Connect with us

Hi, what are you looking for?



Black Markets for Cybercrime a Specialized and Mature Economy: Report

Analysis of Cybercrime Markets and Stolen Data

Cybercrime Black Market Viewed as Being More Profitable and Low-risk Than Illegal Drug Trade

Analysis of Cybercrime Markets and Stolen Data

Cybercrime Black Market Viewed as Being More Profitable and Low-risk Than Illegal Drug Trade

Cybercrime has evolved from a shadowy world dominated by individuals looking for notoriety and engaged in a game of one-upmanship, competition to a mature market-based economy thriving in the darkest parts of the Internet, according to an in-depth RAND study.

“The hacker market, once a varied landscape of discrete, ad hoc networks of individuals initially motivated by little more than ego and notoriety, has emerged as a playground of financially driven, highly organized and sophisticated groups,” RAND researchers wrote in Tuesday’s “Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar” report, sponsored by Juniper Networks.

Today’s black market is a multi-billion dollar ecosystem where buyers can buy tools, technology, services, and stolen goods from sellers through a combination of familiar e-commerce tools, digital currencies, and secure communication protocols, according to the study. The black market is much more sophisticated than originally thought, and operates just like a legitimate economy, subject to normal market forces such as supply and demand.

The cybercriminal underground “mirrors the normal evolution of a free market, with both innovation and growth,” the report said.

The existence of the underground economy is not exactly a well-kept secret. There has been a lot of recent research on the type of tools and services available, such as the thriving market for stolen credit and debit cards, the fact that criminals can rent or buy most of the tools and infrastructure they need for cheap, and an attempt to identify some of the malicious sites hidden inside the Tor network. The RAND study differs from previous work because it is an economic analysis of the complete black market, and not just on a specific geographic region or a segment of offerings, said Lillian Ablon, a RAND researcher and one of the principal authors of the study. Researchers found significant levels of economic sophistication, maturity, reliability, accessibility, and resilience in the products, distribution channels, and actors involved in these operations.

Specialization and resilience are some of the hallmarks of a mature economy, Ablon said. In a resilient economy, if one business shuts down, whether voluntarily or because of a law enforcement action, other participants step in and close that gap quickly. For example, when the alleged author of the Blackhole Exploit kit was arrested, total exploit-based attacks didn’t decline dramatically because other exploit kits filled that vacuum. Or when Silk Road was shut down, a replacement Silk Road 2.0 opened for business shortly afterwards, Ablon noted.

Cybercrime Marketplaces

Criminals can shop for hacking tools and exploit kits, hosting infrastructure and distribution systems, and stolen information just by visiting a storefront. Sellers use anything from instant messaging chat channels, forums, to sophisticated e-commerce sites, the report found. Much of the transactions are paid for with digital currencies such as Bitcoin, Pecuni, AlertPay, and PPCoin, to protect the anonymity of the marketplace participants. Much of the communications are conducted over secure instant messaging or private forums that require select membership.

Advertisement. Scroll to continue reading.

Today’s “black markets have seen a shift, a huge movement, into the darkness,” said Ablon.

Recent arrests of major figures in the cybercrime underground and law enforcement’s increasing successes in shutting down servers hosting malware and illegal marketplaces mean access to many of these black markets have become more restricted, said Lillian Ablon, a RAND researcher and one of the principal authors of the report. Cybercriminals have to be vetted before they can gain access, but once in, there are no restrictions in what the criminals can do or buy.

There are still certain rules of behavior, just like any other market, and the rule-breakers tend to be in the “lower” levels of the black market, which has less strict vetting rules. About 30 percent of the sellers of financial data are considered “rippers,” or those who don’t deliver what they offer, the report found. Reputation still matters, for both the sellers and buyers, since violators such as these rippers are reported and removed from the marketplace fairly quickly, the report said.

The cybercrime black market is increasingly being viewed as being more profitable and low-risk than the illegal drug trade, Ablon said. Some criminal organizations can reach 70,000 to 80,000 victims worldwide and earn hundreds of millions of dollars, the study found. It’s easier to find victims and the barriers to entry for cyber-criminals are negligible. For example, botnets which be used to launch distributed denial-of-service attacks, are available for as low as $50 for a 24-hour attack.

“These tools, sold on the black market as traditional software or leased like any other managed service, can help enable the most unskilled hackers to launch fairly elaborate and advanced attacks,” the study said.

There are some geographic differences and areas of specialization. Cybercriminals from China, Latin America, and Eastern Europe were known for quantity in malware attacks, while Russian criminals were generally considered to offer better quality, the report found.

As end users become more hyper-connected, with more devices being able to connect to the Internet, criminals will see more points of attack and exploitation, Ablon said. The increased attack surface will mean wider selling opportunities on the black market, she said. There will be more malicious activity in the darknets, increased vetting of participants in these black markets, and a greater popularity of cryptographic currencies such as Bitcoin.

Products will also evolve in its sophistication, such as adding encryption to protect data being transferred from compromised systems and anonymity capabilities to malware harder to detect. The black markets will be instrumental in distributing these anonymous, stealthy, and potent attacks, making more likely the “the ability to attack will likely outpace the ability to defend,” the report found.

While there is a growing number of services such as hacking-for-hire, hosting providers, and Malware-as-a-Service being offered on the black market, experts could not agree whether the black market will eventually transform into a service-based economy, which products will be on the rise, or which types of attacks will be more prevalent, Ablon said. Most interestingly, experts disagreed whether individuals or businesses would be the most affected by the ever-expanding black market, she said.

The full report from RAND is available online.

RelatedWhat Happens to Stolen Data After a Breach?

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.