
Original version in Spanish published in El País on 22 April 2025 [https://elpais.com/tecnologia/2025-04-22/ladrones-de-datos-online-asi-funciona-el-gran-bazar-del-cibercrimen.html] by the journalist Pablo G. Bejerano [https://elpais.com/autor/pablo-garcia-bejerano/]
Developers of malicious software, sophisticated attack tools and data thieves all offer their products in dedicated marketplaces or forums. The online crime ecosystem is becoming increasingly complex.
Gone is the almost romantic image of the lone hacker breaking into the systems of a large corporation through programming genius and sleepless nights. Today’s cybercrime landscape is much more pragmatic and resembles the operation of any other business. One of the latest trends in the world of digital crime is cybercrime as a service (CaaS). Its name derives from the term SaaS (software as a service), popular in the business world to indicate the provision of an online service. Except that in this case, the service is provided through malicious software or stolen data.
Constantinos Patsakis, a cybersecurity researcher at the Athena Research Centre (Greece), says that much of this activity takes place on the deep web (content not indexed by search engines) and the dark web (the part accessible only through tools such as Tor). ‘You can find forums or services that sell credentials, people who sell services related to money laundering, or the sale of malware. For example, some sell the source code or the builder (which facilitates the creation of complex objects in programming) to create ransomware as a service,’ he notes.
‘People buy it and infect other devices,’ says Patsakis, who coordinates the European SafeHorizon project. This initiative involves collaboration between CSIC staff and various research centres, both private and public, in several EU countries. It aims to increase the region’s resilience to cyberattacks, with a particular focus on CaaS. ‘We try to understand the modus operandi of cybercriminals, collect data, and make correlations. We try to understand how reverse-engineered malware works, what it does, and where it sends the stolen data,’ explains the Greek researcher. Close collaboration with the authorities is key. That is why law enforcement agencies such as the police forces of Finland, Poland, and Moldova are participating in the project.
There is a whole market, with its producers (of malicious software) and intermediaries. There are trading platforms and other distribution channels offering a wide range of products. Malware, vulnerabilities, network access and all kinds of stolen data are offered, like in a large cybercrime bazaar. The concept of cybercrime as a service encompasses the more specific MaaS (malware as a service) or RaaS (ransomware as a service).
‘It’s about transposing the concept of any popular software, such as Microsoft Office, to software that, instead of text editing, executes malware,’ says Marc Almeida [https://cibernicola.es/], a cybersecurity researcher working at CIRMA, a project associated with SafeHorizon. ‘If they can acquire the technical engine, the most complex part, technically speaking, is removed from the equation. Their job is reduced to executing the deception, so that someone makes the famous click on a link or downloads a file, or buys or acquires access to company networks through vulnerabilities.’
This scheme is spreading rapidly. An annual report by British cybersecurity company Darktrace estimates that MaaS is already responsible for 57% of cyberattacks on businesses and institutions, according to the specialist publication Cyber Magazine. The increase in recent months has been sharp. In mid-2024, these attacks still accounted for 40%.
‘It costs them much less than it would have cost them to do it from scratch,’ Almeida insists. ‘Otherwise, they would have had to program the malicious software, find the vulnerabilities and hide, which they also have to do so they don’t get caught.’ Malware development is usually carried out by small groups with technical knowledge, including groups sponsored by states. Sometimes they are individuals working alone. And the main motivation is profit, although there are also motives linked to geostrategy.
These malicious programmes are distributed through markets and forums on the dark web, but also through well-known services such as Telegram or Discord. ‘Sometimes you have independent sellers, such as a small hacker who has created a specific tool to steal specific information,’ explains Patsakis. ‘There are also cases where someone has access to confidential data from an organisation, for example, and simply writes on a forum, “Hi guys, I have information about company X” and asks interested parties to send him a message or send bitcoins to a virtual wallet to buy it.’
Stolen data is another star product in the CaaS arena. A cybercriminal organisation uses a programme to steal information, which it then sells to anyone willing to pay the price. They convince a large number of users to install an infostealer (a Trojan horse), which monitors what you type on your keyboard or the websites you visit. ‘They can conclude that you have logged into a certain platform and used certain credentials,’ says Patsakis.
Once the information has been harvested, the group sends it to its own central infrastructure. ‘Sometimes they have staff dedicated to evaluating the stolen information. This means that if they have data from 10,000 users, not all of this user data has the same value,’ emphasises the SafeHorizon coordinator. ‘In some cases, they will be high-profile users or high-profile bank accounts, which are worth more. Or they may have credit cards that cannot be used.’ The cybercriminal group classifies all stolen data as a fruit distributor would. Each piece of information has its market value.
Cybercriminals operating as businesses
The groups that make up this cybercrime ecosystem seek efficiency in their ‘business.’ To do so, they adopt commercial strategies that we are accustomed to seeing in the legitimate digital world. Malware is sold directly, but there are also subscription models that provide access to a catalogue of attack tools that is updated periodically.
Sometimes, the buyer can modify certain parameters of the malware to suit their objectives. It’s the same idea as when a company adapts third-party software to its needs. Almeida notes that sellers offer different commercial packages: ‘It’s like a company. If you want, you can buy just the executable or also the Command & Control server, from where you can control how the malicious programs are executed, and even check if updates are needed. It’s what you see on the legitimate side of software, but transferred to malware.’
And who can buy these malicious products derived from CaaS? Almeida is categorical: ‘Potentially anyone,’ emphasises the cybersecurity researcher. ‘The most cumbersome, technical part is simplified. As a result, the entry curve for these activities tends towards zero. Before, this type of software required development; it wasn’t just a matter of pressing a button. Now you can eliminate that from the equation.’ As with any growing economic activity, cybercrime has discovered the division of labour.
DISCLAIMER: The following article was written by Pablo G. Bejerano (https://elpais.com/autor/pablo-garcia-bejerano/), who CSIC invited to attend the SafeHorizon Consortium Meeting organised by CSIC on 27/04/2025 in Madrid. Translation made with the support of DeepL.com


