If cybercrime is a business, then business is very, very good. Ransomware attacks, data breaches, theft of intellectual property, sales of counterfeit goods and other illicit activities are generating at least $1.5 trillion in annual revenue, according to a new academic study, Into The Web of Profit.
By comparison, that's more than the combined revenues of Facebook, Amazon, Apple, Netflix, and Google in the past 12 months—a lot more. In fact, $1.5 trillion roughly equals the revenue of the entire U.S. technology sector and is larger than all sectors but retail, finance and services, based on CSIMarket data.
In short: Cybercrime is a really big business, it's growing fast, and it's more than just "hackers with hoodies," as the report notes. As more and more of our daily activity takes place online, more and more criminal activity is going digital, where the rewards for fraudsters tend to be higher and the risks of getting caught in the act are lower.
The Cybercrime Economy
Cybercrime is "a hyper-connected range of economic agents, economic relationships and other factors now capable of generating, supporting and maintaining criminal revenues at unprecedented scale," warns the study's author, Dr. Mike McGuire, a senior lecturer at the University of Surrey in the U.K.
The author of Hypercrime: The New Geometry of Harm, McGuire is an international expert in analysing cybercrime, technology and the justice system. The study was sponsored by Bromium Inc., which provides security platforms for digital systems.
The cybercrime economy McGuire examines is not only intricately woven into the legitimate global economy, it also is building its own separate world of trading platforms for counterfeit merchandise and stolen data, establishing geographic centers of production, outsourcing criminal services to specialists in various aspects of cybercrime, and creating methods of converting stolen goods into cash through money laundering on places like the dark web.
McGuire says the $1.5 trillion estimate is probably low, because of the difficulty in gathering global data. The estimate is based on just five of the most prominent categories of cybercrime (as shown). While McGuire lists "crimeware" as generating $1.6 billion, he's totaling only the known attacks in denial of service and botnet hires, sales of Trojan-related malware and hacker-for-hire activity. The estimate entirely ignores romance and advance-fee loan scams, which generated $29 billion in the United States, United Kingdom and Australia alone during 2015.
McGuire's research included interviews with 100 active or convicted cybercriminals, as well as more than 50 experts in policing, finance, cybersecurity and academia. It also included peer-reviewed academic research; intelligence reports; security and financial databases; media reports; and material gathered from the dark web.
However, many experts agree it's difficult to pinpoint exact numbers when it comes to cybercrime. "While we know cybercrime is widespread, actual dollar amounts are very hard to estimate because criminals aren't likely to divulge actual numbers," explains Michael Bruemmer, VP of Consumer Protection at Experian. "The anonymity of the dark web makes commerce on it extremely difficult to track."
What Makes Up the Cybercrime Economy
According to McGuire's study, more than 50% of total cybercrime revenue is produced by trading in illicit or illegal online markets, such as prescription pharmaceuticals and counterfeit goods, sold on the dark web or through legitimate online operations, such as Amazon or eBay.
This growing illegal economy looks increasingly like the legitimate digital world. In addition to committing actual crimes, elements of the criminal economy are offering online services just like legal providers, including: technical support, customer reviews, ratings, and data on success rates.
The Income of a Cybercriminal
Rates for hiring cybercriminal servicers range from $200-$600 for each malware deployment, $200 for custom spyware, and $250,000 for an iOS attack, according to the study. Bargain hunters can pick up a month of SMS spoofing for a mere $20. (See also: Here's How Much Your Personal Information Is Selling for on the Dark Web)
Like the legitimate economy, the emerging cybercriminal system is highly stratified. At the top end, someone managing a platform offering multiple lines of debit and credit card data can earn up to $2 million, McGuire found; individual hackers-for-hire can make $30,000 for a single job. A low-end cyber hustler may earn as little as $3,500 a month, but that's $42,000 on an annual basis, close to the median U.S. household income—and frequently tax-free. What's more, digital crime pays better than violating the law in real life: "Individual earnings from cybercrime are now, on average, 10-15% higher than most traditional crimes," McGuire writes.
To combat this growing underground digital economy, McGuire suggests law enforcement concentrate on three key aspects of the larger system, rather than the current focus on defending individual devices and networks from hacks and breaches. Prevention, he argues, should study:
- How cybercrime revenue is generated and which revenue streams are the most profitable.
- How the illegal proceeds are transferred or laundered into the legitimate economy.
- Where cybercrime revenue is being spent, converted into assets or used to finance other illegal activities, including terrorism, illegal drugs, and human trafficking.
Surprisingly, McGuire estimates that only around 4% of money from cybercrime activities is laundered through Bitcoin or other cryptocurrencies. Meanwhile, up to 80% of cybercrime profits are spent on the immediate needs of criminals, illicit activities such as drugs and prostitution, merchandise such as luxury cars and jewelry, or converted into real estate or other long-term assets.
McGuire believes the pressure on cybercriminals to cash out their illicit proceeds can be exploited by law enforcement and cybersecurity enforcers to create new ways to identify and foil illegal activities.
In addition, focusing on those points of contact that are easiest to attack in any network or organization, rather than reacting to attacks after the fact, is key to preventing cybercrimes, McGuire says. "The criminals know where we are vulnerable—most often where humans put fingers to keyboards." While trying to change the ways humans work with technology can be daunting, focusing on prevention can be more effective in reducing attacks, he notes.
On an individual level, there are a few things consumers can do to help prevent being a victim of online crimes:
- Check to see if your information is on the dark web. Run a free dark web scan now to see if your Social Security number, phone number or email address is on the dark web.
- Practice safe password habits and change your passwords if you suspect your information has been breached.
- Manage your social media privacy settings to prevent personal information from falling into the wrong hands.
- Don't click on links in emails unless you're sure of the sender and the legitimacy of the links themselves.