Trends in Security Information
The HSD Trendmonitor is designed to provide access to relevant content on various subjects in the safety and security domain, to identify relevant developments and to connect knowledge and organisations. The safety and security domain encompasses a vast number of subjects. Four relevant taxonomies (type of threat or opportunity, victim, source of threat and domain of application) have been constructed in order to visualize all of these subjects. The taxonomies and related category descriptions have been carefully composed according to other taxonomies, European and international standards and our own expertise.
In order to identify safety and security related trends, relevant reports and HSD news articles are continuously scanned, analysed and classified by hand according to the four taxonomies. This results in a wide array of observations, which we call ‘Trend Snippets’. Multiple Trend Snippets combined can provide insights into safety and security trends. The size of the circles shows the relative weight of the topic; the filters can be used to further select the most relevant content for you. If you have an addition, question or remark, drop us a line at info@securitydelta.nl.
The cybercriminal ecosystem
A mature cybercriminal economy
The main motivation of cybercriminals is financial gain. This is underlined by the fact that this form of crime cannot be separated from a large underground service economy. Specialisation and diversification play an important role here: almost every step in both committing cybercrime and shielding it is offered as a service. The cybercriminal ecosystem can therefore increasingly be characterised as a mature, global economic sector where supply and demand come together in cybercriminal forums, among others, and where rational economic trade-offs are made between investment, risk and return. This service provision makes cybercrime accessible to a wide range of perpetrators. ICT (and its outsourcing) has a significant amplifying effect here: with minimal effort and resources, a perpetrator can carry out a large number of criminal acts worldwide and thus achieve maximum effect. This form of scalability is what distinguishes cybercrime from other forms of crime.
Cybercrime is also highly transnational. Perpetrators, service providers, victims and used or misused infrastructures can be located all over the world, which poses challenges in terms of detection, prosecution and the fight against it. The Netherlands stands out as a country where an above-average amount of cybercriminal infrastructure is hosted. This is evident from numerous investigations and foreign requests for mutual legal assistance.
Cybercriminal service providers
These service providers offer Cybercrime-as-a-Service (CaaS). They offer their products and services primarily on underground, online platforms such as closed cybercriminal forums, but also on so-called booter and stresser sites or Telegram channels. They are often able to optimise their business processes, automate them and make them very user-friendly, which contributes to the scalability of cybercrime. For example, Webstresser, a DDoS-as-a-Service provider taken down by the Police and the Public Prosecutor's Office, carried out around 4 million DDoS attacks with primarily criminal motives on over 150,000 users worldwide in the space of six months.
Dependent perpetrators
These are the main customers of cybercriminal services. This is a very diverse and large category of perpetrators that can operate both individually and in groups and commit various forms of cybercrime. These perpetrators do not have the advanced technical skills needed to, for example, develop malware themselves. To be able to commit cybercrime and protect themselves from detection by law enforcement agencies, they are therefore largely dependent on products and services from cybercriminal service providers.
Autonomous groups
This category of perpetrator is smaller in size, but responsible for often sophisticated attacks with a high degree of organisation and global impact. These are mostly loose, non-hierarchical partnerships that have been active for a long time and therefore have a lot of capital and expertise and are able to conduct long-term cybercriminal attack campaigns. Such campaigns require a long lead time, in the beginning characterised by a lot of investment and little return. If successful, however, the proceeds could run into millions of euros. These groups are autonomous because they develop and carry out their cybercriminal process mainly on their own. An exception is the purchase of very specific and specialised services, such as the laundering of large financial flows.
In recent years, there has been increasing cooperation between autonomous groups. This involves combining different specialities into combined attacks that, through their persistence, complexity and sophistication, approach the level of cyber attacks by state actors. However, autonomous groups differ from state actors as they act out of individual self-interest and not out of national (geopolitical) interests. In some cases, however, there is overlap or cooperation between these two actor groups. In addition to the transnational nature of cybercrime, this intertwining makes the investigation and prosecution of especially serious, organised cybercriminals even more complex.