Connect with us

Hi, what are you looking for?



Cryptocurrencies and the Revolution in Cybercrime Economics

Cryptocurrency was envisioned as a revolution in how money is created, used and controlled.

Cryptocurrency Use in Cybercrime

Cryptocurrencies Have Revolutionized the Economics of Cybercrime

Over the past year, Bitcoin and other Cryptocurrencies have increasingly gained publicity and media attention. The focus of the reporting has been primarily on cryptocurrencies as a financially speculative medium, with the value of Bitcoin rising over 2000% in 2017 alone. Although there has been some reporting on the importance of cryptocurrencies as the payment medium of choice on the Darknet, less attention has been given to the fact that they have revolutionized the economics of cybercrime, with a noticeable impact on threat actors’ Tactics, Techniques and Procedures (TTP’s).

The history of monetizing hacking

Historically it has been challenging for cyber criminals to monetize hacking. While for example it has always been relatively easy to obtain credit card numbers from ecommerce web sites, converting these into cash has required more than just computer skills and frequently exposed the hacker to real world risk. Going back to the 1st and 2nd generation of hackers, the currency of choice within the community were lists of password and shells, zero days and exploits. As hacking knowledge was more broadly disseminated and moved beyond a small circle of technology enthusiasts, and more and more commercial activity transitioned to computerized and networked systems, financially motivated cybercrime also increased.

In the early days of cybercrime, cybercriminals used a variety of approaches to generate profit from their activities:


Stealing sensitive data and finding a buyer for it has a long history in the hacking community and beyond. In 2006 for example, two criminals stole intellectual property from Coca-Cola and tried to sell it to Pepsi. Thankfully, Pepsi alerted the authorities and the perpetrators were caught and prosecuted. Although this example was committed primarily physically, the risk involved in this particular crime is similar to when it’s committed through hacking.

Even when the counter parties that the data is sold to do not alert the authorities, a concerted campaign of data theft can eventually be discovered, as in the case in 2008 of a Greek hacker who had stolen weapons data from France’s Dessault Group and sold them to several nation states

Advertisement. Scroll to continue reading.

One of the oldest, but most famous examples is the story of Karl Koch and the KGB hackers, who broke into US defence contractor systems for the KGB in return for cash and drugs. Karl Koch died in a suspicious suicide in 1989 that many still suspect was a murder.

Cyber Extortion

Another way to monetize hacked data is to blackmail the victim. Many companies and people have data that they wish to keep a secret, whether they are sensitive trade secrets, evidence of wrongdoing or unethical behaviour, or something to be ashamed of. The true scale of this can only be guessed at, but there are quite a few known cases. In 2007, Nokia allegedly paid millions of Euro’s to cybercriminals who had stolen a digital signing key for Nokia’s Symbian OS and Domino Pizzas’ customer database was stolen in a breach in 2014 with the attackers demanding a ransom of $30,000.

Extortion based on DDoS attacks is another tried and tested criminal way of monetizing hacking. The idea is simple – the victim has to pay the hacker or their cyber presence will be DDoS’ed, and is especially effective when targeting online retailers, gaming, gambling and media providers. Not paying could mean a higher financial impact in lost revenue and service outages.

The current variation of cyber extortion is of course ransomware.

The challenge for the hacker, as with most historic methods, is how to get his hands on the money without being exposed to risk. A wire transfer and even PayPal leave an audit trail, and a cash exchange requires physical interaction.

Identity Theft and Credit Card Fraud

The first attempts hackers made at credit card fraud were primitive, but so were credit card theft counter measures. One generally accepted Modus Operandi was to order a high value item such as a laptop to an address were the hacker knew no one was at home. They would then pretend to be the resident of the property, doing gardening work for example, to intercept the delivery, or a similar social engineering based ruse. This approach was inherently risky and difficult to execute, requiring knowledge of an empty property without suspicious neighbours and of the day and time of delivery.

As credit card data became increasingly available and hacking skills were disseminated to a broader audience, organized crime got into the game as well. The simplest way to convert credit card data into cash involved copying the stolen to card data to cloned cards and to use these to pick up cash from ATMs. This was still something that a hacker could accomplish alone, but daily ATM cash limits meant that each card only provided a percentage of the available funds and the window of opportunity for using them was small. The risk of getting caught was also not negligible. Alberto Gonzalez, one of the most famous early cyber criminals first came to the authority’s attention this way.

A more effective and scalable method involved cloning credit cards and going on a purchasing spree for high ticket items for resale. This requires a sophisticated crime ring. The capability to clone large amount of cards including the raw cards and copying technology, a group of willing accomplices who will physically go into stores to buy the merchandise and a way of selling it to turn it back into cash. At each step there is a loss of value – only a percentage of the credit limit can be used, resale means selling at discount. Lastly, there’s at least a partial audit trail that a fraud investigator could use to reconstruct the crime – receipts, serial numbers, the seller account and the mechanism with which payment is received.

With the advent of online retailers such as Amazon or eBay and payment services such as PayPal, th
is became easier, but a high level of risk was still involved, and businesses also put counter measures into place.  For example, Amazon stopped sending orders to certain high risk countries such as Russia. But Russian cybercriminals just bypassed this restriction by placing job ads seeking individuals who would repost ordered items from their own address, essentially transferring the risk of getting caught to hapless victims who thought they were getting an easy side job.

Wire transfer fraud

Another classic is the theft of banking or other payment related credentials, for example PayPal, often via social engineering or a Trojan, to subsequently transfer funds out of the victims account. In its most simple form, this involves social engineering via email or phone to fool the victim into passing on the account credentials. More sophisticated cybercriminals automate this using drive-by infection or phishing emails as success can require a high volume of attempts before victims fall for the scam.

Direct attacks on the banking system have occurred, but are rarer and difficult to execute. They require a high degree of formality with how financial transactions and the banking system function, and frequently rely on insider knowledge or participation.

The inherent challenges of traditional Cybercrime Monetization – Complexity and Risk

Each one of these has four distinct weaknesses from the hackers point of view:

1. They force him to move beyond the virtual. To monetize each of these approaches requires interaction with the real world.

2. They make him rely on oftentimes dangerous and unpredictable 3rd parties, such as nation state intelligence services or hardened criminals.

3. They require a sophisticated and complex infrastructure or human organisation

4. The last step in the chain – obtaining the profit and converting it into cash anonymously – is difficult and requires multiple steps to launder the money.

The hacker is rarely autonomous and independent, and the risk of getting caught, especially when transferring the stolen profit into his own hands is considerable.

The role of Cryptocurrencies in the new Cybercrime Economy

Cryptocurrencies possess some characteristics that solve the complexity and risk challenges for monetizing hacking:

1. They are anonymous

2. They are unregulated

3. They represent a direct store of purchasing value, even if they need to be converted from one cryptocurrency into another

4. They can be stolen themselves, or resources can be stolen to mine them

It is these characteristics that make Cryptocurrencies so attractive and especially useful to cybercriminals.

The problem that cybercriminals have always had, was how to turn data into currency. Now data is currency.

We are already seeing this have effect on the threat landscape and threat actor’s TTP’s:

1. Cryptojacking, where system resources are hijacked to mine cryptocurrencies, is up by 725% over the past 4 months

2. Ransomware, that now generally demands payment in BitCoin, has increased by 90% in 2017

3. Bitcoin exchanges have been targeted in a number of high profile breaches

4. Bitcoin users have been specifically targeted to steal their wallets 

Cryptocurrency was envisioned as a revolution in how money is created, used and controlled. This utopian goal seems to have been overly idealistic and never considered that it will in fact be co-opted and regulated by central powers and financial institutions. Where it has in fact caused a revolution is in Cybercrime. Cybercriminals are now truly autonomous. They can directly monetize hacking. They require no middlemen to do this, and can use less sophisticated TTP’s than has historically been required. The task of tracking and catching them however has become more difficult, and whenever the profit in a criminal endeavour increases, so does its proliferation.

Written By

Oliver has worked as a penetration tester, consultant, researcher, and industry analyst. He has been interviewed, cited, and quoted by media, think tanks, and academia for his research. Oliver has worked for companies such as Qualys, Verizon, Tenable, and Gartner. At Gartner he covered Security Operations topics like SIEM, and co-named SOAR. He is the Chief Futurist for Tenzir, working on the next generation of data engineering tools for security.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Shay Mowlem named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.