Executive Summary

The Internet Organised Crime Threat Assessment (iOCTA) informs decision makers at strategic, policy and tactical levels about on-going developments and emerging threats of cybercrime affecting governments, businesses and citizens in the EU. It draws on highly valuable contributions from law enforcement authorities in the EU and from other countries. Partners in the private sector and academia also provided important input to the report.

Combating cybercrime requires a different approach from that which has been traditionally taken in respect of most crimes. In contrast to the off-line world where criminals normally need to be physically present at the crime scene and can typically only commit one offence at a time (i.e. rob one bank or burgle one house at a time), criminals in cyberspace do not need to be close to the crime scene, they might never even travel to the target country, and can attack a large number of victims globally with minimum effort and risk by hiding their identity.

In practice, the need for a different approach to tackle cybercrime confronts police forces with new challenges. This calls for much stronger cross-border cooperation and orientation. New partners need to be found and integrated into existing cooperation frameworks, as we have seen with the European Cybercrime Centre (EC3) at Europol. In many jurisdictions outside the EU there are, however, no adequate legal frameworks in place for judicial cooperation. In fact, the whole concept of a territorially-based investigative approach conflicts with the borderless nature of cybercrime.

Even within the EU the differences in legislation and legal instruments to detect, attribute and exchange information in relation to cybercrimes cause significant impediments. The latter applies not only to law enforcement, but also to its cooperation with the private sector. While there is an overflow of information available to millions of citizens and businesses, few effective measures are available to law enforcement to access that information in order to aid the apprehension of criminals that undermine public safety and economic interests. On top of that, economic austerity has hampered the ability of EU law enforcement (LE) to adapt swiftly and sufficiently to the new realities that cybercrime has introduced.

Meanwhile cybercrime itself is a growing problem. Trends suggest considerable increases in the scope, sophistication, number and types of attacks, number of victims and economic damage. There are two important factors worth highlighting in this context: Crime-as-a-Service and anonymisation.

The Crime-as-a-Service (CaaS) business model drives the digital underground economy by providing a wide range of commercial services that facilitate almost any type of cybercrime. Criminals are freely able to procure these services, such as the rental of botnets, denial-of-service attacks, malware development, data theft and password cracking, to commit crimes themselves. This has facilitated a move by traditional organised crime groups (OCGs) into cybercrime areas. The financial gain that cybercrime experts have from offering these services stimulates the commercialisation of cybercrime as well as its innovation and further sophistication.

Relationships between cybercriminals are often transient or transactional and although they may form more coherent, project-based groups, they lack the structure and hierarchy of a traditional organised crime group. The current definitions of organised crime therefore do not reflect the digital underground economy, although this behaviour may reflect how all serious crime will be organised in the future.

The anonymisation techniques used in parts of the Internet, known as Darknets, allow users to communicate freely without the risk of being traced. These are perfectly legitimate tools for citizens to protect their privacy. However, the features of these privacy networks are also of primary interest to criminals that abuse such anonymity on a massive scale for illicit online trade in drugs, weapons, stolen goods, forged IDs and child sexual exploitation.

Criminal marketplaces are complemented by anonymous payment mechanisms such as virtual currencies. While in principle legitimate, they are abused by criminals for criminal transactions and money laundering. Centralised schemes such as WebMoney are commonly exploited. However, crypto-currencies continue to evolve and it is likely that more niche currencies will develop, tailored towards illicit activity and providing greater security and true anonymity.

This report highlights important developments in several areas of online crime. The changes in the production of malware are increasing rapidly in scale and sophistication. These are producing cybercrime capabilities ranging from simple key logging and theft of sensitive data, to ransomware and sophisticated and complex banking Trojans. Malware is also essential in creating and controlling botnets. Recent developments in the use of peer-to-peer networks to host command and control infrastructure create additional difficulties for law enforcement to disrupt or take down botnets.

In the area of payment fraud the size of financial losses due to online fraud has surpassed the damage due to payment fraud with physical cards. This causes huge losses, not only for the payment card issuers, but also for airlines, hotels and online retailers.

Child sexual exploitation online continues to be a major concern with offences ranging from sexual extortion and grooming, to self-produced child abuse material (CAM) and live streaming, which pose particular investigative challenges. Offenders are facilitated by many of the same services and products as typical cybercriminals including anonymisation tools, secure e-mail, bulletproof hosting and virtual currencies.

Current and future developments such as Big and Fast Data, the Internet of Everything, wearable devices, augmented reality, cloud computing, artificial intelligence and the transition to IPv6 will provide additional attack vectors and an increased attack surface for criminals. This will be exacerbated by how emerging and new technologies will be used and how they will influence people’s online behaviour.