a16z Podcast - Cybercrime, Incorporated
Episode Date: July 18, 2020
A dive into the sociological, operational, and tactical realities of this murky underworld, Lusthaus and de la Garza discuss who the players are, what they are motivated by, and specialize in, as well as how basic ideas like trust and anonymity function in a world where no one wants to get caught. How do criminal nicknames function as brand? Which countries tend to specialize in what kinds of crime, and why? And most of all, what changes when you begin to think of the business of cybercrime as an industry?
Transcript
Hi and welcome to the A16Z podcast. I'm Hannah. This conversation is all about the business of cybercrime
and is a rerun of one of our popular episodes on security from last year. The episode with Joel de la Garza,
operating partner of information security at A16Z and former CISO at Box, myself and Jonathan Lusthaus,
director of the Human Cybercriminal Project at the University of Oxford, is all about how these cybercrime
organizations function, who is behind them, and what changes when we begin to understand cybercrime
as an industry. For the latest on what's happening in security, as well as tips for securing yourself,
please visit A16Z.com slash security trends. So the idea of the lone troublemaker hacker,
the kind of hobby hacker, political activist, is sort of what we, for a long time,
have culturally thought of as the cyber criminal, right? But that's no longer the case.
It's now really a much larger, highly organized, and profit-driven organization. So can you walk us
through how that actually happened.
The shift from the lone hacker to the highly organized industry
is really one that's taken place over quite a long period of time.
I mean, this is something that actually wasn't criminal to begin with, really.
When it started to become a little bit more of a criminal activity,
that's when we started to see people operating in this kind of lone wolf capacity
and causing trouble, you know, sometimes in small groups, but largely just as individuals.
When we start to see something that's far more structured, organized, and profit-driven,
really begins to occur mostly in the 90s
because this is the period
that we're starting to put things of value online.
So until we have the actual targets there
that make it worth people's time to go after them.
Right, it was a hobby
because there wasn't any actual value to it.
Exactly. See, there wasn't really a reason
to be a profit-driven cybercriminal.
But once we start to see those targets
emerging and that value to be had,
that's when we begin to get the higher levels of sophistication,
the high levels of organization.
And the reason for that, basically,
is once you have that value there,
you need people who can maximize profit
and you need people who begin to specialize
in different areas of the business
who can help each other out
and it suddenly becomes much more profitable
to be part of sometimes a group of people
who have different skill sets
or to be in a marketplace
that people can offer different things of value.
What did that look like in the early days?
Right around 1999, 2000,
there was just a rapid, rapid commercialization of cybercrime.
You could go on to online chat rooms
and just see people's personal information scroll by,
tens of thousands of credit card numbers scrolling by,
and starting to see kind of the formation of the marketplace
and that was really just kind of a pivotal moment
where it became really obvious
that it was no longer the hunt for the wily hacker,
it was becoming big business
and that was scale in sort of information available
in the numbers of players involved
but also in how they were coordinating?
Absolutely right so they would essentially have these
large chat rooms either on IRC
or various other marketplaces that they would build
and they would just coordinate
with each other. And they'd say, for example, that they had 20,000 credit card numbers.
They'd post a few to validate that you could prove that they were actually having those
numbers. And then there would be sort of a negotiation in plain sight for the transfer of this
information. CarderPlanet was the first marketplace where things really started to take off.
And if we're looking for that kind of shift, at least in a symbolic way, that's probably
the case where it happened, because you started to see for the first time the sort of large-scale
trade in, say, stolen credit card data and other products and services. But you also started
to see a drawing together of a community of people and network of fairly sophisticated actors
throughout Eastern Europe and also other parts of the world who had started to bring a real
sort of technical knowledge and ability and a real sophistication to what they were doing in
business terms. And you see a very sort of important drawing on the sort of local technical
talent and the local business brains as well. So what were those sophisticated business
activities that were suddenly being imported into this? Yeah, I mean they're sophisticated in the
sense that they're sophisticated for crime, but actually they're quite similar to
what we see in other types of business. In fact, what we're seeing is the application of
traditional business principles from conventional life. So one, we have the marketplace. This is where
we have many, many different actors trading. And that, even at this point, you can still
have lone wolves involved in some way, trading within a market. But the operational structures
is another interesting aspect of this, which is basically people coming together, not just to
trade, but to actually work together. And in some cases, these groups look a lot like firms,
whether it's a venture capitalist firm,
whether it's people selling various products.
For criminals, actually, and for cybercriminals,
they're also employing a similar structure,
which is to have a team of people.
Some have different skill sets from each other.
There's usually someone with some organizational capability,
and they're going to perform the role of a business
because that's how they can maximize their profits as well
by bringing people together in a kind of unified endeavor.
The way that we were looking at it back then
was that this was essentially a regulatory arbitrage, right?
It was there are these disciplines and practices
that you could apply in places where these activities weren't necessarily illegal.
And so you saw the proliferation of these syndicates in places where law enforcement
wouldn't pursue them and they had the ability to operate freely.
And that was a pretty interesting development in terms of as they became more sort of coalesced
around certain networks and entities that were operating, they actually started to target
each other.
And so you had this process of another layer.
Absolutely.
So they would hack each other's websites.
They would sell exploit code.
There were all sorts of shenanigans that they were doing to each other. Basically, these guys would inform on each other, right?
So they were just as unscrupulous with each other as they were with themselves,
but they built those trust relationships and how they built that network, right?
And I think the really interesting thing from my perspective is that we're going through
a rapid decentralization of everything because of technology and society.
And essentially, this is the quintessential Byzantine generals problem, right?
It's like the how do you trust all these people will act in a coordinated way,
and how do you posit that sort of activity?
And these folks came up with very, you know, interesting ways to work through that problem.
What do those operational structures look like today? How much more complicated are they?
So the complications really come into the criminality involved, which is obviously as much as they want to
operate in a very business-like function, there's still going to be, in some sense, an extra
tax on top of them, which is law enforcement interest. And so this in some ways limits how business-like
they can get. So you really see two kind of approaches. One is online structures, which are usually
limited in size, because even when you develop various mechanisms to try and help
trust each other, there's still going to be a kind of a limit to how far you can probably
get in terms of group size because you ultimately don't really know who you're doing business
with. Because the risk. The risk is high. The risk opens up. Yeah. The bigger the group, the bigger the
group. And then, you know, you don't know if people are going to be running off with money,
running off with code, all sorts of things. You might also have a problem just with getting people
to do their jobs within the firm. Just like within a large firm. Yeah. So you see this with like
malware groups that generally the, you know, eight to 10 is probably going to be the largest
size involved in, you know, kind of malware operation of writing the code and dealing
with the code, because it becomes quite difficult to actually sustain the group structure.
So that's the kind of online element. The offline element is interesting because this allows
some of these firms and businesses to scale up in size. And in some cases, we see people operating
out of physical office space. And they really begin to look like technology companies.
And actually, they are technology companies. They're just criminal ones. And so that's only possible
in jurisdictions where either they're operating in a kind of gray
zone in terms of what the laws are around what they're doing, or they're operating in a gray
zone because there's not such strong enforcement either due to a lack of capacity or because
there's some other thing going on in terms of an arrangement they have of protection or other
things like this. When we start to think about the large organizations, and that's when you can
see potentially thousands of members of a particular marketplace. But in some way, that's not that
different from a mafia, because with mafia group structures, people often think of many, many members.
But in a lot of cases, actually, a number of these people are not formal members of the organization.
They're people doing criminal activity under the protection of the mafia group.
Oh, that's an interesting distinction.
And so the trading marketplaces offer a similar type of structure in terms of a safe place to do business,
somewhere where you have some sense of rules and order.
And so if they find themselves in a place like this, they can scale up and start to become much more entrenched.
But I think over this period of time, we've actually seen an improvement in law enforcement around the world.
And so it's actually this sort of balancing
act between where you sit on this spectrum and how entrenched you want to get, because that's
going to bring greater risk ultimately.
And as these became more professionalized, right, they started to come under the same pressures
that technology companies have today.
So it's how do you find a PHP developer that's really good at writing code, right?
Recruiting.
It takes six months, right?
And you're dealing with these highly specialized super talented folks who, much like in
the valley, they get to a point in an organization and they branch off and do their own thing, right?
So the first big malware that kind of got deployed to steal banking credentials was Zeus.
And then you started to see people spin out of the Zeus program.
And you had this kind of fracturing of that market, right?
So, you know, it's just like the normal technology industry.
It's under the same pressures and it developed in much the same way.
When you talk about this kind of specialization, let's actually break that down.
So do you mean both specialization in terms of roles or like in terms of sectors or both?
What does that specialization look like?
It operates on a very high level in some sense, which there's a type of
geographical specialization that we get different regions in the world producing really different
types of cybercriminals.
Oh, yeah, you had a great table in the book that you kind of had associated with each
country, the different, can you walk us through that?
So basically, if we think about sort of former Soviet Union states, they are very well
known for the more technical aspects of cybercrimes.
So these are primarily the cybercriminals from here are the ones who are responsible for actually
coding the malware for really developing a lot of the products that get sold in the underground.
So that's, in some sense, what they're known for.
And if we look at the opposite end of that spectrum, if we think about the West and places like
the US or the UK, I think what the West is known for is cash out experts.
So these are people who are primarily responsible for converting these sort of virtual gains
into monetary or physical ones.
And we see a kind of natural partnership between the sort of supply end, which is the
sort of technical actors in the East with those who are actually turning this into a meaningful
profit in the West.
And we see a whole range of other activities in between, a whole,
a bunch of different types of fraud.
Everyone's familiar with Nigerian types of fraud
from the emails, which have a very long history.
They branched out into other types of fraud as well,
like business email compromise,
which is sort of one of the ways in which you can impersonate someone
in an organization to try and get an invoice
or something else paid out where it shouldn't be paid to.
And we see Romania is also known for particular types of fraud,
which is particularly online auction fraud,
which is basically selling things that don't exist.
It's a very simple fraud,
but it's actually quite sophisticated on the organizational level.
Is that like the fake house listings that you see?
Oh, sure.
Yeah, yeah.
They started with a kind of original scam type,
but when they see opportunity, they adapt.
And also when, you know, their existing ways of doing business
might find some resistance in terms of the enforcement efforts
or in terms of how companies adapt.
And then pivot.
They look for new.
Exactly.
They pivot.
So one of the things they've done is branching out from what was originally selling cars on eBay.
Then they start to sell other things.
They then move platforms.
And one of the things they do today is rent out apartments that don't exist.
Anything that doesn't exist, that's kind of their business model.
That's their specialization.
This doesn't exist specialization.
For me, one of the really interesting moments was probably sometime in the mid-2000s
when you started to see a lot of postings for work-at-home opportunities,
the sort of like sit at home, do some work, earn $2,000 a week.
In reality, that was those cash-out experts, right?
Like the online version of those flyers on the telephone poles.
They were actually the flyers.
You'd go talk to these folks that had
cashed some hot checks or had moved money in a way that was against the law. And they legitimately
thought they were doing like work at home for a small to medium sized business that was having
inventory management problems or something. Or just even just acting as a go-between, right? They would
set themselves up as an intermediary to get business supplies to this like local office. And lo and
behold, you know, they'd run out like $250,000 worth of bad checks and the FBI would come and visit
them. What's interesting is on the technical end, you actually see quite a similar process, which is
some of the coders and the programmers involved in this know exactly what they're doing,
but others are also just actually responding to advertisements on various forums or other sites.
And what do they think they're doing? Like bug bounties?
It depends. I mean, you could argue in some cases that they should know what they're doing.
But what it basically is, is there might be a particular, you know, programming job that's required.
It might be something that's quite a small part of a broader operation.
And it's not always clear exactly what the end goal is.
So they might be willfully turning a blind eye.
but they also might just be doing some sort of niche thing.
It might not even be part of the kind of criminal aspects,
just part of the sort of broader running of things.
And so we see that same issue at the technical end as well
with these sort of just broader advertisements
to people who might otherwise not know any better.
And, you know, interestingly enough,
there has been more than one malware author that was arrested
and actually it turned out that they were working
for an antivirus or anti-malware company.
It's really common to find people kind of on both sides of that fence.
Oh, I bet.
So if you're saying basically now in a piece,
this looks a lot like legitimate industry in terms of size, but also different businesses
and goods and services and operational structures. What shifts when you start thinking about it that
way? You're getting a better understanding of motivations and you gain a better understanding
of how some of these organizations function. And so I think for those who are thinking about
potential disruption, then that offers some pinch points in terms of the economics of how this
works and you can think about well if this is a business operation what is going to limit the sort
of profits of this business because ultimately I think for me arrests are a very you know important
tool in the fight against cybercrime but there's also limitations in how far arrests can go in
terms of the transnational nature of this in terms of difficulties whether it's to do with
international cooperation whether it relates to corruption there are limitations on how far arrests can
go and this is something you'll hear from people with a law enforcement background as well
So I think once you start thinking about the economics of this and the business aspects of this,
it offers a new kind of suite of alternatives.
And one of the ones that I'm very interested in is actually how can we shift so that we don't
have such a supply of people actually going into the cybercrime business in the first place,
in terms of having a talent pool that's now putting their sort of intelligence and ability to positive things.
And is that just de-incentivizing it in terms of the actual profit?
Or what is the way to do that to funnel that talent stream somewhere else?
The incentives for going into cybercrime are particularly strong in certain parts of the world
because they're simply not that many options.
I think one of the biggest problems in this area is really, if we think about somewhere like
Eastern Europe, particularly the former Soviet bloc.
What we're seeing is a massive pool of very, very talented people who are highly educated,
actually, have an excellent university system.
These are people with degrees in math, science, technology, engineering.
And what's happening is they're coming out and they don't actually have the opportunities
following that, like you do in Silicon Valley, for instance, to have a startup. They don't have
capital. This is a big limitation on what is a very intelligent group of people who just can't make
that transition. So what they look at instead is, instead of creating a legitimate business,
is to create a criminal business, because you don't require the capital to get you going in the
first place. You actually saw a lot of the ringleaders of these groups become, you know,
the pillars of their society earn tremendous amounts of money and get a lot of legitimacy. You know,
there were rumors that several members of the Ukrainian parliament, for example, had profited from
this industry, right? And there were photos. I remember being shown by a Secret Service guy that,
you know, is one of these prominent sort of ringleaders actually meeting Governor Schwarzenegger
when he was doing his tour of Eastern Europe, right? And they got this legitimacy, and they got
into kind of the machinations of government. And there's this melding of sort of criminal enterprise,
the government, and the intelligence apparatus in places like Russia. So they'd be targeting your
home users, you know, the grandmother in Jacksonville, Florida to empty your bank account,
and then they'd pivot and start targeting State Department workers, right? And you'd start to
see commonality in the malware, and then the operational security got a little better, and they'd
start to mix it up a bit. And so I think to some extent, in some of these places, you just have
this industrialization and this complete and total integration with the state, and that's just like
the startup accelerator for them. Well, and what's even really more interesting is in other
countries. So there's the clear integration between organized crime and the state. But, you know,
right around the time that President Obama got after the Chinese for their cyber activities against
the United States on the intelligence side, a lot of those cyber actors kind of stood down and actually
pivoted into cybercrime, right? So you started to see ransomware that typically was compiled in Russian
language or Eastern European language compilers starting to come out with Chinese language compilers, right? And
you had sort of the proliferation of cryptocurrencies and Bitcoin, which made this actually a scalable
business, right? Because you've solved, with a bearer asset like a cryptocurrency, you've
kind of solved the laundering problem. You don't need money mules. You get the cash. And so
you've seen this kind of professionalization of ransomware. So now it's not just sort of the
traditional, here's an email attachment that's going to encrypt all your documents. It's actually
targeted at specific companies. We've seen ransomware targeted at specific individuals, right? They're
going after entire market verticals, right? There's a Chinese group right now that's focused on
ransomware for hospitals because hospitals pay up, right?
Talk about specialization.
Absolutely.
So it goes very much with that sort of like,
what specialization does this group have
and how are they going to scale it across the rest of the world?
I loved this portrait that you opened the book with,
this multimillionaire criminal tech entrepreneur, you called him.
And that description alone was such an eye-opener to me.
Can you describe who this man was
and what that portrait looks like today?
Yes. Roman Seleznev, who is a, well, I guess now you can say
a former Russian cyber criminal.
He's in prison in the U.S.
So he was on holidays in the Maldives with his family, and he was arrested by U.S. law enforcement agents
and then extradited to the U.S.
And so he's a very interesting case because he and his group had made tens of millions of dollars out of credit card fraud.
He's a very, very well-known carder.
And for all intents and purposes, he looks like a businessman.
And, you know, he's gone on holidays with his family.
He's gone to a place that doesn't have an extradition treaty with the U.S.,
but little does he know that an arrangement was worked out that he was being effectively tracked by U.S.
enforcement over this time. They're waiting for an opportunity to pick him up. He's an interesting
case, I think, because his father is actually a member of Russian parliament. I found actually
more than a handful of people who were involved in cybercrime in parts of Eastern Europe
actually had parents who are very influential people, whether they're law enforcement agents,
whether they're political figures. In one case, I found someone who was a famous pop star.
So there's this sort of interesting angles to this whole issue in terms of how you create the space
for these types of people to operate and what gives them the kind of comfort.
to do what they do. Let's go back to demographically who we're talking about here. Who are these
people from the coders who don't maybe know what they're doing all the way up to the multi-millionaire
tech entrepreneur with links, maybe shady links? Is that kind of a classic spectrum there?
So the short answer is there's no profile of a cybercriminal because really due to the high
levels of specialization, we're not talking about one group of people. We're actually talking about
many, many groups of people across the world and across different specialties.
And so as a result of that, we see a lot of different backgrounds coming into this.
So on the technical end, particularly those who are operating in, say, Eastern Europe,
the profile looks very much like someone who's working in the legitimate sector.
So moonlighting on the side.
Or if you look at it this way, they're trying to make a living by the best means that they have.
And sometimes that means doing legitimate white work, so to speak,
and sometimes that means taking on more darker criminal jobs.
And so those people, the profile is, you know, generally these are educated people, many of them have university degrees, some of them are higher level degrees.
They don't have to because obviously we see this profile in the West and elsewhere of people being exceptionally good coders who don't have a university background.
But the profile is quite similar.
The profile of the entrepreneurs, I think, is actually not that different from other people with an entrepreneurial spirit.
These are, again, people who are intelligent, who are educated, and they're very good at organizing.
They're good at management.
That's their skill set.
They probably have some technical knowledge, but they don't necessarily need to be the elite
coder. They can also draw on others around them who are, you know, quite frankly, just
better at coding than they are at managing or organizing. And then you see a whole range
who, you know, can just be anybody who's just looking for a bit of extra money, a bit of work.
Or you can see people being drawn into cash out schemes who come from drug user communities.
I've seen cases of people who are involved in other types of criminality who are then brought
into this. One of the most interesting ones I think I encountered was examples of street gangs in
LA, who basically were traditionally running prostitution operations. But what they would do was from
time to time convert these operations into a cashing out scheme. So they would call the leader of this
the fraud pimp. And the fraud pimp basically would send out the women instead of turning tricks,
would send them out with some credit cards that they'd bought the data online in a marketplace
of one kind or another. They'd then sort of manufacture counterfeit credit cards and then give them to
these women to go and make purchases with these cards. And so you see really just in that cash-out
illustration that there's not really a profile. It could be anyone. There's just a huge, huge
variation in terms of who's involved. At some fundamental level, right, like all cybercrime is local.
So whatever the organization is doing locally, it takes an online flavor to that. Like you see
several gangs in the United States that are doing similar schemes where they take stolen credit cards
and then sign up as Uber drivers and run credit cards through Uber or through Lyft or through
various other sort of sharing economy type services. And it's really just about, you know, the
physical kind of criminal infrastructure in the local, you know, place in which you're operating,
kind of leveraging that online capability. And then as you look out across the world, if you look
at sort of the North Koreans and what they've been doing in terms of the SWIFT transfer thefts
and those sorts of things, that takes on very much its own special flavor, right? It's very much
kind of a regional variance. The fraud-pimp thing and the whole kind of like offline to online evolution,
when you think about this sort of becoming part of now this level of sophistication where we're taking online cybercrime that it's trickling into offline real world as well.
What are some of the other interesting ways that you see that this cyber criminal organized world touching now again sort of the real world in that kind of loop?
Talking about this as a local phenomenon is actually a great way of doing this because it absolutely is fundamental, I think, to understanding how cyber crime works.
Because rather than it being this broad field of cyber crime, which largely exists online
and in this kind of mysterious sort of cyberspace, right?
Actually, what we're seeing more is people from different localities
getting involved and using technology to do what they do.
And so if we go back to the Romania example,
that's a very good case about how important the offline is
and how important the local is.
These people often know each other in person who are behind these scams.
So the scam is happening online.
They're duping victims in the UK, the US, Australia, Germany, wherever it might be.
But the people actually carrying out the scams are based in Romania.
And a lot of these people know each other in person, and they've grown up, in some cases, with each other, or they've come from the same community or the same school or even the same university.
It seems like very old-fashioned, old-world crime syndicate in that way.
Absolutely.
And so what they're doing is really leveraging that offline structure, the trust networks that they already have.
And this actually gives them a strong base to then be able to run the scams online.
Nigeria is another place where many, many of the offenders in Nigeria are known to each other.
They come from sort of close links.
And if we think about the evolution of that type of fraud, this evolved out of actually a letter writing campaign that occurred earlier, where the same type of fraud was attempted just using pen and paper.
And what happens is you have the internet coming along, you have these sort of cyber cafes coming into existence, and this offers a way to really maximize a number of victims that they can reach.
So instead of doing it manually, they now start to do it using these new technologies and still leveraging the existing kind of relationships that they have amongst the people that they know.
Yeah, and I think, you know, to sort of add another example of kind of the what's old is new again, right?
You're seeing instances, and I think there was one recently in Canada where a bunch of armed folks kind of stormed into a cryptocurrency exchange and held everyone at gunpoint and tried to get the private key to steal their Bitcoin.
This is the direction things are heading, right?
It's sort of the blending of these two worlds will become pretty seamless as software eats the world, right?
Like it's going to bleed together.
And so you're going to start to see these things convert.
And I think also criminals actually don't really care about these distinctions.
So they're not thinking, well, I'm a cyber criminal now, or I'm going to stop being a cyber criminal and become a traditional criminal.
They just want to make money. And so they use what's available to them. And if that takes them into a space that we regard as being cyber, then they're cyber criminals. But actually in reality, I think they're just criminals who use technology.
All right. So how does the very nature of a criminal organization, right, which especially on this scale, by definition, requires an enormous amount of coordination. How do you deal with anonymity on a basic level in this context?
Nobody wants to be found out.
Nobody does want to be found out.
And in a way, it's why the book is called Industry of Anonymity,
because ultimately that, to me, is what defines what cybercrime is all about,
which is how do you stay under the radar, how do you stay safe,
which is really what a lot of cybercriminals are interested in.
That's, in some sense, what defines who they are.
How do you do that while also operating businesses
that are increasingly successful, increasingly sophisticated and large, right?
And you get these two sort of competing tensions.
For cyber criminals, their only way they can be identified online is through nicknames that they use.
And actually, this plays a very important role in terms of their reputation,
in terms of the brands that they can build.
So you want to have a nickname that you use for a long period of time
because then people know they can come to you if they want this particular good.
It's fascinating because it really is a nickname as brand.
It's absolutely what it is.
And really, they want good brands.
So they want to hold these brands.
They don't want to throw them away.
They don't want to waste them.
But at the same time, there's a great risk there for
cybercriminals, which is the longer you hold one of these brands, the longer you hold
one of these nicknames, the more you're tied to them.
And this is a problem when you start being investigated by law enforcement.
And this is a problem when maybe you've ripped some people off in the underworld.
So you need consistency of brand in order to run your business, but too much of it and it's a
liability.
It's impossible.
How do you manage, even manage that?
So ultimately, it comes down to different players in the industry approaching this problem
in a different way.
So I've encountered one case, actually, that I talk about in the book, of a particular former cybercriminal who's never changed his nickname online.
He's basically held the same name, the same nickname over the course of his entire cybercriminal career, and he even holds it now that he's left the business for legitimate industry.
How many years?
If not decades, and certainly at least one decade.
Because ultimately, for this person, the reputation associated with that name is just essential to
who they are online. And valuable. And valuable. But on the other extreme, you get certain
cybercriminals who will change their names very regularly. So you might see this particularly
around very high-level Russian-speaking malware coders. So people who are really the top layer
of the industry, obviously I think they're relatively cautious and they're doing this as a strategic
move. But they don't need to deal with that many people in terms of the business that they run.
What they need to do is code really good malware that then can be sold. And so the problem becomes
more for someone who's, say, the vendor of this particular product. So those people on particular
marketplaces, they actually need to hold the brand. They need to hold a nickname for long periods
of time because they're the ones that you know you buy that product from. And so what they're
doing, this particular person who's the vendor, is basically by agreeing to sell this malware,
they're taking on the risk, right? So that's what they're doing by... They're the front man.
They're the front man. So their role, their specialty in the industry, is to eat the risk, right?
But what is the trust role of the brand there when you've got the vendor?
Are you assuming that the trust piece between the front man and the coder is existing offline
or that they understand, you know, that the nickname and the brand is continuous?
So it's complicated.
So sometimes you get the offline online link that there's certain people who know.
And in other cases, you get people who just work together online.
But the key thing is when you're looking at the online space, the value of the brand,
the value of the nickname is that this person has
a lot more to lose if they burn it, because they're losing potentially years of time that
they've spent accruing a good reputation and building a brand. Of course, they can still do that
and some people wait for the kind of big payoff to do that. But that's going to be a strong
signal to people that the longer you've been around for, the stronger the brand. And so you know
what you're in for if you do business with this person. I mean, it's pretty akin to just every
other industry, right? I think it's the same sort of branding exercise that they go through.
Nobody ever gets fired for buying IBM, right? That same kind of inertia applies to the
e-crime world. Oh, that's interesting. So it's sort of like we have bought malware from this
person for X number of years and multiple people have bought malware from this person or this
organization. They will continue to sell quality malware, right? That's generally the
motion that happens. And you have to remember that a lot of these folks, like it is very much
a network, right? There is a lot of connectivity between these people. There's a really dense
connective tissues and they talk rather frequently. And if you look at the systems,
what's even more interesting, a lot of the systems that they grew up building, so the message
boards, the websites and IRC, these chat channels, I mean, they mimic things. It's pretty much,
you know, the first version of Slack, the first version of Twitter, right? So a lot of those same
dynamics apply. The kind of blue checkmark on your Twitter account is the same as some of these
nicknames that these folks buy. And then when they do switch nicknames or they do decide to go
through a rebranding exercise, it's always sort of suggested that this person has a lineage
that came from this sort of organization. How is that suggested? So in the postings that they make
and some of the ads that they'll advertise,
they'll sort of drop hints that they're part of it.
I lived less in the message boards
and more in the actual code.
What we spent a lot of time was looking at the code,
looking at the artifacts and the metadata around the code,
the IP addresses that it was accessing,
and building kind of a profile that way.
And are those signals that other people are picking up on as well?
Oh, absolutely.
In building the brand,
that they're intentionally leaving
as signals of that continuous lineage?
To some extent,
they were. I mean, we were investigating it to try to find out who was doing it and prosecute them.
And that's a little bit different than someone looking to buy malware. But basically, you would
look through the code for artifacts and find these kind of connecting links. You know, attribution
is the hardest part of the whole security ecosystem. Like putting fingers on keyboards, that's what
governments do. In the private industry and private sector and financial services, it was
more about just unwinding the technicalities of it and finding ways to stop it. And that was
generally what we had to go by. Because it's very easy to shift identities online, but code is
something that's relatively immutable. So when we talk about that kind of old world organized crime
versus the new and the ways that some of it is old made new again or just carried over,
are there ways in which it's not just scaling technology? Are there ways in which this sort of
new world of cybercrime and the organizational structures or the way that the entire organization
is working is fundamentally different? The difference is down to who's involved. So I think, you know,
there's a lot of talk about traditional organized crime groups taking over cybercrime. The research I've done,
I don't think that's the case.
I think they're involved in certain ways, particularly on the money side of things.
That's a particular skill set that they have.
And by they, you mean the mafia.
The mafia groups, violent groups, gangs.
The mafia doesn't exist.
There's a lot of public comments about the Russian mafia taking over cybercrime.
And I think what people really mean is Russian cybercriminals are involved in cybercrime
in a big way, and that's true.
But Russian mafia, there's actually like specific groups you can track this to.
They have names.
And if you actually drill down into those groups,
they're not that commonly involved. And I've spoken to certain people with the knowledge
in this space who say, actually, you know, there's some people dipping their toe, but a lot of
cases, this is not their skill set. You're not going to find, you know, Mafia members suddenly
wanting to get heavily involved in hacking because they don't know about hacking, right? What you're
going to find them doing is getting involved in technology in a way that leverages and improves their
sort of existing resources and their existing ability to do the crimes that they do. And so that's
the kind of crossover you're more likely to see.
Sort of the innovator's dilemma applied to crime, right?
They got their incumbency in the rackets that they're running and they're not really
looking to expand.
Cybercrime is very much a green field opportunity, the same way that technology is,
and you do see a lot of the same dynamics at play.
That's really interesting.
Just on a research kind of point of view, how did you find these people?
Well, it took me seven years of field research to do it, and so that's the short answer.
Did you respond to any work from home ads?
What it was was a seven-year
process of networking, of educating myself, and across law enforcement, across the private
sector and former cybercriminals as well, shared a huge amount of knowledge with me. They also
shared contacts. So in academic research, we'd call this snowball sampling, basically that when
you meet some people, they can then offer you introductions to others. But there was still some
sense of, I guess, paranoia, actually, not just amongst the people from criminal backgrounds,
but also those in the security sector are very paranoid. So that had its limits. And even towards
the end of the study, I was still just actually, to be perfectly honest, finding people on
LinkedIn. The amount of information that people put online is frightening. And the final way,
really, that I did this in terms of talking particularly to those from a cybercriminal background
was to begin to look at those who'd actually been arrested and actually became, in some ways,
pen pals with some people who were in prison who, as part of this research, shared really some of
the most valuable information and were very, very helpful as well. So when we talk about this
kind of anonymity and the trends in the space and on the internet overall, how is the
organized structure of cybercrime evolving and changing over time? So in some sense, I think
it's surprising how little it's evolved. So we've seen, obviously the technology is changing
a lot. I think in terms of the responses to those technical threats, you see a lot of change
in that regard as well. But on the human level, actually the changes are not large. It's
quite a slow process. And in fact, we don't see a lot of change because ultimately humans
behave in very similar ways.
And I think it's important to remember
that cybercriminals are humans too.
And so a lot of the things that they do
in terms of how they run the industry,
how they trust each other, how they work together,
how they run a business,
is very, very similar to how other people run businesses
and how they work together
and how they trust each other.
And so ultimately, we often see
a kind of return to things
that have happened in the past
in terms of how they operate, how they organize.
Like if we take the example of these sorts of marketplaces,
we hear a lot now about the darknet.
Actually, marketplaces have been around for decades, these online marketplaces.
And while some of the underlying technology has changed in terms of Tor and other things,
the actual human aspects of this in terms of people trading and the way they trust each other on these platforms
is very much the same as it was 20 years ago, not that much has shifted in terms of how they operate.
I mean, the whole problem with cyber crime for me, like just at a very fundamental level,
is that it's not necessarily a criminality issue.
It's not, you know, there are a lot of issues that it gets attributed to,
and it's just not. It's ultimately, at its core, a secrets management problem, right?
Like, it is about the ease at which you can steal secrets from people and then weaponize those
secrets to commit fraud. If you look at the data for breaches and for security incidents,
93% of all breaches are spear-phishing emails, right? 80% of those are just straight credential
theft. When we were chasing down the Zeus botnets back in the day, it was just painfully obvious
that, like, a strong two-factor authentication would stop, like most of this.
Right? And I think what you're seeing now with the
evolution of this space. As more second-factor authentication happens, banks are getting better about
protecting their sites. We have really great consumer tools now to protect our accounts. You're seeing
this pivot where they're starting to go back more to sending you threatening messages. They're doing
extortion. They're kind of driving a different way. A different kind of crime. Yeah, absolutely, right?
The days of, like, I could grab 15,000 bank accounts, log in to them and then transfer the money out are
kind of coming to an end, hopefully. Right. So I think that's generally the direction these things are
heading. Well, thank you so much for joining us on the A16Z podcast. Thanks very much for having
me. Thank you.