There are many questions that fascinate security researchers. One near the top of the list is ‘how do cyber-criminals become criminals’? Similarly, ‘once we cut through the bravado and mistruths, how much do they earn from their activities’? Obtaining these answers is not idle curiosity; it is key to understanding why cyber-criminals behave as they do and helps us shape our defense strategies against them.
As you can imagine, most cyber-criminals are reluctant to allow many details of their personal lives to shine through, lest law enforcement or rivals take too much of an interest. Yet there are nuggets of intelligence that can help form a picture of common routes to the underground.
I’m just here for ‘research’ purposes
One common pathway is individuals joining cyber-criminal forums for ‘research purposes’. Once there, many find a welcoming environment as some forums have taken to encouraging rookies. For instance, CryptBB, an English‐language cyber-criminal forum known to previously only accept new members following a rigorous application and interview process recently introduced a ‘newbie’ section and now promotes itself as a place for novice threat actors.
In September 2020, the administrator of the Russian-language cyber-criminal forum XSS launched a new ‘e‐learning’ section, with an announcement stating that ‘the main concept of the existence of our forum is [to be] an old‐school technical and thematic place, friendly to newbies.’ With such support available, you can see how newcomers to the scene could quickly develop their technical and cybercrime skills.
There is some evidence that this approach works: In June 2020, a thread on XSS asked how forum members had found the site and begun their cybercrime journey. One user in this thread predicted that five percent of cyber-criminal forum users were members of such platforms for research purposes.
Competitions are another way in
Competitions are another route in to entice wannabe criminals. One recent competition on XSS was sponsored by the Sodinokibi/REvil ransomware group, partly with the aim of finding skilled new recruits to join their team. A technically-minded forum user, seeing these competitions as an opportunity to showcase their expertise, could easily be dragged into cybercrime if they impressed, and were then courted by, a ransomware group like this one.
Is ‘crime as a service’ a factor?
The increasing prevalence of ‘as‐a‐service’ offerings and detailed tutorials on cyber-criminal platforms may also ease curious individuals’ paths into cybercrime. These offerings mean even those without programming skills can quickly become prolific cyber-criminals.
These services can, initially, be more expensive than developing a project yourself and writing the code. Still, many probably see it as worth the initial outlay if the promise of significant profits is fulfilled over the longer term.
Not forgetting the ‘insider’ threat
Another interesting aspect of the cyber-criminal development story is the potential intersection between real‐life employment and online activities. Having spent time on these sites, sometimes curious forum users realize they can use their privileged position in their real‐world employment to make a splash in the cyber-criminal scene.
We found examples of individuals working in telecommunications companies offering to conduct SIM‐swapping operations, leak customer information databases, or conduct targeted research on individuals. Such an approach is incredibly high stakes: It risks jeopardizing users’ real‐life employment and is more likely to attract law enforcement attention.
How much money does a cyber-criminal make?
In February 2020, a user on the Russian‐language cyber-criminal forum Verified initiated a poll asking forum members how much they earned from cybercrime in the past two years. The most common answer was ‘less than $12,000’, although ‘more than $21,500’ took second place. Even a profit of $12,000 would appeal to many curious newbies, especially those in countries where the average wage is much lower than this.
In fact, low wages compared with potential cybercrime earnings is often cited as a reason for the high proportion of cyber-criminals originating from former Soviet Union nations.
On the other end of the scale, the well‐known extortionist ‘TheDarkOverlord’ ran several recruitment campaigns at the height of their activity. It is unclear if these recruitment campaigns were legitimate, but one such post on the now‐defunct English‐language cyber-criminal forum KickAss offered an ultimate salary of $70,000 per month for several technical roles on their team.
What can we learn from this?
The ecosystem underpinning cybercrime is clearly thriving; there is no shortage of new recruits attracted by relatively high salaries and—depending on where you live—limited chance of getting caught.
This research shows that many cyber-criminals are relatively unskilled, and large organizations still fall victim to relatively unsophisticated tactics. While it is impossible to defend against every attack, basic cyber hygiene could curb the enthusiasm of some novice attackers and prevent them moving up the ladder to more sophisticated attacks.