Encyclopedia of Security and Emergency Management

Living Edition
Editors: Lauren R. Shapiro, Marie-Helen Maras

Criminals: Cybercriminals

  • George Grispos
Living reference work entry
DOI: https://doi.org/10.1007/978-3-319-69891-5_80-1


Cybercriminal; Digital crime; Digital criminal


Cybercriminals commit or support criminal acts in a digital world. These acts can be classified as either digital-focused crimes, where a criminal act has emerged as a result of technology, or digital-assisted crimes, where a criminal has used technology in a supporting capacity to commit a criminal act.


Industry reports indicate that cybercriminals continue to target organizations around the world. The PricewaterhouseCoopers (PWC 2018) Global Economic Crime and Fraud Survey indicated that a third of all respondents had been a target for cybercriminals. The survey also reported that a quarter of the respondents were victims of digital extortion or had suffered from asset misappropriation during the last year. These increases come at a great financial cost. The 2017 Ponemon Cost of Cybercrime report estimated that the financial losses from criminal enterprise cost organizations an average of $11.7 million in 2017, an increase of 23% since the previous year and a 62% increase over the last 5 years (Ponemon Institute 2017).

The reality is that the continuous amalgamation of technology into everyday life is creating an environment that is potentially conducive to cybercrime (Grispos 2016; Grispos et al. 2019). Cisco (2011) summarized the problem with the quote “wherever users go, cybercriminals will follow” (p. 14). Hence, there is a need to discuss the impact of cybercrime on society, examine who is involved in cybercriminal activities, and investigate how cybercriminal behaviors can be effectively reduced. This entry examines the historical perspective of cybercrime, defines and characterizes cybercriminals through various demographics, and discusses what, potentially, motivates cybercriminals. The entry concludes by presenting an overview of various strategies that are being undertaken to counter cybercrime.

History of Cybercriminals

One of the first documented cases of cybercriminal activity took place in November 1988, when a university student called Robert Morris wrote a computer worm (aka the “Morris Worm”). This computer worm infected the Advanced Research Projects Agency network (ARPAnet) and resulted in 10% of the computer systems attached to ARPAnet being shut down. The Morris Worm also infected systems within many universities, medical research facilities, and military buildings. Morris was eventually convicted of violating United States Code Title 18, the Computer Fraud and Abuse Act, and was sentenced to 3 years of probation, 400 hours of community service, and a fine of $10,050 (Markoff 1990). However, one positive outcome from the Morris Worm was the establishment of the Computer Emergency Response Team Coordination Center (CERT/CC), whose purpose is to provide a central point for coordinating responses to “Internet” attacks by cybercriminals.

Since the 1980s, the number of individuals and organizations that rely on computers for their business records and other functions, both in closed (i.e., only connected within the company) and open (i.e., connected to computers within and outside the company) networks, has grown exponentially. Hence, there is a growing demand for individuals and organizations to secure personal and customer information, as well as the systems that are used to process and store this information. However, the software and applications that are executed on these systems are often vulnerable to a variety of cyberattacks, forcing software manufacturers to either release updates to prevent attacks or, worse, repair the damage caused by cybercriminals. For example, malware authors around the world have caused millions of dollars in damages through computer viruses and computer network worms such as Melissa, Love Bug, and Code Red (Hoar 2005). Likewise, in 2003, the SQL Slammer worm resulted in millions of individuals around the world going without cellular or Internet service, as well as the cancellation of flights from airports in the United States (Hoar 2005).

The past few years have also seen a rise in a new type of cybercrime, committed not just by individuals, but by state-sponsored groups. For example, a North Korean-backed hacking group was considered to be responsible for an attack on the film production company Sony Pictures. This attack resulted in personal information and intellectual property being obtained and released to the general public. However, what is more concerning is that many of these state-sponsored groups now aim to cause physical damage through the digital world (Grispos et al. 2017). As a result, these cybercrimes have led to physical damage to buildings, the shutdown of nuclear reactors, and even medical hospitals closing their doors to patients (Loukas 2015).

Defining Characteristics of Cybercriminals

An analysis of the literature suggests that a general consensus on the term “cybercriminal” has yet to emerge, and this is perceptible in the following descriptions:
  • “person (who) uses the Internet, computers and related technology in the commission of a crime” (Maras 2016, p. 4)

  • “is a person who commits an illegal act using a computer with an ulterior (m)otive” (Chouhan 2014, p. 49)

  • “individuals (who exploit) the speed, convenience and anonymity of the Internet to commit a diverse range of criminal activities that knows no borders, either physical or virtual” (INTERPOL 2018, p. 1)

While there is much ambiguity surrounding the definition of a cybercriminal, there have also been attempts to characterize cybercriminals from the perspective of their gender, ethnicity, and social interactions with other criminals. Several researchers have argued that most cybercriminals are male (Bachmann 2010; Cueto 2015; Jordan and Taylor 1998; Motoyama et al. 2011). One potential reason is that there are more male than female computer science majors enrolled in universities who subsequently become programmers, who can, potentially, turn into hackers (Cueto 2015). Evidence for this theory is visible in the number of male cybercriminals who have been arrested and prosecuted for a variety of cybercrimes. For example, Kevin Mitnick obtained unauthorized access to systems belonging to Digital Equipment Corporation, Pacific Bell, and several United States Government agencies. Mitnick was eventually prosecuted and served 5 years in prison. Similarly, Michael Calce was sentenced to 8 months “open custody” for launching several Denial-of-Service (DoS) attacks against organizations including Yahoo, eBay, and CNN.

An alternative demographic that has been examined in more detail in the last decade is related to the race/ethnicity of cybercriminals. The evidence suggests that most cybercriminals are Asian or of European descent, given that these are the racial backgrounds of most programmers (Cueto 2015). Moreover, this notion has been fueled by a growing number of cybercriminal incidents that are purported to have originated in countries such as North Korea, China, and Russia. For example, Kozlowski (2014) examined three cyberattacks on Estonia in 2007, Georgia in 2008, and Kyrgyzstan in 2009, with the aim of answering who was responsible and why the attacks were undertaken. Kozlowski (2014) concluded that in all three cases, these countries had tense relations with Russia, and that attacks were either carried out by patriotic cybercriminals on behalf of the Russian government or by the Russian government itself. A variety of cybercrimes continue to be attributed to Russian cybercriminals, including a number of attacks that resulted in American companies losing tens of millions of dollars due to scams and fraudulent activities (Gregorian 2018). Similarly, as China’s internet presence continues to increase, the state of cybercrime in China has been the focal point for several studies (Kshetri 2013; Lewis 2005; Yip 2011). Kshetri (2013) has reported that China often ranks in the top three countries for hosting malware, generating spam, click fraud, and being responsible for cyberattacks.

While most cybercriminals are understood to act alone, many cybercrimes are not committed in isolation (Hutchings and Chua 2016). For example, cybercriminals will compromise servers to steal credit card information, then compromise another server to store and sell this information in the near future (Hutchings and Chua 2016). This can complicate efforts to identify and associate crimes with a particular cybercriminal or group. Further confusing matters is the emergence of organized cybercriminal groups (Choo and Smith 2008). While individuals within these groups are considered highly technical cybercriminals, they are unlikely to know each other in the physical world (Choo and Smith 2008). Therefore, unless digital evidence can be found exposing a cybercriminal’s organizational topology, some group members might never be known to law enforcement investigators.

Cybercriminal Motivations and Activities

Cybercriminals can be motivated by a variety of reasons to commit criminal acts, including social, political, religious, economic, revenge, and thrill-seeking motives. In the leaked classified American intelligence case, Chelsea (Bradley) Manning claimed that the information was disclosed to raise awareness of the wars in Afghanistan and Iraq, effectively cyber-activism (Thorsen et al. 2013). Likewise, Kevin Mitnick has often stated that committing his cybercrimes was more for fun and to challenge himself intellectually (Shimomura and Markoff 1995). However, on the other side of the spectrum are cybercriminals who commit crimes as part of a political statement or as part of an organized crime syndicate. An example of a political cybercrime is the 2014 Sony hacking by North Korea, which objected to the screening of “The Interview” and threatened to attack American cinema theaters that screened the film (Haggard and Lindsay 2015). Similarly, Nicolae Popescu was part of a much larger group of individuals who were responsible for a wide variety of fraudulent financial activities (Lusthaus and Varese 2017).

In order to fulfill these motivations, cybercriminals will undertake a variety of different activities. Wall (2007) argued that there are three generations of cybercriminal activities: crimes in the machine (i.e., computer content), crimes using machines (i.e., computer related), and crimes against the machine (i.e., computer integrity). Wall (2007) speculated that in the future, cybercriminal and victim interaction will be completely automated by technology, thereby removing the need for victim interaction. In addition to Wall’s classification, several organizations and governmental bodies have attempted to develop taxonomies that define and determine a range of cybercriminal activities. However, a consensus on what should be included in these taxonomies has yet to materialize. For example, the United Kingdom’s National Crime Agency’s (2018, p. 1) taxonomy of cybercriminal activities includes:
  • Phishing – email messages asking for either security information or personal details

  • Hijacking – when a cybercriminal controls your webcam, or hijacks files on a digital device and holds them ransom, usually until a financial payment is made

  • Keylogging – where a cybercriminal records what is typed on a computer’s keyboard or obtains screenshots of the victim’s computer screen

  • Ad clicking – cybercriminals directing a victim’s computer, after the victim has clicked a specific link, which is often malicious

  • Hacking – cybercriminals who gain unauthorized access to a computer system

  • Distributed Denial of Service (DDoS) attacks – cybercriminals who attempt to disrupt the availability and “connect-ability” of a computer system

The Australian Cybercrime Online Reporting Network (2018, p. 1) provides an alternative taxonomy describing cybercriminal activities, which in some cases focuses on traditional crimes where cybercriminals have extended their effect into the digital world:
  • Attacks on computer systems – this includes hacking, malware, and viruses.

  • Cyber-bullying – online behavior that is intended to make victims fearful and could also result in harassment.

  • Prohibited offensive and illegal content – viewing, distributing, or promoting digital content that has been considered illegal or prohibited in a specific jurisdiction.

  • Online child sexual abuse material – viewing, distributing, or promoting material that shows child sexual abuse. This includes grooming and sexting.

  • Identity theft – cybercriminals misusing personal information or online accounts that belong to the victim.

  • Online trading issues/Online scams or fraud – illegal activities related to buying or selling online.

  • Email spam and phishing – cybercriminals distributing unwanted email messages or promoting material to obtain personal information from a victim.

The aforementioned techniques used by cybercriminals lead to a variety of consequences that range from minor to severe. For example, the WannaCry hack, in which hackers sent messages demanding ransom payments, resulted in 327 payments totaling $130,000 (Gibbs 2017). However, the WannaCry hack also impacted several National Health Service (NHS) hospitals in the United Kingdom, which culminated in 19,000 medical appointments being cancelled (Field 2018). Similarly, in 2018 Under Armour revealed that its MyFitnessPal mobile app had been hacked, which resulted in 150 million accounts being compromised. Usernames, email addresses, and hashed passwords were stolen (Lamkin 2018). Many of these user details were placed for sale on the dark web on websites such as Silk Road, an online black market (Hong 2015). Once these details are purchased by other cybercriminals, they can be used to commit additional cybercrimes (i.e., identity theft). For example, Amar Singh and his spouse Neha Punjani-Singh were found guilty of identity theft and credit card scams that resulted in victims losing $13 million (Carrega-Woodby 2012).

Countering Cybercriminals

The increasing rate of cybercrime prompts the discussion on the implementation of countermeasures to deter cybercriminals from committing such acts. These countermeasures can be broadly classified as any actions, technology, or devices that can be applied with the purpose of preventing or mitigating the impact of a cybercrime (MacKinnon et al. 2013). It must be noted that no single solution exists to counter cybercrime, and that a number of legal and behavioral countermeasures are often needed to prevent cybercriminals from succeeding.

From a legal perspective, the increasing impact and costs associated with cybercrime have prompted European nations, along with Canada, Japan, and the United States, to ratify the Budapest Convention on Cybercrime (Council of Europe 2001). The purpose of this international treaty was to counter computer-related criminal activities through increased cooperation between national law enforcement agencies, harmonizing related laws, and improving the quality of cybercriminal investigations. Similarly, efforts had also been made to bring cybercriminals to justice in the International Criminal Court (Ophardt 2010).

Thus far, legal countermeasures have often been insufficient. Consequently, many organizations have implemented behavioral countermeasures in an effort to counter offenses by cybercriminals. These types of countermeasures range from raising public awareness to educating the community on defining cybercrime, detecting and reporting cybercriminal activities, implementing policies and technical safeguards, as well as educating and training the population on safe cyber-practices (Yang and Hoffstadt 2006). Alternatively, many financial organizations, such as banks, are choosing to implement biometric countermeasures (methods that rely on physical or behavioral traits, such as a fingerprint) in order to prevent cybercrimes from transpiring.


Cybercriminals are a distinct type of criminal who engage in devious behavior involving some form of technology. While a consensus on the definition of the term “cybercriminals” or their activities has yet to emerge, it is very difficult for organizations and governments to ignore the problem. This is because the focus of cybercriminal activity has moved from attacks that temporarily disrupt research networks and steal classified intellectual property of the company and/or their clients’ personal information to hijackings that literally shut down medical hospitals and delay patient treatments until the ransom is paid. Hence, ordinary citizens are now being impacted by cybercrime even though they are not the intended target. Therefore, it is imperative that organizations and businesses have the ability to identify, define, and investigate cybercrime when it occurs. This means providing these organizations with tools, techniques, and laws to counter cybercriminals as they change face in the coming decades.



References

  1. Australian Cybercrime Online Reporting Network. (2018). Learn about cybercrime. Retrieved from https://www.acorn.gov.au/learn-about-cybercrime
  2. Bachmann, M. (2010). The risk propensity and rationality of computer hackers. International Journal of Cyber Criminology, 4, 643–656.
  3. Carrega-Woodby, C. (2012). Queens couple pleads guilty to roles in largest ID theft scam in US history. Retrieved from https://nypost.com/2012/08/06/queens-couple-pleads-guilty-to-roles-in-largest-id-theft-scam-in-us-history/
  4. Choo, K.-K. R., & Smith, R. G. (2008). Criminal exploitation of online systems by organised crime groups. Asian Journal of Criminology, 3(1), 37–59.
  5. Chouhan, R. (2014). Cyber crimes: Evolution, detection and future challenges. IUP Journal of Information Technology, 10(1).
  6. Cisco. (2011). Cisco 2011 annual security report.
  7. Council of Europe. (2001). Convention on cybercrime.
  8. Cueto, J. (2015). Race and gender among computer science majors at Stanford. Retrieved from https://medium.com/@jcueto/race-and-gender-among-computer-science-majors-at-stanford-3824c4062e3a
  9. Field, M. (2018). WannaCry cyber attack cost the NHS £92m as 19,000 appointments cancelled. Retrieved from https://www.telegraph.co.uk/technology/2018/10/11/wannacry-cyber-attack-cost-nhs-92m-19000-appointments-cancelled/
  10. Gibbs, S. (2017). WannaCry: hackers withdraw £108,000 of bitcoin ransom. Retrieved from https://www.theguardian.com/technology/2017/aug/03/wannacry-hackers-withdraw-108000-pounds-bitcoin-ransom
  11. Gregorian, D. (2018). Feds say Russian hackers duped U.S. companies out of tens of millions in advertising dollars. Retrieved from https://www.nbcnews.com/news/us-news/feds-say-russian-cybercriminals-duped-u-s-companies-out-tens-n940946
  12. Grispos, G. (2016). On the enhancement of data quality in security incident response investigations. University of Glasgow.
  13. Grispos, G., García-Galán, J., Pasquale, L., & Nuseibeh, B. (2017). Are you ready? Towards the engineering of forensic-ready systems. Paper presented at the 11th international conference on research challenges in information science (RCIS), Brighton, United Kingdom.
  14. Grispos, G., Glisson, W., & Cooper, P. (2019). A bleeding digital heart: Identifying residual data generation from smartphone applications interacting with medical devices. Paper presented at the proceedings of the 52nd Hawaii international conference on system sciences. Maui, HI, USA.
  15. Haggard, S., & Lindsay, J. R. (2015). North Korea and the Sony hack: Exporting instability through cyberspace. Asia-Pacific Issues (117), 1.
  16. Hoar, S. B. (2005). Trends in cybercrime: The dark side of the Internet. Criminal Justice, 20, 4.
  17. Hong, N. (2015). Silk road creator found guilty of cybercrimes. Retrieved from https://www.wsj.com/articles/silk-road-creator-found-guilty-of-cybercrimes-1423083107
  18. Hutchings, A., & Chua, Y. T. (2016). Gendering cybercrime. In Cybercrime through an interdisciplinary lens (pp. 181–202). Routledge. New York, NY, USA.
  19. INTERPOL. (2018). Cybercrime. Retrieved from https://www.interpol.int/Crime-areas/Cybercrime/Cybercrime
  20. Jordan, T., & Taylor, P. (1998). A sociology of hackers. The Sociological Review, 46(4), 757–780.
  21. Kozlowski, A. (2014). Comparative analysis of cyberattacks on Estonia, Georgia and Kyrgyzstan. European Scientific Journal, 10(7), 237–245.
  22. Kshetri, N. (2013). Cybercrime and cyber-security issues associated with China: Some economic and institutional considerations. Electronic Commerce Research, 13(1), 41–69.
  23. Lamkin, P. (2018). Under Armour admits huge MyFitnessPal data hack. https://www.forbes.com/sites/paullamkin/2018/03/30/under-armour-admits-huge-myfitnesspal-data-hack/
  24. Lewis, J. A. (2005). Computer espionage, Titan rain and China. Center for Strategic and International Studies-Technology and Public Policy Program, 1.
  25. Loukas, G. (2015). Cyber-physical attacks: A growing invisible threat. Oxford: Butterworth-Heinemann.
  26. Lusthaus, J., & Varese, F. (2017). Offline and local: The hidden face of cybercrime. Policing: A Journal of Policy and Practice, PAX042, 1–11. https://doi.org/10.1093/police/pax042
  27. MacKinnon, L., Bacon, L., Gan, D., Loukas, G., Chadwick, D., & Frangiskatos, D. (2013). Cyber security countermeasures to combat cyber terrorism. In Strategic intelligence management (pp. 234–257). Elsevier. Waltham, MA, USA.
  28. Maras, M.-H. (2016). Cybercriminology. Oxford University Press, Oxford, United Kingdom.
  29. Markoff, J. (1990). Computer intruder is put on probation and fined $10,000. The New York Times.
  30. Motoyama, M., McCoy, D., Levchenko, K., Savage, S., & Voelker, G. M. (2011). An analysis of underground forums. Paper presented at the proceedings of the 2011 ACM SIGCOMM conference on internet measurement conference. Berlin, Germany.
  31. National Crime Agency. (2018). Cyber crime. Retrieved from http://www.nationalcrimeagency.gov.uk/crime-threats/cyber-crime
  32. Ophardt, J. A. (2010). Cyber warfare and the crime of aggression: The need for individual accountability on tomorrow’s battlefield. Duke Law & Technology Review, i.
  33. Ponemon Institute. (2017). 2017 cost of cyber crime study.
  34. Shimomura, T., & Markoff, J. (1995). Takedown: The pursuit and capture of Kevin Mitnick, America’s most wanted computer outlaws-by the man who did it. New York: Hyperion Press.
  35. Thorsen, E., Sreedharan, C., & Allan, S. (2013). Wikileaks and whistle-blowing: The framing of Bradley Manning. In Beyond WikiLeaks (pp. 101–122). Springer. London, United Kingdom.
  36. Wall, D. S. (2007). Policing cybercrimes: Situating the public police in networks of security within cyberspace. Police Practice and Research, 8(2), 183–205.
  37. Yang, D. W., & Hoffstadt, B. M. (2006). Countering the cyber-crime threat. American Criminal Law Review, 43, 201.
  38. Yip, M. (2011). An investigation into Chinese cybercrime and the applicability of social network analysis. ACM WebSci ’11, Koblenz, Germany.

Further Reading

  1. Casey, E. (2011). Digital evidence and computer crime: Forensic science, computers, and the internet. Academic. Waltham, MA, USA.
  2. Rogers, M. K. (2011). The psyche of cybercriminals: A psycho-social perspective. In Cybercrimes: A multidisciplinary analysis (pp. 217–235). Springer. Berlin, Heidelberg.
  3. Smith, R., Grabosky, P., & Urbas, G. (2004). Cyber criminals on trial. Criminal Justice Matters, 58(1), 22–23.

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. School of Interdisciplinary Informatics, University of Nebraska at Omaha, Omaha, USA