Bromium®, Inc., the pioneer and leader in virtualization-based endpoint security that stops advanced malware attacks via application isolation, has announced the findings of an independent study that looked into the interconnected dynamics of cybercrime, and examines how new criminality platforms and a booming cybercrime economy have resulted in $1.5 trillion in illicit profits being acquired, laundered, spent and reinvested by cybercriminals. Complete findings will be presented at the RSA Conference in San Francisco by researcher Dr. Michael McGuire, Senior Lecturer in Criminology at the University of Surrey in England.
This is one of the first studies to view the dynamics of cybercrime through the lens of revenue flow and profit distribution, and not solely on the well-understood mechanisms of cybercrime. The new research exposes a cybercrime-based economy and the professionalization of cybercrime. This economy has become a self-sustaining system – an interconnected Web of Profit that blurs the lines between the legitimate and illegitimate.
The research points to an emergence of platform criminality, mirroring the platform capitalism model currently used by companies like Uber and Amazon, where data is the commodity. The report also raises concerns about new criminality models that these platforms enable, which fund broader criminal activities such as human trafficking; drug production and distribution; and even terrorism.
“The findings of Dr. McGuire’s research provide shocking insight into just how widespread and profitable cybercrime has become,” commented Gregory Webb, CEO of Bromium. “The platform criminality model is productizing malware and making cybercrime as easy as shopping online. Not only is it easy to access cybercriminal tools, services and expertise: it means enterprises and governments alike are going to see more sophisticated, costly and disruptive attacks as The Web of Profit continues to gain momentum. We can’t solve this problem using old thinking or outmoded technology. It’s time for new approaches.”
Revenue Generation in the Hyper-Connected Web of Profit
Conservative estimates in The Web of Profit research show cybercriminal revenues worldwide of at least $1.5 trillion – equal to the GDP of Russia. In fact, if cybercrime was a country it would have the 13th highest GDP in the world. This $1.5 trillion figure includes:
- $860 billion – Illicit/illegal online markets
- $500 billion – Theft of trade secrets/IP
- $160 billion – Data trading
- $1.6 billion – Crimeware-as-a-Service
- $1 billion – Ransomware
The report finds evidence that cybercrime revenues often exceed those of legitimate companies – especially at the small to medium enterprise size. In fact, revenue generation in the cybercrime economy takes place at a variety of levels – from large ‘multi-national’ operations that can make profits of over $1 billion; to smaller SME style operation where profits of $30,000-$50,000 are the norm. However, the report asserts that comparing cybercrime to a business is misleading. Cybercrime is more accurately described as an economy: “a hyper-connected range of economic agents, economic relationships and other factors now capable of generating, supporting, and maintaining criminal revenues at an unprecedented scale,” says Dr. Michael McGuire.
The report suggests that there is now a growing interconnectedness and interdependence between both the illegitimate and legitimate economies. This inter-dependence is creating what Dr. McGuire terms ‘The Web of Profit’. Dr. McGuire argues that “companies and nation states now make money from The Web of Profit. They also acquire data and competitive advantages from it, and use it as a tool for strategy, global advancement and social control. There is a range of ways in which many leading and respectable online platforms are now implicated in enabling or supporting crime (albeit unwittingly, in most cases).”
Platform Criminality in a Post-Crime Era
Platform capitalism – a term used to describe the likes of Uber, Facebook and Amazon – is offering fertile ground for hackers to further their gains. Whether by hacking companies to acquire user data; intellectual property; disseminating malware; selling illegal goods and services; setting up fake shop fronts to launder money; or simply connecting buyers and sellers, it is evident that cybercriminals are adept at manipulating existing platforms for commercial gain. Yet beyond platforms being the targets and unwitting enablers of cybercrime, the report suggests they have provided inspiration – as a model of platform criminality emerges.
According to Dr. McGuire, “this is creating a kind of ‘monstrous double’ of the legitimate information economy – where data is king. The Web of Profit is not just feeding off the way wealth is generated there, it is reproducing and, in some cases, outperforming it.” The report points to the success of modern ‘platforms’ – companies like Facebook, Google and Amazon – highlighting their role as facilitators rather than creators. “The main contribution of platforms is to connect individuals with a service or product. The platforms produce nothing themselves in this process, but the end-user consumers provide platforms with the most precious of all commodities within an information-based economy – their data. We are now seeing the same thing in the cybercriminal underworld,” states Dr. McGuire.
The report shows that cybercriminal platform owners are likely to receive the biggest benefit from this new wave of cybercrime, and that the owners will distance themselves from the actual commission of crime. In fact, it has been estimated individual hackers may only earn around $30,000 per year. Managers can earn up to $2 million per job – often with just 50 stolen card details at their disposal. Dr. McGuire refers to this as a shift to ‘post-crime’ reality, where cybercriminals are taking a ‘platform capitalism’ approach to selling, rather than committing crime.
In fact, McGuire found criminal sites offering ratings, descriptions, reviews, services, and even technical and customer support. These platforms are improving the criminal ‘customer experience’ and allowing easy access to services and products that support the commission of crime on a global scale. Some examples of services and products include:
- Zero-day Adobe exploits, up to $30,000
- Zero-day iOS exploit, $250,000
- Malware exploit kit, $200-$600 per exploit
- Blackhole exploit kit, $700 for a month’s leasing, or $1,500 for a year
- Custom spyware, $200
- SMS spoofing service, $20 per month
- Hacker for hire, around $200 for a “small” hack
These platforms fuel industrial scale revenue generation, with their own sets of digital currencies and exchanges, production zones, tools supply, technical support, global distribution mechanism and marketplaces. They deal with specialized producers, suppliers, service providers and consumers. Interestingly, advertising is a core revenue generator too: before being taken down in 2016, the ‘Kickass Torrents’ platform was worth over $54 million, with estimated $12.5-$22.3 million annually in ad revenue alone.
Reinvestment and Furthering of Crime
As in the legitimate economy, criminal enterprises are going through digital transformation and diversifying into new areas of crime. Cybercriminals were found to be reinvesting 20% of their revenues into further crime, which suggests up to $300 billion1 is being used to fund future cybercrime and other serious types of crime – including drug manufacturing, human trafficking or terrorism.
For example, the takedown of Alphabay – one of the largest dark web online markets – revealed that in addition to more than 250,000 listings for illegal drugs, there were also listings for toxic chemicals, firearms, counterfeit goods, malware, and over 100,000 listings for stolen and fraudulent identification documents and access devices. This demonstrates that platform criminality can easily adapt to include other areas of crime.
The report identifies the development of cybercrime growth cycles, where money generated from cybercrime is being reinvested into further crime. Many of the larger cybercrime operations which have been detected typically reinvest revenues into expanding and developing the operation – for instance buying more crimeware, maintaining a website, paying mules, or other criminal requirements. Reinvestment also includes spending money to support other types of crime.
Dr. McGuire continues: “We can clearly link cybercrime to the spread of new psychoactive substances with over 620 new synthetic drug types on the market since 2005. Many substances of this kind are manufactured in China or India, purchased via online markets, then shipped in bulk to Europe. But there is also evidence that groups who acquire revenues from cybercrime are involved in the active production of drugs. For example, the arrest of a Dutch money laundering gang also led to the discovery of ingredients they possessed to make ecstasy – further highlighting a material link between cybercrime actives and organized crime activities.”
The report also points to the fact that platform criminality is contributing to the issue of human trafficking. McGuire continues, “Pimps frequently use the internet as a tool for gathering revenues from clients and workers, and then recycle this back into the logistics (and costs) of trafficking victims from target locations with economically vulnerable populations.”
Dr. McGuire also found a connection between cybercrime and terrorism. The report highlights one case where cybercrimes were committed specifically to generate revenues for terrorist activities. “One British-born follower of Al Qaeda, who provided technical assistance to the terror group in relation to uploading videos, quickly realized that his technical skills could also be used to commit cybercrimes,” McGuire explains. “He began to acquire stolen credit card numbers through transactions on online forums, such as Cardplanet, gathering over 37,000 separate card data files and generating more than $3.5 million in revenues.”
“This new cybercrime economy has created new digital businesses, making it even easier to conduct cyberattacks,” said Gregory Webb, CEO of Bromium. “The walls between the criminal and legitimate worlds are blurring, and we are no longer simply dealing with ‘hackers in hoodies.’ We have to understand and tackle the underlying economic ecosystem that enables, funds and supports criminal activity on a global scale to stem the tide and better protect ourselves. By better understanding the systems that support cybercrime, the security community can better understand how to disrupt and stop them. New approaches to cybersecurity will be required.”
The Web of Profit report is available to download here (Bromium.com/cybercrime). The findings will also be discussed during the RSA Conference in San Francisco. Dr. McGuire will present the full findings during his speaker slot on April 20th from 09:00-09:45 AM on the Security Mashup track – code MASH-F01.
Into the Web of Profit is a nine-month academic study by Dr. Mike McGuire, Senior Lecturer in Criminology at Surrey University. It draws from first-hand interviews with convicted cybercriminals, data from international law enforcement agencies, financial institutions, and covert observations conducted across the Dark Web.