Corvus
Landscape Topic · 928fab1d

Cybercrime

Criminal activity conducted using digital devices or networks — encompassing data theft, ransomware, financial fraud, illegal marketplaces, and state-sponsored offensive operations against private and public targets.

In scope: financially motivated cyber-enabled crime (ransomware, BEC, phishing fraud, darknet trading, crypto-theft) and the increasingly porous boundary with state-sponsored cyber operations from China, Russia, Iran and North Korea. Out of scope: pure cyber-espionage with no financial component; defensive cybersecurity industry economics; physical organized crime that does not use digital infrastructure.

Completed
2026-06-15 00:00 UTC

Bottom Line Up Front

Cybercrime is a global, industrialised criminal market that inflicted roughly US$20.9 billion in directly reported US losses in 2025 (FBI IC3) and an estimated US$1.2-10.5 trillion in worldwide impact, depending on methodology. The dominant structural feature of the 2020s is commoditisation: ransomware-as-a-service operators, initial-access brokers, malware-as-a-service droppers and crypto launderers now operate as specialised vendors trading with each other. Coordinated multi-national takedowns since late 2023 (ALPHV, LockBit, Operation Endgame) cut total on-chain ransom payments by roughly 35% year-over-year in 2024 (Chainalysis: US$1.25 billion to US$812.55 million), but the ecosystem has responded by decentralising and concentrating on higher-value targets rather than collapsing.

§ 01

What it is

Cybercrime is criminal activity carried out through digital devices and networks — historically defined as 'a crime committed on a computer network, especially the Internet.' Its boundary-defining categories include (1) ransomware and extortion (data encryption + leak threats, run as a service economy), (2) fraud and social engineering (phishing, business-email-compromise, romance scams, AI-enabled voice/video deepfakes), (3) identity theft and credential trading (infostealer logs, COMB-style credential aggregates, sold via darknet markets), (4) financial cybercrime against banks and crypto exchanges (heists, money laundering, mixers), (5) marketplace operations on Tor and I2P (Hydra, AlphaBay-class), and (6) state-sponsored offensive operations that increasingly overlap with criminal activity (DPRK's Lazarus Group runs both espionage and the world's largest crypto heists). What separates 'cybercrime' from adjacent fields is the financial-criminal motivation: pure espionage, hacktivism and influence operations sit outside the term as we use it here, though they share infrastructure and personnel.

§ 02

Who operates in it

The cybercrime ecosystem has three concentric rings. The innermost ring is the criminal supply side: specialised vendors who do not themselves carry out attacks but sell capability, namely ransomware developers (LockBit, Conti/Wizard Spider, REvil, BlackCat/ALPHV), initial-access brokers (corporate-VPN credentials, RDP, web shells), malware-as-a-service droppers (IcedID, SystemBC, Trickbot, Bumblebee, all targeted by Operation Endgame), and crypto-mixer/launderer services. The middle ring is the affiliate / operator layer: small teams (Scattered Spider / UNC3944 is archetypal) and state-sponsored units (Lazarus and APT41 most clearly; Russian services such as APT28 overlap with the criminal economy mainly through shared infrastructure and tooling) who license inner-ring capability and conduct the intrusions. The outermost ring is the marketplace and forum layer that connects supply to demand: darknet markets (Hydra until 2022, AlphaBay, post-Hydra Russian-speaking forums) plus Telegram channels and infostealer-log markets. Opposite this stack sits the defender ecosystem: national/regional law enforcement (FBI Cyber Division and IC3, CISA, UK NCA, Europol's European Cybercrime Centre / EC3), supranational intelligence-sharing (ENISA's Threat Landscape, Interpol), and commercial threat intelligence (Chainalysis on the financial trail, Mandiant/Microsoft/CrowdStrike on tradecraft, urlscan.io / Spamhaus / abuse.ch on infrastructure). The defining 2024-2025 inflection is the rise of coordinated multi-agency operations (Operation Cronos against LockBit, Operation Endgame against droppers, the ALPHV seizure) that for the first time have measurably bent the criminal economics, even as state-sponsored crypto theft (Bybit, US$1.5B, Lazarus) set a new single-incident record.

§ 03

How it works

The dominant operating model is a three-stage value chain. Stage 1 — Access: initial-access brokers compromise corporate networks via phishing, infostealer logs sold from darknet markets, exploitation of internet-edge devices (VPNs, firewalls, file-transfer appliances — the CISA KEV catalog tracks the live exploit pipeline; Ivanti products alone account for 35 entries with multiple ransomware-linked CVEs), or social engineering of IT help desks (the Scattered Spider playbook against MGM and Caesars). Brokers sell that access on Russian-language forums. Stage 2 — Action on objective: affiliates of a RaaS brand (LockBit, BlackCat, Conti) buy the access, deploy commodity droppers (IcedID, SystemBC, Bumblebee, Trickbot — the Operation Endgame targets), exfiltrate data, then encrypt and post the victim to a public 'leak blog' as a double-extortion lever. Stage 3 — Monetisation: ransoms (typically Bitcoin or Monero) flow through mixers, no-KYC exchanges, and over-the-counter brokers; Chainalysis tracks the on-chain trail, providing the principal commercial measurement of the ecosystem. Defender-side disruption operates symmetrically across all three stages — Operation Endgame targets droppers (Stage 1), Cronos and the ALPHV seizure targeted RaaS infrastructure (Stage 2), OFAC sanctions and Chainalysis-led tracing target monetisation (Stage 3). The fraud side (BEC, romance scams, deepfake-CEO calls) bypasses this chain entirely, transacting through wire fraud and ACH — IC3 reports note 86% of BEC funds move by wire or ACH and are usually unrecoverable.
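
A worked check for the Access stage, added here as an example and not part of the original report: the script below parses the CISA KEV JSON feed, joins it against a list of the internet-edge products an organisation actually runs, and ranks the hits ransomware-linked first and then by remediation due date. It also computes the per-vendor total and ransomware-linked counts of the kind the chronology entry for the KEV catalog cites. The field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse and so on) follow CISA's published feed schema; the five-entry feed, the inventory, the vendor names and the fixed "today" date are constructed for the example.

```python
"""Triage the CISA Known Exploited Vulnerabilities (KEV) feed against an asset inventory.

Constructed example for this report. The feed schema (top-level title / catalogVersion /
dateReleased / count / vulnerabilities; per entry cveID, vendorProject, product,
vulnerabilityName, dateAdded, requiredAction, dueDate, knownRansomwareCampaignUse,
notes, cwes) is CISA's published JSON schema. The live feed lives at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json ;
SAMPLE_KEV_JSON below is a constructed five-entry stand-in so the script runs offline.
"""
import json
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed sample feed: fictional vendors/products, real field names and value formats.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2025.06.01",
  "dateReleased": "2025-06-01T12:00:00.0000Z",
  "count": 5,
  "vulnerabilities": [
    {"cveID": "CVE-2025-00001", "vendorProject": "ExampleNet", "product": "Edge VPN Gateway",
     "vulnerabilityName": "ExampleNet Edge VPN Gateway Authentication Bypass", "dateAdded": "2025-01-10",
     "requiredAction": "Apply mitigations per vendor instructions.", "dueDate": "2025-01-31",
     "knownRansomwareCampaignUse": "Known", "notes": "", "cwes": ["CWE-287"]},
    {"cveID": "CVE-2025-00002", "vendorProject": "ExampleNet", "product": "Edge VPN Gateway",
     "vulnerabilityName": "ExampleNet Edge VPN Gateway Path Traversal", "dateAdded": "2025-03-05",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2025-03-26",
     "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": ["CWE-22"]},
    {"cveID": "CVE-2025-00003", "vendorProject": "Acme", "product": "Transfer Appliance",
     "vulnerabilityName": "Acme Transfer Appliance SQL Injection", "dateAdded": "2025-02-14",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2025-03-07",
     "knownRansomwareCampaignUse": "Known", "notes": "", "cwes": ["CWE-89"]},
    {"cveID": "CVE-2025-00004", "vendorProject": "Acme", "product": "Desktop Suite",
     "vulnerabilityName": "Acme Desktop Suite Use-After-Free", "dateAdded": "2025-04-01",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2025-04-22",
     "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": ["CWE-416"]},
    {"cveID": "CVE-2025-00005", "vendorProject": "ExampleNet", "product": "Branch Firewall",
     "vulnerabilityName": "ExampleNet Branch Firewall OS Command Injection", "dateAdded": "2025-05-20",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2025-06-10",
     "knownRansomwareCampaignUse": "Known", "notes": "", "cwes": ["CWE-78"]}
  ]
}"""

# Constructed inventory of (vendorProject, product) pairs this organisation runs.
SAMPLE_INVENTORY = {("ExampleNet", "Edge VPN Gateway"), ("Acme", "Desktop Suite")}
SAMPLE_TODAY = date(2025, 4, 10)  # fixed so the overdue calculation is reproducible


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    vendor: str
    product: str
    date_added: date
    due_date: date
    ransomware_known: bool  # True when knownRansomwareCampaignUse == "Known"


def parse_kev(raw: str) -> list[KevEntry]:
    """Parse a KEV feed document. Rejects a feed whose 'count' disagrees with the
    number of entries, the cheapest check for a truncated or tampered download."""
    doc = json.loads(raw)
    entries = [
        KevEntry(
            cve_id=v["cveID"],
            vendor=v["vendorProject"],
            product=v["product"],
            date_added=date.fromisoformat(v["dateAdded"]),
            due_date=date.fromisoformat(v["dueDate"]),
            ransomware_known=v.get("knownRansomwareCampaignUse", "Unknown") == "Known",
        )
        for v in doc["vulnerabilities"]
    ]
    if doc.get("count", len(entries)) != len(entries):
        raise ValueError(f"KEV count={doc['count']} but {len(entries)} entries parsed")
    return entries


def vendor_breakdown(entries: list[KevEntry]) -> dict[str, tuple[int, int]]:
    """Per vendor: (all KEV entries, entries flagged as used in ransomware campaigns)."""
    total = Counter(e.vendor for e in entries)
    ransom = Counter(e.vendor for e in entries if e.ransomware_known)
    return {v: (total[v], ransom[v]) for v in total}


def match_inventory(entries, inventory, today):
    """Join KEV against inventory (case-insensitive on vendor and product) and rank:
    ransomware-linked first, then by due date, so the top of the list is the exposure an
    initial-access broker is most likely to be selling access through right now."""
    inv = {(v.lower(), p.lower()) for v, p in inventory}
    hits = [e for e in entries if (e.vendor.lower(), e.product.lower()) in inv]
    hits.sort(key=lambda e: (not e.ransomware_known, e.due_date))
    return [
        {"cve": e.cve_id, "vendor": e.vendor, "product": e.product,
         "ransomware": e.ransomware_known, "due": e.due_date.isoformat(),
         "overdue": e.due_date < today}
        for e in hits
    ]


if __name__ == "__main__":
    kev = parse_kev(SAMPLE_KEV_JSON)
    for vendor, (n, r) in sorted(vendor_breakdown(kev).items(), key=lambda kv: -kv[1][0]):
        print(f"{vendor:12s} KEV entries={n:3d} ransomware-linked={r:3d}")
    for hit in match_inventory(kev, SAMPLE_INVENTORY, SAMPLE_TODAY):
        flag = "RANSOMWARE " if hit["ransomware"] else ""
        print(f"{flag}{hit['cve']} {hit['vendor']} {hit['product']} due {hit['due']}"
              + (" OVERDUE" if hit["overdue"] else ""))
```

Run it stand-alone to print the report; in practice SAMPLE_KEV_JSON is replaced by the downloaded feed and SAMPLE_INVENTORY by a CMDB export. The count check exists because a half-downloaded feed parses cleanly and silently hides entries; the case-insensitive join exists because inventory spellings rarely match the feed exactly. The due dates are the BOD 22-01 deadlines CISA sets for federal agencies, which many private organisations adopt as their own SLA for edge devices.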

§ 04

Why it exists

The drivers are structural and reinforcing: (1) digital-economy expansion creates ever more high-value, internet-reachable targets (corporate file servers, cloud admin panels, edge VPNs, OT/ICS, and crypto custodial wallets); (2) cryptocurrency rails enable cross-border value transfer that legacy financial controls cannot reliably interdict, raising the floor on plausible payment sizes (Chainalysis observed the median ransom rising 368% into 2025); (3) division of labour (RaaS, IABs, droppers, mixers) lowers the technical bar for entry and means a single takedown rarely removes capability, since disrupted brands re-emerge under new names while affiliates migrate; (4) safe havens, meaning the limited reach of Western law enforcement into Russia, DPRK, Iran and parts of China, provide jurisdictional cover for the technical core; (5) state incentives: for DPRK, cyber-heist proceeds fund sanctioned national programmes (the Bybit US$1.5B is the largest single instance of that channel); for Russia and Iran, criminal infrastructure provides plausible deniability for politically useful activity; (6) generative AI accelerates the lowest-cost vector (phishing/vishing) by automating bespoke pretexting at scale and enabling deepfake CEO-impersonation calls that have already produced documented US$25M+ single-incident losses.

§ 05

When — the chronology

The modern era opens with the 1986 Computer Fraud and Abuse Act in the United States, codifying the first computer-specific criminal offences (mail/wire-fraud predecessors having proven inadequate). The 2001 Budapest Convention internationalised the framework. The first inflection point came with the 2017 WannaCry cryptoworm, which married a leaked NSA exploit (EternalBlue) to ransomware and demonstrated planetary blast radius; the second came with 2019-2021 ransomware industrialisation (Conti emerges in 2019, REvil, then DarkSide hits Colonial Pipeline in May 2021, then BlackCat in November 2021). 2022 brought the first major Russia-side action (FSB charges against REvil members in January) and the largest dark-market takedown to date (Hydra in April). 2023-2024 was the law-enforcement counter-attack: the December 2023 ALPHV seizure, the February 2024 Operation Cronos against LockBit, the May 2024 Operation Endgame against droppers, and adoption of the UN Hanoi Convention in December 2024. The 2025-2026 window features the Bybit heist (Feb 2025, US$1.5B) confirming North Korea's central role, ENISA's October 2025 landscape report documenting decentralisation, Operation Endgame Phase 3 (Nov 2025, 1,025 servers down), and FBI IC3 publishing record losses (US$20.9B for 2025) in April 2026. The 1,619-entry CISA KEV catalog as of mid-June 2026 captures the cumulative weight of exploited vulnerabilities driving access. See timeline[] for the full dated chronology.

§ 06

Where

Global; not geographically bounded on the victim side. On the perpetrator side there is sharp geographic concentration: peer-reviewed analysis (the World Cybercrime Index) identifies Russia and Ukraine as the most technical hubs, Nigeria as a high-volume scam centre, and the Council on Foreign Relations Cyber Operations Tracker attributes 77% of state-sponsored cyber operations to four jurisdictions — China, Russia, Iran and North Korea. The defender side concentrates in Washington (CISA, Arlington VA; FBI Cyber Division and IC3), The Hague (Europol EC3), London (UK NCA), Athens (ENISA), and the major Western threat-intelligence vendors. The cryptocurrency rail is global by design but disproportionately laundered through Russian-speaking exchanges and DPRK-affiliated mixers. See geo[] for spatial pins.

§ 07

Players

12 in the space
§ 07b

Chronology

20 events
  1. 1986-10-16 U.S. enacts the Computer Fraud and Abuse Act — the first US computer-specific federal criminal statute.
  2. 2000-05-01 FBI launches the Internet Fraud Complaint Center (renamed the Internet Crime Complaint Center, IC3, in 2003) as the central US intake point for internet-facilitated criminal complaints.
  3. 2001-11-23 Council of Europe opens the Budapest Convention on Cybercrime for signature — first international cybercrime treaty.
  4. 2017-05-12 WannaCry ransomware cryptoworm spreads worldwide using the leaked NSA EternalBlue exploit; attributed to Lazarus Group / DPRK.
  5. 2018-11-16 U.S. Cybersecurity and Infrastructure Security Agency (CISA) established within DHS.
  6. 2019-12-01 Conti ransomware first deployed by the Russia-based Wizard Spider group; later evolves into one of the most prolific RaaS brands.
  7. 2021-05-07 Colonial Pipeline ransomware attack halts US Southeast fuel distribution; Colonial pays DarkSide roughly 75 BTC (about US$4.4M), of which the DOJ recovers 63.7 BTC in June 2021.
  8. 2021-11-01 BlackCat / ALPHV ransomware family first appears — first widely-deployed Rust-written ransomware.
  9. 2022-01-14 Russia's Federal Security Service announces it has dismantled REvil and charged several members — Russia's first ransomware enforcement action of note.
  10. 2022-04-05 U.S. and Germany seize Hydra Market — the largest Russian-language dark-web marketplace.
  11. 2023-09-11 Scattered Spider / UNC3944 socially-engineers MGM Resorts IT help desk; deploys BlackCat ransomware. MGM later discloses US$100M cost.
  12. 2023-12-19 U.S. DOJ announces disruption of ALPHV/BlackCat; FBI seizes leak site and distributes a decryption tool to victims.
  13. 2024-02-19 Operation Cronos: UK NCA leads 10-country coalition that infiltrates LockBit's network, seizes infrastructure, indicts two Russian nationals, and replaces the LockBit leak site with a seizure banner.
  14. 2024-05-29 Operation Endgame Phase 1 — Europol-coordinated takedown of the IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot dropper ecosystems used by ransomware affiliates.
  15. 2024-12-24 UN General Assembly adopts the Convention against Cybercrime (Hanoi Convention) amid civil-society warnings about surveillance-power expansion.
  16. 2025-02-21 Lazarus Group steals approximately US$1.5 billion from cryptocurrency exchange Bybit via a Safe{Wallet} supply-chain compromise — the largest crypto heist on record. FBI attributes to DPRK on 26 February 2025.
  17. 2025-10-01 ENISA publishes the Threat Landscape 2025: DDoS dominates incident counts (77%), ransomware operations decentralising, criminal-state convergence accelerating.
  18. 2025-11-13 Operation Endgame Phase 3 — Europol-coordinated takedown of 1,025 servers tied to Rhadamanthys, VenomRAT and the Elysium botnet.
  19. 2026-04-07 FBI IC3 publishes 2025 Annual Internet Crime Report — US cybercrime losses jump 26% year-over-year to US$20.9 billion.
  20. 2026-06-12 CISA KEV catalog (v2026.06.12) lists 1,619 known-exploited vulnerabilities, of which 327 are linked to known ransomware campaigns — Microsoft (377), Apple (93), Cisco (91), Adobe (79), Google (72) lead by vendor.
§ 08

Market

Cybercrime is a high-growth, fragmenting market. Direct US losses tracked by FBI IC3 climbed from roughly US$16.6 billion in 2024 to US$20.9 billion in 2025 (+26% YoY). Worldwide cost estimates diverge by an order of magnitude: Cybersecurity Ventures' widely cited US$10.5 trillion projection treats cost very broadly (including downtime, brand damage, recovery, lost productivity), while more conservative methodologies put 2025 worldwide direct damages closer to US$1.2 trillion. On the criminal supply side, Chainalysis measures the most defensible single signal, ransom payments to crypto wallets, which fell roughly 35% from US$1.25 billion (2023) to US$812.55 million (2024) following the ALPHV, LockBit and Endgame disruptions. The market structure of the 2020s is unmistakably industrialised: a small number of RaaS brands handle most observable ransomware volume, supported by a specialised supplier layer (initial-access brokers, droppers, mixers). Concentration is unstable; takedowns reset leadership every 12-24 months. The fastest-growing sub-segments through 2026 are AI-enabled fraud (deepfake-CEO scams, AI-generated phishing) and state-criminal-hybrid crypto theft (DPRK's Lazarus reached a US$1.5B single-incident record at Bybit). ENISA's 2025 Threat Landscape (4,875 incidents, 1 Jul 2024 - 30 Jun 2025) found DDoS dominated incident volume at 77%, with hacktivism converging with state-aligned operations against EU public administrations.

Size
Direct US losses US$20.9B in 2025 (FBI IC3, +26% YoY); worldwide cost estimates range from ~US$1.2 trillion (more conservative methodologies) to US$10.5 trillion (Cybersecurity Ventures, including indirect costs); Chainalysis-tracked ransom payments US$812.55M in 2024 (down roughly 35% YoY from US$1.25B).
Segments
Ransomware-as-a-service (RaaS) and double-extortion · Initial-access brokers and infostealer-log markets · Malware-as-a-service (droppers / loaders) · Business-email compromise and AI-enabled fraud (deepfake voice/video) · Darknet markets (credentials, drugs, services) · Cryptocurrency heists and laundering (DEX hacks, bridge exploits, exchange compromise) · State-sponsored cyber-criminal hybrid operations (DPRK, RU-aligned) · DDoS extortion and hacktivism-as-service
Dynamics
Total ransom payments fell roughly 35% in 2024 under sustained law-enforcement pressure, but the median individual payment rose 368% (from US$12,738 in 2024 to US$59,556 in 2025), indicating consolidation toward fewer, higher-value targets and away from small-business volume. Brands cycle on a 12-24 month rhythm (REvil 2022, ALPHV 2023, LockBit 2024, post-LockBit successors 2025): disruption is real but capability rebuilds. AI-enabled phishing and deepfake fraud is the clearest growth vector; the criminal-state boundary continues to erode.
§ 09

Outlook

Moderate confidence

Through end-2027, ransom-payment totals are roughly even chance to plateau or modestly recover (US$0.8-1.2B annually on-chain) rather than continue falling, as decentralised post-LockBit operators stabilise and median payments rise. AI-enabled fraud — voice clones, deepfake video and AI-generated phishing — is likely to be the highest-growth sub-segment, given documented multi-million-dollar single-incident losses and the falling cost of voice-clone tooling. State-criminal hybrid crypto theft is likely to produce at least one further nine-figure single-incident heist over the next 18 months, with DPRK-aligned operators the highest-confidence source. Coordinated multi-national disruption is likely to continue but unlikely to fundamentally collapse the ecosystem in this window; further Operation-Endgame-style sweeps and individual brand takedowns are the most probable shape. The principal wildcards are (a) whether the Hanoi Convention's implementation accelerates or fragments international cooperation, (b) whether crypto-regulator action measurably tightens monetisation rails, and (c) whether AI-defender tooling closes the asymmetric advantage that AI-enabled fraud currently confers on attackers.

§ 10

Key Judgments

graded per ICD 203
KJ-01 High Confidence

Cybercrime has matured into a service economy with division of labor — ransomware-as-a-service operators, initial-access brokers, malware droppers, dark-web vendors, and crypto launderers specialize and trade with each other; this commoditization is the defining structural shift of the 2020s and lowers the technical bar for entry into the criminal market.

KJ-02 High Confidence

Western law enforcement moved from a reactive posture to coordinated, multi-national disruption operations starting in late 2023 (ALPHV/BlackCat seizure December 2023, Operation Cronos against LockBit February 2024, Operation Endgame against droppers May 2024 and November 2025); these operations bent total ransom payments down roughly 35% year-over-year in 2024, but the ecosystem responded by decentralising rather than collapsing.

KJ-03 High Confidence

Roughly three-quarters of state-sponsored cyber operations track to four jurisdictions — China, Russia, Iran, and North Korea — and the line between state operators and criminal RaaS affiliates is increasingly porous, exemplified by North Korea's Lazarus Group running both espionage and the largest cryptocurrency theft on record (the US$1.5 billion Bybit hack of February 2025).

KJ-04 Moderate Confidence

Generative-AI-enabled fraud — voice-clone CEO scams, deepfake video, and AI-generated phishing at scale — is likely to be the highest-growth attack vector through 2026-2027, evidenced by documented multi-million-dollar single-incident deepfake losses and FBI IC3 reporting that 2024-2025 cybercrime losses jumped 26% year-over-year to US$20.9 billion in the United States alone.

KJ-05 High Confidence

Median ransom payments rose sharply (368% from US$12,738 in 2024 to US$59,556 in 2025) even as totals fell, indicating that disruption operations are pushing low-volume affiliates out while a smaller cohort of skilled operators concentrates on higher-value targets — a posture consistent with ENISA's assessment that ransomware operations are decentralising in response to law-enforcement pressure.