Industry of Anonymity

There sometimes appears to be about as many definitions for the concept of “organised crime” as there are organised crime groups in the world. Almost every country has their own approach, often reflecting the specific challenges facing their law enforcement agencies. This means that those investigating whether there is such as thing as “organised cybercrime” face a very difficult task. Not only is there very limited hard information on the organisation of cybercriminal groups, but there is no singularly accepted definition of organised crime to apply to them.

At minimum, most definitions of an organised crime group include some basic features: 1) more than one person involved; 2) some semblance of structure; 3) a level of continuous operation beyond a one shot deal or job; 4) an element of profit motivation. When talking about online cybercriminal groups, it is possible that some would meet such broad definitions. In my research, one of the most regular types of cybercriminal “organisation” that pops up is something akin to a “crew”. Just like crews that physically knock over banks with shotguns, some cybercriminals appear to operate in similar small online groups. They have a loose hierarchy, sometimes with a leader of sorts, operate together for up years at a time with certain constant members, and have a clear financially motivated goal. These groups can be involved in anything from fraud, hacking, identity theft, malware, extortion of companies, spamming or a whole range of other activities.

But such definitions of organised crime are so broad that they lump together very diverse groups. A crew of three teenage thieves may be more “organised” than a lone wolf operator, but such a crew is also quite distinct from other “organised” groups like drug cartels and mafias. This is why some attempting to define organised crime also include a notion of violence and coercion as part of the business. Others go further, such as the economist Thomas Schelling who argues that organised crime is not simply “crime that is organized”. In explaining his approach, Schelling has provided the famous account of why organised burglars do not fall into the category of organised crime:

…burglars are never reported to be fighting each other in gangs for exclusive control over their hunting grounds. Burglars are busy about their burglary, not staking claims and fighting off other burglars. It is when a gang of burglars begins to police their territory against the invasion of other gangs of burglars, and makes interloping burglars join up and share their loot or get out of town, and collectively negotiates with the police not only for their own security but to enlist the police in the war against rival burglar gangs or nonjoining mavericks, that we should, I believe, begin to identify the burglary gang as organized crime.

What this approach appears to be getting at is that organised crime is a form of governance within the criminal world. In this conception, organised crime groups attempt to regulate and control some form of illegal industry. As I noted in my previous post on trading forums as mafias, even criminals need some form of rules and order, or else things fall apart…

So can online cybercrime groups be classified as fully fledged organised crime groups under this more rigid approach? Despite suggestions of such organised crime on the web, there are a number of obstacles to applying this classification. First, violence is at the heart of traditional organised crime groups’ regulation and control of various markets, but in the context of the Internet, there appears to be no directly analogous and effective tool for enforcing order. Second, issues of territory, and control over that territory, are also central to conceptions of traditional organised crime, but something akin to physical territory is difficult to find online and anything similar (hosting, domain names, private online spaces) practically operates in quite different ways. Third, online groupings larger than small crews tend to very fragile, being both difficult to form and to hold together in the dynamic environment of the Internet. Finally, perhaps for similar reasons, providing criminal governance for aspects of seemingly infinite cyberspace appears an extremely challenging task for such groups to undertake.

While some hints of “organised cybercrime” might present themselves online, we don’t know enough to paint a clear picture. There is still a lot of speculation on what cybercriminal groups actually look like and not that much real data on them.  Continuing definitional debates over what constitutes organised crime don’t help the task much either. While broad definitions of organised crime are probably met by known cybercrime groupings, the more rigid definitions applying to traditional organised crime groups appear a bridge too far. But in the end, given the novel landscape of cyberspace, we should not necessarily expect exact replicas of traditional criminal organisation online. Crime remains crime, but we have reached a new frontier.

Read more about “Organised Cybercrime” in “How Organised is Organised Cybercrime?”

There is a lot of discussion online comparing cybercriminal trading forums (where stolen credit/debit card details can be traded among other illicit goods and services) to mafias. This is not just the cause of lone bloggers, but has also been taken up by various law enforcement spokesmen and major technology company analysts. This is not to mention certain forums themselves helping to promote this view, like the early site Carder Planet which used mafia titles (like Capo) to describe the various ranks on their boards.

But most of these comparisons seem to involve loose, almost pop-culture, understandings of what a mafia actually is. There is a whole body of academic theory investigating precisely what mafias are and how they function. Yes, that’s mafias not just the mafia. The idea of the mafia might have grown out of the Sicilian mafia and then the Italian-American mafia, but in reality a mafia is any organised crime group that attempts to control the supply of protection. That’s why you can have the Russian mafia made up of Russians not Italians, or that the Yakuza in Japan or the Triads in Hong Kong can be classified as mafias.

Maybe the best definition of a mafia is provided by Henry Hill, the lead (real-life) mobster in Scorcese’s Goodfellas, when he described the role of his local Lucchese family captain Paulie:

The guys who worked for Paulie had to make their own dollar. All they got from Paulie was protection from other guys looking to rip them off. That’s what it’s all about. That’s what the FBI can never understand – that what Paulie and the organization offer is protection for the kinds of guys who can’t go to the cops. They’re like the police department for wiseguys.

Essentially, mafias provide a form of governance for the criminal world that is beyond the control of the state. Even criminals need order and rules…

So with this understanding of what a mafia is, can cybercriminal forums really be classified as mafias? Well, there is some evidence to make a case. For one, forums do have a hierarchical pyramidal structure (from administrators to moderators and then various ranks of members), just like mafias do. But then so do various other organizations, like armies and corporations. So simplistic analogies on this point should be considered far from enough to make the case.

What should be more interesting to us is that forum administrators and moderators seem to seek a level of governance over aspects of the cybercriminal world. The purpose of trading forums is not simply to provide a place for cybercriminals to meet and trade, but one where they can do so relatively safely. This is why administrators restrict access to forums to those who have been vetted by other members or passed certain tests. They also maintain ranks based on proving trustworthiness over time.

But even more importantly, site officers directly police scamming or “ripping”. They often maintain “name and shame” boards for offenders and exclude them from the forum if they have wronged other users. They have been known to arbitrate disputes and some sites even provide an escrow service, with site officers reducing opportunities for fraud by guaranteeing transactions and taking a cut in the process.

When site administrators and moderators enforce forum rules and monitor user behaviour like this, they begin to look like a mafia providing online protection. Some forum administrators even exude the desire to monopolise the protection business, which is also required for classification as a mafia.  The best example of this is the story of the hacker Iceman (aka Max Butler aka Max Ray Vision), who was the administrator of CardersMarket. As described in Kevin Poulsen’s excellent account Kingpin, though ultimately unsuccessful, Iceman launched a hacking campaign to unify the major cybercriminal forums under his control.

Ultimately, cybercriminal forums are like mafias but they are not mafias. Forums struggle to act as mafias because the task of governing the cybercrime trade is inherently difficult. Monitoring and enforcement on the Internet are virtual rather than physical, as one cannot simply “pay a visit” to a malefactor like a Mafioso would. The most serious and effective form of punishment on a forum is exclusion from the site, which pales in comparison to possible death.

Maybe the fundamental challenge to online trading forums being classified as mafias is that it is difficult to classify these markets as criminal organisations at all. As many of their names indicate (DarkMarket, Ghostmarket and CardersMarket), they should be viewed as marketplaces rather than anything else. A mafia is not a marketplace. A mafia may attempt to govern various marketplaces, but its existence is distinct from the individual enterprises it is involved with. The Sicilian mafia has controlled the Palermo fish market for some time, but the fish market is not itself a mafia. The Sicilian mafia is the mafia.

The real problem facing the conception of online forums as mafias is that their structure and organisation are tied to the architecture of each site rather than to any autonomous group behind them. The major markets generally operate for only a few years. They usually crumble when law enforcement scrutiny of the sites increases and their key leaders are arrested. This is in contrast to mafia groups, which might be damaged by such scrutiny or arrests, but can often limp on or rebuild. A mafia is an institution that is sustainable and independent from its individual enterprises and key leadership.

So should we support the view that cybercriminal trading forums are mafias? Probably not.

Read more about trading forums as mafias in “How Organised is Organised Cybercrime?”