- We conducted an independent, academic study into how much money cybercriminals are earning and what they spend it on.
- The findings are part of a larger nine-month study titled Into the Web of Profit, sponsored by Bromium.
- The report is free and you can reserve your copy here.
This is part two of a two-part series based on our project, Into the Web of Profit. Read part one.
C’mon. You’ve considered it before, haven’t you? What if you just decided to go rogue and become a cybercriminal? How much could you earn? Would it be enough to buy a private island? No wait, the trick is to buy stock right and live off the dividends and profits. But if you aren’t a high earner, would you earn enough to pay the bills? And eventually afford a lawyer?
Dr. Mike McGuire has the lowdown on how cybercriminals are spending their money and it likely won’t surprise you. But it may make you take a second look next time you’re in Vegas and a group of high-rollers emerges from a limousine drinking Cristal.
Let’s Break It Down
Data gathered through first-hand interviews with 100 convicted or currently engaged cybercriminals, combined with Dark Web investigations, reveals that:
- 15% spend most of their money on immediate needs like buying nappies (diapers) and paying bills
- 20% focus their spending on bad habits like buying drugs or paying prostitutes
- 15% spend to attain status, or to impress romantic interests and other criminals, for example, buying expensive jewelry
- 30% convert some of their revenues into investments like property or financial instruments, and other items that hold value such as art or wine
- 20% spend at least some of their revenue on reinvestments in further criminal activities like buying IT equipment
Indeed, the report notes a growing market catering to cybercriminals by allowing them to buy things with virtual currency. Sites such as White Company, Bitcoin Real Estate and de Louvois offer luxury products priced in Bitcoin, which is becoming a concern for financial analysts (note: some of these sites come and go rather quickly – if a link fails, they’ve moved on).
“The range of spending habits among cybercriminals was fascinating,” says Dr Mike McGuire, the researcher. “A lot of cybercriminals spend their money on increasing their status, whether that be with peers or romantic interests. One individual in the UK, who made around £1.2m per year, spent huge amounts of money on a trip to Las Vegas, where he claimed to have gambled $40,000 and spent $6,000 hiring sports cars so that they could ‘arrive in style’ to casinos and hotels.
“Another UK cybercriminal funnelled his proceeds into gold, drugs, expensive watches and spent £2,000 a week on prostitutes,” McGuire continued. “It’s alarming how easily cybercriminals are able to spend their illicit gains – there is an ever-growing market that is almost tailor-made for cybercriminals to make these ostentatious purchases with little to no regulation or oversight.”
Further findings will be released during the RSA Conference in San Francisco. Dr. McGuire will present the full findings during his speaking slot on April 20th from 09:00-09:45 AM on the Security Mashup track – code MASH-F01. He’ll also do short theater presentations in the Bromium booth located in the South Hall (in the back), booth #641.
Into the Web of Profit is a nine-month academic study by Dr. Mike McGuire, Senior Lecturer in Criminology at Surrey University. It draws from first-hand interviews with convicted cybercriminals, data from international law enforcement agencies, financial institutions, and covert observations conducted across the Dark Web. Get the free report: Bromium.com/cybercrime.
About Dr. Mike McGuire: Dr. Michael McGuire joined the Department as Senior Lecturer in Criminology at the University of Surrey, U.K. in September 2012. Dr McGuire read Philosophy & Scientific Method at the London School of Economics, where he acquired a first-class BSc Econ, and he completed his Ph.D. at King’s College London. He has subsequently developed an international profile in the study of technology and the justice system and has published widely in these areas. Contact: email@example.com.
Want more research? Visit our research page to learn how protect-to-detect and blaming end users aren’t solving today’s security problems.