The Trend Micro report, Inside the Halls of a Cybercrime Business, examined the operations of small, medium, and large criminal groups. The report details a day in the lives of employees and how they operate within hierarchies that increasingly resemble legitimate businesses as the group expands.
While small cybercrime groups typically consist of a few members operating under a partnership model — most of whom usually have day jobs on top of their role in the group — employees of larger organisations tend to lead lives like corporate workers at legitimate software companies. Large cybercrime organisations tend to have corporate-like departments such as human resources (HR) and information technology (IT) and might even have “employee-of-the-month” recognition programmes and performance reviews.
Nilesh Jain, vice president of Southeast Asia & India at Trend Micro says the criminal underground is rapidly professionalising — groups are beginning to mimic legitimate businesses that grow in complexity as their membership and revenue increases.
Trend Micro's latest Cyber Risk Index revealed that 89% of Asia Pacific organisations are somewhat to very likely to be compromised in the next 12 months. "The report will aid investigators in the ongoing fight against cybercrime by helping them better understand the criminal entities they are dealing with,” opined Jain.
Three types of cybercrime organisations according to size
Small criminal businesses (e.g., Counter Anti-Virus service Scan4You):
- Members often handle multiple tasks within the group and also have a day job on top of this work
- Typically, one management layer, 1-5 staff members, and under US$500K in annual turnover
- Comprise the majority of criminal businesses, often partnering with other criminal entities
Medium-sized criminal businesses (e.g., bulletproof hoster MaxDedi):
- Members work full-time for the group, managing various tasks within an eight-hour shift
- Typically have two management layers, 6-49 employees, and up to US$50m in annual turnover
- They usually have a pyramid-style hierarchical structure with a single person in charge
Large criminal business (e.g., ransomware group Conti):
- Members work from home based on a rigid, predictable schedule, and communicate frequently with their line manager about productivity and performance — like remote workers at legitimate corporations
- Typically have three management layers, 50+ staff, and over US$50m in annual turnover
- Implement effective OPSEC and partner with other criminal organisations
- Those in charge are seasoned cybercriminals and hire multiple developers, administrators, and penetration testers – including short-term contractors
- They may have corporate-like departments (e.g., IT, HR) and even run employee programs, such as performance reviews
The concluding theory
Knowing the size and complexity of a criminal organisation can provide critical clues to investigators, such as what types of data to hunt for. Understanding the size of targeted criminal organisations can also allow law enforcers to prioritise better which groups should be pursued for maximum impact.