Book Review: Into the Web of Profit

Next: The Terbium Take: Synthesizing Academia's Insights on Stolen...
Previous: Risk, Cyber Crime and Strategic Security: Highlights from...
Writer Emma Z.
July 18, 2018

Emma serves as the Director of Analysis at Terbium Labs, working on evaluating and contextualizing threats to customer data. She spends a lot of time reading forum drama on the dark web, writing regular expressions, and drinking LaCroix on the train between DC and Baltimore.

The popular image of a cybercriminal remains a highly trained computer genius (probably wearing a ski mask, for some reason) sitting in front of a keyboard and “hacking into the mainframe.” This kind of imagery implies that these actors steal because they are “bad guys” and establishes the hacker as a individual with savant skills and an isolated target. These images are evocative—they are also inaccurate.

Dr. Michael McGuire’s recent book, “Into the Web of Profit: Understanding the Growth of the Cybercrime Economy,” approaches the issue of cybercrime from a new and sorely needed perspective. While awareness of cybercrime as a nebulous concept is at an all-time high—hardly a week goes by without news of a new data breach or compromised website—awareness of how and why cybercrime actually happens is relatively low. The sheer number of data breaches shows that we still need to discuss prevention, and current conversation ignores the motivations of the criminals themselves. Cybercrime has become a highly functional, scalable economy with a low barrier to entry and the potential to generate enormous profit relatively quickly. The behavior of cybercriminals is best understood through the lens of economic motivations. Criminals do not (usually) steal data for the purposes of hacktivism or vandalism—instead they steal data for its monetary value, to either enrich their own lives or fund other criminal enterprises.

According to McGuire’s self-described conservative estimate, cybercrime generates at least $1.5 trillion in revenues every year. Mitigating the risk and lowering the cost from data loss begins with identifying how criminals make money from stolen data, and requires understanding the relative value of different data types in the criminal economy. “Into the Web of Profit” examines three key factors: the how and why of revenue generation, methods to launder funds from cybercrime, and the eventual destinations (other assets or activities) of these ill-gotten revenues.

Platform Capitalism, Platform Criminality

One of the more intriguing concepts put forward by recent research into the dark web is the idea of the cybercrime economy as a mirror of the contemporary capitalist economy. McGuire’s research suggests that the revenues generated from overt criminal acts are only a small piece of the puzzle. Data theft also supports a network of platforms and services that inadvertently enable and, ultimately, extract value from these activities. Digital platforms, from AirBnb to Facebook, have generated billions of dollars of revenue by connecting unconnected individuals and allowing them to share information or provide services to one another. Just as legitimate platforms have disrupted traditional capitalist models of generating revenue, so-called platform criminality (or platform criminalism, as it is referred to in the Dittus, Wright, and Graham paper of the same name) disrupts both the legitimate economy and other forms of crime. Platform criminality operates either by exploiting existing infrastructure or by creating its own platforms in order to extract additional value from illicit acts.

Because cybercriminals can exploit legitimate platforms, these legitimate platforms often have perverse incentives to enable illegal acts. “Into the Dark Web” provides the example of criminals using Airbnb payment cards to launder money. The paper explains that after the French government complained that Airbnb’s payment methods were enabling criminal activity, “the company … bowed to pressure and will no longer accept them for payment in France.” However, McGuire notes, it is not clear whether Airbnb is phasing out Payoneer cards worldwide. Instituting rules or policies that prevent criminal activities can introduce friction, making the service less convenient for legitimate customers and causing them to leave the platform. Criminals exploit these incentives in order to evade law enforcement and to profit from their criminal acts.

Cyber criminals are also an enterprising group; if they cannot sell their goods or services directly on legitimate ecommerce sites, they make their own. Dark and clear websites offer everything from stolen payment cards to Cybercrime-as-a-Service (CaaS) tools. Criminals with little to no expertise can buy or rent targeted scam pages, phishing sites, or botnets, often with technical support or guides that explain exactly how to use the product or service. The combination of existing infrastructure and specifically designed tools or services enables cybercriminals to exploit the most convenient aspects of the legitimate and illegitimate economies.

Follow the Money

While cybercriminals’ techniques constantly evolve, the results of these enterprises bear a striking similarity to those of more traditional criminals. Cryptocurrency created a springboard for cybercrime by providing a new way to buy and sell illicit goods and services. Criminal gains can outpace law enforcement’s efforts to track and disrupt: the blockchain obfuscates transactions and the number of anonymous wallets is limitless. According to McGuire’s research, cybercriminals continue to spend profits on luxury goods, such as high-end cars or jewelry, transform revenues into longer-term assets, such as property or art, and use revenues to pay bills or for basic living expenses. These revenues can also be reinvested in additional criminal enterprises; for example, a criminal might invest the profits from selling stolen payment cards into renting a botnet to DDoS a website.

“Into the Web of Profit” provides a compelling argument in favor of examining cybercrime as a complex economy rather than as a business or just a back alley deal. Criminals have developed streamlined, specialized, and interconnected operations, which creates a more robust and defined economy for specific data types. Approaching the risk calculations of preparing for and preventing data breaches from the perspective of which data is most valuable to a criminal rather than what which data is most valuable to a company may help generate new prevention and mitigation strategies.

Additionally, examining cybercrime as a mirror of other new economic models, such as platform capitalism, and exploring how these legitimate and illegitimate industries interact with each other will lead to a deeper understanding of how to disrupt these disruptions. Researchers, law enforcement, and cybersecurity professionals would do well to explore the possibilities offered by McGuire’s research.

analysis June 28, 2018
Shady Business: Commoditization of Data in the Dark Web Economy

Terbium's new report, Shady Business: Commoditization of Data in the Dark Web Economy, examines the underground data trade, investigates the shady business side of dark web operations, and challenges existing ideas about data valuation....

analysis July 09, 2018
The Terbium Take: Synthesizing Academia's Insights on Stolen Data

In an industry lacking a shared understanding of or framework for digital assets, we at Terbium Labs appreciate the analytical contributions from the academic and policy communities. In this post, we examine three papers...