Who run the organized cybercriminal groups, and how?


The structural composition and complexity of cybercriminal groups vary. They range from hierarchical structures to transient, fluid, lateral, loosely affiliated, and decentralized networks, all of which have some form of centralization, division of labor, and identifiable leaders.

In some cases, the structure and organization of the groups are linked to the online site on which they operate rather than to people. It has been observed on both the clearnet (i.e., the visible web) and the darknet on illicit online market sites.

To regulate and control their provision of illicit goods and services, cybercriminal organizations use online forums and platforms. Other cybercriminal gangs also have service-delivery structures (i.e., they offer crime as a service).

These organizations, in particular, use structure and procedures to protect members’ anonymity and avoid law enforcement attention by employing operational security measures to conceal their identities and activities.

Cyber organized criminal groups operate as legitimate enterprises with employees hired in various roles, such as technical and other support personnel, marketing personnel, and “employees” in charge of the receipt and distribution of payments to other members; in addition, they have rules and codes of conduct that govern members’ behavior. When a specialized skill or ability is needed, these groups hire others to complete the tasks.

The roles within a cybercriminal group vary depending on the cybercrime committed and any offline activities involved in the execution of the tasks associated with the illicit acts and/or the achievement of the group’s objectives.

The structure and roles of individuals within organized cybercriminal groups:

  • Coders: These are the people in charge of creating malware, exploits (programs or pieces of code designed to find and exploit security flaws or vulnerabilities in an application or computer system), and other cybercrime tools (e.g., they can build custom exploits for a fee).
  • Hackers: These people are in charge of finding and exploiting flaws in systems, networks, and applications.
  • Technical support: These individuals provide technical assistance to the group’s operations, including infrastructure and technology maintenance.
  • Hosts: They host illicit activities on servers or offline physical locations.
  • Administrators: Administrators are in charge of the enterprise’s long-term strategic planning and day-to-day management tasks like determining all members’ responsibilities and levels of access, vetting prospective members, deciding which individuals could join the organization, and rewarding and punishing existing members.
  • Supermoderators: “Supermoderators” are in charge of content moderation, which includes reviewing contraband for sale, editing and deleting posts based on reviews, and resolving disputes between buyers and sellers.
  • Moderators: Moderators have the same content-moderation responsibilities as “supermoderators,” but less authority and privileges.
  • VIP members: VIP members are longstanding, distinguished platform members.
  • Members: These are general members of the forum.
  • Vendors: Vendors are individuals who sold and/or advertised illicit goods and services on the site.

Members or associates of organized cybercriminal groups can also serve as specialists. These individuals specialize in a specific cybercrime or other crime and a cybercrime tactic or method. An example of a specialist is an individual who creates “crypters,” software tools that encrypt malware so that it can evade detection by antivirus programmes on devices.

Furthermore, organized criminal groups may employ “cashers,” who convert illicit goods into cash, steal money from targets and distribute it to group members, or otherwise make the proceeds of the group’s illegal activities available. The “cashers,” also known as “runners” or “strikers,” can be used to withdraw or transfer money online or in person, such as at a bank. Furthermore, these organizations may use “money mules” to launder the proceeds of their cybercrime by obtaining and transferring money illegally upon request and payment.

Some roles within organized cybercriminal groups are temporary, and people in these roles only stay in the group until they’ve accomplished their goal. A specialist hired by an organized criminal group to create malware for later distribution is an example of a person in a temporary role.

Furthermore, not all group members are valued equally or regarded as important. Members of certain online illicit forums are ranked, and VIP status is granted to elite group members in some cases. Additionally, some members of the group may be viewed as disposable. For example, “money mules” who are approached online and asked to open bank accounts (or use their existing accounts) and receive money from others (or to mail or physically move packages by receiving them and forwarding, sending, or taking them to their destination) are frequently viewed as expendable by the group (especially if they unwittingly participate in this activity).