This article examines the network structure, criminal cooperation, and external interactions of cybercriminal networks. Its contribution is empirical and inductive. The core of this study involved carrying out 10 case analyses on closed cybercrime investigations – all with financial motivations on the part of the offenders - in the UK and beyond. Each analysis involved investigator interview and access to unpublished law enforcement files. The comparison of these cases resulted in a wide range of findings on these cybercriminal networks, including: a common division between the scam/attack components and the money components; the presence of offline/local elements; a broad, and sometimes blurred, spectrum of cybercriminal behaviour and organisation. An overarching theme across the cases that we observe is that cybercriminal business models are relatively stable.
DOCUMENT
Presentation by Rutger Leukfeldt on Financially motivated cybercriminal networks, during workshop on Cybercrime Offenders. Cybercrime perpetrators are as diverse and complex as the cybercrime that they commit. For example, they come from different backgrounds and have different (egotistical, technical, monetary, ideological, political, professional, vengeful, sexual or other) motivations. They may or may not be professional criminals, and individuals or part of organised groups or networks (example of Advanced Persistent Threats). Some may commit crime on their own account or make their services available to others, and some may be supported by or be state actors. A better understanding of the types of perpetrators and their motivations and techniques can be instrumental for the prevention of cybercrime and for a more effective criminal justice response. The aim of this workshop is to contribute to such a better understanding and to initiate steps towards a typology of offenders.
DOCUMENT
Hacktivism represents the promotion in the cyber landscape of ideo-logically motivated agendas using hacking techniques. Despiteresearch on the topic has provided some clues on how hacktivistnetworks develop, the processes behind their evolution remain mostlyunknown. This gap in the literature prompted us to research the role ofonline/offline social relationships and of the offender convergencesettings in the creation, recruitment process and development ofhacktivist networks. This study is based on 30 interviews with hackti-vists, and it uses the social opportunity structures framework to ana-lyze the development of 21 hacktivist networks. The results show thatsaid networks can be divided in sub-categories based on the type ofconnections used to create them. Online social relationships andonline convergence settings (particularly social media platforms andIRC channels) seem to play a key role in the development of hacktivistnetworks, while offline contacts are limited. For the recruitment pro-cess, hacktivists use comparable strategies to any organization, butthree different categories were identified when discussing the level ofsophistication applied to the selection of new candidates.
DOCUMENT
This dissertation focuses on the question how money mules are recruited and which mechanisms play a role. Money mules are people who receive money from victims of online fraud. They are an indispensable link in the commission of financial-economic cybercrimes, such as phishing and bank helpdesk fraud, because they break the financial trail from victims to core members. The crucial role of money mules in the crime script and the possible consequences for young money mules themselves make them a valuable target group for scientific research. Almost no empirical research has been conducted into money mules and the involvement mechanisms of cybercrime. However, this knowledge is necessary for the development and application of prevention measures: interventions aimed at money mules disrupt the execution of various forms of online fraud, which can reduce victimization of cybercrime among citizens and businesses. In total, the dissertation consists of six empirical chapters, in which different research methods were used. This includes questionnaires and expert interviews, but also more unique and innovative methods such as online field experiments and analysis of police investigations into cybercriminal networks. The dissertation shows that money mules - still - form a crucial link in the world of financial-economic cybercrime. It is clear that this phenomenon manifests itself in different ways over time: online bank accounts, international bank accounts and crypto wallets are currently popular among cybercriminal networks because they offer even more anonymity than bank accounts at large traditional banks. This also means that money mules are also recruited for their identification cards instead of their bank card, which offenders use to open up accounts for themselves. It can be concluded that the social environment of money mules forms a criminal opportunity structure. Money mules are approached via-via and actively addressed; online on social media such as Instagram and Telegram but also offline on the street, at school or at the metro station. Social relationships therefore offer cybercriminal networks access to co-offenders, including money mules, and can explain why young people become involved in the world of cybercrime. Financial motivations play a role here, because money mules often look up to the luxurious lifestyle of criminals and give up bank account details in exchange for compensation. Risk perceptions regarding the likelihood of being caught and the consequences of money muling are low and money mules justify the criminal behavior. In addition to financial considerations, some recruiters also exert pressure or even threaten with violence. This reflects the heterogeneous nature of the target group and makes it clear that various involvement mechanisms play a role.
LINK
The organizational aspects of hacktivist networks are seldom studied, withresearch mainly focused on exploratory and descriptive case studies. Tonarrow the gap, we have used the sociological model for the social organiza-tion of deviants developed by Best and Luckenbill (1994). Said model illus-trates how hacktivist networks are organized and contributes to a clear-cutcategorization useful when dealing with hacktivism. Our study uses a richdataset obtained from 32 semi-structured qualitative interviews conductedwithin 23 different networks. By expanding on past research on cybercrim-inal and hacktivist networks, the results show that hacktivists operate atvarying levels of sophistication, favoring small, well-organized teams whereroles and tasks are clearly divided. While there are differences among net-works, our analysis reveals the importance of individual actions within largeroperations: being affiliated with like-minded people, the existence of internalrules, and the importance of hacking skills to determine, if not hierarchies,then who is the most influential. Most of the networks analyzed wereclassified as “peers” or “teams,” although the landscape shows considerableheterogeneity. Compared to other cybercriminal networks, hacktivists seemto have lower level of sophistication, while embracing the hacking subcul-ture that places importance on the role of the individual within the network.
DOCUMENT
Criminologists have frequently debated whether offenders are specialists, in that they consistently perform either one offense or similar offenses, or versatile by performing any crime based on opportunities and situational provocations. Such foundational research has yet to be developed regarding cybercrimes, or offenses enabled by computer technology and the Internet. This study address this issue using a sample of 37 offender networks. The results show variations in the offending behaviors of those involved in cybercrime. Almost half of the offender networks in this sample appeared to be cybercrime specialists, in that they only performed certain forms of cybercrime. The other half performed various types of crimes on and offline. The relative equity in specialization relative to versatility, particularly in both on and offline activities, suggests that there may be limited value in treating cybercriminals as a distinct offender group. Furthermore, this study calls to question what factors influence an offender's pathway into cybercrime, whether as a specialized or versatile offender. The actors involved in cybercrime networks, whether as specialists or generalists, were enmeshed into broader online offender networks who may have helped recognize and act on opportunities to engage in phishing, malware, and other economic offenses.
DOCUMENT
Prior research on network attacks is predominantly technical, yet little is known about behavioral patterns of attackers inside computer systems. This study adopts a criminological perspective to examine these patterns, with a particular focus on data thieves targeting organizational networks. By conducting interviews with cybersecurity experts and applying crime script analysis, we developed a comprehensive script that describes the typical progression of attackers through organizational systems and networks in order to eventually steal data. This script integrates phases identified in previous academic literature and expert-defined phases that resemble phases from industry threat models. However, in contrast to prior cybercrime scripts and industry threat models, we did not only identify sequential phases, but also illustrate the circular nature of network attacks. This finding challenges traditional perceptions of crime as a linear process. In addition, our findings underscore the importance of considering both successful and failed attacks in cybercrime research to develop more effective cybersecurity strategies.
MULTIFILE
Based on the results of two research projects from the Netherlands, this paper explores how street oriented persons adapt and use digital technologies by focusing on the changing commission of instrumental, economically motivated, street crime. Our findings show how social media are used by street offenders to facilitate or improve parts of the crime script of already existing criminal activities but also how street offenders are engaging in criminal activities not typically associated with the street, like phishing and fraud. Taken together, this paper documents how technology has permeated street life and contributed to the ‘hybridization’ of street offending in the Netherlands—i.e. offending that takes place in person and online, often at the same time.
DOCUMENT
In our highly digitalized society, cybercrime has become a common crime. However, because research into cybercriminals is in its infancy, our knowledge about cybercriminals is still limited. One of the main considerations is whether cybercriminals have higher intellectual capabilities than traditional criminals or even the general population. Although criminological studies clearly show that traditional criminals have lower intellectual capabilities, little is known about the relationship between cybercrime and intelligence. The current study adds to the literature by exploring the relationship between CITO-test scores and cybercrime in the Netherlands. The CITO final test is a standardized test for primary school students - usually taken at the age of 11 or 12 - and highly correlated with IQ-scores. Data from Statistics Netherlands were used to compare CITO-test scores of 143 apprehended cybercriminals with those of 143 apprehended traditional criminals and 143 non-criminals, matched on age, sex, and country of birth. Ordinary Least Squares regression analyses were used to compare CITO test scores between cybercriminals, traditional criminals, and non-criminals. Additionally, a discordant sibling design was used to control for unmeasured confounding by family factors. Findings reveal that cybercriminals have significantly higher CITO test scores compared to traditional criminals and significantly lower CITO test scores compared to non-criminals.
DOCUMENT
Previous quantitative studies applying Routine Activity Theory (RAT) to cybercrime victimization produced mixed results. Through semi-structured interviews with cybersecurity experts, the current study aims to qualitatively reevaluate the applicability of RAT to cyber-dependent crime, specifically data theft from organizations. An in-depth assessment of environmental factors appearing to affect data thieves’ actions resulted in concrete operationalizations of theoretical concepts. Importantly, we highlight the distinction between target selection and strategic choices made during the attack. Furthermore, RAT appeared to be as relevant, if not more, for explaining offender actions during an attack as for the initial convergence of offenders and digital targets.
DOCUMENT
