Today's foremost cybercrime gangs operate like large enterprises, with more than $50 million dollars in annual revenue and around 80% of operating expenses going to wage bills.
In a report published April 3, researchers David Sancho and Mayra Rosario Fuentes of Trend Micro mapped out the economics of running a cybercrime business in 2023. Using "observations and estimations," they explained, they aimed to show "the quarterly financial reports for typical criminal groups under small, medium, and large enterprise categories."
"Our hypothesis was that the bigger these organizations are going to be, the more they're going to resemble the structure of a corporation," Sancho tells Dark Reading. The most surprising thing, he says, is "when you put everything together, how consistent the picture is."
Small, medium, and especially large cybercrime gangs operate just like their legitimate counterparts, from their managerial structure all the way down to benefits for the lowest-level employees.
The inner workings of cybercrime operations don't just make for fun facts, though. "If you agree with our conclusion that the larger the organism, the more structured it becomes," Sancho says, "that presents an opportunity for anybody who is investigating or otherwise dealing with these organizations."
The Cybercrime Economy of 2023
In parallel with the corporate economy, the researchers mapped cybercrime organizations into three categories:
- Small: 1-5 staff and affiliates, one management layer, under $500K annual revenue
- Medium: 6-49 staff and affiliates, two management layers, up to $50M revenue
- Large: 50+ staff and affiliates, a few management layers, and more than $50 million in revenue
The smallest hacker groups operate with a "move fast and break things" kind of mentality — funding operations out of their own pockets, making income however they can, and with everybody on the team doing a little of everything.
But "as revenue grows larger and larger, there's a bottleneck," Sancho explains. "If we can get this much money with five hackers. Let's see what we can get with six."
At this point gangs begin to bring on full-time staff — necessary for maintaining million-dollar annual profits — and a defined organizational structure.
"When you're more than five, six people, somebody needs to be in charge of something, otherwise if everybody does everything, it's kind of a mess," the researcher notes.
"The more they start growing, the more the complexity grows," he continues. "And when you're thinking about organizations of 20-plus, 50-plus, you definitely need people arranged in some sort of structure. Some people do finance, some do marketing, some do sales."
These groups have IT and even human resources divisions, operating with a pyramid-style management structure. As a humorous case in point: The Conti group used to have employees of the month.
How Corporate Cybercrime Targets Can Benefit
As Sun Tzu famously observed in The Art of War: "When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. Know thy enemy and know yourself; in a hundred battles, you will never be defeated."
Hackers have a reputation for working in the shadows — dark rooms, anonymous identities, and so on — by their own design. Once enterprises can recognize a bit of themselves in their adversaries, it makes the job of dealing with them less confusing.
For example, if you've been hit by a small group, you might reasonably assume that they act more like a startup. "Those groups can be more flexible and attack you differently," Sancho says, and so victims should react with more caution.
Conversely, for the biggest, baddest criminal outfits. "Once you realize that criminal organizations behave in an enterprise manner, then you realize their need to have a repository of documents," he explains. "They need to have rules for how to interact with one another. They're mostly working remotely."
Investigators can look for data one might not otherwise associate with cybercrime gangs — mergers and acquisitions information, shared calendars, and the like. And if nothing else, businesses may take some comfort in knowing that their attackers have predictable systems in place.
Professionalization can also prevent agility for cyberattackers. Cybercrime gangs are just like corporations now and as long as that's true, Sancho concludes, "they'll have the same headaches corporations have," like, for instance, sourcing good talent.