Modus Operandi and Cyberprofiling

Criminal profiling is a psychology-based technique in which, on the basis of an analysis of the behavior engaged in by offenders at the time of their crime, an attempt is made to identify the characteristics describing it in order to assist police investigators in their arrest.

In some measure, the behavior displayed by a criminal is supposed to reflect what they are like and which physical, psycho(patho)logical or social features they are most likely to exhibit. Based on this criminal “portrait”, the police can search for or prioritize the suspects that match this profile.

This technique is structured and consolidated in the FBI , specifically in its Behavioral Science Unit (BSU), a team that was created precisely for the purpose of supporting police investigators in any crimes where an analysis of criminal behavior can offer clues relative to what the criminal may be like.

This criminal profiling is based on a premise that is used frequently in the field of psychology; namely, we define ourselves by our behaviors. We are what we do and we do what we are.

In order to prepare this criminological profile, the profiler analyzes, among other aspects, what is known as the Modus Operandi (MO), which can be defined as any behaviors criminals engage in to commit their crime and which fulfill one of these three objectives:

  • To protect the criminal’s identity: The use of gloves, masks, darkness, etc. are modus operandi behaviors because they serve to hide the criminal’s identity.
  • To complete the crime, fulfill the criminal objective: Breaking a window and entering a home to steal is part of an method of operation because it serves to access a place where valuable objects can be found.
  • To facilitate the aggressor’s escape: Tying up a victim and blindfolding them while the offender escapes are modus operandi behaviors because they enable them to escape easily and prevent the victim from seeing the direction they went in.


Analyzing an a criminals modus operandi is the details of answers the question of how a crime is committed and, therefore, it is a fundamental element of analysis because it reveals the instrumental behavior engaged in by the offender.

On analyzing these behaviors, we can gather a variety of information on what the criminal might be like and what characteristics they may exhibit at different levels:

  • Physical: Certain behaviors displayed at the scene can provide information relating to specific physical characteristics. Complexion and appearance, for example, can be inferred from the interaction with the victim. A struggle with a victim and how they are subsequently manhandled can reveal particular physical strength.
  • Psychological: Some behaviors reflect specific psychological and/or emotional traits. For example, an analysis of the injuries caused in a victim may suggest their degree of anger, rage, sadism, impulsiveness, mental imbalance, etc.
  • Knowledge / skills: Certain behaviors deployed by the criminal can serve to infer the depth of knowledge they have about different subjects and their learning ability. For example, we can deduce whether a criminal is acquainted with a geographical area or whether they have any prior knowledge about the victim and their routines.
  • Educational aspects: The offender’s use of certain instruments or techniques can show that they are familiar with a specific subject or discipline. For example, the sabotage of an alarm and video surveillance system when committing a burglary may show us that they have some training in electronics and in security systems.
  • Criminal experience: modus operandi behaviors that show great skill or perfection when it comes to troubleshooting or executing a crime may indicate that this offender is not new to the game and has previous experience. Robbing a jeweler’s taking into account the alarm system response times and identifying the most valuable items may suggest that the thief is experienced in this type of robbery.
  • Forensic awareness: This is related, to some extent, to the above and refers to the offender’s knowledge of criminal investigation techniques and which enable them to erase their trail or tamper with the crime scene in order to lead investigators up the garden path. This awareness is sometimes acquired gradually through the criminal experience itself and, on occasions, after having been arrested or having done time. Nowadays a lot of this forensic awareness can be enhanced by looking for information online and even by watching TV series. One example of this forensic awareness could be an offender who switches off their mobile phone and takes the battery out because they know the signal it emits can help track them.

In recent years, use of this profiling approach has begun in the field of cybercrime giving rise to what is known as Cyberprofiling. Based on the same premise, a cybercriminal leaves a trail behind them in their crime which offers us information on what they are like, which can also be used to identify or find them.

Even though the virtual context has its own specific features, people never stop behaving, everything is behavior and all of it reflects what we are like, even when we are trying to hack a server.


Everyone possesses a series of mental and personality traits that echo the way we think, how we interact with others, what we like and what we do not.

For instance, it is easier for a hacker with traits of impulsiveness to fall into a honeypot, whereas another, who is extremely narcissistic, will tend to advertise their hacking more and expose their identity to a greater extent in order to garner recognition; they are unlikely to act as part of a group.

Furthermore, we all have limited education and knowledge, which is what we are able to use when we interact or solve a problem. A hacker may have training in developing their own malware or may not and needs to buy a kind that is commonly used on the black market. The level of danger of one or the other is going to be different.

Coupled with this, people also have personal traits that determine their behavior. Living in a specific geographical area, having a job or family responsibilities impact how, when, where and in what way we behave.

A specific hacker’s logging on pattern can show us the likelihood of their being employed or not, what times they have available for carrying out their criminal activity and how they balance this activity with their other “normal” routines. A hacker who lives alone and is unemployed will reveal activity patterns that are different from those of another who works and has a family.

In conclusion, everything we are and what we are like is projected onto our activity, onto our behavior and leaves footprints that can be used to build a profile that represents us, even in our virtual activity.

This premise allows us to use the modus operandi concept in the cybercrime arena in the same way as we do in analogical criminology. This means that a virtual modus operandi attempts to achieve the same 3 objectives: to hide the cybercriminal’s identity, to complete commission of the cybercrime and to facilitate their escape.

An analysis of the modus operandi of a cybercrime can provide us with information on whether we are facing script kiddies, a hacktivist, a spy, someone seeking profit, revenge, etc.

In cybercrimes such as phishing or sexting, the modus operandi the cybercriminal deploys can reveal details about their communication or social skills.

This enables us, through content analysis and other techniques, to deduce the educational level of a specific hacker, whether they are a misfit or not, the possibilities of social activity, hobbies, etc. It is highly likely that the profile of a pharmer, who engages in this type of cybercrime, is very different from that of a carder, who only seeks economic gain.


On occasions, the modus operandi of a cybercrime can demonstrate premeditation or, on the contrary, opportunism. Intrusion often entails knowing the victim in depth, dedicating time and effort to gathering information about them, which sometimes enables a search to be carried out in the past for specific contacts or accesses that were not as sophisticated or did not have as many security measures in place.

To sum up, Cyberprofiling is an additional technique that can be used in the investigation and analysis of cybercrimes which can delve deeper into a development element required increasingly by cybersecurity, the physical identification of the cybercriminal.

Protecting and preventing are key elements in security, but nothing or very little will change if we do not also firmly commit to reducing and eliminating risks. In order to do this, it is essential to be able to identify and capture cybercriminals and commit them for trial, and it is in this aspect where Cyberprofiling can offer support by providing profiles containing information on the probable personal, psychological and social traits that a specific cybercriminal may exhibit.

This can help filter suspects and open up search lines which, in the end, conclude with the criminal’s identification and arrest.

Check how our solution can help you to resolve your company's online fraud issues by requesting a free DEMO and we explain it to you in detail.

Watch video



Posted by Tim Ayling

Tim Ayling is currently the Vice-President EMEA at buguroo. With over 20 years' experience in the cybersecurity and anti-fraud industry, Ayling began his career in technical support, and moved on to System Engineering. He began his leadership career when he established Entrust Inc. in Australia in 2003 and was made Vice-President Asia Pacific in 2006. Ayling has held numerous leadership roles in large cybersecurity vendors, including serving as the Global Head of Fraud Prevention Solutions at Kaspersky Labs, as EMEA Director of Fraud & Risk Intelligence at RSA Security, as well as spending time in the cyber-security practice of KPMG.

Did you like it? Share in your social communities

We recommend you...