• Brett Johnson

Know Your Enemy: Understanding Online Crime through the Cybercrime Triangle

Gathering the data, committing the crime, cashing out.  The three necessities of cybercrime.  The problem is a single criminal isn’t good at all three.  He is good at one.  Sometimes two.  Rarely all.  That’s why the cybercrime community as a whole exists:  It allows that one specific criminal to learn from and network with other criminals who are good in areas where he is not. 

Recently, Peter Taylor found inspiration in the Cressey Fraud Triangle (a model for explaining the factors causing someone to commit occupational fraud) to make a Three Necessities of Cybercrime Triangle following conversations he and I had regarding online crime.

Additional conversations with Peter Taylor and law enforcement agents led me to add to the Three Necessities Triangle to explain the overall dynamic of organized cybercrime.

The Online Criminal

The Cressey Fraud Triangle centers on occupational fraud and the insider.  Cressey states for fraud to occur three things must take place: 

1. Pressure.  A person must feel some degree of pressure or stress which would cause them to engage in fraud.  What that pressure may be varies, but it must be present.

2. A person must have the opportunity to commit the fraud.  Without the knowledge or the access to engage in fraud, it won’t happen.

3. Finally, a person must justify or rationalize the crime in an attempt to avoid guilt.

The Cressey Fraud Triangle, to a degree, can apply to cybercrime.

In my own criminal behavior, the pressure was the need to steal money in order to buy love.  It was never enough to tell someone I loved them and to show it through a relationship.  I felt the pressure to show my love by buying people expensive items.  Cash to satisfy that pressure has been the driving force of my criminal career.

My opportunity came from the knowledge gathered over my decades as a criminal.  From age 10 shoplifting food to feed me and my sister and finding out my mother was a career criminal and being enlisted by her to commit various frauds small and large, to becoming a social engineer to survive mom’s abuse, to finally branching off on my own to commit crimes solo.  I used the knowledge I’d gained as a child being raised in a criminal environment, learning from other criminals, trial and error, and more.  Later I would build and then lead the first organized cybercrime community, ShadowCrew.  The knowledge and mindset learned over the years coupled with that community was all the opportunity I needed to commit online crime.

I justified my crimes and believed the justifications.  I told myself and others I committed crime for my family, my sister, my wife, my stripper girlfriend.  I told myself I wasn’t hurting people, only banks and governments.  I told myself I was a good guy in real life, just not online.  All those excuses and more allowed me to continue breaking the law while easing my conscious. 

Many cybercriminals conform to parts of the Cressey Fraud Triangle, but Cressey isn’t the full answer.  What about the confidence and the ego it takes for an online criminal to commit those crimes?  What about a cybercriminals simple willingness to engage in crime?  Pressure?  Oftentimes the pressure is minimal or non-existent.  A kid wants a videogame, he uses stolen credit card data to steal the game.  Another becomes angry while playing Xbox Live and launches a DDOS attack against Microsoft.  Pressure, if any, is minimal.  Often there is no pressure.  A person reads of money being stolen by cybercrooks and decides to try it.  Cressey doesn’t address the biggest traits of a cybercriminal.

Individual Factors in Committing Online Crime

For a cybercriminal to be successful he must have The Willingness to commit the crime, the Ego to do it, and the Knowledge of how to commit the crime. 


Is the person willing to engage in cybercrime?  To what extent?  Willing to steal money from a senior citizen or single mother?  Unwilling to steal the identity of a child? Or maybe only willing to defraud the government, a bank, or a merchant?  What type of crime is the person willing and unwilling to commit?


If an online criminal doesn’t believe he can defeat security and commit a crime without being caught, he likely won’t break the law.  He needs the confidence and ego necessary to believe he can beat multimillion-dollar companies.  Fortunately, cybercriminals tend to have huge egos, narcissistic personalities, and unrealistic levels of confidence.

While many cybercrooks may possess traits geared toward committing crime, much of the cybercrime community works to further boost a criminal’s ego and confidence level.  Less skilled or respected members seek out those with more knowledge, respect, and ability.  They seek to learn from them, partner with them, or to raise their own respect level through association.  The more skill a criminal has or the more a criminal knows, the more popular he becomes in the environment.  This serves to feed the ego, narcissistic personality, and confidence of members within the cybercrime community.


The Willingness to commit crime and the ego to do it are useless if the criminal doesn’t know how to commit the crime.  Aspiring cybercriminals rarely understand how to engage in cybercrime.  They purchase credit card numbers and try to steal products or services without any knowledge of how to commit credit card fraud.  Most fail, few profit.  Acquiring knowledge is key to success.  Beginners learn from tutorials or live instruction, read criminal forums for nuggets of information, ask questions and more.  More skilled and experienced criminals learn by researching potential targets, reading whitepapers, studying indictments, Terms of Service, and more.

The cybercriminal operates within the framework of the Three Necessities Triangle

The Three Necessity Triangle

To reiterate, online criminals operate within the Three Necessities Triangle.  The Triangle is made of three legs:  Gathering the data, Committing the Crime, Cashing Out.  Those three legs form the basis of successful cybercrime.  All three must work properly or the crime fails.  The problem is a single criminal is not an expert in the three necessities.  He is an expert in one, sometimes two.  A criminal must rely on others who are better in areas he is not for the crime to be a success.  Organized cybercriminals have known this since modern cybercrime’s inception.  Only by networking with others does cybercrime become truly successful.  The ability to fill those expert vacancies relies on the overall world of organized cybercrime.

The Support Network of Online Crime

Forums, Marketplaces, Darkweb and Surfaceweb Groups form the overall framework of cybercrime which supports the Three Necessity Triangle and the criminal.

Cybercrime doesn’t operate as a normal business.  There aren’t dedicated employees.  Instead, members tend to cycle in and out of groups and crimes.  A person may be a member of a respected cybercrime group like Carbanak, while at the same time partnering with other smaller groups.  He may enter and exit those groups on a continuous basis or commit crime solo.  Leaders are appointed based on respect within the overall community.  Owners of forums and marketplaces aren’t paid salaries, but instead make money per transaction or engage in the same types of crimes members of the site are committing.  The cybercrime world most closely resembles that of a Co-Op:  A co-operative society or focused enterprise.  The difference being this co-op is committing crime.

The Cybercrime Co-Op works together to share information, network, and profit.  Information is either shared publicly using a forum structure or privately using encrypted messaging services.  Working together almost always involves using encrypted applications, emails, and messages.

The forum structure provides a Trust Mechanism which criminals use to gauge honesty among other criminals.  The Trust Mechanism allows criminals to successfully network with other criminals and further enables one to learn pertinent, correct information about new criminal techniques, trends, targets, and more. 

Criminal groups, forums, and marketplaces further assist a criminal in satisfying the three necessities of cybercrime.  Data thieves and cashiers (money mules) frequent the forums and marketplaces and advertise their products and services.  The forums and marketplaces also institute a review and vouching system which buyers use to find the best product to commit a specific crime.

Within the overall cybercrime community members know by looking at another member’s online name several things about that person:  They know the skill level of the person.  They know if the person can be trusted.  They know if they can network with the person or learn from the person.  They know if a person is selling a product or service how good the product is and how profitable the product can be when committing crime.

There are leaders among forum operators, marketplaces, stolen data sellers, users, and cashiers. The problem for law enforcement is there are hundreds, sometimes thousands of these individuals.  When law enforcement arrests the leaders of a segment, those waiting in the wings move into the vacated leadership role.  Because of the interconnected nature of the cybercrime community arrests and seizures tend to have little impact on the cybercrime platform.  Members already cycle in and out of groups and use the same username across multiple groups and sites.  That makes transitioning from a shut down forum or marketplace to a new one easy.  The admins of a new forum or marketplace require verification for a known username entering the site.  Users are verified by vouches from trusted members, PGP keys, email access, blockchain access, or other procedures.

288 views0 comments