Honour Among Cyberthieves

by Jonathan Lusthaus

Most people would not look to active criminals when seeking out an honourable and trustworthy person to do business with. It is assumed that those who deal in theft, deceit and sometimes violence do not make good partners. Yet for the criminals themselves, they have little choice. They must build working relationships with other criminals to carry out their enterprises and to trade in illegal goods and services. Along with a good reputation, one of the most useful tools conventional criminals have for building trust with other criminals is the option of physical enforcement. If a partner steps out of line, they get “paid a visit”.

But cybercriminals do not have things as easy. How do cybercriminals build trust online when they often don’t even know who they are dealing with? How do they trade goods and services when their partners could potentially scam them without fear of violent retribution? These are the complex questions facing cybercriminals online, in an environment where anonymity is as much a cost as it is a benefit.

In a previous post, I discussed how cybercriminals require ways of “spotting the fed” in the online meeting places where illicit business is done. I argued that, without knowing it, cybercriminals try to unmask undercover agents by looking for what sociologists and others call “discriminatory signals”, statements and actions that are very costly to fake. And I noted the well-known example of a discriminatory signal of the suspected poisoner proving his innocence by drinking the “poison”. A real poisoner would be unlikely to take the drink, knowing death would follow.

In practice, cybercriminals use similar signaling mechanisms for trying to differentiate a trustworthy partner from a possible “ripper”. First, they might just ask for a display of trustworthiness. This could be some sort of smaller exchange that, if performed well, could lead to a larger deal. In the case of money mules, who help transfer ill-gotten gains around the world, this would be the movement of a small sum of money at first, but followed by incremental increases in the amount the mule is trusted with as they demonstrate they are worthy over time. Of course, sometimes there is no honour among thieves, and the mules simply run off with the money. But in a surprising number of cases, they stick around, probably recognizing that they have more to gain in the long run by establishing trust with a regular customer (or building a reputation in a community), than cheating them in a specific instance.

Yet building trust through such practices is still inherently risky, particularly in the early exchanges. As a result, cybercriminals often use other tools to reinforce cooperation as well. They are quite fond of referrals, regularly vouching for each other, whether for general purposes or for joining specific groups/forums or criminal enterprises. They may also “dox” each other, drawing up another user’s online footprint, and decide for themselves whether the trail of interactions suggests a trustworthy partner or not. But it is also a world full of ego and demonstrations of prowess can often be important for showing trustworthiness in terms of ability, as much as ethics. One way of demonstrating prowess, particularly with regard to other less experienced/competent users, is to post some form of tutorial on the appropriate part of a forum.

The cybercriminal trading forums themselves formalise some of these mechanisms used by cybercriminals to buttress trust. Certain forums have ranks of members based on their trustworthiness (such as the imaginatively titled “Trusted Member”). Promotion to these ranks is usually down to a good track record and being vouched for by other forum members. Forums also often maintain a “name and shame” section where scammers can be outed. These systems put reputations out into the open, thereby reducing the need for potential collaborators to carry out various investigations themselves or require references.

Cybercriminal trust mechanisms are surprisingly effective at weeding out scammers and posers. They make good tests of trustworthiness because they often have a public component and/or are verifiable: referrals can be easily checked with the referee; it is very difficult to mimic a communication trail left on the web; displays of prowess are publicly posted and therefore open to critique and ridicule; good and bad reputations are widely advertised on forums. While “ripping” certainly occurs quite regularly, there appears to be some degree of honour even among cyberthieves. In fact, one former spammer who now works as a security professional told me that he was never scammed during his spamming career: “I’ve been ripped off more times by corporates and commercials, companies I am working for legitimately with a f***ing contract, than I have by people that you would consider to be scum of the earth”.

Read more about honour among cyberthieves in “Trust in the World of Cybercrime”.