In an industry lacking a shared understanding of or framework for digital assets, we at Terbium Labs appreciate the analytical contributions from the academic and policy communities. In this post, we examine three papers from these communities around stolen data.

While each of the papers approaches a different segment of the dark web and the illicit economies, they all align on one key theme: the dark web’s ease of access lowers the barrier to entry for new players, whether for criminals new to the trade or for those looking to cross over into a digital platform for their existing, albeit shady, enterprises. Once embedded in the underground economy, criminals have access to a host of resources and a wealth of information from the existing community, with toolkits and instruction manuals to develop and scale lucrative enterprises.


In testimony before House Financial Services Committee’s Subcommittee on Terrorism and Illicit Finance in March 2018Lillian Ablon of RAND proposes a series of frameworks for understanding the variables that make up an the underground economy for stolen data. By understanding these variables—people, products, places, and prices in the market—and by identifying the myriad of motivations, skills, resources, and force of will behind each variable, we can begin to form patterns and shared understandings for the manifestations of cybercrime. Not all attacks, actors, platforms, or data types are created equally.

One of Ablon’s frameworks juxtaposes the motivations of the four groups of actors in the illicit economy: cyber terrorists, hacktivists, state-sponsored actors, and cybercriminals. Cybercriminals, as Ablon defines them, are primarily motivated by financial gain. However, their activities manifest, “they care about making money.” While these groups may overlap, we can see delineations in motivations, techniques, targets, and ultimately, the use of stolen data once obtained.

Understanding the structure of people allows us to evaluate how the professionalization of cybercrime has allowed for the segmentation of skills and for specialization. In order to run an operation more effectively, people are performing the functions they have grained professional experience in—platforms are broken into hierarchies to allow for scalable, functional enterprises.

Ablon’s testimony goes on to present the foundation for a shared understanding of the marketplace for data, tools, and services. The sooner we understand this cybercrime system for what it really is (a mashup of a structured economy, and illicit business school, and a scalable criminal operation), the sooner we can begin to collaborate in identifying and disrupting the supply chains of cybercrime.


We cannot contemplate account security and prevention of account takeover until we understand what we are securing—which digital assets and which sensitive data.

It is easy to think of breaches, phishing, and malware as distinct from one another, and as three separate functions in cybercrime. These three vectors are inseparably linked by the exposure of account information. An account exposed in a breach can be used to facilitate another breach, can be used as part of a phishing campaign, and can be manipulated to most effectively deliver a malware payload. We cannot think of security as being cleanly broken down into discrete pieces. Security is an overlapping, intermingled beast, with the consequences of one lapse immediately and irrevocably impacting other pieces of the system.

In Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials, Kurt Thomas, et. al, use exposed or collected account information as a proxy to measure ease of criminal access to digital identities. Using account data as a proxy for identity is an effective metric—account credentials are a gateway to a host of personal information and financial data, along with information about purchasing habits, family members, and other sensitive details. Thomas, et. al., compare the effectiveness of breaches, phishing, and malware at generating access to viable account information.

The authors report that the risk of account takeover depends heavily on how the attackers first come to be in possession of a user’s account credentials, noting “7% of victims in third- party data breaches have their current Google password exposed, compared to 12% of keylogger victims and 25% of phishing victims.”


Finally, in Platform Criminalism: The ‘Last-Mile’ Geography of the Darknet Market Supply Chain, Martin Dittus, Joss Wright, and Mark Graham investigate the ties between the production, trade, and consumption of illicit drugs as a comparative analysis between dark web drug networks and traditional drug networks. While Terbium Labs does not focus on the activities belying the dark web drug trade, the authors’ analysis provides valuable insight into the ways in which the dark web mirrors, integrates, and disrupts existing criminal infrastructures.

The authors find that, at least for two of the three drugs reviewed, the patterns indicate that the dark web is keeping some of the traditional trade routes intact—what Dittus, Wright, and Graham call “the last mile”—providing yet another example of where the dark web is less disrupting and more augmenting, building and expanding on the criminal structures already in place. The economy for sensitive information—the data fueling payment fraud, identity theft, and account takeover—is operating in parallel, serving, in many cases, as the banking function for these drug networks.


Data is not going to become more secure—cybercriminals will continue to build off of each others’ successes and develop new tactics and techniques based on the same technologies that organizations develop, except cybercriminals are not bound by laws or conventions. They will use existing systems—illicit and legitimate—to mine the resources they need to continue building their enterprises. The stolen data trade is well established, and vendors will continue to supply goods (read: account information and other sensitive data) so long as the market demands.