Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

Organized: The Kingpins of Cybercrime

Purple playing cards with men's faces silhouette with white hats, hair, eyebrows and mustaches. On black background.


As our reliance on interconnectivity, automation, analytics, cloud storage, social media, and e-commerce (to name a few) continues to increase at an astronomical rate, cyber criminals have adapted every step of the way to capitalize on this phenomenon. Long gone are the days where your only cybersecurity concern was a stolen password or two. Cybercriminals can selectively target their victims for profit and disrupt the modern world as we know it.

Such a profitable endeavor doesn’t exist in a vacuum. Cybercriminal enterprises have transformed to support bigger operations. They have personnel staff, marketing campaigns, talent recruitment, and they run their organizations to be scalable, profitable, and competitive.

In this blog, we will explore the metamorphosis that cybercrime groups have undergone and why potential victims should pay attention.

The Makeup of A Modern Cybercriminal

Cybercriminals have always had a certain mystique about them; however, as criminal enterprises endure, more details are emerging about the people behind the attacks. A 2019 study examined data from the U.S. Department of Justice press releases from 2009-2017 to shed light on commonalities amongst a sample size of 225 cybercriminals. A whopping 68% of defendants were found to be working in groups, contrary to the popular belief that cybercriminals are lone-wolfs. In cyber space, international organized crime networks are easy to join and offer criminals a wide array of ‘career’ options. The sample was overwhelmingly male (at 94%) and young (with an average age of 35).

In another look at the people behind the computers, a study focused on data from 18 separate cybercriminal investigations in the Netherlands. Researchers concluded that participants within these criminal networks operated at different levels of sophistication and most networks showed organizational maturity based on division of labor and extended operational pace. Most of the sample was categorized as “teams” or “formal organizations” with no lone-wolves present. 

Behind Closed Doors

Despite international law enforcement cooperation, arrests, and indictments, the cybercrime ecosystem has matured into one that emulates modern, legitimate businesses — except with stolen data or extortion as revenue streams. Demand for cybercrime work is high. Experts estimate that 90% of posts on popular dark web forums are from buyers looking to contract someone for hacking services – so, it is no surprise that the supply chain has exploded.

The Org Chart

Just like mainstream corporations or businesses, many cybercriminal groups have personnel organization charts with leaders who act like CEOs, finance departments, human resources, marketing, R&D, and project managers. Due to the complexity of the operations, the need for scalability and specialized skill sets, groups outsource and hire people to focus on specific aspects of their crime business. A group of ‘project managers’ in a cybercrime group, for example, each specialize in or oversee a part of the supply chain – malware development and engineering, phishing email deployments, or conducting lateral movement to find the most lucrative information for extortion or sale on the dark web. Some groups might also employ a clean-up crew to hide or destroy the exploitation evidence.

Hackers, believe it or not, deal with talent shortages just like the regular world and use job boards, postings, and interviews to add to their enterprises. Reputation and references go a long way to getting in a hacker's good graces.

In possibly the most interesting twist of cybercriminal business development, some groups have stood up customer service departments that facilitates communication with the victims. This dates back to 2015 and is becoming mainstream with ransomware groups. Customer service helps trouble shoot technical problems with things like decrypters so that the victims receive access to their data again and the attackers get paid. “You’ve been hacked, and we are attempting to steal large sums of money from you, but we’ll make sure that it is a smooth process.”

Competitive Market

Cybercriminals compete against each other for services, customers, and a share of the market. Banking trojan malware and money laundering specialists have lost business due to less demand and more ransomware supply – it is faster, easier money to be made. There are many types of ransomware families on the market to choose from, so it behooves ransomware-as-a-service (RaaS) operators to provide a decent ROI – ease of use for buyers that will enable expedient attacks and payment from victims.

Buy Into the Franchise

Subscription services and affiliates programs are commonplace with ransomware groups. Some groups offer their ransomware and associated services for a price – think of it like buying into a franchise. You don’t necessarily work directly for the corporation, but you have paid for the branding and the right to sell the products. This also enables much less capable criminals to be on the playing field because they don’t have to be the innovators – they pay someone for that and simply buy the product, which in this case is ransomware. 

A Modernized Cybercrime Ecosystem

The cybercrime ecosystem, not unlike any other enterprise, has modernized alongside its victims’ increased reliance on technology. It has proven and predictable business models that enable cybercriminals to scale and attract partners. Gaining partners lets criminals expand their enterprises – more people to carry out their business by simply sharing a portion of the data they obtain through hacking or the profit from selling stolen data. Adding to the pace of global cybercrime, ‘as-a-service' exploits give the most low-skilled, aspiring criminal a shot at launching impactful attacks and stacking up their bitcoins. The bottom line is that cybercriminals have modernized and commoditized in many of the same ways that the businesses and organizations they steal from have done, which puts attack surfaces at greater risk.

There are signs that traditional organized crime is also venturing into digital crime for financial gains:

  • Recent announcements from international law enforcement agencies indicate that traditional organized crime syndicates have hired freelance European hackers to exploit bank accounts. An elaborate operation was uncovered in which hackers were hired to gain access to victims’ bank accounts via SIM swapping, spear phishing emails, and phony customer support phone calls that tricked victims into installing malicious applications.
  • European law enforcement found hundreds of individuals connected to established crime groups who laundered 10 million euros through a flurry of hacking operations and violent coercion last year across Italy, Spain, Germany, Lithuania, Ireland, and the U.K.

Final Thoughts

The best defense is a great offense. Today, we all have to think like attackers and understand how they operate to level the playing field. We can’t win if we don’t know what we are up against and what to protect.

Red Teaming can assist enterprises in understanding how highly organized cybercriminals breach attack surface perimeters and find crown jewels. Continuous attack surface management can also make it much harder for attackers to gain a foothold by continuously mapping your perimeter, illuminating exposures, and accelerating remediation with human-in-the-loop analysis.

Subscribe to Bishop Fox's Security Blog

Be first to learn about latest tools, advisories, and findings.

Beth Robinson BF Headshot

About the author, Beth Robinson

Senior Content Writer

Beth Robinson is a Senior Content Writer at Bishop Fox. She joins Bishop Fox with nearly 20 years of experience focused on technical intelligence issues.

More by Beth

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.