The threat of cybercrime in the European Union (EU) has increased. Cybercrime has become big business and a whole illicit economy of service providers and recruiters has been created to support it. This makes it increasingly difficult for law enforcement authorities to investigate cyberattacks, as many specialised criminals from all corners of the globe operate on this large criminal network. Cybercriminals continue to demonstrate high adaptability to new technologies, while constantly improving their specialisations.

On 17 July 2023, Europol published its ninth Internet Organised Crime Threat Assessment (IOCTA), which looks at the online crime ecosystem and analyses its courses of action, perpatrators and victims. IOCTA presents its main findings on the different types of cybercrime typologies, namely cyberattacks, online fraud schemes and online child sexual exploitation.

Cybercriminal services are intertwined

The published assessment addresses the challenges of investigating cyberattacks. Cybercrime consists of several stages, from the initial intrusion to data exfiltration and exploitation, which makes it difficult to investigate. These crimes often involve multiple actors cooperating through crime as a service. Cybercrime services are readily available on the black market. The services offered for cybercrime are often interconnected and their effectiveness in achieving the criminal objective is often facilitated by the cooperation of illicit service providers. Services such as initial access brokers and dropper-services are essential for cyberattacks and online fraud schemes. Malware developers and fraudsters rely on dropper and phishing services to reach their victims and use botnets for distribution. Cloaking techniques and antivirus services are used to hide malicious intent and circumvent antivirus software. Criminals also use Virtual Private Networks (VPNs) to mask their identities and criminal activities. VPN service providers for criminals offer full encryption and do not cooperate with law enforcement authorities, thus providing criminals with complete anonymity. Some internet service providers used by criminals do not monitor their customers closely, making it difficult to identify suspects.

Similar techniques for different goals

Criminals use a variety of methods to gain access to victims’ systems, such as phishing emails, malicious document files and social engineering techniques. Phishing, which involves deceiving individuals into revealing personal information, has become both more widespread and more complicated. Phishing can also take different forms, such as smishing and vishing. Phishing is the main means of access for online fraud schemes and malware-based attacks. Phishing emails containing malware, Remote Desktop Protocol (RDP) brute forcing, and VPN vulnerability exploitation are the most common intrusion tactics used by cybercriminals. Legitimate software and tools are also frequently misused to penetrate victims’ networks. Criminals involved in child sexual exploitation and online fraud schemes commonly use social media to interact with victims under false identities. Online fraudsters impersonate legitimate businesses, institutions, non-governmental organisations and individuals to solicit money transfers or obtain access to victims’ sensitive information. Charity scammers exploit crisis situations such as the COVID-19 pandemic and the Russian invasion of Ukraine to deceive donors and legitimate charities.

The central commodity is stolen data

The illegal economy is based on stolen data obtained through cyberattacks. Stolen credentials and victim data obtained by hacking various databases are in high demand. Stolen data is used in various criminal activities, including espionage, extortion, and to obtain various benefits. Child sexual exploitation offenders groom victims in order to obtain sensitive information that can be then exploited for extortion purposes. The type of stolen data available on the black market has expanded to include multiple datapoints from multiple maliciously infected devices. Payment system fraud often leads to the theft of personal information, which can further result in stolen identities and further online fraud schemes. The quick development of an extensive data-trading ecosystem has increased the threat of account takeover (ATO). Targeted accounts (such as online banking, email accounts or social media profiles) are valuable to criminals as they can hold funds, can provide access to specific services, or contain important private information that can be sold online. ATO is also carried out in order to either directly access the victim’s account or to harvest data to be traded further. Nowadays, ATO is considered quite an easy technique to implement, and it is sold as a service on cybercrime forums for a very low price.

Same victims, multiple offences

Cybercrime is often interlinked, presenting a concatenated set of criminal actions that often results in the same victim being targeted multiple times. The assessment highlights specific examples of child sexual exploitation, malware attacks and online fraud schemes. Criminals often use stolen information to repeatedly attack the same individuals, for example, by posing as lawyers or law enforcement agents and offering help to retrieve their funds in exchange for a fee. Compromised organisations may face multiple cyberattacks, as the same compromised credentials can be used by different cybercriminals. Victims of child sexual abuse suffer repeated abuse both online and offline, and offenders often encourage the same victim to be exploited repeatedly. The child sexual abuse material (CSAM) produced by offenders is in fact shared at many levels, from closed communities of trusted perpetrators to large communities on online forums. The receivers of this imagery in most cases share it further, resulting in the same material being encountered by investigators over many years and the same victim being impacted.

Underground communities for educating and recruiting cybercriminals

Dark-web forums serve as important platforms for cybercriminals to communicate, share knowledge, recruit new members and trade illegal services. Criminal hacking forums are flourishing, offering a variety of criminal services, including VPNs and initial access brokers. Dark-web forums can also provide valuable information on conducting crime and offer training on illegal activities such as fraud, money laundering and phishing. However, success by law enforcement authorities has led to instability on the dark web, causing some illegal traders to cease operations.

What happens with criminal profits?

Cybercriminals use different methods to launder their ill-gotten gains, depending on the amount and type of gain. They use their own money laundering capabilities, including money mules, straw men and crypto mixers, or work with professional money launderers. Cybercriminals launder their profits through accounts in several different countries. Money mules play an important role in this process, allowing criminals to quickly transfer funds from different accounts and countries. Money mules are sometimes recruited on criminal forums or social media. Money laundering networks are large and operate on a global scale, making their money laundering schemes more difficult to trace. However, law enforcement has successfully unveiled criminal networks providing professional money-laundering services.

Ransomware groups receive cryptocurrency payments from victims directly to their dedicated wallet. From there funds are usually funnelled through a mixer and distributed automatically between the administrators, the affiliates carrying out the attack, and the service providers. The split of the profits received by the affiliate is based on their rank, which is determined by the success rate of their attacks and the criminal profits generated. Cybercriminals involved in cyberattacks and related services, as well as those trading and administering dark-web marketplaces, carry out their financial transactions almost exclusively in cryptocurrencies.

For a better understanding of this article, we would like to draw your attention to these explanations of some of the terms used in the article:

  • Account takeover (ATO) – the act of illegally accessing a victim’s online account.
  • Affiliates – cybercriminals who carry out ransomware attacks using ransomware-as-a-service platforms (affiliate programs) that are run by criminal groups. Affiliates are able to use the tools on the platform in exchange for a percentage of their criminal proceeds earned through it.
  • Botnet – a network of computers or internet-connected devices that are infected with malware granting someone illegal control over them.
  • Droppers – programmes designed to deliver malicious software to a device. They usually do not have malicious functions themselves and are designed to evade and de-activate the system’s security features (e.g. antivirus, endpoint detection) before installing malware and other malicious tools (i.e. payloads).
  • Phishing – the act of deceiving a person in order to steal their money or personal information. Phishing is most commonly done through fraudulent emails or websites.
  • Smishing – a form of phishing using text messages or common messaging apps.
  • Vishing – a form of phishing using voice calls and voicemails.


The Europol press release is available here. The Internet Organised Crime Threat Asessment (IOCTA) is available here.