Crime as a service or e-shops with cybercrime 

Crime as a service or e-shops with cybercrime

The importance of modern technologies in our lives is truly enormous today. Everyone has found a way to adapt to the changes that technology brings to our lives - but so have criminals. As technology advances, so do the ways in which various illegal activities can be carried out. A typical example is "crime as a service".  

And how does (cyber)crime as a service work?  

The concept of crime as a service is nothing new, but it has only experienced real growth in recent years. Along with the rise of, for example, the Dark Web or cryptocurrencies, it is possible to sell and buy services, knowledge, programs or other necessary tools completely anonymously, which are later mainly used to commit "cybercrimes". Thanks to these technologies, it is relatively easy to offer all kinds of services, from ordering custom-made malware to buying back already stolen data, so that the perpetrator is practically undetectable to the investigating authorities.  

Thanks to this, the number of criminals who have advanced technology, functional programs or the experience of their colleagues is increasing. Plus, it's all very cheap. A ten-minute DDoS attack costs about $5, a 24-hour DDoS attack costs about $500. But that is far from all. For example, DarkWeb offers a service that consists of "absolute digital removal of the targeted person" (removal of social media content, bank and e-commerce accounts) for between $1,500 and $2,0001. Everything paid in Bitcoin or with the help of other cryptocurrencies, i.e. almost untraceable. 

The most famous example of such a mockup was the AlphaBay network. It was publicly launched in 2014, special anonymizing software "Tor" was required to access it, payment could only be made in cryptocurrencies. In 2017, it had over 400,000 users. The site became infamous for selling stolen data and accounts of Uber users. These bills were then sold at a price of one dollar2. In August 2017, AlphaBay was revealed as a possible location where one of the perpetrators of the 2017 Jewish Community Center bomb threats may have been selling a "School Email Bomb Threat Service" - American Michael Kadar was offering fake phone calls warning of a hidden bomb to schools and other public device. In total, he made 2,000 threats in this way3 and was sentenced to ten years in prison. AlphaBay was shut down in June 2017 after its founder, Canadian Alexandre Cazes, was discovered and arrested4.  

From the above examples it is clear that the existence of such sites cannot be dismissed as minor or unimportant. The police and other branches of state power naturally have to keep up with the technological shift. For example, the British NCA (National Crime Agency) infiltrated this illegal market by creating a fake site where DDoS attacks were offered. But visitors to the site were unpleasantly surprised when they opened it to learn that it was a government-run site that collected their data, on the basis of which they would be contacted by police authorities. After the operation ended, the NCA claimed that several thousand users visited the site during its existence5. This fake site (and not only it) are part of Operation "PowerOff", a coordinated international effort to crack down on sites that offer DDoS attacks for a fee. 

But this is not the first case of using this method. In June 2021, the US FBI, in collaboration with the Australian Federal Police (AFP), revealed that they had operated the encrypted chat service ANoM for nearly three years, which intercepted over 27 million messages exchanged between members of criminal gangs around the world.6 

"Crime as a service" is nothing new on the market, and yet (or maybe because of it) it's being combated. Even so, there is a permanent interest in it. And who knows how much this "industry" will grow due to the advancement of publicly available AI, for example? It can therefore be said with almost certainty that cyber security will become more and more important - not only at the corporate level, but also in the personal lives of all of us. 

More articles

Plans such as BCP, DRP, or risk management plans ensure cybersecurity and help maintain business continuity. What should they include?
Listen to the podcast with Katka Hůtová, who will guide you through the upcoming changes according to the new cybersecurity law.
Crisis communication during a cyber-attack should be swift, transparent and consistent to minimize damage and maintain the trust of all stakeholders. How to do it?

Newsletter

Do you want to be sure that your company is protected from cyber threats and at the same time comply with the applicable legislation? Sign up for the newsletter and get practical advice from our legal consultants.

By clicking submit, you consent to the processing of your personal data for marketing purposes.