Cyber criminals earn up to $2 million a year
Academic study reveals just how lucrative cyber crime can be, with top-level cyber criminals out-earning government leaders and university graduates.
Cyber criminals are acquiring, laundering, spending and reinvesting about $1.5tn in profits a year, research has revealed.
The highest-earning cyber criminals are making up to $2m (£1.4m) a year, almost as much as a FTSE250 CEO, according to a study commissioned by virtualisation-based security firm Bromium.
Mid-level cyber criminals make up to $900,000 (£639,000), which is more than double the US president's salary, while entry-level cyber criminals make about $42,000 (£30,000), which is significantly more than the average UK graduate, the research noted.
The findings on how much cyber criminals earn from their illegal activities and what they spend their profits on are part of an 11-month study into the macroeconomics of cyber crime and how the various elements link together. It has been led by Michael McGuire, senior lecturer in criminology at Surrey University.
The use of ransomware, crime-as-a-service, data theft, illicit online marketplaces and trade secret/IP theft are helping cyber criminals generate huge revenues with relative ease, the report said.
The research also revealed that there are large organisations in the burgeoning cyber crime economy that closely match the structures and business plans of companies such as Uber, AirBnB, Facebook, Twitter and WhatsApp.
These platform owners are acting more like service providers than criminals, leading to a shift from those who commit crime to those who enable and profit from it, the report said.
"Cyber crime is a lucrative business, with relatively low risks compared to other forms of crime," said Bromium CIO Gregory Webb.
"Cyber criminals are rarely caught and convicted because they are virtually invisible. As criminals further monetise their business, allowing anyone to buy pre-packaged malware or hire hackers on demand, the ability to catch the kingpins becomes even more challenging."
According to Webb, the cyber security industry, business and law enforcement agencies need to come together to disrupt cyber criminals and cut off their revenue streams. "By focusing on new methods of cyber security that protect rather than detect, we believe we can make cyber crime a lot harder," he said.
Data gathered by the research team through first-hand interviews with 100 convicted or currently engaged cyber criminals, law enforcement agencies and financial institutions, combined with dark web investigations, reveals that 15% of cyber criminals spend most of their money on immediate needs, such as paying bills.
One-fifth of cyber criminals focus their spending on drugs and prostitution, 15% spend to attain status or impress, but 30% convert some of their revenue into investments. Some 20% spend at least some of their revenue on reinvestments in further criminal activities, such as buying IT equipment.
The proceeds of cyber crime fuel other crimes, such as terrorism and human trafficking, the report said, much like a legitimate business reinvests profits to expand while also contributing towards core philanthropic values.
The research showed that cyber criminals are reinvesting their money to grow their own business, but also to promote other types of crime. Terrorism, human trafficking, drugs manufacturing and firearms trading have all been beneficiaries of cyber crime.
The report noted there is a growing market catering to cyber criminals by allowing them to buy things with virtual currency. Sites such as White Company, Bitcoin Real Estate and de Louvois offer luxury products priced in bitcoin, which is becoming a concern for financial analysts, the report said.
"The range of spending habits among cyber criminals is fascinating," said McGuire, who will present the full findings of the Web of profit study at the RSA Conference in San Francisco from 17-19 April.
"A lot of cyber criminals spend their money on increasing their status, whether that be with peers or romantic interests."
"One individual in the UK, who made around $1.7m (£1.2m) per year, spent huge amounts of money on a trip to Las Vegas, where he claimed to have gambled $40,000 and spent $6,000 hiring sports cars so that they could 'arrive in style' at casinos and hotels."
"Another UK cyber criminal funnelled his proceeds into gold, drugs, expensive watches and spent £2,000 a week on prostitutes. It's alarming how easily cyber criminals are able to spend their illicit gains. There is an ever-growing market that is almost tailor-made for cyber criminals to make these ostentatious purchases with little to no regulation or oversight."
Other, previously released findings from the report revealed that cyber criminals are using a combination of new cryptocurrencies, gaming currencies and micro-payments to launder up to $200bn in ill-gotten gains.
According to McGuire, the report's aim is to examine revenues to gain a true picture of cyber crime, to help the cyber security industry and law enforcement identify opportunities to disrupt cyber criminal revenues and prevent social harm.
Published in Computer Weekly.