Cybercriminal groups – Swarms vs. Hubs


There are plenty of cybercriminal groups worldwide who collaborate on certain illicit activities and operations and commit cybercrimes predominantly or fully online, using tools such as the clearnet (or the surface web), social media platforms, the darknet, licit online marketplaces, secure communications platforms, online payment services, and digital currencies.

Certain groups are structured and organized. They exhibit behaviors similar to those of traditional organized criminal groups – particularly the use of their structure and special procedures designed to preserve the anonymity of their members and evade detection by law enforcement agencies.

Such groups are increasingly seeking to cooperate with cybercriminals who have the critical and essential skills that these groups can use or need to execute certain operations. These individuals can be coders (responsible for developing malicious software (malware), exploits, and other tools used to commit cybercrime) and hackers (responsible for exploiting the vulnerabilities of systems, networks, and applications).

Swarms and hubs are two types of groups that primarily operate online and commit cybercrimes.

1. Swarms

A swarm is defined as a group of people who come together for a short time to perform specific tasks to commit a cybercrime. Some, most, or all individuals may go their separate ways once they complete their assigned task or objectives and/or succeed in committing the cybercrime as a collective. The temporary group that has been formed may disband. This disbanding does not preclude any individuals from joining another swarm in the future to engage in a similar or different cybercrime, with some or all of the same individuals or with others.

Swarms are decentralized networks typically (but not always) composed of ephemeral clusters of individuals with a common goal and minimal command chains. One of the most common goals of a swarm is to commit a cybercrime for ideological reasons, and most people who join swarms do so for that reason.

Anonymous, a “hacktivist” group, is an example of a swarm’s composition. While Anonymous does not have a declared leader, the group does have some leadership in that group members take the lead in organizing, planning, and ultimately making cybercrime decisions. In most jurisdictions, swarms are not considered organized criminal groups if they do not engage in cybercrime for monetary gain.

2. Hubs

A hub is a criminal organization with a core group of criminals surrounded by peripheral criminal associates. A hub is more structured than a swarm; it has a discernible command structure. The activities of hubs are usually profit-driven. Phishing, sexual offending, and malware operations are some of the criminal activities associated with this organizational structure (worms, viruses, scareware, etc.).

Dreamboard, a criminal enterprise that consisted of an online bulletin board that only advertised and distributed child sexual abuse material to its members, is an example of a hub. Prospective members had to provide evidence of child sexual abuse to join Dreamboard. Members of Dreamboard had to provide child sexual abuse material regularly, or their access to the bulletin board would be revoked. If a member went 50 days without posting child sexual abuse material, their access was revoked.

Members of the Dreamboard had to follow the rules in four different languages (English, Japanese, Russian, and Spanish). One of the rules was that all of the images on the site had to be of girls aged 12 and below. Dreamboard’s administrator divided the board’s members into groups. SuperVIP members were trusted individuals who created and advertised their own child sexual abuse material. Members of the SuperVIP group had more access to child sexual abuse material than other members.

Members of the VIP group and others had more limited access to child sexual abuse materials. They needed to produce child sexual abuse material and make it available to other members, post more child sexual abuse material advertisements or post advertisements for child sexual abuse material that other members did not already have in their possession to advance to a higher group level. A few Dreamboard members were sentenced to life in prison for their crimes.