Cybercrime Pays: New study finds cybercriminal revenues hit $1.5 TRILLION annually
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Cybercrime Pays: New study finds cybercriminal revenues hit $1.5 TRILLION annually

A new study commissioned by Bromium examined new criminality platforms and the booming cybercrime economy

A new study, commissioned by Bromium and presented by Dr. Michael McGuire at RSA, has found that the cybercrime economy has grown to $1.5 trillion dollars annually. That’s $1.5 TRILLION US dollars in illicit profits.

The study, which was one of the first of its kind, aimed to examine the “dynamics of cybercrime” in the context of revenue flow and profit distribution. Over the course of nine months, Dr. McGuire, working in his capacity as a senior lecturer in Criminology at Surrey University, conducted interviews with convicted cybercriminals, analyzed data from international law enforcement operations and financial institutions, and conducted covert observations on the Dark Web. What Dr. McGuire found was a burgeoning industry, where the professionalization of cybercrime has become commonplace. This cybercrime economy is self-sufficient and blurs the lines of legality.

“The findings of Dr. McGuire’s research provide shocking insight into just how widespread and profitable cybercrime has become,” commented Gregory Webb, CEO of Bromium. “The platform criminality model is productizing malware and making cybercrime as easy as shopping online. Not only is it easy to access cybercriminal tools, services and expertise: it means enterprises and governments alike are going to see more sophisticated, costly and disruptive attacks as The Web of Profit continues to gain momentum. We can’t solve this problem using old thinking or outmoded technology. It’s time for new approaches.”

Conservative estimates in The Web of Profit research show cybercriminal revenues worldwide of at least $1.5 trillion

If you’re keeping track at home, $1.5 trillion is roughly equivalent to the GDP of Russia. Just let that sink in for a second. In fact, if Cybercrime were a country – run by President Guccifer 2.0 – it would have the 13th highest GDP in the world.

Breaking down that $1.5 trillion figure a little more, we can see how profitable some of these illicit activities actually are:

  • $860 billion – Illicit/illegal online markets
  • $500 billion – Theft of trade secrets/IP
  • $160 billion – Data trading
  • $1.6 billion – Crimeware-as-a-Service
  • $1 billion – Ransomware

The report finds that Cybercrime functions on a number of levels, with some large “enterprise” style operations netting well over $1 billion while SME-style outfits made between $30,000-$50,000. But, Dr. McGuire was quick to caution against calling cybercrime operations analogous to businesses, instead preferring to describe cybercrime as an economy.

“A hyper-connected range of economic agents, economic relationships and other factors now capable of generating, supporting, and maintaining criminal revenues at an unprecedented scale.”

The rise of “Platform Crimality” is creating a “Monstrous Double” of the legitimate information economy

One of the newest trends in cybercrime is the move towards “Platform Criminality” wherein the facilitation of cybercrime, as opposed to the performance of the act itself, is the truly lucrative proposition.

Platform capitalism – a term used to describe the likes of Uber, Facebook and Amazon – is offering fertile ground for hackers to further their gains. Whether by hacking companies to acquire user data; intellectual property; disseminating malware; selling illegal goods and services; setting up fake shop fronts to launder money; or simply connecting buyers and sellers, it is evident that cybercriminals are adept at manipulating existing platforms for commercial gain. Yet beyond platforms being the targets and unwitting enablers of cybercrime, the report suggests they have provided inspiration – as a model of platform criminality emerges.

Per Dr. McGuire, “the main contribution of platforms is to connect individuals with a service or product.” While an individual hacker may only make upwards of $30,000 per year, a manager on a Cybercrime platform can make $2M per job. McGuire found numerous examples of services and products for sale on these various platforms (some examples are below). There’s even “Customer Service.” A fact made even more absurd when you contrast it with the fact that you practically have to hire a Private Investigator just to find a phone number to reach Google or Facebook.

  • Zero-day Adobe exploits, up to $30,000
  • Zero-day iOS exploit, $250,000
  • Malware exploit kit, $200-$600 per exploit
  • Blackhole exploit kit, $700 for a month’s leasing, or $1,500 for a year
  • Custom spyware, $200
  • SMS spoofing service, $20 per month
  • Hacker for hire, around $200 for a “small” hack

Not that this should surprise anyone, but these trends show no signs of slowing down. Cybercrime is a rapidly evolving industry, and everything about it – from the ways its perpetrated to the methods used to facilitate it – are growing more sophisticated. In 2018, the Cybercrime economy is worth $1.5 trillion.

Ten years from now… who knows?


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.