Worldwide, cybercriminals rake in at least $1.5 trillion every year — an amount equal to Russia's gross domestic product (GDP), according to research by Dr. Michael McGuire, senior lecturer in criminology at Surrey University and commissioned by security firm Bromium. In fact, if cybercrime were a country, it would have the 13th highest GDP in the world. McGuire's revenue figure includes estimated earnings of $860 billion from illicit or illegal online markets, $500 billion from intellectual property theft, $160 billion from data trading, $1.6 billion from crimeware-as-a-service, and $1 billion from ransomware. The research presents evidence that cybercrime revenues often exceed those of legitimate small to midrange companies.
In fact, the global crime economy has become a self-perpetuating organism — an interlinked web of profit where the boundary between the legitimate and illegitimate is often unclear. The McGuire report notes the emergence of platform criminality, which is similar to the business model used by companies like Uber and Amazon and whose stock in trade is data. The report also red-flags new modes of criminality that these platforms enable, and they allow illicit monies to be directed to more widespread criminal activities such as human trafficking, drug production and distribution, and even terrorism.
The World Goes Digital, and so Does Crime
Cybercrime is now a profitable underground economy. The fabled "darknet" provides the platform for transactions, the place where demand meets supply. The evolving cybercrime-as-a-service model offers everything from distributed denial-of-service attacks and malware to shiploads of stolen data sets on demand. Today, engaging in cybercrime is as simple as legitimate e-commerce.
Meanwhile, and making matters worse, the dependency on the availability and performance of IT infrastructure among legitimate enterprises is increasing heavily, which makes them more vulnerable to breaches that can wreak havoc on business. A few errant clicks by a clueless or malicious employee can take an organization offline or flood it with malware.
For those who know how, it is relatively simple to access the tools, services, and expertise of the cybercriminal. As a result, it's certain that both enterprises and governments will see more sophisticated, costly, and disruptive attacks — and that the problem won't be solved with old thinking or legacy technology. It will require fresh, more intelligent, and nimble approaches.
Platform Criminality Is Emerging
Interestingly, McGuire's report describes a growing interconnectedness and interdependence between the illegitimate and legitimate economies, something he calls the "Web of Profit." He contends that "companies and nation states now make money from this Web of Profit. They also acquire data and competitive advantages from it, and use it as a tool for strategy, global advancement and social control."
He continues: "There is a range of ways in which many leading and respectable online platforms are now implicated in enabling or supporting crime, albeit unwittingly, in most cases."
The emergence of platform criminality — which mimics the platform capitalism typified by companies like Amazon, Facebook, and Uber — offers fertile ground for hackers to further increase their ill-gotten gains. The report raises concerns that platform criminality is funding broader criminal activities such as human trafficking, drug production and distribution, and even terrorism.
According to the report, whether it's through hacking companies to steal users or personal data, distribute malware, flog illegal goods and services, establish fake shopfronts to launder money, or simply connect buyers and sellers, cybercriminals are clearly adept at leveraging existing platforms for commercial gain.
"This is creating a kind of 'monstrous double' of the legitimate information economy — where data is king," writes McGuire. "The Web of Profit is not just feeding off the way wealth is generated there, it is reproducing and, in some cases, outperforming it."
Post-Crime Reality and Terrorism
"We can clearly link cybercrime to the spread of new psychoactive substances with over 620 new synthetic drug types on the market since 2005," adds McGuire. "Many substances of this kind are manufactured in China or India, purchased via online markets, then shipped in bulk to Europe. But there is also evidence that groups who acquire revenues from cybercrime are involved in the active production of drugs."
The report shows that cybercriminal platform owners are likely to receive the biggest benefits from this new wave of cybercrime, and that they will probably distance themselves from the actual crimes. In fact, individual hackers may only earn a paltry $30,000 a year. In contrast, a trader can earn up to $2 million if they have just 50 stolen card details at their disposal.
McGuire refers to this as "post-crime" reality, one in which cybercriminals adopt a "platform capitalism" approach to selling, rather than committing crime.
In fact, McGuire unearthed criminal websites that provide ratings, descriptions, reviews, services, and even technical and customer support. These platforms are making the criminal "customer experience" better and providing easy access to services and products that support crime on a global scale.
Strangely enough, even criminal organizations themselves are also undergoing digital transformation and diversifying into new types of crime. McGuire claims that many of the larger known cybercrime operations typically reinvest revenues into expanding their operations — such as buying more crime software, maintaining a website, paying mules, or other criminal requirements. They invest approximately 20% of their revenues into further crime, which suggests that up to $300 billion may be funding future cybercrime and other serious criminal activities.
Alarmingly, the cybercriminals are not just stealing data to make money for the sake of it. McGuire suggests that their reinvestments include spending money to support other types of crime such as drug and human trafficking, and even terrorism. The report highlights one case where cybercrimes were committed specifically to generate more than $3.5 million for terrorist activities. Clearly, the need for cybersecurity is greater than ever, because the stakes have never been so high.