It Was a Good Month for Fighting Cybercrime. Don’t Get Comfortable

Even as police and tech companies get better at shutting down illicit operations, cybercrime is worse than ever.

As ransomware attacks across the United States and around the world reached a fever pitch in 2021, private companies and governments made their most extensive promises yet to address and deter such attacks and dismantle the cyber-criminal ecosystem. A flurry of activity in recent weeks highlights progress on these efforts. But cyber-crime is still at an all-time high, and researchers warn that there is no single holistic solution. 

The Department of Justice announced last Tuesday the takedown of RaidForums, a marketplace for sensitive stolen data like usernames and passwords, Social Security numbers, and individuals’ financial information. They also said they had charged RaidForums’ alleged founder and chief administrator, 21-year-old Diogo Santos Coelho of Portugal, and arrested him in the United Kingdom on January 31. A day later, Microsoft said it had disrupted the ZLoader botnet, a favorite malware distribution platform for ransomware actors that include the Ryuk gang, which is known for targeting hospitals and other health care organizations.

Microsoft even chose to name the alleged developer of one ZLoader component, who lives on the Crimean Peninsula, “to make clear that cyber-criminals will not be allowed to hide behind the anonymity of the internet to commit their crimes.” And during the first week of April, German law enforcement working with US agencies announced the take-down of Russian-language dark web market Hydra. In addition to offering a platform to sell drugs and other elicit goods, Hydra was a major cyber-criminal money-laundering and cash-out hub.

Dark web market and botnet take-downs have been going on for years, but the escalating pace and scale of these interventions is noteworthy. After the Hydra take-down, for example, researchers found that users were concerned about how to replace its services and whether they would be able to trust new sites that could simply be fronts for law enforcement.

Allan Liska, an analyst for the security firm Recorded Future, says Whac-A-Mole is still an apt analogy for what’s going on, but that doesn’t mean there hasn’t been progress.

“Forgive me, I am going to stretch the analogy a little bit,” he said. “When you first start playing Whac-A-Mole, you can’t keep up and the moles keep winning. But if you head out to Coney Island every day with a pocketful of quarters, eventually you get really good at it. For the longest time, law enforcement and Big Tech were getting a little better each time, but now it’s like they are training for the Whac-A-Mole championships. We have seen an acceleration of take-downs over the last few years.”

Liska says expanded international cooperation, more law enforcement experience with running digital operations, and better public/private communication have all contributed to the improvement.

Still, cyber-crime is an ever-present threat. At the end of March, the FBI’s Internet Crime Complaint Center published its annual report on cybercrime-related submissions received in 2021. The group got 847,376 complaints that totaled nearly $7 billion in losses, a 64 percent increase over 2020. And the report opened by saying that last year, “America experienced an unprecedented increase in cyber attacks and malicious cyber activity.”

Researchers say, however, that different types of cyber-crime must be addressed in different ways. For example, the Internet Crime Complaint Center (IC3) said in its 2021 compendium that nearly $2.4 billion of the reported losses came from business email compromise and email account compromise scams. And such schemes are less technical and much more decentralized than ransomware attacks and other types of cyber-crime.

“When there are relatively few actors that run a significant amount of the overall activity, law enforcement intervention can make a noticeable impact in the overall threat landscape,” says Crane Hassold, director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI. “But BEC is highly decentralized; there are literally thousands of actors that are very loosely affiliated—there is no head of the snake.”

Even when it comes to centralized criminal infrastructure like dark web marketplaces, malware families, and botnets, Hydra’s name is apt. Law enforcement will conduct take-downs and even arrests, only to find new iterations of the same services cropping up later using rebuilt infrastructure and run by the actors who got away. As Microsoft put it in an announcement about the ZLoader take-down, “Our disruption is intended to disable ZLoader’s infrastructure and make it more difficult for this organized criminal gang to continue their activities. We expect the defendants to make efforts to revive Zloader’s operations.”

Recorded Future’s Liska emphasizes, though, that this relentless pace shouldn’t distract from the gains defenders are making.

“Yes, bad guys are able to set new stuff up. But we are much better at getting that new stuff knocked down,” he says.

This progress is focused mostly on types of cyber-crime that rely on cryptocurrency to enable massive value transfers, like ransomware and digital extortion. Hassold adds, though, that BEC scammers use totally separate networks of money mules and bank transfer schemes to pilfer traditional fiat currency.

“It will just have to be approached in a completely different way,” he says. “You can’t even arrest dozens or hundreds of these guys or take care of the main actors, because there are no main actors.”

Even as law enforcement makes real progress honing its ability to mount some types of enforcement actions, there’s a bigger conceptual issue if your local arcade keeps adding more and more Whac-A-Mole machines all around you.

Found this interesting? Then check our main news page where you can find all articles related to Crypto, Crime, Darknet, Security and much more!