Cybercrime-as-a-Service Operations

Reference work entry


This chapter explores the cybercrime-as-a-service operations that have changed the cybercrime marketplace from a direct sales model to a managed service model. As cybercrime evolved, so did the motivation and skill of the hackers. What began as a highly skilled activity undertaken by individuals driven by curiosity and research grew into a horde of lightly trained yet motivated young people looking for notoriety and/or a quick profit as tools became easier to use and more readily available. As the ability to profit from cybercrime grew exponentially, hackers began to sell their services, and eventually it became more profitable and less risky to sell packaged cybercrime as a service than to commit the crime. Cybercrime-as-a-service operations now involve many types of cybercrime, including botnets, distributed denial of service (DDoS) attacks, credit card fraud, malware, spam, and phishing attacks. The services are sold through hacker forums, direct web sales, and on the dark web using cryptocurrency. The world's law enforcement agencies have recognized the threat of cybercrime-as-a-service operations, and there have been recent high-profile arrests of the operators and takedowns of the cybercrime-as-a-service operations.


Keywords: Cybercrime as a service; Botnets; DDoS; Fraud; Economy; Dark web



Copyright information

© The Author(s) 2020

Authors and Affiliations

  1. Norwich University, Northfield, USA
