In an industry lacking a shared understanding of or framework for digital assets, we at Terbium Labs appreciate the analytical contributions from the academic and policy communities. In this post, we examine three papers from these communities around stolen data.

While each of the papers approaches a different segment of the dark web and the illicit economies, they all align on one key theme: the dark web’s ease of access lowers the barrier to entry for new players, whether for criminals new to the trade or for those looking to cross over into a digital platform for their existing, albeit shady, enterprises. Once embedded in the underground economy, criminals have access to a host of resources and a wealth of information from the existing community, with toolkits and instruction manuals to develop and scale lucrative enterprises.


In testimony before House Financial Services Committee’s Subcommittee on Terrorism and Illicit Finance in March 2018Lillian Ablon of RAND proposes a series of frameworks for understanding the variables that make up an the underground economy for stolen data. By understanding these variables—people, products, places, and prices in the market—and by identifying the myriad of motivations, skills, resources, and force of will behind each variable, we can begin to form patterns and shared understandings for the manifestations of cybercrime. Not all attacks, actors, platforms, or data types are created equally.

One of Ablon’s frameworks juxtaposes the motivations of the four groups of actors in the illicit economy: cyber terrorists, hacktivists, state-sponsored actors, and cybercriminals. Cybercriminals, as Ablon defines them, are primarily motivated by financial gain. However, their activities manifest, “they care about making money.” While these groups may overlap, we can see delineations in motivations, techniques, targets, and ultimately, the use of stolen data once obtained.

Understanding the structure of people allows us to evaluate how the professionalization of cybercrime has allowed for the segmentation of skills and for specialization. In order to run an operation more effectively, people are performing the functions they have grained professional experience in—platforms are broken into hierarchies to allow for scalable, functional enterprises.

Ablon’s testimony goes on to present the foundation for a shared understanding of the marketplace for data, tools, and services. The sooner we understand this cybercrime system for what it really is (a mashup of a structured economy, and illicit business school, and a scalable criminal operation), the sooner we can begin to collaborate in identifying and disrupting the supply chains of cybercrime.


We cannot contemplate account security and prevention of account takeover until we understand what we are securing—which digital assets and which sensitive data.

It is easy to think of breaches, phishing, and malware as distinct from one another, and as three separate functions in cybercrime. These three vectors are inseparably linked by the exposure of account information. An account exposed in a breach can be used to facilitate another breach, can be used as part of a phishing campaign, and can be manipulated to most effectively deliver a malware payload. We cannot think of security as being cleanly broken down into discrete pieces. Security is an overlapping, intermingled beast, with the consequences of one lapse immediately and irrevocably impacting other pieces of the system.

In Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials, Kurt Thomas, et. al, use exposed or collected account information as a proxy to measure ease of criminal access to digital identities. Using account data as a proxy for identity is an effective metric—account credentials are a gateway to a host of personal information and financial data, along with information about purchasing habits, family members, and other sensitive details. Thomas, et. al., compare the effectiveness of breaches, phishing, and malware at generating access to viable account information.

The authors report that the risk of account takeover depends heavily on how the attackers first come to be in possession of a user’s account credentials, noting “7% of victims in third- party data breaches have their current Google password exposed, compared to 12% of keylogger victims and 25% of phishing victims.”


Finally, in