Trends in Security Information
The HSD Trendmonitor is designed to provide access to relevant content on various subjects in the safety and security domain, to identify relevant developments and to connect knowledge and organisations. The safety and security domain encompasses a vast number of subjects. Four relevant taxonomies (type of threat or opportunity, victim, source of threat and domain of application) have been constructed in order to visualize all of these subjects. The taxonomies and related category descriptions have been carefully composed according to other taxonomies, European and international standards and our own expertise.
In order to identify safety and security related trends, relevant reports and HSD news articles are continuously scanned, analysed and classified by hand according to the four taxonomies. This results in a wide array of observations, which we call ‘Trend Snippets’. Multiple Trend Snippets combined can provide insights into safety and security trends. The size of the circles shows the relative weight of the topic, the filters can be used to further select the most relevant content for you. If you have an addition, question or remark, drop us a line at info@securitydelta.nl.
Cross-cutting crimes and challenges
The continued increase of cyber- and computer-related crime is to a large degree enabled through the evolution and maturation of the criminal markets that provide all the necessary tools, goods and services to novice and established criminals. Network intrusions and social engineering are components of a multitude of attack vectors.
1.1 Crime-as-a-service continues to proliferate
The crime-as-a-service (CaaS) model remains a prominent feature of the cybercriminal underground and is a cross-cutting factor throughout the cybercrime sub-areas. The availability of exploit kits and other services not only serves criminals with low technical skills, but also makes the operations of mature and organised threat actors more efficient.
In the past 12 months, European law enforcement agencies have reported an increase in malware-as-a-service (MaaS) offerings on the Dark Web, of which ransomware affiliate programs seem to be the most prominent. These programs are an evolution of the Ransomware-as-a-Service (RaaS) model in which the operators share profits with partners who can breach a target network and either harvest all the information required to launch an attack or deploy the malware themselves. This has expanded the market of selling access to compromised infrastructure and data breaches.
Related to the activities of ransomware and mobile malware operators, access-as-a-service (AaaS) is also in high demand as it is an enabler for both advanced malware crews and low-level criminals renting the tools to access corporate networks.
The by-product of the rise of multi-layered extortion schemes and wide-scale mobile information theft campaigns is an influx of personal information to illegal markets. This type of data is sought after by a wide range of offenders as it can drastically improve the success rate of social engineering deployed in any form of attack. As it stands, the user is often still the weakest link in the IT-security framework, which means social engineering remains an important vector for acquiring access to an information system or, in cases of fraud, the victim’s bank account.
One of the challenges related to the ongoing evolution of the market for criminal services is the planning of investigatory resources. Most often, the offenders actually causing harm to the victims are end users of criminal services. This means that investigations against these individuals are rather low-impact in terms of the disruption to the criminal ecosystem. Although all the available tools must be utilised to arrest the perpetrators, this needs to be done in parallel to internationally coordinated actions against the key players who are running the platforms and services that enable these crimes in the first place.
1.2 Expansive use of grey infrastructure enhances criminals’ operational security
Besides CaaS, various other services, tools and technologies continue to help facilitate cybercrime. Some of these are legitimate services that are widely used, but are inadvertently useful for achieving the goals of cybercriminals: secure communication, anonymity, obfuscation and laundering of criminal proceeds, and more. Other services can be classified as operating in a ‘grey’ area. Such services are often located in countries with very strong privacy laws or a history of not cooperating with the international law enforcement community. These are used by criminals and advertised in criminal forums. Grey infrastructure services include bulletproof hosters, rogue cryptocurrency exchanges, and VPNs that provide safe havens for criminals.
Legitimate services that are abused by cybercriminals are commonplace. The most well-known feature of such services is strong end-to-end encryption. Messaging application providers are unable to disclose the contents of the messages exchanged on their service even when subpoenaed. The amount of (meta)data stored on users is very limited.
Other legitimate tools and techniques that are abused by cybercriminals include cryptocurrencies and VPNs. Cybercriminals obfuscate and launder illicitly earned funds via cryptocurrencies. Fortunately, many legitimate cryptocurrency exchanges have strengthened their know-your-customer (KYC) regulations since the introduction of guidelines and directives at various levels. Unfortunately, cryptocurrency laundering remains possible through the persistence of mixers, swapping services and exchanges operating in grey areas (see section 5.5). Cybercriminals may also use legitimate VPN providers, as these will provide them with a safe and secure browsing experience. These companies will still comply with lawful requests for information when their services are abused for cybercriminal activity. European law enforcement, however, increasingly focuses on services that do not simply operate to give users a secure experience, but rather optimally shield cybercriminals from the grasp of law enforcement. Some recent examples include the takedowns of ANOM, Sky ECC, EncroChat, and several VPNs and cryptocurrency mixers.
These services are the grey infrastructure that makes cybercriminals thrive: they abuse jurisdictions with lagging legislation for hosting, do not store user data in a sufficient manner, and/or do not comply with lawful requests. Although not all users of such services are necessarily criminals, the level of criminality associated with such services is often so high that national law enforcement agencies, after finding enough evidence of criminal abuse, could consider them to be criminal enterprises.
During the last year, Europol has – together with its partners – coordinated takedowns of various services operating in grey areas, such as the takedowns of two VPNs that provided safe havens for cybercriminals: DoubleVPN and Safe-Inet. In addition, the takedowns of encrypted communication providers (also known as ‘crypto phones’) have led to the arrests of hundreds of criminals and the seizure of tons of illegal drugs, firearms, and millions of euros. However, more importantly, these operations have provided global law enforcement agencies with invaluable insights into the operations of criminals and their networks.