Electronic copy available at: http://ssrn.

com/abstract=2211842






"#$%& $' "()&#*+,-&.
/00&'1&#* ,'1 23& 456& 50 /#7,'$8&1 "#$%& 9#5:+*

;5#<$'7 =,+&#
>?@A?@BA>C






451&#$- D#5,13:#*2E
=&2&# 9#,)5*<(E
F,%5:' G6,8,)E
D#$7$22& D5:35:#*E
H2&I& "35' J
"3&' K,




G:*2#,6$,' L,2$5',6 M'$I&#*$2( "()&#-#$%& /)*&#I,25#(

Electronic copy available at: http://ssrn.com/abstract=2211842



"#$%& $' "()&#*+,-&.
/00&'1&#* ,'1 23& 456& 50 /#7,'$8&1 "#$%& 9#5:+*


;5#<$'7 =,+&#
>?@A?@BA>C



Roderic Broadhurst, Peter Grabosky,
Mamoun Alazab, Brigitte Bouhours, Steve Chon & Chen Da

Australian National University Cybercrime Observatory
1


Contact: roderic.broadhurst@anu.edu.au
School of Regulation, Justice & Diplomacy
Australian National University
Canberra, ACT, 0200
Australia


G)*2#,-2
This working paper summarizes what is currently known about cybercrime offenders and
groups. The paper briefly outlines the definition and scope of cybercrime, theoretical and
empirical challenges faced when studying cyber offenders, and the likely role of organized crime
groups (OCG). The paper gives examples of known cases that illustrate individual and group
behaviour, profiles typical offenders, including online child exploitation perpetrators, and
describes methods and techniques commonly used to identify crimeware and trace offenders.

N&( O5#1*
Cybercrime; Internet crime; cyber offenders; online offenders; online child sex offenders;
online investigation

1
The research is funded by an ARC Discovery Grant on the evolution of cybercrime (DP 1096833) and supported
by the ARC Centre of Excellence in Policing and Security. We also thank the Australian Communication & Media
Authority (ACMA) and the Computer Emergency Response Team (CERT) Australia for their assistance in the
provision of data. The authors thank Chen Da, Chinese Peoples Public Security University and Visiting Fellow,
ANU, for his assistance in the translation of relevant Chinese language papers.
2

P'2#51:-2$5'
Cybercrime exploits cross-national differences in the capacity to prevent, detect, investigate, and
prosecute such crime, and is fast becoming a growing global concern.
2
This transnational
character provides cybercriminals, whether operating as individuals or as organized crime groups
(OCGs), with the potential to escape counter-measures, even when these are designed and
implemented by the most capable actors.
3
Cybercrime has evolved in parallel with the
opportunities afforded by the rapid increase in the use of the Internet for e-commerce and in the
developing world. In February 2013, 2.7 billion people, nearly 40% of the world population, had
access to the Internet. The rate was higher in the developed world (77%) than in the developing
world (31%). While Africa had the lowest Internet penetration rate (16%), between 2009 and
2013 Internet penetration has grown fastest in Africa (annual growth of 27%) followed by Asia-
Pacific, the former Soviet Union, and the Arab States (15% annual growth rate). Around one-
quarter of all Internet users used English (27%) on the web, and another quarter (24%) used
Chinese.
4


A main reason for the growth in the scale and scope of cybercrime since the mid-2000s has been
attributed to the proliferation of botnets
5
as mass tools for computer misuse and the
amplification of these activities via toolkits (e.g. Zeus) that simplify their deployment. Spam
and malicious websites are still the usual vectors for deceptive intrusion and widespread
distribution of malware such as bots.
6
Various forms of social engineering are also common
means of compromising computers. Botnet operators or herders provide such services for fees
that reflect the number and likely value of zombie (or infected) computers in the botnet. These
activities operate like criminal services in other domains of crime, for example, those of forgers
or money launderers. Crimeware toolkit users also adopt the software as a service approach by
renting out malicious software from their creators or owners for a specified period of time during
which they are able to commit crime. A more basic service is that of a stolen data supplier, who
allow others to download stolen data, such as credit card details, for a fee.
7
In short, cybercrime
has quickly evolved from a relatively low volume crime committed by an individual specialist
offender to a mainstream or common high volume crime organized and industrial like.
8


2
United Nations, A More Secure World, Our Shared Responsibility: Report of the High-Level Panel on Threats,
Challenges, and Change (online, 2004), <http://www.un.org/secureworld/report2.pdf>.
3
S Brenner, Cybercrime Jurisdiction, 2006, Crime, Law and Social Change, 46, 189-206; Council of Europe,
Summary of the Organized Crime Situation Report: Focus on Cybercrime, 2004, Octopus Interface Conference:
Challenge of Cybercrime, September 15-17, Strasbourg; R Broadhurst & K K R Choo, Cybercrime and Online
Safety in Cyberspace, in C Smith, S Zhang, & R Barbaret (eds), International Handbook of Criminology
(Routledge, 2011), 153-165.
4
International Telecommunication Union, ICT Facts and Figures (Geneva, ITU, 2013), <http://www.itu.int/en/ITU-
D/Statistics/Documents/facts/ICTFactsFigures2013.pdf>.
5
A botnet is a network of individual computers, which have been compromised by malicious software and are
controlled by a third-party, usually for the purpose of criminal activities (e.g. sending spam).
6
Malware stands for malicious software such as worms, viruses, and trojans. Bots or web robots allow a malicious
user to control remotely computers infected by malware.
7
Y Ben-Itzhak, Organized Cybercrime and Payment Cards, (2009) 21(2) Card Technology Today, 1011.
8
See T Moore, R Clayton, & R Anderson, The Economics of Online Crime (2009) 32(3) Journal of Economic
Perspectives, 3-20, 3-4, 17; R Anderson, C Barton, R Bohme, R Clayton, M van Eeten, M Levi, T Moore, & S
Savage, Measuring the Cost of Cybercrime, Workshop on the Economics of Information Security (WEIS), 25 June
2012, Berlin, Germany, <http//weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf>.
3


While many types of cybercrime require a high degree of organization and specialization, there
is insufficient empirical evidence to ascertain if cybercrime is now dominated by OCGs and what
form or structure such groups may take.
9
Digital technology has empowered individuals as never
before. Teenagers acting alone have succeeded in disabling air traffic control systems, shutting
down major e-retailers, and manipulating trades on the NASDAQ stock exchange.
10
What
individuals can do, organizations can also do and often better. It is apparent that many if not all
forms of criminal organization are capable of engaging in cybercrime. The Internet and related
technologies lend themselves perfectly to coordination across a dispersed area. Thus, an OCG
may be a highly structured traditional mafia like group that engages delinquent IT professionals.
Alternatively, it could be a short-lived project driven by a group that undertakes a specific online
crime and/or targets a particular victim or group. Rather than groups, it may involve a wider
community that is exclusively based online and dealing in digital property (e.g. trading in
cracked software or distributing obscene images of children).
11
It may also consist of
individuals who operate alone but are linked to a macro-criminal network
12
as may be found in
the darknet and Tor
13
undernet sites.

Many cybercrimes begin with unauthorized access to a computer system. Information systems
may be targeted for the data they contain, including banking and credit card details, commercial
trade secrets, or classified information held by governments. Theft of personal financial details
has provided the basis for thriving markets in such data, which enable fraud on a significant
scale.
14
The Internet has also been used as a vehicle for fraud. Spurious investment solicitations,
marriage proposals, and a variety of other fraudulent overtures are made daily by the hundreds of
millions (for example, see case study on scareware scam). In recent years, insurgent and
extremist groups have used Internet technology as an instrument of theft in order to enhance their
resource base.
15


As digital technology pervades modern society, we have become increasingly dependent upon it
to manage our lives. Much of our ordinary communications and record keeping rely on the

9
J Lusthaus, How Organised is Organised Cybercrime? (2013) 14(1) Global Crime, 52-60.
10
US Securities and Exchange Commission, In the Matter of Jonathan G. Lebed (2000),
<http://www.sec.gov/litigation/admin/33-7891.htm><http://www.usdoj.gov/criminal/cybercrime/juvenilepld.htm>;
<http://cbc.ca/cgi-bin/templates/view.cgi?/news/2001/01/18/mafiaboy010118>.
11
The Internet has been used to communicate a wide variety of content deemed offensive to the point of criminal
prohibition in one or more jurisdictions. Such material includes child pornography, neo Nazi propaganda, and
advocacy of Tibetan independence, to list but a few. Jihadist propaganda and incitement messages also abound in
cyberspace.
12
See T Spapens, Macro Networks, Collectives, and Business Processes: An Integrated Approach to Organized
Crime (2010) 18 European Journal of Crime, Criminal Law and Criminal Justice, 185215.
13
Tor is an encrypted re-routing service designed to obscure the original source of an email or website on the
Internet, sometimes known as The Onion Router. Law enforcement concerns about the widespread misuse of Tor
recently led Japanese police to recommended blocking access to the service to those that misuse it (BBC
Technology, Japanese police target users of Tor anonymous network, 22 April 2013,
<http://www.bbc.co.uk/news/technology-22248692>.
14
M Glenny, Dark Market (Knopf, 2011).
15
Imam Samudra, convicted architect of the 2002 Bali bombings, reportedly called upon his followers to commit
credit card fraud in order to finance militant activities (cited in A Moghadam, The Globalization of Martyrdom: Al
Qaeda, Salafi Jihad, and the Diffusion of Suicide Attacks [Johns Hopkins University Press, 2009]).
4

Internet and related technologies. Just as digital technology enhances the efficiency of our
ordinary legitimate activities, so too does it enhance the efficiency of criminal activities.
Criminals and terrorists use the Internet as a medium of communication in furtherance of
criminal conspiracies.
16
And like for law-abiding citizens, it is a means of storing records and
other information, and performing financial transactions, albeit in the case of criminals, such
transactions may be part of money laundering activities. Manufacturers of illicit drugs advertise
and trade recipes over the Internet.
17



!"#$%&#$% !"#(
Cne of Lhe mosL wldespread onllne scams lnvolves 'scareware', a mallclous Lype of
sofLware LhaL clalms Lo deLecL vlruses and oLher LhreaLs LhaL do noL acLually exlsL. 1he
sofLware ls ofLen adverLlsed Lhrough alarmlng pop-up messages saylng your compuLer ls
lnfecLed and you need Lo buy Lhe anLlvlrus sofLware belng adverLlsed. 1he pop-ups are
perslsLenL, ofLen dlfflculL Lo close, and ln exLreme cases lL ls posslble Lo become lnfecLed
when Lrylng Lo cancel Lhe noLlflcaLlon. ln 2011 a coordlnaLed lnLernaLlonal law
enforcemenL operaLlon, CperaLlon 1rldenL 1rlbunal, dlsrupLed Lhe acLlvlLles of Lwo
cybercrlme groups lnvolved ln Lhe sale of scareware. 1he groups are belleved Lo be
responslble for vlcLlmlzlng more Lhan one mllllon compuLer users and causlng more Lhan
$74 mllllon ln LoLal losses. Cne scam was aLLrlbuLed Lo a group based ln klev, ukralne,
whlch used a varleLy of LacLlcs Lo lnfecL compuLers wlLh scareware, such as dlrecLlng users
Lo a web page feaLurlng fake vlrus scans LhaL lnsLead lnsLalled Lhe mallclous sofLware.
eople were Lhen asked Lo supply Lhelr credlL card number and had Lo pay Lo have Lhelr
compuLer repalred (see full example of lMu below). ln anoLher slmllar scam, Lwo
lndlvlduals ln LaLvla had creaLed a fake adverLlslng agency. vlslLors Lo Lhe agency's
webslLe were lnfecLed wlLh a mallclous scareware and requlred Lo pay a fee Lo have Lhelr
compuLers resLored. 1he success of CperaLlon 1rldenL 1rlbunal resLed on Lhe cooperaLlon
of law enforcemenL among 12 naLlons: ukralne, LaLvla, Cermany, neLherlands, Cyprus,
lrance, LlLhuanla, 8omanla, Canada, Sweden, Lhe unlLed klngdom, and Lhe uS.
18



This paper focuses on common criminal activities in cyberspace, such as fraud, and what we
know about offenders and their modus operandi. We briefly discuss some characteristics of
offenders involved in online child sex exploitation and touch on matters related to the use of
computers in furtherance of political or ideological aims or as instruments of defence or state
initiated cyber-warfare (see case study on Operation Olympic Games). For example, Anonymous
is a loose collective of anarchists who engage in what Denning referred to as hacktivism.
19

Members of this group tend to attack prominent symbols of capitalism and government. The

16
A. Moghadam, 2009, ibid.
17
J Schneider, Hiding In Plain Sight: An Exploration of the Activities of a Drugs Newsgroup (2003) 42(4)
Howard Journal of Criminal Justice, 372389.
18
<http://www.fbi.gov/news/stories/2011/june/cyber_062211/cyber_062211>.
19
D E Denning, Activism, Hacktivism, and Cyberterrorism: the Internet as a Tool for Influencing Foreign Policy,
in D Arquilla & D F Ronfeldt (eds), Networks and Netwars: The Future of Terror, Crime and Militancy (Rand,
2001), 239-288.
3

chosen vehicles for their activities consisted of defacing the websites of government agencies
and corporations, distributed denial of service attacks, which paralysed target computers by
overwhelming them with data, and occasionally the publication of confidential data, like in the
AT&T case. These attacks were usually complemented by online verbal abuse.


)*%$#+,-. )/0(*," 1#(%2
was a coverL collaboraLlon beLween Lhe uS naLlonal SecurlLy Agency and lLs lsraell
counLerparL, unlL 8200, whlch lnLended Lo dlsrupL Lhe lranlan nuclear enrlchmenL
program. lL allegedly lnvolved Lhe clandesLlne lnserLlon of an exLremely complex and
sophlsLlcaLed seL of sofLware, named SLuxneL, lnLo Lhe communlcaLlon and conLrol
sysLems aL Lhe naLanz nuclear faclllLy. 1he sofLware reporLedly lncluded a capaclLy Lo
monlLor communlcaLlons and processlng acLlvlLy, as well as Lhe ablllLy Lo corrupL conLrol
sysLems aL Lhe faclllLy. 1he operaLlon succeeded ln delaylng Lhe progress of uranlum
enrlchmenL Lhrough remoLely conLrolled desLrucLlon of a number of cenLrlfuges used ln
Lhe process. 1he secrecy surroundlng Lhe operaLlon was compromlsed ln parL when Lhe
mallclous sofLware escaped because of a programmlng error. nelLher Lhe unlLed SLaLes
nor Lhe lsraell governmenL acknowledged Lhe exlsLence of Lhe operaLlon.
20



Imbued with the hacker ethos that information should be free, the group also targeted the secrecy
of the Church of Scientology, the proprietary commercialism of the Motion Picture Association
of America, and became a supporter of Wikileaks. When the US Government prevailed upon
various electronic payment service providers to discontinue processing of contributions to
Wikileaks following its publication of secret US State Department messages, Anonymous
orchestrated denial-of-service attacks against the complying sites.
21
A well-known Anonymous
campaign is illustrated in the open letter to Colonel Gadhafis Internet Service Provider (ISP)
during the civil war in Libya (Figure 1).

An activity worth noting is a form of vigilantism or counter-hacking in which individuals may
take direct action against some forms of cybercrime. Rather than simply alerting law
enforcement to a successful or attempted intrusion, or reporting a website that hosts illicit
material such as sexual images of children or a market for stolen credit card details, cyber
vigilantes seek unilaterally to vandalize or disable the offending site. The greater the skills of the
vigilante, the greater the damage they can inflict. For example, on 25 April 2013, hacking group
Anonymous temporarily took down several child pornography websites as part of what they
called Operation Alice. Anonymous has a long history of battling online paedophile rings.
22
Such

20
D Sanger, Confront and Conceal: Obamas Secret Wars and Surprising Use of American Power (Crown
Publishers, 2012).
21
See P Olson, We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber
Insurgency (Little, Brown & Company, 2012); G Coleman, Anonymous: From the Lulz to Collective Action, The
New Everyday, 6 April 2011, <http://mediacommons.futureofthebook.org/tne/pieces/anonymous-Lulz-collective-
action>.
22
M Stone, Operation Alice: Anonymous Punishes Pedophiles, Targets Child Pornography Sites, Examiner.com
(25 April 2013), <http://www.examiner.com/article/operation-alice-anonymous-punishes-pedophiles-targets-child-
porn-sites>.
6

response is illegal in many jurisdictions and counter-hackers may be disinclined to publicize
their exploits. Victims, whose actions provoked the response, are understandably reluctant to call
attention to their own offending. However, there have been some notable disclosures; for
example, a number of retaliatory cyber-attacks by various companies and by the US Department
of Defence in response to electronic intrusions have been documented.
23
Grubb revealed how an
Indian software firm had been engaged by the film industry in response to piracy. The firm
searched the Internet to find movies that were being illegally uploaded, then sent the hosting
server a request to remove the pirated content. Noncompliance with a second request was met
with a denial of service attack. The firm has also claimed to have remotely destroyed pirated
products in order to prevent further illegal use.
24



3.-.0(-42 #+ 3565
A former A1&1 conLracLor, Lance Moore, allegedly handed over Lo Anonymous Lens of
Lhousands of phone numbers, confldenLlal l addresses, usernames, and passwords, plus
corporaLe emalls, and oLher documenLs. 1hese were used by LulzSec
23
Lo embarrass A1&1
vla a publlc daLa dump of Lhese sLolen addresses and documenLs ln !une 2011. 1he
alleged offences were dlscovered Lhrough A1&1's neLwork audlLlng and log managemenL
LhaL ldenLlfled an A1&1 vn connecLlon used Lo upload documenLs Lo llleApe.com aL Lhe
same Llme LhaL unauLhorlzed access was made Lo senslLlve lnformaLlon. 1he l address
used was asslgned Lo a small group of conLracLors, and furLher lnvesLlgaLlon showed LhaL
Moore's accounL was Lhe only one used Lo access boLh llleApe.com and Lhe servers wlLh
Lhe sLolen daLa.
26



23
R Majuca & J Kesan, Hacking Back: Optimal Use of Self-Defense in Cyberspace (Illinois Public Law Research
Paper No. 08-20, 2009), <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1363932>; see also B Smith,
Hacking, Poaching and Counterattacking: Digital Counterstrikes and the Contours of Self-Help (2005) 1(1) Journal
of Law, Economics and Policy, 171-195.
24
B Grubb, Film Industry Hires Cyber Hitmen to Take down Internet Pirates, Sydney Morning Herald, 8
September 2010, <http://www.smh.com.au/technology/technology-news/film-industry-hires-cyber-hitmen-to-take-
down-internet-pirates-20100907-14ypv.html#ixzz205Bikun9>.
25
Lulz Security, commonly abbreviated as LulzSec, was a computer hacker group comprising at least seven
individuals (residing in the US, Ireland and the UK) that claimed responsibility for several high profile attacks,
including the compromise of user accounts from Sony Pictures in 2011. It was affiliated with Anonymous and
AntiSec. The group also claimed responsibility for taking the CIA website offline (see
<http://en.wikipedia.org/wiki/LulzSec>). In April 2013 one of those responsible (25 year old Cody Krestinger) was
sentenced to prison for a year and to 1,000 hours of community service by a US court for his part in the Sony hack
on the play-station network while four others (all under the age of 26) involved with LulzSec in the UK were still
awaiting sentence. Police in both countries were able to secure confessions after getting cooperation from other
hackers (BBC Technology, Kretsinger, Sony Hacker Recursion, Jailed for 1 Year, 19 April 2013,
<http://www.bbc.co.uk/news/technology-22214506>.
26
See P Olson, 2012, op. cit., 286-287 for an account of the machinations within LulzSec; E Chickowski,
Notorious Cybercrooks of 2011 and How They Got Caught, (2011) Dark Reading,
<http://www.darkreading.com/security/attacks-breaches/232300124/the-most-notorious-cybercrooks-of-2011-and-
how-they-got-caught.html?itc=edit_stub>.
7


Figure 1. Anonymous Press Release urging an ISP to decline hosting the website for
Colonel Gadhafi.














































8


In summary, the Internet may be used for criminal activity in three basic ways: it can serve as the
instrument of crime; the target of crime; or it can be used incidentally in furtherance of criminal
activity. The three modes apply to both individual and organizational use, and are not mutually
exclusive. Measuring cybercrime is not straightforward. First, there are many differences in
definition within and between jurisdictions. Second, a large proportion of cybercrime goes
unreported, and possibly unnoticed for some time. In a recent comprehensive study the UN listed
four ways of measuring cybercrime: 1) by using police statistics; 2) by conducting cyber
victimisation surveys of individuals and businesses; 3) by encouraging victims to report; and 4)
by drawing on information from the cyber security industry.
27
This study estimated that of all
instances of cybercrime known to police in 61 countries, one-third related to fraud and forgery;
between one-third and one-half, depending on the country, involved content crime, for example,
distribution of child pornography or terrorism-related material, and copyright infringements; the
remaining 10 to 33% involved hacking and illegal access to computer systems. Individual cyber
victimisation is higher than victimisation via conventional crime. UNODC estimated that
between 1% and 17% of the world population with Internet access had been victims of online
credit card fraud, identity theft, email account hacking, or had responded to a phishing attempt.
28


Many new computer viruses and malware codes are developed by nation state actors or their
surrogates for strategic or tactical offensive action against enemiesrather than as crimeware
(e.g. Stuxnet, the worm created for the Operation Olympic Games against Iran; see also
GhostNet below).
29
However, this malware may escape, or otherwise become available to
OCGs, which then use it to extend their criminal capabilities. The information security industry
is another potential distribution vector for malware, as when penetration testing generates new
codes capable of avoiding filtering and other malware detections. Such malware can be sold or
made available by delinquent security professionals.

The anonymity afforded by the Internet makes it relatively difficult to identify offenders. Skilled
hackers, whether employed by the state, by a criminal organization, or working on their own, are
often able to conceal their true identity. As a result, when ones information systems are subject
to intrusion, one cannot be sure whether the intruder is a sole teenager, an organized criminal
group, or agents of a foreign government. Indeed, two or more of these may be acting in concert,
under arrangements of sponsorship or in some hybrid form. Nor can one be confident of the
physical location from which the attack originated. It has become a clich to suggest that
cyberspace knows no boundaries, and a crime can be committed against a target on the other side
of the world as easily as a target in ones own jurisdiction.

27
United Nations Office on Drugs and Crime (UNODC), Comprehensive Study on Cybercrime (UNODC, February
2013), <http://www.unodc.org/documents/commissions/CCPCJ_session22/13-
80699_Ebook_2013_study_CRP5.pdf>. The report of the comprehensive study on cybercrime was prepared by
UNODC under the auspices of the open-ended intergovernmental expert group.
28
UNODC, 2013, ibid., 25-26.
29
Some are also used by states for cyber espionage, an increasingly controversial area; see D Fiddler, Economic
Cyber Espionage and International Law: Controversies Involving Government Acquisition of Trade Secrets through
Cyber Technologies (2013) 17(10) Insight, 1-6.
9



17-2+8%+
1he name glven by a group of Canadlan researchers ln 2010 Lo a cyber-esplonage
operaLlon apparenLly operaLlng from commerclal lnLerneL accounLs ln Chlna. 1he hackers
compromlsed governmenL compuLers ln over 100 counLrles on several conLlnenLs, Lhey
also LargeLed emalls from Lhe server of Lhe ualal Lama. 1he Chlnese CovernmenL denled
lnvolvemenL, and Lhere was no concluslve evldence Lo Lhe conLrary. 1here was, however,
some evldence of governmenL compllclLy. Chlnese offlclals have confronLed expaLrlaLe
dlssldenLs reLurnlng Lo Chlna wlLh LranscrlpLs of lnLerneL chaLs ln whlch Lhey were
lnvolved durlng Lhelr absence.
30
WheLher Lhe acLlvlLy ln quesLlon was Lhe work of
paLrloLlc hackers acLlng unllaLerally, or skllled lndlvlduals wlLh guldance from sLaLe
auLhorlLles who were oLherwlse acLlng aL arm's-lengLh, remalns unclear. Canadlan
lnvesLlgaLors found evldence of llnks Lo Lwo lndlvlduals ln Lhe underground hacklng
communlLy of Lhe 8C.
31


The standard definition of organized crime enounced in the UN Palermo Convention,
32
based on
the participation of three or more persons acting in concert, does not extend to certain highly
sophisticated forms of organization such as the mobilization of robot networks that may be
operated by a single person. So-called botnets involve an offender using malicious software to
acquire control over a large number of computers (the largest including more than a million
separate machines). Even though the individual and institutional custodians of compromised
computers may be unwitting participants in a criminal enterprise, some commentators maintain
that botnets should be considered a form of organized crime.
33

"3,66&'7&* 50 Q3&5#( ,'1 RI$1&'-&
The absence of evidence about the extent, role, and nature of OCGs in cyberspace impedes the
development of sound countermeasures. While a growing number of experts consider that
cybercrime has become the domain of organized groups and the days of the lone hacker are past,
little is yet known about the preferred structures and longevity of groups, how trust is assured,
and the relationship with other forms of crime. There is an absence of evidence-based research

30
Information Warfare Monitor, Tracking GhostNet: Investigating a Cyber Espionage Network (2009),
<http://www.infowar-monitor.net/ghostnet>.
31
<http://www.nartv.org/mirror/shadows-in-the-cloud.pdf>; J Markoff & D Barboza, Researchers Trace Data Theft
to Intruders in China, New York Times, 5 April 2010,
<http://www.nytimes.com/2010/04/06/science/06cyber.html?pagewanted=all>.

32
Article 2(a) of the United Nations Convention against Transnational Organized Crime defines an organized
criminal group [as] a structured group of three or more persons, existing for a period of time and acting in concert
with the aim of committing one or more serious crimes or offences established in accordance with this Convention,
in order to obtain, directly or indirectly, a financial or other material benefit. Article 2(c) clarifies that a structured
group shall mean a group that is not randomly formed for the immediate commission of an offence and that does not
need to have formally defined roles for its members, continuity of its membership or a developed structure.
33
L Y C Chang, Cybercrime in the Greater China Region: Regulatory Response and Crime Prevention across the
Taiwan Strait (Edward Elgar, 2012).
10

about offender behaviour and recruitment in cyberspace, although learning and imitation play
important roles.
34
Hence, OCGs cannot be understood from just their functional (illicit)
activities, that is as rational profit-driven networks of criminal actors, since socio-cultural
forces also play an important role in the genesis and sustainability of such groups. In some cases
obsessive-compulsive behaviour is evident; in others, a sense of impunity (born of over-
confidence in anonymity) is apparent. Greed may be only one of many motives: lust, excitement,
rebellion, technological challenge, and the desire for notoriety or celebrity status may be present
to varying degrees, depending on the types of crime.

Organized crime is often explained using functionalist (strain theories of disadvantage), learning
(notably differential association),
35
conflict theories, as well as rational choice theories. Crime
prevention practices based on actor choice, and which rely on deterrence, are usually applied.
36

In cyberspace, we have limited understanding and empirical evidence about these causes with
respect to profit or content forms of cybercrime. Broadhurst and Choo hypothesized that OCGs
would be attracted by profits and, therefore they would be more likely to target the more
lucrative online markets. Rather than traditional mafia-like groups, these offending networks
would tend to take new forms.
37
In addition, drawing on the broader organized crime literature,
they argued that more permanent or semi-durable forms of online OCGs are likely to get
involved the extortion of victims who are the owners or custodians of credit card and identity
details.
38
They would be less likely to engage in systematic fraud or deception-related
cybercrime where dynamic and fluid groups or networks would dominate.
39
In turn OCGs have
resources, are resilient, and are able to adapt to changes in their environment. Digital technology
has facilitated OCGs involvement in transnational crime and contributed to the success and
longevity of some OCGs. Understanding the various organizational structures of OCGs helps
predict their behaviour and may improve the ability of police to investigate, disrupt, and weaken
organized crime activity.
40


It is assumed that OCGs are profit-focused enterprises that seek out opportunities provided by ill
-managed ISPs and jurisdictions with weak regulatory control of the Internet. They acquire the
necessary resources for cybercrime by (inter alia) using delinquent IT professionals and
targeting weakly protected computers/networks or other digital devices. Consequently,

34
R Broadhurst & P Grabosky, Computer-Related Crime in Asia: Emergent Issues, in R Broadhurst & P Grabosky
(eds), Cybercrime: The Challenge in Asia (University of Hong Kong Press, 2005), 347-360.
35
T J Holt, G Burruss, & A Bossler, Social Learning and Cyber Deviance: Examining the Importance of a Full
Social Learning Model in the Virtual World (2010) 33 Journal of Crime and Justice, 31-61.
36
G Newman & R Clarke, Superhighway Robbery: Preventing E-Commerce Crime (Routledge, 2003); T J Holt, &
A Bossler, Examining the Applicability of Lifestyle-Routine Activities Theory for Cybercrime Victimization
(2009) 30 Deviant Behavior, 1-25; M Yar, The Novelty of Cybercrime: An Assessment in Light of Routine
Activity Theory (2005) 2 European Journal of Criminology, 407-427.
37
Broadhurst & Choo, op. cit.
38
P Grabosky, R Smith, & G Dempsey, Electronic Theft: Unlawful Acquisition in Cyberspace (Cambridge
University Press, 2001), 34-50. It is apparent that some services in cyberspace offer means to protect illicit data or
information obtained by illicit means; however, these services may not mimic the usual forms of protection offered
by terrestrial OC groups.
39
K von Lampe, Explaining the Emergence of the Cigarette Black-Market in Germany, in P C van Duyne, K von
Lampe, M van Dijk, & J L Newell (eds), The Organised Crime Economy (Wolf Legal, 2005), 209-229.
40
See R Broadhurst & V Ly, Transnational Organized Crime in East and Southeast Asia, in A Tan (ed), East and
South-East Asia: International Relations and Security Perspectives (Routledge, in press).
11

deterrence (increased penalties and detection) is the preferred policy response, complemented by
appropriately trained police (capable guardians) and target hardening.

Alternative theoretical approaches that posit particular offender motives or pathologies, or the
role of social conflict, have not featured widely in explanations of cybercrime. Early accounts of
hackers emphasized individuality and a non-profit orientation, but also observed the likely shift
to profit-oriented misuse as the Internet developed.
41
Indeed, the role of social learning and
offender pathology has been neglected but may play a significant role in predisposing some
actors to criminal activity and risk-taking in cyberspace, where anonymity reduces social
surveillance and self-control.
42
Hate and so-called content crimes perpetrated via the Internet
may reflect social or individual pathologies, and less the exercise of rational choice although it
may be rational to adopt Internet strategies of dissemination.
43


Functionalist approaches assume crime is a normal adaptation to change, and indeed represents a
creative response to adversity, usually experienced as different forms of social exclusion.
Cybercrime in this sense is normal, albeit novel in its form. Thus, successfully suppressing
cybercrime may only be achieved at the cost of limiting the Internets natural advantages, such as
low-cost connectivity. Another approach is to explain certain forms of crime as the result of
conflict within society and disputes about what constitutes crime. In this view, criminalization of
an act represents the exercise of power by elites. Thus, defining behaviour as deviant or criminal
may represent only sectional interests with little real community support. For example, the
development of digital technology has recently made it possible to easily copy movies and music
as digital media. Many people embraced the new technology and started exchanging such media.
Subsequently the practice of illegally copying digital media without paying the copyright holders
was criminalized, with attendant changes to community attitudes, opportunities for criminals,
and policing practice.

In the following sections we discuss a number of current and past examples of cybercrime, and
the role of groups and individuals that are involved in these crimes. We begin with the role of
groups or networks, and individuals involved in distributing child pornography on the Internet.
In general, this activity has attracted more interest and research about offenders than have other
types of cybercrime. However, such child exploitation groups or networks may not share the
organizational forms of other criminal groups operating in cyberspace. This section draws on
recent work by the authors for the Virtual Global Taskforce (VGT) on Child Protection a
consortium of several police agencies across the globe. Then we turn to the volume cybercrime
par excellence, spam
/'6$'& "3$61 H&S:,6 RS+65$2,2$5'
The production and dissemination of child pornography (CP) and child exploitation material
(CEM) has been widely criminalized. As the Internet facilitates the accessibility to CEM there

41
A Chantler, Risk: The Profile of the Computer Hacker, unpublished PhD Thesis (Curtin University, 1996).
42
R Broadhurst & K Jayawardena, Online Social Networking and Paedophilia: An Experimental Research
Sting, in K Jaishankar (ed), Cyber Criminology: Exploring Internet Crimes and Criminal Behavior (CRC Press,
2007), 79-102.
43
R Broadhurst, Content Cybercrimes: Criminality and Censorship in Asia (2006) 34(1&2) Indian Journal of
Criminology, 11-30.
12

are concerns that it may in turn stimulate the demand for newer and more extreme images as well
as increase the risk of real life abuse. An early example of online trade in CEM was the activity
of a group known as W0nderland. Established around 1995, its membership consisted of about
180 persons from 49 countries who exchanged thousands of illicit images of children, until it was
closed by the combined cross-national police investigation Operation Cathedral in 1998. This
closed group operated in a similar way to other peer-to-peer (P2P) online groups who traded in
illicit goods such as pirated software or music.

A recent study found that in a sample of over 3,500 online CEM offenders, one in six were also
involved in offline molestation of children.
44
Additional research on online sexual offenders is
ongoing and studies addressing, for example, differences between online and offline child sex
offending,
45
potential links between online and offline offending,
46
and online grooming
behaviours
47
are available. This body of research about potential links between online offending
and child sexual molestation has produced contradictory findings.
48


A review of 27 studies addressing the question of whether online offenders differ from offline
offenders found that online offenders were more likely to be Caucasian, unemployed and
marginally younger than offline offenders.
49
They showed higher levels of empathy (toward
victims), but also greater levels of sexual deviance than offline offenders. The researchers
concluded that online offenders appeared to exercise more self-control than offline offenders.
They suggested that further research should explore the barriers to acting on their deviant
interests and whether the emotional distance inherent in child pornography (CP) use is a feature
of online offending.

Between July 2010 and June 2011 the Virtual Global Taskforce (VGT)
50
collected data on a
small, non-random sample of 103 suspected CEM possessors who allegedly downloaded and
exchanged such material through the medium of online P2P services provided to Internet-
enabled users. Because of the small size of the sample and its non-random case selection process,
findings are not generalisable to the population of online offenders, but some insights into the
characteristics of these individuals and their offending can be gained.
51


44
J Wolak, D Finkelhor, & K Mitchell, Child Pornography Possessors: Trends in Offender and Case
Characteristics (2011) 23(1) Sex Abuse: A Journal of Research and Treatment, 22-42.
45
A Elliot, A Beech, R Mandeville-Norden, & E Hayes, Psychological Profiles of Internet Sexual Offenders:
Comparisons with Contact Sexual Offenders (2009) 21(1) Sex Abuse: A Journal of Research and Treatment, 76-92;
L Webb, J Craissati, & S Keen, Characteristics of Internet Child Pornography Offenders: A Comparison with Child
Molesters (2007) 19 Sex Abuse: A Journal of Research and Treatment, 449-465.
46
J Endrass, F Urbaniok, L C Hammermeister, C Benz, T Elbert, A Laubacher, & A Rossegger, The Consumption
of Internet Child Pornography and Violent and Sex Offending (2009) 9 BMC Psychiatry, 43-49.
47
Broadhurst & Jayawardena, op.cit..
48
For example, Broadhurst & Jayawardena, ibid.; Elliot et al., op. cit.; Endrass et al., ibid.; Webb et al., op. cit..
49
K Babchishin, R Hanson, & C Herrmann, The Characteristics of Online Sex Offenders: A Meta-Analysis (2011)
23(1) Sex Abuse: A Journal of Research and Treatment, 92-123.
50
The Virtual Global Taskforce (VGT) for Combating Online Child Sexual Abuse is an international partnership
between nine law enforcement agencies established in 2003 for details see
<http://www.virtualglobaltaskforce.com/>.
51
B Bouhours & R Broadhurst, Statistical Report: Virtual Global Taskforce P2P Online Offender Sample July
2010June 2011 (Australian National University, 2011), available at SSRN <http://ssrn.com/abstract=2174815> or
<http://dx.doi.org/10.2139/ssrn.2174815>.

13


All suspects were male and ranged in age from 15 to 73 years (mean age = 41.2 years and
median age = 40 years). One in five suspects was not working but was retired, unemployed, or
receiving sickness benefit; the others were working or studying. Forty-two per cent were living
with a partner and/or children and were significantly older than single offenders (50 years on
average compared to 35.2 years). Around 4% of offenders were reported as having a mental
health problem. It was estimated that around 30% of the sample had above average access to
children because, among other reasons, they themselves had children, they worked with children
or they occasionally had access to other peoples children, for example, when babysitting.

Suspects had been involved in online CP-related activities for an average of 4.8 years (ranging
from 6 months to 30 years). The offending material seized from the suspects computers
included both sexualized and non-sexualized images of children, and 35% of the suspects
possessed 10,000 or more images. Over 60% of suspects not only collected CP but also
traded/distributed it through the P2P network, and 35% were involved in network(s) other than
P2P. Of those, half were participating in offline networks, which suggests that individuals who
go beyond collecting CP to trading or producing it do so online but also in real life.

Fewer than 20% of suspects collected exclusively images of children not engaged in sexual
activity. For 35% of suspects, the most serious images in their possession involved sexual
activity between children, and for 47%, sexual assault by adults including penetration and
sadistic activities.

All suspects were concerned with hiding their activities from others, but only 60% succeeded in
separating it totally from their daily life. For the rest of the group their offending activities
tended to become obsessive, were more or less enmeshed with their daily life, and were possibly
not well hidden from others. The latter group tended to be of low socio-economic status and to
be highly computer literate. Of the 103 arrested suspects, 5.8% had previously been charged with
online child sex offending (CSO), 17.5% with contact CSO involving children younger than 16
years, and 14.6% with non-sexual offending. In addition, evidence that at the time of their arrest
suspects were also engaged in offline, hands-on CSO was found in 15.5% of cases. Two-thirds
of those suspects had a prior history of sexual offending against children. There was little overlap
between prior sexual and non-sexual offending, which suggests specialization in child sex
offending.

Based on the suspects length of offending, the type of offending activities they were carrying
out, the way in which they managed their offending, and the amount of CEM found in their
possession it was possible to construct a depth of involvement scale ranging from 1 (low
involvement) to 4 (deepest involvement). About one in five suspects were categorized as low
involvement, one-third had a medium depth of involvement, the same proportion was
categorized as deeply involved, and it was estimated that just over 10% had the deepest
involvement. As Table 1 shows, suspects with the deepest involvement in CEM activities were
also those most likely to have engaged or currently engage in real life CSO.


14

Q,)6& >@ "5'-:##&'2 500&'1$'7 )( *:*+&-2T* 1&+23 50 $'I56I&%&'2 $' 5'6$'& "H/ UVW
Depth of involvement in online CSO
Type of offending
Low
N=22
Medium
N=34
Deep
N=31
Deepest
N=11
Prior/current real life CSO 0.0 26.5 16.1 45.5
**

Prior/current real life and
prior online CSO
4.5 29.4 25.8 63.6
**

Prior non-sexual offending 13.6 11.8 16.1 27.3
**
p<.01. Source: Bouhours and Broadhurst 2011

To sum up, this study found that offenders in the VGT sample had a relatively high rate of
previous and concurrent hands-on child sex offending, and for over half the suspects with prior
child molesting charges, there was also evidence of current engagement in hands-on offending.
However, because of the small sample size in this study and potential selection bias, it is not
possible to answer the question of whether men who engage in online CSO are at greater risk of
also engaging in real life sexual offending against children. This would be an important line of
inquiry for future research.
H=GF ,* P'0&-2$5' X&-25#
While the Internet permits the rapid distribution of a wide range of material, it has also resulted
in the circulation of a large volume of unwanted messages or spam. There is no universal
definition of spam. The Australian Communication and Media Authority (ACMA) defines spam
as unsolicited commercial electronic messages. Under this definition, a single electronic
message can be considered spam.
52
On the other hand, Spamhaus
53
consider that an email is
spam if it is both unsolicited and sent in-bulk. Unsolicited messages have created a serious
problem due to their enormous volume. For example, the Grum botnet, taken down in July 2012,
was able to generate 18 billion emails a day!
54
Spam takes many forms. It can be used to merely
advertised products or services; however, spam is often the initial means for cybercriminals, such
as the operators of a fraudulent scheme, to contact and solicit prospective victims for money, or
to commit identity theft by deceiving them into sharing bank and financial account information
(the Zeus case illustrates such malware).

Spam emails remain the major vector for the dissemination of malware that infects computers
clandestinely. Unlike the type of low volume-high value cybercrime that targets banks and
financial services and requires advanced hacking capability, spam enables malware to reach

52
The Australian Communications and Media Authority (ACMA),
<http://www.acma.gov.au/WEB/STANDARD/pc=PC_2861>.
53
Spamhaus Project is an international non-profit organization, which tracks Internet spam operations and sources,
and collaborates with law enforcement agencies to identify and pursue spam gangs worldwide. Spamhaus maintains
a number of real time spam-blocking databases, including the Spamhaus Block List, the Exploits Block List, the
Policy Block List and the Domain Block List; see < http://www.spamhaus.org>.
54
S Cowley, Grum Takedown: 50% of Worldwide Spam is Gone, CNN Money, 19 July 2012,
<http://money.cnn.com/2012/07/19/technology/grum-spam-botnet/>.
13

high volume-low value targets that are less likely to have effective anti-virus or other
countermeasures in place. Such malware is distributed in one of two types of spam: those with an
attachment that contains a virus or trojan that installs itself in the victims computer when the
attachment is opened; and those with a hyperlink to a web page where the malware is then
downloaded onto the compromised computer.


57% 9%42 +$-:#.
1he malware 'Zeus' was used by ukralnlan hackers Lo galn access Lo Lhe compuLers of
employees of small buslnesses, local governmenL, and non-governmenL organlzaLlons ln
Lhe unlLed SLaLes. 1argeL compuLers were hacked when Lhe vlcLlms opened a seemlngly
benlgn emall message. 1hls enabled access Lo Lhe compuLer's daLa such as bank accounL
numbers and password deLalls. Cybercrlmlnals ln ukralne were Lhen able Lo log on Lo Lhe
bank accounLs and lllegally wlLhdraw funds. AssoclaLes of Lhe ukralnlan organlzers
adverLlsed on 8usslan language webslLes lnvlLlng sLudenLs llvlng ln Lhe uS Lo help ln
Lransferrlng Lhe sLolen funds ouL of Lhe counLry. 1hese 'mules' were provlded wlLh fake
passporLs and asked Lo open accounLs under false names ln varlous uS banks, bulldlng
socleLles and oLher flnanclal lnsLlLuLlons. ukralne-based organlzers Lransferred funds from
Lhe vlcLlms' leglLlmaLe accounLs Lo Lhe mules' accounLs, who were lnsLrucLed Lo Lransfer
Lhe money Lo offshore accounLs or Lo physlcally smuggle lL ouL of Lhe uS. llve persons
were arresLed ln ukralne, 11 ln Lhe unlLed klngdom, and 27 ln Lhe uS (8 more were
charged ln Lhe uS buL remalned aL large). 1he moLlve of Lhe organlzers was solely
flnanclal and Lhe Zeus malware was Lhe 'LoolklL' used. 1he volume and repeaLed naLure of
Lhese offences drew Lhe aLLenLlon of pollce and led Lo Lhelr dlscovery.
33


In order to mitigate the threat of infection via attachments, security firms and other organizations
often block or reject emails that contain an executable file (e.g. with the extension .exe).
Cybercriminals have adapted by sending malware within PDF attachments or images. Another
way is to use a double extension: the first extension is that of a benign attachment (e.g. .jpg), but
the second extension represents what the file really is (.exe); a gap between the two extensions
prevent spam filters to discover that the attachment is actually an executable file. Malicious
URLs included in spam emails seem to be more effective than attachments and have become the
major way of infecting computers. The email often uses alarming language (for example, your
Google account suspended) to convince users to click on the malicious URL. When they do,
users are prompted to install a malicious code disguised as legitimate software, or the link itself
is infected. Alternatively, users can be redirected to a fake website where they are asked to enter
confidential information such as bank details.

The Australian National University Cybercrime Observatory is currently conducting research on
large domestic and international samples of spam emails collected over one year. One aim of the
project is to describe the diversity of spam emails and examine whether it varies overtime. The

55
<http://www.fbi.gov/newyork/press-releases/2010/nyfo093010.htm>;
<http://www.justice.gov/usao/nys/pressreleases/September11/garifulinnikolaypleapr.pdf>;
<http://www.justice.gov/usao/nys/pressreleases/September10/operationachingmulespr%20FINAL.pdf>.
16

study also tries to classify spam emails depending on whether they contain malware as
attachment, malicious URLs, or are merely annoying communication that causes no harm to the
computer. Finally, it is hoped that these and other analyses will permit to predict which types of
spam are most dangerous and develop prevention strategies.
/00&'1&#* ,'1 23& 456& 50 /#7,'$8&1 "#$%& 9#5:+*
In this section we review some of the available data on online offenders, groups, and networks.
Information about cyber offenders is limited. It often relies upon retrospective studies of
prosecuted cybercrime cases and limited or convenience samples, but also self-report studies,
observation of the dark net or underground Internet, and honeypots.
56
An increasingly
common method used by researchers to gather data on offenders is through the observation of
communication in discussion forums and chat rooms. Undercover law enforcement operations
also target online underground forums.

It may be easier to identify those engaged with OCGs
when such groups are discovered. We stress that at present there is a scarcity of evidence about
the nature and behaviour of online offenders as compared to other offenders, and that even less is
known about the structure or morphology of criminal groups/networks operating in cyberspace.
The fundamental hypothesis is that criminal structures evident in the real world are likely to be
duplicated in the cyber world. It is also likely that virtual only criminal networks or groups will
manage the essential issue of trust in ways that will mimic the conventional practices of crime
groups in the real world.
57

;50*,"#/< -==%.>%$ *$-=,/%
Yip et al. argue that the cyber security industry has so far had a narrow response to cybercrime
by focusing essentially on its technical aspects.
58
This approach runs the risk of leading to a
never-ending cat-and-mouse chase, as new technologies emerge and cybercriminals adapt to
them. They suggest a different approach, which considers cybercrime a socio-technological
phenomenon and attempts to understand some of the characteristics of the people committing
these crimes: their motivations, attitudes, and behaviour, as well as the environments in which
they operate. As access to computers and the Internet became widespread, hackers have grown
more sophisticated. Criminal hackers who apply their skills to acquiring material benefits have
increasingly supplanted the thrill-seeking, computer-savvy hackers of the 1970s and 1980s who
promoted a quasi-ideological culture of the free Internet.
59


Li attempted to draw a profile of cybercriminals by analysing 115 typical cases of cybercrime
prosecuted in the US between 1998 and 2006.
60
These cases involved a total of 151 offenders
who were overwhelmingly male (98%) and ranging in age from 14 to over 45 years. Forty per

56
Honeypots are computer systems set up to attract and trap potential offenders who try to access data illegally.
57
M Yip, C Webber, & N Shadbolt, Trust among Cybercriminals? Carding Forums, Uncertainty and Implications
for Policing (2013) Policing and Society: An International Journal of Research and Policy,
DOI:10.1080/10439463.2013.780227.
58
M Yip, N Shadbolt, T Tiropanis, & C Webber, The Digital Underground Economy: A Social Network Approach
to Understanding Cybercrime, paper presented at the Digital Futures conference, Aberdeen, 23-25 October 2012.
59
Y Lu, X Luo, M Polgar, & Y Cao, Social Network Analysis of a Criminal Hacker Community (2010) Winter
Journal of Computer Information Systems, 31-41.
60
X Li, The Criminal Phenomenon on the Internet: Hallmarks of Criminals and Victims Revisited through Typical
Cases Prosecuted (2008) 5 University of Ottawa Law & Technology Journal, 125-140.
17

cent were 25 years or under, 35% were 26 to 35 years and the rest were over 35 years. A more
recent review of over 7,000 documentary sources and interviews with expert practitioners
conducted by McGuire confirmed that the average age of cyber offenders is increasing: he
estimated that 43% of digital crime group members were over 35 years and only one-third (29%)
younger than 25 years.
61


Lu et al., drawing on data from the Criminal Investigation Bureau of Taiwans cybercrime
database between 1999 and 2004, showed that the top five cybercrimes in Taiwan were:
distributing messages regarding sex or trading sex on the Internet, Internet fraud, larceny, cyber
piracy, and pornography. Over 80% of offenders were male and nearly 30% belonged to the 18-
23 age bracket; 45% had attended some senior high school and 24% were currently enrolled
students. The majority acted independently

and about one-third were involved with other
offenders.
62


Most of the cases analysed by Li did not use complicated techniques. Overall, 65% of attacks
used basic skills, 13% required moderate skills and 22% advanced skills. The most sophisticated
attacks were those using viruses, worms, and spyware.
63
McGuire noted that the possibility of
purchasing or downloading crimeware such as ready-made viruses that exploit the vulnerabilities
of individual computers, or more sophisticated toolkits able to hijack many computers, indicates
that criminals no longer need advanced technical skills.
64


Marcum et al.s study is one of only a few about the sentencing of convicted cybercrime
offenders. The data suggest that cyber offenders may be among the least likely to be sentenced to
jail.
65
Information from the United States Department of Justice for the five-year period 2006
2010, showed that a total of 1,177 individuals were convicted for cybercrimes. Of these, just
over half (51.7%) received a sentence including any prison time. Sentences were typically short:
of those sentenced to incarceration, more than one-third (35%) were sentenced to 12 months or
less in prison; 27% to 1324 months; 12% to 2536months; and 19% to more than 3 years. In
their sample of convicted cyber offenders under state supervision from three western states,
Marcum et al. found that 65% of offenders had been sent to prison rather than community
corrections. Sixty-two per cent of the sample was male with an average age of 35 years. Eighty-
six per cent of the sample was white and the average education was a high-school diploma. Six
per cent were members of a gang and a high proportion had prior convictions. The sample had a
relatively high rate of prior violent convictions, which may explain the high rate of prison
sentences.
66
A study of sentencing outcomes for computer crime in Australia and New Zealand
revealed no significant differences between cases where a computer was used in the commission
of the offence and those where computers were absent. Sentences imposed on offenders who

61
M McGuire, Organised Crime in the Digital Age (John Grieve Centre for Policing and Security, London
Metropolitan University, 2012).
62
CC Lu, WY Jen, W Chang, S Chou, Cybercrime & Cybercriminals: An Overview of the Taiwan Experience
(2006) 1(6) Journal of Computers, 11-18.
63
Li, 2008, op. cit.
64
McGuire, 2012, op. cit.
65
C D Marcum, G E. Higgins, & R Tewksbury, Incarceration or Community Placement: Examining the Sentences
of Cybercriminals (2012) 25(1) Criminal Justice Studies, 3340.
66
Marcum et al., 2012, ibid., 35-37 actual sample size was not given and attempts to contact the authors were
unsuccessful.
18

used computers appeared slightly more lenient than those received by their exclusively terrestrial
counterparts. These findings should be treated with caution, since they were based on cases
arising from offences that occurred more than a decade ago. The data base, moreover, may have
been vulnerable to sampling bias.
67

?0@%$A"$,(,.#/2 ,. ?7,.#
With recent massive economic growth, China has become as vulnerable as other places to
cybercrime focused on financial rewards, as the case study on online fraud illustrates. The
Ministry of Public Security reported that half of all cyber offenders identified in 2005 were over
the age of 26, 45% were between 18 and 25 years, and the rest were under the age of 18. Fraud
was the typical crime. Data for 2011-2012 from the Hubei province indicated that 90% of known
cyber-criminals were 30 years of age or less. Cybercrime cases reported in Luoyang, Henan
province, between 2006 and 2009 consisted for the most part of online fraud (70%), online theft
(10%), and online pornography (5%).
68
In 2011 in Shenzhen, Guangdong province, 57% of
cybercrime cases known to the police were online fraud, 15% were online pornography, and 6%
online theft.
69



BC? #.> 5#,&#. *-/,"% "$#"D +%/%"-( =$#4> E#.E
FG

ln a [olnL lnvesLlgaLlon, Lhe Chlnese and 1alwan pollce 'cracked' a ma[or onllne fraud case
LargeLlng 1alwan resldenLs, one of several cross-sLralL fraud crlme groups lnLerdlcLed ln
recenL years.
71
Cn !uly 26, 2012 pollce from lu[lan, Cuangdong and Palnan, asslsLed by
1alwanese pollce, ralded 33 locaLlons, and deLalned 260 suspecLs, lncludlng 26
1alwanese. reLendlng Lo be onllne web sLaff, Lhe suspecLs lllegally obLalned cusLomers'
personal lnformaLlon Lhen phoned Lhem. 1hey Lold Lhe onllne shoppers LhaL due Lo bank
sysLem errors, Lhelr lump sum paymenL had been shlfLed Lo an lnsLalmenL accounL. Cang
members lured Lhe cusLomers lnLo Lransferrlng paymenL lnLo Lhe gang's bank accounLs by
saylng Lhey could avold paylng exLra LransacLlon fees Lo Lhe bank.


Studies conducted in the provinces of Jiangsu (2007-2010) and Guangdong (2004-2006) provide
some offender demographic data. In Suzhou (Jiangsu), one of Chinas most economically
developed cities, 120 cases were recorded by the prefectures judicial and procuratorial agencies
between 2007 and 2010. Of the 195 offenders involved in these cases, 91% were males, 81%
were aged between 18 and 35 years, and 37% were college educated or above; however, a

67
P Grabosky, R Smith, & G Urbas, Cyber Criminals on Trial (Cambridge University Press, 2004). The fact that
certain offences (such as child pornography offences) are being viewed with increasingly intense disapproval by
authorities, and that such offences are greatly facilitated by digital technology, suggests that the salience of digital
technology to sentencing outcomes may become greater in the future.
68
W Zhang, An Empirical Research on Cybercrime in Metropolis, Master dissertation (China University of
Political Science and Law, Beijing, 2010).
69
Personal communications with MPS PRC January 9, 2013 cited from various Chinese sources.
70
Xinhua News, 12 December 2012.
71
The MPS reported that since 2010 over 2,500 suspects had been apprehended operating similar scams, and each
illicit operation appeared to engage large groups, often in excess of 100 persons.
19

relatively large proportion were unemployed (40%), while 29% worked for private enterprises
and 12% were self-employed.
72
About one in five (23.3%) cases in Suzhou involved more than
one offender, but an earlier study in Guangdong indicated that the proportion of joint offences
was higher and the trend was increasing.
73


Cybercrime groups often work regionally and countermeasures require collaboration between
police forces. In 2010, the Taiwanese Criminal Investigation Bureau and Chinese police officers
arrested 329 individuals in China, 121 individuals in Taiwan, as well as some individuals in
Vietnam in relation to phone and Internet auction fraud.
74
The group leader and the core crime
group were based in Taiwan. The group consisted of three subgroups with specific functions: the
first, called the technical support team, comprised five IT specialists who maintained the
network and computer infrastructure and provided technical support and service. The second
subgroup consisted of smaller teams working in underground locations in some China provinces
such as Anhui, Hunan, and Guangdong. They used information consultancy companies to cover
for the making of fraudulent calls, and some experts provided training and created scripts for
these phone calls. Finally, there was also a financial team that transferred illicit money through
underground banks. These three subgroups shared the profits and got respectively 30%, 40%,
and 30% from each successful fraud operation. More recently, in 2012, police from Fujian,
Shaanxi, and Anhui raided 17 gang locations and apprehended 86 suspects including the leader
Liu Xinglin, a Taiwanese fugitive wanted for fraud.
75
The crime group may have been operating
since 2003 and is thought to have swindled over 20 million CNY (US$3.16 million). Offenders
involved outside of the core group included suspects in PR China and Vietnamese nationals. The
fraud succeeded because of loopholes in the regulation of the financial and communication
companies that were targeted. Members of the crime group posed as government officials and
were able to withdraw cash from Taiwanese online bank accounts.
57% $-/% -= -$E#.,H%> "$,(% E$-4*2
Governments, law enforcement, academic researchers, and the cyber-security industry speculate
that conventional organized crime groups have become increasingly involved in digital crime.
The available empirical data suggest that criminals, operating online or not, are more likely to be
involved in loosely associated illicit networks rather than formal organizations.
76
McGuires
review found that up to 80% of cybercrime could be the result of some form of organized
activity. This does not mean, however, that these groups take the form of traditional, hierarchical
organized crime groups or that these groups commit exclusively digital crime. Rather, the study
suggests that traditional organized crime groups are extending their activities to the digital world
alongside newer, looser types of crime networks. Crime groups show various levels of

72
Z Li, C Jin, F Zhang, & M Yan, Survey and Analysis on Cybercrime from 2007-2010 in Suzhou City (2011) 10
Journal of Criminal Science, 120-126.
73
X Zhang, An Empirical Research on Property-Related Crime over the Internet in Guangdong (2007) 4 Journal of
Criminal Science, 95-101.
74
See <http://www.cib.gov.tw/news/news01_2.aspx?no=2974>;
<http://www.gwytb.gov.cn/guide_rules/exe/201210/t20121030_3250408.htm> (translated from Chinese by Chen
Da).
75
Xinhua News, 19 October 2012.
76
D Dcary-Htu & B Dupont, The Social Network of Hackers (2012), Global Crime, available at SSRN
<http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2119235 DOI:10.1080/17440572.2012.702523>.
20

organization, depending on whether their activity is purely aimed at online targets, uses online
tools to enable crimes in the real world, or combine online and offline targets.

McGuires review estimated that half the cybercrime groups in his sample comprised six or more
people, with one-quarter of groups comprising over 10 individuals. One-quarter of cybercrime
groups had operated for less than 6 months. However, the size of the group or the duration of
their activities did not predict the scale of offending, as small groups could cause significant
damage in a short time.

Cybercriminals may increasingly operate as loose networks but evidence suggests that groups are
still located in close proximity even when their attacks are cross-national. For example, small
local networks as well as groups centred on relatives and friends remain significant actors.
Cybercrime hot spots with potential links to OCGs are found in countries of the former Soviet
Union.
77
Hackers from Russia and Ukraine are regarded as skilful innovators. For example, the
cybercrime hub in the small town of Rmnicu Vicea in Romania is one of a number of such hubs
widely reported in Eastern Europe.
78
As discussed above, there is also increasing concern about
cybercrime in China.
79
The source and extent of malware attacks (whether of domestic or foreign
origin) and the scale of malware/botnet activity remain unclear, but a substantial proportion of
Chinese computers are compromised and it is likely that local crime groups play a crucial role.
80

A recent study of spam and phishing sources found that these were heavily concentrated in a
small number of ISPs (20 of 42,201 observed), which the author dubbed Internet bad
neighbourhoods; one in particular, Spectranet (Nigeria), was host to 62% of IP addresses that
were spam related. Phishing hosts were mostly located in the United States while spam
originated from ISPs located in India, Brazil and Vietnam.
81


Given the diversity of the types and sources of cybercrime, it is important to avoid stereotypical
images of cybercriminals or spreading an alarmist or moral panic narrative associated with
cybercrime. Popular images include the menacing Russian hacker in pursuit of profit or more
recently the Chinese hacker patriot. Such offender images offer a specific type of folk devil;
David Wall regards them as inherently misleading about the assumptions of offender action and
sources of cybercrime.
82
Despite the media image, offenders come from many nations and

77
N Kshetri, Cybercrime and Cybersecurity in the Global South (Palgrave Macmillan, 2013), chapter 3; see also
Microsoft Security Blog <http://blogs.technet.com/b/security/archive/2010/03/25/profile-of-a-global-cybercrime-
business-innovative-marketing.aspx>.
78
Y Bhattacharjee, Why Does A Remote Town In Romania Have So Many Cybercriminals? (2011) February,
19(2) Wired.
79
China Daily, Internet Policing Hinges on Transnational Cybercrime, 10 November 2010.
<http://www.china.org.cn/business/2010-11/10/content_21310523.htm>; D Pauli China is the Worlds Biggest
Cybercrime Victim, 22 March 2012, <http://www.scmagazine.com.au/News/294653china-is-the-worlds-biggest-
cybercrime-victim.aspx>.
80
Kshetri, 2013, op. cit.; Chang, 2012, op.cit.; N Kshetri, Cyber-Victimization and Cyber-Security in China (2013)
in Communications of the ACM (forthcoming); R Broadhurst & Y C Chang YC, Cybercrime in Asia: Trends and
Challenges, in B Hebenton, SY Shou, & J Liu, Asian Handbook of Criminology (Springer, 2013), 49-64.
81
G C Moura 2013, Internet Bad Neighbourhoods (Enschede, The Netherlands: Centre for Telematics and
Information Technology, 2013).
82
D S Wall, The Devil Drives a Lada: The Social Construction of Hackers as Cybercriminals, in C Gregoriou (ed),
The Construction of Crime (Palgrave Macmillan, 2012), 4-18.
21

motivations are diverse, although financial motives tend to dominate.
83
The Butterfly Botnet case
study exemplifies both the diversity of national involvement and the use of bespoke toolkit
malware in this case the small group of offenders were Spanish and the alleged creator of the
software, Slovenian.


I#$,*-2# ;J4++%$=/0< J-+.%+
KL

1he suspecLed creaLor of Lhe 8uLLerfly 8oL sofLware known by Lhe allas 'lserdo' was
arresLed ln Slovenla ln 2010. 1he purpose of Lhe malware was Lo lnfllLraLe vasL numbers
of compuLers, whlch could Lhen be conLrolled remoLely by crlmlnals. 1hese cybercrlmlnals
monlLored Lhe acLlvlLles of Lhe lnfecLed compuLers Lo sLeal lnformaLlon such as bank
accounL numbers and passwords. 1he malware could self-propagaLe Lo non-lnfecLed
compuLers connecLed Lo Lhe same neLwork. 1he 8uLLerfly 8oL sofLware was allegedly
purchased by ulas de esadllla (uu or ln Lngllsh, nlghLmare uay 1eam), a small
cybercrlme group based ln Spaln. uslng Lhe sofLware, Lhe group managed Lo bulld a
boLneL of 12 mllllon compuLers worldwlde, for Lhe purpose of fraud. 1hls was one of Lhe
largesL known boLneL for Lhe purpose of fraud.
83
lL was wldely used Lo sLeal logln
credenLlal daLa from varlous slLes such as banks. 1he uu gang leader (a 31-year old
male) and Lwo oLher prlnclpals were arresLed by Spanlsh naLlonal ollce ln early 2010 and
Lhe sofLware creaLor laLer LhaL year, buL ln laLe 2012, anoLher suspecLed crlme group of
10 persons also uslng Lhe 8uLLerfly 8oL were arresLed ln 8osnla and Perzegovlna, CroaLla,
Macedonla, new Zealand, eru, Lhe unlLed klngdom, and Lhe unlLed SLaLes. 1he group
was esLlmaLed Lo have made over $uSu830 mllllon.

!+$4"+4$% -= "0@%$"$,(% E$-4*2
McGuire has suggested a typology of digital crime groups, which comprises six types of group
structures. He emphasized that these basic organizational patterns often cross-cut in highly fluid
and confusing ways and the typology represents a best guess based on what we currently know
about cyber offenders. He notes that it is likely to change as the digital environment evolves.
86

McGuires typology includes three main group types, each divided into two subgroups
depending on the strength of association between members:

Type I groups operate essentially online and can be further divided into swarms and hubs. They
are mostly virtual and trust is assessed via reputation in online illicit activities.

83
The 2012 Verizon Data Breach Investigation Report identified that 75% of 621 confirmed breaches of data were
financially motivated, <http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-
2012_en_xg.pdf>.
84
See <http://www.fbi.gov/news/pressrel/press-releases/fbi-slovenian-and-spanish-police-arrest-mariposa-botnet-
creator-operators>; <http://www.fbi.gov/news/pressrel/press-releases/fbi-international-law-enforcement-disrupt-
international-organized-cyber-crime-ring-related-to-butterfly-botnet/>; see also
<http://en.wikipedia.org/wiki/Mariposa_botnet>.
85
S P Correll, Inside Mariposa: The Largest Botnet Takedown in History (2010) May ISSA Journal, 47-48,
<http://www.bluetoad.com/publication/?i=37466&p=47>.
86
McGuire, 2012, op. cit, 58.
22

o Swarms share many of the features of networks and are described as disorganized
organizations [with] common purpose without leadership. Typically swarms have
minimal chains of command and may operate in viral forms in ways reminiscent of
earlier hacktivist groups. Swarms seem to be most active in ideologically driven
online activities such as hate crimes and political resistance. The group Anonymous
illustrates a typical swarm-type group (see the case study on AT&T above).
o Hubs, like swarms, are essentially active online but are more organized with a clear
command structure. They involve a focal point (hub) of core criminals around which
peripheral associates gather. Their online activities are diverse including piracy,
phishing attacks, botnets and online sexual offending. The distribution of scareware
often involves hub-like groups (see the case study box on scareware by the IMU
criminal enterprise and also Hun1).

MN8 O ?-*0$,E7+ B,$#"0
ln Lhls case Lhe Lwo prlnclpal organlzers of a group of abouL 30 people based ln Pungary
supplled legal compuLer server and hosLlng servlces for several prlvaLe lndlvlduals and
buslness assoclaLlons. 1hrough Lhls llclL acLlvlLy Lhey concealed hundreds of 'smswarez'
(refers Lo Lhe lllegal Lrade ln conLenL proLecLed by copyrlghL ln reLurn for paymenL by
SMS), 'smswebs' (webpages where copyrlghL-proLecLed conLenL can be downloaded ln
reLurn for paymenL by SMS) and 'LorrenLs' (a sysLem LhaL allows an lnLerneL user Lo
download Lhe deslred flle or parLs of flles noL from a cenLral server, buL from unknown
users who already have lL). 1he advanLage of Lhe LorrenL sysLem ls LhaL lf a flle becomes
very popular, more and more people download lL and lLs dlsLrlbuLlon becomes even more
wldespread. ln Pun 1, Lhe organlzers used spam Lo adverLlse Lhese llllclL servlces, whlch
ulLlmaLely led Lo Lhe selzure of 48 lllegal servers wlLh a capaclLy of 200-230 LerabyLes.
AfLer Lhls group was arresLed, Lhe lnLerneL daLa Lurnover ln Pungary was reduced by
abouL 10 per cenL.
87



Type II groups combine online and offline offending and are described as hybrids, which in
turn are said to be clustered or extended.
o In a clustered hybrid, offending is articulated around a small group of individuals and
focused around specific activities or methods. They are somewhat similar in structure to
hubs but move seamlessly between online and offline offending. A typical group will
skim credit cards then use the data for online purchases or on-sell the data through
carding networks.
88

o Groups of the extended hybrid form operate in similar ways to the clustered hybrids but
are a lot less centralized. They typically include many associates and subgroups and
carry out a variety of criminal activities, but still retain a level of coordination sufficient

87
An abridged version of cases reported in UNODC 2012, op. cit., 112.
88
See McGuire, 2012, op. cit., 50, and other papers on carding groups/forums: e.g. M R Soudijn & B C Zegers,
Cybercrime and virtual offender convergence settings (2012) 15 Trends in Organised Crime, 111-129.
23

to ensure the success of their operations. (As knowledge of group structure is often not
known, it is difficult to pinpoint a case study, but see Rus 13 case).

CN! OP QR+-$+,-.
1hls case lnvolved Lhe exLorLlon of 8rlLlsh bookmakers. Cfflclals from Lhe unlLed klngdom
naLlonal Pl-1ech Crlme unlL (now parL of Lhe Serlous Crganlsed Crlme Agency [SCCA])
and Lhe uS SecreL Servlce were lnvolved ln Lhe lnvesLlgaLlon. 1he crlmlnal group used a
neLwork of compuLers (boLneL) from whlch Lhey launched dlsLrlbuLed denlal-of-servlce
(uuoS) aLLacks. 1he roles asslgned Lo Lhe members of Lhe crlmlnal organlzaLlon all
requlred speclallzed knowledge and speclal programmlng skllls. ln order Lo conceal Lhelr
acLlvlLles, Lhey used anonymous proxy servers, vlrLual prlvaLe neLwork (vn) servlces and
anonymous mall servers. 1he exLorLed funds were senL vla exlsLlng lnLernaLlonal paymenL
neLworks Lo resldenLs ln LaLvla, who Lhen Lransferred Lhe funds Lhe 8usslan lederaLlon.
1he bookmaklng companles depended enLlrely on conLlnuous access Lo Lhe lnLerneL,
because Lhe beLs were placed excluslvely onllne and, hence, Lhey were vulnerable. ln one
lnsLance, a uuoS aLLack flooded Lhe LargeLed company's server wlLh approxlmaLely 423
unlque l addresses esLabllshlng over 600,000 slmulLaneous connecLlons wlLh Lhe
company's web server, sendlng requesLs for lnformaLlon aL over 70 M8 per second (Lhe
web server would normally recelve requesLs aL 2 M8 per second). 1hls aLLack cuL off Lhe
company's webslLe from Lhe lnLerneL, and Lhe crlmlnals demanded and obLalned
uS$40,000, LhreaLenlng LhaL lf Lhelr demands were noL meL, Lhey would conLlnue aLLack
unLll Lhe company was rulned.
89


Type III groups operate mainly offline but use online technology to facilitate their offline
activities. McGuire argues that this type of group needs to be considered because they are
increasingly contributing to digital crime. Like the previous group-types, Type III groups can be
subdivided into hierarchies and aggregates, according to their degree of cohesion and
organization.
o Hierarchies are best described as traditional criminal groups (e.g. crime families),
which export some of their activities online. For example, the traditional interest of
mafia groups in prostitution now extends to pornography websites; other examples
include online gambling (see case study), extortion, and blackmail through threats of
shutting down systems or accessing private records via malware attacks or hacking (see
Ransomware and IMU case studies).
o Aggregate groups are loosely organized, temporary, and often without clear purpose.
They make use of digital technologies in an ad hoc manner, which nevertheless can
cause harm. Examples include the use of Blackberry or mobile phones to coordinate
gang activity or public disorder, which has been seen during the 2011 UK riots or the
Sydney riots in September 2012.
90


89
Abridged from an account in UNODC 2012, Digest of Organized Crime Cases (English): A Compilation of Cases
with Commentaries and Lessons Learned (United Nations, 2012), 110-113.
90
<http://www.smh.com.au/nsw/police-investigate-rioters-text-messages-20120916-260mk.html>.
24


;C#.2-(&#$%< /-"D2 "-(*4+%$2 #.> >%(#.>2 *#0(%.+
ln May 2012, Lhe lnLerneL Crlme ComplalnL CenLer (lC3) lssued a warnlng abouL Lhe
8eveLon vlrus, whlch had become wldespread ln Lhe uS and lnLernaLlonally. 1he 8eveLon
vlrus ls descrlbed as a 'drlve-by' malware because lL lnsLalls lLself when a vlcLlm slmply
cllcks on a compromlsed webslLe. Cnce lnsLalled, Lhe malware lmmedlaLely locks Lhe
lnfecLed compuLer and dlsplays a message sLaLlng, 'a vlolaLlon of federal law (e.g. relaLlng
Lo some lllegal onllne acLlvlLy) has been ldenLlfled by Lhe l8l'. 1he user ls Lhen requlred Lo
pay a flne onllne. 8emovlng Lhe vlrus ls complex. 1he lC3 has recelved many complalnLs
buL many people have also pald Lhe so-called flne.
91


McGuire, as noted above, estimated that about 80% of cybercrime was likely the result of some
form of organized activity, a proportion that appears to have increased over time. However, there
is limited corroborative evidence available to validly estimate the proportion (prevalence) and
frequency of OCGs relative to other actors, including States or quasi-state actors.While a number
of typologies focus on the specific activities of crime groups,
92
McGuires typology is both
simple and clear, even if notions of association and centrality of actors are imprecise. The
question of the motivation of the offenders or group may not be an essential element of the
structure of a crime group and so broadening the range of organizational types regardless of
whether money, ideology or other reasons are in play can be more helpful than motivational
based typologies where complex actions are often not readily reduced to core motivations. The
typology suggested by McGuire could also be a basis for further refinement along the
dimensions of function (i.e. the type criminal activity or enterprise, duration/ monopolization and
role in protection).

Hun 1 and Innovative Marketing Ukraine (IMU) cases are examples of enterprise forms of crime
that help illustrate the range of criminal organization and the kinds of deceptions that have
proven effective to the present. IMU operated openly in Kiev as a company specializing in online
marketing and was a large-scale operation with a substantial transnational dimension that offered
a franchise-like operation. IMU used scareware to persuade victims to provide credit card
information to pay US$50-80 for the fake AV software. IMUs WinAntivirus mimicked the
appearance of Microsoft security software. IMUs fake advertisements, when clicked, triggered
bogus AV scans showing that the victims computer were virus-infected. It then directed users to
purchase IMUs fake AV software. LinkedIn records showed some former IMU employees were
now working at leading banks, consulting companies and other Kiev-based antivirus companies,
which may have assisted in extending IMUs the operations.

91
<http://www.fbi.gov/news/stories/2012/august/new-internet-scam/new-internet-scam>.
92
S W Brenner, Organized Cybercrime? How Cyberspace may Affect the Structure of Criminal Relationships,
(2002) 4(1) North Carolina Journal of Law & Technology, 1-50; P Grabosky, The Internet, Technology and
Organized Crime (2007) 2 Asian Journal of Criminology, 145-162; Broadhurst & Choo 2011, op. cit..
23


S..-T#+,T% I#$D%+,.E ND$#,.% USINV
WP

1he 'grey' enLerprlse lMu was an early promoLer of 'scareware' or fake anLl-vlrus (Av)
programs and used afflllaLes (lndependenL 'hackers') and leglLlmaLe buslnesses such as
banks and credlL card processors Lo expand buslness. lMu was founded ln 2002 by Lhree
men, lncludlng Canadlan Marc u'Souza. lMu orlglnally operaLed Lo sell plraLed muslc, grey
A/v sofLware, pornography and vlagra. lL Lhen developed an Adware malware program
LhaL became lLs maln buslness. lMu was an llllclL buslness LhaL operaLed openly ln klev as
a company speclallzlng ln onllne markeLlng. lMu employed around 600 people ln klev and
ln lndla, oland, Canada, Lhe u.S., and ArgenLlna. 1he sLaff worked ln a range of roles
from recepLlonlsLs, flnance, webmasLers and englneers. Many of lMu's sLaff had Llnkedln
proflles and one analysls found a large proporLlon worked for aL leasL a year for Lhe
company and comprlsed young college sLudenLs.
94
A former lMu employee explalned:
'!"#$ &'( )*# +(,- ./0 &'( 1'$2- -"3$4 ) 5'- )6'(- #-"37,8 9 ")1 ) :''1 ,)5)*& )$1 9 4$';
-")- <',- #<=5'&##, )5,' ")1 =*#--& :''1 ,)5)*3#,'. lMu also lnvesLed ln call cenLre
faclllLles ln Lhe ukralne, lndla and Lhe u.S., Laklng around 2 mllllon calls ln 2008 alone.
When people called Lo complaln, Lhe call cenLre helped Lhem Lhrough Lhe sLeps needed Lo
'lnsLall' and recLlfy Lhe non-exlsLenL problem. Many vlcLlms were apparenLly saLlsfled wlLh
Lhe ouLcome and were unaware of Lhe scam. lMu also pald afflllaLes 10 cenLs for each
compromlsed compuLer and generaLed average reLurns ln Lhe range of uS$ 2-3 Lhrough
sofLware sale and producL promoLlon. A recrulLlng slLe, #)*$3$:>(87'<, pald up Lo uS$180
for every 1,000 compuLers lnfecLed vla non-spam and lMu rewarded Lhe Lop sales
performers. ln one such reward evenL for scareware lnsLallers a brlefcase full of Luros was
awarded Lo Lhe besL seller.
93
AL leasL four prlnclpals were engaged (8rlLlsh and uS
naLlonals) ln Lhe buslness as manager/proprleLors and Lhey were charged ln 2010 ln a
[olnL u.S. lederal 1rade Commlsslon and l8l lnvesLlgaLlon.


K&2&-2$5' ,'1 P1&'2$0$-,2$5' 50 /00&'1&#*
Individuals and groups are continually finding new ways to commit crimes on the Internet. Some
crimes take place exclusively on the Internet while others facilitate traditional forms of crime.
The anonymity of the Internet, one of its essential characteristics, presents a challenge to identify
individuals and groups that use the Internet for dishonest and criminal purposes.



93
Kshetri 2013, op. cit., chapter 3; see also Microsoft Security Blog
<http://blogs.technet.com/b/security/archive/2010/03/25/profile-of-a-global-cybercrime-business-innovative-
marketing.aspx>.
94
F Paget, McAfee Helps FTC, FBI in Case Against Scareware Outfit (June 2010),
<http://blogs.mcafee.com/mcafee-labs/mcafee-helps-ftc-fbi-in-case-against-scareware-outfit>.
95
IMU received approximately 4.5 million orders in the first 11 months of 2008, valued at up to US$180 million;
see J Finkle, Reuters, 24 March 2010,
<http://www.reuters.com/article/2010/03/24/us-technology-scareware-idUSTRE62N29T20100324>.
26


)./,.% E#(@/,.E @0 # (#=,# =#(,/0
ln 2008, 26 lndlvlduals - lncludlng repuLed members of Lhe new ?ork Camblno organlzed
crlme famlly - were charged wlLh operaLlng an lllegal gambllng enLerprlse, whlch lncluded
four gambllng webslLes ln CosLa 8lca. new ?ork ulsLrlcL ALLorney 8rown sLaLed '...law
enforcemenL crackdowns over Lhe years on LradlLlonal mob-run wlre rooms have led Lo
an lncreased use by lllegal gambllng rlngs of offshore gambllng webslLes where acLlon ls
avallable around Lhe clock'. As gambllng ls lllegal ln Lhe unlLed SLaLes Lhe webslLes Look
advanLage of gambllng's legallLy ln oLher [urlsdlcLlons. 8eLs were placed ln new ?ork buL
processed offshore and Lhe daLa LransmlLLed Lhrough a serles of servers so Lo evade
deLecLlon by law enforcemenL.
96


Cybercriminals have been able to evade authorities because of obfuscation techniques that help
avoid the tracing of their criminal activity. A range of computer-based methods can be used to
commit a crime. These include using network services that encourage illicit activity, computer
and software infrastructure such as botnets and P2P networks, and the use of encryption. Some
technologies designed for legitimate functions can also have criminogenic features that can be
employed by criminals.
97
These technologies make it difficult for authorities to track and trace
criminals on the Internet.

There are other non-technical factors that can hinder the detection and subsequent identification
and prosecution of cyber offenders. These include the lack of cooperation between states, limited
policing capacity on the Internet, delays in acquiring mutual legal assistance even among
cooperating states, and the absence of a cohesive legal framework to address cybercrime across
jurisdictions.

While there are general investigative approaches to address cybercrime (e.g. covert and
undercover operations) the most promising approach, given the frequent cross-national form of
the crime, has been the emergence of cross-national taskforces that engage in both undercover
and sting operations. Operation Rescue in 2007 was an example of such cooperation between
the UK Child Exploitation and Online Protection Centre and the Australian police.
98
There are
also instances of informal partnerships between the public and private sector forming to help
with investigations. One such example is the Mariposa Working Group (MWG), an informal
collaboration between academia, private sector, and law enforcement that was specifically
created to assist in the Mariposa botnet case in 2009 (see case study on Butterfly bot).
99
An
example of a more structured form of cross-border co-operation is the Virtual Global Task force,

96
Queens County District Attorney (QDA), Twenty-six Charged in $10 Million Dollar Gambino Organized Crime
Family Gambling, Loan Sharking and Prostitution Operation, (2008) Media Release #27-2008,
<http://www.queensda.org>.
97
A Maurushat, Australias Accession to the Cybercrime Convention: Is the Convention Still Relevant in
Combating Cybercrime in the Era of Botnets and Obfuscation Crime Tools? (2010) 33(2) University of New South
Wales Law Journal, 431-473. R V Clarke & G R Newman Modifying Criminogenic Products-What Role for
Government? (2005) 18 Crime prevention studies, 7.
98
D Casciani, Worlds largest paedophile ring uncovered, BBC News, 16 March 2011,
<http://www.bbc.co.uk/news/uk-12762333>.
99
<http://pandalabs.pandasecurity.com/mariposa-botnet/>.
27

which, as noted above, operates to counter the advantages of CEM dissemination offered by the
borderless nature of cyberspace. A key solution to the global reach of cybercrime is to improve
the cooperation among law enforcement agencies across all jurisdictions especially those at
risk of offering a haven for cybercriminals and bullet proof ISPs, and those states that lack the
resources and knowledge to recognize that a crime has taken place and to be able to respond
effectively.
A number of successful operations to identify and capture cybercriminals have occurred through
undercover sting operations on online forums (Operation Card Shop/Carder Profit see box).
These investigations entailed setting up an online forum. Through disguising their identity,
investigators were able to gain trust among criminals such as in cases related to online child
exploitation (e.g. Operation Orion
100
). Traditional undercover operations include methods such
as covert infiltration, disguised identity, and fake transactions that help to gain the trust of
participants in an illicit network. They also include the creation of a specific site, in the form of a
sting operation to lure and capture those committing a crime on the Internet. As in other crime,
police also respond to cases reported by victims, potential victims, or informants who provide
valuable intelligence about these activities.


?#$>,.E B$-=,+
ln !une 2010, Lhe l8l esLabllshed an undercover cardlng forum called Carder roflL (Lhe
'uC SlLe') Lo collecL lnLelllgence. 1hls was a LradlLlonal cardlng forum slmllar Lo
uarkMarkeL, an lllegal onllne forum Laken down ln 2008 by Lhe l8l and lLs lnLernaLlonal
parLners, buL dlfferenL ln LhaL Lhe pollce acLually seL-up and conLrolled Lhe forum. users
dlscussed varlous Loplcs relaLed Lo cardlng and Lo communlcaLe offers Lo buy, sell, and
exchange goods and servlces relaLed Lo cardlng. 1he uC SlLe was conflgured Lo allow Lhe
l8l Lo monlLor and Lo record Lhe dlscusslon Lhreads posLed Lo Lhe slLe, as well as prlvaLe
messages senL Lhrough Lhe slLe beLween reglsLered users. 1he uC SlLe also allowed Lhe
l8l Lo record Lhe lnLerneL proLocol (l) addresses of users afLer Lhey logged on. ln May
2012 ollce and law enforcemenL offlclals arresLed 24 people (now 27) ln 13 counLrles
(lncludlng Lhe uS, uk, 8osnla, 8ulgarla, norway and Cermany).
101



Cybercrime investigations are generally initiated because of a complaint reported by a member
of the public, or arising from intelligence related activities such as undercover operations, and
the use of honeypots.
102
However, identification involves making a request to access data logs
from Internet Service Providers (ISP), as well as telecommunication providers, in order to begin
to trace the probable source of a cybercrime. The source IP address, the unique identification

100
<http://www.ice.gov/news/releases/1206/120608washingtondc.htm>.
101
<http://www.fbi.gov/newyork/press-releases/2012/manhattan-u.s.-attorney-and-fbi-assistant-director-in-charge-
announce-24-arrests-in-eight-countries-as-part-of-international-cyber-crime-takedown> (2012). An earlier example
was Operation Firewall (2004), which arrested an OCG that operated a credit card fraud and a counterfeit document
service. The offenders were located in United Kingdom, Poland, Canada, Sweden, Bulgaria, the Netherlands,
Belarus, Ukraine, and the United States.
102
J Jang, 2008, Best Practices in Cybercrime Investigation in the Republic of Korea,
<http://www.unafei.or.jp/english/pages/RMS/No79.htm>.
28

number of a device connected to the Internet, can be used to establish the origin of the criminal
activity and may help in finding the offender. As mentioned previously, obfuscation techniques
used by criminals can make this difficult and in many cases impossible to track down possible
offenders.

Other conceptual models place data at the centre of any cybercrime investigation. In Hintons
schema the logic of the attack is based on the data objectives (identities, passwords and so on),
the exploitation tactics and subsequent attack methods, and finally the technical implementation
of an attack. His model also considers the primary compounding factors that involve the purpose
of the criminal activities, the difficulties of a globalized environment, and digital evasion and
concealment by the cybercriminal.
103


Apart from diverse methods of deception (aka social engineering) that do not rely on hacking,
cyber-criminals take advantage of flaws in technology that interfaces with the Internet, which
can include computers, programs, and networks. Much of this widespread activity occurs
through the use of a single (or more commonly a group) of compromised computers (botnets),
and, are used as proxies for criminal activity. These compromised computers act as a buffer,
making it difficult to trace criminals. Much of the activity that takes place can only be traced
back to these computers rather than offenders.

A variety of techniques that recognize computer based traffic and data involved in criminal
activity are available to assist traditional investigation. These methods, widely used in the
computer security field, primarily assist in understanding traffic data and other data on the
Internet generated by criminals. These techniques rarely identify individuals, and at best, are able
to identify the origin of the activity and geographical vicinity of the compromised computer. The
majority of malicious Internet activity is now thought to result from automated forms of
cybercrime.
104
As a result, efforts to detect and locate criminals may be futile in many cases.
5%"7.-/-E0A#22,2+%> ,.T%2+,E#+,-.
There are also many technology-based methods and tools that assist in identifying malicious
code and criminal activity in cyberspace. Techniques or methods of investigation can be
classified as active or passive, depending on whether the object of the investigation is still in
active operation, or whether it has been seized and the data are frozen. Active investigations are
initiated by law enforcement and can be obtrusive. They include covert operations on discussion
forms and chat rooms or the use of honeypots.
105
The passive approach, on the other hand, is
reactive and the investigation occurs after a crime has taken place. It is commonly referred to as
computer forensic. Technology-assisted cybercrime investigations can include the retrospective
analysis of malicious software, network traffic, or any type of data. Table 2 summarizes two
general technology centric strategies to identify activity generated by compromised computers.


103
P Hinton, Data Attack of the Cybercriminal: Investigating the Digital Currency of Cybercrime (2012) 28
Computer Law and Security Review, 201-207.
104
D S Wall, Cybercrime: The Transformation of Crime in the Information Age (Polity, 2007), vol 4.
105
For an example of honeypot, refer to the Carder Profit example, where the FBI created a carding forum to lure
criminals for the purpose of entrapment.
29

Q,)6& B@ 9&'&#,6 *2#,2&7$&* 25 1&2&-2 -5%+#5%$*&1 -5%+:2&# ,-2$I$2(
Type of detection strategies Examples of approach
a

Host-based Antivirus detection, rootkit detection, modification of critical
Windows files, random popups of adware, slowness of
machine, suspect DNS server
Network-based Identifying IRC traffic analysis on ports, using botnet
command and control blacklists, unexplained behaviour of
networked computers, use of a honeypot to detect malware,
unusual traffic on network and important ports
Source
a
<http://www.shadowserver.org/wiki/pmwiki.php/Information/BotnetDetection>.

It is apparent that law enforcement agencies in many jurisdictions have limited capacities to
respond to cybercrime and are hindered by a lack of technical expertise and policing capacity on
the Internet. Because of their expertise, the information security and information technology
industry has played a quasi-policing role by defending and protecting information for both public
and private sectors. For example, Microsoft runs its own Digital Crimes Unit, which includes
investigators, technical analysts, lawyers, and other specialists who work on making the Internet
more secure through strong enforcement, global partnerships, as well as policy and technology
solutions (see case study on Operation b71). Governmental agencies also fulfil that function, in
particular when it involves the mitigation of malicious Internet activity (e.g. national Computer
Emergency Response Teams - CERT). Monitoring of potentially malicious activities by non-
governmental non-profit organizations (such as Shadowserver) is another resource to identify
criminal activity.
106
Analysis by independent security professionals can assist in investigation
efforts by uncovering intended targets and methods used by criminals (for example, abuse.ch).
Research-focused organizations dedicated to examining cyber-attacks, such as the Honeypot
Project,
107
contribute to the fight against malware and hacking. Ultimately, cooperation between
these groups is essential for cybercrime investigations to be successful. The Koobface case
provides an example of the combination of technical and conventional investigative techniques
in the successful identification of cybercrime suspects. In this case, the analysis of the relevant
network data and the investigation was undertaken by Sophos, a private computer security
company, and police were not involved, although the Russian police were notified.

Information security-based techniques are often leveraged to identify activity generated by
compromised computers, with host-based detection strategies focusing on monitoring the
internal system of a computer, and network-based strategies centring on determining
unauthorized access to a computer by analysing network and Internet traffic. These strategies
entail the use of a range of software tools, 3
rd
party resources, and analytical techniques
illustrated in Table 3.

106
European Network and Information Security Agency (ENISA), 2011, Proactive Detection of Security Incidents,
< http://www.enisa.europa.eu/activities/cert/support/proactive-detection>.
107
<https://www.projecthoneypot.org/>.
30


X--@=#"%


koobface ls a worm-based malware LhaL LargeLs Web 2.0 soclal neLworks such as
lacebook (Lhe name of Lhe malware ls an anagram of lacebook). koobface spread by
sendlng messages Lo 'frlends' of an lnfecLed lacebook accounL user. 1he message
dlrecLed Lhe reclplenL Lo a fake webslLe where Lhey were prompLed Lo download whaL
was presenLed as an updaLe Lo Adobe llash layer. Cnce Lhe fake program was lnsLalled,
koobface conLrolled Lhe compuLer's search englne use and dlrecLed lL Lo llllclL webslLes
afflllaLed ln offerlng varlous scams such as false lnvesLmenLs, fake Av programs, fake
daLlng slLes, eLc. 1he koobface boLneL made money Lhrough pay-per-lnsLall and pay-per-
cllck fees from Lhese oLher webslLes.
108
Sophos ldenLlfled flve poLenLlal members of Lhe
koobface gang, also referred Lo as 'All 8aba & 4'

who operaLed from 8usslan and Czech
locaLlons. Cne member was older Lhan Lhe oLhers and posslbly Lhe leader, buL Lhe
sLrucLure of Lhe group was noL fully undersLood. Members of Lhe group had prevlously
worked ln onllne pornography, spyware, and also aLLempLed Lo conducL a leglLlmaLe
moblle sofLware and servlces buslness, MobSofL LLd.
109
1he koobface crlme group was
able Lo conLlnuously upgrade and adapL Lhe boLneL, whlch lncluded an effecLlve 1rafflc
ulrecLlon SysLem LhaL managed Lhe acLlvlLy on afflllaLe slLes and boosLed Lhe lnLerneL
Lrafflc Lo Lhe boLneL (e.g. LargeLlng showblz fans, onllne daLers, casual porn surfers, and
car enLhuslasLs). 1he overall sLrucLure of Lhe boLneL was reslllenL ln survlvlng Lakedown
aLLempLs and counLermeasures by LargeLs such as ?)7#6''40 @'':5#0 and oLher soclal
neLworks8 uaLa found ln Lhe boLneL's command-and-conLrol sysLem suggesLed Lhe group
has earned around $2 mllllon a year. 1hey apparenLly could have made more money
Lhrough ldenLlLy fraud buL a 2009 ChrlsLmas e-card Lo securlLy researchers, lefL lnslde
vlcLlm compuLers, sLaLed LhaL koobface would never sLeal credlL card or banklng
lnformaLlon. lL called vlruses 'someLhlng awful' and never deployed auLomaLlc mallclous
programs, buL allowed lLs vlcLlms Lo make 'several unwlse cllcks'. ln oLher words Lhey
argued LhaL lL was vlcLlms Lhemselves who downloaded Lhe vlrus Lhrough careless use of
Lhe lnLerneL.


It is worth noting that the question of public disclosure of a suspects identity prior to police
action or in lieu of police or judicial action is inherently problematic. In the case of likely
immunity from prosecution in the offenders jurisdiction, a naming and shaming approach may
be justified. This occurred in the Koobface case, when Facebook revealed the names of those
suspected. However, it is at the cost of alerting suspects to what may be known about their

108
J Baltazar, J Costoya, & R Flores, The Real Face of Koobface: the Largest Web 2.0 Botnet Explained and Show
me the Money: The Monetization of Koobface (Trend Micro, 2009).
<http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_real_face_of_KOOBFACE_j
ul2009.pdf>.
109
J Drmer & D Kollberg, The Koobface Malware Gang Exposed (Sophos, 2012),
<http://nakedsecurity.sophos.com/koobface/>. R Richmond, Web Gang Operating in the Open, New York Times
(16 January 2012), <http://www.nytimes.com/2012/01/17/technology/koobface-gang-that-used-facebook-to-spread-
worm-operates-in-the-open.html?pagewanted=all&_r=0>; N Villeneuve, Koobface: Inside a Crimeware Network
(2010), <http://www.infowar-monitor.net/reports/iwm-koobface.pdf>.
31

activities. The identification of the Koobface crime group suspects has not prevented Koobface
tools from continuing to operate and evolve, nor is it known if the five suspects or some of
them continue to be involved or if they have sold out or moved on. Often, cybercrime activities
may be discovered through their consequences but no suspects are identified. In such recent
cases, Microsoft has pioneered an innovative response using civil law action.

Q,)6& C@ Q3#&& ,++#5,-3&* :*&1 25 1&2&-2 -5%+#5%$*&1 -5%+:2&# ,-2$I$2(
Type of approach
a
Examples
Tools Snort (intrusion prevention system), IDA Pro (reverse
engineering), Dionaea (honeypots), VMWare (researching
infections), Wireshark (packet analysis)
Resources Zeustracker (identified servers linked to botnet activity),
malwaredomainlist.com (blacklist of malicious websites),
Spamhaus (unsolicited emails)
Techniques Sinkholing, DNS monitoring, sandboxing, attribution
algorithms, data mining, network packet analysis, signature-
based detection
Note
a
These approaches are not mutually exclusive. The table includes only a few examples for
illustrative purposes, but the list is not exhaustive.

Y%E#/ ,.+%$T%.+,-.2
In February 2013, for the 6
th
time since 2010, Microsoft used a civil legal process to disable
botnets controlled by criminals (see the case of Operation b71).
110
In these cases, Microsoft
relied on the Racketeer Influenced and Corrupt Organizations (RICO) Act to obtain permission
from the court to sever the command-and-control structures of the botnet(s). Microsoft will then
be able to pursue civil cases against anyone associated with the operation of the botnet. The
analysis of the cases provides intelligence that is disseminated to ISPs and CERTs and that can
be applied to other cases. When appropriate, the collected evidence is referred to law
enforcement to initiate criminal prosecutions against the individuals involved (as in the case of
the Rustock botnet takedown). In 2011 the FBI had used a similar court process to disable the
Coreflood botnet.
111


Dittrich argued that technological interventions or legal interventions alone are not as successful
as those that combine technical methods with civil and/or criminal legal process. Coordinated
operations were used in the takedown of several complex botnets (e.g. Coreflood, Rustock) and
succeeded on the first try. The advantage of using the legal process is that it allows the removing
of all the top-level domains.
112
In addition, civil actions are a first step and they do not preclude
subsequent criminal actions against specific individuals, particularly when evidence for the civil

110
J Finkle, Microsoft and Symantec Disrupt Cybercrime Ring, Reuters (6 February 2013),
<http://www.reuters.com/article/2013/02/06/us-cybercrime-raid-idUSBRE91515K20130206>.
111
For this and other examples of takedown, see D Dittrich 2012 So you Want to Take Over a Botnet?,
Proceedings of the 5
th
USENIX Conference on Large-Scale Exploits and Emergent Threats (UNESIX Association),
<http://dl.acm.org/citation.cfm?id=2228349>.
112
Dittrich, 2012, op.cit.
32

action is collected by experts who are skilled at forensics and safeguarding digital evidence, as in
the case of Microsoft.
113


I,"$-2-=+ )*%$#+,-. @FO
8oLneL operaLors uslng Zeus and SpyLye malware were able Lo redlrecL lnLerneL Lrafflc Lo
fake banklng webslLes and obLaln vlcLlms' credenLlals. WlLh Lhls lnformaLlon, Lhey could
sLeal money from vlcLlms' bank accounLs. MlcrosofL esLlmaLed LhaL 13 mllllon compuLers
were lnfecLed and $100 mllllon had been sLolen. Cn 23 March 2012, MlcrosofL, Lhrough a
clvll law acLlon, obLalned from a federal courL an ex parLe Lemporary resLralnlng order
LhaL allowed lL Lo Lake over lnLerneL Lrafflc relaLed Lo Lhe boLneLs. 1he courL also ordered
uS Marshals Lo asslsL MlcrosofL and oLhers Lo serve search warranLs and physlcally selze
compuLers ln Lwo uS sLaLes. 1he move, conducLed ln collaboraLlon wlLh flnanclal servlces
organlzaLlons and code-named CperaLlon b71, followed monLhs of lnvesLlgaLlon. 8aLher
Lhan LargeLlng dlrecLly Lhe perpeLraLors, who had noL been speclflcally ldenLlfled, Lhe
lawsulL focused on Lhe boLneLs LhaL Lhey conLrolled. MlcrosofL had used a slmllar LacLlc
prevlously Lo Lake down slngle boLneLs buL lL was Lhe flrsL Llme mulLlple boLneLs were
Laken down aL once. AlLhough noL able Lo name Lhe perpeLraLors, MlcrosofL provlded ln
Lhelr complalnL lnformaLlon such as Lhe nlcknames and emall addresses of 39 '!ohn uoe'
lndlvlduals, a llsL of compromlsed domaln names, and a summary of each lndlvldual
alleged crlmlnal acLlvlLles.
114
1he llsL lncluded Lhe sofLware creaLors and developers, l1
Lechnlclans, sofLware users, as well as money mules and Lhelr recrulLers.


H:%%,#( ,'1 "5'-6:*$5'
It is often stated that the control of cybercrime needs a comprehensive approach. Realising a
comprehensive approach that merges technical, social, and international means is, however, no
easy task. Given that technical measures alone cannot prevent cybercrime, it is important that
law enforcement agencies have the capacity to investigate and prosecute cybercriminals
effectively. A key solution is the creation of effective partnership between law enforcement
agencies and various stakeholders such as ISPs and software and hardware suppliers. While
governments and regional governance mechanisms need to supervise or control the Internet, they
must avoid lessening its astonishing efficiency and creativity. Many tools, techniques and
processes are available to assist police and network defenders, such as passive monitoring and
collaboration with civil society and industry partners. These are reactive measures and although
they can enhance the security of a network, they are also limited. Offenders are also becoming
increasing difficult to identify from the sources of the illegal and malicious activity/methods

113
D Dittrich, 2012, Thoughts on the Microsofts Operation b71, Honeynet Project,
<http://www.honeynet.org/node/830>.
114
Microsoft press release <http://blogs.technet.com/b/microsoft_blog/archive/2012/03/25/microsoft-and-financial-
services-industry-leaders-target-cybercriminal-operations-from-zeus-botnets.aspx>. For a summary of the operation
and a copy of Microsoft complain to the court see <http://news.cnet.com/8301-30685_3-57404275-264/the-long-
arm-of-microsoft-tries-taking-down-zeus-botnets/>.
33

identified; hence the risks of arrest or intervention are generally so low as to constitute little or
no deterrence.

Further work is needed on estimating the costs and benefits of different strategies for minimizing
cybercrime and the most effective roles for public police and other interested and capable actors
who can partner with police in this challenging task. One of the few systematic studies of the
cost of cybercrime recommended less investment on antivirus software and more investment on
improved policing of the Internet. They note that in general computer security approaches (as
currently performed) are extremely inefficient at fighting cybercrime and they suggest
investment in more effective policing arguing, we should spend less in anticipation of
cybercrime (on antivirus, firewalls, etc.), and moreon the prosaic business of hunting down
cyber-criminals and throwing them in jail.
115
Anderson, the lead author at Cambridges
Computer Laboratory noted: A small number of gangs lie behind many incidents and locking
them up would be far more effective than telling the public to fit an anti-phishing toolbar or
purchase antivirus software.
116

Given this situation, continued attention is required across several domains as follows:

The evolution of effective and well-defined laws against cybercrime at both national,
regional and international levels and the means to routinely update them in the light of
technological advances.
The further development of technical measures, and new investigative approaches
especially more focus on electronic evidence forensics and its legal validity.
The continued improvement of security and risk management in cyberspace (i.e.
detection, and the response to cyber-attacks), including accreditation schemes, protocols
and standards.
The establishment of cost-effective partnerships with industry, public police and cyber-
communities.
Adequate support for consumer and industry education about anti-crime measures on the
Internet and in the digital economy.
A more effective and rapid response international cooperation among law enforcements.

Cybercriminals are capable of undertaking computer/digital device capture and control, however,
the advent of malware toolkits such as Zeus and others has lowered the skill levels required.
Cybercrime sometimes requires a high degree of organization to implement and may lend itself
to small crime groups, loose ad hoc networks or enterprise style organized crime. In short, the
nature of offenders and the kinds of criminal groups that are active most likely reflect patterns in
the conventional world. The demographic characteristics of cybercrime offenders reflect the
conventional world in that young males are the majority (as in conventional crime) although the

115
R Anderson, C Barton, R Bohme, R Clayton, M van Eeten, M Levi, T Moore, & S Savage, 2012 Measuring the
Cost of Cybercrime, Workshop on the Economics of Information Security (WEIS), 25 June, Berlin,
<http//weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf>.
116
R Anderson, 2012,
<http://www.cam.ac.uk/research/news/how-much-does-cybercrime-cost/>.

34

age profile is increasingly showing older individuals. While higher education, especially in the
relevant computer related science fields, may be helpful to prospective offenders, many are not
graduates. An over-emphasis on particular notorious cybercrime groups and their origins is
unproductive and may lead to overlooking other groups (the false negative problem). There is a
lack of systematic research about the nature of criminal organizations active in cyberspace. More
research is needed about the links between online offenders and offline offending.

Despite the urge to generalize, the current state of cybercrime by individuals and by
organizations requires a great deal more in the way of basic research. Motives are varied and
diverse; they are by no means limited to greed or rebellion. Different organizational forms lend
themselves to different offence types, which in turn lend themselves to different strategies for
control and interdiction. Such a systematic approach could provide the basis for a new paradigm
for the study of cybercrime.

33

G++&'1$S
RS,%+6&* 50 -()&#-#$%&* ,'1 500&'1&#*

In the first set of cases, individual offenders are the focus of attention. All these offenders were
male; four were under 30 when they committed their offences, the other two were in their mid-
30s. Only one of these cases had a financial motive, although Pearson, the offender, denied this.
Cleary and Auernheimer claimed that the reason for their offending was, at least in part,
altruistic. They wanted to demonstrate that, despite claims to the contrary, the data repository of
large corporations and organizations, which kept important confidential information on their
clients, was not secure. It is likely that the desire for fame and recognition of their skills also
played a part in their actions. Swartz was also motivated by ideology and believed that
information should be freely accessible. The two other hackers were pushed by emotional
reasons: Chaney by his obsession with the stars, and Yin, by his desire for revenge after losing
his job. Pearson benefited financially from hacking, but he could potentially have stolen much
more. The final case illustrates the potential harm that just one cybercriminal might cause. All
faced the risk of long prison sentences.

4(,' "6&,#(. KK5H 5' H/"G
ollce ln Lhe uk arresLed 19-year-old 8yan Cleary for allegedly orchesLraLlng a dlsLrlbuLed
denlal-of-servlce (uuoS) aLLack agalnsL Lhe webslLe of Lhe 8rlLlsh Serlous Crganlsed Crlme
Agency (SCCA) webslLe ln 2011, and Lhe webslLes of Lhe lnLernaLlonal lederaLlon of Lhe
honographlc lndusLry and Lhe 8rlLlsh honographlc lndusLry, Lhe prevlous year. Cleary
allegedly renLed and subleL a large boLneL Lo conducL Lhe aLLack. Cleary was assoclaLed wlLh Lhe
hacklng group LulzSec, alLhough Lhe group lLself denled LhaL Cleary was a member, buL merely a
loose assoclaLe. Cleary's arresL followed hls exposure by Anonymous who publlshed hls name,
address, and phone number as reLallaLlon agalnsL Cleary's hacklng lnLo Lhe group AnonCps'
webslLe and exposlng over 600 nlcknames and l addresses. Cleary was reporLed as sLaLlng LhaL
AnonCps was 'publlclLy hungry'. Cleary has pleaded gullLy Lo mosL of Lhe charges and wlll be
senLenced ln May 2013.
117


G'1#&O G:&#'3&$%&#. G++6& $=,1 H'55+
ln !une 2010, 23-year-old Andrew Auernhelmer managed Lo obLaln Lhe emall addresses of
114,000 lad users lncludlng celebrlLles and pollLlclans, by hacklng Lhe webslLe of Lhe
LelecommunlcaLlon company A1&1. Auernhelmer was a member of Lhe group CoaLse SecurlLy,
LhaL speclallzes ln uncoverlng securlLy flaws. 1he aLLack was carrled ouL when Auernhelmer and
oLher hackers reallzed Lhey could Lrlck Lhe A1&1 slLe lnLo offerlng up Lhe emall address of lad
users lf Lhey senL an P11 requesL LhaL lncluded Lhe SlM card serlal number for Lhe
correspondlng devlce. Slmply guesslng serlal numbers, a Lask made easy by Lhe facL LhaL Lhey
were generaLed sequenLlally durlng manufacLurlng, generaLed a large number of addresses.
Auernhelmer and CoaLse released deLalls abouL Lhe aLLacks Lo Cawker Medla. ShorLly afLer, Lhe

117
E Chickowski, Notorious Cybercrooks of 2011 and how they Got Caught, (2011) Dark Reading,
<http://www.darkreading.com/security/attacks-breaches/232300124/the-most-notorious-cybercrooks-of-2011-and-
how-they-got-caught.html?itc=edit_stub>; see also Olson, 2012, op.cit.
36

l8l arresLed Auernhelmer ln connecLlon wlLh Lhe breach. ln March 2013, he was senLenced Lo 3
x years ln prlson for explolLlng A1&1 securlLy flaw, buL was unrepenLanL for hls acLlon.
118


G,#5' HO,#28. "5'2&'2 K5O'65,1&#
A programmer and fellow aL Parvard unlverslLy's Safra CenLer for LLhlcs, 24-year-old Aaron
SwarLz was lndlcLed ln 2011 afLer he downloaded more Lhan 4 mllllon academlc arLlcles Lhrough
Lhe MassachuseLLs lnsLlLuLe of 1echnology (Ml1) neLwork connecLlon Lo !S1C8, an onllne
academlc reposlLory. SwarLz used anonymous log-lns on Lhe neLwork ln SepLember 2010 and
acLlvely worked Lo mask hls log-lns when Ml1 and !S1C8 Lrled Lo sLop Lhe masslve draln of
copyrlghLed maLerlal. AfLer !S1C8 shuL down Lhe access Lo lLs daLabase from Lhe enLlre Ml1
neLwork, SwarLz wenL on campus, dlrecLly plugged hls lapLop ln Lhe lnformaLlon lnfrasLrucLure
of a Ml1 neLworklng room, and lefL lL hldden as lL downloaded more conLenL. Powever, an l1
admlnlsLraLor reporLed Lhe lapLop Lo Lhe auLhorlLles. A hldden webcam was lnsLalled and when
SwarLz came and plcked up hls lapLop, he was ldenLlfled and arresLed. SwarLz dld noL sLeal any
confldenLlal daLa and, once Lhe conLenL of Lhe slLe had been secured, !S1C8 dld noL wlsh Lo
lnlLlaLe legal acLlons, however, Lhe ALLorney Ceneral wenL ahead and charged SwarLz wlLh 13
counLs of felony.
119
SwarLz was known as 'a freedom-of-lnformaLlon acLlvlsL' who called for clvll
dlsobedlence agalnsL copyrlghL laws, parLlcularly ln relaLlon Lo Lhe dlssemlnaLlon of publlcly
funded research. SwarLz sald he was proLesLlng how !S1C8 llmlLed academlc research and LhaL
he had planned Lo make Lhe arLlcles he downloaded publlcly and freely avallable. Larly ln 2013,
!S1C8 made mllllons of academlc arLlcles avallable Lo Lhe publlc for free. SwarLz's llfe ended
Lraglcally when he commlLLed sulclde ln early 2013, before hls courL case was flnallsed. Pls
famlly accused Lhe governmenL of havlng some responslblllLy for hls deaLh because of Lhe
overzealous prosecuLlon of whaL Lhey descrlbed as a non-vlolenL vlcLlmless crlme. ln March
2013 he was posLhumously awarded Lhe !ames Madlson Award by Lhe Amerlcan Llbrary
AssoclaLlon, a prlze Lo acknowledge Lhose who champlon publlc access Lo lnformaLlon.
120


"3#$*25+3&# "3,'&(. "&6&)#$2( Y,-<&#,88$
ln whaL amounLed Lo 'cybersLalklng', celebrlLy-obsessed ChrlsLopher Chaney, 33 years, used
publlcly avallable lnformaLlon from celebrlLy blog slLes Lo guess Lhe passwords Lo Coogle and
?ahoo emall accounLs owned by over 30 sLars, lncludlng ScarleLL !ohansson, Mlla kunls, and
ChrlsLlna Agullera. Pe successfully managed Lo hack lnLo Lhe accounLs and seL up an emall-
forwardlng sysLem Lo send hlmself a copy of all emalls recelved by Lhe sLars. lrom november
2010 Lo CcLober 2011, Chaney had access Lo emalls, phoLos, and confldenLlal documenLs. Pe
was responslble for Lhe release of nude phoLos of ScarleLL !ohansson LhaL subsequenLly
clrculaLed on Lhe lnLerneL. Pe was also accused of clrculaLlng nude phoLos of Lwo (non-

118
Chickowski, 2011, ibid.; see also <http://en.wikipedia.org/wiki/Goatse_Security>; O Thomas, Infamous iPad
Hacker Makes no Apology as he Faces Jailtime, Business Insider, 18 March 2013,
<http://au.businessinsider.com/andrew-weev-auernheimer-att-ipad-hacker-sentencing-2013-3>.
119
Chickowski, 2011, op.cit.; <http://about.jstor.org/news/jstor-statement-misuse-incident-and-criminal-case>.
120
A Cohen, Was Aaron Swartz really Killed by the Government, Time Ideas, 18 January 2013,
<http://ideas.time.com/2013/01/18/was-aaron-swartz-really-killed-by-the-government/>; J Bort, The American
Library Association Has Given Aaron Swartz Its First Ever Posthumous Award, Business Insider, 16 March 2013,
< http://au.businessinsider.com/aaron-swartz-granted-posthumous-award-2013-3>.
37

celebrlLy) women buL he denled Lhls. l8l lnvesLlgaLors dld noL glve deLalls of how Lhey Lracked
Chaney who was senLenced Lo 10 years [all ln uecember 2012. Chaney apologlzed for hls
acLlons, he sald LhaL he empaLhlzed wlLh Lhe vlcLlms buL could noL sLop whaL he was dolng.
121


H,% Z$'. 9:--$ Y,-<&#
llred afLer belng accused of selllng sLolen Cuccl shoes and bags on Lhe Aslan grey markeL, a
former Cuccl l1 employee, Sam ?ln, 34 years, managed Lo hack lnLo Lhe company's sysLem
uslng a secreL accounL he had creaLed whlle worklng and a bogus employee's name. Pe shuL
down Lhe whole operaLlon's compuLers, cuLLlng off employee access Lo flles and emalls for
nearly an enLlre buslness day. uurlng LhaL day he deleLed servers, desLroyed sLorage seL-ups
and wlped ouL mallboxes. Cuccl esLlmaLed Lhe cosL of Lhe lnLruslon aL $200,000. ?ln was
senLenced Lo a mlnlmum of 2 years and a maxlmum of 6 years [all ln SepLember 2012.
122


R1O,#1 =&,#*5'. P1&'2$2( Q3&02
Crlglnally from ?ork, norLhern Lngland, 23-year old Ldward earson sLole 8 mllllon ldenLlLles,
200,000 ayal accounL deLalls, and 2,700 bank cards number beLween !anuary 2010 and
AugusL 2011. uslng Lhe malware Zeus and SpyLye, whlch he rewroLe Lo sulL hls purpose, he
managed Lo noL only hack lnLo Lhe ayal webslLe buL also lnLo Lhe neLworks of ACL and nokla,
whlch remalned down for Lwo weeks. earson flnally goL caughL afLer hls glrlfrlend Lrled Lo use
forged credlL cards Lo pay hoLel bllls. Pe was descrlbed as 'lncredlbly LalenLed' and a clever
compuLer coder, who had been acLlve ln cybercrlme forums for several years prlor Lo hls
hacklng spree. Pls lawyer, however, argued LhaL earson was noL so lnLeresLed ln maklng
money buL LhaL hacklng was 'an lnLellecLual challenge'. A prosecuLor esLlmaLed LhaL based on
Lhe lnformaLlon he had sLolen, he could poLenLlally have sLolen $13 mllllon, yeL, before hls
arresL, he had only sLolen around $3,700, whlch he had spenL on Lakeaways and moblle phone
bllls. earson was senLenced Lo 26 monLhs [all ln Aprll 2012.
123


The next set of cases involves small groups or networks of offenders, and illustrates the diversity
of OCGs operating across crime types. LulzSec was a loose network of like-minded hackers
responsible for infiltrating the systems of high profile organizations, supposedly to draw
attention to potential security failures. W0nderland was a members-only group that exchanged
illicit images of children until it was closed down in 1998. DrinkOrDie was an organization
devoted to piracy and the dissemination of pirated content. The four other organizations were
motivated by financial profit. Each organization was the target of successful law enforcement
action, and, as such, they may not be representative of other organisations that managed to avoid
prosecution. One common characteristic of these groups was their transnational reach. Each was

121
<http://www.fbi.gov/losangeles/press-releases/2011/florida-man-arrested-in-operation-hackerazzi-for-targeting-
celebrities-with-computer-intrusion-wiretapping-and-identity-theft>; Chickowski, 2011, op.cit.
122
L Italiano, Ex-Staffer Sentenced to 2-6 Years for Hacking into Guccis System, New York Times, 10 September
2012,
<http://www.nypost.com/p/news/local/manhattan/ex_staffer_sentenced_to_years_for_13AyFGWuEyvGrnEaj7ZyiO
123
M Liebowitz, UK Hacker Sentenced for Stealing 8 Million Identities, NCB News, 4 April 2012,
<http://www.nbcnews.com/id/46955000/ns/technology_and_science-security/t/uk-hacker-sentenced-stealing-
million-identities>.
38

comprised of members from different countries and was active across borders. Some members of
these groups have been convicted for their cybercrimes, and we cannot avoid wondering at the
disparity in sentencing between the members of W0nderland, who besides their cyber activities
were also physically abusing children but were sentenced to a maximum of 2 ! years jail, and
the long prison sentences meted out to some of the hackers, who committed non-violent
offences.

[:68H&- ,'1 H5'( Y,-<&#*
Cody kreLslnger (nlcknamed 8ecurslon) was arresLed for allegedly carrylng ouL an aLLack agalnsL
Sony lcLures on behalf of LulzSec ln SepLember 2011. kreLslnger, aged 23, was arresLed when
Lhe uk-based proxy server PldeMyAss, a servlce LhaL dlsgulses Lhe onllne ldenLlLy of lLs
cusLomers, provlded logs Lo pollce, whlch allowed Lhem Lo maLch Llme-sLamps wlLh l
addresses and ldenLlfy kreLslnger.
124
ln Aprll 2012, kreLslnger pleaded gullLy Lo breachlng Sony
lcLures LnLerLalnmenL, consplracy and aLLempLlng Lo break lnLo compuLers, and he was laLer
senLenced Lo one year ln [all and 1,000 hours communlLy servlce. kreLslnger wlLh oLher
members of LulzSec hacklng group obLalned confldenLlal lnformaLlon from Lhe compuLer
sysLems of Sony lcLures by uslng an SCL ln[ecLlon aLLack agalnsL Lhe webslLe. 1hey
dlssemlnaLed Lhe sLolen daLa on Lhe lnLerneL. 1he sLolen daLa conLalned confldenLlal
lnformaLlon such as names, addresses, phone numbers, and e-mall addresses for Lhousands of
Sony cusLomers. 1he hackers dld noL use Lhe daLa lllegally buL wanLed Lo demonsLraLe Sony's
webslLe was noL secure. PecLor xavler Monsegur, 28, Lhe former alleged leader of LulzSec, was
arresLed ln !une 2011 and agreed Lo acL as an lnformanL for Lhe l8l. Pe provlded lnformaLlon on
hls fellow hackers and ls belleved Lo have played an lmporLanL role ln Lhe ldenLlflcaLlon and
arresL of oLher members. CLher members of LulzSec lnclude 8yan Cleary (19), !eremy
Pammond (27), MusLafa al-8assam (18), !ake uavls (18), and 8aynaldo 8lvera (20) who all
pleaded gullLy and are awalLlng senLenclng ln May 2013. Cn 24 Aprll 2013, Lhe AusLrallan
lederal ollce (Al) arresLed a Sydney man known onllne as Aush0k who had clalmed Lo be Lhe
leader of Lhe LulzSec hacklng group.









\$7:#& B@ [:68H&- 6575E , 3,-<$'7 7#5:+ ,**5-$,2&1 O$23 G'5'(%5:*

124
Chickowski, 2011, op.cit; Olson, 2012, op.cit.
39


;A'1&#6,'1
Cn 2 SepLember 1998 a mulLl-naLlonal pollce lnvesLlgaLlon codenamed CperaLlon CaLhedral
ended wlLh slmulLaneous ralds ln 14 counLrles, durlng whlch 107 lndlvlduals were arresLed
because of Lhelr lnvolvemenL ln chlld pornography. 1he lnvesLlgaLlon sLarLed ln 1996 when a
10-year-old glrl ln Callfornla complalned LhaL she had been sexually molesLed by a man who
recorded Lhe abuse vla a camera aLLached Lo hls compuLer. A pollce search of Lhe compuLer
revealed LhaL Lhe accused had been communlcaLlng wlLh Lhree lndlvlduals ln Lhe uk. A search
of one of Lhe suspecLs' compuLer by uk auLhorlLles led Lo a number of addlLlonal
correspondenLs. ulLlmaLely Lhe lnvesLlgaLlon uncovered Lhe largesL and mosL prollflc chlld
pornography rlng aL Lhe Llme, Lhe W0nderland Club. 1he group had been esLabllshed ln Lhe
mld-1990s Lo faclllLaLe flle sharlng of lmages and vldeos. CollecLlvely, members possessed over
730,000 llllclL lmages of chlldren and over 1,800 dlglLlzed vldeos deplcLlng chlld abuse.
W0nderland was hlghly organlzed. rospecLlve members were carefully screened, requlrlng
sponsorshlp by an exlsLlng member and veLLlng by a membershlp commlLLee. Membershlp was
resLrlcLed Lo lndlvlduals wlLh aL leasL 10,000 lmages LhaL Lhey were wllllng Lo Lrade. Members
were parLlcularly careful abouL securlLy. Some of Lhe compuLers had maLerlal encrypLed ln such
complex ways LhaL lL was lmposslble Lo break Lhe code Lo presenL Lhe evldence ln courL.

1he group counLed 180 members ln 49 counLrles. Carr reporLed LhaL mosL of Lhe men were well
educaLed and employed ln a range of professlons wlLh a slgnlflcanL number of l1 professlonals.
Some soclal lsolaLes found camaraderle ln addlLlon Lo sexual graLlflcaLlon. Carr (p.16) quoLed
one member saylng 'l never had so many frlends'. Cf Lhe 107 members arresLed, Len
commlLLed sulclde raLher Lhan face Lrlal. ln Lhe uk seven men aged from 23 Lo 46 were
senLenced ln lebruary 2001. 1he heavlesL senLence was 2 x years [all.
123


K#$'</#K$&
urlnkCrule, founded ln Moscow ln 1993, was a group of copyrlghL plraLes who lllegally
reproduced and dlsLrlbuLed sofLware, games, and movles over Lhe lnLerneL. WlLhln Lhree years
Lhe group expanded lnLernaLlonally and counLed around 63 members ln 12 counLrles lncludlng
8rlLaln, AusLralla, llnland, norway, Sweden, and Lhe uS. 1he membershlp lncluded a relaLlvely
large proporLlon of undergraduaLe unlverslLy sLudenLs who were Lechnologlcally sophlsLlcaLed
and skllled ln securlLy, programmlng, and lnLerneL communlcaLlon. 1he group was hlghly
organlzed, hlerarchlcal ln form, and enLalled a dlvlslon of labour. A new program was ofLen
obLalned Lhrough employees of sofLware companles, 'crackers' sLrlpped Lhe conLenL of lLs
elecLronlc proLecLlon, 'LesLers' made sure Lhe unproLecLed verslon worked, and 'packers'
dlsLrlbuLed Lhe plraLed verslon Lo around 10,000 publlcly accesslble slLes around Lhe lnLerneL.
1he conLenL was avallable Lo casual users and Lo oLher crlmlnal enLerprlses for commerclal

125
J Carr (2001), Theme Paper on Child Pornography for the 2
nd
World Congress against the Commercial Sexual
Exploitation of Children,<http://www.childcentre.info/robert/extensions/robert/doc/
67ba32d30c03c842b7032932f2e6ce74.pdf>; G Niland, Net Paedophiles and the Malice of Wonderland,
Independent.ie, 18 February 2001, < http://www.independent.ie/opinion/analysis/net-paedophiles-and-the-malice-
of-wonderland-26247206.html>.
40

dlsLrlbuLlon. Members were noL moLlvaLed by proflL buL by Lhelr deslre Lo compeLe wlLh oLher
and achleve recognlLlon as Lhe flrsL group Lo dlsLrlbuLe a perfecL copy of a newly plraLed
producL. urlnkCrule's mosL promlnenL achlevemenL was lLs lllegal dlsLrlbuLlon of Wlndows 93
Lwo weeks prlor Lo Lhe offlclal release by MlcrosofL. 1he group was dlsmanLled by auLhorlLles ln
2001 and 20 members were convlcLed worldwlde. Lleven people were prosecuLed ln Lhe uS ln
2002 lncludlng one woman. 1hey were beLween 20 and 34 years. 1wo of Lhe leaders were
senLenced Lo 46 and 33 monLhs [all respecLlvely.
126


K,#< F,#<&2
uark MarkeL was a webslLe provldlng Lhe lnfrasLrucLure for an onllne bazaar where buyers and
sellers of credlL card and banklng deLalls could meeL and llllclL maLerlal such as mallclous
sofLware could be purchased. 1he forum was founded ln May 2003. 8anklng and card deLalls
were llllclLly obLalned by varlous means, lncludlng surrepLlLlous recordlng aL A1Ms uslng
'sklmmlng' devlces, unauLhorlzed access Lo personal or buslness lnformaLlon sysLems, or
Lechnlques of 'soclal englneerlng' where vlcLlms were persuaded Lo parL wlLh Lhe deLalls.
lnlLlally Lradlng ln sLolen lnformaLlon occurred on a one-Lo-one basls, buL glven Lhe sheer
volume of such maLerlal, uslng a forum where prospecLlve parLles could lnLeracL collecLlvely
was much more efflclenL. AL lLs peak, uark MarkeL was Lhe world's pre-emlnenL Lngllsh
language 'cardlng' slLe, wlLh over 2300 members from a number of counLrles around Lhe world,
lncludlng Lhe uk, Canada, Lhe uS, 8ussla, 1urkey, Cermany and lrance. 1he group was hlghly
organlzed. rospecLlve vendors had Lo prove LhaL Lhey were able Lo provlde useable credlL card
lnformaLlon, whlch was assessed for lLs valldlLy. Members were nomlnaLed and veLLed. A
maxlmum of four admlnlsLraLors ran Lhe slLe aL any Llme. 1hey ensured Lhe securlLy of Lhe slLe,
provlded an escrow servlce, and paLrolled Lhe slLe for 'llllclL' acLlvlLy such as deallng ln drugs or
chlld pornography. lL seemed LhaL repuLaLlon and sLaLus was more lmporLanL for Lhese vl
members Lhan self-enrlchmenL. Crdlnary members who Lraded ln lnformaLlon and used Lhe
lnformaLlon Lhey boughL Lo make money generally soughL Lo keep a low proflle. 1he forum was
lnfllLraLed by an l8l agenL and Lhe lnvesLlgaLlon resulLed ln 60 arresLs worldwlde. Cne of Lhe
mosL promlnenL members, a 33-year-old Srl-Lankan born 8rlLlsh man, was senLenced Lo 3-year
[all ln March 2010.
127


KLH"3,'7&#
Slx LsLonlan men, poslng as Lhe leglLlmaLe company 8ove ulglLal, have been arresLed ln
november 2011 for creaLlng and operaLlng Lhe unSChanger malware, whlch allowed Lhem Lo
conLrol uomaln name SysLem (unS) servers. unS ls an lnLerneL servlce LhaL converLs domaln
names lnLo numerlcal daLa LhaL compuLers undersLand. WlLhouL unS and unS servers, lnLerneL
browslng, access Lo webslLes, and emalls would be lmposslble. 1he group were runnlng an

126
<http://www.justice.gov/criminal/cybercrime/press-releases/2001/warezoperations.htm>; US Department of
Justice, Warez Leader Sentenced to 46 Months (17 May 2002) <http://www.justice.gov/criminal/cybercrime/press-
releases/2002/sankusSent.htm>.
127
Glenny, 2011, op. cit. C Davies, Welcome to Dark Market: Global One-Stop Shop for Cybercrime and Banking
Fraud, Guardian, 14 January 2010, <http://www.guardian.co.uk/technology/2010/jan/14/darkmarket-online-fraud-
trial-wembley>.
41

lnLerneL fraud operaLlon LhaL enabled Lhem Lo manlpulaLe lnLerneL adverLlslng. 1he malware
was propagaLed uslng soclal englneerlng Lechnlques, ln one lnsLance, Lhe malware was offered
as a vldeo coded LhaL was supposedly requlred Lo waLch adulL movles. AL lLs peak lL ls
esLlmaLed LhaL four mllllon compuLers worldwlde were lnfecLed wlLh Lhe malware. unSChanger
worked by subsLlLuLlng adverLlslng on webslLes wlLh adverLlslng sold by 8ove ulglLal and
redlrecLlng users of lnfecLed compuLer Lo rogue servers conLrolled by afflllaLes of Lhe group.
When users cllcked on Lhe llnks Lo a llclL offlclal webslLe, Lhey were ln facL Laken Lo a fake
webslLe LhaL resembled Lhe leglLlmaLe webslLe buL promoLed fake, and someLlmes dangerous,
producLs. 1he group allegedly neLLed $14 mllllon ln sLolen adverLlslng vlews. A [olnL operaLlon,
CperaLlon ChosL Cllck, beLween Lhe l8l and prlvaLe corporaLlons over flve years was
underLaken afLer 1rend Mlcro researchers ldenLlfled Lhe gang's boLneL. 1he slx offenders were
aged beLween 26 and 31 years. lL ls llkely Lhey wlll all be exLradlLed Lo Lhe uS for Lrlal. A sevenLh
member of Lhe group ls a 31-year-old 8usslan man who has noL yeL been arresLed.
128


",#)&#+
Carberp ls a malware deslgned Lo sLeal banklng lnformaLlon, whlch flrsL appeared ln 2009.
lnlLlally, Carberp was used excluslvely by a small closed group operaLlng only ln 8usslan-
speaklng counLrles. ln 2011 Lhe malware's creaLors sLarLed selllng lL Lo a few cusLomers ln Lhe
former SovleL unlon. ln March 2012, followlng a [olnL lnvesLlgaLlon wlLh Croup-l8, a 8usslan
cyber securlLy flrm, 8usslan auLhorlLles arresLed elghL Carberp operaLors. 1he group was led by
Lwo broLhers ln Lhelr laLe 20s. Cne of Lhem was already a known crlmlnal wlLh a record relaLed
Lo real esLaLe fraud. 1he group demonsLraLed a hlgh level of collaboraLlon. Carberp's group
members were worklng remoLely from dlfferenL clLles ln ukralne. uslng sLolen banklng daLa,
Lhey lllegally Lransferred large sums of money lnLo accounLs conLrolled by Lhe group. 1he
money was Lhen wlLhdrawn from a varleLy of A1M machlnes ln Lhe Moscow area. lL ls
esLlmaLed Lhe group had sLolen around $2 mllllon from over 90 vlcLlms.
129


uesplLe Lhe arresL Carberp conLlnued Lo evolve wlLh added funcLlonallLy. Slnce lLs creaLlon,
Lhree dlfferenL cybercrlme groups worked wlLh Carberp.
130
1he flrsL group had a dlrecL
assoclaLlon wlLh Lhe creaLor of Lhe malware. ln 2010 Carberp source code was sold Lo Lhe
organlzer of Lhe second group and Lhey worked ln parallel Lo develop a second verslon. 1he
Lhlrd group was already engaged ln onllne bank fraud wlLh Lhe boLneL Crlgaml PodproL buL
swlLched Lo uslng Carberp ln 2011. As Lhe boLneL grew, Lhe group's operaLlons became
lncreaslngly organlsed and members of Lhe group were hlghly coordlnaLed. 1hey had
command-and-conLrol servers ln several Luropean counLrles and Lhe uS and aLLacked 8usslan
as well as forelgn banks. ln uecember 2012, members from Lhe Carberp Leam posLed messages
on underground 8usslan cybercrlme forums, offerlng a new verslon of Carberp for renL. AL
uS$40,000 per monLh, Lhls was one of Lhe mosL expenslve klLs ln hlsLory. Carberp ls sald Lo be

128
FBI press release, <http://www.fbi.gov/news/stories/2011/november/malware_110911>;
<http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/>.
129
G Warner, Russian MVD Announces Arrest of Carberp Gang, Cybercrime and Doing Time, 20 March 2012,
<http://garwarner.blogspot.com.au/2012/03/russian-mvd-announces-arrest-of-carberp.html>.
130
A Matrosov, All Carberp Botnet Organizers Arrested, ESET, < http://www.welivesecurity.com/2012/07/02/all-
carberp-botnet-organizers-arrested/>.
42

more effecLlve and more dangerous Lhan Zeus and SpyLye, and mlghL soon be able Lo LargeL uS
and AusLrallan banks.
131


]M'6$%$2&1 /+&#,2$5'T
Cn 9 May 2013 ln Lhe new ?ork federal courL, elghL men were charged for wlLhdrawlng uS$2.8
mllllon ln sLolen cash from a number of A1M machlnes. 1hese men formed Lhe new ?ork cell of
an lnLernaLlonal cybercrlme rlng runnlng 'unllmlLed operaLlons'. 1he head quarLer of Lhe cyber
gang ls locaLed ouLslde of Lhe uS, buL Lhere may be oLher cells ln Lhe uS. 1he masLermlnds of
Lhe group had hacked Lhe neLwork of global flnanclal lnsLlLuLlons Lo sLeal prepald deblL card
daLa. 1hey managed Lo ellmlnaLe Lhe wlLhdrawlng llmlL on Lhese cards. uslng fake cards
manufacLured from Lhe sLolen daLa, 'casher crews' were able Lo wlLhdraw vlrLually unllmlLed
funds from A1Ms around Lhe world. 1he group arresLed ln new ?ork was one of Lhese 'casher
crews'. AlLhough he was charged, Lhe leader of Lhe gang had been murdered ln Aprll. Slx of Lhe
seven suspecLs were under 23 years, and all were uS clLlzens. 1wo worked as bus drlvers for a
prlvaLe company.
132
1he new ?ork gang conducLed Lwo successful operaLlons. uurlng Lhe flrsL
one, whlch occurred ln uecember 2012, a LoLal of uS$3 mllllon was wlLhdrawn ln 20 counLrles.
ln new ?ork ClLy, Lhe group scoured 140 A1Ms and sLole uS$400,000, ln [usL 2 hours and 23
mlnuLes. 1he second operaLlon wenL for [usL over 10 hours on 19-20 lebruary 2013.
Worldwlde, over uS$40 mllllon was Laken, ln new ?ork ClLy, Lhe defendanLs wlLhdrew uS$2.4
mllllon from around 3,000 A1Ms. 1he success of such aLLacks revolves around Lhe speed and
mlnuLla of Lhese 'unllmlLed operaLlons'. 1he new ?ork prosecuLor remarked:
133

'unllmlLed operaLlons' are marked by Lhree characLerlsLlcs: 1) Lhe surglcal preclslon of Lhe
hackers carrylng ouL Lhe cyber-aLLacks, 2) Lhe global naLure of Lhe cybercrlme
organlzaLlon, and 3) Lhe speed and coordlnaLlon wlLh whlch Lhe organlzaLlon execuLes lLs
operaLlons on Lhe ground. 1hese aLLacks rely upon boLh hlghly sophlsLlcaLed hackers and
organlzed crlmlnal cells whole role ls Lo wlLhdraw Lhe cash as qulckly as posslble'.


131
Constantin, L. 2012, Improved Carberp Banking Malware will Target North American Banks, Group-IB Says,
IDG News Service, 17 December 2012,
<http://www.computerworld.com.au/article/print/444820/improved_carberp_banking_malware_will_target_north_a
merican_banks_group-ib_says/>.
132
J Marzulli, Global Cyber, ATM Heist Nets Thieves $45 Million from 26 Countries, NY Daily News, 9 May
2013, <http://www.nydailynews.com/new-york/cyber-thieves-busted-45-million-heist-article-1.1339051>.
133
US Attorneys Office, Eight Members of New York Cell of Cybercrime Organization Indicted in $45 Million
Cybercrime Campaign, 09 May 2013, <http://www.justice.gov/usao/nye/pr/2013/2013may09.html>.