Cybercrime is a major concern for individuals, businesses, and governments alike. As technology advances, so do the tactics and sophistication of those who seek to exploit it for nefarious purposes. Data shows that, on average, a cyber attack occurs every 39 seconds, affecting one in three Americans annually.
Recognizing the human element behind these cyber threats is crucial in combating them effectively; this article aims to analyze the psychological complexities driving cybercriminal activities and pave the way for more effective countermeasures.
What Does the Modern Cybercriminal Look Like?
While notorious cybercrime gangs get all the attention, there's very little coverage devoted to what an individual cybercriminal looks and behaves like. Don't get us wrong—knowing strategies and techniques used by organized crime is invaluable to cybersecurity experts and law enforcement, but we must dig even deeper.
So, what would the average cybercriminal be in 2024?
In terms of age, they're men aged 18-34, with a propensity for risk-taking. In 2019, the International Journal of Cybersecurity Intelligence and Cybercrime revealed that women make up less than 6% of all offenders, a situation that hasn't changed. Likewise, they can either be formally educated in computer science or self-taught. But what about their motivations? It mostly comes down to:
Financial Motivations
Individuals such as BreachForums' former owner, Pompompurin, who was apprehended last year, have stolen vast amounts of data and developed networks of like-minded people to prey on those who fail to adequately secure their digital assets or
However, it's not that simple—there are two types of financially motivated cybercriminals:
- Brokers. According to an estimate by the UK government, the average price of an individual's stolen data is £4,335, meaning there is also money for people who connect hackers with data buyers. Whether it's running large-scale scams or something else, data brokers play an integral role in facilitating the flow of data between hands. Most of them are former hackers, using their 'clout' and connections to acquire more clients.
- Malicious Hackers. While most laymen imagine those profiting off data breaches earn millions, the truth is that many are happy to sell stolen data for just about anything. One example is the Evite attack, which saw the social planning service app's user data being sold for just $1,900 on the dark web. Likewise, Australian software company MediSecure saw its data on sale for $50,000. Of course, the more data points per individual, the higher the price.
Political/Ideological Reasons
In recent years, due to ongoing conflicts, regimes such as Russia, China, and North Korea have actively recruited younger, impressionable individuals with computer skills to do their dirty work. Anonymous Sudan, confirmed to be an offshoot of the Russian collective Killnet, is an example.
This wasn't even the first time Cold War-era intentions were played out on the digital battlefield. In 2016, Guccifer 2.0 hacked the DNC to acquire potentially compromising emails, which would have caused the candidate unfavorable to them to lose. We also can't forget about the Syrian Electronic Army (SEA), CyberCaliphate, and APT33, all of which are considered to be made up of young men lured by job prospects by their respective totalitarian governments.
Even the ongoing war in Ukraine has been impacted by volunteer hackers, blurring the lines between civilians and military members more than ever.
Ego and 'Street Cred'
While some dream of earning lots of money or of seeing their homeland overpower a foe in the digital space, the truth is that motivations are often closer to home.
It's a common misconception that, just because they're adept at cybersecurity, cybercriminals are social recluses with an above-average intelligence level. In reality, studies have shown that they are much more like offline offenders than we previously thought, but more manipulative and willing to play the long game.
On the flip side, they're prone to the same mistakes as everyone else. Gal Vallerius, aka OxyMonster, was found and arrested in 2017 after he couldn't stop posting on social media as himself... while using the same tone and vocabulary under his dark web alias.
The same goes for Martin Marsich, the perpetrator of the EA hack, who led himself straight into the hands of the FBI by bragging about his activities and about going on trips to LA instead of lying low.
Know the Cybercriminal, Know Thyself: The Digital Sun-Tzu
Knowledge brings comfort, but having a profile of your average cybercriminal and variations depending on motivation will prepare you better for the battle ahead. In particular, knowing who you're dealing with can help with:
Threat Modeling Based on Attacker Profiles
Knowing the attacker's profile allows for precise threat modeling. When cybersecurity teams can categorize threats based on the attacker's financial, ideological, or psychological motivations, they can prioritize resources and defenses accordingly.
For instance, financially motivated attackers often deploy ransomware or financial fraud schemes. Recognizing this, defenses can be bolstered around transactional systems, employing advanced encryption, multi-factor authentication, and anomaly detection to safeguard financial data.
Informed Development of Detection Systems
Understanding the attacker's tactics and tools informs the development of robust intrusion detection and prevention systems.
When analyzing the methods used in previous attacks, such as phishing campaigns, malware strains, or exploit kits, security teams can create more accurate and responsive detection algorithms. At the same time, developer and product teams can use this knowledge to apply security-by-design principles more effectively, resulting in imperviousness across the board.
This continuous feedback loop of attack analysis and defense adjustment is crucial in maintaining an effective security posture.
Behavioral Profiling for Real-Time Defense
Behavioral profiling of attackers also plays a critical role in defense. Cybercriminals often exhibit patterns in their activities—specific times of day, types of targets, or methods of communication. If a company has access to this data, its team can quickly reinforce protocols that were considered weak links.
Likewise, ML algorithms can be trained on these patterns to predict and identify malicious activities in real time. This predictive capability allows for preemptive measures, reducing the window of vulnerability.
Intelligence Gathering and Proactive Measures
A thorough understanding of the attacker's ecosystem—such as the dark web marketplaces, communication channels, and tools—provides valuable intelligence. This intelligence can be used to anticipate future threats and develop countermeasures before attacks are launched.
Not only that, but it provides invaluable insights to train even non-tech-savvy employees on how to spot more subtle forms of social engineering bolstered by AI-aided personalization.
Enhanced Incident Response Strategies
Incorporating the attacker's perspective into security protocols also enhances incident response strategies.
Once they understand potential attacker scenarios, response teams can develop detailed playbooks that outline specific steps to mitigate various types of attacks and use these same profiling capabilities to aid law enforcement in mounting a rapid response of their own.
Critical Differences Between Regular Criminals and Cybercriminals
| Aspect | Regular Criminals | Cybercriminals |
| --- | --- | --- |
| Tactics and Techniques | Physical methods, direct confrontation | Zero-day exploits, APTs, social engineering |
| Operational Scope | Local or regional impact | Global scale, multiple targets through interconnected networks |
| Anonymity | Limited anonymity; physical presence increases the risk of identification | High anonymity through IP spoofing, VPNs, dark web |
| Resource Requirements | Physical tools and manpower | Digital resources, extensive knowledge, access to cyber tools |
| Detection and Response | Physical evidence, direct observation | Network monitoring, anomaly detection, threat intelligence, rapid digital forensics |
| Jurisdictional Challenges | Single legal jurisdiction | Multiple jurisdictions, requiring international cooperation |
| Economic Impact | Localized and limited impact | Widespread economic damage through data breaches, IP theft, ransomware |
| Motivational Complexity | Straightforward motivations (financial, vendetta) | Multifaceted motivations (financial gain, ideological, geopolitical, notoriety) |
Conclusion
'Getting to know' the average criminal in a profiling sense might be daunting at first, but it won't be long until you notice patterns. Once that happens, you'll know which issues and vulnerabilities to prioritize or even set a honeypot before the criminals become aware of what's happened.
Nevertheless, the proliferation of generative AI and the deepening of social engineering techniques further the game of cat and mouse. Still, cybercriminal profiling brings the cat closer than it otherwise would be.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.