Organized nature of cybercrime, knowledge of its awareness and impact among the new generation


By
Ram kishore Ramamoorthy

Dissertation submitted following the requirements for the Post Graduation Degree
in Criminology

Lok Nayak Jaya Prakash Narayan National Institute of Criminology & Forensic
Science,
Sector-3, Rohini, Outer Ring Road, Delhi-110085

DECLARATION BY THE STUDENT

I hereby make the declaration that the study titled ‘Organized nature of cybercrime, knowledge of its
awareness and impact among the new generation’ is my original research work. Wherever contributions of
others are involved, every effort is made to indicate this clearly, with due reference to the literature, and
acknowledgement of collaborative research and discussions.

Ram kishore Ramamoorthy

Name of the Student Signature of the Student

CERTIFICATE FROM THE GUIDE

This is to certify that the study titled Organized nature of cybercrime, knowledge of its awareness and impact
among the new generation is a bonafide work carried out by Ram kishore Ramamoorthy, Roll No.
00318505819, and a candidate for the Post Graduation in Criminology of the Lok Nayak Jaya Prakash
Narayan National Institute of Criminology & Forensic Science, under my supervision.

SIGNATURE OF SUPERVISOR
Name: Dr Deepak Raj Rao
Designation: Assistant Professor
Date:
Place: LNJN NICFS, Delhi.

SIGNATURE OF DEAN
Name: Dr Minakshi Sinha
Designation: Dean (Academics)
Date:
Place: LNJN NICFS, Delhi.

ACKNOWLEDGEMENT

Foremost, I owe my deepest gratitude to my family and friends, for their constant support and love.

I wish to thank my guide Dr Deepak Raj Rao, who not only showed me the path to completing this
dissertation, but also cared about my general health and wellbeing. I would also like to extend my gratitude to
all the participants of the research who took time from their schedules to not only fill the research but also
show enthusiasm about the topic and seek more information on it. Lastly, I would like to thank my friends
Rajas, Krishna, Pragati and Madhurima Dey for their timely help. Without their help, I don’t think I would have
completed my dissertation on time.

Ram kishore Ramamoorthy

CONTENTS

S.NO TOPIC

1. Preface

2. Introduction
2.1. Research Questions
2.2. Objectives of the study
2.3. Significance of the study
2.4. Conceptual clarification
2.5. Limitations

3. Theoretical framework and Review of Literature
3.1. Organized crime
3.2. Cybercrime
3.3. Organized cybercrime
3.3.1. Organized Cybercrime-Typologies

4. Research Methodology
4.1. Research Design
4.2. Universe of the Study
4.3. Sampling Design
4.4. Source of the information

5. Findings and Analysis of the Study

6. Summary of the Study

7. Recommendations and Conclusion

8. References

PREFACE

This research study aims to understand the organized nature of cybercrime and to explore the
different aspects of organized cybercrime and its impact.

The research also aims to understand the relationship that exists between the types of criminals and the types
of crimes committed. Organized crime and cybercrime have been well-researched and well-studied aspects of
criminological research over the last many decades. Organized cybercrime has been studied in exactly the
same way, and a lot of weight has been given to this aspect of cybercrime in the West. Cybercrime is a
complex and broad topic that includes different crimes; some offences are judged only on their
economic impact, while others are often driven by ideology and other reasons. Through the study, we
try to understand how organized criminals have created networks and structures to commit
cybercrime, and the modus operandi they use to successfully execute the offence. The organized nature of
cybercrime makes the whole situation more severe and threatening due to the scale of opportunities cyberspace
could provide for groups and conventional networks. Groups and networks have the potential to be a threat not
only to individuals but also to organisations and to the socio-economic-political security of the state, due to the
low-risk, obscure nature of the source of attacks. Examples include the recent attacks on the Iranian nuclear
facility and on American oil pipeline infrastructure, ransomware attacks on institutions, etc. These are just a
few examples, and they reinforce the belief that no system is completely secure. Through the study, more
understanding could be achieved to separate these attacks from the conventional view and to take steps to
counter them.

In recent years, many researchers have suggested through studies and reports that organized crime (hereafter
denoted as OC) groups have entered the domain of cyberspace to expand their
portfolios and also to support their conventional criminal activities.

INTRODUCTION

I. RESEARCH QUESTIONS
• How have organized criminals created networks to commit cybercrime?
• What modus operandi do they adopt while targeting victims, and which crimes are
commonly committed against the victims?
II. OBJECTIVES
• To understand the holistic nature of organized cybercrime and the modus operandi of the
offenders.
• To analyze how organized cybercriminals have created structures and networks to commit
offences.
• To study the offences most commonly committed by cybercrime groups and the victims
targeted.
III. SIGNIFICANCE OF THE STUDY
• This study helps us understand how organized cybercrimes are committed, how they have
evolved over the years, and the types of groups engaged in committing such attacks.
This could lead to more understanding of the types of victims targeted and the resulting impacts.
IV. CONCEPTUAL CLARIFICATION
• The present study is based on several concepts, such as organised cybercrime and other technical
concepts, which are clearly explained in the following chapters.
V. LIMITATIONS OF THE STUDY
• Due to the present pandemic scenario and the nature of the study involved, the primary data
collection method could not be adopted in this research study. The findings of this study are
based on secondary sources, which reduces the validity of the answers to the research questions
in recent times.
• Because the instances in question were not picked at random, our findings cannot be
considered conclusive. This raises the issue of a selection effect.
• The lack, or limited availability, of research studies on organized cybercrime in the Indian
scenario led this study to incorporate research studies from across the globe, making the
universe of this study vast. Therefore, the findings of this study are very general. The
extent of applicability of the findings to the Indian context hasn’t been thoroughly explored.
But due to the transnational/multinational character of cyberspace, the research could be
unbiased to the Indian context.

THEORETICAL FRAMEWORK AND REVIEW OF LITERATURE

According to the National Cyber Security Centre, a subdivision of GCHQ, UK, the Internet is considered a
major enabler for Organised Criminal Group (OCG) activity. It is believed that, compared to making money
from more traditional crimes, the hacking individuals, SMEs, and large crime organizations are relying more
on internet and communication technologies, which come as a relatively low-cost, low-risk proposition for
criminal groups, and there are many parts of the world where such activity is not actively prosecuted by the
authorities due to legality, capacity and instability. Matt Carey, the head of London
operations of NCSC, underscored that these OCGs share similar techniques and services and communicate
with each other over heavily monitored, vetted, closed criminal forums on the ‘dark web’, where they can
collaborate and advertise new services, tools, and techniques. He also concluded that very few people are
aware of the extent of the online criminal ecosystem that supports and enables these attacks, and of the
business model behind them.

Cybercrime has progressed from a low-volume crime perpetrated by a single expert offender to a mainstream or
common high-volume crime that is "organized and industrial in nature" (Clayton & Anderson, 2009;
Anderson et al., 2012).

Susan Brenner was one of the first to assert that there is mounting evidence that "the dark side of the Internet"
encompasses not just "disorganized crime," such as individual paedophile networks, but also criminal
organizations who were least expected to foray into this domain in the beginning (Brenner, 2001).

Choo and Smith (2007) and Grabosky (2007) both had a very similar conclusion: in particular, Choo and
Smith identified three categories of groups exploiting Information and Communication Technologies, namely:
1. traditional OC; 2. ideologically and politically motivated groups, and 3. organized cybercriminals.

Peter Grabosky in his work on Organized cybercrime and national security studies the presence and the
impact of state-backed (unofficial) transnational organized cybercrime groups on the security of other states’
organizations, both public and private. This helps in understanding the development of cyber groups by state-
backed agencies.

McGuire (2012), writing on behalf of BAE Systems Detica (BAE Systems Applied Intelligence, a private
security company), stated in a report based on a review of secondary sources and an investigation into law
enforcement cases and records that 80% of cybercrime is carried out by organized crime networks.
McGuire also said that around 80 per cent of digital crime is a form of organized activity and that more data
and analysis are needed to strengthen this typology and find more. McGuire also proposed a typology of
cybercrime groups in this report.

Cybercrime groups, according to McGuire and Yip, have comparable characteristics in terms of organisation:
they are transient and flexible, bend to suit the demands and possibilities of the day, are
independent, and can be compared to small businesses (McGuire, 2012; Yip, 2013).

Tropina (2013) stated in her study that cybercrime would evolve into something worldwide managed by
Organized Criminal Groups (traditional or new) and that it is still unclear how organized networks in
cyberspace are built and operate. She also concluded that new forms of Organized Crime (OC) Groups are
emerging in cyberspace and are not yet consolidated. Cybercrimes are perpetrated by and exhibit traits of
Organized Crime (OC) Groups, but their degree of organization is still not clear.

Online criminal opportunities are exploited by lone as well as cooperating offenders, but there is still scarce
evidence as to whether new criminal actors created organized groups in cyberspace and/or ‘traditional’ OC
groups operate in online marketplaces. The evidence points in the direction of the presence in cyberspace of
loose, simple, horizontal and fluid networks without a core active unit consistently (Wall, 2014). As a result,
according to Wall, the organisation is almost always flat and lacks a hierarchical command and control
structure.

Similarly, Krebs (2014) reported that ‘partnerkas’, a group of Russian-speaking criminal networks involved in
spam activities, are often defined as ‘organized cybercrime’. However, he soon had to specify that ‘partnerkas’
would be better defined as ‘disorganized cybercrime’. The reason is that these groups have no continuity and
are formed by loosely affiliated individual contractors who only remain in the partnership as long as it is
economically efficient for them to do so.

Recent research has shown that, while new Information and Communication Technologies are opening
opportunities for new criminal actors, only some types of traditional OC groups have so far taken advantage
of the criminal opportunities provided by new Information and Communication Technologies in carrying out
their traditional activities (Lavorgna and Sergi, 2014).

The data collection for the Internet Organized Crime Threat Assessment 2020 report took place during the
lockdown implemented as a result of the COVID-19 pandemic. Indeed, the pandemic prompted significant
change and criminal innovation in the area of cybercrime. Criminals both devised new modi operandi and
adapted existing ones to exploit the situation, new attack vectors, and new groups of victims (IOCTA, 2020,
by Europol).

Only a few studies have looked at the existence of conventional organised crime as well as newly established
criminal groups on the internet, such as Lusthaus (2013), Lavorgna (2015), and Leukfeldt, Lavorgna, &
Kleemans (2016). In their studies, they have always insisted that organized cybercrime groups have not been
studied thoroughly enough to be treated as another form of organized crime in the legal sense.

There is limited empirical evidence of the link between traditional groups and groups in cyberspace, according
to Lavorgna, though anecdotal evidence suggests that traditional organised crime groups operating offline
have become involved in cybercrime and that cybercriminals may operate in structures similar to organised
crime groups such as the mafia. (Lavorgna, 2015; Lavorgna & Sergi, 2016).

Leukfeldt and Holt (2019) studied and analyzed the social organization of multiple criminal networks involved
in economic cybercrimes, to improve our knowledge of the social organization of serious forms of cybercrime.
From the cases in their study, they found that the number of layers in each of the networks varied, with each
network depending on factors such as scale, skill, and resource requirements.

Jason R. C. Nurse and Maria Bada investigated the group aspect of cybercrime to get a better understanding of
how groups may be both offenders and victims of online crime. They examined how these malicious
organisations form, how their members establish confidence in one another, their techniques, and the reasons
that drive a group's success and activities, and provided an up-to-date examination of the different internet
platforms utilised by cybercriminals. In addition to explaining these often-undefined elements, the study
offered a characterization of the group element of cybercrime and its primary categories, including newly
developing means of organization.

Dark markets and cryptomarket sites, where cyber organized crime occurs, not only make illicit goods and
services available, but also enable illicit actors to interact with each other, share knowledge and resources,
develop contacts, build and maintain relationships, recruit individuals to commit illicit acts, launder money,
learn how to commit crimes and cybercrimes, and evade detection by authorities (Leukfeldt, Kleemans, and
Stol, 2017).

ORGANIZED CRIME

Perceived ideas abound in discussions of cybercrime and organized crime. The idea of the lone hacker can
often obscure the truth about the collaborative nature of cybercrime. Conventional understandings of
organized crime have become obsolete because organized crime itself is evolving with time.

Organized crime doesn’t have a universally accepted understanding or meaning. Klaus von Lampe has
identified close to 150 definitions of organized crime. The definitions suit the needs of many stakeholders,
and the conventional understanding of organized crime is out of date. Cressey's fraud triangle study was based
on the "mafia model" of homogeneous and hierarchical groups. Some definitions of organized crime
are too narrow and constrained by ideology, which makes it impossible to establish a clear distinction in
many cases.

While the majority of today's cybercrime is the result of experienced technicians applying their knowledge to
criminal behaviour, traditional crime groups have begun to use digital technology to achieve their criminal
goals. This divide has already blurred, and it will soon disappear. The working definitions
of "organised crime" determine whether certain cybercrimes are classified as a kind of organised crime or are
linked to organised crime.

The International Conventions do not define organized crime, mainly due to a lack of agreement amongst
States but also because of choices made by Convention members. Any definition would almost certainly have
to contain a list of the illegal acts carried out by organised criminal groups, which are evolving and adapting,
so such a list would soon be useless. The OC Conventions, rather than defining the crime, specify the person
that commits it: an "organised criminal organisation." The "organized criminal group" is defined as a group
with a structure of more persons, present for a period of time, to commit serious crimes or offences established
in accordance with international law so that they can obtain material advantage. As a result, the term is wide,
encompassing loosely linked groups with no clearly defined responsibilities for members or a well-developed
structure. Around the end of the century, observers of criminal empires noticed that most illegal activity would
be carried out by small groups of loosely formed organizations, not by the so-called mafia organizations.

This thought of vertically integrated enterprises gave way to the understanding of networks, the presence of
interrelationships between organized criminal groups and loosely organized individual groups, all due to
evolution in criminal life and developments in organizational life from other aspects of the society.

Traditionally organized crime is believed to be purely profit-centric. But, even the most thoughtful observers
and academics of “terrestrial” organized crime note there are other reasons which are not material.

Organized criminal activities on the internet are driven by a range of reasons, including intellectual
challenge, notoriety, lust (as with organized grooming and child abuse groups), differing ideology,
protest, rebellion, and curiosity. There have been many examples, such as that of many libertarian [1] activists.

Most criminal organizations do not engage in violence or bribery, and the simplistic view of organizations
having full-time and part-time criminal professionals, a product of the traditional way of seeing organized
crime groups, does not match reality in many cases. Criminal organizations do have explicit or implicit
membership; some members will be aware of their involvement in a criminal enterprise and some will not.
Money mules, for example, are one such temporary group of expendable employees.

[1] Libertarianism is a political philosophy and movement that upholds liberty as a core principle. Libertarians seek to maximize
autonomy and political freedom, emphasizing free association, freedom of choice, individualism and voluntary association.
Libertarians share a skepticism of authority and state power, but some Libertarians diverge on the scope of their opposition to
existing economic and political systems. Various schools of libertarian thought offer a range of views regarding the legitimate
functions of state and private power, often calling for the restriction or dissolution of coercive social institutions. Different
categorizations have been used to distinguish various forms of libertarianism. Scholars distinguish libertarian views on the nature of
property and capital, usually along left–right or socialist–capitalist lines.

CYBERCRIME AND ITS PREVALENT TYPES AND TYPOLOGIES

Cybercrime is very different from traditional crime: it has no boundaries and can be carried out with
very little effort, and with greater ease and speed than conventional organized crime (Maras, 2014). As with
organised crime, there has never been a globally accepted definition of cybercrime.

Cybercrime is a type of crime that involves the use of information and communication technology (ICT) to
target networks, systems, data, websites, and/or technology to commit or aid a crime (Goodman and Brenner,
2002; Maras, 2016). Individuals, groups, corporations, and nation-states can all commit cybercrime. Although
the attackers may employ identical techniques and tools and attack comparable targets, their reasons and goals
for committing cybercrime might be completely different (Wall, 2007).

Ginni Rometty, IBM’s former executive chairman, said at a 2015 IBM Security Summit that she believed that
data is the phenomenon of our time, a new natural resource that provides a competitive advantage for every
profession and industry, and accepted that cybercrime is the greatest threat to every profession and industry in
the world. [2]

The World Economic Forum had estimated the cost of cybercrime at $3 trillion worldwide in 2017 and
according to the research conducted by Cybersecurity Ventures, cybercrime damage costs were predicted to
reach $6 trillion annually by 2021.

Cyber offences have progressed from impacting computers, networks, and smartphones to endangering people,
automobiles, trains, aircraft, electrical grids, and anything with a heartbeat or electronic pulse. IBM's CEO
saw it coming and offered us a big-picture look at how it will affect businesses throughout the world.
Cybercrime has no favourites when it comes to company size: businesses of all sizes, from small and big firms
to MNCs, are targets of hackers and cybercriminal groups. Small businesses are especially prone to threats and
losses when they fail to hire a cybersecurity expert. There is a common misconception that a cybersecurity
strategy is only needed by big corporates. According to billionaire Warren Buffett, no individual or
organisation is completely immune to a cybercriminal attack.

[2] https://www.csoonline.com/article/3210912/

According to Europol, cybercrime can be classified into cyber-dependent crimes and cyber-enabled crimes.

• Cyber-dependent crimes are crimes that can be committed only by using computers, computer
networks or other types of Information and Communication Technologies.
• Cyber-enabled crimes are traditional crimes facilitated by the new age of the Internet and
prevalent digital technologies.

The difference between these two categories of cybercrime lies in the role that Information and Communication
Technology (ICT) plays in the offence committed: it is either the target or plays an important
part in the offender's method of attack. When ICT is the target,
the cybercrime negatively affects the confidentiality, integrity and/or availability of computer data or
systems. Confidentiality, integrity and availability together make up the "CIA Triad" [3]. When ICT is used as
part of the crime script, the cybercrime involves a typical crime (e.g., fraud and theft) assisted by the Internet
and digital technologies.

The most commonly committed cybercrimes usually include hacking; possession, distribution and
development of malware; denial of service (DoS) attacks; distributed denial of service (DDoS) attacks; and
website defacement (a form of online vandalism targeting the content of websites), etc.

• Hacking is a concept that describes unauthorized access to systems, networks, and data (hereafter
target) and may be perpetrated solely to gain access to a target or to gain and/or maintain such access
beyond authorization (Maras, 2014). Hackers may also seek unauthorized access to systems to cause
damage or other harm to the target.
• A man-in-the-middle attack is a situation wherein offenders hijack connections between clients and
servers by creating two connections (offender and client, and offender and server). The purpose of this
attack is to secretly intercept, receive, and/or send information between client and server (Maras,
2014).
• A distributed denial of service attack (or DDoS attack) refers to the use of multiple computers and
other digital technologies to conduct coordinated attacks with the sole intention of overwhelming the
servers and/or intermediaries to prevent legitimate users' access. DDoS attacks can be conducted by an
individual, group, or state. States can target critical infrastructures, which are deemed essential to the
functioning of society.
• A botnet (i.e., a network of infected digital devices, known as zombies) can be used to
commit other cybercrimes, such as cryptojacking. Cryptojacking is a tactic whereby the processing
power of infected computers is used to mine cryptocurrency, an encrypted digital currency, for the
financial benefit of the offender/s controlling the infected digital devices (i.e., the
botherder) and/or those who hired the botherders.

[3] CIA Triad: The CIA (Confidentiality, Integrity and Availability) Triad is a security model which shows the core data security
objectives and serves as a guide for organizations’ security infrastructure to keep their sensitive data protected from unauthorized
access and data exfiltration.

Cybercrime as a service: Cybercriminals also provide cybercrime as a service to individuals or networks.
For example, ransomware-as-a-service schemes have been enabling even the most technically illiterate
cybercriminal to extort payments from victims who are infected with data-encrypting malware, while the
developers of the service take a significant percentage of the ill-gotten money. It is essentially considered
"ransomware for dummies", as it is an all-in-one kit. Cerber is one such malicious program, which caused
havoc to many as the source code was publicly shared.

Malware attacks: Malware (malicious software) is used to infect target computers to monitor them,
collect data, take control of the system, modify system operation and/or data, and damage the system and/or
data. Several forms of malware can be used to infect systems (Maras, 2014; Maras, 2016), such as:

• Worm. Standalone malicious software that spreads without the need for user activity.
• Virus. Malware that requires user activity to spread (e.g., an executable file with a virus spreads when
opened by the user).
• Trojan horse. Malware designed to look like legitimate software to trick the user into downloading
the programme, which infects the user's system to spy, steal and/or cause harm.
• Spyware. Malware designed to surreptitiously monitor infected systems, and collect and relay
information back to the creator and/or user of the spyware.
• Ransomware. Malware designed to take users' systems, files, and/or data hostage and relinquish
control back to the user only after the ransom is paid.
• Crypto ransomware. A type of ransomware that attacks the user's device and takes control of documents
by encrypting them, with the threat to destroy data if a ransom is not received.
• Doxware. A form of crypto-ransomware that perpetrators use against victims, which releases the user's
data publicly if money is not paid to unlock everything.

Computer-related offences are another category of cybercrimes that include cyber-enabled crimes
committed for personal gain, financial gain or harm.

• Computer-related forgery involves the impersonation of legitimate individuals, authorities, agencies,
and other entities online for fraudulent purposes. Cybercriminals can impersonate people from
legitimate firms to trick users into giving personal information and providing the offenders with
money, goods and services. The email sender pretends to be from a legitimate organization in an
attempt to get the users to trust the content and follow the instructions of the email. The email is
sent either from a spoofed email address [4] or from a domain name similar to that of the legitimate
organization or agency.
A common technique used is the sending of an email to targets with a website link for users to click on
that might either lead to downloading malware onto the users' devices or send users to a malicious
website that is designed to steal users' credentials (phishing). A targeted version of phishing is known
as spear phishing. This form of fraud occurs when perpetrators are familiar with the inner workings,
structure and positions of the firm’s employees and send targeted emails to employees to trick them
into revealing information and/or sending money to the offenders. Another common technique
involves cybercriminals pretending to be higher-level executives in a company, such as the CEO, CFO, CSO,
lawyers, accountants, and others in positions of power, authority and trust, to trick employees into
sending them funds. This tactic is known as whaling due to its highest yield. Phishing via
telecommunications is known as vishing (because a voicemail message is left and it is designed to get
the target to call a number and provide personal and/or financial data), and phishing via text messaging
is known as smishing (or SMS phishing).
• Computer-related fraud includes many online swindling methods that involve false or misleading
promises of love and companionship (catphishing), property (through inheritance scams), and money
and wealth (through lottery scams, investment fraud, inheritance scams, etc.). The ultimate goal of
these scams is to trick the victim into giving or otherwise providing personal information and funds to
the perpetrator; this tactic is a form of social engineering [5] fraud. The
most well-known computer-related fraud involves a request for an advance fee to complete a transfer,
deposit or other transaction in exchange for a larger sum of money (advance fee fraud, a.k.a. 419
scams). While the perpetrator's story changes (they pose as government officials, bank officials,
lawyers, etc.), the same tactic is used: a request for a small amount of money, in exchange for a large
amount of money. The most famous example is the Nigerian Prince scam.
• Computer-related identity offences and spam: Along with these schemes, financial (or economic)
fraud, such as bank fraud, email fraud, and debit and credit card fraud, is also carried out online. For
example, debit and credit card data that has been illicitly obtained is sold, shared, and used online. A
2018 international cybercrime operation led to the closure of one of the most well-known online illicit
carding forums, Infraud, which sold and shared stolen credit and debit card data and banking
information (DOJ USA, 2018). The personal, medical, and financial information bought, sold, and
traded online could be used to commit other crimes, such as identity-related crime, whereby the
perpetrator unlawfully assumes and/or misappropriates the identity of the victim and/or uses the
identity and/or information associated with the identity for illicit purposes (UNODC). The type of data
targeted by criminals includes identity-related information, such as identification numbers (e.g., social
security numbers in the United States), identity documents (e.g., passports, national identifications,
driver's licenses, and birth certificates), and online credentials (i.e., usernames and passwords)
(UNODC, 2011). Identity-related crime may or may not be financially motivated. For example,
fraudulent identity documents (e.g., passports) could be purchased online for use in travel
(UN-CCPCJ, 2017, p. 4). These types of crimes, as well as economic fraud, are facilitated online through
the sending of unsolicited emails (spam), newsletters, and messages with links to websites, which are
designed to mislead users and trick them into opening the emails and newsletters or clicking on links
in the emails, which may contain malware or be designed to send them to pharmed websites.

[4] A spoofed email address is an email address designed to look like an authentic email from the organization.
[5] Social engineering is the practice "of manipulating, deceiving, influencing, or tricking individuals into divulging confidential
information or performing acts that will benefit the social engineer in some way" (Maras, 2014).

• Computer-related copyright or trademark offences: Copyrights refer to literary and artistic
creations, such as books, music, paintings and sculptures, films and technology-based works (such as
computer programs and electronic databases). There are several international treaties for copyright
protection, such as the Agreement on TRIPS of 1994 and the WIPO Copyright Treaty of 1996, and
many country-specific laws also protect IPR. An example of the infringement of copyright protection
is digital piracy (e.g., the unauthorized copying, duplication, or distribution of a movie protected by
copyright law). Other forms of intellectual property include trademarks (i.e., names, symbols or logos
belonging to a brand, service, or good), patents (i.e., novel and unique creations, innovations, and
inventions) and trade secrets (i.e., valuable information about business processes and practices that are
secret and protect the business' competitive advantage).
• Computer-related acts causing personal harm: This includes harassing, threatening, stalking, or
instilling fear or intimidation in a person via a computer system. Examples of these types of
cybercrimes are cyberstalking, cyber harassment, and cyberbullying. These cybercrimes are not
included in multilateral and regional cybercrime treaties. The terms cyberstalking, cyber harassment, and
cyberbullying have been used interchangeably.
1. Cyberstalking. The use of information and communication technology (ICT) to commit a series
of acts over time designed to harass, annoy, attack, threaten, frighten, or verbally abuse an
individual (or individuals).
2. Cyber harassment. The use of ICT to intentionally humiliate, annoy, attack, threaten, alarm,
offend and/or verbally abuse an individual (or individuals).
3. Cyberbullying. The use of ICT by children to annoy, humiliate, insult, offend, harass, alarm, stalk,
abuse or otherwise attack another child or other children. What differentiates these cybercrimes is
the age of the perpetrators (i.e., only children engage in and are victims of cyberbullying), and
intensity and prevalence of the cybercrime (cyberstalking involves a series of incidents over time,
whereas cyber harassment can involve one or more incidents).

• Solicitation or "grooming" of children
Information and communications technologies have also facilitated child grooming. Child grooming
is the process of fostering rapport and trust through the development of an emotional relationship with
the victim (Maras, 2016). According to Whittle et al. (2013), "grooming varies considerably in style,
duration and intensity; often reflecting the offender's personality and behaviour". The offender may
manipulate the child or the victim using a variety of power and control tactics, including (but not
limited to) adulation, gifts, isolation, intimidation, threats, and/or force (Maras, 2016), as well as
pretending to have shared interests. Child grooming can occur on email, in chat rooms, through instant
messaging services, and via apps and social media platforms, among other areas.
A 2017 BBC investigation revealed that the Periscope app, which enables live broadcasting anywhere
in the world, was being used by predators to groom children. The predators who contacted the children
who were broadcasting live made sexualized comments about the children, and some even asked the
children to remove their clothes (BBC, 2017).

Content related offences

The cybercrimes included in this section involve illegal content.

• Child sexual abuse material: The term child sexual abuse material should be used over child
pornography because the term child pornography minimizes the seriousness of the offence. What the
person is viewing is not sexual activity between a child and an adult, but the sexual abuse of a child.
However, international, regional, and national laws use the term child pornography instead of child
sexual abuse material.
• Commercial sexual exploitation of children is a term used to describe a range of activities and
crimes that involve the sexual abuse of children for some kind of remuneration of any monetary or
non-monetary value (e.g., shelter, food). Live-streaming child sexual abuse is a form of commercial
sexual abuse that involves the real-time broadcasting of child sexual abuse whereby viewers can be
either passively or actively involved.
• Published racist and xenophobic material: content published virtually, referring to any form of
material, image, or other representation of ideas or theories that advocates, promotes, or incites hatred,
discrimination, or violence against any individual or group of individuals based on race, colour,
descent, national or ethnic origin, or religion if used as a pretext for any of these.
• Publication of false information is a double-edged sword, as it is considered a crime in various
countries. Singapore is the latest country to have passed a law against fake news, joining others like
Germany, Malaysia, France and Russia. But the law to fight the wave of fake news is not considered
the best approach. Human rights activists, legal experts and others fear these laws have the potential to
be misused to stifle free speech, or unintentionally block legitimate online posts and websites.
• Content inciting terrorism: Any virtual material that could lead to public provocation to commit a
terrorist offence, as well as both recruitment and training for terrorism (UNODC, 2012).
While there is currently no binding universal obligation on States under international law to
criminalize the incitement of terrorism, many States do have legal and criminal justice approaches to
address such conduct and acts.

As there is no universal definition of cybercrime, there are also no globally accepted definitions of different
types and general categories of cybercrime. It is not just individuals who are involved in cybercrime; groups
and states can engage (and have engaged) in illegal access, interception, and interference with systems,
networks, and data (i.e., by hacking, conducting DoS and DDoS attacks, and malware distribution).

WHAT IS ORGANIZED CYBERCRIME

So far, a universally accepted definition of organized crime has not been found; it can be defined as a long-
term criminal operation that seeks to profit and enjoy the benefits from illegal activities that are frequently in
high demand among the general public. It maintains its presence by bribing public officials and using
intimidation, threats, and force to defend its operations. It has been noticed that a large portion of organized
criminal conduct on the internet is driven by many reasons apart from profit and monetary
reasons. 6

As a result, cyber organised crime is a phrase that refers to criminal actions that take place in cyberspace.
There is no agreed-upon definition of cybercrime or cyber-organized crime, just as there isn't one for
organized crime (UNODC, 2013; Broadhurst et al., 2014; and Maras, 2016).

Cybercrime is a low-risk criminal activity and in recent times is considered to have a level of organization and
structure, especially when criminals working in groups collaborate to commit frauds and crimes. Many
cybercrimes have a level of organization (Wall, 2017) and are considered to be "planned, rational acts that
show the effort of groups of individuals".

According to the BAE Systems Detica report in 2012, a review found that up to 80% of cybercrime may be
due to a form of organized criminal activity. This doesn't mean the groups take the form of conventional
hierarchical organized crime groups or commit crimes exclusively online. Studies have also suggested that
we have entered a new era of organized crime, in which cyberspace is being exploited and traditional
organized crime groups coexist with newly evolving organized structures in the virtual
world (BAE Systems Detica 2012; Ben-Itzhak 2008). Analytical reports now produced by security companies
reveal the level at which cyber-attacks and financial crimes are committed in global networks with
professionalism and sophistication, suggesting a new type of organized crime with different structures,
changing in new ways and finding new ways of using hi-tech tools to attain criminal goals. It is very hard to
fit cybercrime, even when committed in the traditionally organized way, into this concept.

Cyber organized crime has been perpetrated on the visible Web (that is, the Clearnet) and the Deep Web, which
includes sites that cannot be reached using traditional search engines, such as databases (free or those that can
be accessed for a fee; e.g., intranets and internet) and darknet sites (an area of the Deep Web known for the
illicit activities that occur within that space).

6 UNODC, 2013.

Organized cybercrime can be looked at in two dimensions. To avoid confusion in the debate on organized
crime in cyberspace, it is very important to make a clear distinction between the migration of traditional
organized crime to the virtual world (as well as the synergy between traditional organized crime and online
crime) and the organized groups focused on committing cybercrimes. It's worth noting that the two
aforementioned trends aren't mutually exclusive; rather, they complement one another, resulting in a synergy
between conventional organised crime and internet criminal institutions. There is not much study available on
cyber organized crime.

These cybercrime groups could be big or small groups of offenders, who could be highly or lowly specialized
in technical skills or unskilled people, who band together in ephemeral or sustained forms to commit multiple
forms of cybercrime. Some groups are following the business models of existing corporations, with leadership,
control and structure. They also have various members filling specific functional roles, as in the classic
business model of division of labour. The year 2020 has seen an increase in the number of organized
cybercrimes which is unrelated to the pandemic.

These groups may create "ephemeral" forms of organization, wherein the Internet is relied upon completely to
link up with offenders to commit an offline crime for a shorter period, or organized criminal groups may use
the internet to create more "sustained" organizational forms for protection (Varese, 2010). The 'hybrid' form is
a type where an accepted criminal goal is circulated online by a small core group to initiate attacks by lone
wolves or localized cells, as found in the case of hacker groups or attacks in offline situations associated with
terrorism.

Modus operandi

Organized criminal gangs that engage in cybercrime may or may not function only online. Cybercrime also
varies based on the offenders' methods of operation, which are linked to the criminal actors' motivations and
profiles. Examples are "cybercrimes against the machine," which include computer misuse by hackers;
"cybercrimes using the system," which include scams, frauds, and extortion; and "cybercrimes in the
machine," such as child sexual abuse material, hate speech, and terrorist materials (where the computer
content is offensive), another commonly noticed offence (Wall, 2017). Since most of the cybercrimes
committed are profit-driven, with financial targets being the most common, the crime scripts revolve
particularly around financial cybercrimes. The script varies according to the type of cybercrime committed;
that has been the result of the research and pieces of evidence collected by investigators and academics. But
according to academics like Leukfeldt, too, the methods are not simple and vary with groups and types of
crime committed. The development of new technologies also aids the growth and development of new
methods of committing offences. The types of victims targeted also change the way in which the attack is
carried out.

Almost every cybercrime offence carried out has a modus operandi. Most of the attacks are performed using
traditional and well-established methods like spam mail, phishing emails and websites, tricking the user of
the device into clicking unsolicited links from both trusted and untrusted websites, inducing the user to
download a file which contains hidden malware or other software that compromises the computer, providing
access and control to perform different cybercrimes with the device, through social engineering techniques, or
a combination of the above methods and many more.

Targeted victim groups

While looking into the organization of cybercrime, the most important component is the targeted victim
group/s. Depending on the type of crime, some criminal groups target specific individual users based on
different profile types and factors, using deceptive technological means to cheat or defraud them. Criminals
target government sectors as well as private MNCs, and commit fraud or espionage at the request of a rival
for a variety of motives and offences. Another form of organized cybercrime is that carried out by State actors 7,
targeting the infrastructures of other States or organizations to create chaos, harm and confusion for many
reasons (Wall, 2017). Thus, criminals who utilise networked technologies arrange themselves differently from
criminals who commit crimes online, although the latter is equally dependent on the technologies employed,
the illegal actions done, and the targeted victim categories.

7 State actors also commit cyber offences against organizations, states, etc., either in collaboration with groups or
without collaborating.

Depending on their activity and targets (online, offline, or both online and offline), cybercrime
organisations display different degrees of organisation.

Professionalization

Traditional organized crime is often compared with organized cybercrime due to their comparable features, but
studies conducted on cyber organized crime have indicated that some features of traditional
organized crime don't translate well into cyberspace, like the "control of territory" (UNODC, 2013),
corruption and the threat or use of violence (Leukfeldt, Lavorgna, and Kleemans, 2017). Therefore, it is very
important to note these differences in order to understand the unique nature of organized cybercrime.

Cybercriminal gangs have created patterns that mimic the operations of corporations like eBay, Yahoo,
Google, and Amazon, and they've progressed to the point where their attacks are sophisticated,
commercialised, and integrated (Kshetri; Grabosky 2007). There is an increasing specialization of perpetrators
which means that cybercrime involves a division of labour. This new type of organised crime in information
networks is non-competitive and permits collaboration across criminal networks, with the group's power
measured by the strength and sophistication of its software rather than the number of people involved.
Because of their adaptability, criminal groups operating in cyberspace are thought to be more adaptable than
traditional organized crime, allowing for the integration of members for brief periods (Choo and Smith 2007;
UK Home Office 2010).

To give a picture of the level of professionalization that can be achieved, an agent of the US FBI's Cyber
Division referred to the kinds of roles which can be part of a cybercriminal group (Chabinsky, 2010):

1. Coders or program creators program viruses and worms and create tools to commit an attack.

2. Distributors are traders of stolen data.

3. Technicians are maintenance specialists for infrastructure such as servers, ISPs, and encryption.

4. Hackers search for weaknesses to exploit in systems and networks and gain access.

5. Fraud specialists are developers of social engineering schemes and plans for each type of crime.

6. Hosts provide "safe" servers and sites through botnet and proxy networks. Bulletproof hosting service
providers are an example of hosts.

7. Cashers manage money mules, control drop accounts, and sell data for a fee.

8. Money mules are members who transfer the proceeds of fraud to a secure location. They are temporary
members of the group, who sometimes work unknowingly or are forced to work. They also happen to be the
first suspects caught in an investigation.

9. Tellers transfer and launder proceeds through bitcoins or other digital currencies and other traditional fiat
currencies.

10. Executives (core members) are the important members of the organization who finalize the victim and
play an important role in the recruitment and assignment of members to tasks, in managing the split of
criminal proceeds, and in creating a foolproof plan.

This ideal division of work does not apply to every group, but it does apply to a representative of a business
system. Many duties may be outsourced, depending on the availability of skilled workers, the money
available, the kind of crime, and other considerations. Because many of the contacts in such networks are
transitory, they generally operate as criminal macro-networks rather than tightly-knit groups in the traditional
sense. There may be additional paradigms for defining groups in cybercrime that are potentially useful which
have yet to be explored. Some cybercrime gangs may change over time, engaging in one form of crime before
moving on to another with a new method of operation.

In most networks and groups, core members, professional enablers, recruited enablers, and money mules are
the four roles found in a network. The roles listed above can fall under any of the first three categories, but
not under money mules. The level of importance decreases in hierarchical fashion from core members
to professional enablers to recruited enablers. Money mules are the most expendable, coerced, or powerless
category, but play an important role in accessing or having access to the end product.

FORMATION OF ORGANIZED CYBERCRIME GROUPS - TYPOLOGIES

The researchers who have sought to identify the types of cybercriminal groups based on different factors
include 1) Choo and Smith, 2) McGuire, and 3) Leukfeldt, Kleemans, and Stol.

1. The categorization of cybercriminal groups by Choo and Smith is very similar or close to the McGuire
typology. Choo and Smith classified them into three categories. The first category is the conventionally
organized criminals who use information and communication technology to enhance terrestrial
criminal activities. Choo and Smith's second category is organized cybercriminal groups, which are
defined as groups of individuals working together to achieve a shared purpose. The last category
is that of ideologically and politically motivated cyber groups, which includes terrorist organizations
and all types of hacktivist groups.
2. McGuire, through research work and analysis of collected data, suggested a typology of cybercrime
groups with three main types. These include organisations that operate largely online, organisations
that blend online and offline operations, and organisations that operate mostly offline but utilise
internet technologies to facilitate criminal activity.
3. Another typology, by Leukfeldt and his colleagues Kleemans and Stol, came from research analysis of
cybercrime groups, classifying them according to their characteristics: the way the technology is used
(low-tech to high-tech), the level of offender-victim interaction (no interaction to high interaction),
and the extent to which groups have local or international components. They believed that
the networks couldn't simply be divided into high-tech networks with specialists who carry out
international attacks and low-tech networks with criminal all-rounders who carry out local or domestic
attacks, and that networks therefore have varied arrangements due to factors like the use of technology,
the degree of offender-victim interaction, and international components.

McGuire (2012), in the report Organised Crime in the Digital Age commissioned by John Grieve Centre for
Policing and Security and BAE Systems Detica, created typologies with available data concerning the links
between organized crime and cybercrime based on "the degree of involvement of groups in online (as opposed
to offline) activities and the structure of associations within the group". This was also cited in the UNODC
threat assessment report in 2013 on Organized cybercrime. McGuire identified three general types of groups:

o Type I: Cybercriminal organisations that operate mostly online.
o Type II: Criminal and cybercriminal groups that operate both offline and online.
o Type III: Offline criminal gangs who use the internet and communication technologies to aid
their activities.

Each of these three general types is further subdivided into two subgroups depending on the strength of
association between the members of the group. It is considered one of the best typologies we currently know
about cyber offenders and is likely to change as the digital environment evolves.

Type I groups function online and are divided into swarms and hubs. Their targets are mostly online ones, and
they are formed on the basis of trust.

1. Swarms are less organized, viral, de-centred spontaneous groupings with a common purpose, minimal
chains of command similar to ‘hacktivist’ groups. They lack leadership and are often considered
amateurish. The group Anonymous is a swarm-type group that exemplifies the activities of these types
of swarm groups driven by ideology and political thoughts-based protest (Olson, 2012).
2. Hubs are structured and have a command structure with a strong web presence. They engage in a wide
range of online activities, including piracy, phishing attacks, botnets, and online sexual offences, as
they use the hub and spoke paradigm to connect the core group with the periphery associates.

Type II groups are hybrids having both online and offline presence and targets. They can be one of two
types, either extended or clustered.

1. Offenders in a clustered hybrid are concentrated on certain activities, places, or techniques. They have
a structure and features that are comparable to hubs, but their work includes both online and offline
offending. Some of the problematic sorts include skimming credit cards and subsequently using the
information for online transactions or selling it to carding networks (McGuire, 2012).
2. Extended hybrid groups operate in similar ways to the clustered hybrids but are a lot less defined and
centralized. Without a central focus, they appear somewhat dissociated, but highly complex criminal
activities are carried out. Interventions are usually carried out by subgroups.

Type III groups are offline offender groups with online technology supporting their endeavours. According to
McGuire, this sort of group needs to be given more attention since their involvement in digital crime is
growing. Based on their degree of cohesiveness and structure, they are split, similarly to the preceding kinds,
into 'hierarchies' and 'aggregates'.

1. Hierarchies are conventional criminal organisations that conduct some of their operations online. The
typical interest of some mafia organisations in prostitution, extortion, drugs etc. has now expanded to
encompass many activities. Examples include virtual gambling, blackmail etc.
2. Aggregate groups are loosely organized, temporary groupings, like street gangs or burglars, using digital
technologies in an ad hoc manner to inflict harm. Both Type III groups are better understood,
making effective action possible.

Choo and Smith in 2007 classified cybercriminal groups and suggested that they could be of three categories.

The first is traditional organised criminal groups throughout the world, which may have identified the
significance of leveraging information and communication technology (ICT) to increase crime incidence.
Using technology to enable drug and human trafficking; trafficking business secrets and identity information;
online extortion, frauds, and scams; money laundering using online payment systems; and online distribution
of illicit content such as child pornography are just a few examples. Many enterprises have entered the domain
as a result of the large-scale incentives and revenues given by the new internet-driven economy. Highly
organized and worldwide criminal syndicates such as the Asian triads and Japanese Mafia, whose illegal
operations have been known to use computer software, are among the entities engaging in technology-enabled
crime.

Europol also found crime-as-a-service business models used by traditional groups engaging in cybercrimes.
Crime-as-a-service models, which may be found on the Dark Web, allow criminals to buy services such as
acquiring botnets and phishing networks, conducting denial-of-service assaults against specific targets, and
developing bespoke malware. As a result, criminals may launch sophisticated cyber-attacks against
organizations or people of their choice with ease and speed.

Choo and Smith identify the second type as sophisticated cybercriminal groups. They are made up of people
who only know each other online but are part of the organizational structure that works together since the
internet makes it much simpler to meet and organise events. Although the primary purpose is generally
financial gain, it can also involve other illegal objectives such as the production and dissemination of child
exploitation materials (e.g. online paedophile rings).

Other examples of known organized cybercriminal groups listed by Choo and Smith are:

• 'Shadowcrew': an underground criminal group that stole more than 1.7 million credit cards online.
• 'DrinkOrDie': an underground software piracy group that illegally produces and distributes software,
games, and movies over the Internet.
• The 'Rock-Phish' gang: an underground phishing group identified in recent research by researchers
from the University of Cambridge (Moore and Clayton 2007).
• The 'Mpack' gang: reportedly carried out an intrusion in which it successfully hacked the
homepages of hundreds of legal Italian websites (Symantec 2007).

In the cyber realm, the third type is ideologically and politically driven groups. Terrorist organisations and a
wide spectrum of hacktivist groups are included. Choo and Smith point out that terrorist organisations commit
acts that are frequently associated with organised criminal gangs to acquire cash for their ideological goals.
Scamming and ransoms are high on the list of actions used to fund terrorists, according to a 2015 investigation
from the United Kingdom.

Terrorist groups, such as ISIS, are well-known for using the internet for a variety of purposes, including
plotting, recruiting, and claiming responsibility for attacks. For such groups, social media remains a preferred
venue, as seen by Twitter's participation in "Tweeting the Jihad." Politically motivated hackers, often known
as hacktivists, are becoming a more common subset of this category. Politically motivated hacker groups
(hacktivists) have disrupted government websites and engaged in information warfare. Given its assaults on
the FBI and other sites, Anonymous is one of the most well-known of these organisations, and its effective
response to ISIS has earned it widespread plaudits as it chased away and reported on ISIS presence in social
media and websites.

Leukfeldt, Kleemans, and Stol

Studies by Leukfeldt, Kleemans, and Stol followed up the work of Soudijn
and Zegers and Leukfeldt. For this study, 40 investigation cases (and hence 40 separate criminal networks)
were examined.

In the Netherlands, networks 1–18 were studied, networks 19–27 were studied in the United Kingdom,
networks 28–37 in the United States, and networks 38–40 in Germany.

The cases were examined with a format created by the Dutch Organized Crime Monitor, a long-running
initiative in the Netherlands studying OC (e.g., Kleemans 2014). They discovered that networks cannot simply
be classified as high-tech networks with specialists who carry out international attacks versus low-tech
networks of criminal all-rounders who carry out local attacks based on different characteristics such as the
extent of ICT use and the degree of offender-victim interaction, as they did with the cases from the
Netherlands. The modus operandi of the networks can, therefore, be divided into four categories:

I. low-tech attacks with a high degree of direct offender-victim interaction,
II. low-tech attacks with a low degree of direct interaction,
III. high-tech attacks with a low degree of interaction and
IV. high-tech attacks without interaction.

Also based on the 40 cases, they found that networks can be classified into 4 types based on their social
relationships, using the information on their origin and growth. They include:

I. Completely through offline social contacts
II. Online forums to recruit specialists and offline social contacts as a base
III. Offline social contacts to recruit local criminals and online forums as a base
IV. Completely through online forums.

Types of crimes committed

Most of the crimes involving technologies are not committed by individuals, even if they have all the
knowledge, access, and resources. They are always in need of support in one form or another to complete the
entire crime script without mistakes, especially when the crime volume, the number of victims, and the scale
of finance involved are not small.

Fraud, hacking, malware creation and distribution, DDoS attacks, blackmail, and intellectual property crime,
such as the sale of counterfeit products, have all been perpetrated by cyber organized crime, along with many
others. Cyber-crimes have been used to fund terrorism by terrorist groups, organized crime gangs and
sometimes even by private entities and state-supported groups, and have caused financial, psychological,
economic, and even physical harm (Europol, 2018; Broadhurst et al., 2018; Maras, 2016).

• Cyber organised crime groups also provide services that facilitate crimes and cybercrimes (crime as a
service), such as data and identity documents like financial and health data, passports and other IDs;
banking malware, distributed denial of service (DDoS) attacks, and botnet services; keyloggers;
phishing/spear phishing tools; and hacking tutorials (Broadhurst et al., 2018; Maras, 2016).
• Illicit items and services supplied online have also benefitted and/or helped organised criminal gangs.
• Bulletproof hosting services, which allow criminals to use servers to perpetrate cybercrime and do not
delete illicit information from these servers, are also provided by cyber-organized criminals (National
Cyber Security Centre, 2017).
• Escrow services supplied by cyber-organized criminal organisations are in great demand due to trust
difficulties in illegal transactions online and the presence of fraudsters (National Cyber Security
Centre, 2017).
• Cyber-organized criminals also provide money laundering as a service. Money is laundered utilizing
different means and methods like Uber accounts, gift cards, digital currencies, shell companies etc.
(Maras, 2016; Europol, 2018).
• According to Europol, cyber organised criminals are also using swappers 8 and decentralised exchanges
to launder illicit gains since they do not need user identity or authentication (Europol, 2018).
Furthermore, cyber-organized criminals have devised new and inventive methods of money
laundering, such as Uber "ghost journeys" 9 and fake Airbnb rentals 10, and engage in
microlaundering 11 (Maras, 2016).
• Cybercriminals are targeting digital payment systems. In 2014, malware was deployed by a
criminal network to target the Boleto Bancário (or Boletos), a legal and commonly used payment
mechanism in Brazil. Boleto payments were diverted to the accounts of criminals and money mules
within the networks by the virus (also known as bolware). 12
• In addition, criminals use ICT to carry out and promote a variety of traditionally offline organised crime
activities, including migrant smuggling and human trafficking, wildlife trafficking, drug trafficking,
firearms trafficking, and cigarette trafficking. ICT is used by traffickers to target victims by making
false promises of work, fame, and love, to advertise victims, to communicate with clients and other
traffickers, to plan, organise, and schedule meetings with clients and victims, and to monitor and
control victims' whereabouts and activities (Maras, 2016; Europol, 2017; Maras, 2017). In addition to
migrant smuggling and human trafficking, traffickers have used ICT to facilitate wildlife trafficking
and drug trafficking, and research has shown that drug traffickers are increasingly using crypto
markets 13 (a darknet site) for a global reach (Maras, 2014, 2016). Except for the dangers connected
with the interception of package delivery, which is prevalent in offline drug trafficking, these crypto
markets reduce the possibility of violence and exposure to law enforcement.

8 Swappers are semi-automated cryptocurrency exchanges.
9 Uber ghost journeys: drivers receive funds from money launderers to accept ride requests from Uber accounts at a prearranged
price without the launderers using the service.
10 Airbnb rentals: money launderers pay Airbnb owners without staying at their property.
11 Microlaundering: a process in which criminals launder large amounts of money by engaging in numerous small transactions
online; these types of transactions can occur on commercial sites, auction sites, and even employment sites.
12 Brazilian 'Boleto' Bandits Bilk Billions.
13 Cryptomarket: a market website that employs advanced cryptographic encryption to keep users anonymous and protect their
identity.

RESEARCH METHODOLOGY
I. RESEARCH DESIGN
The data collection process involves two types of data: theoretical and statistical. Theoretical data will
be collected through reference books, research papers, Government sites, and publications, while the
statistical data is collected by means of a questionnaire. In this research, collecting data from primary
sources was not adopted due to the prevailing situation. Therefore, secondary sources were used for
this quantitative study. In this study, an Exploratory Research Design is adopted to gain a better
understanding of the existing but less studied problem of organized cybercrime, which is complex and
less visibly understood. To get a detailed understanding, a case study approach has been adapted from
literary sources.

II. UNIVERSE OF THE STUDY


The generic universe of the present research consists of case reports from government sources, open
sources, and investigators of those cases. Cases from the United States (US), the United Kingdom
(UK), East European countries and the European Union have been taken into consideration as the
universe of this present study.

III. SAMPLING DESIGN


The Non-probability Sampling Method has been used in this research work. Prior findings that
have some relation to the subject matter currently under consideration have been used for analysis.
Hence, the Purposive or Judgemental Sampling Design has been followed in this study.

IV. SOURCE OF THE INFORMATION


The present research study has been based on the analysis of secondary resources. In other words, the
different research studies which were previously done surrounding the present topic have been
explored extensively to find out the answers to the present research questions.

FINDINGS AND ANALYSIS

MODUS OPERANDI (CRIME SCRIPTS) OF CYBERCRIME GROUPS

Between 2004 and 2014, a total of 18 examples of criminal networks, with cases specifically linked to banking
malware and phishing, were examined and analysed by Leukfeldt, Kleemans, and Stol as part of the Research
Program Safety and Security of Online Banking, Netherlands. The results of 18 Dutch criminal investigations
were examined to obtain insight into the makeup and criminal capabilities of criminal networks. It is crucial to
remember that this research only looks at networks that target internet banking; in a nutshell, this refers to
phishing and malware assaults. According to the police files, wiretaps, surveillance, house searches and
undercover policing supplied information on cybercriminal networks and their members. The instances
examined were finished criminal investigations, but this does not imply that a court judgement has already
been reached or that the prosecution is certain of obtaining a conviction. Because there was no central
registration system in the Netherlands at the time of the research that allowed for a fast overview of all
criminal investigations into phishing networks, the cases were chosen using the snowball technique. In
addition to the criminal investigation analysis, interviews with the public prosecutor, the police team head,
detectives, and financial or digital specialists were conducted.

The scripts of the crime networks have many similarities.

To get access to victims' online bank accounts, the initial step is to intercept their login credentials. However,
login credentials alone are insufficient for transferring funds from victims' accounts; one-time password
credentials are also required for this. In the first step, the offender pursues various methods to obtain the
credentials; for example, if the offender is highly skilled or resourceful, he may use malware to obtain the
credentials, or he may purchase the credentials from a darknet forum where the information is sold by an
offender who has already completed the first step but does not wish to proceed to the second (Maras, 2016).

After these codes are acquired, the second step is a transaction from the victims' accounts to the accounts of
money mules. The third step is to pay out the money once it has been successfully transferred; it is then
distributed to core members after various pauses. The fundamental outline of how the offence is committed is
established by these three steps. Alternatively, the criminals may prefer to use the victims' accounts to
purchase items or acquire Bitcoins. To cash out the money, bogus front accounts are employed. Though all
criminal networks follow this same script, there are several key variations when it comes to collecting user
passwords and transaction authentication codes. The extent to which criminals utilise ICT and the degree to
which they interact with victims vary.

Some offenders have high-tech capabilities that allow them to minimise direct contact with victims, while
other networks keep the use of ICT to a minimum and have victims provide codes to the criminals, increasing
interaction. These low-tech networks get user credentials via e-mail (and occasionally phishing sites), and
victims are contacted by crooks acting as bank personnel to obtain essential transaction authentication codes.

On the opposite end of the spectrum, networks employ sophisticated malware that does not require
direct interaction with the victim. These networks, for example, infect websites with antiquated security
mechanisms, such as those that are still in use but have not been updated. When a user accesses such a page,
his or her computer is infected with malware. The malware allows criminals to get access to and control the
victim's computer, allowing the attacker to modify online banking sessions. Modus operandi may therefore
be classified into two broad categories, low-tech attacks and high-tech attacks, with each category further
subdivided based on the level of contact between offenders and victims. As a result, four attack variants
have been identified: low-tech attacks with a high degree of direct interaction between the
attacker and the victim (10 cases), low-tech attacks with a low degree of direct interaction (5 cases), high-tech
attacks with a low degree of interaction (4 cases), and high-tech attacks without interaction (1 case).

Networks that carry out low-tech attacks sometimes use several types of attack (both with a low
degree of contact and a high degree of contact).

Thus, based on the crime script and how an attack or an offence is committed, the cases helped in
identifying four categories.

Type 1: Low-tech attacks with a high degree of victim-attacker interaction

Ten networks carried out low-tech assaults that involved a high level of contact between offenders and
victims. All of them made use of phishing emails and websites. Victims were sent an e-mail that seemed to be
from their bank. The victim was instructed to take urgent measures to guarantee the security of his or her
account. The victim responded either to the e-mail itself or, occasionally, via a link in the e-mail, which
generally purports to connect to a secure portion of the bank's website. Offenders get user credentials and
other pertinent information in both situations. The victim is then approached by phone by a member of the
criminal network. The caller pretends to be a bank employee. During the phone contact, the caller alludes to
the phishing e-mail. Furthermore, the caller may provide information to the victim that only the bank is
supposed to know. This gives the victims assurance that they are speaking with bank staff. Victims are
requested to provide one-time security codes during the phone call to confirm the most recent security
upgrades. Offenders can use these security codes to transfer money from the victim's bank account to money
mule accounts.

Type 2: Low-tech attacks with a low degree of victim-attacker interaction

In addition to the above, seven networks employ phishing emails and websites to get user passwords and other
victim information. However, these groups' crime scripts do not necessitate a phone call. As in the previous
attack variant, victims get a phishing e-mail with a link to a phishing site. This website requires a
telephone number to be supplied in an extra entry box. When the victim uses this phishing site, the thieves
gain access to the victim's online bank account and also obtain the victim's phone number. The perpetrators
then request a new SIM card in the victim's name. Once the request is accepted by the telecom operator,
every communication to the victim's phone number is sent to the perpetrators. The criminals now have access
to the transaction authentication codes sent to the user's mobile phone and can use them to conduct
transactions from the victim's bank account.

Type 3: High-tech attacks with a low degree of victim-attacker interaction

Networks that use malware do not need to communicate directly with victims to intercept user passwords and
transaction authentication codes. The malware grants the criminal network access to the user's PC. Once this
has been done, the victims' transfers can be controlled. The most critical aspect of this assault is infecting
potential victims' PCs with malware. Four networks install malware when victims click on a link in an
e-mail. For example, Network 15 initially hacks into numerous corporate databases to collect e-mail
addresses. The gang also hacks a hosting business to transmit massive volumes of e-mail through the
company's servers. The e-mail appears to have been sent from a large power utility in the Netherlands.
The e-mail claims that the receiver is behind on his or her payments and that the energy provider has
attempted to reach the victim numerous times without success. It also includes a link to the outstanding
invoice. The machine gets infected with a Trojan when the receiver clicks on the link in the e-mail. This
gives the perpetrators control over the victim's browser, so the information entered by the victim can be
changed without the victim's knowledge. Criminals change the information entered by the victim while he or
she is moving funds from his or her online bank account.

Type 4: High-tech attacks without victim-attacker interaction

The high-tech assaults described so far still need some level of victim-attacker contact; if consumers do not
click on the link in the e-mail, their machines are not infected. Network 18, on the other hand, employs an
attack technique that involves no victim-attacker contact at all. This network infected a number of websites
with out-of-date security. When a person views such a page, his or her computer is immediately infected with
malware; the user is not required to take any action. When the victim transfers money using his or her online
bank account, the malware modifies the highest transaction. The money is divided into two parts: one part goes
to the original beneficiary, while the other part goes to a money mule's account. As usual, the victim must
approve the transaction and input the transaction authentication numbers. The victim has no reason to suspect
anything because the total amount has not changed, and there is nothing unusual on the screen. The malware
ensures that the payment is not shown in the online bank account's transaction summary. The only way for the
victim to find out that there has been a fraudulent transaction is by logging into their online account using a
computer that has not been infected with malware.

New types of Modus Operandi

Bulletproof hosting, a form of Modus: BPH services are provided as a haven for cybercriminal enterprises.
According to Europol's IOCTA, bulletproof hosting (BPH), an essential CaaS offering, is an important
criminal infrastructure that deliberately provides criminals with technical infrastructure that is resilient to law
enforcement disruption or takedown. Due to low or virtually non-existent KYC norms and the growth of cloud
services, threat actors are renting virtual private servers from legitimate hosting providers using fake or stolen
identities.

Ransomware scripts: Ransomware is a top-priority threat as per IOCTA reports, especially for public and
private organizations. With ransomware, criminals not only use encryption to hide their identity and obfuscate
their financial transactions but also actively use encryption as part of their modus operandi. This leads to a
situation where they can almost act with impunity. Ransomware attacks deployed against large corporations
occur in different stages and are executed by different threat actors. The first step (performed by one group
of criminals) of a ransomware infection is the computer/network intrusion, which is done by the use of
multiple attack vectors and malware types. The access is then sold to different cybercriminals who perform IT
infrastructure mapping, privilege escalation, lateral movement, data exfiltration, etc., and finish by deploying
the ransomware.

As mentioned above, ransomware poses a significant indirect threat to businesses and organizations by
targeting supply chains and third-party service providers. Private sector respondents have reported concerns
over the differences in the IT security apparatus across supply chains, which leaves companies that play a key
role as service providers vulnerable to attacks.

Malware script: There are cases where perpetrators use trusted third-party services, including Amazon Web
Cloud and Google, in their malware attacks; threat actors are thereby using the legitimacy of these services to
trick users into clicking on phishing emails and malware. While this modus operandi has been around for a
few years already, 2019 saw significant development. Cybercriminals hack legitimate sites (for example those
run on WordPress) to house various payloads and malware, using them as ‘stagers’ [14] to upload malware and
phishing sites within them.

[14] Stagers: The stager is responsible for downloading a large payload (the stage), injecting it into memory,
and passing execution to it.

SIM swapping script: SIM swapping is a new method employed by offenders according to IOCTA. This
modus operandi garnered considerable attention in 2020, with law enforcement agencies noticing a
significant increase in the number of cases in Europe. SIM swapping is a type of account takeover
and refers to the circumvention of SMS-based 2FA to access sensitive user accounts. Criminals fraudulently
swap or port the victim’s SIM to one in the criminal’s possession to intercept the one-time password (OTP)
step of the authentication process. Since this typically requires detailed information on the victim, SIM
swapping attacks are highly targeted. A successful SIM swapping attack can lead to criminals gaining
complete control over a victim’s bank, email or social media account and can lead to more crimes.

Operation Quinientos Dusim was an operation in January 2020, in which investigators from the Spanish
National Police, together with the Civil Guard and Europol, targeted suspects across Spain believed to be part
of a hacking ring that stole over €3 million in a series of SIM swapping attacks. The modus operandi was
simple, yet effective. The criminals managed to obtain the online banking credentials of victims at
different banks through the use of banking Trojans or other types of malware. Once they had these credentials,
the suspects would apply for a duplicate of the SIM cards of the victims, providing fake documents to the
mobile service providers. With these duplicates in their possession, they would receive directly on their
phones the 2FA codes sent by the banks to confirm the transfers. The criminals then proceeded to make
fraudulent transfers from the victims’ accounts to money mule accounts used to hide their traces. All this was
done in a very short period, between one and two hours, which is the time it would take for the victim to
realise that his/her phone number was no longer working.
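The sequence described for SIM swapping and for Operation Quinientos Dusim (a duplicate SIM is issued, then SMS-authenticated transfers go to money mule accounts within one to two hours) can be expressed as a correlation rule on the bank side. The sketch below is an added illustration and not part of the cited Europol material; the event fields, the sample records and the two-hour window are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: the bank can learn when the SIM behind a customer's number was last
# reissued (for example from the mobile operator). All field names are hypothetical.
RISK_WINDOW = timedelta(hours=2)  # the case above cites a one-to-two-hour window


@dataclass(frozen=True)
class SimChange:
    msisdn: str
    changed_at: datetime


@dataclass(frozen=True)
class Transfer:
    transfer_id: str
    msisdn: str          # number the one-time code was sent to
    auth_method: str     # "sms_otp" or "app"
    payee_known: bool    # has the customer paid this beneficiary before?
    requested_at: datetime


def latest_sim_change(changes, msisdn, before):
    """Most recent SIM reissue for msisdn at or before `before`, else None."""
    times = [c.changed_at for c in changes
             if c.msisdn == msisdn and c.changed_at <= before]
    return max(times) if times else None


def assess(transfer, changes, window=RISK_WINDOW):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'hold'."""
    if transfer.auth_method != "sms_otp":
        return "allow", []          # a swapped SIM only exposes SMS-delivered codes
    changed = latest_sim_change(changes, transfer.msisdn, transfer.requested_at)
    if changed is None or transfer.requested_at - changed > window:
        return "allow", []
    minutes = int((transfer.requested_at - changed).total_seconds() // 60)
    reasons = [f"SIM reissued {minutes} min before SMS-authenticated transfer"]
    if transfer.payee_known:
        return "step_up", reasons   # ask for a factor that is not tied to the SIM
    reasons.append("first payment to this beneficiary")
    return "hold", reasons          # new SIM followed by a new payee: hold for review


def run_sample():
    """Evaluate constructed sample events; returns {transfer_id: decision}."""
    t0 = datetime(2020, 1, 10, 9, 0)
    changes = [
        SimChange("+00-000-0001", t0),                       # reissued today
        SimChange("+00-000-0002", t0 - timedelta(days=30)),  # old, routine change
    ]
    transfers = [
        Transfer("T1", "+00-000-0001", "sms_otp", False, t0 + timedelta(minutes=40)),
        Transfer("T2", "+00-000-0001", "sms_otp", True, t0 + timedelta(minutes=50)),
        Transfer("T3", "+00-000-0002", "sms_otp", False, t0 + timedelta(hours=1)),
        Transfer("T4", "+00-000-0001", "app", False, t0 + timedelta(minutes=45)),
        Transfer("T5", "+00-000-0001", "sms_otp", False, t0 + timedelta(hours=3)),
        Transfer("T6", "+00-000-0001", "sms_otp", False, t0 - timedelta(minutes=10)),
    ]
    return {t.transfer_id: assess(t, changes)[0] for t in transfers}


if __name__ == "__main__":
    for transfer_id, decision in run_sample().items():
        print(transfer_id, decision)
```

Only T1 and T2 fall inside the window after a SIM reissue; the rule leaves app-authenticated transfers and transfers outside the window untouched.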

Card not present fraud script: CNP fraud, such as carding and e-skimming, is a commonly occurring fraud,
but new modi operandi are being employed. Carding refers to the use of stolen card data to purchase goods or
services.

The compromise of card data through e-skimming (also referred to as digital skimming) has increased, with
technically knowledgeable organised criminal groups targeting e-commerce merchants with weak security
measures. In an e-skimming attack, criminals inject malicious JavaScript code into the merchants’ checkout
pages, which allows them to capture personal data.
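Because e-skimming works by adding JavaScript to the checkout page, a merchant can detect it by comparing the scripts actually served on that page with an approved inventory. The following audit is an added example, not taken from the IOCTA; the host names, the sample pages and the finding labels are constructed for illustration, and the integrity digest of external files is not verified because the example runs offline.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_HOST = "shop.example"                               # constructed merchant host
ALLOWED_HOSTS = {"shop.example", "cdn.payments.example"}  # approved script origins


class ScriptCollector(HTMLParser):
    """Collect every <script> element of a page in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # dicts: {"src", "integrity"} or {"inline"}
        self._inline = None    # buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        if attrs.get("src"):
            self.scripts.append({"src": attrs["src"],
                                 "integrity": attrs.get("integrity")})
        else:
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.scripts.append({"inline": "".join(self._inline)})
            self._inline = None


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def inline_hash(code):
    """SHA-256 of an inline script in the 'sha256-<base64>' form used by CSP."""
    digest = hashlib.sha256(code.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def baseline_inline_hashes(html):
    """Hashes of the inline scripts on a known-good copy of the page."""
    return {inline_hash(s["inline"]) for s in collect_scripts(html) if "inline" in s}


def audit(html, page_host, allowed_hosts, inline_baseline):
    """Compare a checkout page's scripts with the approved inventory."""
    findings = []
    for s in collect_scripts(html):
        if "src" in s:
            host = urlparse(s["src"]).hostname or page_host  # relative URL: same origin
            if host not in allowed_hosts:
                findings.append(("unexpected-host", s["src"]))
            elif host != page_host and not s["integrity"]:
                findings.append(("missing-sri", s["src"]))
        elif inline_hash(s["inline"]) not in inline_baseline:
            findings.append(("unknown-inline", inline_hash(s["inline"])))
    return findings


# Constructed sample pages; the second adds two scripts the merchant never approved.
GOOD_PAGE = """<html><body>
<form id="checkout">...</form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.payments.example/sdk.js" integrity="sha384-CONSTRUCTED"
        crossorigin="anonymous"></script>
<script>initCheckout({currency: "EUR"});</script>
</body></html>"""

TAMPERED_PAGE = GOOD_PAGE.replace(
    "</body>",
    '<script src="https://unknown-host.example/a.js"></script>\n'
    "<script>/* constructed placeholder standing in for injected code */</script>\n"
    "</body>",
)


def run_sample():
    """Audit both sample pages against the baseline taken from the good page."""
    baseline = baseline_inline_hashes(GOOD_PAGE)
    return (audit(GOOD_PAGE, PAGE_HOST, ALLOWED_HOSTS, baseline),
            audit(TAMPERED_PAGE, PAGE_HOST, ALLOWED_HOSTS, baseline))
```

Run against the live checkout page on a schedule, any finding marks a script that was not part of the approved release.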

Black box attacks on ATM terminals: Logical attacks on ATMs and POS devices remain a threat, notably
black-box attacks, in which organised criminal groups successfully manage to extract large amounts of cash in
short periods. Black-boxing involves the installation of an external device connected to the cash dispenser to
bypass the need for a card authorisation to dispense cash. Typically, the actual installation of the black box
requires little technical knowledge besides the provision of the device and instructions. Instructions are
remotely sent to jackpot the ATMs, mostly older ATM models, for which security measures and software have
not been updated. While the modi operandi here remain largely the same, new variants of the modus operandi
are appearing, including malware that checks the balance of an ATM before deciding to attack it. Cybercrime
gangs change over time, committing one sort of crime before moving on to another, sometimes using a
different script.

ORGANIZED CYBERCRIME GROUPS- STRUCTURES AND NETWORKS

a) As mentioned above, McGuire and Chabinsky had established a typology comprising six subtypes
in three general categories, but also suggested exercising restraint due to the currently evolving nature
of organized crime in cyberspace.

Typology

o Type I: Groups that mostly operate online and commit cybercrimes. These groups operate
online and are divided into swarms and hubs.
o Type II: Groups that operate both offline and online and engage in crimes and cybercrimes.
They are said to be ‘clustered’ or ‘extended.’
o Type III: Groups that utilize information and communication technology to facilitate offline
crimes. They are subdivided as ‘hierarchies’ and ‘aggregate’ due to their degree of cohesion
and organization.

Cases

LulzSec: LulzSec is a hacking organisation that obtained private information from Sony Pictures' computer
systems by employing a SQL injection [15] attack against the website and then spread the stolen material on
the Internet. The stolen data included sensitive information of thousands of Sony consumers, including names,
addresses, phone numbers, and e-mail addresses. The hackers did not have any motive to exploit the data, but
rather wanted to demonstrate that Sony's website was not secure. These actions were both a protest against
the online entertainment industry's commercialism and an attempt to demonstrate technological competence.

[15] SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an
application makes to its database. This database may include any number of items, including sensitive
company data, user lists or private customer details.

Dreamboard: Until it was shut down in 2009 as part of a multi-national police operation, Dreamboard was a
closed group that sold unlawful photographs of children under the age of twelve.

There was rivalry for rank within the group, but the primary goal of the group was sexual satisfaction. The
servers were in the United States, and the senior member administrators were in France and Canada. The rules
and regulations were written on the site's message board in different, prominently used languages. It was a
sophisticated institution that screened potential members and demanded the provision of unlawful material for
membership, and the members got paid for making content. The quality and quantity of members'
contributions dictated their status levels. The group's members used masked identities, and the data was
secured through encryption. To get access to the bulletin board of the group, proxy servers that hide the
original server were utilised. These communications were routed through other computers to hide a member's
true location, making it harder for investigators to monitor their online activities (US Department of
Homeland Security, 2011).

DrinkOrDie was a gang of copyright pirates that used the Internet to illegally create and distribute software,
games, and movies. The group was well-organized, with a hierarchical structure and a division of labour.
Employees of software firms often obtained the new programmes, crackers removed the content's electronic
security, testers ensured that the unprotected version functioned properly, and packers disseminated it.
Members were motivated not by profit, but by the challenge of competing with other similar groups and
earning status within the piracy community.

Dark Market served as backend support for a marketplace where buyers and sellers of credit card and
banking information could meet in the online world. The marketplace sold banking and card information.
Banking and card information was obtained illegally through secret recordings at ATMs using ‘skimming'
devices, through access to information on users' personal and business systems, and through ‘social
engineering' techniques in which victims were persuaded to divulge the information. It was a carding site.
Initially it was a direct buyer-seller trade, but due to the vast amount of content, it was an economical decision
to use a forum where prospective parties could communicate collectively. The group was very well-organized.
Prospective suppliers had to demonstrate that they could supply acceptable credit card information, which was
then verified for accuracy. Members were chosen after being nominated and verified. At any given moment,
the site could only have four administrators. They were in charge of the site's security, offered an escrow
service, and patrolled it for "illicit behaviour" such as drug selling and child pornography. For the VIP
members, reputation and prestige were the priority, and for others it was monetary gain with anonymity and
a low profile.

The DNSChanger malware was created by a group of Estonian men posing as Rove Digital, a real firm. It
gave them control over DNS (Domain Name System) servers. The gang controlled online advertising through
an internet fraud scheme. Social engineering supported its spread; for example, it was offered as a video codec
that was ostensibly necessary to watch pornographic movies. The malware infected an estimated four million
machines globally at its height. DNSChanger worked by replacing advertising on websites with advertising
sold by Rove Digital and by sending infected computers to rogue servers controlled by the group's associates.
When visitors clicked on links to a valid official website, they were sent to a phoney website that looked
identical to the original site but offered counterfeit and often hazardous items. The organisation was accused
of stealing millions of dollars in ad views.

Carberp is a malicious piece of software that aims to steal financial data. Carberp was only utilised by a tiny,
secretive organisation that operated in Russian-speaking nations, employing only 16 people. The team had an
extensive network of collaboration with three other groups. The developers of the malware began selling it to a
few clients in the former Soviet Union. The team showed a great level of cooperation. Members of Carberp's
team worked remotely from several cities in Ukraine. They unlawfully moved significant quantities of money
into the group's accounts using stolen banking data. The funds were then taken from a number of ATMs
across Moscow. The first group had a direct connection to the malware's developer. Carberp source code was
sold to the organizers of the second group in 2010, and they worked on a second version in parallel. The third
gang had been using the botnet Origami Hodprot to commit online bank fraud until switching to Carberp in
2011. As the botnets increased in size, the group's actions became more structured, and its members became
better coordinated. With rumours of the Carberp source code being made public in mid-2013, there are
concerns that better 'copycat' variations may be produced and released soon.

Unlimited Operation is a cybercrime network that spans the globe.

The group's masterminds had hacked the networks of worldwide financial institutions in order to obtain data
from prepaid debit cards. They were able to remove the cards' withdrawal restrictions. ‘Cash crews' were able
to take almost unlimited amounts from ATMs all around the world using fake cards made from stolen data.
The participants' enrichment was based on a clever division of labour. ‘Unlimited Operation’ was marked by
three characteristics: surgical precision, a global reach, and highly coordinated planning and execution.
This shows that the group is highly sophisticated and wants a quick getaway.

Koobface (an anagram of Facebook) is a worm-based malware that primarily targets Web 2.0 social media sites
like Facebook. Koobface propagated by sending messages to the ‘friends' of a Facebook account that had been
infected. The message linked the user to a fake website, asking them to download what seemed to be an Adobe
Flash Player update. After the bogus programme was installed, Koobface took control of the computer's search
engine and steered the user to linked illegal websites that offered a variety of frauds, including false
investments, fake antivirus software, and fake dating services, among others. The Koobface botnet profited
from these other websites' pay-per-install and pay-per-click revenues.

So, to summarise, LulzSec was a loose network of like-minded hackers that infiltrated the systems of high-
profile companies in order to call attention to possible security flaws. Dreamboard, a closed group, shared
pornographic photos of children. DrinkOrDie was a group dedicated to piracy and the distribution of pirated
media. The other groups were driven by a desire to make money. One commonality among these groups was
their global reach and presence.

ANALYSIS AND CLASSIFICATION: They analysed and summarised the instances in order to determine
which typology these cases fall into, as well as to establish the link between criminal type and organization
structure. The examples were not picked at random. They also highlighted activities carried out by groups
that work under official support, are involved in espionage and sabotage, have economic and political aims
and are not driven by the desire for recognition. According to the study, certain groups' abilities and resources
were superior to those of other groups and people. The work of Drink or Die, Dreamboard, and ‘Unlimited
Operation' demonstrated perfection and skill.

Chabinsky's model's organisational structure looks to be more akin to a sophisticated, enterprise-like
deception than other forms of crime. The “Unlimited Operation” and Koobface instances appear to support
this theory and to be the most appropriate examples.

The “Drink or Die” group featured a division of labour to a lesser level, with at least six of Chabinsky's 10
positions involved. Cashers, tellers, and money mules were not required because the organisation had no
substantial financial motivation.

In light of the instances we've covered, McGuire's typology appears to be valid. The state crime cases looked
to fit into a hierarchy, or the extended hybrid form, to the extent that non-state actors are engaged.

Complex frauds, such as ‘Unlimited Operation’ are also the work of hierarchies.

Discussion forums like DarkMarket, an online marketplace connected with activities related to online fraud,
have swarm-like characteristics. The site allowed a variety of cybercriminals and potential offenders with a
similar goal to come together to acquire and sell stolen data, from forum managers to normal members.

DNSChanger and Carberp are examples of close-knit group structures, which can act as a hub since smaller
groups have stronger social links.

LulzSec, a putative branch of Anonymous, is an example of a swarm and hub-like organisation. LulzSec,
which is made up of a small number of people, is said to have worked with Anonymous, a bigger collective.
Annoyance crime and more complicated protest activities, such as denial of service, appear to be best suited to
a swarm.

Protest activities that are ad hoc and short-term are carried out by aggregate groups. Illicit markets and
organized paedophile activity resemble hubs. Paedophile activity is an offline offence and a clustered hybrid
form.

b) Networks and structures by Leukfeldt

The research examines 40 cases from the Netherlands, Germany, the UK and the USA in which criminal
networks were involved in financial cybercrime affecting the banking industry, with the aim of advancing the
discourse on the extent to which cybercrime is organised crime (OC).

Cases from UK, US, Germany and Netherlands:

Data was obtained via criminal investigations into cybercriminal networks in the Netherlands, the United
Kingdom, the United States, and Germany as part of ERL's doctoral study and the Dutch Research
Programme on Online Banking Safety and Security. In the Netherlands, the researcher gained access to 18
police investigation files. In Germany, the United Kingdom, and the United States, the researcher had no file
access for detailed investigation. Instead, between March 2014 and November 2015, he conducted 28
interviews with police who investigated relevant criminal cases in order to reconstruct the characteristics of
cybercriminal networks.

The researcher was able to reach out to law enforcement and other agencies in the UK, the United States and
Germany through the Dutch police (the Dutch High Tech Crime Unit) and the Dutch Police
Academy. In addition, official court papers of the cases were examined whenever possible. Data was
gathered for 22 cases in total: nine in the United Kingdom, ten in the United States, and three in Germany. In
addition to the information provided by respondents, open-source data was used to supplement the main
sources of information. The 22 cases studied spanned the years 2003–2014. In total, 40 cases were researched
and hence that many different criminal networks were examined. Networks 1–18 were explored in the
Netherlands, networks 19–27 in the United Kingdom, networks 28–37 in the United States, and networks 38–40
in Germany. The cases were thoroughly examined using the analytical framework created and used by the
Dutch Organized Crime Monitor, a long-running project that investigates the nature of OC in the Netherlands.
The framework considers a variety of core elements and characteristics often associated with organised crime
(Leukfeldt et al. 2016a, b, c).

Analysis: There was no strong hierarchical structure in any of the networks that were examined. However, this
does not imply that they were fully flexible; all networks had varied functional responsibilities and
dependencies. The majority of the networks in the study (30 of 40) had three distinct layers: core members,
enablers, and money mules (Leukfeldt et al. 2016a, b, c).

Attacks on financial institutions were launched and coordinated by core members, who also instructed other
members of the network; the attacks could not have been started or carried out without these key players.
Enablers offered services required to carry out the modus operandi. These criminal members usually worked
for multiple networks, promoting unlawful services on the internet, as more freelance work was
carried out. To hide the financial trail leading to core members, money mules were deployed. There were
several exceptions, such as when core members didn't need enablers or didn't utilise money mules.

Money mules were cheap to replace, and criminal gangs could use hundreds of them in a single strike and cut
them loose. They were the easily replaceable and unimportant members of the group once the transaction was
done. As a result, they were excluded from the analysis. In the last ten cases, core members didn't require facilitators
or money mules because they already possessed all of the requisite skills for the attack and the transfer of the
proceeds. For 27 networks, we had detailed information on core members. In the majority of cases (22 of 27),
criminal networks were made up of a consistent group of core members who planned and carried out assaults
against financial institutions. Even when networks had a consistent number of core members, individual core
members joined hands with other network people. Prior to the hacks, criminals in the five networks that
lacked a stable core used online forums to locate additional suitable co-conspirators.

For example, in Network 34, all core members had technological expertise in the domains of hacking and
money laundering, and they were all entrepreneurs who worked on virtual darknet markets independently and
occasionally collaborated. The instances studied did not provide a complete picture of all members of criminal
organisations. The gathered information about the number of core members and enablers for 36 networks
shows there were two networks with only four members (small networks); 21 networks with between five and
ten members (medium networks); 11 networks with between 11 and 20 members, and one network with more
than 21 members (large networks).

A small network, Network 21, had or has four main members who spent a significant amount of time in the
world of cybercrime, meeting in coding-related chat rooms, creating malware, stealing passwords from
financial institutions, and then selling those credentials on the darknet. They didn't need an enabler since the core
members possessed all of the abilities that were needed to take the credentials. Likewise, there was no need
for money mules since the information was sold to others and not for self-use, thus reducing the risk.

Network 18 is a good example of a medium network. Here a Latvia-based network created and
used malware to steal money from victims' accounts. Although the number of core members is unknown,
criminal investigations had revealed that one created the virus and another coordinated money transfers from
victims' accounts to money mules' accounts. To recruit and control money mules, nine enablers were used and
some of the recruiters were based in Latvia, while others were based in the victims' countries. Another
facilitator faked the paperwork that money mules required to create new bank accounts. In this case enabler
smuggled mules from Latvia.

Network 1 is a large network involved in phishing and had the largest number of core members and
facilitators, with eight core members who were in charge of a variety of tasks, from organising money transfers
to recruiting to cashing money from the mules. To get login details for online bank accounts, the core
members utilised phishing emails and websites. One of the core members had a contact in another country to
create phishing websites for two banks. One of the facilitators pretended to be a
contact centre agent to get one-time transaction codes from victims over the phone in order to transfer funds
from their bank accounts. Bank personnel, postal workers, and cashiers, in addition to members of the groups,
are involved in the execution of various portions of the crime script in various networks ranging from small to
huge.

SUMMARY OF THE STUDY

The study of organized cybercrime is still in the early stages, with new technology and applications creating
opportunities for criminals to exploit. It will be necessary to maintain track of the evolution of the
organisational forms that these illegal activities will take in order to stay on top of cybercrime. This research
has taken a small step in this direction. In this study, we have found that the research that
has been undertaken so far gives a picture of what organized cybercrime is and its ever-evolving nature. The
study has given us the possible ways in which crime networks were organized in cyberspace but doesn’t
reveal everything because not all were apprehended in the offences. Due to the transnational nature of its
presence, not all members of the gangs were convicted or arrested. This doesn’t give a full picture of the
networks. From the study, we can also see that the formation of networks and their structures are influenced by
multiple factors from technology to resources to location. With the evolving nature of cybercrimes, we have
also seen how crime scripts and structures of groups have also evolved and changed. There has also been the
limited presence of conventional groups in cyberspace, but this is not a realistic assessment as the sample or
the number of cases that were taken was limited.

To summarize, the cyber offences committed have a network and organizational structure. Most of the cyber
offences involve a group and the victims range from individuals to small businesses to corporations,
sometimes even state entities. The study on modus operandi reveals that with new technology, new forms are
developed. With structure and network, the existing typologies fit but don’t reveal everything, as more
research is required. Due to the fact that organized cybercrime is a subset of cybercrime, the impact and
awareness part of cybercrime has been well studied and researched but without focusing particularly on the
topic of organized cybercrime.

RECOMMENDATIONS AND CONCLUSION

From the research, we can conclude that any type of cyber-attack by lone wolves has huge risks and losses; the
risks and losses become manifold if the same offence is committed by a group. Some recommendations could
help in countering or mitigating the effects and stopping these attacks moving forward:

• It is very important to differentiate organized cybercrime attacks from other forms of organized crime,
as this will help in directing the resources and work accordingly. In the USA, these crimes are
classified as organized crimes and not dealt with separately in a legal sense.

• International coordination and cooperation are a must for these transnational cyber offences. It has
been difficult for years to achieve international cooperation among agencies for traditional offences;
thus, it could be even more difficult to deal with transnational cyber offences. Operation
Trident Breach, a special international collaboration between the FBI, the FSB, and the Ukrainian and Dutch
police to capture the group branded as Evil Corp, which caused ransomware attacks globally causing millions of
dollars of losses, ended up as a failure after years of investigations and efforts, when they managed to find
the suspects who ran the big cyber ring/empire. This case study is a perfect example of where
international collaboration at different levels is needed to address these crimes, which cause billions in losses,
before it reaches the tipping point.

• Information sharing (removing practical obstacles, enhancing judicial cooperation, reducing time, fostering a
culture of transparency and trust) is at its lowest, and enhancing the legal framework for this particular
crime is necessary.

• Prevention and awareness, as well as crisis management, is the only way the impacts can be minimized,
as even educated, technically savvy people fall into the trap as victims, because the attacks are almost
invisible.

• Significant efforts need to be devoted to tackling major crime-as-a-service providers, as these make it possible
for even an offender with no technical skill to commit a cyber offence. The service providers support the work at
a safe distance, cutting the risks, for a share of profits.

The research in this domain is still in its early stages. More attention is needed so that more knowledge can be
gathered on the different characteristics and aspects of the organized form of cybercrime, since the
attacks are on a growth trajectory. The scale at which these attacks are carried out and the impact thereafter
show that they are carried out by networks of cybercrime professionals operating in a sophisticated manner with
complementary support from different people, groups and specialists.
