In The World of Cybercrime, It’s Business Attire, Not Hoodies

Ostra’s Cybersecurity 101 Series is a deeper dive for the non-technical reader who wants to better understand cybersecurity mechanics. This 5-part series covers how the cyber-crime world operates, the evolution of threat generations, why traditional defense models fall short, what a modern attack scenario looks like, and the hallmarks of an effective security platform.

The Cyber-crime World

A Google search of cybercrime results in images of hooded faceless attackers with spying eyes behind bytes of stolen data. The reality is a little less mysterious, but a lot more frightening. The incredible variety of hidden services and significant information exchange happening out of sight of the mainstream web allow cybercriminals to organize and collaborate, bringing businesses of all sizes, governments, healthcare and education targets to their collective knees. In Part 1 of Ostra’s 5-part Cybersecurity 101 we explore how the world of cyber-crime works like any business, except that their revenue streams come from stolen data and extortion.

The Dark Web

Understanding how the cyber-crime world works begins with the dark web. This is a part of the internet that is not included in search engine indexes. The dark web started in 2000, driven in part by advancements in technology and software (MP3 and Napster), that allowed large amounts of multi-media data to be shared online. The early dark web provided a way for illegal pornographic material and pirated content to pass around uncensored.

The dark web became much more powerful with another piece of technology called TOR (The Onion Router). This technology was created by the US military as a way to help spies exchange information anonymously. TOR directs Internet traffic through an overlay network consisting of thousands of relays to conceal a user’s location and usage from network surveillance or traffic analysis. Anonymity would be impossible if only the military used TOR, so in 2003 it was released to the public for everyone to use.

While some legitimate activities occur in the dark web, its anonymity makes it a hotbed of criminal activity. A 2019 study, Into the Web of Profit, shows that 60% of dark web listings are potentially harmful. Stolen credit card numbers, drugs, guns, counterfeit money, credentials, hacked accounts, and software to commit cybercrime are all available for purchase on the dark web. With the advent of cryptocurrency late in the 2000’s, the dark web became a viable place of business for hackers and cybercriminals to collaborate, organize and profit.

Cybercriminals Organize

Experts estimate that in the mid-2000’s approximately 80% of cybercriminals were free-lancers and 20% were a part of a cybercriminal organization. But today, the opposite is true. It is estimated that 80% of cybercriminals are now part of an cybercrime underground organization. These well coordinated groups can combine many different skill sets to accomplish big goals and bigger returns. 

For cybercriminals to make money, they need to distribute their malware as widely as possible, maintain a command-and-control infrastructure, and cash out by converting stolen data to hard cash.

 Each of these requires a separate skill set, creating an opportunity for threat actors to provide specialized services to the underground.

At the base of the organized cybercrime world are the general members of the cybercriminal underground. They are cybercriminals with little technical knowledge, and are buyers in the cybercrime organization because they purchase tools on the dark web. They purchase malware and rent botnet to spam out emails to distribute it.

These criminals monetize their efforts by stealing data to be sold on the dark net; or encrypting data to be sold back to the victim via ransom. Common cybercriminals may also engage in other scams such as denial-of-service attacks that threaten to take down a website, or threaten to exploit a flaw and break a website unless paid a fee. A more recent trend for the common cybercriminal is to embed software on a hacked computer to surreptitiously mine for cryptocurrency, which is then deposited into the hacker’s account. These crimes of opportunity create significant damage and cost to the victim.

At the center of the organized cybercrime world are the contractors, intermediaries, brokers and vendors. These criminals are real world equivalent of business and infrastructure owners and operators. They sell products and services to the general members of the cybercrime underworld. Some examples are: spammers for malware distribution; botnet owners for computer processing power; hosted system providers for operating platforms; cashiers for payment distribution; and money mule services to launder stolen money or merchandise. They draw from the general members and witting mules of the cybercriminal underworld as their workforce to carry out low-skill criminal tasks.

Sophisticated and highly skilled subject matter experts are part of the top tier in the cyber-crime underground specialization hierarchy. These are the elite technical exploit researchers and developers who find vulnerabilities; and malware writers and programmers who develop code. They are also the criminals with skills to target specific systems, companies or victims. At the top of the cybercriminal underworld hierarchy are cyber-crime family leaders, who are the decision makers in organized cybercrime.

Cybercrime: A Growing Industry

The cybercriminal underground market is highly organized with different levels of participation making it an efficient criminal operation. Netscout summarized this commercialized trend at the end of 2018 as “a robust marketplace driven by well-stocked innovation pipelines from rapidly growing organizations. If this sounds like a business story, that’s because it is. The cybercriminal underground operates much like a legitimate business on the right side of the law, with the huge proviso that cybercrime organizations cause billions of dollars in damage and negatively impact major enterprises and governments.”

Europol’s 2019 Internet Organized Crime Threat Assessment highlights the “persistence and tenacity of a number of key threats”, noting that “criminals only innovate when existing modi operandi have become unsuccessful”. In other words, organized cybercriminal groups are going to keep doing what they are doing, because it is working.

Organized cybercrime groups are capable of mounting attacks on banks, law firms, and both large and small businesses. These attacks are increasingly long-term, targeted attacks instead of indiscriminate “smash and grab” campaigns. It’s worth noting that even a small business or an individual could end up a target, especially those who are part of a supply chain to larger organizations.

Ostra’s 5-part Cybersecurity 101 series is designed for the non-technical reader who wants to better understand cybersecurity mechanics. Part 2 of the series showcases the Evolution of Cyberthreats and the technology used to combat each generation of cyberattacks.


Ablon, L., Martin, L. C., & Golay, A. A., Markets for Cybercrime Tools and Stolen Data. Produced by the Acquisition and Technology Policy Center of the RAND National Security Research Division, with funding from Juniper Networks (2014).

Argonne National Laboratory. (2016). DarkNet Terminology: Definitions of the DarkNet, the Dark Web, and the Deep Web. Retrieved from

Butler, Sydney (2018, December) Dark Web History: Where Did It Come From [Blog Post]. Retrieved from

Europol. (2019). Internet Organized Crime Threat Assessment (IOCTA) 2019. Retrieved from

Guccione, Darren (2019, July 4) What is the dark web? How to access it and what you’ll find [Blog Post]. Retrieved from

Netscout. (2018). Netscout Threat Intelligence Report. Retrieved from

Ranger, Steve (2018, December) Cybercrime and cyberwar: A spotter’s guide to the groups that are out to get you [Blog Post]. Retrieved from

Schedule a Free Consultation

Ostra Enterprise Grade Security

Ostra was founded on the principle of bringing top-of-the-line cyber security tools to small businesses who do not have large IT budgets or an entire division of cyber security experts.  Our founders bring years of experience protecting large organizations to provide digital security to small businesses.

Ostra, LLC

18300 Minnetonka Blvd
Suite 208
Deephaven, MN 55391

 © 2020 Ostra, LLC

Get Started Now