Spotlight 19 October 2018

Cyber criminals are not who you think they are

Exploring a dangerous and evolving trade.

At the turn of the millennium, a group of Russian-speaking cyber criminals founded a website called CarderPlanet. This forum became a key online marketplace in the global trade of stolen credit card data, along with other illicit goods and services. One could view it as a criminal eBay of sorts, which significantly predated the much-hyped “Darknet” forums that dominate today’s media coverage. Led by a mercurial figure known by the handle “Script”, it succeeded in establishing a model for how cyber criminal trade could be professionalised. Users could publish product reviews. Arbitration was provided for the site’s vendors and customers who came into dispute. Meanwhile, other members could choose to trade more safely through an escrow service.

An interesting feature of the site was that the forum officers adopted existing mafia ranks such as Capo (short for the Italian Caporegime, which means Captain). The network appeared to be appropriating the mystique of both traditional organised crime groups and their popular depictions in films and TV. This self-ascribed association perhaps contributed to a number of commentators and security professionals conflating cyber crime and organised crime. And, in some sense, it has now become a mainstream position. For instance, one expert quote in a CNN article stated: “The Russian mafia are the most prolific cyber criminals in the world.”

But how much empirical evidence actually supports the view that organised crime is taking over cyber crime? I carried out a seven-year study into the organisation of cyber crime. The findings suggest that cyber criminals aren’t necessarily who we think they are. And, with regard to the example above, they may not even be who they think they are.
As part of this study, I conducted 238 interviews with law enforcement, the private sector and former cyber criminals – across some 20 countries, including fieldwork in purported cyber crime “hotspots” such as Russia, Ukraine, Romania, Nigeria, Brazil, China and the United States. While I was open to the possibility of heavy mafia and organised crime involvement in cyber crime, I was surprised by how few cases of this I encountered. There are certainly instances where there is such a crossover. But there are many others where cyber criminals operate on their own.

One Eastern European former cyber criminal I interviewed, called Andrey (all names have been replaced with pseudonyms), suggested: “All the relations between traditional mafia and gangs are eventual and personal, so there are no more connections than in any other industry or enterprise. Some individuals do, and if they do, they use it. Others don’t.” He went on to explain that, “of course, regular criminals show interest in certain aspects of cyber crime, but they show interest in many other things. More advanced carders and hackers, however, usually show strong disgust to ‘traditional’ criminals and usually join whatever cause there might be on a temporary basis. In turn, ‘traditional’ criminals often regard cyber criminals as ‘milk cows’ and nerds.”

Another former cyber criminal in the region, Ivan, stated that he had never encountered a direct connection between cyber criminals and traditional organised crime groups. In South America, Thiago said that he and his collaborators never engaged with organised criminals, and actively avoided them.

Of the cases of organised crime involvement I did encounter, there appeared to be four key roles that serious criminals can play in cyber crime: protector; investor; service provider; guiding hand. These are largely tied to their existing skill sets and resources. In terms of protection, one of the few cases can be found in Brian Krebs’ book Spam Nation.
Krebs recounts an episode of violent behaviour between cyber crime competitors. In it, a Belarusian cyber criminal called Alexander Rubatsky formed an alliance with a group of heavies associated with “The Village” organised crime group in Minsk. In one instance, these men posed as local police and then kidnapped Rubatsky’s main rival, holding him for ransom.

Yet such examples proved rare in my research. One of the surprising findings from the data was that it is not common for mafias and organised crime groups to provide protection for cyber criminals. Instead, it seems that law enforcement agents and political figures are more frequently providing this service. After all, bent politicians and police are in a much better position to shield cyber criminals from arrest.

The evidence suggests that in lieu of trying to control, or govern, the entire world of cyber crime – as they have done with various illicit industries in the past – organised crime groups are more likely to play a smaller role within it. The more common way they choose to involve themselves is either as a service provider or guiding hand in various enterprises. For example, the money side of cyber crime is a plausible point of entry for organised crime involvement. One interesting example I encountered was a Los Angeles street gang converting prostitution operations into cyber fraud schemes. “Fraud pimps” send women out to make purchases with counterfeit credit cards, rather than to turn tricks.

While such evidence shows involvement in cyber crime, we should seriously call into question the popular perception of cyber crime as predominantly run by violent, organised criminals. And that is not the only problematic stereotype we need to contend with. At the other end of the spectrum is the ingrained view that cyber crime is driven by nerdy and socially awkward hackers – the archetypal hooded teen in his parents’ basement.
Returning to the example of CarderPlanet, these cyber criminals were clearly organised and sophisticated. While few of the leaders had past lives as mafia members or serious histories of violent crime, neither were they isolated geeks without social skills or any management ability. They were the pioneers of the multi-million dollar “carding” industry and adopted commercial principles that we might expect to find in corporations across the world. They even organised a number of offline gatherings, including at least two business conventions held in Odessa, Ukraine, in 2001 and 2002.

That was then. The cyber crime industry and its professionalisation have only grown since then. As US law enforcement agent Terry summed up the threat: “They are businessmen.”

Jonathan Lusthaus is author of Industry of Anonymity: Inside the Business of Cybercrime, published next month by Harvard University Press.