#CloudSec2016: Cybercrime Underground by Geography

In his keynote at the CLOUDSEC conference in London on September 6 2016, Robert McArdle, EMEA Manager of the forward-looking threat research team at Trend Micro, compared the geographical differences in the cybercrime undergrounds around the globe.

When it comes to defense, knowing your adversary is the very first step, McArdle told the audience at CLOUDSEC. Furthermore, understanding the cybercrime trends in your adversary’s geography will allow you to build the best defense.

Whilst there are common trends which transcend geography – ID theft, weapons and drugs, and hardware, for example – there are huge differences in the cybercrime landscape in various parts of the world.

Rather than categorise by country, McArdle categorised “the big three cybercrime undergrounds” by language. He considers Russian-speaking countries, English-speaking countries and China to be the most notable.

## Russia

“The Russian – and I refer to all Russian-speaking countries, including the Ukraine – cybercrime underground is the oldest and most mature. They’re cybercrime pioneers, with most threats starting in Russia and then moving elsewhere.”

Russia has more criminal offerings than anywhere else, explained McArdle, and is responsible for igniting trends such as malware-as-a-service and cybercrime-as-a-service. “Their cybercrime ‘offerings’ are constantly evolving and, worryingly, prices for most goods are falling due to a rise in competition.” McArdle spoke of an “eBay-style market for stolen data which allows cyber-criminals to search for various stolen data by geography or type.”

## China

“The vast majority of the Chinese underground is easy to access because it’s on the clear web – the dark web is blocked,” McArdle explained. That’s not the only difference. Due to the language barrier, China’s main target for malware is itself. “People find this surprising. Sure, APTs from China target the west, but malware is almost entirely targeted at Chinese-speaking users.”

Other trends in the Chinese underground are a lot of spam – including Point of Sale spam – and widespread use of ATM skimmers and pocket spammers. “Interestingly, most skimming devices are manufactured in China, sold into the Latin America underground, and then used on victims in Europe,” McArdle explained.

## English-speaking countries

The English-speaking underground spans the UK, Canada, Australia and many other countries, but McArdle’s observations mainly focus on the US, which has the most active underground. “In the English-speaking countries, there is more focus on physical goods, murder for hire, and Denial of Service attack tools.” ID theft is also very common. “In the US in particular, it’s very easy to impersonate identity with a social security number combined with public resources.”

With the “big three” out of the way, McArdle turned his attention to three other interesting cyber undergrounds.

## Brazil

“Brazil is a less mature market, but very up and coming.” What’s interesting about Brazil, Trend Micro’s McArdle said, is the amazing amount of online tutorials available to tutor people on how to become a cyber-criminal. “Banking crime is huge in Brazil. Most new banking attacks start in Latin America and hit Europe 6-12 months later.”

Also notable in Brazil, said McArdle, is the “total disregard for getting caught. The cyber-criminals advertise their own success on social media.”

## Japan

Japan is the least mature of the markets, said McArdle, but certainly the most “wacky and strange”. There are very strict regulations around malware, so there is more focus on taboo and illegal subjects.

“They have really strange business models in Japan. For example, there are hidden webcams and Trojans, but often the webcam footage is shared among the cyber-criminals rather than used for blackmail or extortion.”

## Germany

Of all the European countries, the German underground is the most mature according to McArdle, and only “slightly behind Russia”.

The German underground market builds its own malware, and engages in a lot of cybercrime trading with Russia. “There has also been a big rise in the sale of fake ID due to the refugee crisis.”

McArdle concluded with the advice to “know your enemy, and focus on the appropriate geography. If you’re looking at financial/banking cybercrime, for example, focus on Latin America.”