Practical, Active, Effective Cybersecurity Solutions

Education Blog

Practive Security Education and Knowledge

Practive Security 101: The Cybercrime Underground Economy

Threat Actor Introduction - Cybercrime and The Underground Economy


In the security industry, we group what we call threat actors typically by their primary motivation and activity. 

We have Activists who are typically using technology to exert their influence on others in pursuit of political, ideological, religious, or cultural change. This is typically a smaller group of actors who tend to be among the least sophisticated but most vocal. As famously made evident by Anonymous and the “Occupy” movement of the early 2000s, they do tend to blend kinetic actions with virtual ones. Activists tend to be overtly destructive, though in recent years they have become more quietly subversive and often act as organizers of physical protests.

We also have Nation State threat actors who vary broadly but tend to all have this in common: they are either directly or indirectly resourced, tasked, or otherwise operating on behalf of the interests of their affiliated state. Operations and even organizing structures are typically divided between an interior policing focus, an interior political focus, and an exterior political or military focus. Think of state-operated espionage programs, programs of influence and subversion, and then kinetic or war-fighting capabilities. The United States, Russia, China, Israel, France, UK, Germany, Italy, Australia, North Korea, South Korea, Iran, and Vietnam are nations that are generally considered top-tier and very active in operating official cyber programs. In the case of China, Vietnam, North Korea, and Russia, state-sponsored cyber programs also operate against private citizens and businesses of foreign entities, a practice that is considered “off limits” in the West.

A relatively new form of threat actor that has emerged in recent years is Social or Cultural Influencers. These actors can vary widely and are often ignored due to their seemingly “normal” profile. Today, Big Tech CEOs have actually publicly stated intent to use their businesses, money, and power to overtly influence cultural change in the United States. They view themselves as generals of a sort in a culture war, and they should not be discounted. Use of major media platforms to influence public opinion, suppress information, and elevate or support false narratives has become common. At a lower level but of a similar kind are social media influencers who use their fame to espouse political or cultural ideology, hoping they can enact change. Practive Security considers these as internal threats, because they are using technology as a means to force behavioral change in service to their motives, just as Activists are.

Finally, we have what is likely the largest group of threat actor types: Financial Actors, or Financially Motivated actors. These are simply those who conduct criminal actions via the Internet as a means to fulfill or empower their lives. It is this third group that we will focus on here.

Welcome to the Underground

When we think about cyber crime, for many of us the image that comes to mind is likely one built by Hollywood and movies. One of my favorites is a character in the movie Die Hard with a Vengeance who lives in the basement of his mother’s home. He seems like a classic loser, but he’s also the only one connected with communication capabilities when the power goes out. Then there’s the classic Dennis Nedry character from Jurassic Park - a fat pig of a man who also holds a day job in the park with legitimate credentials, but also plays the underground.

In reality, the cyber crime world does have those types, but it is also populated by individual professionals, organized criminal gangs, the mafia (yes!), political and cultural activists, people who work day jobs as unassuming IT experts, and even professional businesses that offer salaries and benefits. Nation state actors, whether they are mercenaries for hire or actual government employees, have also been known to moonlight in the underground for more money.

Indeed, some of the larger organized crime operations that sell or rent access to hacking tools and infrastructure are so well funded and organized that they offer 24x7 tech support and service guarantees, even health benefits and paid time off for their employees.

But it’s not only that. There are some criminal organizations that are so well organized and managed, that they employ normal people who think they have a normal job, but are in fact committing financial crime every time they go to work. 

I once participated in the discovery and takedown of a Nigeria-based criminal organization engaging in identity theft and tax fraud, that had local workers recruited by a local business man, but the entire operation was overseen by a Russian man living in Ukraine who was under protection from the government. The people he employed in Africa thought they were working data entry IT jobs, and had no idea they were involved in crime. Their local recruiter also flaunted himself online claiming to be a local tech expert available for hire on-demand. When we concluded our investigation, we believed that the only person involved who truly knew it was a criminal enterprise, was the man in Ukraine running it all. But we also believe that he wasn’t the one stealing the financial data he had his “employees” using. We believe that he was purchasing all that stolen information from underground forums, organizing it, and then turning the use of that information into identity theft and tax crimes.

But in fact the cybercrime world and underground economy deals in much more than many understand. The underground economy, mostly fueled by cybercrime, deals in things like:

  • Stolen goods for sale (identity data, passwords or other property)

  • Tools & infrastructure for sale (like hacking tools, exploit code, botnets, communication tools etc.)

  • Services to hire (like on-demand hacking support)

  • Access for sale (including compromised email accounts, website accounts, hacked computers or networks)

  • Tradecraft to share or sell

  • Communities and forums (to share ideas or build camaraderie) 

  • Human trafficking

  • Weapons, drugs, contraband, or other illegal or illicit goods

That’s just a few, but you get the point.

It is in this underground economy that people of many varied backgrounds with varied intentions gather to conduct business that would be illegal, shut down, or simply impossible if done in plain sight.

With this basic introduction, let’s highlight some of the specific cybercrime activity and the size of this problem.

Scope and Scale

It’s important to remember that the underground economy (think of it more simply as the black market) has always existed. We tend to think it’s small and obscure and increasingly shrinking with modern law enforcement, but in fact in the era of the Internet it has exploded to unimaginable scale.

Anonymity on the Internet is a very real thing, and despite the few cases announced each year by the US DOJ against cyber criminals, by and large the crime goes unchallenged. International cooperation is basically non-existent, partly due to the fact that many of the more prolific and sophisticated actors are protected as national assets by governments like Russia, Ukraine, China, Iran, Vietnam and others. These nation states also have a vested interest in the underground economy operating uninhibited, because it’s also used to conduct state-sponsored activities.

But let’s look at the size.

According to a Cybercrime Magazine assessment, in 2025 the cybercrime economy is expected to exceed $10 trillion US, possibly closer to $12 trillion. This is effectively the third largest economy in the world. It is an economy that has been growing steadily at around 15% each year with an increasing upward trend. Although some recent forecasts claim cybercrime seems to be slowing in its rate of growth, I don’t think this will hold true for long.

To put this $12 trillion economy into perspective, the total US economy is estimated to be $29 trillion, making the cybercrime world about ⅓ of that. For reference, the US economy is ¼ of the total world economy.

A 2021 prediction estimated that cybercrime activity would cause $16 billion a day in damages, globally.

It is a massive ecosystem.

The Revenue Generation

How is it funded? We don’t entirely know, but we can pull out some highlights of different forms of cybercrime to get a basic understanding again of the scope and scale of all this.

We’re going to review 5 of the main methods the underground economy earns money.

Ransomware and Ransom Attacks

Ransom attacks are one of the most prolific forms of cyber attack today. An article from TechTarget highlights some of the biggest of these in recent years:

  • In 2025, a Catholic health system called Ascension was hit by a ransom attack and had to pay out $1.3 billion in damages.

  • In 2023 Caesars and MGM were hit by a ransom attack in which they paid a $15 million ransom but still suffered over $100 million in damages.

  • In 2024, CDK Global paid a $25 million ransom in bitcoin, but suffered $1 billion in total damages from the attack.

  • In 2024, UnitedHealth suffered $2.5 billion in damages including a $22 million ransom payment in an attack that affected 100 million people.

Ransom attacks are not just limited to large organizations like these, although the bigger operations do go after the biggest fish they can - especially organizations that are the most likely to pay out, including the medical industry and critical infrastructure providers.

But extortion and ransom attacks do target individuals, demanding much smaller forms of payment to unlock computers or pay off some threat. There are even similar extortion scams that will implant illegal content on your computer and threaten to report you to law enforcement unless you pay. These damages are small, typically in the hundreds to low thousands of dollars in demands, and of course they go unreported, but they add up.

Data for Sale

Data theft is also a constant problem. Threat actors work around the clock to spread malware throughout the Internet in various ways. They run scanners and probes that are constantly looking for weaknesses in websites they can exploit. They embed malicious code into websites and ads, they use impersonation scams and phishing to deliver malware onto people’s laptops, and they distribute pirated or fake versions of software or other content that contains hidden malware. They also compromise legitimate Internet properties and websites and steal information directly from them. All of this is in service to collecting as much data as possible, which they can turn around for a profit on the underground. Some of the top data sources that are stolen and sold include:

  • Passwords - especially if the username and related account information is paired with it

  • Credit card numbers

  • Identity-related data such as driver’s license numbers, physical addresses, email addresses, social security numbers (in whole or part)

  • Intellectual property including process documents, designs, or other confidential information, as well as media like movies and software

Financial Fraud

Financial fraud itself is a broad topic that includes multiple types of attacks and scams with varied levels of impact.

Fraudulent purchases using stolen credit cards were estimated to impact 63% of US credit card holders, with 62 million Americans reporting fraudulent charges in 2024 exceeding $6 billion total.

That’s $6 billion in purchases, many times with the purchased good or service having been shipped or delivered by the vendor. Some of the most commonly purchased items with stolen credit cards are gift cards, transportation, or tickets to sporting events. 

Someone has to foot this bill, and that’s usually our banks who write it off as losses, but also pass the impact in part to their customers through banking fees, interest rates, and other means of recouping the damages.

Fortunately about 90% of cases involving fraudulent credit purchases are “refunded” by banks, but not all are, and again, those banks have to recover the loss somehow.

Fraudulent loans or lines of credit opened using identity theft are another form of financial fraud. It is a little more difficult to get an accurate picture of the total scale here, but fraudulent loans have been reported in small amounts totaling a few thousand dollars, to moderate amounts in the tens of thousands. The most common form of financial fraud involving credit is opening credit card accounts using stolen identities.

According to Experian, a credit management company:

  • The FTC logged 1.1 million identity theft reports in 2024

  • There were 2.6 million identity theft related cases of fraud in 2024

  • Total losses were estimated at $12 billion in that year alone

That’s just among the most common forms of financial fraud.

Infrastructure for Sale

This is another huge topic that is difficult to summarize in whole, but to understand this side of the problem, we are going to use the Mirai botnet as one example.

The Mirai botnet was one of the largest that has ever existed. Its total size is unknown, but its operators developed a new way to target and compromise IoT devices all over the world, largely personal Wi-Fi routers and Internet-connected security cameras. After implanting their malware, they were able to take control of the devices and had set them up to work collectively in an automated manner in destructive attacks known as Distributed Denial of Service or DDoS.

After proving their capability in a massive global attack in 2016, the Mirai botnet operators offered the network “for rent” with a weekly rental cost of $4,000 to control 50,000 bots or $7,500 to control 100,000 bots. Again, that’s a weekly rate.

But it’s not just botnets that are for sale. Simple tools, exploit code, phishing email generators, GenAI variants designed to create or operate attacks, command and control infrastructure needed for malware…it’s all for sale in the underground to be used by whomever wants to purchase access.

Crypto Mining and Wallet Theft

In recent years, the creation of cryptocurrency and miners has also introduced a new revenue generation scheme for the underground. 

In mining operations, threat actors compromise legitimate Internet infrastructure or computers connected to the Internet, and they install tiny miners that can easily go unnoticed. Some miners can even run within your web browser. In larger attacks, these actors will re-purpose large amounts of server infrastructure, especially in cloud computing environments, to run miners at massive scale. The simple goal is to generate new cryptocurrency.

But there are also actors who focus on cryptocurrency theft. They create and run scams or overt hacking operations (often using phishing and malware) to steal cryptocurrency wallets or to transfer cryptocurrency from wallets to accounts under their control. In fact, the North Korean government uses cryptocurrency theft as a major source of revenue to bypass sanctions. They target not only individuals, but also cryptocurrency exchanges and investment accounts that hold large amounts of cryptocurrency.

The Impact

What does this all mean for you and me?

Disruptions to Services

As previously highlighted, ransom attacks target organizations that are part of our critical infrastructure, including hospitals and emergency responders. When these institutions are impacted, it means everyone they serve is impacted. This can cause delayed or missed diagnoses or treatments, or general stress on the staff and industry at large.

Social Decay

In sum, all of this theft goes toward funding criminals who use it to enrich their lives at the expense of others, but much of the criminal underground is interested in more than just crime to make money. They also deal in or facilitate other illegal and illicit activity, including physical crime, human trafficking, weapons sales, pornography, pirated software, just to name a few things. So as this underground world grows, so does the size and scale of human suffering and sin in our world that rises above the surface. It is like a contaminant that permeates all of society.

Increased Costs of Goods and Services

Due to the scale of some of the larger cyber operations, large companies can have massive payouts. Often this is the result of having to improve IT infrastructure and processes to stop the breach and prevent it from recurring, but also a result of paying to prevent damages to customers in the form of credit monitoring and identity theft protection services…sometimes for millions of customers. These companies have to recover these damages, and often do so through lowering investments and/or slowing down the business to reduce operating costs, reducing profit margins that can also shrink the business, laying off employees, or simply increasing costs for customers.

Banks and other financial institutions roll their losses down to the customer through increased fees or percentage rates. Banks try to keep this all transparent, but true write-off damages mean lower overall revenues, which affects business taxes and government revenue.

Additionally, cybersecurity or data breach insurance has become a market in and of itself. Now larger corporations pay a premium for insurance, to offset the damages they have to pay in the event of a data breach. But having to pay for insurance is an impact to the operating costs of the business, which always translates to decreased business capabilities or higher prices.

Personal Financial Loss

Depending on the nature of the crime committed against individuals, the personal cost can vary, but might include:

  • Paying for professional services help to clean up laptops or recover data

  • Replacing laptops or mobile devices

  • Credit monitoring and identity theft protection services

  • Loss of work to address complex cases of identity theft

  • Loss of work or relationships due to reputational damages

  • Temporary loss of money while fraud cases are sorted and money is refunded

  • Paying a ransom

Stress and Anxiety

If you are the victim of cybercrime, it can be very stressful. Not only the initial shock of what the particular experience is, but also the lingering mental impact of having been the victim of a crime. It’s real and it can really bother people in significant ways that can lead to health problems or impact other normal rhythms of life.

Human Trafficking

Mentioned previously, human trafficking is a significant part of the underground economy, with organized cyber criminals partnering with physical criminals to find, lure, and capture victims. The more resources these actors have, the more successful they will be, placing many at increased risk.

Suicide

Sadly, there are many victims of cybercrime, especially of extortion scams, who become so filled with despair and anxiety over what has happened, that they take their own lives. This is a terrible reality and it’s not necessarily triggered by a single event. Many people live on the cusp of despair and a seemingly overwhelming event can push them over the edge.

Top Attack Techniques

Next we will review the top attack techniques used by the cybercrime world. These are the most common, and of course there are variations on each.

Malware

The vast majority of financially motivated cybercrime attacks involve malware installed on your computer that has been delivered via some messaging service, either SMS, email, or from a website or related web content.

When it comes to SMS or messaging attacks, they will often contain a link to a website, and that website may either be a spoofed one in which you enter information thinking you are at the real website, or it will be a weaponized website or URL that is designed to install malware on your computer.

The same is basically true of email based attacks, although they will also often include an attached file that itself has been poisoned, or what we call “weaponized.” These malicious docs can contain code that triggers your computer to download additional content, including exploit code or malware, that runs on your computer.

Web-based attacks are more difficult to spot because they often leverage malicious code that has been injected into website properties, like ads or vulnerable websites, that aren’t obvious to you. You can be compromised by simply browsing to a website or viewing an ad that has been poisoned.

Weaponized Apps or Pirated Software

It is very common for apps within open mobile OS app stores, or licensed software or other media shared through peer-to-peer networks (like torrent / BitTorrent), to have been weaponized or poisoned with features or installers that perform malicious actions on your device.

The malicious attributes might perform functions directly, or they may be initial installers that connect to an online service and download malware to be installed locally.

Stolen Credentials

Another extremely common technique used by cybercriminals to gain initial access that later leads to data theft is simply logging into an online account or service using a stolen (and purchased) username and password combination.

This is the lowest level of effort required, since the adversary can often simply buy access and once they are in, they can use the legitimate service or platform to do whatever they want with the data therein.
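Because the adversary is replaying purchased username/password pairs rather than guessing, the defender-side tell is one source address trying many *distinct* usernames in a short window, mostly failing and occasionally succeeding. The following detector, an added example that is not part of the original post, walks constructed authentication log lines and flags that pattern; the log format, field names and thresholds are assumptions chosen for illustration.

```python
"""Detect credential-stuffing patterns in authentication logs.

Added example (not from the Practive Security post). The log format
"<ISO time> <ip> <user> <SUCCESS|FAIL>", the field names and the
thresholds are assumptions for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one stuffing source (203.0.113.7), one legitimate
# user who mistypes twice, one shared NAT address with a few users spread over
# hours, and one malformed line the parser must skip.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 alice FAIL
2024-05-01T10:00:03 203.0.113.7 bob FAIL
2024-05-01T10:00:06 203.0.113.7 carol SUCCESS
2024-05-01T10:00:09 203.0.113.7 dave FAIL
2024-05-01T10:00:12 203.0.113.7 erin FAIL
2024-05-01T10:00:15 203.0.113.7 frank FAIL
2024-05-01T10:00:18 203.0.113.7 grace FAIL
2024-05-01T10:00:21 203.0.113.7 heidi FAIL
2024-05-01T10:02:00 198.51.100.20 alice FAIL
2024-05-01T10:02:10 198.51.100.20 alice FAIL
2024-05-01T10:02:20 198.51.100.20 alice SUCCESS
2024-05-01T08:00:00 192.0.2.5 ivan SUCCESS
2024-05-01T12:00:00 192.0.2.5 judy SUCCESS
2024-05-01T16:00:00 192.0.2.5 mallory SUCCESS
2024-05-01T16:00:05 this line is malformed
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")


def parse_log(text):
    """Return a list of (timestamp, ip, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # never let one bad line crash the detector
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag source IPs that try at least `min_distinct_users` different usernames within `window`.

    Returns {ip: {"distinct_users": n, "failures": n, "compromised_accounts": [...]}}
    where compromised_accounts lists every account that logged in successfully
    from a flagged IP, i.e. the accounts a responder should lock and reset.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()  # tuples sort by timestamp first
        start = 0
        best_distinct = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {e[2] for e in evs[start:end + 1]}
            best_distinct = max(best_distinct, len(distinct))
        if best_distinct >= min_distinct_users:
            alerts[ip] = {
                "distinct_users": best_distinct,
                "failures": sum(1 for e in evs if e[3] == "FAIL"),
                "compromised_accounts": sorted({e[2] for e in evs if e[3] == "SUCCESS"}),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The legitimate user who fails twice and the NAT address whose three users are hours apart both stay below the threshold, while the stuffing source is flagged together with the one account it actually got into. In practice the thresholds are tuned to the service's normal traffic, and the flagged account list feeds a forced password reset and MFA enrollment rather than just an alert.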

Direct Hacking

Direct hacking, or what you would consider traditional hacking where an adversary finds a vulnerability in code and exploits it with their own malicious code, is actually less common but does happen. Many times, direct hacking is automated. The adversaries will set up automated tools that constantly scan the Internet for vulnerabilities that are exposed, and when found, the toolkit will automatically serve the vulnerable system the exploit code, and initial entry is made.

In fact botnets are often doing this 24x7x365 across the entire Internet.
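Automated scanning of this kind leaves a recognizable footprint in any web server's access log: a single address requesting many different paths in quick succession and receiving mostly 404 or 403 responses, because it is probing for software the site does not run. The following detector is an added example (not from the original post) that scores each client address on request volume, path diversity and error ratio over constructed access log lines; the log format and thresholds are assumptions for illustration.

```python
"""Flag automated vulnerability scanning in a web server access log.

Added example (not from the Practive Security post). The simplified log
format '<ip> "<METHOD> <path>" <status>' and the thresholds below are
assumptions for illustration only.
"""
import re
from collections import defaultdict

# Constructed sample: a normal visitor (198.51.100.9) who follows one stale
# link, a visitor with a broken bookmark (192.0.2.77), and an automated
# scanner (203.0.113.44) probing for paths this site does not serve.
SAMPLE_ACCESS_LOG = """\
198.51.100.9 "GET /" 200
198.51.100.9 "GET /about" 200
198.51.100.9 "GET /blog" 200
198.51.100.9 "GET /blog/old-post" 404
198.51.100.9 "GET /contact" 200
198.51.100.9 "POST /contact" 200
192.0.2.77 "GET /old-page" 404
192.0.2.77 "GET /old-page" 404
192.0.2.77 "GET /old-page" 404
203.0.113.44 "GET /" 200
203.0.113.44 "GET /.env" 404
203.0.113.44 "GET /wp-login.php" 404
203.0.113.44 "GET /phpmyadmin/" 404
203.0.113.44 "GET /admin/" 403
203.0.113.44 "GET /.git/config" 404
203.0.113.44 "GET /backup.zip" 404
203.0.113.44 "GET /cgi-bin/test.cgi" 404
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3})$')


def parse_access_log(text):
    """Return a list of (ip, method, path, status) tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ip, method, path, status = m.groups()
            rows.append((ip, method, path, int(status)))
    return rows


def detect_scanners(rows, min_requests=6, min_distinct_paths=5, min_error_ratio=0.6):
    """Flag IPs with many requests, many distinct paths and a high 4xx ratio.

    Returns {ip: {"requests": n, "distinct_paths": n, "error_ratio": r}}.
    A real visitor who hits one dead link fails the error-ratio test; a user
    retrying a broken bookmark fails the path-diversity and volume tests.
    """
    stats = defaultdict(lambda: {"requests": 0, "paths": set(), "errors": 0})
    for ip, _method, path, status in rows:
        s = stats[ip]
        s["requests"] += 1
        s["paths"].add(path)
        if 400 <= status < 500:
            s["errors"] += 1

    flagged = {}
    for ip, s in stats.items():
        ratio = s["errors"] / s["requests"]
        if (s["requests"] >= min_requests
                and len(s["paths"]) >= min_distinct_paths
                and ratio >= min_error_ratio):
            flagged[ip] = {
                "requests": s["requests"],
                "distinct_paths": len(s["paths"]),
                "error_ratio": round(ratio, 2),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_scanners(parse_access_log(SAMPLE_ACCESS_LOG)).items():
        print(ip, info)
```

The output of a detector like this is best fed to rate limiting or blocking at the edge rather than read by hand, since the scanning never stops. It is also a reminder of the cheaper defence the post's closing list points at: a host that is patched and exposes nothing unnecessary has nothing for the scanner's exploit code to land on, whether or not the probe is noticed.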

Phone / Social Engineering

In recent years there has also been a resurgence of what we call social engineering attacks conducted by phone. These are manual scams, but can also be extremely well organized and conducted. In these attacks, the adversary will select a specific individual after having performed some level of reconnaissance on them, and they will engage via phone presenting a scenario and claiming to be someone they are not. Their goals can vary but some common campaigns include:

  • Calls claiming to be tech support from Microsoft, Apple, or your Internet service provider. In these scams, the attackers typically try to lure you to downloading a “tool” they will use to clean your computer, which they will claim has been detected as compromised. The tool is backdoor software they use to remotely control your computer.

  • Calls claiming to be from your credit card provider or bank, saying you have suspicious charges to your account that need to be cleaned up. The primary objective here is to get you to state your sensitive financial information so they can steal your credit card or identity.

  • Personal impersonation scams using Generative AI that claim to be a call from or on behalf of a loved one. The caller will claim some emergency situation has transpired and they need money sent immediately to avoid a dire outcome.

What You Can Do

It might seem like there is little an average person can do to defend against these threats, given that the largest enterprises in the world don’t seem to be able to. However, there is a lot you can do and there is a lot those victimized organizations could have done that they chose not to.

It’s important to remember that threat actors, even nation states, are not all knowing, all powerful, nor are they infinite in capability or resources. Indeed, their window of operations is relatively small, and we control it for the most part.

Practive Security provides numerous strategies and tips to help you know how to successfully defend yourself, but in closing some are shared here:

  1. Protect your computers with antivirus and antimalware software.

  2. Update the software and operating systems of your devices and computers often.

  3. Secure access to your online accounts using MFA.

  4. Do not open unsolicited files sent in text or email and avoid clicking on links sent the same way.

  5. Avoid clicking on ads or sponsored links on websites or in search results.

  6. Backup your computer and all your files on a regular basis.

  7. Keep a low profile personally on social media, and avoid publishing personal information, including pictures, publicly.

  8. Use a secure web browser that blocks pop-ups, cookies, and other unwanted web content (consider Safari, Firefox, or DuckDuckGo).

  9. Monitor your bank accounts and credit card statements regularly.

  10. Consider credit monitoring services or locking your credit when you know you do not need to open new accounts.