
The keys to catching a cyber crook

Why greed, carelessness and an itch for glory are highly exploitable chinks in a cyber criminal's armour

The recent capture of the REvil ransomware gang ended one of the longest cyber crime manhunts in history. It also sent a message to the criminal underworld: if a group like REvil can be caught, then nobody is beyond the reach of the law. Given the gang's ingenuity – demonstrated through a series of infamous attacks over the years – how were they ever caught?

The fear among legislators is that cyber criminals tend to get away with it. "Governments have been caught on the backfoot by the adoption of technology by organised crime gangs," Colum Smith, chief vision officer at Taylor Rose MW Solicitors, tells IT Pro. Indeed, leading UK judge Sir Geoffrey Vos is so concerned about the dangers of "applying analogue rules to the digital environment" that he's pushing through new powers to track digital assets and bring cyber criminals to court.

Hackers, however, aren’t necessarily criminal masterminds. Often, all it takes is for them to make one slip-up while investigators are watching. REvil may have been brought down by the combined might of the FBI, Interpol, Europol, the US Department of Justice (DOJ), ethical hackers and security firms, but it was a mundane click by a REvil insider that let the FBI infiltrate its system. After accidentally activating investigators' monitoring technology, 'O—neday' was last seen writing on a forum: "The server was compromised, and they were looking for me. Good luck, everyone; I'm off."

Lapses in concentration

Rookie hackers, such as so-called 'script kiddies' who've been lucky to find a security hole, are relatively easy to catch. The TalkTalk hackers, for example, were arrested after failing to realise their IP address was visible through their provider. The police promptly turned up on their doorsteps. "The guys weren't very good at it," says Kevin Curran, senior IEEE member and professor of cyber security at Ulster University. "They were like naive teenagers, so they were easily caught. It only took a few weeks."

The availability of exploits and hacking services through the dark web has made cyber crime an easy option for inexperienced chancers, says Elise Constante, VP of research and threat intelligence at Vedere Labs. "That lowers down the entry level for a hacker. You don't need to be an expert anymore to create damage, and they may not be very good at covering themselves."

Even seasoned hackers make mistakes, though. Diligent cyber criminals use tools such as Tor and encrypted virtual private networks (VPNs) to mask their IP addresses, and may also launder connections by routing them through a daisy-chained series of hacked proxy servers. It only takes a momentary lapse in these operational security (OpSec) procedures, though, to expose the hacker, leaking IP information that can't be put back in the box.

One brilliant hacker brought down by an OpSec oversight is Ross Ulbricht, creator of drugs marketplace Silk Road. "This guy was really, really clever, but he was caught because he used his 'altoid' handle while his VPN was turned off," says Curran. "The trouble for him was that he was too successful. There are guys making a few thousand or even a few million that'll never get caught, because law enforcement can't justify the resources. But the FBI commitment to catching Ulbricht was huge."

Ransomware risks

Ransomware may seem like a high-reward, low-risk crime strategy because it delivers an untraceable payday, thanks to Bitcoin and other cryptocurrencies. It has a couple of ingrained flaws, however, that make its perpetrators vulnerable. "If I do a ransomware attack on you, I've now got to deal with you as a customer," says Simon Edwards, founder of SE Labs. "I've got to walk you through getting the money off you. That makes the risk higher for me, because what if you track me?"

Then there's the need to cash the ransom. You still can't buy much using Bitcoin, so you have to convert it, and those transactions will turn up in the blockchain ledger. DarkSide, the gang behind the Colonial Pipeline attack, had its assets seized in May 2021 when blockchain analytics firm Elliptic revealed $90 million in ransom payments to DarkSide and its affiliates. The February 2022 arrest of a New York couple involved in the 2016 Bitfinex hack, too, reminds us that crypto crime is far from untraceable.

"The human is the weak link, always," says Constante. "As long as they stay in cryptocurrency they are sort of safe, but they want to cash in. They use techniques similar to money laundering; for example, lots of small transactions. The moment they go and get out $50,000 or $100,000 or $1 million, however, that's where they get caught."
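The cash-out pattern described above (many small incoming transfers consolidated into one large transfer to an exchange) is what blockchain analytics tools look for. The script below is an added illustration, not code from IT Pro or from any of the firms quoted: it runs a simple structuring heuristic over a constructed ledger. The exchange address labels, the wallet names and the thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

SATOSHI = 100_000_000  # 1 BTC in satoshi; integer amounts avoid float rounding


@dataclass(frozen=True)
class Tx:
    txid: str
    sender: str
    receiver: str
    sats: int  # amount in satoshi
    ts: int    # unix timestamp (seconds)


@dataclass(frozen=True)
class Alert:
    address: str
    small_inputs: int
    total_sats: int
    cashout_txid: str


# Hypothetical label set: addresses an analyst has attributed to exchange deposit wallets.
EXCHANGE_ADDRESSES = {"exch_deposit_1", "exch_deposit_2"}

# Constructed sample ledger (not real chain data). w9 collects six small hops
# from separate wallets within a few hours, then moves the lot to an exchange.
# w7 and w8 are benign decoys: w7 receives one large payment and cashes out,
# w8 receives two small payments and cashes out a small amount.
SAMPLE_LEDGER = [
    Tx("in_1", "w1", "w9", 40_000_000, 90_000),
    Tx("in_2", "w2", "w9", 40_000_000, 91_000),
    Tx("in_3", "w3", "w9", 40_000_000, 92_000),
    Tx("in_4", "w4", "w9", 40_000_000, 93_000),
    Tx("in_5", "w5", "w9", 40_000_000, 94_000),
    Tx("in_6", "w6", "w9", 40_000_000, 95_000),
    Tx("tx_cashout", "w9", "exch_deposit_1", 239_000_000, 100_000),
    Tx("legit_in", "w0", "w7", 300_000_000, 90_500),
    Tx("legit_out", "w7", "exch_deposit_2", 250_000_000, 99_000),
    Tx("small_a", "w0", "w8", 30_000_000, 90_200),
    Tx("small_b", "w0", "w8", 20_000_000, 90_300),
    Tx("small_out", "w8", "exch_deposit_1", 49_000_000, 98_000),
]


def structuring_alerts(txs, small_max=50_000_000, min_small=5,
                       large_min=2 * SATOSHI, window=86_400):
    """Flag addresses that send at least `large_min` satoshi to a labelled
    exchange address after receiving `min_small` or more inputs of at most
    `small_max` satoshi during the `window` seconds before that cash-out."""
    inbound = defaultdict(list)
    outbound = defaultdict(list)
    for tx in txs:
        inbound[tx.receiver].append(tx)
        outbound[tx.sender].append(tx)

    alerts = []
    for addr, outs in outbound.items():
        for out in sorted(outs, key=lambda t: t.ts):
            if out.sats < large_min or out.receiver not in EXCHANGE_ADDRESSES:
                continue
            smalls = [t for t in inbound.get(addr, [])
                      if t.sats <= small_max and out.ts - window <= t.ts <= out.ts]
            if len(smalls) >= min_small:
                alerts.append(Alert(addr, len(smalls),
                                    sum(t.sats for t in smalls), out.txid))
    return alerts


if __name__ == "__main__":
    for a in structuring_alerts(SAMPLE_LEDGER):
        print(f"{a.address}: {a.small_inputs} small inputs totalling "
              f"{a.total_sats / SATOSHI:.2f} BTC, cashed out in {a.cashout_txid}")
```

The heuristic is deliberately narrow: it only fires when a large transfer lands on an address already labelled as an exchange deposit wallet, which is exactly the point at which the article's sources say criminals get caught. In practice the label set and the thresholds come from the analytics provider, and the same logic is run across clusters of related addresses rather than single ones.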

Criminals are all-too-human 

As well as leading them to cash stupidly large sums of money, greed also turns criminals into sitting ducks for social engineering. When Kevin Curran was tasked with unmasking a Twitter troll, the only detail he could find was an email address. So he sent a message saying "is this iPad yours?", plus a photo of an expensive device. The bait worked, and the troll got in touch.


Arrogance, however, may be hackers' biggest human flaw, with many unable to resist ‘signing’ their coding work like artists. This makes them easy to track by steganographers who look for unique identifiers in code. "Hackers want to show off their skills," says Harman Singh, director of Cyphere. "They leave comments in the codebase in spyware and rootkits, often in a distinctive writing style."
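The "signature in the code" habit Singh describes is something a threat-intelligence analyst can check for mechanically: pull the comments out of recovered source, look for authorship strings, and see which handles recur across unrelated samples. The script below is an added example written for this article, not code from IT Pro or Cyphere; the sample sources, file names and the handle are invented, and the comment and handle patterns are a simple heuristic rather than a production attribution method.

```python
import re
from collections import defaultdict

# Constructed sample sources (toy code, not real malware), each carrying the kind
# of comment "signature" the article describes. Names and handles are invented.
SAMPLES = {
    "dropper.c": """
/* coded by n1ghtOwl -- greetz to the crew */
int drop(void) { return 0; }
// n1ghtOwl was here
""",
    "persist.py": """
# author: n1ghtOwl
def persist():
    pass  # TODO n1ghtOwl: hide this better
""",
    "vendor_lib.c": """
// Copyright 2020 Example Corp. All rights reserved.
int helper(void) { return 1; }
""",
}

# Block comments, C++-style line comments and #-style line comments.
# Heuristic only: in C sources this also catches preprocessor lines.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
# A handle following an authorship keyword, e.g. "coded by X", "author: X".
HANDLE_RE = re.compile(
    r"\b(?:coded|written|made|author|by)\b\s*(?:by)?\s*:?\s*([A-Za-z0-9_]{3,})",
    re.I,
)


def extract_comments(src):
    """Return every comment found in `src`, in order of appearance."""
    return [m.group(0) for m in COMMENT_RE.finditer(src)]


def extract_handles(src):
    """Return the set of lower-cased handles found in authorship comments."""
    handles = set()
    for comment in extract_comments(src):
        for m in HANDLE_RE.finditer(comment):
            handles.add(m.group(1).lower())
    return handles


def shared_handles(samples):
    """Map each handle to the sorted list of sample names it appears in,
    keeping only handles seen in two or more samples, i.e. the ones that
    link otherwise separate files to one author."""
    seen = defaultdict(set)
    for name, src in samples.items():
        for h in extract_handles(src):
            seen[h].add(name)
    return {h: sorted(names) for h, names in seen.items() if len(names) >= 2}


if __name__ == "__main__":
    for handle, files in shared_handles(SAMPLES).items():
        print(f"handle '{handle}' links: {', '.join(files)}")
```

On the constructed samples the vendor library yields nothing, while the two malicious-looking files are linked by the same handle. Real attribution work layers this kind of string matching with stylometry (comment length, spelling habits, naming conventions), which is the "distinctive writing style" Singh refers to.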

Organisations like Anonymous trade on their infamy, so capture is part of the plan. Others, though, seem to forget that showing off can land them in prison. LulzSec hacker Sabu, whose real name is Hector Monsegur, was arrested after bragging on internet relay chat (IRC) without hiding his IP address. Even Ross Ulbricht couldn't resist hinting at his Silk Road work on LinkedIn, of all places.

Criminals do now tend to limit their self-promotion to the dark web, but investigators know this. There are entire security platforms, such as Cybersixgill and Recorded Future, devoted to monitoring closed forums, and investigators are even using techniques such as neuro-linguistic programming (NLP) to identify individuals.

Security firms say they've noticed a shift in discipline, with hackers growing less likely to claim responsibility for attacks, especially those exposed by embarrassing opsec failures. "In 2021 we had four record-breaking DDoS attacks, but no-one claimed them," says Daniel Smith, head of security research at Radware. "This is a major turnaround from the decade before, when groups like Lizard Squad and Anonymous used DDoS attacks to market themselves."

Hackers may be learning to keep quiet, but investigators are mastering new hacker hunting manoeuvres at pace. Soon, the criminals are going to need a whole new dark web to keep themselves hidden.
