Someone types at a keyboard
Tapping away at the keyboard; is cybercrime just another desk job for some?

What can you learn from spending seven years immersed in a new kind of criminal world?

James Webster

As shopping surged over Christmas and now into the January sales, it has been one of the busiest times of the year online. Yes, Santa, the high street, and Amazon have all been doing overtime … and so, each year, does cybercrime. (You may, indeed, have caught the recent credit card hack over at Macy’s.)

So what can we do about cybercrime? To answer that, you need to understand it. Enter Dr Jonathan Lusthaus, Director of The Human Cybercriminal Project in the Department of Sociology, at the University of Oxford. Dr Lusthaus has spent the last seven years researching the hidden details of cybercrime. His book on the subject, Industry of Anonymity, is published by Harvard University Press. He’s also written on the subject for range of periodicals including The New York Times and The New Statesman, and been interviewed by the Financial Times’s Tech Tonic podcast and the a16z podcast..

In those years of research, he interviewed almost 250 people. These included law enforcement agents, security professionals and former cybercriminals. Speaking about the people he met, he remarked on how normal this new kind of criminal seems to be: ‘I was able to interview a number of former cybercriminals from a range of countries. There are a lot of interesting characters out there, but ultimately they are just people like the rest of us. Many of the former offenders I spoke to were intelligent and engaging.’

What drove him to find out so much about this world? Originally, he was planning to research religious violence, but found himself fascinated by cybercrime after a talk on the topic from the journalist Misha Glenny. With the subject becoming a growing obsession, he kept researching, doing his doctorate on the subject under the supervision of Federico Varese, a leading authority on organised crime.

A picture emerged of an industry that was strangely distant from traditional organised crime. Many cybercrime ventures seemed to function much like other online businesses, only they happened to be illegal. Out of several surprises that Dr Lusthaus uncovered, he recounts one of the most eye-opening as: ‘What surprised me most about the cybercrime world was how many of the offenders know each other in person. When I began this research almost a decade ago, I assumed this would be almost a purely virtual phenomenon. But the more I dug into it, the more I found cybercriminals who met online and then met up in person, or groups of people who knew each other in person already and then started to work together on an online scam. Sometimes this can be very much embedded in local communities and environments. This offline and local dimension is particularly fascinating and something that Federico Varese and I are continuing to investigate.’

Maybe it’s that knowing each other in person builds trust? Or perhaps it just makes it easier to organise if you’re not doing it all online? Indeed, in some cases, Dr Lusthaus found that some cybercriminals went so far as to invest in office space. They would even organise themselves along corporate hierarchies, with managers, specialist roles, and marketing teams. It turns out that in the cybercrime marketplace you still need someone to advertise your services.

If the way cybercrime can flourish seems oddly entrepreneurial to you, then you’re starting to identify one of what Dr Lusthaus sees as the key factors behind it. Some of the areas that tend to become cybercrime hubs are places with very strong technical education, but not enough jobs to support all the resulting talent. Lacking employment opportunities or legal avenues for start-up investment, some people turn to cybercrime as a quick way to use their skills to make ends meet.

But not all cybercrime hotspots are the same. There’s a lot of variation tied to the resources and skills available in each area, which then feed into local criminal specialities: ‘The former Soviet Union is one well-known hub for cybercrime. It is known for the most technical types of cybercrime, like malware production. Other key hubs include Romania, Nigeria and Brazil. These often become associated with different kinds of cybercrime. For example, some would say Romanian offenders are famous for "online auction fraud", which involves selling fictitious products online.

‘Nigerian fraudsters have entered so many people's lives through those (sometimes far-fetched) emails offering strangers part of some fortune if only they can provide a small amount of money to unlock it. This is known as "advance fee fraud". More recently, these offenders have evolved and now engage in other scams like impersonating CEOs and other company officers to authorise fraudulent transactions. Of course, we also can't forget about the West, which has a lot of cybercrime offenders engaged in the money side of cybercrime, "cashing out" virtual gains into physical or monetary ones.’

So, what can we do to combat cybercrime in these areas? Various experts, including Dr Lusthaus, have suggested it’s not a problem we can arrest away. Instead, it may be an issue we can invest away:

‘While we lack data and rigorous study on this, I suspect a number of future cybercrime offenders could be diverted into legitimate work. The UK's National Crime Agency is leading the way globally with cybercrime prevention programs. But the real need is to internationalise diversion programs beyond the West and target them to the hubs that produce the most effective cybercriminals, like Eastern Europe. This means creating more opportunities in places where very capable individuals are being pulled into cybercrime because there aren't enough good jobs to support them. The private sector can potentially play a huge role here.’

If you want to learn more about cybercrime, you can find the details of Dr Lusthaus’s book and various articles on the Harvard University Press site. But if there’s one key thing you should know about cybercrime, he thinks it should be this one: ‘Cybercrime is not as shadowy as people think. It's important not to view cybercriminals as exotic. Mystifying them makes it harder to develop solutions. I think approaching cybercrime in "human" terms is really important to addressing the problem in a more holistic way. It is not just a technical challenge.’