econ crime lab
Research articles
Research articles written by lab members

On the motivations and challenges of affiliates involved in cybercrime

Type

Scientific articles

Authors

Paquet-Clouston, M., Garcia, S.

Journal

Trends in Organized Crime

Year

2023

The cybercrime industry is characterised by work specialisation to the point that it has become a volume industry with various “as-a-service” offerings. One well-established “as-a-service” business model is blackmarket pay-per-install (PPI) services, which outsource the spread of malicious programmes to affiliates. Such a business model represents the archetype of specialisation in the cybercrime industry: a mass of individuals, known as affiliates, specialise in spreading malware on behalf of a service. Extant literature has focused on understanding the scope of such a service and its functioning. However, despite the large number and aggregate effect of affiliates on cybercrime, little research has been done on understanding why and how affiliates participate in such models. This study depicts the motivations and challenges of affiliates spreading Android banking Trojan applications through a blackmarket PPI service. We conducted a thematic analysis of over 6,000 of their private chat messages. The findings highlight affiliates’ labour-intensive work and precarious working conditions along with their limited income, especially compared to their expectations. Affiliates’ participation in cybercrime was found to be entangled between legal and blackmarket programmes, as affiliates did not care about programmes’ legal status as long as they yielded money. This study contributes to the literature by providing additional evidence on the downsides of work specialisation emerging from the cybercrime industry.

Mapping the DeFi Crime Landscape: An Evidence-based Picture

Type

Scientific articles

Authors

Carpentier-Desjardins, C., Paquet-Clouston, M., Kitzler, S. & Haslhofer, B.

Journal

Preprint

Year

2023

Over the past years, decentralized finance (DeFi) has been the target of numerous profit-driven crimes. However, until now, the full prevalence and cumulative impact of these crimes have not been assessed. This study provides a first comprehensive assessment of profit-driven crimes targeting the DeFi sector. To achieve this, we collected data on 1155 crime events from 2017 to 2022. Of these, 1050 were related to the DeFi industry and 105 to the centralized finance (CeFi) industry. Focusing on the former, a taxonomy was developed to clarify the similarities and differences among these crimes. All events were mapped onto the DeFi stack to assess the impacted technical layers, and the financial damages were quantified to gauge their scale. The findings show that the entire cryptoasset industry has suffered a minimum loss of US$30B, with two thirds related to centralized finance (CeFi) and one third to DeFi. Focusing solely on the latter, the results highlight that during an attack, a DeFi actor (an entity developing a DeFi technology) can serve as a direct target, as a perpetrator, or as an intermediary. The findings show that DeFi actors are the first victims of crimes targeting the DeFi industry: 52% of crime events targeted them, primarily due to technical vulnerabilities at the protocol layer, and these events accounted for 83% of all recorded financial damages. On the other hand, in 40% of crime events, DeFi actors were themselves malicious perpetrators, predominantly misusing contracts at the cryptoasset layer (e.g., rug pull scams). However, these events accounted for only 17% of all financial damages. The study's findings offer a preliminary assessment of the size and scope of crime events within the DeFi sector and highlight the vulnerable position of DeFi actors in the ecosystem.

Conti Inc.: Understanding the Internal Discussions of a large Ransomware-as-a-Service Operator with Machine Learning

Type

Scientific articles

Authors

Ruellan, E., Paquet-Clouston, M. & Garcia, S.

Journal

Preprint

Year

2023

Ransomware-as-a-service (RaaS) is increasing the scale and complexity of ransomware attacks. Understanding the internal operations behind RaaS has been a challenge due to the illegality of such activities. The recent chat leak of the Conti RaaS operator, one of the most infamous ransomware operators on the international scene, offers a key opportunity to better understand the inner workings of such organizations. This paper analyzes the main topic discussions in the Conti chat leak using machine learning techniques such as Natural Language Processing (NLP) and Latent Dirichlet Allocation (LDA), as well as visualization strategies. Five discussion topics are found: 1) Business, 2) Technical, 3) Internal tasking/Management, 4) Malware, and 5) Customer Service/Problem Solving. Moreover, the distribution of topics among Conti members shows that only 4% of individuals have specialized discussions while almost all individuals (96%) are all-rounders, meaning that their discussions revolve around the five topics. The results also indicate that a significant proportion of Conti discussions are non-tech related. This study thus highlights that running such large RaaS operations requires a workforce skilled beyond technical abilities, with individuals involved in various tasks, from management to customer service or problem solving. The discussion topics also show that the organization behind the Conti RaaS operator shares similarities with a large firm. We conclude that, although RaaS represents an example of specialization in the cybercrime industry, only a few members are specialized in one topic, while the rest run and coordinate the RaaS operation.

On the Dynamics behind Profit-Driven Cybercrime: From Contextual Factors to Perceived Group Structures, and the Workforce at the Periphery

Type

Scientific articles

Authors

Paquet-Clouston, M. & Garcia, S.

Journal

Global Crime

Year

2023

Through an inductive thematic analysis of semi-structured interviews with experts, this study corroborates key findings on contextual and organisational dynamics behind profit-driven cybercrime. The findings pinpoint three contextual factors influencing individuals to participate in profit-driven cybercrime: lack of legal economic opportunities, lack of deterrents, and drifting means. The findings also highlight how experts perceive group structures of those behind profit-driven cybercrime: as organised, enterprise-like, loose networks, or communities. Experts’ narratives, moreover, emphasise the presence of a workforce at the periphery of cybercrime groups. Such a workforce is not actively involved in developing criminal schemes, yet it helps their orchestration by achieving necessary tasks such as writing texts or developing software. The study results confirm key insights on crime participation related to both cyber and non-cybercrime literature while also raising new research avenues, including questions concerning to what extent those forming the peripheral workforce are willing to participate in cybercrime.

An Exploration on Cryptocurrency Corporations’ Fiscal Opportunities

Type

Conference proceedings

Authors

Charest, Thomas & Paquet-Clouston, Masarah

Journal

Proceedings of the ACM Web Conference 2023

Year

2023

As the decentralized finance industry gains traction, governments worldwide are creating or modifying legislations to regulate such financial activities. To avoid these new legislations, decentralized finance enterprises may shop for fiscally advantageous jurisdictions. This study explores global tax evasion opportunities for decentralized finance enterprises. Opportunities are identified by considering various jurisdictions’ tax laws on cryptocurrencies along with their corporate income tax rates, corporate capital gains tax rates, level of financial development and level of cryptocurrency adoption. They are visualized with the manifold approximation and projection for dimension reduction (UMAP) technique. The study results show that there exist a substantial number of tax evasion opportunities for decentralized finance enterprises through both traditional offshore jurisdictions and crypto-advantageous jurisdictions. The latter jurisdictions are usually considered high-tax fiscal regimes; but, given that they do not apply tax laws, tax evasion opportunities arise, especially in jurisdictions that have high financial development and high cryptocurrency adoption. Further research should investigate these new opportunities and how they are evolving. Understanding the global landscape surrounding tax evasion opportunities in decentralized finance represents a first step at preventing corporate capital flight of cryptocurrencies.

Entanglement: cybercrime connections of a public forum population

Type

Scientific articles

Authors

Paquet-Clouston, M., Paquette, S-O., Garcia, S. & Erquiaga, M-J.

Journal

Journal of Cybersecurity

Year

2022

Many activities related to cybercrime operations do not require much secrecy, such as developing websites or translating texts. This research provides indications that many users of a popular public internet marketing forum have connections to cybercrime. It does so by investigating the involvement in cybercrime of a population of users interested in internet marketing, both at a micro and macro scale. The research starts with a case study of three users confirmed to be involved in cybercrime and their use of the public forum. It provides a first glimpse that some business with cybercrime connections is being conducted in the clear. The study then pans out to investigate the forum population's ties with cybercrime by finding crossover users, that is, users from the public forum who also comment on cybercrime forums. The cybercrime forums on which they discuss are analyzed and the crossover users’ strength of participation is reported. Also, to assess if they represent a sub-group of the forum population, their posting behavior on the public forum is compared with that of non-crossover users. This blend of analyses shows that (i) a minimum of 7.2% of the public forum population are crossover users that have ties with cybercrime forums; (ii) their participation in cybercrime forums is limited; and (iii) their posting behavior is relatively indistinguishable from that of non-crossover users. This is the first study to formally quantify how users of an internet marketing public forum, a space for informal exchanges, have ties to cybercrime activities. We conclude that crossover users are a substantial part of the population in the public forum, and even though they have thus far been overlooked, their aggregate effect in the ecosystem must be considered. This study opens new research questions on cybercrime participation that should consider online spaces beyond their cybercrime branding.

A Robust Measure to Uncover Community Brokerage in Illicit Networks

Type

Scientific articles

Authors

Paquet-Clouston, M. & Bouchard, M.

Journal

Journal of Quantitative Criminology

Year

2022

Objectives Brokers are said to be the oiling chain of illicit networks, facilitating the efficient flow of illicit products to destination. Yet, most of the available brokerage measures focus on local or individual networks, missing the brokers who connect others across communities, such as market levels. This study introduces a robust measure that uncovers, scores, and positions these community brokers.

Methods We used network data aggregated from numerous investigations related to 1,800 criminal entrepreneurs operating in Western Canada. After uncovering the communities using the Leiden algorithm, we developed a community brokerage score that assesses individual potential reach and control at the meso level, and that accounts for individual position changes due to different community structures. We examined how the score relates to brokerage and structural hole measures as well as seriousness of involvement in criminality.

Results We found that the illicit network studied has a strong and stable community structure, and community brokers form about 9% of the population. The score developed is statistically robust and is not strongly related to network and structural hole measures, which confirms the need for a novel measure that captures this strategic position in illicit and other networks.

Conclusions Community brokers are especially important in illicit networks where large-scale covert coordination among criminal entrepreneurs is risky. The measure we propose is not overlapping with currently existing brokerage measures and has the potential to contribute to our understanding of how products and information flow beyond local networks, in criminology and other fields.

Cybercrime Specialization: An Exposé of a Malicious Android Obfuscation-as-a-Service

Type

Conference proceedings

Authors

Sembera, V., Paquet-Clouston, M., Garcia, S. & Erquiaga, M-J.

Journal

2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)

Year

2021

Malware authors constantly obfuscate their files and defenders regularly develop new techniques to detect them. Given this cat-and-mouse game, specialized obfuscation services have appeared in the cybercrime industry. These services allow malware authors to obfuscate their code for a fee. This study investigates an automated obfuscation-as-a-service platform for Android applications and yields unique insights on the technical difficulties and business reality of those behind such a specialized service. The service investigated was found to be average in quality, mainly using known obfuscation techniques, and generating obfuscated applications that were still detected by anti-viruses. It had a small clientele of large-scale attackers who used the service to decrease anti-virus detections of highly malicious applications, thus increasing their chances of compromising devices. Depending on the price bundles considered, operators offering the service were estimated to have made a minimum revenue ranging from USD 5,100 (conservative) to USD 61,160 (optimistic) for a six-month operation. This study illustrates that even though obfuscation-as-a-service is a market niche, taking advantage of the value added from this specialization is not effortless nor easily accessible to everyone involved in cybercrime.

Spams meet Cryptocurrencies: Sextortion in the Bitcoin Ecosystem

Type

Conference proceedings

Authors

Paquet-Clouston, M., Romiti, M., Haslhofer, B. & Charvat, T.

Journal

AFT '19: Proceedings of the 1st ACM Conference on Advances in Financial Technologies

Year

2019

In the past year, a new spamming scheme has emerged: sexual extortion messages requiring payments in the cryptocurrency Bitcoin, also known as sextortion. This scheme represents a first integration of the use of cryptocurrencies by members of the spamming industry. Using a dataset of 4,340,736 sextortion spams, this research aims at understanding such new amalgamation by uncovering spammers' operations. To do so, a simple, yet effective method for projecting Bitcoin addresses mentioned in sextortion spams onto transaction graph abstractions is computed over the entire Bitcoin blockchain. This allows us to track and investigate monetary flows between involved actors and gain insights into the financial structure of sextortion campaigns. We find that sextortion spammers are somewhat sophisticated, following pricing strategies and benefiting from cost reductions as their operations cut the upper-tail of the spamming supply chain. We discover that one single entity is likely controlling the financial backbone of the majority of the sextortion campaigns and that the 11-month operation studied yielded a lower-bound revenue between $1,300,620 and $1,352,266. We conclude that sextortion spamming is a lucrative business and spammers will likely continue to send bulk emails that try to extort money through cryptocurrencies.

Ransomware payments in the Bitcoin ecosystem

Type

Scientific articles

Authors

Paquet-Clouston, M., Haslhofer, B. & Dupont, B.

Journal

Journal of Cybersecurity

Year

2019

Ransomware can prevent a user from accessing a device and its files until a ransom is paid to the attacker, most frequently in Bitcoin. With over 500 known ransomware families, it has become one of the dominant cybercrime threats for law enforcement, security professionals, and the public. However, a more comprehensive, evidence-based picture on the global direct financial impact of ransomware attacks is still missing. In this article, we present a data-driven method for identifying and gathering information on Bitcoin transactions related to illicit activity based on footprints left on the public Bitcoin blockchain. We implement this method on top of the GraphSense open-source platform and apply it to empirically analyze transactions related to 35 ransomware families. We estimate the lower bound direct financial impact of each ransomware family and find that, from 2013 to mid-2017, the market for ransomware payments has a minimum worth of USD 12 768 536 (22 967.54 BTC). We also find that the market is highly skewed, with only a few players responsible for the majority of the payments. Based on these research findings, policy-makers and law enforcement agencies can use the statistics provided to understand the size of the illicit market and make informed decisions on how best to address the threat.
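Both the sextortion study above and this ransomware study start from a set of seed addresses (taken from spam bodies or ransom notes), expand them into the entity that controls them, and then sum the payments flowing into that entity from outside it to obtain a lower-bound revenue. The block below is an added example that is not code from either paper or from GraphSense: it applies the standard common-input-ownership heuristic (all inputs of one transaction are assumed to belong to one entity) to a handful of constructed transactions, then computes the inbound BTC and USD for the cluster around a seed address. The transaction set, the address names and the per-transaction USD prices are all constructed for the example; real work would read them from a blockchain index and a price feed.

```python
"""Added example: address clustering by the common-input-ownership heuristic,
followed by a lower-bound inbound-revenue estimate for a seed address set.
All transactions and prices below are constructed; they are not chain data."""


# Constructed transactions (address level, ignoring individual UTXOs).
# Amounts are in satoshi (1 BTC = 100_000_000 sat).
SAMPLE_TXS = [
    {"txid": "t1", "inputs": ["victim1"], "outputs": [("ransomA", 50_000_000)]},
    {"txid": "t2", "inputs": ["victim2"], "outputs": [("ransomB", 50_000_000)]},
    # ransomA and ransomB are co-spent: the heuristic assumes one owner.
    {"txid": "t3", "inputs": ["ransomA", "ransomB"], "outputs": [("collector", 99_000_000)]},
    {"txid": "t4", "inputs": ["victim3"], "outputs": [("collector", 120_000_000)]},
    # collector is later co-spent with ransomA, which joins it to the cluster.
    {"txid": "t5", "inputs": ["collector", "ransomA"], "outputs": [("cashout", 250_000_000)]},
    # Unrelated activity that must not be attributed to the cluster.
    {"txid": "t6", "inputs": ["other1"], "outputs": [("other2", 300_000_000)]},
]

# Constructed USD per BTC at the time of each transaction.
SAMPLE_PRICES = {"t1": 600, "t2": 700, "t3": 800, "t4": 2500, "t5": 2600, "t6": 2700}


class DisjointSet:
    """Union-find over address strings, with path compression."""

    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Apply the common-input-ownership heuristic to every transaction.

    Returns a mapping address -> cluster representative. Output-only addresses
    are registered as singletons so that every address seen has a cluster."""
    ds = DisjointSet()
    for tx in txs:
        first = tx["inputs"][0]
        for addr in tx["inputs"][1:]:
            ds.union(first, addr)
        for addr, _ in tx["outputs"]:
            ds.find(addr)
    return {addr: ds.find(addr) for addr in list(ds.parent)}


def expand_seeds(txs, seeds):
    """All addresses sharing a cluster with at least one seed address."""
    roots = cluster_addresses(txs)
    seed_roots = {roots[s] for s in seeds if s in roots}
    return {addr for addr, root in roots.items() if root in seed_roots}


def lower_bound_revenue(txs, prices, seeds):
    """Sum payments into the seed cluster that originate outside it.

    Transactions with any input inside the cluster are treated as internal
    moves (consolidation, cash-out) and skipped so they are not double-counted.
    Returns (cluster, satoshi_received, usd_received)."""
    cluster = expand_seeds(txs, seeds)
    sats = 0
    usd = 0.0
    for tx in txs:
        if any(addr in cluster for addr in tx["inputs"]):
            continue
        for addr, amount in tx["outputs"]:
            if addr in cluster:
                sats += amount
                usd += amount / 1e8 * prices[tx["txid"]]
    return cluster, sats, usd


if __name__ == "__main__":
    cluster, sats, usd = lower_bound_revenue(SAMPLE_TXS, SAMPLE_PRICES, ["ransomA"])
    print(sorted(cluster), sats / 1e8, "BTC", round(usd, 2), "USD")
```

Starting from the single seed `ransomA`, the two co-spend transactions pull `ransomB` and `collector` into the same cluster, while `cashout` (which only ever receives) and the `other*` addresses stay outside it. The 0.99 BTC consolidation in `t3` and the 2.5 BTC cash-out in `t5` are internal moves and are excluded, so the estimate is the 2.2 BTC paid in by the three victims, valued at the price on each payment date. This is a lower bound in the same sense as in the papers: seed addresses that were never co-spent with the rest of the operator's wallet remain unclustered and their receipts are not counted.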

Patterns in Cannabis Cryptomarkets in Canada in 2018

Type

Reports

Authors

Décary-Hétu, D., Paquet-Clouston, M., Bouchard, M. & Morselli, C.

Journal

Public Safety Canada

Year

2019

The internet has evolved into a distribution channel for the illicit sale of drugs. Since 2011, criminal entrepreneurs have taken advantage of anonymous online marketplaces, called cryptomarkets. These platforms facilitate transactions of illegal products and services among many sellers and buyers, leveraging sophisticated technologies, like the Tor network and cryptocurrencies, to ensure anonymity among all participants. Illicit drugs are the most common products sold on cryptomarkets, but other goods and services are also offered, such as stolen financial information and counterfeit products. Cryptomarkets represent a low-risk environment where transactions can take place in an organized manner. The main objective of this report is to understand the illicit cannabis trade by Canadians on cryptomarkets, particularly since very little is known on cryptomarkets at a national level beyond a handful of studies providing fragmented results. This analysis is crucial at a time when the sale of recreational cannabis has been legalized in Canada with the objective of eliminating the black market for recreational cannabis. An examination of trends in cryptomarket sales as cannabis has become legal is an essential step towards understanding the impact of the legalization of recreational cannabis in Canada. To reach the main objective, this project drew from two data sources: the DATACRYPTO software tool and a cryptomarket drug dealer survey. We find that, following the legalization of cannabis, sales of cannabis on cryptomarkets by Canadian dealers appear to show an upward trend. The noted increase is mainly related to sales targeting an international market. When comparing July 2018 to November 2018 sales, Canada moves from 8th to 4th position in terms of cannabis sales on cryptomarkets. It should be noted that the analyses presented in this report are exploratory as the follow-up period post-legalization was extremely short and the data are sparse. These results could change in the long term, when the legal supply of recreational cannabis is more firmly established, and the legal market has matured.

Uncovering the wholesale industry of social media fraud: from botnet to bulk reseller panels

Type

Reports

Authors

Paquet-Clouston, M. & Bilodeau, O.

Journal

Virus Bulletin

Year

2018

There is no doubt that there has been an increasing interest in understanding the industry of social media fraud (SMF) – which is the process of creating fake ‘likes’ and ‘follows’ on online social networks (OSN) – and its potential deceptive capabilities. This paper explores an undocumented segment of this industry: wholesaling, from botnet supply operations to bulk reselling.

To begin, the paper focuses on a previously unexplored aspect of Linux/Moose, an IoT botnet conducting SMF. Linux/Moose infects devices in order to use them as proxies to relay traffic to social networks. Its architecture includes a whitelist of IP addresses that can push traffic through those proxies – a feature reminiscent of a reseller model. We analyse the traffic fingerprints left by each IP address on the systems we infected and uncover the value of the whitelisted IPs, which is not what we had anticipated. Then, we collect information on bulk reseller panels, the direct working partners of the botnet operators. While analysing their striking similarities, we discover a new key actor in the industry: the software panel seller. We investigate the panels in an attempt to understand how they are connected to main SMF providers like Linux/Moose.

Finally, we map the SMF supply chain, discuss key actors that, if targeted, would disrupt the entire industry and show the likely unequal revenue division in the chain. This is a first review study of the wholesale industry of SMF. It provides key insights for actors willing to curb this illicit activity, from law enforcement agencies to policy makers and cybersecurity professionals.

[FR] Comprendre les interactions des vendeurs de drogues illicites sur les forums de discussion des cryptomarchés

Type

Scientific articles

Authors

Paquet-Clouston, M., Autixier, C. & Décary-Hétu, D.

Journal

Canadian Journal of Criminology and Criminal Justice

Year

2018

Article only available in French. This article explores how online drug sellers interact on cryptomarket discussion forums. The results suggest that the sellers' interactions are modulated by their status as sellers. Sellers fuse two roles to adjust their status, combining the role of entrepreneur and the role of volunteer expert. As entrepreneurs, sellers post promotional messages to take advantage of the visibility provided by the forums. They also take on an expert volunteer role, making “effort donations” to the community by helping other participants. These effort donations may be made with the aim of raising their reputation within a community, a key element in the sale of illegal products online. These donations could also be motivated by a form of participatory act, which benefits the maximum number of participants and ensures the welfare and development of the virtual community.

Assessing market competition and vendors’ size and scope on AlphaBay

Type

Scientific articles

Authors

Paquet-Clouston, M., Décary-Hétu, D. & Morselli, C.

Journal

International Journal of Drug Policy

Year

2018

Background Since 2011, drug market participants have traded illegal drugs through cryptomarkets, a user-friendly infrastructure in which drug market participants can conduct business transactions. This study assesses market competition and the size and scope of drug vendors’ activities on one of the largest cryptomarkets, AlphaBay, in order to better understand the challenges that drug vendors face when selling on this venue.

Methods Relying on data collected from AlphaBay, we calculate the degree of competition within the drug market using the Herfindahl-Hirschman Index (HHI). We then follow a micro analytical approach and assess the size and scope of vendors’ accounts. This is done by evaluating each vendor’s market share over time using a group-based trajectory model (GBTM). Results from the GBTM are then used to assess vendors’ exposure, diversity and experience based on their selling position in the market.

Results The HHI scores demonstrate that cryptomarkets offer a highly competitive environment that fits in a top-heavy market structure. However, the distribution of vendors’ market share trajectories shows that only a small portion of vendors (referred to as high-level vendors) succeed in generating regular sales, whereas the majority of vendors are relegated to being mere market spectators with almost zero sales. This inequality is exacerbated by the aggressive advertising of high-level vendors who post many listings. Overall, product diversity and experience is limited for all market participants regardless of their level of success. We interpret these results through Reuter’s work on traditional illegal markets, e-commerce studies and the growing field of cryptomarket research.

Conclusion We conclude that, while offering a new venue for illegal drug transactions, in many ways, the economics of cryptomarkets for drug dealing are consistent with Reuter’s classic assessment of illegal markets and the consequences of product illegality that underlie it. Cryptomarkets’ conflicting features, a relatively open setting with relatively high barriers to entry and sales, shape the competitive, yet top-heavy market that emerges from our analysis. This creates a challenging environment for cryptomarket drug dealers.

Cybercrime is whose responsibility? A case study of an online behaviour system in crime

Type

Scientific articles

Authors

Paquet-Clouston, M., Décary-Hétu, D. & Bilodeau, O.

Journal

Global Crime

Year

2017

Drawing on Sutherland’s theory of behaviour systems in crime, this study investigates social media fraud (SMF) facilitated by botnets to understand the onset and maturation of this new online offending behaviour. We find legitimate actors in the system – Internet of Things manufacturers, online social networks, hosting companies and law enforcement agencies – share a way of life that prioritises private gains and avoids implicit responsibility for security. They arrive at a Nash equilibrium that provides a weak and disorganised social response to crime. SMF providers, on the other hand, are cleverly organised and exploit weaknesses in security, adapting to change and developing working relationships with those who benefit from their activities and share their lenient behaviour towards fraudulent activities. We conclude that the rise in cybercrime is a result of the behaviours of all actors in the system, not just those who offend.

Can We Trust Social Media Data? Social Network Manipulation by an IoT Botnet

Type

Conference proceedings

Authors

Paquet-Clouston, M., Bilodeau, O. & Décary-Hétu, D.

Journal

SMSociety17: Proceedings of the 8th International Conference on Social Media & Society

Year

2017

The size of a social media account's audience -- in terms of followers or friends count -- is believed to be a good measure of its influence and popularity. To gain quick artificial popularity on online social networks (OSN), one can buy likes, follows and views from social media fraud (SMF) services. SMF is the generation of likes, follows and views on OSN such as Facebook, Twitter, YouTube, and Instagram. Using a research method that combines computer sciences and social sciences, this paper provides a deeper understanding of the illicit market for SMF. It conducts a market price analysis for SMF, describes the operations of a supplier -- an Internet of things (IoT) botnet performing SMF -- and provides a profile of the potential customers of such fraud. The paper explains how an IoT botnet conducts social network manipulation and illustrates that the fraud is driven by OSN users, mainly entertainers, small online shops and private users. It also illustrates that the OSN strategy of suspending fake accounts only cleans the networks a posteriori of the fraud and does not deter the crime -- the botnet -- or the fraud -- SMF -- from happening. Several solutions to deter the fraud are provided.

Conflict management in illicit drug cryptomarkets

Type

Scientific articles

Authors

Morselli, C., Décary-Hétu, D., Paquet-Clouston, M. & Aldridge, J.

Journal

International Criminal Justice Review

Year

2017

Illegal drug markets have been described as “stateless” systems. Drug dealers, moreover, are commonly considered to have a predilection toward the use of violence to resolve disputes arising from dealing activities. While some studies have undermined this popular perception, new trends surrounding the distribution of illegal drugs via online channels (drug cryptomarkets) have shifted the transactional setting from the physical to virtual realm, thus decreasing the likelihood of violent resolution outcomes even further. This article examines conflict management strategies within cryptomarkets by coding discussion forums between vendors and buyers. Violence, as expected, is absent. Strategies more likely reflect alternatives that have been recognized in conflict management research within and beyond illegal market settings: tolerance, avoidance, ostracism, third-party intervention, negotiation, and threats. The overall setting from which such resolutions emerge is clearly not subject to formal regulations, but our analyses illustrate the multitude of informal social control mechanisms that are consistently at play and which underlie the self-regulatory and communal processes that are firmly in place.

The independent’s edge in an illegal drug distribution setting: Levitt and Venkatesh revisited

Type

Scientific articles

Authors

Morselli, C., Paquet-Clouston, M. & Provost, C.

Journal

Social Networks

Year

2017

Popular imagery and scholarly research have differed significantly in their perceptions and understanding of the structure and scope of organized crime and gang settings. While the common image is that of the corporate-like or formal criminal organization, past research has been more likely to argue and demonstrate in favour of market and network flexibility. In this study, we pursue this latter line of inquiry by demonstrating the market and network features that shape illegal drug distribution settings. In doing so, we rely on the Quebec Hells Angels accounting books for a one-year period, which brings us within the same empirical domain as Levitt and Venkatesh’s (2000) study of the Black Knights in 1990s Chicago. Our study sways from the main premise that oriented the Black Knight’s case study—namely that performance within the illegal drug distribution structure was directly tied to that organization’s rigid hierarchical structure. While the Hells Angels can be analyzed as a corporation, this does not mean that Hells Angels members are, by definition, at an advantage because of their organizational status in the illegal drug distribution setting in which some members are active. What our findings indicate is that a participant’s ability to adapt to market dynamics and take on a core network position within an illegal drug market (cocaine, in this study) matter most. Overall, we demonstrate that: 1) Quebec’s cocaine market was structured primarily around traditional market forces; 2) the transaction network around the Hells Angels was not centralized around a single person or small group of people; 3) Hells Angels members were not the most active participants; and 4) being a Hells Angels member did not increase one’s volume of transactions within the network—quite differently, core network positioning did.

When Greed for Fame Benefits Large-Scale Botnets

Type

Reports

Authors

Paquet-Clouston, M.

Journal

GoSecure Report

Year

2016

Cybercrime is an evolving phenomenon and offenders are continuously developing new techniques to gain unauthorized access into computer systems. This paper will showcase just how ingenious botmasters have become by analyzing a specific botnet, the Linux/Moose botnet, and the illicit online market it thrives in. The Linux/Moose botnet was first discovered by the ESET research team in 2015 and their analysis of the botnet was published in a technical report. Following the publication of this report, the botnet operators transitioned to a new version of their Linux/Moose botnet infrastructure, but essentially kept the same end-goal: social media fraud, which can be defined as the process of creating false endorsements of social network accounts in order to enhance a user’s popularity and visibility. This can be achieved by liking posts (or any similar endorsement) or following a user.

Linux/Moose stands out among all other botnets for three reasons. First, it is part of a new generation of Internet of Things (IoT) botnets that run on embedded systems such as routers rather than computers. It is therefore much stealthier and more difficult to detect since no antivirus and little security software monitor these devices’ traffic and behavior. Second, rather than sending instructions to the bots it has compromised, the botnet uses the bots only as proxies to hide the origin of the requests it sends exclusively to social media websites. The bots therefore do not need much computational power; their bandwidth and their “clean” IP addresses are what the botnet is after. Lastly, the botnet specializes in social media fraud, a very different activity from other botnets, which usually send spam, commit ad fraud and launch distributed denial of service (DDoS) attacks.

To investigate the Linux/Moose botnet, we infected several honeypots around the world. We performed a man-in-the-middle attack to decrypt the botnet’s traffic, analyzed its operations and studied the illicit online market where social media fraud services are bought and sold. This paper presents the results of our months-long investigation and blends a technical understanding of the botnet with a social assessment of its activities.

Going international? Risk taking by cryptomarket drug vendors

Type

Scientific articles

Authors

Décary-Hétu, D., Paquet-Clouston, M. & Aldridge, J.

Journal

International Journal of Drug Policy

Year

2016

Background Since 2011, we have witnessed the rise of ‘dark net’ drug marketplaces known as cryptomarkets. Cryptomarkets operate on the same model as eBay as they provide a platform where authorized vendors can set up a virtual shop and place listings. Building on a growing body of literature that seeks to understand cryptomarket participants, this paper seeks to explain the decision of cryptomarket vendors to take on risk.

Methods We collected data on Silk Road 1 (SR1), the first cryptomarket launched in 2011. We propose a multilevel model that takes into account the characteristics of listings, vendors and their environment to explain the decision of vendors to take on risk.

Results Our results demonstrate that all levels in the model significantly explain the decision to take on risk. Risk taking, operationalized as a willingness to ship drugs across international borders, was associated with the weights of drug packages mailed, the vendors’ reputations and numbers of listings, the country-level perceived effectiveness of law enforcement according to experts, and the opportunities available to vendors as measured by the wealth and the drug expenditures of potential customers.

Conclusions Our results support some previous research findings on the factors explaining risk taking. We extend existing literature by emphasizing the relevance of the environment of drug dealers to predict risk taking.