because they offer
their services to the core members on their own initiative: for example, they offer their
services on online forums used by cybercriminals, or they are 'well known'
criminal enablers in the offline criminal underworld. Recruited enablers also provide
services to the core members, but they are encouraged or forced by the core members to
do so. They have access to information that is of interest to the core members, or they
are able to provide 'simple' services: services that core members could also perform on
their own, or without which the crime script could still be executed. Examples include
employees of bank call centers, postal workers and employees of telecommunication companies. Like professional enablers, recruited enablers provide services
to the core members. The difference between the two groups is that recruited
enablers are less important for the execution of the crime script and are more easily
replaceable than professional enablers. Recruited enablers receive a small fee for their
work and are used by only one particular network.
Money mules are the bottom layer of the networks. As a rule, these people are used
by the core members or by enablers to interrupt the financial trail to the core members.
In all networks, amounts of money were transferred from victims' online bank accounts
to bank accounts of money mules.2 The money was then cashed by the money mule, a
facilitator, or a core member. This is intended to break the money trail leading back to the core members.
In all networks, we can identify core members, enablers, and money mules. However, the number of people involved in the levels of the networks differs. Network 14,
for example, is a relatively small network of three core members who carry out almost
all criminal acts. The core members only use a professional facilitator to obtain fake
identification documents. Conversely, network 1 consists of eight core members who
use at least two professional enablers and 11 recruited enablers (regarding ICT support,
fake identification documents, information from banking systems, and intercepting post
from banks). Naturally, we only have information about the members that came up
during the criminal investigation. It is quite conceivable that there are other members of
the criminal network that never attract police attention.
Core members
In 11 cases, there is information about the core members, but in the other 7 cases, the
investigation stopped before core members were actually identified and could be
prosecuted. This section is based on the 11 networks for which we have information
about core members.
The number of core members and their tasks differs for each network. The networks
consist of between 1 and 8 core members. Typical for networks with multiple core
members is that during the investigation these people jointly manage the criminal
activities. From that perspective, there is a group of criminals who work together
for an extended period. That does not mean that the individual core members do
not cooperate with other criminals outside this network. Below, an outline is given
of the core members of two networks with a relatively large group of core members
and two networks with a relatively small group of core members. Each pair includes
both a phishing network and a malware network.
Network 1 is a phishing network consisting of 8 core members. These core members
know each other from the criminal underworld in Amsterdam and work together in
loosely connected subgroups. There is not one specific leader controlling the other core
members. According to police respondents, this group could also represent 2 or 3
smaller criminal partnerships that employ all kinds of criminal activities and only
collaborate on specific types of crime. Core members discuss how to carry out phishing
attacks and how to recruit the right people, but most of the core members also have
their own specific tasks. There is, for example, one core member having a contact
providing fake identification documents, one core member having a contact outside the
Netherlands making phishing websites, three core members being responsible for
cashing the illegally obtained money, and two other core members transferring money
from victims’ accounts to the accounts of money mules.
2 Money from the victims’ accounts can also be cashed in other ways. Criminals, for example, also buy goods
or Bitcoins directly from the victims’ accounts. However, all networks mainly used accounts of bogus men to
get the money.
Network 6 is an international network performing malware attacks. This network
consists of five core members. There is one core member who directs the other core
members and who has contacts with professional enablers (providing malware, spam
services, and other relevant services). The other core members have specific roles, for
example, getting access to online bank accounts of infected bank customers, managing
the European and Russian money mules, or recruiting new money mules.
There are also networks with a limited number of core members. Network 10
performs phishing attacks and consists of a stable core group of three persons. A
man and a woman who are in a romantic relationship together are responsible for all the
main criminal activities. The woman calls victims, tries to obtain transaction codes, and
transfers money to accounts of money mules. The man recruits money mules and
directs enablers that also recruit money mules for this network. He is also responsible
for cashing the money from money mules accounts. Sometimes he cashes the money
himself and sometimes the person who recruited the money mules is responsible for
this. In addition, a long-time friend of the main recruiter who is a major supplier of
money mules is also part of the group of core members.
Network 13 carries out malware attacks and has only one core member. This person
is able to gain control over bank accounts by using malware. He meets enablers from
other countries on forums (e.g. to buy specific malware or e-mail addresses), whereas
he directs postal employees and money mules in the Netherlands.
Professional enablers
For 15 networks, it is clear that core members use services of professional enablers, or
that the network itself consists of professional service providers. In 7 of these networks,
however, the police investigation was not directed at this group of suspects and provided
little insight into these offenders. Three networks do not use services of professional
enablers at all. The networks that do use professional enablers use them for ICT
services such as malware writing or developing phishing sites (7 networks), supplying
false identity documents (6 networks), recruitment of money mules (6 networks),
cashing of money (4 networks) and money laundering (1 network). Below, some
examples of these services are described.
The IT services used by 7 networks include the development of phishing sites,
supplying large amounts of e-mail addresses and manufacturing of malware. The core
members of networks 13 and 15 purchase malware through a forum. One of the core
members of network 15 is the technical man of this network. He is responsible for
technical aspects of the crime script, such as infecting computers with malware and
encrypting communication. The network uses unique malware, which has most likely
been developed by the technical man himself, but this core member also uses forums to
look for new criminal tools. The core member of network 13 does not make the
malware he uses in attacks himself but buys malware from a forum. Furthermore,
internet taps show that he frequently visits forums where criminal enablers offer all
kinds of services. He places several requests on these forums, for example, to send large
amounts of e-mails. He also places a call in which he asks for a programmer who can
solve a specific problem with a website of a bank.
The core members of network 6 also use malware to carry out their attacks. It is
unclear whether the malware was purchased or self-developed. It is, however, clear that
the core members use a forum to come into contact with people who can translate texts
of phishing mails and e-mails to recruit money mules. The texts are translated from
Russian into English, German, and Dutch. Furthermore, one of the core members
negotiates with a member of the forum who offers spamming services that can be used
to send large amounts of e-mails.
Another service for which core members use enablers is forging identity papers. Five
phishing networks and one malware network used enablers for this purpose. These
forged documents are used by money mules to open multiple bank accounts, to collect
large sums of money in bank offices (identification is required to withdraw large
amounts of money), or to send money abroad using money transfers. In none of the
networks does it become clear who these enablers actually are.
Recruited enablers
Networks also regularly use recruited enablers. Fourteen of the 18 networks use this type of
enabler. Examples are money mule recruiters (N = 14), cashers who ensure the
money which has been withdrawn from the accounts of money mules gets to the core
members (N = 9), bank employees who, for example, provide core members with
information about potential victims (N = 2), postal employees who intercept post with
newly requested logins to online bank accounts (N = 2), callers who telephone victims
and try to obtain transaction codes (N = 2), and an employee of a telecommunications
company who is able to swap SIM cards of telephones allowing transaction codes sent
to victims’ mobile phones to be redirected to the criminals (N = 1). Below, some
examples of money mule recruiters / cashers and bank employees are presented.
Fourteen networks use recruiters providing new money mules to the core members. Within
9 networks, money mule recruiters are also responsible for cashing the money. Money
mules are essential to the core members because money from victim accounts is
transferred to the money mules accounts. Without the bank account of money mules,
the money would be transferred directly to the core members and they would be easily
identified by the bank or the police. Recruiters often operate within the area in which
they live and use their social network to recruit new money mules. In the case of
network 8, for example, only young people in the city of The Hague are used. One of
the core members of this network operates from Amsterdam. This core member is in
contact with a network that is specialized in the recruitment of money mules and
cashing the illegally obtained money. The group of recruiters and cashers in The Hague
only recruit money mules in their own region. One of the money mules states: ‘I
already said that everybody in the Netherlands is doing this. Particularly young people.
You can make easy money and many want to do that. Many young people or junkies
who have nothing to lose.’ This money mule was recruited on the streets of The Hague
by someone he vaguely knew from his neighborhood. He came across this person every
once in a while and was offered money multiple times to lend his bank card and PIN
code. Another example of recruitment within one particular area is case 10. The
network of recruiters employed by network 10 only recruited money mules within a
particular ethnic community in a medium-sized town in the North-West of the Netherlands. These money mules received a fee for their services, so it was not difficult
for recruiters to engage new money mules. New money mules even approached
recruiters on their own initiative. Interrogations provide evidence that ‘on the
street’ everybody knew that the recruiter was involved in criminal activities in
which easy money could be made.
The bank employees involved in the criminal activities are all in the immediate
vicinity of core members. They are approached by core members or recruiters to deliver
specific services. Some bank employees reported being put under pressure; others
cooperated because they got financial compensation. The bank employees provide
detailed information from bank systems that is used by the core members. The bank
employees work in the call centers of several large banks. In order to work there, they
need a ‘Certificate of Good Conduct’. Furthermore, these employees usually have
completed a relevant study (e.g. Financial Services). Through their work, these employees have access to customer data and are able to make changes in customers’
accounts. Core members use these data, for example, to cherry pick wealthy customers,
to convince customers they talk with a bank employee because they can provide
information that only the bank knows, and to increase cashing limits of victims’
accounts (so stolen money can be cashed more easily).
Money mules
Seventeen networks use money mules. These people are used to break the money trail to core
members. Money mules are recruited by core members themselves (4 networks),
professional enablers (4 networks), and/or recruited enablers (14 networks). In most
cases, money mules also offer their ‘services’ spontaneously to recruiters. This happens, for example, if a recruiter recruits long enough in one specific area. After some
time, it becomes ‘common knowledge’ that easy money can be made by providing a
debit card and security code. New money mules then approach recruiters or previously
recruited money mules, and make clear that they also want to earn money.
Taxonomy
Sections 4 and 5 provide evidence that networks have different characteristics. There are
differences in the composition of networks (e.g. the number and type of enablers) and
criminal capabilities (e.g. degree of technology use and interaction between offenders
and victims). Additionally, international components can be recognized at different
levels within the networks (at the level of core members, enablers, and victims). Finally,
there are both specialists and generalists; networks carrying out one specific type of
attack and networks performing a variety of criminal activities.
To provide insight into the relationship between the crime script, international
components, and the degree of specialization of networks, we created a taxonomy of
the networks. In Fig. 2, the 18 networks are plotted along an X-axis and a Y-axis. The X-axis indicates the degree to which a network has international components. Each
network has a score between 1 and 4 points. The network gets 1 point if both the core
members and enablers only operate from the Netherlands, and if only victims are made
in the Netherlands. If there are (also) core members or enablers involved operating from
countries other than the Netherlands or if there are victims outside of the Netherlands, a
network receives one extra point for each of these categories. In total, a network is able
to get 4 points. The Y-axis represents the degree of technology use and the offender-victim
interaction. Again, networks can get a score between 1 and 4 points.
Networks performing low-tech attacks with a high degree of offender-victim
interaction get 4 points. 3 points are for networks performing low-tech attacks
with a low degree of offender-victim interaction. Networks executing high-tech
attacks with a low degree of offender-victim interaction receive 2 points and
networks carrying out high-tech attacks without offender-victim interaction get 1
point. Finally, Fig. 2 shows whether a network consists of specialists who are
engaged in one type of attack or whether the network deployed all kinds of criminal
activities. Specialist networks are grey in Fig. 2.
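To make the two scoring rules concrete, here is an added helper (not the authors’ code) that computes the X and Y scores as defined above, labels the quadrant, and renders a plain-text version of the Fig. 2 grid. The network records are constructed to illustrate the rules; they are not the paper’s scored data.

```python
from dataclasses import dataclass
from typing import Iterable

# Y-axis mapping as defined in the text: modus operandi category -> points
MODUS_OPERANDI_POINTS = {
    "low-tech/high-interaction": 4,
    "low-tech/low-interaction": 3,
    "high-tech/low-interaction": 2,
    "high-tech/no-interaction": 1,
}


@dataclass(frozen=True)
class Network:
    name: str
    core_members_abroad: bool  # core members (also) operate outside the Netherlands
    enablers_abroad: bool      # enablers (also) operate outside the Netherlands
    victims_abroad: bool       # victims are (also) made outside the Netherlands
    modus_operandi: str        # one of the MODUS_OPERANDI_POINTS keys
    specialist: bool           # engaged in one type of attack only (grey in Fig. 2)


def international_score(n: Network) -> int:
    """X-axis: 1 point if everything is domestic, plus 1 per category abroad (max 4)."""
    return 1 + int(n.core_members_abroad) + int(n.enablers_abroad) + int(n.victims_abroad)


def technology_score(n: Network) -> int:
    """Y-axis: 4 for low-tech/high-interaction down to 1 for high-tech/no-interaction."""
    try:
        return MODUS_OPERANDI_POINTS[n.modus_operandi]
    except KeyError:
        raise ValueError(f"unknown modus operandi category: {n.modus_operandi!r}") from None


def quadrant(n: Network) -> str:
    """Coarse placement matching the corner labels of Fig. 2."""
    tech = "low-tech" if technology_score(n) >= 3 else "high-tech"
    reach = "local" if international_score(n) <= 2 else "international"
    return f"{tech}/{reach}"


def render_grid(networks: Iterable[Network]) -> str:
    """Plain-text Fig. 2: rows are Y scores 4..1 (low-tech at the top), columns are
    X scores 1..4 (local at the left). Specialist networks are marked with '*'."""
    cells = {(x, y): [] for x in range(1, 5) for y in range(1, 5)}
    for n in networks:
        label = n.name + ("*" if n.specialist else "")
        cells[(international_score(n), technology_score(n))].append(label)
    rows = ["Y\\X " + "".join(f"{x:^12}" for x in range(1, 5))]
    for y in range(4, 0, -1):
        rows.append(f"{y:^4}" + "".join(f"{','.join(cells[(x, y)]):^12}" for x in range(1, 5)))
    return "\n".join(rows)


# Constructed sample records, loosely patterned on the paper's narrative
# (hypothetical, not the authors' scored data).
SAMPLE = [
    Network("phish-A", False, True, False, "low-tech/high-interaction", False),  # X=2, Y=4
    Network("phish-B", False, False, False, "low-tech/high-interaction", True),  # X=1, Y=4
    Network("phish-C", False, False, False, "low-tech/low-interaction", True),   # X=1, Y=3
    Network("mal-D", True, True, True, "high-tech/no-interaction", False),       # X=4, Y=1
    Network("mal-E", False, True, False, "high-tech/low-interaction", True),     # X=2, Y=2
]

if __name__ == "__main__":
    for n in SAMPLE:
        print(f"{n.name:8} X={international_score(n)} Y={technology_score(n)} {quadrant(n)}")
    print(render_grid(SAMPLE))
```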
Figure 2 shows that the 18 networks cannot easily be divided into two sharply
defined categories. However, there are clear differences between networks carrying out
low-tech attacks and high-tech attacks. Low-tech networks, for example, make no
victims in other countries and core members and enablers generally operate from the
same country. The high-tech networks, on the contrary, have more international
components. The 4 high-tech networks with the highest ‘international’ score consist
of core members and/or enablers from different countries and get victims from several
countries. The two high-tech networks with the lowest degree of international components carry out high-tech attacks in the Netherlands and operate from the Netherlands.
Forums are used to recruit other suitable co-offenders in other countries (both core
members or professional enablers).
[Fig. 2: scatter plot of the 18 networks; axis labels Low Tech (top), High Tech (bottom), Local (left), International (right)]
Fig. 2 Taxonomy of phishing and malware networks. The X-axis indicates the degree to which a network has
international components (ranging from networks with all the members of the networks and victims operating
from the same country to networks with members operating from different countries and victims in different
countries). The Y-axis represents the degree of technology use and the offender-victim interaction (ranging
from networks performing low-tech attacks with a high degree of offender-victim interaction to networks
carrying out high-tech attacks without offender-victim interaction). Finally, specialist networks carrying out
one type of attack are grey. For a more extensive explanation, see section 6
Furthermore, networks with specialists focusing on one type of crime can be seen in
both low-tech and high-tech networks. These specialist networks have more often a
local than an international focus.
Conclusion and discussion
Conclusion
There appears to be a greater variety of networks than the empirical studies of Soudijn
and Zegers [20] and Leukfeldt [15] show. Networks cannot simply be classified into
high-tech networks with specialists who perform international attacks versus low-tech
networks of criminal all-rounders who perform local attacks: technology use, the
degree of offender-victim interaction, and international components create a more
variegated set of arrangements. The most obvious differences are related to the
international capabilities of low-tech networks and high-tech networks. And apparently,
high-tech networks are able to carry out their attacks with fewer core members and
enablers.
The crime scripts of networks have much in common. First, getting hold of
credentials and one-time transaction authentication codes of victims in order to gain
control over online bank accounts. Second, making transactions from victim accounts
to the accounts of money mules, cashing out the transferred money, and getting the
money to the core members. However, there are differences in exactly how networks
carry out their crime scripts. These differences are related to obtaining user credentials
and transaction authentication codes. The extent of ICT use and degree of offender-victim interaction differ. The modus operandi of the networks can, therefore, be divided
into four categories: low-tech attacks with a high degree of direct offender-victim
interaction, low-tech attacks with a low degree of direct interaction, high-tech attacks
with a low degree of interaction and high-tech attacks without interaction.
The networks in our analysis are fluid. Although the core members of the networks
form a more or less consistent group of criminals, the general composition of networks
changes frequently. Subgroups of core members execute secondary criminal activities,
and individual core members work together with criminals from outside the criminal
network to commit all kinds of crimes.
Within all networks, four roles can be distinguished: core members, professional
enablers, recruited enablers, and money mules. Core members are those members
initiating and coordinating attacks on online banking. They direct and/or control the
members with other roles. Enablers provide necessary services for the execution of
criminal activities. A distinction can be made between professional enablers (offering
their services to all kinds of criminal networks) and enablers who are recruited by core
members themselves. Money mules are used by the core members or enablers to
interrupt the financial trail to the core members.
Discussion
Differences between the analyzed networks mainly boil down to technology use. The
higher the degree of technology use, the less interaction between offenders and victims.
Thanks to technology use, high-tech networks are able to execute successful attacks
without much interaction with victims. The degree of offender-victim interaction is
important because the victim has the opportunity to notice the attack during these
interactions. If there is no direct interaction at all, such as in the attacks by network 18,
the possibilities for users to protect themselves are very limited.
It also appears that high-tech networks more often than low-tech networks operate
internationally and consist of relatively few core members and enablers. For these
networks, forums play an important role as digital offender convergence settings. On
forums, core members are able to search and find other suitable co-offenders and/or
purchase malware to carry out attacks. Forums enable a small group of core members to
have a high impact. Some of our analyzed cases show that individual core members end
up at criminal forums out of curiosity. On these forums, they connect with other
members, ask all sorts of questions, and experiment with offered criminal tools and
services. From core members of other networks, it is unknown how they ended up at
the forums they used to search for co-offenders or criminal tools. This is an important
topic for further research. Questions that need to be answered include what the
exact role of forums is in the origin and growth of cybercriminal networks,
how core members end up on a forum for the first time, and how new criminal
alliances are forged.
Research limitations
The analysis of criminal investigations presented in this article provides a
unique view of the different roles and functions within cybercriminal networks
and the criminal capabilities of these networks. The methodology, however, also
has some limitations.
First of all, our analyses are based on a limited number of criminal networks in the
Netherlands. We were able to track down 18 criminal investigations. Our study shows
that investigations provide a good picture of the different layers and roles within
cybercriminal networks and the criminal capabilities of these networks. However,
because of differences in priorities, capacity, and expertise in the area of cybercrime,
the same sort of analysis in other countries might provide different insights. The
methodology used in our study can also be applied in other countries to supplement
our analysis.
Furthermore, only criminal investigations and interviews with persons who
were involved in carrying out these investigations are used. We only have information about cybercriminal networks known to and investigated (successfully) by
the police. There is no knowledge about networks that remain invisible for law
enforcement. For a more extensive review of methodological questions concerning
the use of police investigations, see [8]. Future research should also focus on
criminal networks that are able to avoid police attention and should also use other
methods than file analysis.
Finally, we only analyzed cybercriminal networks carrying out phishing and
malware attacks on online banking. Whether criminal networks engaged in other forms
of cybercrime, such as extorting businesses with ransomware or DDoS attacks, have
the same characteristics is unknown. Future research should therefore also focus on
criminal networks that commit other types of cybercrime.
References
1. Aston, M., McCombie, S., Reardon, B., & Watters, P. (2009). A preliminary profiling of internet money
mules: an Australian perspective. Proceedings of the 2009 Symposia and Workshops on Ubiquitous,
Autonomic and Trusted Computing, IEEE Computer Society, 482–487.
2. Choo, K.K.R. (2008). Organised crime groups in cyberspace: a typology. Trends in Organized Crime,
3(11), 270–295.
3. Felson, M. (2003). The process of co-offending. In M. J. Smith & D. B. Cornish (Eds.), Theory for
practice in situational crime prevention (volume 16) (pp. 149–168). Devon: Willan Publishing.
4. Felson, M. (2006). The ecosystem for organized crime (HEUNI paper nr 26). Helsinki: HEUNI.
5. Grabosky, P. N. (2004). The global dimensions of cybercrime. Global Crime, 6(1), 146–157.
6. Holt, T. J., & Bossler, A. M. (2014). An assessment of the current state of cybercrime scholarship. Deviant
Behavior, 35(2014), 20–40.
7. Kleemans, E. R. (2007). Organized crime, transit crime, and racketeering. Crime and Justice. A Review of
Research, 35, 163–215.
8. Kleemans, E. R. (2014). Organized Crime Research: Challenging Assumptions and Informing Policy. In
J. Knutsson & E. Cockbain (Eds.), Applied Police Research: Challenges and Opportunities. Crime
Science Series. Cullompton: Willan.
9. Kleemans, E. R., & De Poot, C. J. (2008). Criminal careers in organized crime and social opportunity
structure. European Journal of Criminology, 5(1), 69–98.
10. Kleemans, E. R., & Van de Bunt, H. G. (1999). The social embeddedness of organized crime.
Transnational Organized Crime, 5(2), 19–36.
11. Kleemans, E.R., Van der Berg, A.E.I.M. & Van de Bunt, H.G. (1998). Georganiseerde criminaliteit in
Nederland. Rapportage op basis van de WODC monitor. [Organized crime in the Netherlands] Den Haag:
WODC.
12. Kleemans, E.R., Brienen, M.E.I., Van de Bunt, H.G., Kouwenberg, R.F., Paulides, G., & Barensen, J.
(2002). Georganiseerde criminaliteit in Nederland. Tweede rapportage op basis van de WODC-monitor.
[Second report on organized crime in the Netherlands] Den Haag: WODC.
13. Kruisbergen, E.W., Van de Bunt, H.G., Kleemans, E.R., & Kouwenberg, R.F. (2012). Georganiseerde
criminaliteit in Nederland. Vierde rapportage op basis van de Monitor Georganiseerde Criminaliteit.
[Fourth report on organized crime in the Netherlands] Den Haag: Boom Lemma.
14. Lastdrager, E. E. H. (2014). Achieving a consensual definition of phishing based on a systematic review
of the literature. Crime Science, 3(9), 1–6.
15. Leukfeldt, E.R. (2014). Cybercrime and social ties. Phishing in Amsterdam. Trends in Organized Crime,
17(4), 231–249.
16. Leukfeldt, E.R., Kleemans, E.R., & Stol, W.P. (2016). Cybercriminal Networks, Social Ties and Online
Forums: Social Ties Versus Digital Ties within Phishing and Malware Networks. British Journal of
Criminology (accepted for publication / online first).
17. McCombie, S.J. (2011). Phishing the long line. Transnational cybercrime from Eastern Europe to
Australia. (PhD thesis). Sydney: Macquarie University.
18. McGloin, J. M., & Kirk, D. S. (2010). An overview of social network analysis. Journal of Criminal
Justice Education, 21(2), 169–181.
19. Scott, J., & Carrington, P. J. (2011). The SAGE Handbook of Social Network Analysis. London: SAGE
Publications.
20. Soudijn, M. R. J., & Zegers, B. C. H. T. (2012). Cybercrime and virtual offender convergence settings.
Trends in Organized Crime, 15(2–3), 111–129.
21. Van de Bunt, H.G., & Kleemans, E.R. (2007). Georganiseerde criminaliteit in Nederland, derde
rapportage op basis van de Monitor Georganiseerde Criminaliteit. [Third report on organised crime in
the Netherlands] Den Haag: WODC.
22. Wall, D. S. (2007). Cybercrime. The Transformation of Crime in the Information Age. Cambridge: Polity
Press.
Crime, Law & Social Change is a copyright of Springer, 2017. All Rights Reserved.
Reproduced with permission of copyright owner. Further reproduction
prohibited without permission.
International Journal of Cyber Criminology
Vol 8 Issue 1 January - June 2014
Copyright © 2014 International Journal of Cyber Criminology (IJCC) ISSN: 0974 – 2891
January – June 2014, Vol 8 (1): 1–20.
This is an Open Access paper distributed under the terms of the Creative Commons Attribution-NonCommercial-Share Alike License, which permits unrestricted non-commercial use, distribution, and
reproduction in any medium, provided the original work is properly cited. This license does not permit
commercial exploitation or the creation of derivative works without specific permission.
Organizations and Cyber crime: An Analysis of
the Nature of Groups engaged in Cyber Crime
Roderic Broadhurst,1 Peter Grabosky,2 Mamoun Alazab3 & Steve Chon4
ANU Cybercrime Observatory, Australian National University, Australia
Abstract
This paper explores the nature of groups engaged in cyber crime. It briefly outlines the definition and
scope of cyber crime, theoretical and empirical challenges in addressing what is known about cyber
offenders, and the likely role of organized crime groups. The paper gives examples of known cases
that illustrate individual and group behaviour, and motivations of typical offenders, including state
actors. Different types of cyber crime and different forms of criminal organization are described drawing
on the typology suggested by McGuire (2012). It is apparent that a wide variety of organizational
structures are involved in cyber crime. Enterprise or profit-oriented activities, and especially cyber crime
committed by state actors, appear to require leadership, structure, and specialisation. By contrast,
protest activity tends to be less organized, with weak (if any) chain of command.
Keywords: Cybercrime, Organized Crime, Crime Groups; Internet Crime; Cyber
Offenders; Online Offenders, State Crime.
Introduction
Discussions of cyber crime, and of organized crime more generally, are plagued by
stereotypes. On the one hand, the image of the lone hacker belies the collective nature of
much cyber crime. On the other, conventional definitions of organized crime tend to be
out of date, having been overtaken by the evolution of the phenomenon itself. This article
will explore variations in the organization of cyber crime. It will note that while most
organized cyber crime today is the work of skilled technicians who apply their knowledge
to criminal activity, there are those “terrestrial” or conventional crime groups who have
begun to harness digital technology in furtherance of criminal objectives. This distinction
will erode in the fullness of time, as digital technology becomes more pervasive.
1 Professor and Expert Advisor, ANU Cybercrime Observatory, Australian National University,
Canberra ACT 0200, Australia. Email: roderic.broadhurst@anu.edu.au
2 Professor Emeritus and Expert Advisor, ANU Cybercrime Observatory, Australian National
University, Canberra ACT 0200, Australia. Email: peter.grabosky@anu.edu.au
3 Research Associate, ANU Cybercrime Observatory, Australian National University, Canberra
ACT 0200, Australia. Email: mamoun.alazab@anu.edu.au
4 Cybercrime Researcher, ANU Cybercrime Observatory, Australian National University,
Canberra ACT 0200, Australia. Email: steve.chon@anu.edu.au
© 2014 International Journal of Cyber Criminology. All rights reserved. Under a creative commons Attribution-Noncommercial-Share Alike 2.5 India License
Today, it requires an exceptionally closed mind to deny that states are also capable of
criminal acts. Throughout recorded history, crimes by state actors have occurred in times of
peace, as well as during armed conflicts. Most recently, one notes allegations of drug
manufacture and counterfeiting by agents of the Democratic People’s Republic of Korea
(Perl, 2007). States have also engaged periodically in kidnapping and assassination, at home
and abroad. Nevertheless, the literature on organized crime has thus far tended to
overlook state and state-sponsored crime. Governments have long engaged in criminal
activity directly, or have sought the assistance of terrestrial criminals to do their “dirty
work.” Today, we find that numerous governments (or their proxies) are using Internet
technologies to commit crime. Allegations that Russia has executed or encouraged
distributed denial of service attacks, and that Chinese authorities are engaged in
widespread economic and industrial espionage, have been matched by the disclosures of
Edward Snowden that the United States Government has engaged in massive programs of
cyber-surveillance. One might also note the offensive cyber operations against Iranian
nuclear enrichment facilities (Sanger, 2012). Such activities may not be defined as criminal
under the laws of the state that undertakes them, but are usually regarded as crimes by the
state that is on the receiving end. And the activities in question are nothing, if not
organized.
Following discussions of organized crime and cyber crime respectively, the article will
review the work of McGuire (2012) and Chabinsky (2010) on varieties of cyber crime
organization, then introduce a number of cases of cyber crime committed by individuals
and by organizations. It will conclude by differentiating the objectives of individual and
organizational cyber crime offenders, and then will assess the robustness of the McGuire
and Chabinsky typologies.
Organized criminal groups in the cyber space
While many types of cyber crime require a high degree of organization and
specialization, there is insufficient empirical evidence to ascertain if cyber crime is now
dominated by organized crime groups and what form or structure such groups may take
(Lusthaus, 2013). Digital technology has empowered individuals as never before.
Teenagers acting alone have succeeded in disabling air traffic control systems, shutting
down major e-retailers, and manipulating trades on the NASDAQ stock exchange (US
Securities and Exchange Commission, 2000). What individuals can do, organizations can
also do, and often better. It is apparent that many if not all types of criminal organization
are capable of engaging in cyber crime. The Internet and related technologies lend
themselves perfectly to coordination across a dispersed area. Thus, an organized crime
group may be a highly structured, traditional mafia-like group that engages delinquent IT
professionals. Alternatively, it could be a short-lived project driven by a group that
undertakes a specific online crime and/or targets a particular victim or group. Rather than
groups, it may involve a wider community that is exclusively based online and dealing in
digital property (e.g. trading in ‘cracked’ software or distributing obscene images of
children5). It may also consist of individuals who operate alone but are linked to a
macro-criminal network (Spapens, 2010) as may be found in the ‘darknet’ and underground Tor6
sites.
5 The Internet has been used to communicate a wide variety of content deemed offensive to the point of
criminal prohibition in one or more jurisdictions. Such material includes child pornography, neo-Nazi
propaganda, and advocacy of Tibetan independence, to list but a few. Jihadist propaganda and incitement
messages also abound in cyber space.
Governments, law enforcement agencies, academic researchers, and the cyber-security
industry speculate that ‘conventional’ organized crime groups have become increasingly
involved in digital crime. The available empirical data suggest that criminals, operating
online or on the ground, are more likely to be involved in loosely associated illicit
networks rather than formal organizations (Décary-Hétu & Dupont, 2012). In recent
years, insurgent and extremist groups have used Internet technology as an instrument of
theft in order to enhance their resource base. Imam Samudra, convicted architect of the
2002 Bali bombings, reportedly called upon his followers to commit credit card fraud in
order to finance militant activities (Sipress, 2004).
Cyber criminals may operate as loose networks, but evidence suggests that members are
still located in close geographic proximity even when their attacks are cross-national. For
example, small local networks, as well as groups centred on relatives and friends, remain
significant actors. Cybercrime hot spots with potential links to organized crime groups are
found in countries of Eastern Europe and the former Soviet Union (Kshetri, 2013a; see
also Jones, 2010). Hackers from Russia and Ukraine are regarded as skilful innovators. For
example, the cyber crime hub in the small town of Râmnicu Vâlcea in Romania is one of a
number of such hubs widely reported in Eastern Europe (Bhattacharjee, 2011). There is
also increasing concern about cyber crime in China (China Daily, 2010; Pauli, 2012). The
source and extent of malware attacks (whether of domestic or foreign origin) and the scale
of malware-botnet activity remain unclear, but a substantial proportion of Chinese
computers are compromised and it is likely that local crime groups play a crucial role
(Kshetri, 2013a; Chang, 2012; Kshetri, 2013b; Broadhurst & Chang, 2013). A recent
study of spam and phishing sources found that these originated from a small number of
ISPs (20 of 42,201 observed), which the author dubbed ‘Internet bad neighbourhoods.’
One in particular, Spectranet (Nigeria), was host to 62% of IP addresses that were spam
related. Phishing hosts were mostly located in the United States, while spam originated
from ISPs located in India, Brazil and Vietnam (Moura, 2013).
Given the diversity of the types and sources of cyber crime, it is important to avoid
stereotypical images of cyber criminals, or spreading an alarmist or ‘moral panic’ narrative.
Popular images include the menacing Russian hacker in pursuit of profit, or more recently
the Chinese ‘hacker patriot.’ Such offender images offer a specific type of ‘folk devil;’
Wall (2012) regards them as inherently misleading about the assumptions of offender
action and sources of cyber crime. Despite the media image, offenders come from many
nations and motivations are diverse, although financial goals appear to dominate.7

6 Tor is an encrypted re-routing service designed to obscure the original source of an email or website on
the Internet, sometimes known as The Onion Router. Law enforcement concerns about the widespread
misuse of Tor recently led Japanese police to recommend blocking access to the service to those that
misuse it (BBC Technology, ‘Japanese police target users of Tor anonymous network’, 22 April 2013,
available at http://www.bbc.co.uk/news/technology-22248692).
7 The 2012 Verizon Data Breach Investigation Report identified that 75% of 621 confirmed breaches of data
were financially motivated. Available at http://www.verizonenterprise.com/resources/reports/rp_databreach-investigations-report-2012_en_xg.pdf.

Broadhurst, et. al. - Organizations and Cyber crime: An Analysis of the Nature of Groups engaged in Cyber Crime
The standard definition of organized crime contained in the UN Palermo Convention,8
based on the participation of three or more persons acting in concert, does not extend to
certain highly sophisticated forms of organization such as the mobilization of robot
networks that may be operated by a single person. So-called botnets involve an offender
using malicious software to acquire control over a large number of computers (the largest
including more than a million separate machines). Even though the individual and
institutional custodians of compromised computers may be unwitting participants in a
criminal enterprise, some commentators maintain that botnets mobilized by a sole offender
should be considered a form of organized crime (Chang, 2012).
Based as it is on diplomacy, consensus, and inclusiveness, the UN is disinclined to
confront state and state-sponsored criminal activity, whether on the ground or in
cyberspace. Although one can appreciate the difficulties inherent in regarding one or more
member nations as criminals, it is nevertheless unfortunate that the UN, one of the largest
and most prestigious organizations concerned with transnational organized crime,
overlooks this important dimension.
Challenges of Theory and Evidence
The absence of evidence about the extent, role, and nature of organized crime groups in
cyber space impedes the development of sound countermeasures. While a growing number
of experts consider that cyber crime has become the domain of organized groups and the
days of the lone hacker are past, little is yet known about the preferred structures and
longevity of groups, how trust is assured, and the relationship with other forms of crime.
There is an absence of evidence-based research about offender behaviour and recruitment
in cyber space, although learning and imitation play important roles (Broadhurst &
Grabosky, 2005). Hence, organized crime groups cannot be understood from their
functional (illicit) activities alone, that is, as rational profit-driven networks of criminal
actors, since socio-cultural forces also play an important role in the genesis and
sustainability of such groups. In some cases obsessive-compulsive behaviour is evident; in
others, a sense of impunity (born of over-confidence in anonymity) is apparent. As noted
above, greed may be only one of many motives. Others may be present to varying degrees,
depending on the types of crime.
Structure
McGuire’s (2012) review, based on a large sample of known cases, found that up to
80% of cyber crime could be the result of some form of organized activity. This does not
mean, however, that these groups take the form of traditional, hierarchical organized
crime groups or that these groups commit exclusively digital crime. Rather, the study
suggests that traditional organized crime groups are extending their activities to the digital
world alongside newer, looser types of crime networks. Crime groups show various levels
of organization, depending on whether their activity is purely aimed at online targets, uses
online tools to enable crimes in the ‘real’ world, or combines online and offline targets.
8 Article 2(a) of the United Nations Convention against Transnational Organized Crime defines an
‘organized criminal group [as] a structured group of three or more persons, existing for a period of time and
acting in concert with the aim of committing one or more serious crimes or offences established in
accordance with this Convention, in order to obtain, directly or indirectly, a financial or other material
benefit’. Article 2(c) clarifies that ‘a structured group shall mean a group that is not randomly formed for the
immediate commission of an offence and that does not need to have formally defined roles for its members,
continuity of its membership or a developed structure’ (United Nations, 2004).
McGuire’s review estimated that half the cyber crime groups in his sample comprised six
or more people, with one-quarter of groups comprising over 10 individuals. One-quarter
of cyber crime groups had operated for less than 6 months. However, the size of the
group or the duration of their activities did not predict the scale of offending, as small
groups can cause significant damage in a short time.
McGuire (2012) has suggested a typology of cyber crime groups, which comprises six
types of group structure. He emphasized that ‘these basic organizational patterns often
cross-cut in highly fluid and confusing ways’ and the typology represents a ‘best guess,’
based on what we currently know about cyber offenders. He notes that the typology is
likely to change as the digital environment evolves. McGuire’s typology includes three
main group types, each divided into two subgroups depending on the strength of
association between members:
Type I groups operate essentially online and can be further divided into swarms and
hubs. They are mostly ‘virtual’ and trust is assessed via reputation in online illicit activities.
• Swarms share many of the features of networks and are described as ‘disorganized
organizations [with] common purpose without leadership.’ Typically swarms have
minimal chains of command and may operate in viral forms in ways reminiscent of
earlier ‘hacktivist’ groups. Swarms seem to be most active in ideologically driven
online activities such as hate crimes and political resistance. The group Anonymous
illustrates a typical swarm-type group (Olson, 2012): see Figure 1.
Figure 1: Simplified visual illustration of a swarm.
• Hubs, like swarms, are essentially active online but are more organized with a clear
command structure. They involve a focal point (hub) of core criminals around
which peripheral associates gather. Their online activities are diverse, including
piracy, phishing attacks, botnets and online sexual offending. McGuire reports that
the distribution of scareware often involves hub-like groups. Markets that trade in
credit card details and narcotics bazaars such as Silk Road would also fit this model
(United States of America v Ross William Ulbricht, 2013): see Figure 2.
Figure 2: Simplified visual illustration of a hub.
Type II groups combine online and offline offending and are described as ‘hybrids’,
which in turn are said to be ‘clustered’ or ‘extended.’
• In a clustered hybrid, offending is articulated around a small group of individuals and
focused around specific activities or methods. They are somewhat similar in
structure to hubs, but move seamlessly between online and offline offending. A
typical group will skim credit cards, then use the data for online purchases or on-sell the
data through carding networks (McGuire, 2012, p. 50; Soudijn & Zegers, 2012).
• Groups of the extended hybrid form operate in similar ways to the clustered hybrids
but are a lot less centralized. They typically include many associates and subgroups
and carry out a variety of criminal activities, but still retain a level of coordination
sufficient to ensure the success of their operations.
Type III groups operate mainly offline but use online technology to facilitate their
offline activities. McGuire argues that this type of group needs to be considered because
they are increasingly contributing to digital crime. Like the previous group-types, Type III
groups can be subdivided into ‘hierarchies’ and ‘aggregates’, according to their degree of
cohesion and organization.
• Hierarchies are best described as traditional criminal groups (e.g. crime families),
which export some of their activities online. For example, the traditional interest
of some mafia groups in prostitution now extends to pornography websites; other
examples include online gambling, extortion, and blackmail through threats of
shutting down systems or accessing private records via malware attacks or hacking.
(US v Fiore et al (2009); United States Attorney, Eastern District of New York,
2003).
• Aggregate groups are loosely organized, temporary, and often without clear purpose.
They make use of digital technologies in an ad hoc manner, which nevertheless can
inflict harm. Examples include the use of Blackberry or mobile phones to
coordinate gang activity or public disorder, as occurred during the 2011 UK riots
or the Sydney riots in September 2012 (Cubby & McNeilage, 2012).
The most sophisticated cyber crime organizations are characterized by substantial
functional specialization and divisions of labour. The following roles, outlined in a speech
by a representative of the US Federal Bureau of Investigation’s Cyber Division, illustrate
the kind of roles that a major fraud conspiracy may entail (Chabinsky, 2010):
• Coders or programmers write the malware, exploits, and other tools necessary to
commit the crime.
• Distributors or vendors trade and sell stolen data, and vouch for the goods
provided by the other specialties.
• Technicians maintain the criminal infrastructure and supporting technologies, such
as servers, ISPs, and encryption.
• Hackers search for and exploit vulnerabilities in applications, systems, and
networks in order to gain administrator or payroll access.
• Fraud specialists develop and employ social engineering schemes, including
phishing, spamming, and domain squatting.
• Hosts provide “safe” facilities of illicit content servers and sites, often through
elaborate botnet and proxy networks.
• Cashers control drop accounts and provide those names and accounts to other
criminals for a fee; they also typically manage individual cash couriers, or “money
mules.”
• Money mules transfer the proceeds of frauds which they have committed to a third
party for further transfer to a secure location.
• Tellers assist in transferring and laundering illicit proceeds through digital currency
services and between different national currencies.
• Executives of the organization select the targets, and recruit and assign members to
the above tasks, in addition to managing the distribution of criminal proceeds.
This ideal type is not necessarily limited to a formal, fixed organization. Some functions
may be outsourced, as was the case with the Koobface group discussed below. The
organization of cyber crime may also occur at a wider level involving networks of
individuals who meet and interact within online discussion forums and chat rooms. Some
discussion forums function as 'virtual' black markets that advertise, for example, stolen
credit card numbers (Holt & Lampke, 2010). Among Chinese cyber criminals, QQ is a
popular instant messaging and chat service, as well as the preferred choice for private
contact linked to ‘carding’ – the market in stolen credit cards and their acquisition (Yip,
2011). Given the ephemeral nature of many of the interactions, such networks operate as
criminal macro-networks rather than closely knit groups.
There may also be other potentially useful paradigms of describing organizations in
cyber crime. Drawing from economic geography, the clustering of businesses that provide
similar products in the same vicinity is commonly found throughout the world. Tor sites,
such as Silk Road, become ‘hot spots’ for illicit markets by attracting buyers and sellers
involved in the online drug trade. Likewise, Râmnicu Vâlcea, mentioned previously,
consists of a high concentration, or cluster, of offenders in a single city in Eastern Europe.
In organizational studies, complexity theory, derived from systems theory, may also help
explain the dynamic nature and collective behaviour of groups. Cybercrime groups may
engage in one type of crime, and then move to other crimes that use different modus
operandi. Carberp, a software tool kit designed to steal from banks, was initially intended for
private use and accessible only to a small exclusive group of cyber criminals, but was later
made available for sale to others: an illustration of the way a criminal business model evolves.
Examples of cyber crimes and offenders
The first set of illustrative cases involves individual offenders.
1. Ryan Cleary: DDoS on SOCA
Police in the UK arrested 19-year-old Ryan Cleary for allegedly orchestrating a
distributed denial-of-service (DDoS) attack against the website of the British Serious
Organised Crime Agency (SOCA) website in 2011, and the websites of the International
Federation of the Phonographic Industry and the British Phonographic Industry during
the previous year. Cleary allegedly rented and sublet a large botnet to conduct the attack.
He was associated with the hacking group LulzSec, although the group itself denied that
he was a member, claiming that he was merely a loose associate. Cleary’s arrest followed
his exposure by Anonymous who published his name, address, and phone number as
retaliation for his hacking into the group AnonOps’ website and exposing over 600
nicknames and IP addresses. Cleary was reported as stating that AnonOps was ‘publicity
hungry.’ He pleaded guilty to most of the charges, and in May 2013 was sentenced to
imprisonment for 32 months (The Guardian, 2013; see also Olson, 2012). The motive
here appears to have been grounded in ideology and the desire to challenge powerful
interests.
2. Andrew Auernheimer: Apple iPad Snoop
In June 2010, 25-year-old Andrew Auernheimer managed to obtain the email addresses
of 114,000 iPad users including celebrities and politicians, by hacking the website of the
telecommunication company AT&T. Auernheimer was a member of the group Goatse
Security, that specializes in uncovering security flaws. The attack was carried out when
Auernheimer and other hackers realized they could trick the AT&T site into offering up
the email address of iPad users if they sent an HTTP request that included the SIM card
serial number for the corresponding device. Simply guessing serial numbers, a task made
easy by the fact that they were generated sequentially during manufacturing, allowed
access to a large number of addresses. Auernheimer and Goatse released details about the
attacks to Gawker Media. Shortly after, the FBI arrested Auernheimer in connection with
the breach. In March 2013, he was sentenced to 3 ½ years in prison for exploiting an
AT&T security flaw (Chickowski, 2011; Thomas, 2013). The facts here are consistent
with a desire to demonstrate technical proficiency.
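The weakness behind this case is a lookup that answers any request carrying a guessable device serial. As an added illustration (not code from the paper or from AT&T), the function below reproduces that shape beside a hardened registry; the serials, e-mail addresses, class and method names are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed registry (not real data): sequential ICC-ID-style serials, as the
# text describes, mapped to the e-mail address registered for each device.
DEVICES = {
    "8901410000000000100": "alice@example.invalid",
    "8901410000000000101": "bob@example.invalid",
    "8901410000000000102": "carol@example.invalid",
}


def vulnerable_lookup(serial: str) -> Optional[str]:
    """The pattern the text describes: whoever sends a serial gets the e-mail
    back. Nothing ties the request to the person who owns the device, and the
    serials are sequential, so one valid value reveals its neighbours."""
    return DEVICES.get(serial)


@dataclass(frozen=True)
class Session:
    """Result of an authenticated login; device_token is the only handle the
    client is ever given for its device (hypothetical design, not AT&T's)."""
    user_email: str
    device_token: str


class HardenedRegistry:
    """Three controls that remove the enumeration the text describes:
    1. the lookup key is a random 128-bit token, never the sequential serial;
    2. the token must match the one bound to the caller's authenticated session;
    3. a caller that keeps failing is cut off."""

    MAX_FAILURES = 5

    def __init__(self, devices: Dict[str, str]) -> None:
        self._email_by_token: Dict[str, str] = {}
        self._token_by_email: Dict[str, str] = {}
        for _serial, email in devices.items():
            token = secrets.token_hex(16)  # 128 bits of randomness per device
            self._email_by_token[token] = email
            self._token_by_email[email] = token
        self._failures: Dict[str, int] = {}

    def open_session(self, user_email: str) -> Session:
        """Assumes the user already proved identity out of band (for example
        a password login); only then is the device token handed out."""
        return Session(user_email, self._token_by_email[user_email])

    def lookup(self, session: Session, token: str, caller_id: str) -> Optional[str]:
        """Return the e-mail for `token` only if it is the caller's own device."""
        if self._failures.get(caller_id, 0) >= self.MAX_FAILURES:
            return None  # throttled: too many bad requests from this caller
        # Constant-time comparison so a near-miss token cannot be told apart
        # from a completely wrong one by response timing.
        if not hmac.compare_digest(token, session.device_token):
            self._failures[caller_id] = self._failures.get(caller_id, 0) + 1
            return None
        return self._email_by_token.get(token)

    def failures_for(self, caller_id: str) -> int:
        """Number of rejected lookups recorded for a caller (for monitoring)."""
        return self._failures.get(caller_id, 0)
```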
3. Aaron Swartz: Content Downloader
A programmer and Fellow at Harvard University’s Safra Center for Ethics, 24-year-old
Aaron Swartz was indicted in 2011 after he downloaded more than 4 million academic
articles through the Massachusetts Institute of Technology (MIT) network connection to
JSTOR, an online academic repository. Swartz used anonymous log-ins on the network
in September 2010 and actively worked to mask his log-ins when MIT and JSTOR tried
to stop the massive drain of copyrighted material. After JSTOR shut down the access to its
database from the entire MIT network, Swartz went on campus, directly plugged his
laptop into the information infrastructure of an MIT networking room, and left it hidden as it
downloaded more content. However, an IT administrator reported the laptop to the
authorities. A hidden webcam was installed and when Swartz came and picked up his
laptop, he was identified and arrested. Swartz did not steal any confidential data and, once
the content of the site had been secured, JSTOR did not wish to initiate legal action;
however, federal prosecutors went ahead and charged Swartz with 13 felony counts
(United States of America v Aaron Swartz, 2012).
Swartz was known as ‘a freedom-of-information activist’ who called for civil
disobedience against copyright laws, particularly in relation to the dissemination of
publicly funded research. Swartz said he was protesting how JSTOR stifled academic
research and that he had planned to make the articles he downloaded publicly and freely
available. Swartz committed suicide in early 2013, before his court case was finalised. His
family accused the government of having some responsibility for his death because of the
overzealous prosecution of what they described as a non-violent victimless crime. In
March 2013 he was posthumously awarded the James Madison Award by the American
Library Association, a prize to acknowledge those who champion public access to
information (Bort, 2013; Cohen, 2013). Swartz, whose activities were consistent with the
hacker ethos that information should be free, was obviously rebelling against the prevailing
system of intellectual property protection.
4. Christopher Chaney: Celebrity Hackerazzi
In what amounted to ‘cyber stalking’, celebrity-obsessed Christopher Chaney, aged 35,
used publicly available information from celebrity blog sites to guess the passwords to
Google and Yahoo email accounts owned by over 50 stars, including Scarlett Johansson,
Mila Kunis, and Christina Aguilera. He successfully managed to hack into the accounts
and set up an email-forwarding system to send himself a copy of all emails received by the
stars. From November 2010 to October 2011, Chaney had access to emails, photos, and
confidential documents. He was responsible for the release of nude photos of Scarlett
Johansson that subsequently circulated on the Internet. He was also accused of circulating
nude photos of two (non-celebrity) women but he denied this. FBI investigators did not
give details of how they tracked Chaney, who was sentenced to 10 years jail in December
2012. Chaney apologized for his actions; he said that he empathized with the victims but
could not stop what he was doing (Eimiller, 2011; Chickowski, 2011). The facts indicate
voyeurism reinforced by obsessive/compulsive behaviour.
5. Sam Yin: Gucci Hacker
Fired after being accused of selling stolen Gucci shoes and bags on the Asian grey
market, a former Gucci IT employee, Sam Yin, aged 34, managed to hack into the
company’s system using a secret account he had created while working, and a bogus
employee’s name. He shut down the whole operation’s computers, cutting off employee
access to files and emails for nearly an entire business day. During that day he deleted
servers, destroyed storage set-ups and wiped out mailboxes. Gucci estimated the cost of
the intrusion at $200,000. Yin was sentenced to prison for a minimum of 2 years and a
maximum of 6 years in September 2012 (Italiano, 2012). This appears to have been a clear
case of retaliation by a disgruntled former employee.
6. Edward Pearson: Identity Theft
Originally from York, Northern England, 23-year old Edward Pearson stole 8 million
identities, 200,000 PayPal account details, and 2,700 bank card numbers between January
2010 and August 2011. Using the malware ZeuS and SpyEye, which he used to suit his
purpose, he managed to not only hack into the PayPal website but also into the networks
of AOL and Nokia, which remained down for two weeks. Pearson was finally caught after
his girlfriend tried to use forged credit cards to pay hotel bills. He was described as
‘incredibly talented’ and a clever computer coder, who had been active in cyber crime
forums for several years prior to his hacking spree. His lawyer, however, argued that
Pearson was not so interested in making money but that hacking was ‘an intellectual
challenge’. A prosecutor estimated that based on the information he had taken, he could
potentially have stolen $13 million; yet, before his arrest, he had only stolen around
$3,700, which he had spent on takeaway meals and mobile phone bills. Pearson was
sentenced to 26 months jail in April 2012 (Liebowitz, 2012).
All the above offenders were male; four were under 30 when they committed their
offences, the other two were in their mid-30s. Only one of these cases had a financial
motive, although Pearson, the offender, denied this. Cleary and Auernheimer claimed that
the reason for their offending was, at least in part, altruistic. They wanted to demonstrate
that despite claims to the contrary, the data repository of large corporations and
organizations, which kept important confidential information on their clients, was not
secure. It is likely that the desire for fame and recognition of their skills also played a part
in their actions. Swartz was also motivated by ideology and believed that information
should be freely accessible. The two other hackers were pushed by emotional reasons:
Chaney by his obsession with celebrities, and Yin, by his desire for revenge after losing his
job. Pearson benefited financially from hacking, but he could potentially have stolen much
more. The final case illustrates the potential harm that just one cyber criminal might cause.
All faced the risk of long prison sentences, but none was deterred by the prospect.
The next set of cases involves small groups or networks of offenders, and illustrates the
diversity of criminal organizations operating across crime types.
7. LulzSec and Sony Hackers
Cody Kretsinger (nicknamed Recursion) was arrested for allegedly carrying out an
attack against Sony Pictures on behalf of LulzSec in September 2011. Kretsinger, aged 25,
was arrested when the UK-based proxy server HideMyAss, a service that disguises the
online identity of its customers, provided logs to police. These allowed them to match
time-stamps with IP addresses and identify Kretsinger (Chickowski, 2011; Olson, 2012).
In April 2012, Kretsinger pleaded guilty to unauthorised access, conspiracy and attempting
to break into computers, and he was later sentenced to one year in jail and 1,000 hours
community service. Kretsinger, along with other members of LulzSec, obtained
confidential information from the computer systems of Sony Pictures by using an SQL
injection attack against the website. They disseminated the stolen data on the Internet.
The stolen data contained confidential information such as names, addresses, phone
numbers, and e-mail addresses for thousands of Sony customers. The hackers did not use
the data illegally but wanted to demonstrate that Sony’s website was not secure. Hector
Xavier Monsegur, 28, the former alleged leader of LulzSec, was arrested in June 2011 and
agreed to act as an informant for the FBI. He provided information on his fellow hackers
and is believed to have played an important role in their identification and arrest. Other
members of LulzSec included Ryan Cleary (19), Ryan Ackroyd (27), Mustafa al-Bassam
(18), Jake Davis (18). All pleaded guilty and were sentenced in May 2013 (Italiano, 2012).
On 24 April 2013, the Australian Federal Police (AFP) arrested a Sydney man, Matthew
Flannery, known online as Aush0k, alleged to have been the leader of the LulzSec hacking
group. The activities in question constituted a protest against the commercialism of the
online entertainment industry, as well as a desire to demonstrate technical proficiency.
8. Dreamboard
Dreamboard was a members-only group that exchanged illicit images of children under
the age of twelve, until its interdiction by a multi-national police investigation begun in
2009. The operation resulted in charges against 72 people in 14 countries across five
continents. Servers were situated in the United States, and the group’s top administrators
were located in France and Canada. Rules of conduct on the site’s bulletin board were
printed in English, Russian, Japanese and Spanish. It was a very sophisticated operation
that vetted prospective members, required continuing contributions of illicit material as a
condition of membership, and rewarded those who produced and shared their own
content. Members achieved status levels reflecting the quantity and quality of their
contributions. The group used aliases rather than their actual names. Links to illicit
content were encrypted and password-protected. Access to the group’s bulletin board was
through proxy servers. These routed traffic through other computers in order to mask a
member’s true location, thereby impeding investigators from tracing the member’s online
activity (US Department of Homeland Security, 2011). The primary objective of
participants in the enterprise was sexual gratification, although competition for status
within the group was also evident.
9. DrinkOrDie
DrinkOrDie, founded in Moscow in 1993, was a group of copyright pirates who
illegally reproduced and distributed software, games, and movies over the Internet. Within
three years the group expanded internationally and counted around 65 members in 12
countries including Britain, Australia, Finland, Norway, Sweden, and the US. The
membership included a relatively large proportion of undergraduate university students
and IT professionals who were technologically sophisticated and skilled in security,
programming, and Internet communication. The group was highly organized, hierarchical
in form, and entailed a division of labour. A new program was often obtained through
employees of software companies; ‘crackers’ stripped the content of its electronic
protection; ‘testers’ made sure the unprotected version worked; and ‘packers’ distributed
the pirated version to around 10,000 publicly accessible sites around the Internet. The
content was available to casual users and to other criminal enterprises for commercial
distribution. Members were not motivated by profit but by their desire to compete with
other pirates and to achieve recognition as the first group to distribute a perfect copy of a
newly pirated product. DrinkOrDie’s most prominent achievement was its illegal
distribution of Windows 95 two weeks prior to the official release by Microsoft. The
group was dismantled by authorities in 2001 and 20 members were convicted worldwide.
Eleven people, including one woman, were prosecuted in the US in 2002. Their ages
ranged between 20 and 34 years. Two of the leaders were sentenced to 46 and 33 months
jail respectively (US Department of Justice, 2001, 2002). The principals in this case were
seeking “bragging rights”—the celebrity (or notoriety) that accompanies being the first to
distribute a perfect version of pirated content prior to the commercial release of the
product.
10. DarkMarket
DarkMarket, founded in 2005, was a website providing the infrastructure for an online
bazaar where buyers and sellers of credit card and banking details could meet, and illicit
material such as malicious software could be purchased. Banking and card details were
illicitly obtained by various means, including surreptitious recording at ATMs using
‘skimming’ devices, unauthorized access to personal or business information systems, or
techniques of ‘social engineering’ where victims were persuaded to part with the details.
Initially, trading in stolen information occurred on a one-to-one basis, but given the sheer
volume of such material, using a forum where prospective parties could interact
collectively was much more efficient. At its peak, DarkMarket was the world’s preeminent
English language ‘carding’ site, with over 2500 members from a number of
countries around the world, including the UK, Canada, the US, Russia, Turkey,
Germany and France. The group was highly organized. Prospective vendors had to prove
that they were able to provide useable credit card information, which was assessed for its
validity. Members were nominated and vetted. A maximum of four administrators ran the
site at any time. They ensured the security of the site, provided an escrow service, and
patrolled the site for ‘illicit’ activity such as dealing in drugs or child pornography. It
seemed that reputation and status were more important for these VIP members than
self-enrichment. Ordinary members, who traded in information and used the information
they bought to make money, generally sought to keep a low profile. The forum was
infiltrated by an FBI agent and the investigation resulted in 60 arrests worldwide. One of
the most prominent members, a 33-year-old Sri Lankan-born British man, was sentenced
to 5 years imprisonment in March 2010 (Glenny, 2011; Davies, 2010).
11. DNSChanger
Six Estonian men, posing as the legitimate company Rove Digital, were arrested in
November 2011 for creating and operating the DNSChanger malware, which allowed
them to control Domain Name System (DNS) servers. DNS is an Internet service that
converts domain names into numerical data that computers understand. Without DNS
and DNS servers, Internet browsing, access to websites, and emails would be impossible.
The group was running an Internet fraud operation that enabled them to manipulate
Internet advertising. The malware was propagated using social engineering techniques; in
one instance, the malware was offered as a video codec that was supposedly required to
watch adult movies. At its peak, an estimated four million computers worldwide were
infected with the malware. DNSChanger worked by substituting advertising on websites
with advertising sold by Rove Digital and by redirecting users of infected computers to
International Journal of Cyber Criminology
Vol 8 Issue 1 January - June 2014
rogue servers controlled by affiliates of the group. When users clicked on the links to a
licit official website, they were in fact taken to a fake website that resembled the legitimate
website but promoted counterfeit, and sometimes dangerous, products. The group
allegedly netted $14 million in stolen advertising views. Operation Ghost Click, a five-year collaboration between the FBI and private corporations, began after Trend Micro
researchers identified the gang’s botnet. The six offenders were aged between 26 and 31
years. It is likely they will all be extradited to the US for trial. A seventh member of the
group, a 31-year-old Russian man, has not yet been arrested (US Federal Bureau of
Investigation, 2011; Krebs on Security, 2011). The primary motive of participants was
clearly financial.
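A defender-side check for the resolver hijack described above, added here as an illustration and not taken from the paper, the investigation or any published tool. It assumes resolv.conf-style configuration text, and the approved and rogue address ranges in it are constructed placeholders, not the real DNSChanger networks.

```python
# Added example (not from the paper): audit a host's configured DNS resolvers,
# the setting DNSChanger silently altered, against an approved set and a
# blocklist of known-rogue ranges. All addresses below are constructed placeholders.
import ipaddress
import re

# PLACEHOLDER ranges standing in for a published list of rogue resolver networks.
ROGUE_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]
# Resolvers the organisation expects its hosts to use (constructed example values).
APPROVED_RESOLVERS = {ipaddress.ip_address("192.0.2.53"), ipaddress.ip_address("192.0.2.54")}

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)")


def parse_nameservers(resolv_conf: str) -> list:
    """Return the nameserver addresses listed in resolv.conf-style text, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        m = NAMESERVER_RE.match(line)
        if not m:
            continue
        try:
            servers.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # skip malformed entries rather than abort the whole check
    return servers


def classify_resolver(addr) -> str:
    """Label one resolver: 'rogue' (in a known-bad range), 'approved', or 'unexpected'."""
    if any(addr in net for net in ROGUE_RANGES):
        return "rogue"
    if addr in APPROVED_RESOLVERS:
        return "approved"
    return "unexpected"


def audit_resolv_conf(resolv_conf: str) -> dict:
    """Map each configured resolver (as a string) to its classification."""
    return {str(a): classify_resolver(a) for a in parse_nameservers(resolv_conf)}


# Constructed sample: the first resolver has been swapped for one in a rogue range.
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
search corp.example
nameserver 203.0.113.7
nameserver 192.0.2.53
nameserver not-an-address
"""

if __name__ == "__main__":
    for server, verdict in audit_resolv_conf(SAMPLE_RESOLV_CONF).items():
        print(f"{server}: {verdict}")
```

Any "rogue" or "unexpected" verdict is the signal an infected host would have produced; a fleet-wide run of the same check over collected resolver settings is how the affected machines in this case could have been enumerated.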
12. Carberp
Carberp is malicious software designed to steal banking information. When it first
appeared in 2009, Carberp was used exclusively by a small, closed group operating only in
Russian-speaking countries. In 2011 the malware’s creators started selling it to a few
customers in the former Soviet Union. In March 2...