Size Matters: Unraveling the Structure of Modern Cybercrime Organizations
The conventional definition of a legitimate company cannot be applied to criminal organizations because doing so renders all criminal groups as small-size businesses. For the purposes of our research, we set the definition ourselves for ascertaining the size of criminal groups based on the number of their employees, their layers of hierarchy, and their annual revenues, as gleaned from our robust body of research into different criminal groups that we have published through the years.
The clandestine nature of underground activity makes it impossible to devise a rigid set of criteria for determining the business size of criminal groups. To address this, we created a guide (Figure 1) that threat analysts can use to classify a criminal organization's size, which can be taken in combination with other available information. As a rule of thumb, a criminal organization’s classification under a specific category implies that it has sufficiently met the prescribed criteria.
|Number of staff and affiliates||Annual revenue||Management layers|
|Small||1 – 5||Under US$500,000||1|
|Medium||6 – 49||Up to US$50 million||2|
Figure 1. Guidelines for ascertaining criminal business size
The cybercrime space is populated mostly by small groups of criminals that earn moderate annual revenues of no more than US$500,000. Small criminal groups usually consist of a team leader, a coder, a support role, and a network administrator. Such leanness implies that each employee often multitasks to fulfill various business needs like advertising, recruitment, and finance, among others. Small criminal groups often have members holding a day job on top of their engagement with the group.
Small criminal gangs are established by one or more entrepreneurs to create and sell a unique product or service. The founders finance the operation themselves and allocate resources for developers of the malware code, servers, and other attendant cost.
In our research, we use Scan4You as an example of a small business group that made its mark on the cybercrime scene. During its five-year run from 2012 to 2017, it was one of the largest Counter Antivirus (also known as Counter AV or CAV) services in the criminal underground.
Compared to the flat organizational structure of small criminal businesses, midsize criminal groups have more management layers like those commonly found in regular businesses of the same category. Their organizational chart shows one person at the topmost tier taking charge of the entire operations.
Medium-size criminal organizations have basic functional groups and reporting lines with a headcount between six and 49 employees, and they generate revenues not exceeding US$50 million a year. Such hefty revenues therefore justify and maintain full-time employment for their group members.
To unpack the structure of midsize criminal groups, we selected MaxiDed. Initially set-up as a small hosting provider with no explicit mention of making a profit from illegal activities, MaxiDed transformed in 2011 to become a bulletproof hosting provider catering to illicit businesses that deal with command-and-control servers (C&C) for distributed denial-of-service (DDoS) botnets, cyberespionage, malvertising, spam, and hosting of child abuse materials.
Large criminal organizations have functional departments like human resources and IT, rendering their structure as remarkably similar to the setup of normal corporations. Reporting lines are also highly hierarchical with middle management and upper management arranged in a pyramid-like structure.
Case in point, managers closely monitor employee performance and implement programs to boost and sustain employee motivation to consistently achieve their financial targets. The annual revenues of large criminal organizations surpass US$50 million, which approximates the sizable earnings of legitimate companies.
As one of the most prolific and notorious ransomware groups in recent history responsible for many high-profile attacks, we chose Conti to examine the inner workings of a large criminal enterprise. Conti is a prominent ransomware-as-a-service (RaaS) provider widely assumed to be the successor of the Ryuk ransomware. Conti operators have gained infamy for their skillful use of double-extortion techniques and have been known to peddle access to victim organizations that refused to negotiate, in addition to publishing stolen data.
A cybercrime investigator’s estimation of the size of a target criminal organization can pave the way for the discovery of new information whenever an infiltration takes place. These new key pieces of information might include a gang’s financial statements, organizational charts, list of employees, the cryptocurrency wallets of group members, and department-specific documentation, among others. More importantly, such information can be pivotal for both investigators and law enforcement who aim to deal a critical blow on these gangs.
For cybercrime investigators: Knowing criminal groups’ management structure can not only give them baseline information on the roles and number of people to look for but also zero in on key people within the group for them to closely monitor and probe.
For law enforcement: Knowing the size of a target criminal organization can help identify which groups ought to be prioritized for pursuit over others to make the most significant disruption to cybercriminal operations.
Lastly, it is worth emphasizing that as leaked Conti chats prove, the disclosure of sensitive gang information can help make a more staggering impact on cybercriminal operations than mere server takedowns. To gain more insights on the size and structure of different criminal groups, read our paper, “Inside the Halls of a Cybercrime Business.”
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.