Unpacking the Structure of Modern Cybercrime Organizations
The last 20 years have seen the cyberthreat landscape transform markedly: From an era of cyberattacks with damaging payloads, the cybercrime space has evolved to one where malicious actors have organized themselves into groups, mainly driven by financial gain.
Consequently, organizations now contend with a new breed of cybercriminals fiercely competing among themselves to claim a bigger stake in a highly lucrative market. Given present circumstances, malicious actors have organized themselves in ways that show a remarkable resemblance to legitimate corporations. Our research findings show that as revenues and membership of cybercriminal groups expand, their organizational structure becomes more complex because new tiers in the hierarchy inevitably arise in the process.
Our research paper titled “Inside the Halls of a Cybercrime Business” closely examines small, medium, and large criminal groups based on cases from law enforcement arrests and insider information. We also juxtapose each of these to traditional businesses of comparable size to obtain relevant insights about these criminal organizations.
Our report discusses how threat researchers and law enforcement can use information on the structure of a criminal organization to aid their investigation. In particular, such knowledge can lead them to discover new key pieces of information that might help in the fight against their cybercriminal adversaries.
Defining the sizes of criminal groups
Cybercrime organizations operate clandestinely by default. Such covertness makes it impossible to apply the conventional definition of legitimate corporations to them because doing so renders all criminal groups as small-size businesses.
Therefore, we set the definition ourselves for the purpose of this research, to determine the sizes of criminal groups according to their employee headcount, their layers of hierarchy, and their annual revenues, as gathered from our substantial body of research into various criminal groups that we have published so far.
To address the lack of a rigid set of criteria for ascertaining the business size of criminal groups, we created a guide (Figure 1) that cyberthreat researchers can use to classify a criminal organization’s size and supplement other available information. For consistency, a criminal organization’s classification under a given category means that it has adequately met the prescribed criteria.
Number of staff and affiliates | Annual revenue | Management layers | |
Small | 1-5 | Under US$500,000 | 1 |
Medium | 6-49 | Up to $50 million | 2 |
Large | 50+ | $50 million+ | 3 |
Small criminal businesses that earn moderate yearly revenues dominate the underground marketplace
Small groups of criminals that generate moderate annual revenues of no more than US$500,000 comprise most of the cybercrime space. A team leader, a coder, a support role, and a network administrator make up a typical small criminal group. With only a few members operating under a partnership model, each employee often multitasks to perform various roles like advertising, recruitment, and finance, among others. Members of small criminal groups often hold day jobs in additon to their involvement with the gang.
One or more entrepreneurs establish a small criminal enterprise to develop and sell a unique product or service. These entrepreneurs finance the operation themselves and funnel resources to pay for the fees of the malware code developers, servers, and other attendant costs.
We used Scan4You in our research as an example of a small business group that made a notable reputation for itself in the underground from 2012 to 2017. During its five-year operation, it was one of the most prominent Counter Antivirus (also known as Counter AV or CAV) services in the cybercrime realm.
The structures of midsize criminal groups and their traditional counterparts share similarities
Medium-size criminal organizations have a more complex structure compared to the flat organizational setup of small criminal businesses, as they deal with additional layers of management like those found in conventional businesses of the same size. Midsize criminal groups have basic functional groups and reporting lines with a headcount between six and 49 employees, with one person occupying the topmost tier of their organizational chart and leading the entire operation. These groups produce revenues of not more than US$50 million a year, which affords their group members full-time employment.
To investigate the structure of midsize criminal groups, we selected MaxiDed. The gang started as a small hosting provider without overtly marketing itself as catering to illicit activities. In 2011, MaxiDed shifted its business model to become a bulletproof hosting provider for underground businesses that deal with command-and-control servers (C&C) for distributed denial-of-service (DDoS) botnets, cyberespionage, malvertising, spam, and hosting of child abuse materials.
Like large legitimate corporations, large criminal enterprises have functional departments and a multilevel organizational structure
The existence of functional departments like human resources and IT is a central feature of large criminal enterprises that is strikingly like the setup of ordinary corporations. Given a workforce size of more than 50 employees, it comes as no surprise that reporting lines are also highly hierarchical with middle management and upper management forming a pyramid-like structure.
A noteworthy revelation from our research findings is how closely managers supervise employee performance, even going as far as implementing programs to cultivate and sustain their employees’ motivation to meet their financial goals. Large criminal organizations generate more than US$50 million in annual revenues, which is on par with revenues gained by large, legitimate companies.
We chose the Conti ransomware group to unpack the inner workings of a large criminal enterprise. Conti is a well-known ransomware-as-a-service (RaaS) provider deemed by many as the successor of the Ryuk ransomware. Conti operators have gained notoriety for their deft use of double-extortion techniques and have reportedly peddled access to victim organizations that refused to pay the ransom, in addition to publishing stolen data.
A cybercrime analyst’s knowledge of the size of criminal organizations can lead to new information to aid their investigation
Having an estimation of the size of a target cybercrime group when an infiltration takes place can pave the way for threat analysts to discover new information. These new vital pieces of information might include a group’s financial statements, organizational charts, list of employees, the cryptocurrency wallets of group members, and department-specific documentation, among others. Such information can be instrumental for investigators and law enforcement who share the goal of inflicting serious damage on a gangs’ operations.
- For cybercrime investigators: Knowing criminal groups’ management structure provides them with baseline information on the roles and number of people to look for while also giving insights on key people within the group that need to be monitored and probed more closely.
- For law enforcement: Knowing the size of a target criminal organization can help enforcers pinpoint which groups need to be pursued first to make the most significant impact on cybercriminal operations.
Although knowledge of a criminal organization’s size has advantages for threat researchers, this does not automatically mean that these groups can be easily accessed. Nevertheless, getting hold of sensitive information can deal a more damaging blow to cybercrime operations than mere server takedowns. The leaked Conti chats and their repercussions are strong evidence of this. For more insights on the size and structure of different criminal groups, read our paper, “Inside the Halls of a Cybercrime Business.”