Just one more hour behind the hot grill flipping burgers, and Derek* could call it a day. Under his musty hat, his hair was matted down with sweat, and his work uniform was spattered with grease. He knew he’d smell the processed meat and smoke for the next three days, even after he’d showered. But it was money, he supposed.
“Derek!” His manager slapped him on the shoulder. “A little bird told me you were good with computers. I’ve got a job for you, if you’ll take it.”
The next day, with routers and cables bought and paid for by his manager, Derek networked his boss’ entire home. After one hour of work, he was handed a crisp $100 bill. Derek made a quick calculation: He’d have to put in three full shifts at the burger joint to take home the equivalent.
Unfortunately, not all of Derek’s clients had his manager’s money. Like him, his classmates came from a modest middle-class background, and they often couldn’t afford the latest video games, DVDs, and albums. But Derek had something not even his boss had: the ability to hack.
Mostly, his classmates looked for video game hacks, like unlimited life, or access to boatloads of free music. Sometimes they needed expensive cables to set up LAN parties, and Derek could McGyver a cat-5 so that his friends only had to pay him $10, instead of the $50 they cost at Best Buy.
Sometimes, Derek took on work that was a little more dangerous or challenging—like scamming other scammers to get onto their networks and drop malware or redirecting browser traffic to personal eBay storefronts—and he proved himself adept at this type of problem solving. Everyone knew Derek was the man to go to for these things—and he liked that. What’s not to like? Money, popularity, and a quiet “screw you” to the man. He was proud of his ability to hack into and modify programs built by professionals.
“There was ego involved, of course. It was like, ‘Ha! Look what I did that I wasn’t supposed to be able to do,’” said Derek, who today works as an engineer at a security company, but sometimes still participates in less-than-legal activities online. “Some 13-year-old kid just beat a 30-year-old programmer.”
Derek’s hacking hobby soon became more than a pastime. The stars had aligned for him to step into the world of cybercrime.
What makes a cybercriminal?
Some of Derek’s actions might sound familiar to those who tapped into the early, Wild West-esque days of the Internet. Pirating and counterfeiting music, video games, and DVDs was par for the course in the mid and late 1990’s, until the Napster lawsuit and subsequent shutdown opened the nation’s collective eyes to the fact that these actions were, in fact, unlawful.
Today, we know better. Those who can game the system are called hackers, and the term is often used interchangeably with cybercriminals. However, hackers are merely people who know how to use computers to gain access to systems or data. Many hackers do so with altruistic purpose, and they are called white hats.
White hats are considered the good guys. They’re experts in compromising computer systems, and they use their skills to help protect users and networks from a criminal breach. White hats often work as security researchers, network admins, or malware analysts, creating systems to capture and analyze malware, testing programs for vulnerabilities, and identifying weaknesses in companies’ infrastructures that could be exploited and/or infected. Their work is legal, sanctioned, and compensated (sometimes handsomely). But sometimes, even white hats can find themselves in compromising positions.
Good guys (and girl): The Malwarebytes intel team
Jared* got his start in IT as a technician, working at a mom-and-pop shop that he had frequented often when putting together his own machine. “I was a computer hobbyist,” he said. “I bought and built my first one, and I kept going to the same store for parts. Eventually, I ended up working there.”
Jared built up his skills working in the shop, eventually moving up to enterprise work at a larger chain store. It was there that he was introduced to a software developer that was making an anti-malware product designed to rip spyware out of people’s machines. He was hired on to add definitions (the code that helps antivirus programs detect malicious software).
But soon, Jared started to sense that something was off. Despite the fact that the company owners kept departments siloed—the user interface (UI) people didn’t know what the product development people were doing, and none of them knew what the marketing people were up to—Jared started asking uncomfortable, ethical questions in meetings that made him rather unpopular.
“I had the horse blinders on. I knew that there was stuff taking place that I was not comfortable with, and I chose to ignore it because it wasn’t the product I was working on,” he said. “But, that mental gymnastics got harder and harder and harder, until I finally realized that some aspects of the company I was working for were super scummy.”
What Jared came to realize after moving into a Q/A position was that he was, in fact, working for a potentially unwanted program (PUP) maker—a product created mostly to rip people off. He might not have been trying to participate in cybercrime, but he was complicit.
Despite trying to fight the corruption from the inside, Jared was stuck. He needed this job to stay financially afloat. Finally, after six years at the company, he was actively looking for a new job in IT when he was approached by a legitimate security company—and that’s where he is today. His bosses at the PUP maker, however, knew exactly what they were doing. And that’s why they’re considered black hats.
Black hats are the bad guys; the cybercriminals. They use a similar skill set as white hats, but their intentions are not to protect systems. Instead, they look to cause damage to their targets, whether that’s stealing personal data for monetary gain or coordinating attacks on businesses for revenge. Black hats’ criminal activity ranges from targeting individuals for state-sponsored espionage to widespread corporate breaches, and their efforts may be conducted from outside an organization or embedded within as an insider threat.
But the world is not black and white. A third set of hackers exists between opposite ends of the moral spectrum, and they are known as gray hats. They may not be trying to cause intentional harm, but they’re often operating outside the law. Gray hats might identify as cybervandals or rogue researchers, publicly announcing vulnerabilities to bring attention to a problem. For example, a gray hat could compromise a system without an organization’s permission, but then inform the organization after the fact in order to help them fix the problem. You might consider Jared a gray hat during his tenure at the PUP maker, even though he entered and left the establishment with the best of intentions.
What sets a cybercriminal apart from a security researcher, then, comes down to motive. Ethical hackers look to improve the security of software programs to protect users and their online experiences, whereas cybercriminals seek to undermine the integrity of those systems and programs for their own gain. It’s why people hack that shapes the nature of their being.
Putting together the profile
Without knowing the identity of cybercriminals (as most do a good job of covering their tracks), criminal profiling becomes a useful tool to begin drawing more accurate pictures of the people behind the proverbial hoodies.
Criminal profiling is a psychological assessment that includes personality and physical characteristics. “Fitting the profile” doesn’t necessarily mean a person committed the crime, but it can help narrow the field of suspects and exclude others from suspicion. Profilers use both inductive profiling (statistical data involving known behavioral patterns and demographic traits) and deductive profiling (common sense testing of hypotheses related to forensics, crime scene evidence, and victimology) to create personas of criminals. They are then able to identify criminals based on an analysis of their behavior while they engage in the crime.
Online, however, gathering this type of data can be nearly impossible. How can criminal profilers identity the crime scene, for example, when a victim might not even know how, when, or where he was infected?
According to an article in CIO, criminal profiling has a success rate of 77 percent in assisting traditional investigations. Unfortunately, no such headway has been made for cybercrime. Instead, both corporate and individual would-be victims rely on a combination of cybersecurity awareness (aka street smarts for computers) and technologies to prevent the crime from happening in the first place. These technologies include firewalls, encryption, two-factor authentication, antivirus, and other more advanced forms of cybersecurity software.
And while technology has been the main defense against cyberattacks, experts say a better understanding of the psychological, criminological, and sociological side of the equation can help fortify protection and possibly catch thieves in the act.
“Those that get caught never invest in sensible growth funds or get their families out of the country. They buy sports cars,” said William Tsing, Head of Intel Operations at Malwarebytes, whose work includes coordinating with law enforcement to take down cybercriminals. “Florida has had success getting people with outstanding warrants by the classic giveaways of sports cars and boats. These men have very specific ideas of who they’re ‘supposed’ to be, and buying expensive toys plays to their ego. They steal what they think they deserve.”
That being said, only 5 percent of cybercriminals are actually apprehended.
To better understand their psychological, criminological, and sociological motives, former police officer and IT professional Deb Shinder put together a set of characteristics she says that most cybercriminals exhibit. These include:
- Some measure of technical knowledge
- Disregard for the law or rationalization about why particular laws are invalid or should not apply to them
- High tolerance for risk or the need for a “thrill factor”
- “Control freak” nature, enjoyment in manipulating or outsmarting others
- A motive for committing the crime—monetary gain, strong emotions, political or religious beliefs, sexual impulses, or even just boredom or the desire for fun
A generic cybercriminal profile, therefore, might look like this: “Male, under 25, history of anxiety, angry, sustained difficulties with in-person interaction, and distrustful of anything outside of science or tech,” said Tsing, who qualifies that it applies to North American and Chinese black hats only—Russian black hats likely fit a different profile.
Additional research conducted by online payment company Jumio finds that three-quarters of cybercriminals are male, and they work in organized groups, half of which have six or more members. (Though this is not to be confused with organized crime, which cybercriminals have, surprisingly, little connection with.) And they live all over the world, but are found especially in Asia, most notably China, Russia, and Indonesia.
As there as so many different forms of cybercrime, so too are there different profiles. Those who participate in online piracy have different traits from those who are scam artists, as well as those who are involved in human trafficking or child pornography.
Types of cybercrime
The various types of cybercrime committed by black hat hackers are highly influenced by technical skill, though socio-economic factors also play a part. Those who are able to participate in cybercrime that requires higher technical expertise often come from fairly comfortable, middle-class backgrounds. Yes, there are savants—your Good Will Huntings who come from extreme poverty and are self-taught—but for the majority of cybercriminals, a base level competence in computer science is acquired at home, with private access to a computer, and at school.
“In high school, I took computer science classes. That was actually my first exposure to cybercrime and the dark world,” said Derek. As a freshman, he was in class with seniors who were already involved with less-than-legal activities, and they taught Derek how to grow his own abilities, whether that was by finding better content or achieving faster download speeds.
Personal preference and opportunity certainly play a role, but technical skill is the major factor that separates the scammers from the ransomware authors. We separate types of cybercrime (and criminals) into categories as follows:
Online piracy: We’ve covered this fairly well with Derek’s actions, but online piracy involves illegally copying and sharing copyrighted material, such as movies, video games, and music. In the US, this is an infringement on the Digital Millennium Copyright Act (DMCA), which was enacted in 1998. It doesn’t require much technical skill to do the copying and sharing of files, but it does require some basic know-how to find torrent sites that won’t infect your own machine and stay under the radar enough to avoid fines.
Malware/PUP writing: To write programs that deploy malicious code generally requires a much higher level of technical prowess, whether that’s authoring a program that can discover vulnerabilities in other software and escort malware through the door (exploits) or creating ransomware that can seize and encrypt a system’s files, holding them hostage.
Creators of potentially wanted programs also fit under this umbrella, as they require the requisite programming skills of any software maker, with the added bonus knowledge of dark design—e.g. sneaking pre-checked boxes into end-user license agreements (EULAs) or creating extra search bars that obfuscate their true purpose, which is to redirect users to sites out of their control.
One caveat: A lot of malware creation can now be conducted by those with lesser technical capabilities, such as script kiddies, or people that use existing computer scripts or code to hack into computers. Malware-as-a-service, then, has popped up as a profitable form of cybercrime, where black hats actually write and sell code to other black hats in place of or in addition to participating in their own attacks.
Scamming/fraud/extortion: Scamming requires little in the way of technical skill, but does rely on knowledge of classic social engineering techniques, such as exploiting fear, carelessness, or a variety of other emotions to manipulate users. Scamming in the cyberworld includes phishing attacks that seek credentials, such as usernames and passwords and technical support scams, which dupe users into pay fake technicians to “fix” an issue in their computer that either doesn’t exist or that the technician has actually caused himself.
Those that write malware often look down upon the scammers for their lack of technical skill, and sometimes infiltrate scammer networks and drop their own viruses or worms.
“I liked causing pain to people who were trying to screw over grandma,” said Derek. “In the land of the blind, the one-eyed man is king.”
However, socio-economics probably has the largest impact on this subset of criminals. Massive caller banks have been set up in states and nations where poverty runs rampant, including Florida and India, where scammers target the mentally ill or the elderly for low-end technical support scams and vendor fraud. While seemingly vile, it puts much-needed money in the pockets of the poor.
Cyberterrorism/state-sponsored espionage: Here live those with top-of-the-line hacking aptitude, such as the ability to reverse engineer malicious code or break military-grade encryption. Once cybercriminals become good enough at their trade, they’re often snatched up by nation-states that participate in this type of cyberwarfare. (Though there are those hacktivists that work independently from their governments.) In the US, those with a background in cybercrime are not invited to the cyber table, so to speak, but they are often courted and hired by private companies as security researchers
Child pornography/human trafficking: Sure, yes, technical skill is involved to some degree when you’re talking about this type of deviant behavior, but mostly you’re dealing with the soulless and sociopathic, here. When it comes to the deep end of this criminal pool, psychological motive is the factor that separates the truly sick from the opportunists.
What motivates a cybercriminal?
Indeed, motive is the most fascinating and also most illuminating factor that ultimately determines the full psychological profile of a cybercriminal. And while cybercriminals often have more than one motive for doing what they do, these motives can tell us the all-important why behind the hacking, as well as which type of cybercrime they’ll likely participate in.
“I didn’t brute force FTP servers as a kid because I was poor,” said Tsing. “I did it because I was bored, powerless, depressed, and smart enough to try it.”
Some of the main motives for different types of cybercrime break down as follows:
For fun/the challenge: According to a 2017 report from the National Crime Agency, 61 percent of cybercriminals begin before the age of 16. The young age of the offenders can be attributed to their access to technology and the perception that it’s a victimless crime.
“There’s a little bit of a Robin Hood complex there. I’m not saying it’s right, but I would say that for the most part, what I did was victimless crime,” said Derek of his video game hacking enterprise. “If anything, it was cheap marketing because they played the game and gave out reviews and loved the hell out of it.”
Shinder believes that many cybercriminals hack not out of malicious intent or financial benefit, but simply because they can. “They may do it to prove their skills to their peers or to themselves, they may simply be curious, or they may see it as a game,” she said.
John Draper, aka Captain Crunch (left), is one of the early pioneers of hacking.
One subject interviewed by the NCA said that illicit hacking made them popular, and they looked up to users with the best reputations. The NCA study also found that curiosity and a desire to increase skills were the most common factors that led to cybercrime. This assessment is corroborated by a recent report by Nuix, which found that 86 percent of surveyed threat actors said that they liked the challenge of hacking and hacked to learn. Additionally, 35 percent said they did it for the entertainment value or to make mischief.
If having fun or looking for a challenge is the main motive, then the buck likely stops for these budding cybercriminals at sharing copyrighted music and movies, defacing websites, or other low-impact crimes. If you combine this motive with others, however, the severity of the crime begins to increase.
Financial: Money can account for the motive behind almost all forms of cybercrime, from online piracy on down to scams and human trafficking. According to the Nuix report, 21 percent of surveyed respondents hacked for financial gain.
What pushes cybercriminals to continue down their path often amounts to putting more expendable cashin their pockets. As cybercriminals age, their financial needs change. What started as a yearning for new video games grows into wanting more cash to buy a car, date girls, and buy drinks at the bar. And often, criminals discover that their side hacking jobs pay way more than entry-level jobs in fast food or retail.
“The first time I started thinking about [hacking] for money was when I first started caring about money,” said Derek. “At 15, I started wondering how I was going to buy a car. [I was] making more than I should have been at 16-years-old—probably a couple grand a year. It was a lot more than my real job at the mall. At that point, I wasn’t thinking of stopping. Money talked.”
Cybercrime paychecks often stack up much higher against career IT jobs. For example, Jared made $45,000 a year while working for the PUP maker, which was much more than a basic computer technician could expect to make in his location and during the time he worked there. For those that are at the top of their crime field, the earnings are even higher. According to an April 2018 study by Dr. Mark McGuire, the highest-earning cybercriminals can make more than $166,000 per month, middle earners can make more than $75,000 a month, and the lowest-earning cybercriminals can still rake in more than $3,500 a month.
Still, money isn’t the only incentive for many threat actors, who prefer the anonymity and isolation of working in cybercrime over the human interaction required to work in a traditional office.
“The stated motive is always money. But that’s not necessarily true,” said Tsing. “It’s just that legit avenues to earn don’t appeal for various reasons. Often times, low level guys will make peanuts, but it’s peanuts where you don’t have to interact with others with respect, don’t have to be around women, and can take time off if you’re crippled with depression or anxiety. So, they go with $40–$60,000 selling DDoS or launching phishing attacks rather than take $75,000 in an office.”
Emotional: Shinder believes that the most destructive cybercriminals act out of emotion, whether that’s rage, revenge, “love,” or despair. This category includes ex-spouses, disgruntled or fired employees, dissatisfied customers, and feuding neighbors, to name a few. Cybercriminals motivated by emotion can often be found getting angry in forums, comments sections, and social networking groups, “trolling” users by baiting them with overly offensive, intentionally contrary content.
The emotional motive might be most personally destructive to the victims of lovers spurned. These criminals use their technical competence to cyber stalk their victims, access their accounts without authorization, or use Internet of Things (IoT) devices to commit domestic abuse, such as locking their loved ones inside the house via smart locks or cranking the heat up in the middle of the summer using Internet-controlled thermostats.
The malicious insider is another common subtype impacted by emotion. They are often upset about being overlooked for a promotion or raise, or are frustrated by a perceived injustice, which can send them on a critical path that includes defacement of company websites, DDoS attacks, stealing or destroying company data, or exposing confidential company information.
“As for the malicious insider, predispositions and professional dissatisfaction or a sense of being slighted in his job can serve as a trigger,” said certified forensic psychologist Dr. Harley Stock in an article for Dark Reading. “They move from a psychological sense of not being treated fairly to developing justification responses, giving themselves excuses to do bad behavior.”
Ego: For those involved in a variety of cybercrime, but especially social engineering attacks, shoring up a weak ego is a motivation that combines several psychological provocations, including insecurity, financial woes (and gains), and emotional turmoil into one powerful punch. In fact, if you ask Tsing, he believes ego is at the root of all cybercrime evil.
“I’d say the one overarching motive is emotional if I wanted to troll—they tend to go on at length about how they don’t have emotions. But it’s probably ego or power,” he said. “It gets confused as money, because they use money as a means to power. I think if it were actually money, though, we’d see a lot more of these folks leaving their countries of origin.”
Cybercriminals driven by a weak ego and lacking the technical skill to drop malware on their chosen targets tend to have more visibility into and interaction with their victims, and they validate those actions by convincing themselves they’re actually on the defensive, attacking “back” at those who put them in the position in the first place.
“They have such a shaky sense of self that they feel constantly under assault by essentially everyone,” said Tsing. “So, it’s not that they don’t care [about hurting others], it’s that they’re ‘getting back’ what’s theirs.”
Poor grandma. She must have been a real jerk to deserve having her identity stolen, or to field a phone call from a fake, desperate granddaughter who needed money to bail her out of jail (a real scam scenario).
Political/religious: According to the Nuix report, six percent of respondents said they hacked for social or political motives. Often associated with cyber activism/terrorism, hacktivism, and nation-state supported cybercrime, those with political or religious motivations hack with the intent to take down foreign adversaries. Shinder asserts that this particular motive is closely related to the emotional category, as people’s political and religious beliefs are often intertwined with their personal feelings. “People get very emotional about their political and religious beliefs, and are willing to commit heinous crimes in their name,” she said.
Sexual impulses/deviant behavior: Cyberpsychologist Mary Aiken, whose work was the inspiration for the TV show “CSI: Cyber,” famously joked in a 2015 Web Summit conference about the Freudian impulse that drives people to hack as “a cyber-sexual urge to penetrate.” While meant as a tongue-in-cheek poke at psychologists’ attempts to understand cybercriminals, there does exist a group in the darkest corners of the web to whom sexual compulsion and deviant behavior apply.
Although also related to emotion, those with sexual impulses are some of the most violent cybercriminals, as they commit heinous crimes using the Internet as a tool to lure in their victims. Rapists, sexual sadists, pedophiles, and even serial killers either use their own skill or hire those lacking a moral compass to help aid in their sexual predatory behaviors. Child pornographers and human traffickers also fit into this category, or they may be merely exploiting the sexual impulses of others for profit.
“I can tell you that there are people out there who just want to do harm and cause chaos. I saw some really messed up shit and decided I didn’t want to be part of it,” said Derek, who witnessed hitmen for hire, human trafficking, and bioengineering attack schemes while conducting research. “There are guys and girls out there who are ready to break people. They turn a human being’s psyche into a math problem and then subsequently solve the problem.”
Sometimes, a bad apple is just a bad apple.
What would make a cybercriminal reform?
Armed with the knowledge of what drives a cybercriminal to do what he does, we ask the question: How can we get black hats to turn into white hats? The answer shouldn’t surprise you: It’s likely the same things that made them hack in the first place. Of course, there are those that are psychopathic by nature—generally one in 100 people—and they just want to wreck the place. But others could be swayed by the following:
Money: Pay a cybercriminal well enough to work as a malware analyst, and they won’t be able to justify to the IRS where all this extra cash from cybercriminal side jobs is coming from. If you tip the balance of the risk/reward ratio, you can court many of those whose motivations are financial to the side of the light.
According to Payscale.com, the median salary of an ethical hacker is around $72,000 a year and consultants can expect to be paid $15,000 to $45,000 per assignment. However, as discovered by the recent Osterman report, medium-sized companies aren’t offering their security teams enough money right now. Salaries and retention numbers lag because their starting salaries average only $3,000 more than small companies, but $17,000 less than enterprises. In fact, the Osterman survey found that nearly 60 percent of security pros think that black hats make more money than security professionals.
How can companies fix the imbalance? Malwarebytes’ CEO Marcin Kleczynski said, “We need to up-level the need for proper security financing to the executive and board level discussions. This also means properly recognizing and rewarding the best and brightest security pros.”
Challenge: While money is a major factor for attracting cybercriminals to white hat positions, providing them with interesting and challenging work, and surrounding them with other talented researchers can keep them there.
“What really made me turn the corner was when a select group of people in the company who were known as the smartest took notice of me and the abilities I had shown, and invited me to mess around with a target,” said Derek, whose white hat work includes actively searching out criminal activity to stymie. “Being in the white hat community, I was exposed to many more skilled people. It was really good for me because it pushed me to learn so much more.”
Adrian Lamo, Kevin Mitnick, and Kevin Lee Poulsen: three former black hatters who reformed. Photographer: Matthew Griffiths
Age: Many simply grow out of this behavior. There’s a reason why security is on average older than any other IT field: It’s mostly composed of those who’ve seen the error of their ways or are looking for more stability.
“The ones that seem to think that cybercrime is victimless tend to be very young—generally, under 25, which is when the good judgement part of the brain finishes forming,” said Tsing. “You don’t see the consequences in front of you, therefore there aren’t any. Eventually, a huge amount of these guys age out of the profile and start acting like humans.”
In addition, the longer they go, the more skilled they become. The more skilled they become, the deeper waters in which they wade. Eventually, those whose consciences are alive and well will find themselves in uncomfortable positions. They’ve seen too much.
“In the wrong hands, these skills can be used to do some seriously scary shit,” said Derek. “I met a guy who had hypothesized targeting a primate gene that would effectively reset the world clock. One guy, through this tech, had the capability of watching the world burn, if he so chose…I like to think that at my core, I make the right decisions. I’m comfortable with me having the knowledge, but I know there are people out there who have a very different moral compass.”
Flipping the system: A paradigm shift in education might be one of the most difficult changes to achieve, but it also could help thwart teens with technical capability from participating on the fringes of society in the first place. Give your outside-the-box thinkers the platform to use their skills in a positive way, and they won’t be so tempted to go after the low-hanging, unscrupulous fruit.
Educational reform has been hard pressed to include 21st century learning initiatives, at least in the US, where many public schools in the K–12 system use barely-functioning tech—a single, shared iPad on a decrepit, crumbling network—and avoid topics such as digital citizenship and literacy in favor of standardized testing. For the kids already hacking video games, their classroom experience is, in Tsing’s words, “stifling and borderline traumatic.”
“At 19, I was going to community college and thought it was a joke. College was to show that you could complete a project start to finish and to build a network of people,” said Derek. “I had already learned to do that in high school with my enterprising.”
In addition, if the US government could get over their aversion to hiring former cybercriminals, there’d be a place for many more skilled individuals to do some good, especially as cybersecurity continues to be a concern surrounding our elections and infrastructure.
There’s a razor thin line separating the white hats from the black. Cybercriminals are equally passionate and skilled at what they do, but the lens through which the view the world may be blurred by socio-economic circumstances or psychological hang-ups. There are those that may be beyond hope, but there are also those who are simply too young or too insecure to work a system that feels like it’s set up to watch them fail.
Give them an off-ramp from the treadmill and hand them the tools sooner for doing some good online. Then we just might be able to hold out hope that we can, in fact, make the Internet a safer place to be, without having to clutch our passwords tight.
*Names have been changed to protect the anonymity of the cybercriminals interviewed for this piece.