This week in digital trust » Episode 90

#90 The human side of cybercrime – with Dr Jonathan Lusthaus

12 December 2023

This week we explore the human side of cybercrime, via a conversation with Dr Jonathan Lusthaus, director of The Human Cybercriminal Project at the University of Oxford.

Jonathan has spent over a decade researching who cybercriminals are, what drives them, and how they organise themselves, collaborate and innovate.

We explore his findings – which he chronicled in his book Industry of Anonymity – and why he ultimately believes that the cybercrime industry is “a tragedy”.

Listen now

Transcript

This is an automatically generated transcript. We make our best efforts to check that it is an accurate reflection of the episode, but it may contain some errors and unedited content.

Arj
Welcome to this week in Digital Trust, elevenM’s regular conversation about all things tech policy, privacy and cybersecurity. I’m Arj joining you today from Awabakal country.
And today we’re going deep into the world of cybercrime through the eyes of a sociologist via conversation with Dr. Jonathan Lusthaus.
Jonathan is Director of The Human Cybercriminal Project at the University of Oxford and an associate professor in global sociology in the Department of Sociology. For over a decade, Jonathan has conducted research into the human side of cybercrime, exploring who cybercriminals are, what drives them, and how they organise themselves and collaborate. He’s the author of a fantastic book on this subject titled Industry of Anonymity Inside the Business of Cybercrime.
He’s a regular speaker at conferences and the author of several articles and publications. Hope you enjoy the conversation.

Jonathan Lusthaus, welcome to this week in Digital Trust.

Jonathan Lusthaus
Thanks very much for having me.

Arj
We’ve been wanting to have you on for a while. I personally have been following your work for quite a while. I mean, we crossed paths back when I worked for one of the major banks here in Australia and it’s been really…
Great to follow your work from afar, but to actually have the opportunity to talk to you is very exciting. You’ve written a book, I should mention that upfront, Industry of Anonymity Inside the Business of Cybercrime. It’s such a detailed book, the product of seven years of fieldwork, multiple countries. You’ve written about this on your blog going back 10 years. So I will put the links in the show notes. But I wanted to sort of start by actually understanding what was it that as a sociologist and from that kind of background drew you. to cybercrime in these groups? I mean, even like what were you doing at the time that sort of led you to pivot into this seemingly kind of quite different domain to what you might expect a sociologist to study?

Jonathan
Yeah, so you’re absolutely right. It seems somewhat counterintuitive, kind of putting together the human and the technical. That’s something that we often think of as being opposite poles.
But yet it’s very important that we have to engage with the interaction. And me personally, that’s kind of become my career is engaging about that point where we see this crossing of the human and the technical. And from my perspective, I’m kind of maybe not the person that you’d expect to do this because I’m completely non-technical. In fact, like I can barely make a computer work, setting up, you know, to engage in a podcast like this is like a challenging activity for me. So.
For me, the entry point wasn’t, oh, I’m fascinated by the technology, I wanna learn more about that. It was actually having no background at all, no understanding at all, and coming in as an outsider, which I can explain a little bit in terms of the value of that when you’re engaging the world as an outsider. That puts you in a position where actually, people are quite giving with the information they have because you’re non-threatening, you’re coming at it, not as someone who’s competing or threatening in that kind of way, but someone who’s just there to learn.
But the way I got into it was actually through a kind of idea of exploration. To me, this was about a hidden world. So this is when we move into the human part of it. So this sort of online space where, you know, we have people carrying all these kinds of criminal activities. But who are they? It’s sort of this hidden place. The people are hidden and then the kind of world they inhabit, how they work together is kind of hidden. And so the way I came to it was actually when I was beginning my studies as a sociologist at a classic problem of having to choose what I was going to write my thesis on. And I had a few ideas and nothing was really working out.
And right at the point where I had to kind of declare my topic was the point at which a seminar was given in my department by a journalist called Mischa Klenny. So not to plug a different book, but other than my own, but Mischa Klenny at that time was writing a book called Dark Market on one of the really big kind of cyber crime marketplaces that existed at that time in the kind of mid 2000s … just before that time.
And so this was the first opportunity I had to kind of see the human dimension. So what he was talking about was there’s people here trading, they’re selling credit card data, they’re carrying out these various activities and they’re working together in a kind of trading environment. And I thought, this is fascinating. This is like a secret place, this is a hidden world. And so that’s what actually drove me into this was trying to map something that hadn’t been mapped to try and understand something that we couldn’t see.
And that I became fascinated with. And so over time, I learned more and more about the technical components. I still wouldn’t describe myself as someone who’s technically capable by any means. But I had to educate myself on the core concepts and the core ideas to make sense of this world, to understand the humans involved. And that’s what’s driven me up to this point now, even many years later, where I’m still just fascinated with trying to understand something that quite simply is hard to see.

Arj
Could you Peel back a little bit for us on what the approach is. How do you do that? How do you get into a hidden world like that? And I very few of our listeners, I imagine, come from a sort of sociology or research background, but what is the scope of what you did?
You know, I know you did sort of over some 200 interviews and so forth, but you know, what are the sort of nuts and bolts of actually getting into the hidden world?

Jonathan
Yeah, so I mean, the core nut, so to speak, is that it takes a lot of time.
There are different approaches people use. As you mentioned, I’m a sociologist. I study people. There’s many different ways to do that. You can do that through statistical analysis of existing data sets. You can do that through interviews. You can do that through textual analysis, all sorts of different ways. But one of the core problems with studying something like the world of cybercrime is there’s just a lack of data, like good quality data, particularly if we’re talking moving away from the technical, trying to understand the people. And so the approach I took was actually, in some sense, an old fashioned kind of ancient approach, which is, you know, studying something brand new, you’re studying technology, cyber security, all these kind of happening of the moment types of threats.
But I was doing it, as you mentioned, through interviews, I was doing it through field work, which is one of the oldest types of sociology that you can do. And so the trick there was really like building up a social network over time. So that’s why it takes so much time is I came in as a person with no contacts, no knowledge, no nothing.
And I had to build that up from scratch. I started in the UK trying to find people who worked in the private sector who were in this space, trying to find people in law enforcement, and then starting to find some of the former cyber criminals themselves. And in that first sort of wave of research, I did about 10 interviews in the UK to start this off, and I got from each one of those categories, some participants. And from that point on, I started to build a knowledge base. And then it became a process of… What does this look like around the world? Like studying one country is one thing. And one of the first people I interviewed said to me, our cybercrime is a universal problem. It’s the same everywhere in the world. This is years ago, right? So we’re talking about when actually, even if you interviewed some of the top experts in the world, they didn’t necessarily have a good picture of what was happening at that human level. And so this was the information I had.
And so the first thing I did was actually go do field work in Singapore because I just happened to be passing through and it was a good opportunity to do field work. And as soon as I did that, if anyone knows anything about the nature of Singapore and crime, it’s a very different environment to just that anywhere else in the world because the level of control is so much higher. And as a result, the level of like local cyber crime was extremely low. So they’re not really producing cyber criminals of any kind. Whereas it seemed clear that other countries are definitely producing cyber criminals. So from that point on, what I started to do was engage the field work in a way of trying to get to a range of different countries to try and understand how cybercrime differed locally.
So what was happening at that local level, what was driving it in certain places, but not others. And ultimately to try and draw a picture of what are the key hubs, what are the hotspots where we’re seeing cybercrime come from and in large volumes, but also where we’re seeing different kinds of cybercrime. So some that are more technical, some that are more scam-based, all this kind of stuff. And so that seven-year process was really a process of traveling around the world. So I was exploring this hidden world, but then I started exploring the actual geographical world to make sure that I was getting to all the key elements, all the key people that I could find. But the short answer is it was just a huge amount of time.
That was the key to it, is I had to move myself into that world. I never became a participant in that world, but I had to just network and engage and get this deeper understanding of who was in this world and sort of build up these relationships over time.

Arj
Mm, that picture you painted of the sort of geographic diversity is very interesting, I think, because even today, I think it…
The quip is always, if you’ve been hacked, is that it was Vlad from Russia and there’s this sort of shorthand that everyone’s in Eastern Europe, but clearly it’s a much more richer picture than that. Can you give some insight into the personalities of those involved? I mean, again, there’s probably a preconception that cybercrimes and hackers are just sort of sheltered 14-year-old guys in basements, but what were you sort of discovering?

Jonathan
Yeah, it’s a good question and it’s a difficult question to answer because there’s no one single profile, basically. And the reason for that is partly what we just discussed, the kind of geographical dimension, the local dimension, which is we’re seeing all these different parts of the world producing cybercriminals. And as a result of that, they produce different kinds of cybercriminals because the local conditions are different in each place.
So the example used of, say, Russia, we’re seeing, you know, cybercriminals coming from there that are highly educated or highly capable. So some of them have multiple degrees, a lot of them are the same types of people that you’d expect to work in the private sector, to work in the technology sector, and some of them actually are the same people. So that profile is quite different to, say, an example like Romania or Nigeria, other parts of the world where the types of offenders we’re seeing are not so much that high level educated form of offender. I mean, some of them have a level of education, but we’re not talking about the super technical, we’re not talking about the malware coders, we’re talking about people involved more in social engineering and scams and things like this.
And so their profile looks quite different, which leads us to the second point. It sort of interacts with geography, but there’s so many different roles within cyber crime at present. It’s such a high level of specialization, such a kind of clear division of labor, that the people who get involved in these different roles look very different to each other. So to take at the two extreme ends, that one example of say, someone is coding malware, the profile of that person is gonna be, you know either highly educated or certainly, you know, just highly capable. Maybe they didn’t get a high level of education, but they figured out how to do this stuff. They sort of train themselves or learn from the community. But these are very, very smart and in a technical sense, smart people.
At the other end, we might look at say cashing out of the kind of money laundering side of things. The profile of someone coming into that world is very different. It could be a relationship to kind of conventional crime, you know, might be involved in other forms of criminality, might have a past background in that area. At the organisational level and that money side, It’s still a skill set that’s important. There’s still like a trade craft there. But once we get down to say like the individual mules, these might just be a whole range of different types of people. Some of them are quite desperate. Some of them just need cash. Some of them might be from drug using communities. There’s a whole range of different people. And so that’s why we struggle to say, what’s the profile of the cyber criminal? Because cyber crime covers so much. So once we drill down into the subcategories, we can think more carefully, both geographically in terms of role, what we might expect to see but there’s just a lot of variation happening there.

Arj
So even in that answer, you’ve started to paint quite a detailed picture of sort of, we’ll use the word actually around specialization and the sort of scale and sophistication of this. I’d like to sort of dig into that a little bit. So you’ve described your book, Industry of Anonymity’s key theme as being that cybercrime has matured into a large profit-driven industry. So could you take us through that kind of discovery. What were you expecting to see? What did you see? How did it mesh with your kind of preconceptions of cybercrime?

Jonathan
Yeah. So when I started, you know, we’re talking about 2010, basically, 2010, 2011 was when I was starting to engage with this. You know, I think the expectations, not just of myself, but of people in general, was largely we didn’t know what to see. Like we didn’t know what to look for. So there was beginning to see suggestions of different things, like sort of big pieces of malware and things like this. But in terms of like who the authors were in kind of the public sort of discourse around this, nobody really knew who they were, where they were from. There was just a lot of questions and not many answers.
So at that point, you know, what I was trying to do was just figure out what was happening. And I think the stereotype, which continues a little bit to this day, was sort of, you know, the teenager in the basement, that kind of stereotype. It’s a kid just messing around and those kids still exist and actually seeing those kids make a comeback in recent years, in lapses and things like this where they’re starting to cause quite a bit of damage.
But the idea there was originally this is a problem of teenagers messing around and that’s part of it. But what I saw over time as I gathered more and more data, did more and more interviews was how professional it was. And as we talked about already how specialized it was. And as I mentioned in relation, say the Russian speaking scene, We were talking about people who were basically professionals, who were educated, who were kind of industry level professionals. It’s just the industry of the criminal one instead.
So what we were seeing was the kind of emergence of cyber criminal startups, of businesses that really looked like conventional business in a certain kind of way, but were involved in making money through malware and through different types of operations. So that kind of industrialization was something that both was occurring over time.
But it was also something that just empirically I was unpacking over time as I got more and more information, as I talked to more and more people. And so the big kind of difference was just how professional, how industrialized, how specialized it had become and how much it looked like conventional business, how much it looked like, you know, the technology sector, but just one set up for criminal ends rather than one set up for positive ends.

Arj
Did you have an opportunity to see any of these kind of firms as you describe them in person?

Jonathan
So, I mean, it would be difficult to get into one of the firms, so to speak, in the sense that you’d have to basically be an undercover agent. So that was one of the difficulties. I mean, it’s a difficulty in general. I mean, just trying to gather information, gather data, but it’s a difficulty as an academic, you know, we’re sort of in a slightly different position to either law enforcement or to journalists in terms of how we’re bound by kind of ethical regulations, by risk assessments, all these kind of things.
So I certainly never went to embed myself within a particular group. And in fact, my strategy often was to engage with former offenders. So people who’d either retired or they’d been arrested. And the reason for that was generally they were much more open in the information they would give. So I could trust that information because they had less reason to lie, but also meant that there was no risk of me getting involved in ongoing law enforcement investigation or things like this. And so that to me was a kind of core part of my strategy. And I think offered me a kind of access and a level information that that might have been harder to get.
In terms of on the ground, you know, it’d be the difference if you’re maybe doing a documentary or something like this, you might go looking for these places. So the one example, which is different, slightly different to what you’re asking, but when I was in Nigeria, what I did too was go looking for some of the internet cafes that I thought, okay, these are gonna be hubs. They’d been written about these sort of hubs where people carrying out various scans or sort of going to these internet cafes, cyber cafes. And this was where it was all happening. And so I remember in Lagos, looking for one of these places and asking people, can I go to one of these places? And of course, they were gone. They didn’t exist anymore. So the reason for that was the mobile revolution, right? Which is all of this was happening in a way in which it was now sort of in people’s houses, in their mobiles, rather than in these centralized locations. So even when you go looking for these things, you don’t always find them for different reasons.
But it was a kind of like a part of what I was trying to do, what was to engage with the physical, because I was there – It’s an example we might talk about later, but I did visit the hotel where Carta Planet, which was one of the big marketplaces at the birth of profit-driven cybercrime, where they had a big convention, and I visited the hotel where they had that meeting. So I tried to have these little moments of engagement in, I don’t know if you’d call it cybercrime tourism or things like this, but ultimately I was not in a position, and certainly I would have been breaching my rules of engagement in terms of ethics and risk if I’d gone directly into some of these criminal organizations. But even if I had that clearance, it’d be a very difficult thing to do, particularly as a researcher.

Arj
Fair enough. One of the things I often hear from when we talk to, say, businesses about cybercrime is they start to have an appreciation, particularly in recent years, about the level of capability of these attackers, that they’re highly skilled.
Maybe even to some degree, the sort of the organisational elements, you know, the fact that they might be, you know, effectively in an office and, you know, it’s not they’re not in the bunker, they’re not in the basement. But one of the things that you kind of talk about is this, I guess, the because it is an industry, the market, you know, the fact that there’s actually sort of cooperation at a particularly, you know, large scale.
How does that work? I mean, this is a global kind of, you know, operation cyber crimes a global operation you talked about that It’s largely online There’s a great quote in your book where you sort of talk about a nickname is all you have is often kind of you know The sort of the the characteristic for a lot of these actors So how do they cooperate on a global scale in a situation where many of them are pseudonymous? You know nicknames are all completely anonymous

Jonathan
Yeah, so That was kind of the core challenge that set the book up in some sense. That was the core puzzle that I was interested in before I knew anything, which was how do these people work together? How have they built this industry so successfully that seems to be so large when they’re dealing with what appear to be sort of like criminals online? So people who might be anonymous and people who are criminals, these don’t seem to make good partners. You know, why would you trust someone who’s a criminal and why would you trust someone who’s a criminal? that you don’t know where they live, you don’t know who they are, you can’t go and beat them up if something goes wrong. So how do you actually do business online with someone like that?
So that was kind of the core puzzle that set up the book and obviously as I did more and more research over time, I realized that part of the solution to that puzzle was cheating, which is this offline dimension that we just talked about, this local dimension, which a number of these people just seem to know each other and work together with people that they knew from the local community or from growing up together or otherwise and that kind of got them around this trust problem.
And that was one way that they solved this. But the other one was, OK, there are still a substantial number of people who are engaging with offenders online, who are doing business online, sometimes in these these large marketplaces that look like kind of eBay, but eBay for for criminal goods and services. How are they able to trust each other? And the solution to that problem was actually familiar to us, which was they weren’t doing anything particularly new. They were using the same type of mechanisms that everyone uses in human life.
So if you talk about eBay as an example, you see similar types of mechanisms to legitimate platforms, which is, they’re very much interested in reputation. So they have rating systems, they have feedback and reviews and so if you buy a product, you can say whether it was good or bad, whether you got it or not, all these kinds of things. So reputation is really important to them and working with the same people and buying from the same people is important to them. So a lot of the former offenders I spoke to, that was something that mattered, was having those personal relationships, even in an online setting knowing that they had a past track record with someone and that person could be trusted.
So they have these range of sort of online mechanisms that are very familiar to us that are all about how to trust someone, how to assess trustworthiness basically. So reputations one, performance is another, which is getting people to demonstrate something whether through providing a sample or showing a skill set that they might have. And then we get to appearance, which is very difficult because you can change so much about your appearance online. You can basically pretend to be a completely different person.
And a lot of the former offenders I spoke to were very clear on the fact that they could interpret something about a real identity, some aspect of a real identity from an online persona. And so they were sort of very clear on that. They weren’t always, I think, 100% accurate in terms of their assessment. But they seemed to think there were certain tells, basically, that you could look for. And over the course of my research, I think the two that really stuck out to me were With time, so the amount of time you spend online, it’s very hard to fake that. The longer you’ve been in a community, the longer you’ve built up a reputation. That really matters, I think, in terms of whether people are gonna trust you or not.
And the other one is language. It’s very hard to pretend to be a native speaker of a language when you’re sort of involved in a… real-time chat or something like this. You know, the various translation tools we have don’t operate at that level, but you know, there’s little words that are chosen, things like this that will sort of indicate if you think you’re speaking to someone from say a Russian speaking background or from a different background, there’ll be little tells, depending on which language you’re speaking. And so that was very important.
And then the last part of this, which is not so much about trustworthiness, but it’s actually about enforcement, which is they’ve developed Arbitration systems, so basically informal court processes if different criminals get into dispute on these marketplaces. Esco systems, so if they’re doing a large transaction, there’ll be a trusted third party who will hold the funds. Just like if we’re buying a house in a legitimate world, we want to have that trusted guarantor. So, but again, those are examples of not inventing something brand new, but doing things that we know work in other settings. And so what they’ve done is basically take all these things that work for humans in general some in the broader sort of offline world, some that work in online platforms, and they’ve adapted them to work within cybercrime. And that’s the way they’ve tried to solve the problem in terms of that online space.
With that said, it’s never perfect. These mechanisms are never perfect. And they’re never perfect for us in the legitimate world. I mean, the court system does not resolve all the disputes that we have in the world. There’s still scams on eBay, all this kind of stuff. All these problems still exist, but it reduces the risk. And ultimately there’s still a lot of gain.
So, you know, a number of them will just see this as a proposition where, okay, I might get ripped off from time to time, but if I can still make money, I’ll make money and I take that as the cost of doing business.

Arj
Okay, so now we’re sort of, I guess, five years on from the book being published. You know, what changes have you seen? Do the findings hold up? Yeah, so it’s a good question because it was one of my concerns when I finished the book, but also when I was writing the book, because, you know, this book took seven years of field work and eight years to sort of write it up and publish it.
And then as soon as it came out, I thought, oh, what if something happens that just drastically changes the way we see cybercrime? I sort of wasted a huge chunk of my life, right? That was my big fear. And now we look sort of five years later, we have this time to look back. And the surprising thing is how little has changed in kind of broad human terms about how this world works. So…
Obviously on a daily basis, we’re seeing changes in code and little tweaks and all these kind of things in terms of getting around countermeasures. We see that is very, you know, that’s a regular problem. But in broader terms about what these people are actually doing, the change is much slower. So what I was surprised to see looking back, kind of reflecting on this is how little innovation there’s been. So if I think, for use an example, as the book, as I was finishing it up, ransomware was, it was kind of around the banking trojans was the main malware threat at that point when I finished up the book. So if there’s been any change, it’s been the rise of malware, of ransomware in some sense. So it already was, you know, it was already existing and kind of on the way, but after the book kind of finished and came out, that’s the process we’ve seen. Because we’re talking about a five-year period where that has been probably the dominant form of malware. And that’s a long time.
So if we’re thinking about cybercrime as a dynamic, fast-moving enterprise, it’s clearly not that fast moving because, you know, two of the main threats we can think about, ransomware, business email, compromise would be another one, have been around for years and they’ve changed a little bit, but they don’t change that dramatically. So the ransomware example, we’ve seen tweaks in the business model. We’ve seen a shift from sort of non-targeted attacks to very targeted attacks. More recently, we’ve seen a shift from, okay, it’s all about sort of locking up the data, now the threat of leaking the data, other kinds of threats.
But these are still shifts within a broader business model of extortion. And so we do see those changes, but even those changes don’t occur on a daily basis, right? They occur over months or they occur over years. So if anything, the message coming out of having written this book, and in some sense from me taking this huge risk of trying to understand something that was supposedly fast moving and dynamic, is actually that it’s less fast moving and dynamic than we think it is.

Arj
That’s so fascinating. Do you… Have any sense of whether COVID, the pandemic, had much of an impact? I mean, just thinking about how it’s affected business just at large. You know, do these groups have had to sort of change the way they work because of the pandemic?

Jonathan
So it’s a good question. I wouldn’t represent myself as an expert on it, having not done specific work on that particular topic. But certainly, you know, reflecting on what was written and what’s been out there, there were some challenges, I think. You know, if we think about just the movement of money and things like this, there’s actually a huge offline component to that. So when things close down, that becomes much more difficult. We see the way in which society is functioning, obviously the shifts are more work from home. I think everyone’s probably well aware of the security issues that brings all these kinds of questions. So it does certainly change the environment, but I’ve sort of thought about COVID and then there’s been other shocks in terms of, say, the war in Ukraine and things like this, sort of looked for these big moments where maybe you see a big shift.
And generally the shift has been less than I would have expected. So in some sense, things do change, absolutely. And there are these moments where we see those changes. But as long as there’s money to be made and the kind of approaches and the tactics that they’re using still work, they will continue to use them. I think that’s the main kind of message.
And so there are moments where they have to shift because of countermeasures or because of things happening in the world. But generally, there’s an inertia. And they sort of continue down the road that they’re on to a large degree.

Arj
That’s interesting. And I mean, certainly there’s some takeaways there for a lot of our listeners who work for businesses about, I guess, the persistence of the threat and the business model, you know, it’s not going away anytime soon.
I’d like to close on a phrase that is in the book that leapt out to me, which is you say that the cybercrime industry is a tragedy, which I think would be in some ways quite confronting and challenging for some of our listeners who probably see it more as a, you know, or a pain to be frank, and something that is something that they’d rather not contend with. But the fact that you describe it as a tragedy, could you expand on that idea for us?

Jonathan
Yes. So the point about that is, is not to take away from the impact on the harms caused. The tragedy is actually that those impacts and harms happen in a way that seems to be avoidable, or certainly if not avoidable, is sad that it happens in this way. And that’s because the people carrying out these types of activities shouldn’t really be doing it in the first place. So, you know, if we think about this point around industrialization, you know, the point I’ve made multiple times in this conversation about the intelligence, the education levels, the capability of the people involved in this in different parts of the world, it just seems to be so much human capital amongst these people. And it seems a waste of that talent, a waste of that ability that they’re engaging in cyber crime. And then we get into the harm, which is… all the costs, all the harm that’s caused by getting into this criminal activity.
So the tragedy is that we haven’t figured out how to provide opportunity to these groups of people. Because as I mentioned, these are people in certain cases, at the more technical end, with a similar profile to those working in the tech sector. And particularly when you look at places like Russia, Ukraine, other parts of the former Soviet Union. The core problem there is you know, this education system that’s setting people up to be, you know, very well educated in STEM disciplines, very capable, very, very well suited to working with in technology. And yet the opportunity that follows that education is so limited.
So there’s a, you know, sort of a market that’s dominated within the tech sector by a small number of large sort of government backed companies. There’s a lack of capital for entrepreneurs. So if you’re a young person, you’re excited about doing business out there in the world and you want to get involved in tech, how do you do that? So some people have figured it out. They figured out how to do that locally or how to kind of go internationally.
But for many people, they’re stuck in this environment where there’s no opportunity for dynamism. There’s no opportunity for innovation. And so what they’re doing, instead of getting involved in legitimate startups, they’re creating criminal startups because that’s the avenue they have. They don’t need as much capital. It’s much easier to take off. And that’s creating a whole space where all this ingenuity, all this capability, is being pushed into criminal ends. And built off that is a whole pool of coders and programmers and all these other people who might not be at the entrepreneurial end, but they’re very capable, themselves also being employed within this shadow industry, what I call Criminal Silicon Valley.
And so that’s the kind of key tragedy is this sort of large, massive people who are very capable, who could be put to positive ends, who could have opportunity, who could have a life that Ultimately, they would be very happy to take in the sense of having good income, good employment and achieving positive ends. But they’re almost forced into this shadow place where they’re forced to operate for these criminal ends, because quite simply the economy and the opportunity structure is just not set up for them.

Arj
I think that’s a really fascinating way for us to think about the problem. We often talk about the human factor in cybersecurity, but more in terms of, you know, the victims and also the fact that human frailty is often exploited in order to carry out attacks.
But to think about the human factor that’s on the side of the cyber criminal groups, I think is really illuminating. And it always helps, I think, in any situation to kind of at least have some reflection on kind of motivation intent behind someone’s actions.
Really grateful that you’ve come on and helped. give us that picture.
There’s so much more in your work. It’s an incredibly detailed, comprehensive, rich kind of piece of work. And I would love for people to be able to find more of what you’ve done. Is there any particular link or reference you want to sort of point people to?

Jonathan
I always joke, everything I know is in the book. So that’s always a good place to start. I also have a newsletter, which is also called Helpfully Industry of Anonymity, where I provide not just sort of summaries of research on cybercrime, but also do sort of updates on what’s happening in the world right now, try to provide a kind of bigger picture analytical take from my perspective. So if you’re interested in that, that newsletter is also, I think, a good resource to stay up to date with my thinking on all these kind of things.

Arj
Terrific. Well, we’ll put links to all of those in the show notes. But in the meantime, thank you very much for joining us. Wonderful conversation, long overdue and I hope we can chat again in the future. Thanks, Jonathan.

Jonathan
Thanks very much for having me. I appreciate it.