How much are cybercriminals earning for their efforts? A new study by Bromium suggests that figure could be as much as US$2 million per job for those who are cybercriminal platform owners – although individual hackers can still walk away with US$30,000 per year.
The resulting cybercrime industry may be raking in as much as $1.5 trillion worth of illicit profits that are being acquired, laundered, spent, and reinvested. The industry is now an ‘interconnected Web of Profit’ – a self-sustaining system.
The study, conducted by the University of Surrey’s senior lecturer in criminology, Dr Michael McGuire, is based on conversations from the UK’s GHCQ, the US FBI, Europol, global financial institutions, and even covert security workers who infiltrated the dark web.
Illicit and illegal online markets make up the bulk of the $1.5 trillion economy ($860) billion; theft of trade secrets and IP is worth $500 billion; data trading is worth $160 billion; crimeware-as-a-service is worth $1.6 billion; and despite its prevalence, ransomware is only worth $1 billion.
McGuire calls cybercrime an economy: “A hyper-connected range of economic agents, economic relationships and other factors now capable of generating, supporting, and maintaining criminal revenues at an unprecedented scale.”
Cybercriminal platform owners will take the biggest share of the cybercrime actions. Managers can earn up to $2 million just with 50 stolen card details.
‘Platform capitalism’ has now extended beyond legitimate companies like Facebook and Amazon, and has now filtered down to the dark web to create the ‘Web of Profit’.
Bromium CEO Gregory Webb adds that the lines between criminal and ‘legitimate’ worlds are now blurring.
“We are no longer simply dealing with ‘hackers in hoodies.’ We have to understand and tackle the underlying economic ecosystem that enables, funds and supports criminal activity on a global scale to stem the tide and better protect ourselves. By better understanding the systems that support cybercrime, the security community can better understand how to disrupt and stop them. New approaches to cybersecurity will be required,” Webb says.
Individual services and products available on the dark web include:
· Zero-day Adobe exploits, up to $30,000
· Zero-day iOS exploit, $250,000
· Malware exploit kit, $200-$600 per exploit
· Blackhole exploit kit, $700 for a month’s leasing, or $1,500 for a year
· Custom spyware, $200
· SMS spoofing service, $20 per month
· Hacker for hire, around $200 for a “small” hack
McGuire found a number of criminal sites offering ratings, descriptions, reviews, services, and customer support – all of which improve the criminal customer experience.
Advertising is also a core revenue generator - before being taken down in 2016, the ‘Kickass Torrents’ platform was worth over $54 million, with estimated $12.5-$22.3 million annually in ad revenue alone, the report says.
Dark web market AlphaBay was one of the dark web’s biggest online crime markets before it was taken down. The platform not only included cybercrime tools, but also illicit substances, firearms, counterfeit goods, and toxic chemicals.
“We can clearly link cybercrime to the spread of new psychoactive substances with over 620 new synthetic drug types on the market since 2005. Many substances of this kind are manufactured in China or India, purchased via online markets, then shipped in bulk to Europe,” McGuire notes.
Platform criminality is also contributing to human trafficking, the report suggests.
“Pimps frequently use the internet as a tool for gathering revenues from clients and workers, and then recycle this back into the logistics (and costs) of trafficking victims from target locations with economically vulnerable populations,” McGuire concludes.