The a16z Show - Cybercrime, Incorporated
Episode Date: July 18, 2020
A dive into the sociological, operational, and tactical realities of this murky underworld. Lusthaus and de la Garza discuss who the players are, what they are motivated by, and what they specialize in, as well as how basic ideas like trust and anonymity function in a world where no one wants to get caught. How do criminal nicknames function as brand? Which countries tend to specialize in what kinds of crime, and why? And most of all, what changes when you begin to think of the business of cybercrime as an industry?
Transcript
Hi and welcome to the A16Z podcast. I'm Hannah. This conversation is all about the business of cybercrime
and is a rerun of one of our popular episodes on security from last year. The episode with Joel de la Garza
operating partner of information security at A16Z and former CISO at Box, myself and Jonathan Lusthaus,
director of the human cybercriminal project at the University of Oxford, is all about how these
cybercrime organizations function, who is behind them, and what changes when we begin to understand
cybercrime as an industry. For the latest on what's happening in security, as well as tips for securing
yourself, please visit A16Z.com slash security trends. So the idea of the lone troublemaker hacker,
the kind of hobby hacker, political activist, is sort of what we, for a long time,
have culturally thought of as the cyber criminal, right? But that's no longer the case. It's now really
a much larger, highly organized and profit-driven organization. So can you walk us through how that
actually happened. The shift from the lone hacker to the highly organized industry is really one that's
taken place over quite a long period of time. I mean, this is something that actually wasn't
criminal to begin with, really. When it started to become a little bit more of a criminal activity,
that's when we started to see people operating in this kind of lone wolf capacity and causing
trouble, you know, sometimes in small groups, but largely just as individuals. When we start to see
something that's far more structured, organized and profit-driven, really begins to occur mostly in the
90s, because this is the period that we're starting to put things of value online.
So until we have the actual targets there that make it worth people's time to go after them.
Right, it was a hobby because there isn't any actual value to it.
Exactly. See, there wasn't really a reason to be a profit-driven cybercriminal.
But once we start to see those targets emerging and that value to be had, that's when we
begin to get the higher levels of sophistication, the high levels of organization.
And the reason for that, basically, is once you have that value there, you need people
who can maximize profit.
And you need people who begin to specialize in different areas of the business who can help each other out.
And it suddenly becomes much more profitable to be part of sometimes a group of people who have different skill sets
or to be in a marketplace that people can offer different things of value.
What did that look like in the early days?
Right around 1999, 2000, there was just a rapid, rapid commercialization of cybercrime.
You could go on to online chat rooms and just see people's personal information scroll by,
tens of thousands of credit card numbers scrolling by
and starting to see kind of the formation of the marketplace
and that was really just kind of a pivotal moment
where it became really obvious
that it was no longer the hunt for the Wily Hacker
it was becoming big business
and that was scale in sort of information available
in the numbers of players involved
but also in how they were coordinating?
Absolutely right so they would essentially have these
large chat rooms either on IRC
or various other marketplaces that they would build
and they would just coordinate with each other
and they'd say, for example,
that they had 20,000 credit card numbers,
they'd post a few to validate
that you could prove that they were actually having those numbers
and then there would be sort of a negotiation
in plain sight for the transfer of this information.
CarderPlanet was the first marketplace
where things really started to take off.
And if we're looking for that kind of shift,
at least in a symbolic way,
that's probably the case where it happened
because you started to see for the first time
this sort of large-scale trade
in, say, stolen credit card data
and other products.
But you also started to see a drawing together of a community of people, a network of fairly
sophisticated actors throughout Eastern Europe and also other parts of the world who had started
to bring a real sort of technical knowledge and ability and a real sophistication to what
they were doing in business terms.
And you see a very sort of important drawing on the sort of local technical talent and the
local business brains as well.
So what were those sophisticated business activities that were suddenly being imported into this?
Yeah, I mean, they're sophisticated in the sense that they're sophisticated for
crime, but actually they're quite similar to what we see in other types of business. In fact,
what we're seeing is the application of traditional business principles from conventional life.
So one, we have the marketplace. This is where, you know, we have many, many different actors
trading. And that, even at this point, you can still have lone wolves involved in some way,
trading within a market. But the operational structures are another interesting aspect of this,
which is basically people coming together not just to trade, but to actually work together.
And in some cases, these groups look a lot like firms, whether it's a venture capitalist firm,
whether it's people selling various products.
For criminals, actually, and for cybercriminals,
they're also employing a similar structure,
which is to have a team of people.
Some have different skill sets from each other.
There's usually someone with some organizational capability,
and they're going to perform the role of a business
because that's how they can maximize their profits as well
by bringing people together in a kind of unified endeavor.
The way that we were looking at it back then
was that this was essentially a regulatory arbitrage, right?
It was there are these disciplines and practices
that you could apply in places,
where these activities weren't necessarily illegal.
And so you saw the proliferation of these syndicates in places where law enforcement wouldn't pursue
them and they had the ability to operate freely.
And that was a pretty interesting development in terms of as they became more sort of coalesced
around certain networks and entities that were operating, they actually started to target
each other.
And so you had this process of another layer.
Absolutely.
So they would hack each other's websites.
They would sell exploit code.
There was all sorts of shenanigans that they were doing to each other.
Basically these guys would inform on each other, right?
So they were just as unscrupulous with each other as they were with themselves,
but they built those trust relationships and how they built that network, right?
And I think the really interesting thing from my perspective
is that we're going through a rapid decentralization of everything
because of technology and society.
And essentially this is the quintessential Byzantine generals problem, right?
It's like the how do you trust all these people will act in a coordinated way
and how do you posit that sort of activity?
And these folks came up with very, you know, interesting ways to work through that problem.
What do those operational structures look like today?
How much more complicated are they?
So the complications really come into the criminality involved,
which is obviously as much as they want to operate in a very business-like function,
there's still going to be, in some sense, an extra tax on top of them,
which is law enforcement interest.
And so this in some ways limits how business-like they can get.
So you really see two kind of approaches.
One is online structures, which are usually limited in size,
because even when you develop various mechanisms to try and help trust each other,
there's still going to be a kind of a limit to how far you can probably get in terms of group size
because you ultimately don't really know who you're doing business with.
Because the risk.
The risk is high.
The bigger the group.
And then, you know, you don't know if people are going to be running off with money,
running off with code, all sorts of things.
You might also have a problem just with getting people to do their jobs within the firm.
Just like within a large firm.
Yeah.
So you see this with like malware groups that generally the, you know,
8 to 10 is probably going to be the largest size involved in, you know,
kind of malware operation of writing the
code and dealing with the code because it becomes quite difficult to actually sustain the group
structure. So that's the kind of online element. The offline element is interesting because this
allows some of these firms and businesses to scale up in size. And in some cases, we see people
operating out of physical office space. And they really begin to look like technology companies.
And actually, they are technology companies. They're just criminal ones. And so that's only possible
in jurisdictions where either they're operating in a kind of gray zone in terms of what the
laws are around what they're doing, or they're operating in a grey zone because there's not
such strong enforcement either due to a lack of capacity or because there's some other thing going on
in terms of an arrangement they have of protection or other things like this. When we start to
think about the large organisations, and that's when you can see potentially thousands of members
of a particular marketplace. But in some way, that's not that different from a mafia, because
mafia group structures, people often think of many, many members, but in a lot of cases, actually
a number of those people are not formal members of the organisation.
They're people doing criminal activity under the protection of the mafia group.
Oh, that's an interesting distinction.
And so the trading marketplaces offer a similar type of structure in terms of a safe place to do business,
somewhere where you have some sense of rules and order.
And so if they find themselves in a place like this, they can scale up and start to become much more entrenched.
But I think over this period of time, we've actually seen an improvement in law enforcement around the world.
And so it's actually this sort of balancing act between where you sit on this spectrum and how entrenched you want to get.
because that's going to bring greater risk ultimately.
And as these became more professionalized, right,
they started to come under the same pressures
that technology companies have today.
So it's how do you find a PHP developer
that's really good at writing code, right?
Recruiting.
It takes six months, right?
And you're dealing with these highly specialized
super talented folks who,
much like in the Valley,
they get to a point in an organization
and they branch off and do their own thing, right?
So the first big malware
that kind of got deployed
to steal banking credentials was Zeus.
And then you started to see people,
People spin out of the Zeus program.
And you had this kind of fracturing of that market, right?
So, you know, it's just like the normal technology industry.
It's under the same pressures, and it developed in much the same way.
When you talk about this kind of specialization, let's actually break that down.
So do you mean both specialization in terms of roles or like in terms of sectors or both?
What does that specialization look like?
It operates on a very high level in some sense, which there's a type of geographical specialization
that we get different regions in the world producing really different types of cybercriminals.
Oh yeah, you had a great table in the book that you kind of had associated with each country, the different...
Right.
Can you walk us through that?
So basically, if we think about sort of former Soviet Union states, they're very well known for the more technical aspects of cybercrimes.
So these are primarily the cyber criminals from here are the ones who are responsible for actually coding the malware,
for really developing a lot of the products that get sold in the underground.
So that's, in some sense, what they're known for.
And if we look at the opposite end of that spectrum, if we think about the West,
and places like the US or the UK,
I think what the West is known for is cash out experts.
So these are people who are primarily responsible for converting these sort of virtual gains
into monetary or physical ones.
And we see a kind of natural partnership between the sort of supply end,
which is the sort of technical actors in the East,
with those who are actually turning this into a meaningful profit in the West.
And we see a whole range of other activities in between,
a whole bunch of different types of fraud.
Everyone's familiar with Nigerian types of fraud from the emails, which
have a very long history. They've branched out into other types of fraud as well, like business
email compromise, which is sort of one of the ways in which you can impersonate someone in an
organization to try and get an invoice or something else paid out where it shouldn't be paid to.
And we see Romania is also known for particular types of fraud, which is particularly online
auction fraud, which is basically selling things that don't exist. It's a very simple fraud,
but it's actually quite sophisticated on the organizational level.
Is that like the fake house listings that you see? Oh, sure. Yeah, yeah. They started with a kind of
original scam type, but when they see opportunity, they adapt. And also when, you know, their existing
ways of doing business might find some resistance in terms of the enforcement efforts or in terms
of how companies adapt. They look for new. Exactly. They pivot. So one of the things they've done is
branching out from what was originally selling cars on eBay. Then they start to sell other things.
They then move platforms. And one of the things they do today is rent out apartments that don't
exist. Anything that doesn't exist, that's kind of their business model. That's their specialization.
The "this doesn't exist" specialization.
For me, one of the really interesting moments was probably sometime in the mid-2000s
when you started to see a lot of postings for work-at-home opportunities,
the sort of like, you know, sit at home, do some work, earn $2,000 a week.
In reality, that was those cash-out experts, right?
Like the online version of those flyers on the telephone poles.
They were actually the flyers.
You'd go talk to these folks that had cashed some hot checks
or had moved money in a way that was against the law,
and they legitimately thought they were doing like work at home for a small to medium-sized business
that was having inventory managers.
Or just even just acting as a go-between, right?
They would set themselves up as an intermediary to get business supplies to this like local office.
And lo and behold, you know, they'd run out like $250,000 worth of bad checks and the FBI would come and visit them.
What's interesting is on the technical end, you actually see quite a similar process,
which is some of the coders and the programmers involved in this know exactly what they're doing.
but others are also just actually responding to advertisements on various forums or other sites.
And what do they think they're doing? Like bug bounties?
It depends. I mean, you could argue in some cases that they should know what they're doing.
But what it basically is, is there might be a particular programming job that's required.
It might be something that's quite a small part of a broader operation.
And it's not always clear exactly what the end goal is.
So they might be willfully turning a blind eye.
But they also might just be doing some sort of niche thing.
It might not even be part of the kind of criminal aspects, just part
of the sort of broader running of things. And so we see that same issue at the technical end as well
with these sort of just broad advertisements to people who might otherwise not know any better.
And, you know, interestingly enough, there has been more than one malware author that was arrested
and actually it turned out that they were working for an antivirus or anti-malware company.
It's really common to find people kind of on both sides of that fence.
Oh, I bet. So if you're saying basically now in appearance, this looks a lot like legitimate
industry in terms of size, but also different businesses
and goods and services and operational structures.
What shifts when you start thinking about it that way?
You're getting a better understanding of motivations,
and you gain a better understanding of how some of these organizations function.
And so I think for those who are thinking about potential disruption,
then that offers some pinch points in terms of the economics of how this works,
and you can think about, well, if this is a business operation,
what is going to limit the sort of profits of this business?
Because ultimately, I think for me, arrests are a very important tool in the fight against cybercrime.
But there's also limitations in how far arrests can go in terms of the transnational nature of this, in terms of difficulties, whether it's to do with international cooperation, whether it relates to corruption.
There are limitations on how far arrests can go.
And this is something you'll hear from people with a law enforcement background as well.
So I think once you start thinking about the economics of this and the business aspects of this, it offers a new kind of suite of alternatives.
And one of the ones that I'm very interested in is actually how can we shift so that we don't have such a supply of people actually going into the cyber crime business in the first place in terms of having a talent pool that's now putting their sort of intelligence and ability to positive things.
And is that just de-incentivising it in terms of the actual profit?
Or what is the way to do that to funnel that talent stream somewhere else?
The incentives for going into cybercrime are particularly strong in certain parts of the world because they're simply not that many options.
I think one of the biggest problems in this area is really if we think about somewhere like Eastern Europe, particularly the former Soviet bloc.
What we're seeing is a massive pool of very, very talented people who are highly educated, actually, have an excellent university system.
These are people with degrees in math, science, technology, engineering.
And what's happening is they're coming out and they don't actually have the opportunities following that, like you do in Silicon Valley, for instance, to have a startup.
They don't have capital.
This is a big limitation on what is a very intelligent group of people
who just can't make that transition.
So what they look at instead is, instead of creating a legitimate business,
is to create a criminal business
because you don't require the capital to get you going in the first place.
You actually saw a lot of the ringleaders of these groups become,
you know, the pillars of their society
earn tremendous amounts of money and get a lot of legitimacy.
You know, there were rumors that several members of the Ukrainian parliament,
for example, had profited from this industry, right?
And there were photos, I remember being shown by a Secret Service guy
that, you know, of one of these prominent sort of ringleaders actually meeting Governor Schwarzenegger
when he was doing his tour of Eastern Europe, right?
Amazing.
And they got this legitimacy, and they got into kind of the machinations of government.
And there's this melding of sort of criminal enterprise, the government, and the intelligence apparatus
in places like Russia. So they'd be targeting your home users, you know, the grandmother in Jacksonville,
Florida to empty your bank account. And then they'd pivot and start targeting state department workers,
right? And you'd start to see commonality in the malware, and then the online
operational security got a little better and they'd start to mix it up a bit. And so I think to some
extent in some of these places, you just have this industrialization and this complete and total integration
with the state. And that's just like the sort of accelerator for them. Well, and what's even
really more interesting is in other countries. So there's the clear integration between organized
crime and the state. But, you know, right around the time that President Obama got after the Chinese
for their cyber activities against the United States on the intelligence side, a lot of those cyber actors kind of
stood down and actually pivoted into cybercrime, right? So you started to see ransomware that
typically was compiled in Russian language or Eastern European language compilers starting to come out
with Chinese language compilers, right? And you had sort of the proliferation of cryptocurrencies
and Bitcoin, which made this actually a scalable business, right? Because you've solved,
with a bearer asset like a cryptocurrency, you've kind of solved the laundering problem. You don't
need money mules. You get the cash. And so you've seen this kind of professionalization of
ransomware. So now it's not just sort of the traditional, here's an email attachment that's
going to encrypt all your documents. It's actually targeted at specific companies. We've seen
ransomware targeted at specific individuals, right? They're going after entire market verticals,
right? There's a Chinese group right now that's focused on ransomware for hospitals because hospitals
pay up, right? Talk about specialization. Absolutely. So it goes very much with that sort of like,
what specialization does this group have and how are they going to scale it across the rest of the world?
I loved this portrait that you opened the book with, this multi-millionaire criminal tech entrepreneur, you called him.
And that description alone was such an eye-opener to me.
Can you describe who this man was and what that portrait looks like today?
Yes, Roman Seleznev, who is a, well, I guess now you can say a former Russian cybercriminal.
He's in prison in the U.S.
So he was on holidays in the Maldives with his family, and he was arrested by U.S. law enforcement agents and then extradited to the U.S.
And so he's a very interesting case because he and his group had made tens of millions of dollars out of credit card fraud.
He's a very, very well-known carder.
And for all intents and purposes, he looks like a businessman.
And, you know, he's gone on holidays with his family.
He's gone to a place that doesn't have an extradition treaty with the US.
But little does he know that an arrangement was worked out that he was being effectively tracked by US law enforcement over this time.
They're waiting for an opportunity to pick him up.
He's an interesting case, I think, because his father is actually a member of Russian parliament.
I found actually more than a handful of people who were involved in cybercrime and parts of Eastern Europe
actually had parents who are very influential people, whether they're law enforcement agents,
whether they're political figures.
In one case, I found someone who was a famous pop star.
So there's this sort of interesting angles to this whole issue in terms of how you create the space for these types of people to operate
and what gives them the kind of confidence to do what they do.
Let's go back to demographically who we're talking about here.
Who are these people from the coders who don't maybe know what they're doing all the way up to the multi-millionaire tech entrepreneur with links, maybe shady links?
Is that kind of a classic spectrum there?
So the short answer is there's no profile of a cybercriminal because really due to the high levels of specialization, we're not talking about one group of people.
We're actually talking about many, many groups of people across the world and across different specialties.
And so as a result of that, we see a lot of different backgrounds coming into this.
So on the technical end, particularly those who are operating in, say, Eastern Europe,
the profile looks very much like someone who's working in the legitimate sector.
So moonlighting on the side.
Or if you look at it this way, they're trying to make a living by the best means that they have.
And sometimes that means doing legitimate white work, so to speak,
and sometimes that means taking on more darker criminal jobs.
And so those people, the profile is, you know, generally these are educated people.
Many of them have university degrees.
Some of them are higher level degrees. They don't have to because obviously we see this profile
in the West and elsewhere of people being exceptionally good coders who don't have a university
background. But the profile is quite similar. The profile of the entrepreneurs, I think, is actually
not that different from other people with an entrepreneurial spirit. These are, again,
people who are intelligent, who are educated, and they're very good at organizing. They're good
at management. That's their skill set. They probably have some technical knowledge, but they don't necessarily
need to be the elite coder. They can also draw on others around them who are, you know, quite
frankly just better at coding than they are at managing or organizing. And then you see a whole
range who can just be anybody who's just looking for a bit of extra money, a bit of work. Or you can
see people being drawn into cash out schemes who come from drug user communities. I've seen cases
of people who are involved in other types of criminality who are then brought into this. One of the
most interesting ones I think I encountered was examples of street gangs in LA who basically were
traditionally running prostitution operations.
But what they would do was from time to time
convert these operations into a cashing out scheme.
So they would call the leader of this the fraud pimp.
And the fraud pimp basically would send out the women
instead of turning tricks,
would send them out with some credit cards
that they'd bought the data online
in a marketplace of one kind or another.
They'd then sort of manufacture counterfeit credit cards
and then given it to these women to go
and make purchases with these cards.
And so you see really just in that
cash-out illustration that there's not really a profile. It could be anyone. There's just a huge,
huge variation in terms of who's involved. At some fundamental level, right, like all cybercrime is
local. So whatever the organization is doing locally, it takes an online flavor to that. Like, you see
several gangs in the United States that are doing similar schemes where they take stolen credit
cards and then sign up as Uber drivers and run credit cards through Uber or through Lyft or through
various other sort of sharing economy type services. And it's really just about, you know, the physical
kind of criminal infrastructure in the local place in which you're operating, kind of leveraging
that online capability. And then as you look out across the world, if you look at sort of the North
Koreans and what they've been doing in terms of the SWIFT transfer thefts and those sorts of
things, that takes on very much its own special flavor, right? It's very much kind of a regional
variance. The fraud-pimp thing and the whole kind of like offline to online evolution, when you
think about this sort of becoming part of now this level of sophistication where we're taking online
cyber crime that it's trickling into offline real world as well. What are some of the other
interesting ways that you see that this cybercriminal organized world touching now again sort of
the real world in that kind of loop? Talking about this as a local phenomenon is actually a great way
of doing this because it absolutely is fundamental, I think, to understanding how cybercrime
works. Because rather than it being this broad field of cybercrime, which largely exists online
in this kind of mysterious sort of cyberspace, right? Actually, what we're seeing more is,
people from different localities getting involved and using technology to do what they do.
And so if we go back to the Romania example, that's a very good case about how important the offline
is and how important the local is. These people often know each other in person who are behind
these scams. So the scam is happening online. They're duping victims in the UK, the US, Australia,
Germany, wherever it might be. But the people actually carrying out the scams are based in Romania.
And a lot of these people know each other in person. And they've grown up in some cases with each other
or they've come from the same community or the same school
or even the same university.
It seems like very old-fashioned, old-world crime syndicate in that way.
Absolutely.
And so what they're doing is really leveraging that offline structure,
the trust networks that they already have.
And this actually gives them a strong base
to then be able to run the scams online.
Nigeria is another place where many, many of the offenders in Nigeria
are known to each other.
They come from sort of close links.
And if we think about the evolution of that type of fraud,
this evolved out of actually a letter-writing campaign
that occurred earlier, where the same type of fraud was attempted just using pen and paper.
And what happens is you have the internet coming along, you have these sort of cyber cafes
coming into existence, and this offers a way to really maximize a number of victims that they can reach.
So instead of doing it manually, they now start to do it using these new technologies and still
leveraging the existing kind of relationships that they have amongst the people that they know.
Yeah, and I think, you know, to sort of add another example of kind of the what's old is new again, right?
You're seeing instances, and I think there was one recently in Canada where a bunch of armed folks kind of stormed into a cryptocurrency exchange and held everyone at gunpoint and tried to get the private key to steal their Bitcoin.
This is the direction things are heading, right?
It's sort of the blending of these two worlds will become pretty seamless as software eats the world, right?
Like it's going to bleed together.
And so you're going to start to see these things convert.
And I think also criminals actually don't really care about these distinctions.
So they're not thinking, well, I'm a cyber criminal now or I'm going to stop being a cyber criminal.
and become a traditional criminal.
They just want to make money.
And so they use what's available to them.
And if that takes them into a space
that we regard as being cyber,
then they're cyber criminals.
But actually, in reality,
I think they're just criminals who use technology.
All right.
So how does the very nature of a criminal organization, right,
which especially on this scale, by definition,
requires an enormous amount of coordination,
how do you deal with anonymity on a basic level in this context?
Yeah.
Nobody wants to be found out, right?
Nobody does want to be found out.
And in a way,
that's why the book is called Industry of Anonymity, because ultimately that, to me, is what
defines what cybercrime is all about, which is how do you stay under the radar, how do you
stay safe, which is really what a lot of cyber criminals are interested in.
That's, in some sense, what defines who they are.
How do you do that while also operating businesses that are increasingly successful,
increasingly sophisticated and large, right?
And you get these two sort of competing tensions.
For cybercriminals, the only way they can be identified online is through nicknames that they
use.
This plays a very important role in terms of their reputation, in terms of the brands that they can build.
So you want to have a nickname that you use for a long period of time because then people know they can come to you if they want this particular good.
It's fascinating because it really is a nickname as brand.
It's absolutely what it is. And really they want good brands. So they want to hold these brands. They don't want to throw them away. They don't want to waste them.
But at the same time, there's a great risk there for cyber criminals, which is the longer you hold one of these brands, the longer you hold one of these nicknames, the more you're tied to them.
And this is a problem when you start being investigated by law enforcement.
And this is a problem when maybe you've ripped some people off in the underworld.
So you need consistency of brand in order to run your business, but too much of it and it's a liability.
Yeah, how do you manage, even manage that?
So ultimately it's down to different players in the industry approach this problem in a different way.
So I've encountered one case, actually, that I've talked about in the book, of a particular former cybercriminal who's never changed his nickname
online. He's basically held the same name, the same nickname over the course of his entire
cybercriminal career, and he even holds it now that he's left the business for legitimate
industry. How many years? If not decades, and certainly at least one decade. Because ultimately,
for this person, the reputation associated with that name is just essential to who they are and
who they are online. And valuable. And valuable. But on the other extreme, you get certain cyber
criminals who will change their names very regularly. So you might see this particularly around very
high-level Russian-speaking malware coders. So people who are really the top layer of the industry,
obviously I think they're relatively cautious and they're doing this as a strategic move. But they
don't need to deal with that many people in terms of the business that they run. What they need to do
is code really good malware that then can be sold. And so the problem becomes more for
someone who's, say, the vendor of this particular product. So those people on particular marketplaces,
actually need to hold the brand. They need to hold a nickname for long periods of time because they're
the ones that you know you buy that product from. And so what they're doing, this particular
person who's the vendor, is basically by agreeing to sell this malware, they're taking on the
risk, right? So that's what they're doing by... They're the front man. They're the front man. So
their role, their specialty in the industry, is to eat the risk, right? But what is the trust role
of the brand there? When you've got the vendor, are you assuming that the trust piece between
the front man and the coder is existing offline or that they understand, you know, that the
nickname and the brand is continuous?
So it's complicated.
So sometimes you get the offline online link that there's certain people who know.
And in other cases, you get people who just work together online.
But the key thing is when you're looking at the online space, the value of the brand,
the value of the nickname is this person has a lot more to lose if they burn it, because they're losing
potentially years of time that they've spent accruing a good reputation and building a brand.
Of course, they can still do that, and some people wait for the kind of big payoff to do that.
But that's going to be a strong signal to people, that the longer you've been around for,
the stronger the brand, and so you know what you're in for if you do business with this person.
I mean, it's pretty akin to just every other industry, right?
I think it's the same sort of branding exercise that they go through.
Nobody ever gets fired for buying IBM, right?
That same kind of inertia applies to the e-crime world.
Oh, that's interesting.
So it's sort of like we have bought malware from this person for X number of years,
and multiple people have bought malware from this person or this organization,
they will continue to sell quality malware, right?
That's generally the motion that happens.
And you have to remember that a lot of these folks, like it is very much a network, right?
There is a lot of connectivity between these people.
There's a really dense connective tissues, and they talk rather frequently.
And if you look at the systems, what's even more interesting,
a lot of the systems that they grew up building,
so the messenger boards, the websites, and IRC, these chat channels,
I mean, they mimic things.
It's pretty much, you know, the first version of,
Slack, the first version of Twitter, right? So a lot of those same dynamics apply. The kind of
blue checkmark on your Twitter account is the same as some of these nicknames that these folks
buy. And then when they do switch nicknames or they do decide to go through a rebranding
exercise, it's always sort of suggested that this person has a lineage that came from this
sort of organization. How is that suggested? So in the postings that they make and some of the
ads that they'll advertise, they'll sort of drop hints that they're part of it. I lived less
in the message boards and more in the actual code. And so what we spent a lot of time
was looking at the code, looking at the artifacts and the metadata around the code, the IP addresses
that it was accessing, and building kind of a profile that way. And are those signals that other
people are picking up on as well? Oh, absolutely. Yeah. In building the brand that the sort of like,
that they're intentionally leaving as signals of that continuous lineage. To some extent they were.
I mean, we were investigating it to try to find out who was doing it and prosecute them. And that's a
little bit different than someone looking to buy malware. But basically, you would look through the code for
artifacts and find these kind of connecting links. You know, attribution is the hardest part of the
whole security ecosystem, like putting fingers on keyboards, that's what governments do. In the private
industry and private sector and financial services, it was more about just unwinding the technicalities
of it and finding ways to stop it. And that was generally what we had to go by because it's very
easy to shift identities online, but code is something that's relatively immutable. So when we talk about
that kind of old world organized crime versus the new and the ways that some of it is old made new again
are just carried over.
Are there ways in which it's not just scaling technology?
Are there ways in which this sort of new world of cybercrime
and the organizational structures
or the way that the entire organization is working
is fundamentally different?
The difference is down to who's involved.
So I think there's a lot of talk about traditional organized crime groups
taking over cyber crime.
The research I've done, I don't think that's the case.
I think they're involved in certain ways,
particularly on the money side of things.
That's a particular skill set that they have.
And by they, you mean the mafia groups.
Violent groups, gangs.
The mafia doesn't exist.
It's just a rumor.
There's a lot of public comments
about the Russian mafia taking over cybercrime.
And I think what people really mean is
Russian cyber criminals are involved in cybercrime
in a big way, and that's true.
But Russian mafia, there's actually like specific groups
you can track this to. They have names.
And if you actually drill down into those groups,
they're not that commonly involved.
And I've spoken to certain people
with a knowledge in this space who say,
actually, you know, there's some people
dipping their toe.
But a lot of cases,
this is not their skill set. You're not going to find
Mafia members suddenly wanting to get
heavily involved in hacking because they don't
know about hacking, right? What you're going to
find them doing is getting involved in technology
in a way that leverages and improves
their existing resources and their existing ability to do
the crimes that they do. And so that's the kind
of crossover you're more likely to see.
Sort of the innovator's dilemma applied to crime,
right? They got their incumbency in the rackets
that they're running and they're not really looking to expand.
Cybercrime is very much a greenfield
opportunity, the same way that technology
is and you do see a lot of the same dynamics at play.
That's really interesting.
Just on a research kind of point of view, how did you find these people?
Well, it took me seven years of field research to do it, and so that's the short answer.
Did you respond to any work from home ads?
What it was was a seven-year process of networking, of educating myself, and across law
enforcement, across the private sector, and former cybercriminals as well, shared a huge
amount of knowledge with me. They also shared contacts. So in academic research, we'd call
this snowball sampling, basically that when you meet some people, they can then offer you
introductions to others. But there was still some sense of, I guess, paranoia, actually,
not just amongst the people from criminal backgrounds, but also those in the security sector are very
paranoid. So that had its limits. And even towards the end of the study, I was still just actually,
to be perfectly honest, finding people on LinkedIn. The amount of information that people put
online is frightening. And the final way, really, that I did this in terms of talking particularly to
those from a cybercriminal background was to begin to look at those who'd actually been arrested
and actually became in some ways pen pals with some people who were in prison who, as part of this
research, shared really some of the most valuable information and were very, very helpful as well.
So when we talk about this kind of anonymity and the trends in the space and on the internet
overall, how is the organized structure of cybercrime evolving and changing over time?
So in some sense, I think it's surprising how little it's evolved.
So we've seen, obviously the technology is changing a lot.
I think in terms of the responses to those technical threats,
you see a lot of change in that regard as well.
But on the human level, actually, the changes are not large.
It's quite a slow process.
And in fact, we don't see a lot of change because ultimately humans behave in very similar
ways.
And I think it's important to remember that cybercriminals are humans too.
And so a lot of the things that they do in terms of,
how they run the industry, how they trust each other, how they work together, how they run a business,
is very, very similar to how other people run businesses and how they work together and how they trust
each other. And so ultimately, we often see a kind of return to things that have happened in the
past in terms of how they operate, how they organize. Like if we take the example of these sorts
of marketplaces, we hear a lot now about darknet. Actually, marketplaces have been around for decades,
these online marketplaces. And while some of the underlying technology has changed in terms of
Tor and other things, the actual human aspects of this in terms of people trading and the way
they trust each other on these platforms is very much the same as it was 20 years ago, not that
much has shifted in terms of how they operate. I mean, the whole problem with cybercrime for me,
like just at a very fundamental level, is that it's not necessarily a criminality issue. It's not,
you know, there are a lot of issues that it gets attributed to, and it's just not, it's ultimately
at its core a secrets management problem, right? Like, it is about the ease at which you can steal secrets
from people and then weaponize those secrets to commit fraud. If you look at the data for breaches
and for security incidents, 93% of all breaches are spear-phishing emails, right? 80% of those are just
straight credential theft. When we were chasing down the Zeus botnets back in the day, it was
just painfully obvious that like a strong two-factor authentication would stop like most of this.
And I think what you're seeing now with the evolution of this space, as more second-factor
authentication happens, banks are getting better about protecting their sites. We have really
great consumer tools now to protect our accounts, you're seeing this pivot where they're starting
to go back more to sending you threatening messages, they're doing extortion, they're kind of driving
a different way. A different kind of crime. Yeah, absolutely, right? The days of like I could grab
15,000 bank accounts, log in to them and then transfer the money out are kind of coming to an end,
hopefully. Right. So I think that's generally the direction these things are heading. Well, thank you so much
for joining us on the A16Z podcast. Thanks very much for having me. Thank you.
