I’ve always been curious about who’s making the money from cybercrime. Among the players we have Nation States, Organized Crime, small teams to individuals, so let’s follow the money. To keep this simple and about money, we’ll discuss the three most active cyberattacks—Phishing, Ransom and Identity Theft. Each of these attacks have a list of usual suspects, Phishing is a small group or individuals, Ransom and Identity Theft are larger groups like Organized Crime and Nation States. According to McAfee the top Nations States are China, Russia, North Korea, Iran and Central America. All these groups combined in 2019 realized $1.5 trillion in money stolen—good guys to bad guys. The good guys also ended up paying $4.0 trillion in money to clean up the mess; global cybercrime cost $5.5 trillion in 2019 in an $80 trillion global economy.
So, what did the bad guys do with $1.5 trillion? Where can you hide billions of dollars? At the top, identity theft spoils (NPI, PII and PHI) are sold to others on the dark web and they launder and monetize the stolen assets. This accounted for $860 billion. High-earning cybercriminals can make $166,000+ per month; middle-earners can make $75,000+ per month and low-earners can make $3,500+ per month according to Mike McGuire, University of Surrey (UK), April, 2018.
Just selling your personal information to other bad guys can collect:
- Social Security number: $1
- Credit or debit card: $5 to $110
- Driver’s license: $20
- Passports (US): $1,000 to $2,000
- Medical records: Up to $1,000 for complete APS
The value of your personal information is four to six years. Once they have their clean cash, then how do cybercriminals spend it?
- Immediate needs—paying bills: 15 percent
- Disorganized/Hedonistic spending: 15 percent
- Finance criminal activities: 20 percent
- Status spending: 20 percent
- Cryptocurrency: 30 percent
Mike McGuire, 4/2018
Nation States mostly focus on intellectual property and, when monetized, its value is $600 billion. China’s Ministry of State Security and People’s Liberation Army are mandated to steal U.S. industrial and trade secrets. Forrester Research Inc. 10/2019
Here’s a typical story on how Nation States engage business opportunities with technology companies to gain access to their infrastructure, steal their intellectual property, then pursue litigation while making use of stolen property.
American Superconductor Corporation (AMSC) was a developer of world-class technology for software to control wind turbines. Sinovel (2007), AMSC’s Chinese partner, paid a bad guy $1.7 million to steal the software and, as a result, ended their AMSC relationship. Sinovel engaged in litigation refusing to pay $800 million owed to AMSC and AMSC has countersued for $1.2 billion. AMSC is in survival mode and the litigation is going nowhere. AMSC claims that 20 percent of China’s wind farms are running stolen code. In the last decade the Chinese initiative has stolen intellectual property such as:
- Dupont technology for the benefit of Chinese chemical manufacturers
- Motorola’s cellular technology
- Dupont genetically modified corn seeds
- T-Mobile confidential equipment
- Cisco Systems core router software code
- Avago and Skyworks wireless communications technology
Gen. Keith Alexander, NSA Chief, in July 2012, warned us that Nation State cybercrime will be the “greatest transfer of wealth in history.” Nation States like China are after our technology for their own internal benefit and to understand how to crack it as we use this technology today in our perimeter cyber security defense.
Bad guys conducting Ransom attacks took home $21 billion and Phishing victims lost $1 billion. Ransom attacks start with the introduction of malicious code (Phishing) that encrypts your hard drive or database with a displayed message on how to contact them.
“Fifty-five percent of SMBs from the US would pay hackers to recover their stolen data in ransomware attacks. A total of 140 US local governments, police stations, and hospitals have been infected with ransomware. In the third quarter of 2019, the average ransomware payout increased to $41,000. Ninety-five percent of ransomware profits are laundered with cryptocurrency,” reported Heimdale Security, December 2019. The FBI reports that only 19 percent of Ransomware crimes are reported. No loss of data exempts them from declaring a breach and if the FBI’s figures are close, $100 billion plus was coerced from businesses last year.
Cybercrime continues to grow at 15 percent per year and the bad guys have figured out how to make more money by selling their tools. Bad guys now offer platforms like service providers; they don’t commit the crimes directly but enable others for a fee. Such sites offer more than tools, they include customer reviews, technical support, descriptions, ratings and information on success rates. Some examples of the services offered:
- A zero-day Adobe exploit can cost $30,000
- A zero-day iOS exploit can cost up to $250,000
- Malware exploit kits cost $200-$600 per exploit
- Blackhole exploit kits cost $700 for a month’s leasing, or $1,500 for a year
- Custom spyware costs $200
- One month of SMS spoofing costs $20
- A hacker-for-hire costs around $200 for a small hack
The point here is that cybercrime is evolving into its own institution like drug cartels, prostitution rings and illegal gambling. The same types of people involved in organized crime are now into cybercrime. Well, so far we’ve discussed who, what and where cybercriminals are making their money, but like all illegal gains it must be washed of any stains and be accounted for by a trusted third party.
Here I sit, a cybercriminal with $1 million worth of credit cards ready to cash in. Now we play the shell game where we move money around offshore shell companies with just enough transaction history to be legitimate when it lands. Setting up shell companies is quick and costs about $5,000 each. Me, the bad guy, has an E-Commerce site in the Cayman Islands that only sells pet rocks. I place the orders using stolen credit cards, never shipping anything, and deposit the proceeds into my Cayman business account. The next day I start moving the money through Panama, Samoa, The Seychelles, Belize and ending up in the British Virgin Islands. Then move what I need into the U.S. for taxation. This process has worked well for many years but, like most third-party processes, you’re paying fees and dealing with many layers—a lot of systems to trust that leave fingerprints around the money.
So now we come to cryptocurrency, a peer to peer financial exchange network with no third-party trust, no oversight, traceability or bureaucracy. Just two people agreeing to exchange value based on an arbitrary exchange rate. One of the first cryptocurrencies, called Bitcoin, was founded in 2009 by Satoshi Nakamoto (alias). Satoshi’s design solved the fundamental problem of double-spending with the introduction of Blockchain—a public ledger of all transactions that ever happened within the network, available to everyone. Bitcoin, to establish the market exchange, set the total number of coins at 21 million. You can buy portions of Bitcoins and you can be a miner and be rewarded Bitcoins. Miners are Blockchain verifiers who add transactions to as many Blockchains out there as quickly as they can so that thousands of Blockchains will have your transactions. Mining has evolved into very special hardware and the miners have gone institutional. It’s not a surprise to find the most well-known mining hardware manufacturer around, Bitmain, was founded in 2013 in China and today has offices in several countries around the world. Bitcoin today is valued at $6,887.49 per coin for a market cap of $126 billion. Source: https://bitcointicker.co/.
Now back to my cybercriminal selling pet rocks in the Caymans. Bad Guy now wants to move his washing machine to crypto-exchanges and stay below the radar of law enforcement because they’re so far behind. Bad Guy takes the stolen identities and opens 20 to 30 crypto accounts under the same names. I write about cryptocurrencies because there are 540 plus crypto exchanges on the globe and bad guys spread these new accounts across many exchanges. Some platforms collect personal information to build trust, but many others remain anonymous accounts; 40 million people own cryptocurrency, 11 percent are Americans. Based on my research, I believe half (five percent) of those Americans don’t even know it. Interesting for 2019 IRS forms asking if you own any cryptocurrency.
Bad Guy now takes about 300 to 400 credit cards directly to the Bitcoin trading platform and deposits about $2,000 to $3,000 illicit CC transactions directly into their wallets and buys 145 Bitcoins. The next day Bad Guy starts trading among his controlled accounts creating three to five transactions each. The small amount of trades is less likely to be mined because these networks rely on the largest Blockchain to be more complete, therefore a better record by passing small chains. Then on schedule, Bad Guy transfers funds to a “legitimate” account (opened with stolen ID) and then to their roadside vegetable stand bank account or to their import/export business. Hell, today you can go to a Bitcoin ATM and withdraw cash directly as needed.
In connecting the dots, let’s look at two ecosystems: Cybercriminals and cryptocurrency. Cybercriminals reportedly bought $350 billion ($250 billion in ID theft and $100 billion from Ransom theft) worth of cryptocurrency in 2019. Reports size the cumulative market capitalization of cryptocurrencies at $237 billion in 2019, almost double 2018. Professional money laundering is a business and they are very active in cryptocurrency, taking the normal 10-30 percent off the top—in BTC of course. The money laundering front sells to Bad Guy a coin at the going rate ($6,000). Bad Guy then sells the coin back to the front for $4,000; Bad Guy walks away with $4,000 and the front keeps $2,000. Remember, this is a peer to peer exchange, not much different than OTC brokerage exchanges but without any oversight.
Therefore, with the admission of cybercriminals using cryptocurrency to launder stolen money around a market of stolen identities with unsustainable Blockchain verification and auditing, the bad guys are cashing out. In Part Two of this article, I’ll discuss three promising technologies that could eliminate or at least significantly reduce cybercrime. Then one wonders…by eliminating cybercrime, could that alone crash the value of cryptocurrencies?