When personal data is stolen in a breach, such as the recent high-profile attacks on Optus and Medibank, it often begins a journey through a shadowy criminal marketplace that follows surprisingly traditional models of supply and demand.
Passwords, personal information, copies of identity documents and contact details of victims may pass through a web of transactions, mediated in online forums or hidden on the dark web, and denominated in cryptocurrency, before ending up in the hands of those who plan to exploit them.
“There are several different markets out there – or forums,” Dean Williams, systems engineer at NortonLifeLock, explains.
“You can often find verified data breach stores where you can search by the organisation name and have access to the entire list right down to buyer-seller platforms where you can buy different levels of [personal information] at different quantities.”
The largest ones offer cybercrime as a service: a buyer can order a distributed denial-of-service attack to bring down a site, ransomware tools or services, and malware that they can then use on their intended targets.
“It means that people can enter into the world of cybercrime without having traditional cyber skills because you are just ‘buying bad’, or renting,” Katherine Mansted, director of cyber intelligence at CyberCX, said.
Transactions are in cryptocurrency – often bitcoin. Initial access to an organisation in Australia can cost around US$500, but Mansted said there was no standard price because it depends on the size of the organisation, the quality of access, and the sector that organisation is in. The price is usually higher for companies in larger countries like the US.
Credibility in these groups is built by proving what you have: in a data breach, the seller of the records will often provide a sample so that prospective buyers can cross-check it against existing breaches and confirm it is genuinely new material.
Some sites even have Reddit-style upvoting systems.
“Because of the presence of law enforcement and researchers, marketplaces rely on reputation systems to try to separate real cybercriminals from pretend. And, of course, the reputation systems also provide buyers and sellers with a degree of protection from scammers,” Brett Callow, threat analyst at Emsisoft, said. “Some marketplaces also offer middleman services which hold funds until buyers confirm the product is as described.”
Law enforcement are able to take down some marketplaces or some of the biggest sellers of services, but experts say it is a game of whack-a-mole. When one group or site falls away, a new one will rise up.
“Unfortunately, there’s so much money to be made from cybercrime that there will always be people who are willing to step up to fill gaps in the ecosystem,” Callow said.
“When we do searches, we find that sites do drop and then reappear in the same format, but under a different URL,” Williams said.
“You’ve got to look at it as a game of cat and mouse. Criminals are very, very good at pivoting.”
Mansted said black markets work “just the same” as any other.
“Certain groups have the ascendancy and then they don’t,” she said. “Certain groups sell the best stuff and command the best price for it, different people have high skills and they rise up and sometimes they rise up to find the attention of law enforcement and then they have a quick end.”
Hackers can be employees of these markets, she said.
“It’s not just hackers in hoodies, it’s grandmas in Russia and former Soviet countries, it’s people who, in any part of the world, literally clock on to work each day, like businesses, criminal businesses within a market and an economy,” she said.
“And then once you understand that, you can actually start to figure out how to actually stop their economy. You can figure out which bits are vulnerable and so that’s where you can focus your attention.
“It’s a market economy – we just have to figure out how to make it less profitable for them.”