Industry of Anonymity

Inside the world of profit-driven cybercrime

Category: Evolution of Cybercrime

All’s Fair in Love and War?

As someone who studies trust among cybercriminals, I often field queries from the curious about what factors disrupt cooperation among online criminals. Until a recent visit to Eastern Europe, one element I hadn’t considered was the significant role that political animosity might play in damaging relationships. My visit to the region made clear that the war in eastern Ukraine is leading to a number of unexpected consequences in the cybercrime sphere, sowing the seeds of distrust among certain players in the Russian-speaking “scene”.

This was an issue raised by a number of local researchers I met with, who go “undercover” and monitor the key Russian-speaking marketplaces. In the past, most Eastern European actors rarely expressed their political views. But recent events have seen a shift. With the conflict simmering on the ground, a number of “flame wars” have developed online, between those broadly in support of Russia and those against it. This has damaged cooperation and led to the breakdown of some long-term and trusting partnerships. Some forums have even had to bring in and enforce rules against political discussion. Max Goncharov’s new report on the Russian underground suggests similar developments as a result of the Ukrainian conflict: fights between forum members with some even being banned or retreating into exile.

In order to understand the significance of these developments, it is important to note that the Russian underground is not actually Russian. It is merely Russian-speaking. While Russian nationals play a key role, and some may have a sense of centrality or superiority, cybercriminals from countries like Ukraine, Belarus and the Baltic States have played an important role in the business since the early days. Russian provided a common tongue and operating in a Russian-speaking online community opened up a much larger market for cybercriminals in the region. In self-preservation terms, the use of Russian also helped shield each participant’s nationality from local authorities or other criminals taking an interest in them.

A fundamental norm also quickly developed: don’t seek targets in the former Soviet Bloc. Part of this norm can be explained ideologically, stemming from Soviet-era propaganda, in that wealthy “bourgeois” foreigners made more deserving targets than economically struggling “comrades” in Eastern Europe. There is also a practical explanation of not wanting to draw the wrath of local law enforcement and security agencies, especially when well insulated against foreign investigations. As Police Dog, one of the well-known CarderPlanet-era cybercriminals, wrote: “If we didn’t make a mess on our own doorstep then our local cops and intelligence services didn’t have a problem with us”.

While these explanations have their place, there is almost certainly an economic component involved here as well. In the 1990s and early 2000s, some low-level scams seem to have targeted locals due to the ease of monetisation, avoiding the complications of moving money across borders. But as the West began to rapidly develop the Internet, comparatively wealthy victims and their data became available to those with the right skill sets. It was much more lucrative for Russian-speaking cybercriminals to invest their time and efforts in this new area, especially when Eastern Europeans were less likely to be using credit cards, online banking or purchasing products online and companies in the region were not adopting new technologies to the same degree as those in the West. Locals in former communist countries generally had far less money to steal in the first place, so it seemed only logical to focus attacks overseas.

But change is afoot: there is no longer a dearth of targets in the former Soviet Bloc. The widespread use of the Internet and other new technologies has taken hold in Eastern Europe. New wealth is also emerging. There is money to be made by cybercriminals seeking targets closer to home and there is no doubt that some have been taking advantage of the new opportunities. One Ukrainian researcher suggested that for the last few years Russian-speaking cybercriminals have begun to work “quietly” within their own part of the globe. Of course, there was a loud bang when those behind the Carberp malware began to target online bank accounts in the region, subsequently leading to a number of arrests. This case led to more open talk on forums about Eastern European targets, but many still operate cautiously.

The question now becomes whether recent geopolitical events will lead to the complete dismantling of the norm against carrying out attacks in the former Soviet Bloc. As tensions in the region continue, will the Russian-speaking cybercriminal community become increasingly disjointed and frayed? There is no doubt that politically motivated cyber attacks, whether state directed or not, have increased since the outbreak of war. Local security professionals who have spent much of their careers handling profit-driven cases are now having to shift some of their attention towards cyber espionage, sabotage, activism and terrorism. But some cybercriminals may also harness this opportunity to profit from citizens and institutions in “enemy” countries in the region, using this new political context as cover for their actions, just as the old Soviet propaganda could be used to justify targeting those in the West. Such actions are also likely to bring little heat from national law enforcement when the target is a (newly) unfriendly state’s citizens. Meanwhile, other cybercriminals might care little about politics and simply focus on business, being happy to collaborate with anyone and target any country in the region, as long as there is money to be made.

While norms can seem entrenched, the work of social scientists like Gerry Mackie suggests that if a convention ends, it does so quickly. The inherent nature of a norm is that it is widely agreed upon and applied by interdependent actors. As soon as a tipping point of dissatisfaction is reached, a norm can become unsustainable and almost immediately dissolve. Only time will tell whether the prohibition against targeting former Soviet countries will face this same swift fate.

Where the Money Is

When I interview people from a US law enforcement background, it is clear that the Willie Sutton legend has a special place in their hearts. The story goes that a reporter asked Sutton, an infamous bank robber from the mid-twentieth century, why he robbed banks. Sutton’s reply was to the point: “because that’s where the money is”. Leaving aside the fact that Sutton may never have actually uttered these words, for many the “Sutton principle” has become essential for understanding contemporary cybercrime. The money is now moving online, so it’s only natural that crime would migrate there too.

Cybercrime has come a long way since the early days of hacking, with its focus on intellectual curiosity and recreational pursuits. The first hackers were creative problem solvers and pioneers, experimenting with a new frontier. A strong sense of openness, freedom and information sharing defined their world… and sometimes a degree of mischief. But those “golden years” are largely in the past now. While some hobby hackers still remain and hacktivists continue to operate with great visibility, there is no doubt that cybercrime has become big business. It is difficult to precisely estimate how much business is being done… but it’s a lot!

Cybercrime has “corporatised”, adopting a strong profit-motivation, greater organisation and a sense of professionalism. While there was some money-making to be done in earlier days, much of this turn to profit began to emerge at the end of the 20th century. Online theft of credit card data was one of the first major prizes for economically motivated hackers. With the birth of cybercriminal trading forums like CarderPlanet in 2001, where online criminals could meet, share information and trade stolen credit card data among other illicit goods/services, a real market had emerged.

Cybercriminal forums demonstrate that what began as a world centred on hackers has now evolved into an industry that includes a wide range of people who perform a wide range of functions, some without strong computing skills at all. There are still elite coders but also business-savvy front men; there are bot herders (who control botnets) but also “cashing out” specialists who may have a toe in more traditional forms of crime. Cybercriminals have become increasingly professional and, for many, the old hacking ethos seems to matter little as the call for profit takes over.

So how did this corporatisation of cybercrime take place? One model might be found in the corporatisation of street gangs in the United States. About fifteen years ago the sociologist Sudhir Venkatesh and the economist Steven Levitt famously noted a shift that took place in Chicago gangs: they had moved away from the social activities and minor delinquency that previously defined them, towards a more organised criminal network, with a strong hierarchy, clearly defined roles and a spirit of entrepreneurialism. Some gangs were even keeping books accounting for all their financial activities, just like a regular business. The introduction of crack cocaine onto the market in 1986 appeared to be the key driver behind this shift. Crack was cheap, highly addictive and well suited to distribution by gang networks with widespread street presence and control over local “turf”. So a number of gangs gradually altered their DNA and went where the money was.

There is no doubt that some of “the money” is now on the Internet and cybercriminals are capitalising on this opportunity. This “money” is essentially performing the same role that crack did for street gangs. The massive shift of business operations and financial and other personal data into cyberspace in recent years has created enormous profit-making potential for those who have, or want to develop, the right skills. Some are old school hackers adapting to a new world of opportunity, but others have little connection to that world and have come for the money alone. In either case, they have increasingly developed their organisation and operations for business functions.

But “the money” being on the Internet is not the sole explanation for how cybercrime has corporatised. One other key factor is that the architecture of the Internet needed to evolve to allow greater online congregation and collaboration. For instance, one former hacker I spoke with, who operated in Britain in the 1980s before hacking had been criminalised, had very little collaboration with other hackers. What collaboration he did have with his hacker friends was offline: meeting for meals every few months to discuss their activities and “share passwords”. At this early point there were few alternatives, as the Internet had not been developed in the way that it is now and there were hardly any online meeting places, such as forums and encrypted chat rooms. Even with an increased drive for profit, greater cybercriminal organisation could not have taken place without the online means for doing it.

Finally, an increase in Internet security in recent years paradoxically may have made hobby hacking more difficult and pushed cybercrime further towards the profit-driven professionals. A former American hacker I have interviewed suggested it was becoming increasingly difficult to operate as a pure hobby hacker who didn’t have financial motivations. When this hacker was operating as a high schooler in the 2000s, security was much more lax and it took little experience for successful hacks. But now that the security situation has tightened up considerably, he believed there has been a major decline in the number of hobby hackers around, as it’s simply not worth the trouble any more. Exploits are only useful for a very short period of time, before the security industry is onto them, so “you better make a ton of money off it and move off to something else…”

This is a summary of a paper titled “The Corporatisation of Cybercrime” presented at the ECPR General Conference 2013 in Bordeaux.