Cybercrime is no longer a fringe activity carried out by lone hackers in basements. Today, it operates as a mature, service-driven underground economy complete with specialization, outsourcing, predictable revenue models, and even customer support.
In many ways, modern cybercrime operates disturbingly like the businesses it targets.
Understanding how the cybercrime economy operates is critical to defending against modern threats. More importantly, it highlights why traditional, trust-based security models continue to fail, and how Zero Trust principles can disrupt cybercrime at its economic core.
What is cybercrime?
Simply put, cybercrime refers to criminal activity that uses digital technologies, networks, and devices. It includes everything from phishing, identity theft, and fraud to ransomware, data theft, and the sale of stolen information.
Cybercriminals can target individuals, businesses, and governments alike, and their motives can be financial, ideological, or political. Small and medium-sized businesses (SMBs) are particularly attractive targets, since they are less likely to have adequate security resources. According to the Verizon 2025 Data Breach Investigations Report, small businesses account for 43% of all cyberattack targets, despite controlling far less total revenue than large enterprises.
Cybercrime continues to evolve rapidly, accelerated by advanced technologies like AI and often outpacing the development of countermeasures. At the same time, this evolution has matured the cybercrime economy into a highly organized ecosystem that no longer requires extensive technical or hacking knowledge as a prerequisite. The economy is open to anyone around the world willing to take the risk.
From lone hackers to today’s thriving black market: How underground forums and cryptocurrency bolstered cybercrime
Early cybercrime was opportunistic and relatively unsophisticated.
Individual attackers scanned for new vulnerabilities and wrote their own malware to exploit them. Systems and networks were targeted more for curiosity, experimentation, or recognition among their peers in the hobbyist hacker community than for consistent financial gain.
These attacks were usually noisy and manually executed, making them difficult to repeat or scale into a dependable source of profit.
That dynamic began to change as cybercriminals adopted the same practices that drive legitimate businesses: distribution, accessibility, and scale. Underground forums and marketplaces allow attackers to buy and sell tools instead of building everything themselves, while cryptocurrencies anonymize transactions and make both purchasing malware and soliciting ransom payments more accessible and harder to trace.
Over time, cybercrime evolved into a distributed ecosystem in which different actors play discrete roles, each optimized for efficiency and profit.
This shift mirrors the broader SaaS economy. Instead of writing malware from scratch, attackers now subscribe to it. Instead of breaking into networks themselves, they purchase access. As outlined in this analysis of malware-as-a-service, cybercrime has become a repeatable, scalable business model, rather than a series of one-off attacks.
Inside the modern cybercrime economy
Modern cybercrime is best understood not as a single threat or even a single class of attackers, but as an ecosystem with multiple components working together. Just as a grocery store relies on a supply chain of farmers, distribution centers, and marketers to feed people across a wide network of stores, attackers rely on multiple parties filling specialized roles that ultimately bring their product, data theft, to victims faster and more easily.
Below are descriptions of the major components of this ecosystem and how they fit together:
Underground forums and marketing channels
Cybercriminals sell and trade their tools, stolen data, and services across a set of online platforms, rather than in a single centralized marketplace. Historically, this activity has taken place on underground forums, many of which are hosted on the dark web.
Here, users advertise their wares: stolen credentials, malware, exploit code, initial network access, ransomware partnerships, and even the data they’ve successfully stolen.
Most underground forums do not allow open registration. Instead, users are typically required to receive an invitation, pay a membership fee, or demonstrate prior involvement in cybercrime, such as previous sales, exploit development, or references from existing members. The community tends to be close-knit, and violating rules or attracting unwanted attention can result in a ban from one or all forums and damage the offender's reputation among their peers.
In recent years, a significant portion of this activity has moved to the messaging app Telegram, where, in addition to marketing their wares, attackers use the app's messaging features to chat directly with their victims and negotiate ransom payments.
For years Telegram was the preferred cybercrime platform thanks to its reluctance to moderate content for illegal activity, but this changed in 2024, when it took a stronger stance after the arrest of its CEO.
Malware‑as‑a‑Service (MaaS) and Ransomware‑as‑a‑Service (RaaS)
In the early days of cybercrime, attackers were typically responsible for both writing malware code and deploying it against their targets. This works well enough when an attacker has the time to devote to surveilling and researching a specific target, but it's difficult to scale to any useful notion of profit.
MaaS, by comparison, separates malware development from malware operation: developers build modular, reusable malware packages, while affiliates deploy them through phishing, exploits, or stolen credentials.
The malware typically communicates with an external command and control infrastructure, allowing operators to issue commands, rotate payloads, and collect stolen data without direct access to victim systems.
RaaS works much the same way, but the malware the affiliates deploy is ransomware, which encrypts victim endpoints to hold them hostage.
Affiliates manage these criminal campaigns through web-based dashboards, which lowers the technical barrier to entry and enables malware and ransomware to be deployed at scale as a repeatable service.
This shift gained momentum as ransomware proved consistently profitable in the mid-2010s. This business model and various affiliate networks have made cybercrime accessible to a much wider range of attackers, including those less technically capable.
Initial Access Brokering
Data theft starts with access to data, and MaaS and RaaS operators may rely on another party, Initial Access Brokers (IABs), to ensure their malware packages have reliable access to victim systems.
Initial Access Brokers specialize in gaining unauthorized but persistent access to networks, typically through stolen credentials, exposed remote access services, or unpatched internet-facing systems.
IABs perform the hard work of acquiring vulnerable targets, performing reconnaissance to identify potential points of access, and installing some method of reliable access, such as configuring their own login credentials or installing a malicious backdoor. They then sell this access upstream on underground marketplaces, where MaaS and RaaS affiliates and other attackers can purchase it in bulk.
Credential harvesting
Credential harvesting refers to the collection of authentication materials such as usernames, passwords, session tokens, browser cookies, API keys, and cloud credentials. This harvesting is commonly performed by infostealer malware, phishing kits, or scripts deployed onto a system after it's been compromised.
These harvested credentials are the primary currency of the cybercrime economy. Credential theft is increasingly valuable to MaaS operators and IABs because valid credentials alone don't necessarily raise the suspicions of security teams or log analyzers.
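Because stolen but valid credentials produce successful logins rather than failures, detection has to look at the shape of successful authentication. The following is an added example, not code from the original article: it runs two such checks over constructed log lines, using a hypothetical per-account baseline of known source addresses and a hypothetical threshold for how many distinct accounts one source may authenticate as in a short window.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article): every event is a
# *successful* login, so a failed-login rule would never fire. That is the
# situation the text describes: stolen but valid credentials.
SAMPLE_LOG = [
    '{"ts":"2025-01-10T09:00:00","user":"alice","src":"203.0.113.7"}',
    '{"ts":"2025-01-10T09:00:12","user":"bob","src":"203.0.113.7"}',
    '{"ts":"2025-01-10T09:00:25","user":"carol","src":"203.0.113.7"}',
    '{"ts":"2025-01-10T09:00:40","user":"dave","src":"203.0.113.7"}',
    '{"ts":"2025-01-10T09:05:00","user":"alice","src":"198.51.100.20"}',
    '{"ts":"2025-01-10T09:30:00","user":"erin","src":"192.0.2.9"}',
]

# Hypothetical per-user baseline: source addresses each account used before.
KNOWN_SOURCES = {
    "alice": {"198.51.100.20"}, "bob": {"198.51.100.21"},
    "carol": {"198.51.100.22"}, "dave": {"198.51.100.23"},
    "erin": {"192.0.2.9"},
}

WINDOW = timedelta(minutes=10)
SPRAY_THRESHOLD = 3  # distinct accounts from one source inside WINDOW


def detect(lines, known_sources=KNOWN_SOURCES):
    """Return alerts for successful logins that look like harvested-credential use."""
    alerts = []
    recent = defaultdict(deque)  # src -> (ts, user) events inside the window
    reported = set()             # sources already flagged, to avoid duplicates
    for line in lines:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        user, src = ev["user"], ev["src"]
        # Rule 1: a valid login from an address this account has never used.
        if src not in known_sources.get(user, set()):
            alerts.append(("new_source_for_user", user, src))
        # Rule 2: one source authenticating as several different accounts in a
        # short span: the shape of bulk credential use, not of one person.
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > WINDOW:
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct >= SPRAY_THRESHOLD and src not in reported:
            reported.add(src)
            alerts.append(("one_source_many_accounts", src, distinct))
    return alerts
```

Against the sample, the four logins from 203.0.113.7 each trip the baseline rule and the third one trips the many-accounts rule; the two logins from known addresses produce nothing.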
Phishing kits and Phishing-as-a-Service
Phishing kits industrialize the social engineering side of credential harvesting by packaging all the individual components of a typical phishing campaign into an automated "kit."
A kit typically includes prebuilt webpage templates imitating familiar websites, into which victims might mistakenly enter their login information. Scripts included in the kit collect and forward captured credentials directly to attackers or credential harvesters.
Lately, the components of phishing kits are more likely to be provided by malicious parties offering Phishing-as-a-Service (PhaaS), which further lowers the barrier for attackers who do not want to host a kit on their own backend infrastructure. Paying a subscription fee to such a service gives attackers access to:
- Adversary-in-the-Middle (AiTM) features, enabling session token theft to bypass MFA
- AI message writing utilities to craft convincing phishing email and text messages
- Email or SMS delivery infrastructure
- Web-based management dashboards
- Customer support, available across different languages and time zones
Exploit kits
Exploit kits are to vulnerabilities what phishing kits are to phishing messages. As the name implies, exploit kits automate the exploitation of vulnerabilities, as described in the following hypothetical scenario:
- The attacker purchases access to an exploit kit that is advertised as targeting specific software, services, or vulnerability classes already known to be exposed in the environments they want to target.
- The attacker uses the exploit kit against an existing exposure path, such as internet‑facing infrastructure or systems identified earlier through reconnaissance, an IAB, or previously stolen credentials.
- The exploit kit automatically attempts exploitation and, if successful, delivers a secondary payload that establishes a foothold on the compromised system.
- After access is established, the attacker shifts from exploitation and begins post-compromise activity, such as lateral movement and identification of sensitive data.
- Data is exfiltrated, ransomware is deployed, or the access into the compromised network is marketed to other malicious actors.
DDoS‑for‑Hire
Not all cybercrime services are focused on gaining access or deploying malware. Some exist to disrupt their targets on demand.
Distributed denial‑of‑service (DDoS) attacks work by overwhelming a target with traffic or requests until legitimate users can no longer access the service, making availability, rather than data theft, the primary objective.
Even when attackers are not seeking credentials, access, profit, or ransom, DDoS can still be valuable for harassment or competitive sabotage. Some advanced attacks even use DDoS as a distraction for defenders while intrusions are carried out simultaneously elsewhere on a target's network.
DDoS has become productized into DDoS‑for‑hire services that use botnets made of compromised endpoints or cloud‑based resources capable of generating massive traffic volumes. In April 2026, Operation PowerOFF dismantled dozens of DDoS‑for‑hire platforms and identified more than 75,000 users globally, highlighting how widely these services are used.
Accessing a DDoS‑for‑hire service typically requires no technical skill at all. Attackers simply register on a website, choose a subscription plan, enter a target, and click a button.
Supply chain attacks
Supply chain attacks are a scalable form of third-party compromise, where attackers target trusted software, updates, plugins, or services to gain access to every downstream customer that relies on them.
While all supply chain attacks involve third parties, not all third-party compromises are supply chain attacks, as supply chain incidents deliberately exploit transitive trust to achieve many breaches rather than just one. They typically manifest as backdoors maliciously added to compromised legitimate software, as seen when an attacker purchased dozens of WordPress plugins and embedded a backdoor that was then distributed to thousands of unsuspecting sites.
Like phishing kits, exploit kits, and MaaS, supply chain attacks are a means to the ultimate goal of credential theft, persistent access, and malicious activity such as data exfiltration or deploying ransomware. Analysis of recent WordPress plugin activity highlights how attackers increasingly treat software ecosystems themselves as attack surfaces, bypassing traditional perimeter defenses by abusing trusted distribution channels.
Zero Trust as a countermeasure to the cybercrime economy
The evolution of the cybercrime economy shows that attackers remain adaptable and capable, following technological and entrepreneurial trends to stay profitable.
The Verizon 2025 Data Breach Investigations Report shows that phishing accounted for 16% of breaches and stolen credentials for another 22%. As the automated, AI-driven, service-based cybercrime economy continues to accelerate the technical capabilities of its offerings, these figures are expected to climb.
By enforcing explicit allowlisting, least privilege, and continuous verification at the endpoint and application level, Zero Trust principles are the only effective countermeasure to the modern cybercrime economy, because they blunt its services even when those services are deployed successfully:
- Malware deployed on a computer after a user falls for a convincing AI-written phishing email can't run when all application executions are denied by default.
- Phony web pages deployed by a phishing kit won’t be loaded when Zero Trust network policies block their traffic.
- Compromised WordPress plugins are stopped from installing when they aren’t explicitly permitted by allowlisting policies.
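The deny-by-default behaviour behind the first bullet, as an added example that is not ThreatLocker's code or policy format: a small allowlist evaluator in which a file runs only when a hash rule or a publisher-plus-directory rule explicitly matches it, and in which a trusted parent process (a word processor opening a phishing attachment) confers no trust on what it spawns. Publisher names, paths, and file contents are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass

# Hypothetical policy model (added here; not ThreatLocker's own format): an
# execution runs only if a rule explicitly matches it; anything else is denied.

@dataclass(frozen=True)
class Rule:
    kind: str              # "hash" or "signer"
    value: str             # sha256 hex digest, or the signing publisher
    path_prefix: str = ""  # signer rules can be limited to a directory

@dataclass(frozen=True)
class Execution:
    path: str
    content: bytes
    signer: str   # "" for unsigned binaries
    parent: str   # process that launched it; trust is NOT inherited from it

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def evaluate(policy, ex):
    """Return ("allow", matching_rule) or ("deny", reason). Default is deny."""
    digest = sha256(ex.content)
    for rule in policy:
        if rule.kind == "hash" and rule.value == digest:
            return ("allow", rule)
        if (rule.kind == "signer" and ex.signer and ex.signer == rule.value
                and ex.path.startswith(rule.path_prefix)):
            return ("allow", rule)
    return ("deny", f"no rule matches {ex.path} launched by {ex.parent}")

# Constructed scenarios (file contents and publisher names are placeholders).
WORD = Execution("C:\\Program Files\\Office\\WINWORD.EXE", b"office-binary",
                 "Example Publisher", "explorer.exe")
BACKUP = Execution("C:\\Tools\\backup.ps1", b"Copy-Item ...", "", "cmd.exe")
# Payload dropped by a phishing document: unsigned, unknown hash, trusted parent.
PAYLOAD = Execution("C:\\Users\\u\\AppData\\Local\\Temp\\invoice.exe",
                    b"dropper", "", "WINWORD.EXE")
# Same trusted publisher, but outside the directory the signer rule permits.
STRAY = Execution("C:\\Users\\u\\Downloads\\tool.exe", b"signed-tool",
                  "Example Publisher", "chrome.exe")

POLICY = [
    Rule("signer", "Example Publisher", "C:\\Program Files\\"),
    Rule("hash", sha256(BACKUP.content)),
]
```

With this policy the office binary and the hash-pinned script run, while the dropped payload is denied despite its trusted parent, and the signed tool outside its permitted directory is denied as well; an empty policy denies everything.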
If you want to apply these principles from a unified, easy-to-use interface, ThreatLocker provides a Zero Trust platform that stops untrusted applications, scripts, and behaviors in networks of all sizes, even after malicious actors have made their way inside.