The Cyber Crime Business Model

The Internet is a major enabler for Organised Criminal Group (OCG) activity. Compared to making money from more traditional crimes, hacking individuals, SMEs and large organisations is a relatively low-cost, low-risk proposition for criminal groups - and there are many parts of the world where such activity is not actively prosecuted by the authorities.

Many of these OCGs share similar techniques and services, and communicate with each other over heavily vetted closed criminal forums on the ‘dark web’ where they can collaborate and advertise new services, tools and techniques.

The cyber crime threat spans different contexts, and covers a wide range of online criminal activity, from scamming activity through to sophisticated attacks against financial institutions and other large organisations. 

However, very few people are aware of the extent of the online criminal ecosystem that supports and enables these attacks, and the business model behind it. It's very important to know what you're up against so you can defend yourself adequately.

How an OCG is set up
Most of the people within organised crime groups will have unique and valuable skill sets. Typically, these roles will comprise:

Team leader
A successful criminal group needs a team leader to oil the wheels and keep everyone in check. Sophisticated and successful cyber crime activity is managed by a co-located, or closely connected, OCG.

Coders, also known as malware developers, will write and update new code for malware, or plagiarise or modify publicly available malware. Cyber crime malware has progressed significantly in the past 10 years, from enabling basic access to a network or system to being able to: • execute a wide range of commands on a host • hide from antivirus • remotely control the victim’s machine • wiping Master Boot Records. Some forms of criminal malware are also able to hide in memory, so that even when you think you have removed them from the machine, they can re-establish themselves when it’s rebooted.

Network administrator
Not every group will have a network administrator or bot herder, but when present, they are responsible for hijacking (compromising) hundreds of online servers and devices which, when linked together, are referred to as a ‘botnet’. Having such a large network of devices within their control means bot herders have a significant network of machines to exploit.

Intrusion specialist
If an OCG manages to successfully install malware on a business network or other major target, then an intrusion specialist will step in with their own toolkit to ensure the malware presence is enduring and that they can exploit the network, often working to gain administrator privileges to gain access to the most valuable applications and databases.

Data miner
A cyber crime group will also often employ a data miner . Cyber criminals are now adept at stealing data in bulk. However, data is also valueless if it cannot be viewed in a format that can be easily sold on or exploited. A skilled data miner can identify and extract the data of value so that it is ‘clean’, categorising it and presenting it in a way that can be used to make money, or sold on a criminal forum to other criminals to exploit.

Money specialist
Once an OCG has clean data, they can ‘monetise’ it. A money specialist can identify the best way to make money from each type of dataset. This could be selling in bulk to trusted criminal contacts, or by using specialist online services.

How criminals access networks and steal data
The most common way your computer might become infected with data stealing malware is still via phishing emails which contain malicious links or attachments. In a report from Action Fraud, it was found that over 90% of cyber attacks used phishing as an attack vector. Other common ways your computer might be compromised are through visiting genuine websites that have been compromised with malicious code (known as a watering hole attack) or adverts that redirect you to a malicious server that will serve up advertisements to your computer (known as malvertising).

How phishing works
Spam emails have been used for years to deliver malware, but these have evolved significantly. By using interesting or concerning topics within the spam email (like fake invoices or banking security notifications), you’re encouraged to open them quickly out of curiosity, or concern. When you do, malware is deployed which will attempt to exploit your device. Whether it succeeds or not is often dependent on how up-to-date your antivirus is, and how well patched your operating system and software are.

The attachment in the spam email will often only contain a basic piece of malware or a ‘loader’ which, when deployed to your computer, is used to determine whether or not a full exploitation is possible or worthwhile for the cyber criminal. Once this determination is made, the loader will reach back to the cyber criminal’s malicious server and download a full malware package to it. An example of this can be seen in one of our recent case studies looking at Emotet/Ryuk/Trickbot (available from our archives at

Watering holes and exploit kits
In the case of watering holes (or some spam emails containing malicious links), you will be redirected to an exploit kit - a suite of computer programmes which scan your computer for exploitable vulnerabilities. When one of these vulnerabilities is discovered, an appropriate exploit will be deployed, which will then enable the installation of other malware to exploit your device. Once the malware is deployed, the whole range of tools contained in its code can be used to obtain what the criminal needs.

How criminals turn data into cash
Criminals monetise data in a number of ways, but generally the OCG will either do it themselves, or they will sell any stolen data on to other criminals to exploit in what is known as ‘secondary fraud’. To exploit bank accounts, an OCG will use specialists (known as money mules and mule herders) to launder stolen money through a myriad of accounts, eventually overseas and into the hands of the OCG.  If an OCG is going to sell the data, there are hundreds of criminal websites to facilitate this, including something called an Automated Vending Cart (AVC) where data can be bought in bulk with digital currencies such as Bitcoin.

How cyber criminals use the ‘online marketplace’
For the most organised and technically advanced groups, many of the services described are carried out ‘in-house’ as part of their own business model. For smaller groups or individual criminals, these services can be hired on the cyber criminal ‘online marketplace’ using a plug and-play approach to crime. Most of these services will be openly advertised in criminal forums. Some of the other typical services that are also regularly used by cyber criminals include:

Counter Anti-Virus (CAV) Services, which scan malware against all of the Anti-Virus packages currently on the market to ensure it goes unnoticed when it is deployed against a victim’s device.
Bullet Proof Hosting Services , which rent servers to host online criminal activity, but will not co-operate with local or international law enforcement (hence ‘bullet proof’).
Escrow Services, which will act as a 3rd party during transactions between untrustworthy criminals, holding onto their payments until they are happy with the quality of the service provided.
Cryptor Services, which put an encryption ‘wrapper’ around your malicious code to give it the best chance of being undetected.
Drop Services, which help any criminal business translate ill-gotten gains into cash. This service helps multiple crime types (including cyber criminals) transfer money between bank accounts, or physically move currency across international borders, or into other less traceable currencies such as Bitcoin.

(This article summarises the NCSC's report on criminal online activity - to read the full report visit the NCSC website at

How to Protect yourself

The NCSC publishes two key products covering how best to protect individuals and businesses from cyber crime:

Cyber Aware: ( cyber security advice for individuals and small businesses, including software updates and information on creating effective passwords

Cyber Essentials: ( industry-supported scheme to guide businesses in protecting themselves against cyber threats 

We (the SWRCCU) offer advice and guidance to organisations of all sizes and sectors based in the South West. We offer a range of workshops ranging from awareness presentations to incident response sessions, if you're interested in hosting or running these types of workshops then get in touch with us.

If you or your organisation have been a victim of ransomware or any other type of cyber crime, report to Action Fraud, the UK's national cyber crime reporting centre at or via phone on 0300 123 2040. Action Fraud have a 24/7 reporting capability for live incidents.

By using this website you agree to our use of cookies to enhance your experience. I understand

Windows 7 EOL

On January 14th 2020 Windows 7 and Windows Server 2008 (inc.variants) reached End of Life and will no longer have release updates or security patches provided by Microsoft.

These systems will still work after this date, but your business may be exposed to emerging threats of new viruses and malicious attacks.

Please don’t hesitate to contact either Julie or Darryn on 01460271055 to discuss your concerns.