'Exploring the social organisation and structure of stolen data markets' by Thomas Holt in (2013) Global Crime argues that -
As consumers are increasingly using the Internet to manage their finances, there has been a concomitant increase in the risk of theft and fraud by cybercriminals. Hackers who acquire sensitive consumer data utilise information on their own, or sell the information in online forums for a significant profit. Few have considered the organisational composition of the participants engaged in the sale of stolen data, including the presence of managerial oversight, division of labour, coordination of roles and purposive associations between buyers, sellers and forum operators. Thus, this qualitative study will apply Best and Luckenbill's framework of social organisation to a sample of threads from publicly accessible web forums where individuals buy and sell stolen financial information. The implications of this study for criminologists, law enforcement, the intelligence community and information security researchers will be discussed in depth.
Holt concludes -
Over the last decade, research has begun to examine the ways that cybercriminals acquire, sell and use personal information to engage in fraud and theft. These studies highlight the types of products sold and the social relationships between participants, though few have considered the organisational composition of actors and techniques to manage exchanges between participants. This study explored these issues using Best and Luckenbill's organisational framework through a qualitative analysis of posts from both Russian and English language forums.
The findings indicate that the participants in stolen data forums operate at various stages of deviant sophistication. Those who sell and buy data appear to operate as colleagues within the market to facilitate the exchange of data. Individuals do not have to work with others, but the collegial environment provides access to those who can facilitate partnerships to achieve a specific goal. An individual could buy cards from one seller and then seek out an encasher or provider who will liquidate an account. They may use these sellers again, or seek out others based on the availability of products and access to resources. Furthermore, these markets appear to make economic crimes much easier to commit, and foster a substantive division of labour between participants based on the range of products and services available. This study supports the assertion that ‘parts of the Net will soon develop into a new “improved” underworld’ to obtain all manner of resources and engage in crimes. At the same time, the buying and selling process is peer-driven because actors can engage one another and influence action through recommendations. Buyers can discuss their experiences and interactions with sellers, and those who receive extremely positive feedback may be more likely to obtain multiple clients. Forum administrators can provide reviews of products or influence the status of a seller which may also affect their share of the market. Additionally, administrators can ban users on the basis of fraudulent claims in order to moderate user activity. These mechanisms help to reduce the risk of loss for buyers, though the relatively low barriers to enter and participate in a forum allow unscrupulous vendors to take advantage of prospective buyers. Individuals may ignore clear warning signs based on personal interests or needs and lose money with no formal recourse for compensation. 
Thus, actors in stolen data forums share similar risks with hawking markets for stolen goods in the real world or even street corner drug sales.
This study also demonstrates that these forums vary in their organisational complexity based on extended duration over time and the presence of purposive relationships between groups. Two of the forums sampled constitute formal organisations, while the other two appear to be driven by teams due to their short duration and generally limited organisational complexity. The two forums that operate as formal organisations were also based on Russian language, suggesting that they may be more sophisticated than the two English language forums sampled. It is unclear if this is a function of distinct differences in the nature of the forum populations, or a reflection of general differences in the organisational structure of each forum overall. Additional research is needed with a larger sample of forums in various languages to understand the nature of formal organisations across the market. These findings will increase our knowledge of variations in the structure of stolen data markets in various settings across the computer underground.
The findings of this study call to question policy recommendations made by previous researchers. Some have argued for the use of slander attacks against forums, by flooding threads with posts claiming that a seller is giving bad data or attempting to cheat customers. Such a campaign may initially cause confusion among participants, but this can be diffused through the internal mechanisms available to forum participants. Escrow services enable participants to have a satisfactory exchange, or engage in transactions with those who have gone through checking services. Prospective buyers could also examine advertisements and reviews posted on other sites to vet a seller's reputation. Finally, administrators may ban those users and edit the posts of those actors who attempt to disrupt the market with false posts and information.
Rather than promoting simple attempts to disrupt forums, there may be a greater merit in cataloguing the behaviours and organisational composition of market actors to develop successful undercover identities for law enforcement. Federal agencies have infiltrated several forums through participation as data buyers, or in some cases, by turning market participants into confidential informants. The success of these tactics depends on an implicit understanding of the formal and informal mechanisms between participants to manage relationships and transactions. This information can only be generated through constant observation of participant behaviours across multiple forums to discern differences in subcultural and market forces.
There is also a need for careful revision and adjustment of cooperative agreements to facilitate the international investigation and prosecution of data thieves. The findings of this study demonstrate that participants are compromising banks, businesses and citizens in the US and European Union. The participants, however, appear to be either native to the Russian Federation or Russian speakers living abroad. Currently, the US and the Russian Federation have difficulty collaborating to successfully facilitate the extradition of cybercriminals. As a result, it is vital that law enforcement agencies find ways to improve existing extradition treaties and cooperative frameworks to ensure that responsible actors may be detected and brought to justice.
Finally, there is a need for additional research to replicate the exploratory findings of this study and the organisational composition of participants in the sale of stolen data. Additional research is needed in order to understand the relational networks that facilitate stolen data markets. For instance, it is unclear how frequently sellers appear as buyers within the market, or how buyers connect sellers together in the larger marketplace generally. Social network analyses of the posters and threads are needed in order to identify the relationships that undergird the social organisation of participants. Furthermore, it is unknown how the organisational composition of forums affects the price of goods and services within the market. Additional research is also needed to understand how product testing, verification of services and participant feedback influence the cost of financial information or cashout services.