The Uber of the underworld

Mint, 4 days ago
EVERYTHING'S POSSIBLE at Harrods, proclaims the website of Britain's glitziest department store. Alas, on May 1st this universe of possibilities included an attempted cyber-attack that forced the company to restrict internet access at its sites, it said. The attempted intrusion came just days after hackers took down computer systems at Marks & Spencer (M&S), a supermarket and clothing retailer which says the disruptions will cost it some £300m ($405m). These breaches, which also hit the Co-op supermarket chain, were more than just costly cyber-attacks. They are worrying examples of how crime is evolving beyond simple street thuggery, or even the work of small groups of clever hackers, into a global service economy where anyone with cryptocurrency can buy the tools to paralyse a multinational corporation.
One of the chief suspects in the attacks on Britain's high street is the hacker collective Scattered Spider, according to Britain's National Crime Agency, which investigates serious and organised crime. Scattered Spider is not a traditional, hierarchical mafia. Instead it is a fluid network of young hackers who may never meet in person, yet can co-ordinate devastating attacks across continents. They are thought to have used DragonForce, a ransomware-as-a-service platform that gives criminals the software to carry out attacks in which they encrypt the victim's data or otherwise block their access to computer systems until a ransom is paid.
Just as Uber upended the taxi industry and Airbnb reshaped the hotel business, the criminal underworld is undergoing its own digital revolution. Criminals who might once have committed crimes themselves are now becoming service providers in a vast underground marketplace. This new service model "is evolving at a rate that we've never previously seen", says John Wojcik of the United Nations Office on Drugs and Crime (UNODC).
The exact cost of cybercrime cannot be known, since much of it happens in the shadows and victims of ransomware attacks may be reluctant to report the crimes. Sometimes this is out of fear that doing so will harm their reputation among customers or that it could result in them being fined under data-protection laws.
Nevertheless, it is clear that the scale is staggering, with billions, possibly trillions, of dollars in economic costs each year. The low end of the range comes from tallies of reported crimes by law-enforcement agencies. The FBI said it received reports of direct losses of $16.6bn in 2024, a 33% increase over 2023. Adding in unreported losses and wider economic costs leads to bigger numbers. Britain puts its current annual losses at more than £27bn (based on old data). The European Commission reckons that the worldwide costs of cybercrime were €5.5trn ($6.5trn) in 2021.
Though estimates of the full cost differ, almost all studies suggest that cybercrime is booming. One reason is the emergence of DragonForce and other similar providers of plug-and-play hacking kits, which give even unskilled criminals the ability to launch ransomware attacks. This dramatically lowers the barriers for newcomers, who no longer have to write their own malware. Moreover, a wider ecosystem of criminal services is developing. This allows hackers to buy, rather than steal, the personal data they need to identify potential victims or to work out how to launder ransom payments. Many of these services are accessed through online forums or messaging apps, such as Telegram, and are often paid for with cryptocurrency.
Hackers who develop ransomware use a variety of business models, from selling the basic code, which sometimes costs as little as $2,000, to ransomware-as-a-service. Under the service model a client (or affiliate) gets access to a web portal that lets them customise the ransomware. Some groups also provide a communications portal, through which their clients can negotiate anonymously with their victims. In exchange for these services they take a share of the profits. Market forces and competition have pushed this share down to around 10-20% from around 30-40% a few years ago.
Keeping secrets
This new modular model is not easily thwarted by law-enforcement officials. When cybercrime operates through countless providers, shutting down one node barely dents the system. In 2023 Scattered Spider attacked Caesars Entertainment and MGM Resorts International, two American casino operators, yet the FBI struggled to dismantle the network.
Criminal business models are also evolving. DragonForce uses a double extortion method. The service both steals a copy of its victim's data and also encrypts it on the victim's computer system. Thus it can demand two separate ransoms: one to unscramble the data and another to delete the stolen copy. Firms that refuse to pay face the threat that their data will be leaked to other cyber-criminals.
The targeting of large retailers such as M&S, Co-op and Harrods is not random: these sorts of firms house troves of customer data. After Scattered Spider's attacks on the British retailers, Google warned on May 21st that the group is turning its attention to American retailers.
The sorts of personal information big retailers hold—names, email addresses, credit-card details, shopping habits, even browsing histories that reveal personal interests—are the backbone of modern retailing. These data are among cybercrime's most valuable commodities. With this information criminals can craft more convincing phishing attacks (emails that impersonate legitimate companies in order to trick people into divulging passwords or financial information), launch targeted malware attacks and commit fraud. Underground markets, hosted on messaging apps or on the dark web, now serve as trading hubs where vendors sell stolen credit-card details, bank records and other confidential data. Beyond hacking large retailers, criminals who specialise in stealing and selling data also target banks, investment firms and other financial companies for information about wealthy clients and other profitable targets.
Increasingly, criminals use information-stealing malware, often distributed through phishing emails or malicious ads, that infects computers and smartphones. This malware harvests browsing history, saved passwords (including from internet banking), chat logs, cryptocurrency-wallet details and other personal content. Among these password-stealers are RedLine Infostealer, which has been used to infiltrate major corporations, and META Infostealer (not to be confused with the company that runs Facebook). They are distributed through a decentralised malware-as-a-service model in which cybercriminals either buy a lifetime licence for $900 or subscribe to use it at a cost of $150 a month, according to a criminal complaint filed by America's Department of Justice before a court in Texas in 2022. One cyber-security expert now reckons that the cost of a lifetime licence has increased to $10,000.
Adding fuel to the fire is artificial intelligence (AI), which has already transformed two common types of cybercrime: producing malware and conducting phishing attacks. In the past, gangs would have needed experts with advanced coding skills to write malware or to tailor it to specific targets, tasks that are easily done by generative AI. "What might have previously taken an advanced criminal group weeks to figure out is now available to any criminal in minutes," says Jeff Sims of Infoblox, a security firm.
AI also allows criminals to produce convincing, well-written phishing messages (often in languages that are not their own). These are more likely to succeed in deceiving victims, especially when combined with stolen data. Crime syndicates, for example Chinese groups operating out of South-East Asia, are using AI to translate scripts for romance scams, fake job offers or fraudulent investments, letting them target victims around the world.
Paying the bounty
Law-enforcement agencies have tended to focus on trying to shut down or disrupt the providers of ransomware. In late May an operation by European and North American agencies dismantled an extensive network and issued arrest warrants for 20 people. Yet the continued growth in this sort of crime suggests that enforcement is failing, leading to more draconian proposals. Britain plans to outlaw payment of ransoms by public-sector bodies and operators of critical infrastructure, hoping this will make them less attractive as targets. Those not subject to this ban would still have to report ransomware attacks to the authorities, which would allow law-enforcement officials to block ransom payments. Yet legal experts fret this will not stop cyberattacks (since hackers may still get customer data that they can sell) nor protect companies, which could collapse if they cannot regain control of their data.
If nothing else, the dilemma over how to deter the new breed of cybercriminals highlights how one of the world's fastest-growing criminal threats comes not from armed gangsters, but from geeks writing and selling code in the burgeoning underworld of the criminal gig economy.

Related Articles

UK's Next lifts profit outlook as warm weather, M&S disruption boost trade

Time of India, 7 days ago

British clothing retailer Next raised its annual profit outlook for the third time in five months as it reported better-than-expected second-quarter sales, benefiting from warm weather and disruption at cyberattack-hit rival Marks & Spencer. Next has around 460 stores in the UK and Ireland and an online presence in over 70 countries selling the Next brand and more than 700 other brands. With the United Kingdom accounting for around 80% of its sales, it is often considered a useful gauge of how British consumers are faring. It said on Thursday full-price sales in the 13 weeks to July 26 rose 10.5% versus last year - ahead of guidance of 6.5% and compared to growth of 11.4% in the first quarter. Sales overperformed against Next's expectations in both the UK and overseas, it said. The retailer said UK sales growth of 7.8% was largely due to better than expected weather and "trading disruption at a major competitor", which it did not name. However, Next's second quarter overlapped a period where M&S stopped taking online clothing orders following a cyberattack which has cost it 300 million pounds ($398 million) in profit. Industry data has shown Next to be a beneficiary of M&S' woes, along with Zara and H&M. Next said international sales grew a faster than expected 26.4% mainly because its digital marketing proved more effective than anticipated. Though Next raised its guidance for second half full price sales growth to 4.5% from 3.5% previously, it remained cautious for the period. It expects UK employment opportunities to continue to diminish, with the effects of April's employer tax increases continuing to filter through into the economy. "We believe that this will increasingly dampen consumer spending as the year progresses," it said. Reflecting that caution, Next shares were flat on Thursday, having risen 29% in 2025 so far. 
"Next is cautious about the second half of the year, but the company has a good track record of under-promising and over-delivering," Zoe Gillespie, wealth manager at RBC Brewin Dolphin, said. Next raised its forecast for year to January 2026 pretax profit by 25 million pounds to 1.105 billion pounds. Profit topped 1 billion pounds for the first time in 2024/25. On Wednesday, Next bought the brand rights to maternity retailer Seraphine.

Ransomware groups are blurring the line between cybercrime and 'hacktivism'

Time of India, 31-07-2025

Ransomware is evolving from profit-driven attacks to political tools, targeting countries like India and the US, according to a report by Akamai. These hybrid groups are mixing financial crime with political messaging, blurring the line between them, making it harder for authorities to stop them. India, in particular, is facing rising attacks, highlighting the need for stronger cyber defences. Cybercriminals are now using ransomware not only to make money but also to spread political propaganda, according to a new report by cybersecurity and cloud computing company its State of the Internet 2025 report, Akamai shows how some ransomware groups are acting more like hacktivists — hackers who attack systems to support a political or social or RaaS groups with hacktivist motivations are using ransom payments to fund campaigns to advance their ideologies. 'We are seeing actors like DragonForce and KillSec blend ideology with extortion, turning ransomware into a weapon of disruption rather than just a tool for profit. This fusion of hacktivism and RaaS blurs attribution and complicates response,' Reuben Koh, director of security technology and strategy, Asia-Pacific & Japan, Akamai, told of the biggest hacktivist groups is Malaysia-based DragonForce. The group focuses especially on disrupting systems in India and Israel. It has launched major ransomware attacks across other countries as well, including the UK and the United group, Stormous, has attacked big companies such as soft drink manufacturer Coca-Cola and Barbie doll maker Mattel, and often leaves ransom notes in Arabic. It targets countries seen as unfriendly to Russia or aligned with Western interests, including France, Spain, the US, and there is KillSec, which began its attacks in October 2023. It supports pro-Russian political ideas and mainly targets the government and healthcare sectors.
KillSec has shown a particular interest in targeting Asian countries such as India and Bangladesh, as well as other countries, including the United which started as a political hacktivist group in 2024, also began using ransomware to attack critical systems in NATO-aligned (North Atlantic Treaty Organisation) countries. It started using ransomware for retaliation against adversaries of Russia or India, and often targets report also cited data from eCrime Threat and Risk Intelligence Services, which shows that Asia was a major target for ransomware attacks. In 2024, India experienced 17 attacks on its financial institutions, surpassing the UK's 16 and Canada's these figures are still far lower than the 151 attacks reported in the US last year. 'India's growing geopolitical relevance and digital infrastructure make it a high-value target for hybrid ransomware groups,' said Koh. 'This highlights the urgent need for resilient, intelligence-led cyber defences across Indian enterprises and critical infrastructure that can adapt to the ever-changing threat landscape and adversaries.' Since 2022, FBI decryption keys have helped victims in the US avoid over $800 million in ransom payments. Decryption protects sensitive data like financial records and personal information, by keeping it secure yet are banning ransom payments to threat actors, since paying doesn't guarantee data recovery. Meanwhile, cyber insurance providers are incentivising organisations to strengthen security programs and offering their negotiating skills to lower ransomware payments.
