A new paper by Dr Qiaoyu Luo and Dr Yun Zhao has found that a growing number of cybercrime organisations are now recruiting ordinary law-abiding citizens to unwittingly participate in their operations.
Advancements in technology mean profit-driven cybercrime has become increasingly industrialised in recent years, fragmenting cybercrime activities into simple tasks.
This makes it easier for cybercriminals to obscure the illegality of their processes and recruit unknowing law-abiding individuals, who carry out a wide range of criminal activities, including identity theft, cyberfraud and money laundering.
Within the context of China, Dr Luo collected qualitative data through semi-structured interviews with former cybercriminals, cybersecurity professionals and law enforcement officers between 2020-2022.
He found that the industrialisation of cybercrime had allowed criminals to overcome the security risks associated with employing non-criminals.
Typically, a criminal organisation must balance the requirement of skills against the continuation of secrecy when recruiting members.
In order to establish a basic level of trust and loyalty, criminal recruitment usually relies on existing social connections, such as those between family and friends.
However, an excessive focus on secrecy, relying exclusively on recruitment through social ties, can come at the cost of skill diversity.
Conversely, a too-heavy prioritisation of skills makes it challenging to find skilled recruits who will also uphold organisational secrecy and remain loyal.
As with traditional crimes, the primary route into cybercrime was through existing social ties, either offline or online (e.g. relationships formed through gaming or online chatting).
However, the industrialisation of cybercrime has allowed for activities to become fragmented and operations to become simplified.
Cybercrime groups now operate using an assembly line model, where cybercriminals perform repetitive, basic tasks akin to traditional manufacturing during the Industrial Revolution.
As a result, many tasks performed by cybercriminals – when viewed in isolation – may not even be classified as illicit.
Being responsible for one specific task in the cybercrime supply chain reduces the level of skill required for individuals to participate – and allows ordinary law-abiding individuals to perform these tasks effectively.
Simplified processes also reduce the need for coordination between different actors, mitigating the trust and secrecy concerns that might come from employing a non-criminal.
At the same time, this division of labour blurs the line between legal and illegal online activity, helping groups maintain secrecy, and making it difficult for recruits to recognise whether their activities are criminal.
When even internal members are unaware of being engaged in illegal activity, the organisation’s secrecy is maintained, even with law-abiding recruits.
Therefore, protected by the anonymity and transnational nature of the internet, criminals have begun openly recruiting members online, often through social media. These posts stress that participation is legal and risk-free, and target those wanting to make money quickly.
Similarly, some cybercrime groups in China are found to advertise on legal job-hunting websites, fabricating posts such as IT technicians or salesmen to lure individuals into joining their group and assisting with criminal activities.
With the continuous emergence of new technologies and the deepening industrialisation of cybercrime, the phenomenon of unwitting involvement in criminal activities is likely to increase.
The authors explain:
Reducing this phenomenon is critical to effective cybercrime governance. Our research shows that one of the core issues behind unknowing participation lies in the rise of crime-related processes, many of which exploit loopholes in legitimate business models.
While strengthening legislation targeting these vulnerabilities is one potential solution, it often lags behind the evolving tactics of criminals, resulting in a ‘patchwork’ approach.
A more sustainable strategy may lie in fostering collaboration with private enterprises, enabling them to establish their own regulatory frameworks and share the responsibility for crime prevention.
