How Cybercrime Empires Are Built

Strong partnerships and collaborations between industry and law enforcement are the most critical ways to take down cybercrime groups before they grow.

Sean M. McNee, Vice President of Research & Data, DomainTools

June 13, 2024

4 Min Read
The word CYBERCRIME over a dark but colorful digital background; hands can be seen on a laptop keyboard
Source: Igor Stevanovic via Alamy Stock Photo


It appears that 2024 could be the year of the cybercrime takedown. The most high-profile takedown so far this year, LockBit, was an international news story that broke the back of the so-called "most harmful cybercrime group." This was followed up shortly by the takedown of ALPHV/BlackCat.

However, for every takedown, there is an equivalent cybercrime "startup." Here's how such organizations emerge and function. 

Developing a Business Model 

When viewed through a dispassionate lens, cybercrime groups aren't that dissimilar from startups. The successful ones stay keenly focused on what their customers want and which markets and trends are ripe for disruption, and move fast to secure their advantages — even though these groups operate within a shadow economy that, despite being presumably hidden and illegal, is still an economy. It has all of the same financial dynamics, complex business interactions, and market forces as any other economy. 

Since these cybercrime groups operate outside the law, they are able to "innovate'' independent of any external regulations. They can pivot to target new industries rapidly, or pivot technologies or processes when they determine the financial payout is worth it. This freedom allows a highly motivated group to remain ahead of law enforcement and their targets. The savviest cybercrime groups don't change their technology because they want to, however, they change in response to market forces.

The Manipulaters: A Case Study 

The maturation of a cybercrime gang and its associated crimeware tools does not happen in a vacuum. It happens in the context of a community of financially motivated individuals. In the case of the recently documented recently documented Manipulaters, the group leveraged the variety of unmet needs by their customers to move laterally into different markets. The storefronts that the Manipulaters created demonstrated "social proof" of their value and followed a predictable pattern: A store would start with spam tooling and services, move to phishing kits, and eventually expand into off-the-shelf malware. Each time, the Manipulaters would refine its business models: who it sold to, what its pricing model was, and the specific services it offered. Even with these innovations, spam services remained its core business, with the most consistent profits, especially from West African clientele.

The considerable scale of its operation is nothing compared to its position as one of the "innovators'' in the cybercrime space. Its now defunct primary shop, Fresh Spam Tools, was one of the earliest large spam- and phishing-focused cybercrime marketplaces. The cybercrime marketplaces online today are a result of this "innovation" — there's good money to be made enabling others to perform cybercrime. By pioneering this business model, the Manipulaters lowered technical barriers to entry and expanded Internet crime. What this group may lack in technical talent, it more than makes up for in opportunism and business savvy, leading to its financial success.

Shifting Response Strategies 

Groups like LockBit, the Manipulaters, and others may find themselves battling changing strategies from law enforcement disrupting their activities. Recent amendments to the US Federal Rules of Criminal Procedure, including a specific change to Rule 41, broadens courts' jurisdictions to issue remote search warrants when the location of a sought-after device or data has been concealed due to technological means. This change, in alignment with the provisions of the Budapest Convention, has created the legal framework and tools required for international law enforcement coalitions to go after and take down cybercrime groups. The LockBit and ALPHV/BlackCat takedowns were enabled by these changes.

While this helps curtail illegal activity online, some privacy advocates are concerned. "Hard cases make bad law," so these takedown precedents should be considered carefully. There appears to be an operational delineation between "illegal code" placed into US-owned hardware by foreign actors, for example, compared to similar actions undertaken by domestic actors. Ultimately, Congress will need to step in and provide additional rules and guidelines for how to align potential domestic takedown cases with Fourth Amendment rights. 

Tracking Infrastructure to Prevent Empires

Law enforcement takedowns depend on timely, accurate, and actionable information, both on who the actors are and where their infrastructure is located. Internet infrastructure — IP addresses, email, and especially DNS — is key, as bad actors must be online to cause harm, thus we can track them. The research and knowledge generated by the security industry builds up a clear picture of the activities of cybercriminal networks. Therefore, ensuring a strong partnership and collaboration between industry and law enforcement is the most critical way to identify, mitigate, and take down cybercrime groups such as LockBit and ALPHV/BlackCat before they have a chance to become an empire. 

About the Author(s)

Sean M. McNee

Vice President of Research & Data, DomainTools

Sean M. McNee is Vice President of Research and Data at DomainTools. Over his career, Sean has harnessed the power of machine learning and visual analytics to help people — including academics, lawyers, and threat hunters — find the information they need to make better decisions. He looks for ways to make the Internet a better place, with a focus on Internet infrastructure, such as domain registration and DNS data analysis. A winner of the 2010 ACM Software Systems Award, Sean received his doctoral degree from the University of Minnesota, where he researched personalization and recommender systems.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights