Rising energy bills, inflation, skyrocketing interest rates; the world continues to suffer from a cost of living and economic crisis. While individuals are feeling the pinch at their supermarkets, with their mortgage rates, and at the petrol pumps, the impact of the global economic downturn and other major events are also being felt by the cybercriminal world. Check out some of our findings of these difficulties in the following blog.
Life in cybercrime follows a series of peaks and troughs:
As with anything in life, nothing is predictable. One minute you could be on top of the world, the next, metaphorically—or literally—sifting through the dumpster. Never get too comfortable on top and never get too disheartened on the bottom. We’re getting very close to Forest Gump territory here, but life is complicated, and you don’t know what is around the corner.
When researching the content for this blog, that’s very much the impression we took from several threads related to budding cybercriminals making their way into the world of cybercrime. We should however clarify that it was often hard to distinguish the specific nuances to cybercriminals financial problems; while there are major economic problems across the globe right now, much of the strife facing Russian aligned threat actors is likely to do with the ongoing Russia and Ukraine war. There were however a number of interesting insights we were able to establish.
In response to a thread on other forum user’s financial lives and histories, several users expressed that the early successes in their cybercriminal lives often felt the most significant. This included making their first 100 from illicit means (currency not stated, likely USD) and purchasing their first bottle of whiskey and cognac. The financial situation did, however, exist in “jumps” i.e. some schemes worked for a period of time, the threat actor was able to make consistent profits, then the method became redundant. At this point, the threat actor was forced to search for another method of achieving financial profits, which often took time and investment to identify new schemes.
With recent sanctions and additional scrutiny on activity originating from Russian entities, it’s likely that many of these cybercriminals have been forced to constantly refine and adapt their techniques; and therefore, having to climb out of that trough again. A good example of this is the use of GooglePay and other financial technologies becoming banned for use across Russia; this led to many scams becoming redundant almost overnight.
Diminishing returns following the Ukraine war:
One user in the same thread also shared some unique insights related to the ongoing Russia-Ukraine war, which while bringing levels of violence that have been unseen in Europe for many decades, has also resulted in significant financial turmoil across the globe. The price of energy and global supply chains have in particular been impacted by the ongoing conflict in Eastern Europe.
Cybercriminals are also feeling the pinch during these troubling times. In the same thread mentioned above, a user replied that before the conflict they had earned “as much as they liked”, which had subsequently lost their “shadow” earnings; of course shadow earnings likely relate to the cybercriminal work, possibly conducted alongside a regular job. This lack of current earnings was reiterated by other users, who suggested nothing they had tried had worked, and they were “tired of living in poverty”.
For those lucky enough to find shadow work, the prices they could command had reportedly diminished. One user suggested that at one time—likely referencing before the conflict—a user could typically command 500 USD for providing an initial access to a targeted network. Within the context of the conversation, it appears the user was suggesting prices had significantly dropped since that time. We’ve written numerous times about the rise of initial access brokers (IAB) and how this type of threat actor has greatly assisted cybercrime, however it’s possible that the market has either become oversaturated with IABs, and prices lowered as a result.
Carding a dying art form:
We previously wrote about the raids conducted by Russia’s Federal Security Service (FSB) on several prominent members of the carding community. Six months later and it appears that the raids may have either kickstarted or coincided with a reduction in overall carding activity. We identified during recent deployments that the sentiment among some cybercriminals was that carding was a diminishing art form, which was becoming increasingly difficult to make regular returns. Some users had expressed concerns of the difficulties in receiving up to date information over carding activities on forums, while another suggested that they deliberately did not post carding related information, in order to prevent competitors from gaining an advantage.
A lack of genuine carding data was also a concern for those involved in this type of activity, which often saw duplicated or invalid cards being sold to prospective buyers; a lack of honor amongst thieves, who’d have guessed it? A prediction for the future of carding brought differing opinions; some users stated they had continued success but likely were lucky in their endeavors, while another user suggested that carding would not be profitable in a few years.
Its quite possible that many cybercriminals have simply moved on to more profitable endeavors, like moving onto supporting ransomware operations. While there is no proven route into the world of cybercrime, carding tends to be conducted by those on the lower end of the spectrum; i.e. done by script kiddies and criminals without great technical expertise. If carding is becoming more difficult to make a sustainable income, it may make it harder for budding cybercriminals to establish themselves in this space; it’s hard to get started in any new endeavor if you can’t make enough money to pay the bills.
Cybercrime finds a way
Cybercriminals are a hardy and adaptable breed. While the current economic and geopolitical conditions may have had an impact in diminishing financial returns, it’s likely that the effects will only be a short term hinderance. Many types of cybercrime, including ransomware and account takeover, have thrived in the last year, and that will almost certainly continue as we enter the final quarter of 2022. If you’d like to discover further useful insights our team identify from closed sources, why not sign up for a demo of Search Light (now ReliaQuest GreyMatter Digital Risk Protection).