Evolution of the cybercrime market: from thieves to a regulated system

There's no doubt that the technological advances and new forms of communication are leading us into an increasingly digital world. The ways people interact and communicate, the workplace and the very functioning of the economy and markets are all changing.

This new world has already been colonized by criminals, generating new criminal patterns and roles in what has become known as cybercrime.

This phenomenon, despite its relative youth, already has its own unique evolution, which is so vertiginous that it has reached levels of adaptation and development that other legal sectors could only dream of.

The cybercrime market

As we previously commented on in a previous post, cybercrime already moves more money that drug trafficking or the illegal sale of weapons.

We're talking about a full-fledged market, where thousands and thousands of individual or organized cyber-criminals sell their services actively and very lucratively.

This, as the reader can verify, is coupled with a very businesslike language and presentation, which is strange nonetheless as we're talking about activities that are illegal and are persecuted by the authorities in many countries.

The first question that may come to mind is: How is it possible that an illegal activity could evolve like this? Without wanting to go further, it is, however, interesting to wonder how such a market can work.

By that we mean that this business market is obviously full of scammers, criminals and cheats who often do business with other people who in turn also want to cheat others and commit fraud or crimes. In addition, all this can take place and is made more powerful thanks to the anonymity that the internet offers.

How can anonymous criminals trust other anonymous criminals to make good on the promised service or to deliver the purchased product? Even if they do receive it, how can they be sure that the service or product is "in good condition"?

If a person buys online on eBay and feels scammed, this user can make a claim, call the police, report the seller... But, can the same thing happen in a criminal-operated environment?

It seems strange to think that in this cyber-criminal market there is room for judges and police, and it is even paradoxical to imagine an illegal market governed by laws that everyone has to comply with in order for it to work.

But it is precisely these elements that, in general terms, are designed in the market to make it sustainable, secure and reliable for its users. In short, for a market to be successful, it needs regulations, order and security among the participants. It's clear that none of this can happen in an illegal market such as cybercrime, so how could this market have flourished?

Well, first of all, it's worth mentioning that when we talk about the cybercrime market, we're not talking about a single, defined entity, rather we should talk about different markets or markets within a global industry that is cybercrime.


Structures of cybercrime

Just like in other industries, there are markets that are better, worse and average. There are some that operate like a true den of thieves, which are the weak, minority markets that are clearly doomed to fail. There are others, however, that have been able to generate certain operating structures that allow for their development and success.

To do so, just like what happens in the context of cybercrime in general, they have established and copied what already works in legal markets.

It seems obvious: if we're selling products and services like other companies such as eBay or Amazon, why not copy how they operate? While it's true that they may be criminals, it doesn't mean they're stupid.

The obstacles that must be overcome in order for a market like this to work are:

  • Although, for obvious reasons, it's not possible to guarantee the identity and trustworthiness of users, certain tools need to be generated that at least make it possible to generate a reputational ranking for members.
  • Although the transactions and interactions between buyers and sellers must be private without any traceability, there is a need for a certain type of verification system and guarantees that make the participants have or feel a certain sense of security in their purchases/sales.

The cybercrime markets that are thriving are based on operating structures similar to forums. Yes, it may seem strange after what we've said about criminals negotiating with other criminals, but with a couple of tweaks it actually works correctly.


The first important element in this system is the need for administrators who manage it, just like in any other community or forum.

Among their duties, these administrators control the flow of users in the community and enforce a series of operating rules.

Yes, operating rules are necessary, even if we're in an illegal context. This is reminiscent of what we often hear about the "code of honor" among thieves.

How Cybercrime Market work?

Based on this basic structure, the operation of the cyber-criminal community doesn't differ much from any other legal system. There are a number of steps:

  • Users register and are assigned a unique ID.
  • Users can make comments and search for those made by other users, in a way that generates a space for reliable communication.
  • In connection with this, it's possible to establish a system of "reputation points" for users. These reputation points can influence the user's status. (If you've ever bought something from Amazon, you'll be able to recognize this system).
  • There are moderators who manage and supervise these communications. This regulation system is essential in order for the market to work properly.

In short, we're not talking about anything new that doesn't already take place on platforms such as eBay, Amazon, Alibaba... The small difference is that in this market, illegal products and services are being offered. In this case, we're talking about buying stolen credit cards or Skype accounts for example.


A very important element in this cyber-criminal market is reputation. As we've already mentioned, if someone buys a stolen credit card and it doesn't work, it'd be strange for them to end up reporting it to the police as a scam or going to a consumer office.

This system must be able to do a good job of distinguishing between the "good" and the "bad" users in order to generate confidence.

When a user is newly registered, they are classified as such and have a very basic status, which doesn't allow them to access certain information, services or products.

As a seller begins to make transactions and interact, they begin to gain status and become a "verified seller".

This makes them more and more reliable and therefore they are given a higher level of visibility and privileges in the system. There are levels that can only be reached by invitation from the administrators or from other users who are part of the system's elite.

Customer service and claims

But surprisingly, some of these markets even incorporate what we might call a "Customer Service" or "Complaints" system that buyers can turn to if they feel "scammed".

What differentiates a den of thieves from a regulated system is precisely this. Here the administrators come into play, who analyze the case and even carry out something similar to an investigation, ultimately making a decision in favor of either the buyer or seller.

Sellers who break the system's internal rules or who are "reported" by buyers are expelled from the market, which generates an ecosystem of trust that tends to favor the most veteran or reputable sellers.

Because the fact is that criminals need other people (their buyers) to survive, even if they dedicate themselves to ripping off, deceiving or causing harm to others. This implies, albeit paradoxical, the need to follow and obey certain rules of conduct.

Negotiating and coexisting in a den of thieves is impossible without certain regulations. And this seems to be something that the cybercrime market has learned very well.

Posted by Pablo de la Riva

Pablo de la Riva founded his first company when he was 21 years old – a security consulting firm – and buguroo is his first software startup experience. He has been working in the anti-fraud sector for almost 15 years, first as a cyber-security analyst, then as a team leader, later as CTO with almost 200 people reporting to him and now as CEO.

Solicita una demo

Would you like to know how our solution protects your bank?

Check how our solution can help you to resolve your company's online fraud issues by requesting a free DEMO and we explain it to you in detail.

Watch video

Did you like it? Share in your social communities