Inside the business of cybercrime – exclusive interview with Jonathan Lusthaus, RiskConnect speaker

Thursday 29 October 2020 09:22 CET | Editor: Vlad Macovei | Interview

Ahead of the RiskConnect 2020 edition, The Paypers sat down with Jonathan Lusthaus, Director of The Human Cybercriminal Project at the Extra-Legal Governance Institute, University of Oxford, to discuss the ‘human’ side of profit-driven cybercrime and learn about cybercrime markets.

Jonathan Lusthaus will be a keynote speaker at the upcoming RiskConnect conference, organised and brought online by Web Shield. As a dedication to all Risk and Compliance Professionals, this year’s RiskConnect Virtual will be offered FREE for all participants.

Jonathan, you have such an impressive professional background – you are the Director of The Human Cybercriminal Project in the Department of Sociology at the University of Oxford, have written a book, and are a regular speaker at major conferences (Black Hat, Enigma, the International Conference on Cyber Security); it is obvious that you are passionate about this topic – cybercrime. How did you come to work within this field?

I came to work on cybercrime almost by accident. When I moved to Oxford as a student, my original thesis topic didn’t pan out. In a classic student conundrum, I was forced to come up with a new dissertation idea at short notice. As it happened, just before the deadline for announcing topics, the journalist Misha Glenny came to Oxford to give a talk on a new book on cybercrime he was writing. That project would become Darkmarket, and his sneak preview opened my eyes to a world I had never considered before.

Cybercrime was something I had thought of as a purely technical phenomenon. But it clearly involved people too. These people communicated with each other, worked together and traded products on large online marketplaces. This was a secret unmapped world. I knew immediately that I wanted to explore and map this new underground economy that seemed to be hidden from sight. And from that point on, I became obsessed with the subject.

Tell us more about The Human Cybercriminal Project. 

Founded in 2013, by myself and Federico Varese, the Human Cybercriminal Project aims to pioneer research on social aspects of cybercrime. Many approaches investigating cybercrime thus far have focused on the technological elements, but there is now a great need to understand the ‘human’ side of online crime: Who are the cybercriminals? What motivates them? Where do they come from? How do they operate? The project is based at the University of Oxford and partnered with UNSW Canberra Cyber in Australia. 

Your research focuses on the ‘human’ side of profit-driven cybercrime: can you portray for our readers what a cybercriminal looks like, and how they speak, appear online, organise, and build trust among their ‘fellow workers’?

In a nutshell, there is no one type of cybercriminal. It’s actually a very large and diverse world. People often think of criminal hackers, but cybercriminals come in all shapes and sizes. Some are very technical and involved in coding malware or other tools. But others are completely non-technical and may for example be involved in low level aspects of fraud or money muling. There is a huge spectrum in between. There is a clear division of labour within cybercrime, so it makes sense that different types of people need to be involved.

In my view, the best way to look at cybercrime is as an industry. There are entrepreneurs and workers underneath them. Some groups look a lot like legitimate businesses, apart from the criminal nature of their activities. There are also markets where users can trade online, whether stolen card data, technical tools, or money laundering services and so on. And the way they trust each other is also very similar to legitimate industry and other parts of life. Online, reputation is really important. But cybercriminals have also figured out some enforcement systems like arbitration and escrow, which are surprisingly professional. Then there are other offenders that may operate scams or carry out attacks online, but know a number of their collaborators in person, and may even work in an offline office-like setting. 

Could you please give more details about your book: Industry of Anonymity: Inside the Business of Cybercrime?

This book took me almost a decade to complete. I became obsessed with the puzzle of how cybercriminals trust each other when they don’t know who they are dealing with. I also realised there wasn’t really a map of what cybercrime looked like around the world. So, I started visiting countries, 20 in total by the end of my 7 years of fieldwork. These travels took me to a number of cybercrime hotspots including Russia, Ukraine, Romania, China, Nigeria, Brazil, and more. I interviewed 238 people, including some leading former cybercriminals, along with law enforcement agents and security professionals. I visited the sites where key historical events took place, such as a conference held in Odessa by some of the pioneers of the cybercrime industry.

There are so many stories from this long adventure and so many interesting characters that I met along the way. I think back to the first former cybercriminal I ever interviewed, who I was quite nervous to meet. But in the end, I found out that he was just as worried about meeting me, as he thought I might be an undercover agent. I’ve been in police stations all over the world interviewing investigators, and I’ve effectively become pen-pals with convicted cybercriminals spending long stretches of time in prison.

When it comes to organising/conducting cybercrime as a business, what are some differences that you noticed in different parts of the world?

There are definitely different flavours of cybercrime around the world. This goes back to the point about specialisation. Local conditions produce cybercriminals with different skillsets, who then go on to play particular roles within the cybercrime industry. For instance, the former Soviet States are well known for their excellent education system in technical disciplines. They are producing a supply of capable programmers and tech entrepreneurs, but without the job market to support them. In cybercrime, offenders from this region have become known for the production of malware and other tools, which are widely used throughout the business. These offenders have also driven a number of innovations in credit card fraud, banking fraud, and beyond.

Meanwhile, in other parts of the world, there is a different offender profile. For instance, Nigerian offenders have traditionally been known for more low-tech scams. In the early days, advance fee fraud, or 419 scams, was a common one. Most people know these as those email scams. More recently, these offenders have become associated with business email compromise, where scammers impersonate the CEO or other manager in an organisation and direct company funds to be paid into an account that the fraudsters control. In Romania, the archetypal scam has been online auction fraud, which is essentially the sale of products that don’t exist and are therefore never delivered.

Investigating cybercrime marketplaces in regions like South America – Brazil, Africa – Nigeria, Eastern Europe – Romania, seems stressful… what’s the secret to managing stress?

I’m not sure if there is a secret. I often got nervous before I did particular interviews or visited certain countries. Actually, I think a little bit of stress is a good thing, as it sharpens the mind and makes you think about possible risks. I always prepared for the worst possible outcome in different situations. Thankfully, I don’t have too many horror stories over this seven-year period. I met a lot of friendly and helpful people along the way. Ultimately, people are people no matter what they do or where they are in the world. And that applies to the former cybercriminals I met as much as anyone. Many of them were very polite and very easy to engage with. They committed criminal acts in the past but were not ‘bad guys’ in a more personal sense.

About Jonathan Lusthaus

Dr Jonathan Lusthaus is Director of The Human Cybercriminal Project in the Department of Sociology, a Research Associate at the Centre for Technology and Global Affairs, and a Research Fellow at Nuffield College, University of Oxford. He is also an Adjunct Associate Professor at UNSW Canberra Cyber. Jonathan’s research focusses on the ‘human’ side of profit-driven cybercrime: who cybercriminals are and how they are organised. He is a regular speaker at major conferences, such as Black Hat, Enigma, and the International Conference on Cyber Security. Jonathan has also written widely across academic, policy and media publications, including for the European Journal of Sociology, the Council on Foreign Relations and The New York Times. Jonathan holds a doctorate in sociology from the University of Oxford, where he was a Clarendon Scholar.

He is the author of Industry of Anonymity: Inside the Business of Cybercrime published by Harvard University Press. Fieldwork for this study took place over a 7-year period, involved travel to cybercrime hotspots around the globe, and included almost 250 interviews with law enforcement, the private sector, and former cybercriminals.
