Trend Micro: Cybercrime groups adopt corporate-like setup

The scale at which the types of cybercrime are progressing could mean that the market is growing. Trend Micro, a cybersecurity solutions provider, found that cybercriminals may be operating like legitimate businesses complete with departments.

In its report “Inside the Halls of a Cybercrime Business,” Trend Micro examined the operations of small, medium, and large criminal groups and detailed the daily lives of “employees” and how they operate within hierarchies that increasingly resemble legitimate businesses as the group expands.

While small cybercrime groups typically consist of a few members operating under a partnership model, most of whom usually have day jobs on top of their role in the group, employees of larger organisations tend to lead lives similar to corporate workers at legitimate software companies.


“The criminal underground is rapidly professionalising — groups are beginning to mimic legitimate businesses that grow in complexity as their membership and revenue increases,” said Ian Felipe, country manager, Trend Micro Philippines.

Using examples where Trend Micro collected the most data from law enforcement and insider information, the report examined three types of cybercrime organisations based on size. 

From small- to medium- to large-scale business model

The Trend Micro report found that in small criminal businesses (for example, the Counter Anti-Virus service Scan4You), members often handle multiple tasks within the group and also have a day job on top of this work. For those with one management layer, there are usually 1-5 staff members and an annual turnover of under $500,000.

Most small cybercrime businesses fall under this category.

Medium-sized criminal businesses, like bulletproof hoster MaxDedi, usually have two management layers with 6-49 employees and up to $50 million in annual turnover. The members work full-time for the group and manage various tasks within an eight-hour shift. This category typically has a pyramid-style hierarchical structure with a single person in charge.

Large criminal businesses (such as ransomware group Conti) normally have over $50 million in annual turnover, and their more than 50 employees report to three management layers. Those in charge are seasoned cybercriminals and hire multiple developers, administrators, and penetration testers, including short-term contractors. They may have corporate-like departments and even run employee programs, such as performance reviews.

They implement effective OPSEC and partner with other criminal organisations.

Knowing the size and complexity of a criminal organisation can provide critical clues to investigators, such as what types of data to hunt for. Understanding the size of targeted criminal organisations can also allow law enforcers to better prioritise which groups should be pursued for maximum impact.