Skip to main content
SearchLoginLogin or Signup

On the Dynamics behind Profit-Driven Cybercrime : From Contextual Factors to Perceived Group Structures, and the Workforce at the Periphery

Published onMay 30, 2023
On the Dynamics behind Profit-Driven Cybercrime : From Contextual Factors to Perceived Group Structures, and the Workforce at the Periphery


As information technologies (IT) have become a central component of everyday life, new crime opportunities have emerged, especially profit-driven ones. From ransomware to banking theft or credit card fraud, there are now various sophisticated profit-driven cybercrime schemes. A large strain of literature has focused on understanding how those behind cybercrime organize in online environments (for a review, see Maimon and Lounderback, 2019). Recently, rather than analyzing behaviors in online environments, several scholars have started to investigate the origin of those behind profit-driven cybercrime or, in other words, their “offline” contexts (Leukfeldt et al. 2017a, b, c,d; Lusthaus, 2019; 2018; Lusthaus and Varese, 2021). These studies have emphasized how local dimensions -or contexts- play an important role in shaping cybercrime participation. In the same vein, studies have shown that cybercrime participation clusters in specific regions of the world (Lusthaus, 2019; 2018; Lusthaus and Varese, 2021; Kshetri, 2010; Kiegler, 2016; 2012).

These findings raise questions as to whether contextual factors can explain cybercrime participation. “Factor” refers to circumstances that contribute to a result and “contextual” is the environment in which individuals evolve. Contextual factors are circumstances, identified at the environment level, that can explain why individuals end up participating in such crimes. Previous research investigating contextual factors behind crime participation (and thus not focused on cybercrime) have identified several such factors, including lax law enforcement (Morselli et al., 2011; Paoli et al., 2009; Tremblay et al., 2009; Reuter, 1983), the possibility of corruption (Tremblay et al., 2009; Tremblay et al., 1998), lax social norms/moral condemnations (Tremblay et al., 1998) and the perceived legitimacy of the products or services traded (Dewey, 2016). A small number of studies have identified similar factors influencing cybercrime participation (Lusthaus, 2019; 2018; Lusthaus and Varese, 2021; Kshetri, 2010). They have also highlighted additional factors specific to profit-driven cybercrime, including the presence of other offenders, internet accessibility and a population with IT skills (Lusthaus, 2019; 2018; Lusthaus and Varese, 2021; Kshetri, 2010; Kiegler, 2016; 2012).

Although these four previous studies have identified contextual factors influencing cybercrime participation, this strain of literature is still at its inception. For example, two of these studies focus on specific regions: Lusthaus and Varese studied Romania while Lusthaus (2019) analyzed eastern Europe and Vietnam. Lusthaus (2018) did a phenomenal job of unveiling the anonymity of those behind cybercrime through 238 interviews across 20 countries, yet the study focuses on explaining the dynamics of the cybercrime industry and not on finding specific contextual factors -although the author discusses this topic throughout the book. Kshetri (2010) examined how the structure of cybercrime differs between developed and developing countries, as opposed to identifying specifically contextual factors. Finally, by examining 132 countries, Kiegler (2012) attempts to find what characteristics predict whether a nation has high spam and phishing activity specifically, while Kiegler (2016) clusters countries according to specific dimensions: malware, fraud, spam, digital piracy, the gross domestic product, and internet use. Both studies highlight higher wealth and higher internet penetration as characteristics explaining high cybercrime prevalence in a country. Yet, the evolving landscape requires more in-depth analysis of the geographies of cybercrime, as highlighted in Lusthaus et al. (2020).

Hence, the initial goal of this study was to contribute to this strain of literature by identifying and generalizing what contextual factors influence individuals to participate in profit-driven cybercrime. To achieve this goal, semi-structured interviews with 22 cybercrime experts were conducted, along with an inductive thematic analysis of their narratives. The method used broadened the initial scope of the study, and its results now corroborate key findings on contextual but also organizational dynamics behind profit-driven cybercrime.

In short, three key contextual factors were pinpointed: (1) lack of legal economic opportunities, (2) lack of deterrents, and (3) availability of drifting means, that is, the encounters wherein individuals discover that participating in profit-driven cybercrime is possible. These contextual factors encompass most factors identified in previous studies, related to both crime and cybercrime participation. They are also rooted in important theoretical work in criminology, including Merton (1968; 1938), Stafford and Warr (1993) and Matza (1990). The development of quantitative models aimed at testing the relative importance of these three factors in influencing crime participation (concentration) in specific regions could be the next step to develop evidence-based policies aimed at the prevention of cybercrime participation.

Additionally, beyond this study’s initial goal and thanks to the inductive analysis approach taken, further key insights on the dynamics behind the organization of profit-driven crime were uncovered. Analyzing experts’ discourses illustrated that they perceived group structures behind profit-driven cybercrime as either organized, enterprise-like, loose networks, or communities. Although these structures have been reported in previous studies on cybercrime organization (for a review, see p.28-29), the findings of this study raise questions on their prevalence globally. Bouchard and Morselli (2014) discussed how being involved in criminal activities is a resource-pooling process. These various structures likely reflect a version of the reality of such resource-pooling processes. The structure of criminal groups may also depend on the origin of the individuals involved and their contexts. Future studies should investigate what makes one structure appear in a given region, as opposed to another structure.

Moreover, experts’ narratives highlighted that, whatever their structures, groups behind profit-driven cybercrime contract workers to help with crime orchestration, from developing websites to transferring packages or translating texts. This finding relates to the well-established cybercrime-as-a-service literature which states that the cybercrime industry is now a volume industry (Moore et al., 2009) where every task can be broken down into mini tasks achieved by specialized individuals (Lusthaus et al., 2022; Collier et al. 2020; 2021; Leukfeldt, Kleemans and Stol 2017a, b, c, d). However, given experts’ discourses, the study raises further questions on this hiring/contracting process and the willingness of many such workers to actively participate in cybercrime. The presence of the workforce also echoes the concept of “economic influence”, brought forth in Tremblay et al. (2009), which captures the effect of a criminal organization outside of its specified boundaries (p.4-5). A small organization can thus have a relatively large sphere of economic influence, reaching many individuals working in the market or in its periphery. How contextual factors influence cybercrime participation for such workers should be of interest to further research. Also, whether specific group structures lead to exploiting this workforce should be investigated, along with understanding and conceptualizing the “drifting into crime” process for these workers.

Hence, through an inductive thematic analysis of semi-structured interviews with experts, this study corroborates key insights hitherto discussed only sparsely in profit-driven cybercrime studies, while also providing additional research avenues.


The literature on shifts and patterns in the mobility of criminal groups gives information on contextual factors influencing crime participation. Morselli et al. (2011) reviewed past studies on criminal groups involved in market offenses and identified factors that allow a criminal group to expand or shrink in terms of active members, active participation (e.g., number of offenses), and market reach (e.g., number of buyers). Among key factors related to crime participation known in the literature, Morselli et al. (2011) emphasized lax law enforcement (also identified in Paoli et al., 2009; Tremblay et al., 2009; Reuter, 1983) and corruption (also identified in Tremblay et al., 2009; Tremblay et al., 1998). These two factors reduce the risks of arrest and give a feeling of impunity, leading individuals to believe that they will not face the consequences of their actions, subsequently encouraging crime participation.

In another study, Tremblay et al. (1998) additionally identified strong social norms/moral condemnations as a key factor influencing criminal groups to shrink. Specifically, social norms and moral condemnations refer to the degree of moral acceptance, in a society, of criminal activities. For example, when the illegal product or service is widely condemned socially, those trading it will face additional constraints, such as having to hide not only from law enforcement but also from everyone surrounding the criminal activity. This reduces the number of actors willing to participate in the criminal activity. Dewey (2016) similarly differentiated legitimate/illegitimate markets from legal/illegal ones, highlighting that some markets may be illegal but considered legitimate by the population, thus increasing the potential number of participants for these illegal -yet considered to be legitimate- markets.

While the cited studies above focus on profit-driven crime (mainly market offenses), the topic of the present research is profit-driven cybercrime. In the past two decades, many studies have investigated cybercrime participation by testing classical criminology theories like deterrence, social learning, and routine activity theories mainly in online environments (for a comprehensive review, see Maimon and Louderback, 2019). However, these studies do not provide information on the “offline” contexts of individuals involved in profit-driven cybercrime. Recently, to overcome this limitation, several scholars have started studying the origin and growth of those behind profit-driven cybercrime (Leukfeldt et al., 2019; Leukfeldt et al., 2017a, b, c, d; Leukfeldt, 2014). All these studies have found that groups behind profit-driven cybercrime are locally embedded and that social ties matter (Leukfeldt et al., 2019; Leukfeldt et al., 2017a, b, c, d; Leukfeldt, 2014). As highlighted by Lusthaus et al. (2020), acknowledging that cybercrime is locally embedded opens a vast array of research in the geographies of cybercrime.

Kiegler (2012), by using data from 132 countries, provided a first attempt at finding what characteristics predict whether a nation has high spam and phishing activity. The author concluded that wealthier nations with high internet penetration had higher cybercrime activity. In 2016, the same author clustered 190 countries according to specific dimensions: malware, fraud, spam, digital piracy, the gross domestic product, and internet use (Kiegler, 2016). Again, wealth and high internet penetration, were highlighted as an important factor influencing high cybercrime prevalence in a country.

Lusthaus (2018) interviewed 238 individuals from law enforcement, the cybersecurity industry, and individuals who have been involved in cybercrime to uncover how the cybercrime industry functions. While doing so, the author explored socio-economic contexts that may explain why individuals participate in cybercrime. Specifically, the study emphasizes factors such as lax law enforcement, corruption, lack of legal opportunities along with easy internet accessibility, a large population with IT skills, and the presence of other offenders as key factors influencing cybercrime participation.

Lusthaus (2019) leveraged the results of his study published in 2018 (and presented above) to develop a model that explains why Eastern Europe is a hub for cybercrime. The model includes four factors: 1) high technical literacy, 2) large networks of individuals involved in cybercrime, 3) low economic opportunities in the technological sector and 4) limited law enforcement and wide-spread corruption. Then, the author uses Vietnam (considering it has ties with a communist legacy, like Eastern Europe) as a case study to test the model and try to predict new cybercrime hubs. However, in the case of Vietnam, the author concludes that the four elements of the models are not met in this country and, thus, conclude that Vietnam -given the current context- should not be a cybercrime hub in the near future (Lusthaus, 2019).

Moreover, recently, Lusthaus and Varese (2021) investigated the Romanian context as a hub for cybercrime activities and highlighted the legacy of communism (i.e., access to internet but not to western software, which led individuals to learn how to compromise software to circumvent their protections), economic development (i.e., low salaries and few economic opportunities in the technology sector), and corruption as key factors explaining cybercrime participation.

Finally, outside this strain of literature and several years ago, in a paper published in Third World Quarterly, Kshetri (2010) argued that the organization of those behind cybercrime in developing economies differed from those in developed countries. Through a review of newspapers and the grey literature, the author reasoned that countries with few resources devoted to fighting cybercrime may experience an increase in the number of individuals involved in cybercrime while diminishing their stigmatization. The author also argued that individuals in developing economies may be attracted into such crimes “because of high unemployment and low wages” in their countries (Kshetri, 2010, p. 1057).

Hence, the literature on both crime and cybercrime participation illustrates several contextual factors. However, in the context of profit-driven cybercrime, there is a need to systematize and generalize such factors. Indeed, so far, two studies specifically unveiling contextual factors conducted case studies on specific regions (Lusthaus, 2019; Lusthaus and Varese, 2021) or emphasized mainly wealth and GDP as key factors explaining cybercrime prevalence in a country (Kiegler, 2012; 2016). On the other hand, Lusthaus (2018)’s work is phenomenal in “lifting the anonymity veil” of those involved in profit-driven cybercrime, but the author does not conduct a systematic analysis of contextual factors. Finally, Kshetri (2010), in the early 2010s, identified several cybercrime hubs in developing countries, but the findings are based on insights given in newspapers and/or the grey literature, such as industry reports, and should be further corroborated. Key factors that span regions can then be used to develop quantitative models that test the relative importance of these factors in influencing cybercrime participation.

Hence, the study’s goal is to contribute to this strain of literature by further identifying and generalizing what contextual factors influence individuals to participate in profit-driven cybercrime. To do so, an inductive thematic analysis of semi-structured interviews with 22 cybercrime experts was conducted. Questioning experts, moreover, led to finding further key insights on the dynamics behind the organization of profit-driven cybercrime, including how group structures are perceived and the importance of a workforce helping in crime orchestrations.


Recruiting Experts 

One way to identify experts is to find out whether they are vetted by others in the field as such (Moseley and Mead 2001). Such a criterion means that individuals knowledgeable on the topic can refer someone they consider to be an expert suitable for the study. This criterion was used to accept a participant and consider that participant an expert using two approaches. First, we recruited participants through the Stratosphere Laboratory1. The Laboratory is formed of well-established researchers from academia and the cybersecurity industry with an expertise in cybersecurity and cybercrime. Laboratory members were told about the study’s aim: that we sought experts who were knowledgeable on groups behind profit-driven cybercrime. Second, we used a snowballing method: experts were asked at the end of the interview whether they knew other individuals who would be knowledgeable about the study topic. 

Information about Experts

A total of 22 experts participated in the study. These experts spanned disciplines and backgrounds, as shown in Table 1. The geographic character of participants was also diverse, as shown in Table 2.


In fact, the wide geographic representation of research participants was done on purpose to uncover contextual factors that crossed borders and cultures and avoid bending the results for a single geographic region.


However, the diversity in experts’ professional positions and respective subfields was rather an artifact of the Laboratory’s network. This is because these individuals were referred to us by Laboratory members as experts not based on their professional position but rather on their status within the cybersecurity community as individuals who were knowledgeable on the topic. Hence, their professional position is interesting to provide background, but what matters is their experience and knowledge on the topic, which, for many, was acquired outside of their official position. For example, a total of 64% of experts interviewed had discussed with individuals involved in such criminal activity. Such experiential knowledge was acquired informally as some experts knew these individuals from social ties, such as going to school with them. One expert even ended up hanging out with a group involved in online credit card theft. In two cases, experts were contacted by those involved in the crime to explain why they were conducting their crimes, as opposed to the experts reaching out to these individuals. Some experts had been undercover in forums and a few reported having participated in online criminal activities “back in the day”.

Other direct relations with individuals involved in cybercrime were developed due specifically to experts’ professional positions. For example, two experts interviewed individuals involved in profit-driven cybercrime as part of their professional employment. Those who did not have direct experiences had conducted in-depth investigations of individuals involved in such crime, including reading their online interactions and getting to know them through time. For some, such investigations were part of their professional positions while, for others, they were conducted out of curiosity.

The diversities in background, positions and subfields provide strength to the overall narrative, as themes that span countries and expertise illustrate potential trends that can help understand why and how individuals participate in profit-driven cybercrime.

Limits and Strengths of Interviewing Experts

A limit of this study is that active cybercrime participants have not been directly interviewed. In the literature, a few scientific studies have successfully interviewed active members (Collier et al., 2021; 2020; Lusthaus, 2018), yet reaching this population is difficult due to the illicit activities these individuals are involved in. Alternatively, interviewing experts or individuals who have been involved in cybercrime “back in the day” to understand those behind such crime has been the main data source for three studies on the topic: Lusthaus (2019; 2018) and Lusthaus and Varese (2021). This is because individuals with substantial knowledge on a topic, such as cybercrime, can provide valuable insights on complex social processes and interviewing them can lead to interesting research orientations (Bogner and Menz, 2009). Still, to make sure that the experts were knowledgeable on the study’s topic (and for ethical reasons), we sent them the consent form with all details on the research prior to the interview. This allowed them to assess whether they felt they could contribute to it or not. Once the interviews were completed, the snowballing method also allowed us to reach additional experts who, according to the person who had just completed the interview, were suitable for the research.

In the end, there was no doubt that the participants of this study had extensive knowledge on the topic either through their extracurricular activities, their social networks, or their professional positions, as discussed above. They told real-life stories of individuals involved in profit-driven cybercrime and shared their impressions on what contextual factors could influence individuals to participate in such activities.

Finally, another limit of this research is the relatively small sample. This small sample is due to the massive amount of information shared per expert and, as we started analyzing at the twentieth interview, we noticed an interesting overlap in experts’ narratives along with conceptual links between what they said and the literature. We do not claim that the results presented below are representative of the whole social phenomenon studied, but rather synthesize (and summarize) key concepts from the literature and provide future research avenues.

Interview Process 

When a contact accepted to participate in the research, an introductory email was sent and, through a series of online exchanges, a time and date was set for the interview and the consent form was shared. This resulted in 21 interviews with 22 experts, as one interview was conducted with two experts at the same time. The interviews happened between July and December 2020 and spanned from 40 to 180 minutes each, with an average of 90 minutes. All interviews took place online through various mediums depending on experts’ preferences. Upon the interviewees’ approval, the audio was recorded, and each interview was transcribed and anonymized with an internal ID number.

The interview protocol encompassed three topics related to the objective of the study, which was to understand the contexts of individuals behind profit-driven cybercrime. The first topic asked about experts’ experiences with groups behind profit-driven cybercrime. The second topic inquired about contexts wherein many individuals involved in profit-driven cybercrime cluster, and the third topic asked about factors that experts thought could influence individuals to participate in such activities. The interviews were semi-directed with the interviewer asking a question related to the first topic and then semi-directing the discussion once participants started to share their experience and knowledge.

Thematic Analysis 

Interview transcripts were imported into the NVivo 12 software for analysis and a thematic analysis was conducted to find patterns and meaning in the text. Thematic analysis is a method to identify, analyze, and report themes representing meaning from text data (Braun and Clarke, 2006). The analysis was inductive and, thus, no preliminary codes nor themes were established. Instead, the text for each interview was broken down into narrative units, groups of words that make sense together, and a theme was attributed to them. Themes can be identified at the semantic or latent level. More precisely, at the semantic level, researchers look for specific patterns in the data, based on what is said, and do not look beyond. The themes are then summarized and the interpretation and relation to the theory are conducted afterwards (Boyatzis, 1998). At the latent level, researchers go beyond the semantic context, reporting underlying ideas and assumptions experienced by the individuals based on their conversations and the researchers’ interpretations of such conversations (Boyatzis, 1998). The themes were extracted at these two levels: semantic and latent. Semantic-level themes included those summarizing perceived contextual factors behind profit-driven crime. When we interpreted further how experts perceived the organization behind those involved in profit-driven cybercrime, the themes were extracted at the latent level.

Once all interviews had been analyzed, subthemes were grouped into overarching themes, which are presented below. In the results, these overarching themes are supported with quotations from experts. For anonymity and confidentiality, each expert quotation is accompanied with the interviewee’s internal ID, such as Expert CR0000. To help readers make sense of the data every time an expert is quoted below, experts’ nationality is provided. Specifically, experts’ internal IDs are preceded by a two-digit code (following the ISO 3166-1 alpha-2 international and standardized codes) representing their country.

Ethical Considerations 

This research has been approved by Simon Fraser University ethics department (study number 2020s0121 – former institution of the lead author) and University of Montreal (study number CERSC-2021–131-D – current institution of the main author) under minimal risks. Experts received a consent form prior to the interview. Participants were also told that their participation in the study was voluntary and that they might withdraw from the study should they choose to do so prior to the final publication of the manuscript.


A Confluence of Contextual Factors  

Contextual factors are circumstances, identified at the environment level, that can explain why individuals end up participating in online economic crime. The assumption behind this analysis is that there exist common contextual factors that can explain why many individuals participate in profit-driven cybercrime. From the thematic analysis, three contextual factors spanned experts’ narratives: (1) lack of legal economic opportunities, (2) lack of deterrents, and (3) drifting means. These factors represent a cocktail that, all together, creates favorable contexts that could influence individuals to exploit profit-driven cybercrime opportunities. These factors are presented below.

Lack of Legal Economic Opportunities 

Throughout the interviews, the lack of legal economic opportunities was often mentioned in experts’ narratives as a contextual factor influencing individuals to participate in profit-driven cybercrime. For example, Expert IN1200 mentioned that, in a specific context where such crime is prevalent, “You can count on your fingers the security companies that we have on the defender side. And the thing is that there are other local companies, which are not paying enough.” Expert UA1300, in the same vein, mentioned that it is “very hard to be employed in this field I guess”. More bluntly, Expert FR402, when talking about an individual involved in profit-driven cybercrime, said, “He lived in the country where you don't have much money, even if you are a security engineer, your paycheck is like shit.” 

Expert RU901 did notice that those living in the countryside were more likely to end up in such activities: “If you live in a small city, then, even if you're smart enough, you might not be able to have a good job in that city”. Expert FR401 said “the rate of unemployment in those districts is very specific, very high. So, it's way easier to recruit mules in those districts”. Experts RO1001 and RU100 also mentioned how high unemployment rates (due to the fall of the Soviet Union) mixed with high technological development led individuals to seek online crime opportunities. Expert GR200 mentioned inequality, recalling that the individuals he investigated came from unequal societies. He stated that those in poorer conditions (where there were few legal opportunities to make decent salaries) were more likely to seize online crime opportunities.  

However, experts also stressed that such a factor does not excuse these behaviors and that participating in such activities is more a choice than a necessity. For example, Expert RU900 mentioned, “if you want to have a legal job, there is always a way of you getting in […] Yeah, there is a way of doing some remote work. Actually, nowadays it's easier.” Similarly, Experts RU901 and IN1200 mentioned the possibility of using bug bounty programs to earn money by legally finding bugs in software. Expert RU901 went as far as to say, “There is always a way out. People just don't see it. Or don't want to see it.” Individuals do not necessarily participate in such crimes to survive, although the lack of legal economic opportunities may be the factor that influences them to choose this opportunity over another, legal one.  

Lack of Deterrents

The second contextual factor, lack of deterrence, refers to the lack of measures or practices aimed at discouraging individuals from conducting profit-driven cybercrime for fear of retribution or consequences (be it formal or informal). The lack of deterrents usually expected from law enforcement agencies, justice systems, or peer judgments was mentioned by several experts. The absence of these deterrents provides a feeling of impunity to individuals involved in profit-driven cybercrime.

For example, Expert UA1300 stated: “you can realize that they [individuals involved in profit-driven cybercrime] do not care, because no one in this country has ever been jailed for doing something bad in cyber”, while Expert RO300 mentioned, “the local institution which investigates economic crime is still really, really badly organized”. Expert FR401 revealed how one individual involved in online economic crime texted him: “Okay you know, law enforcement in [country] they really suck at their job”. 

Expert MX1103 mentioned, “We know that the police enforcement doesn't have the skills nor the people to catch anyone doing anything”. This feeling of impunity due to law enforcement inefficiency was mentioned quite bluntly by Expert GB700 when talking about the organization behind profit-driven cybercrime: “So I think they're quite aware of that. I don't get a sense that, in terms of the more organized crime, the cash motivated cybercrime, I don't get the sense they have any fear about law enforcement whatsoever.”

The misaligned incentives of law enforcement agencies (such as having more pressing issues or international cybercrime arrests not being included in their statistics) were also mentioned as an explanation of law enforcement inefficiency. For example, Expert RO1001 said, “One, law enforcement individuals need to know. Second, they need to care. And third, they need to do something, and they probably have other more pressing issues.” Expert RU901 discussed how investigators were less likely to open an investigation in their country if there were no local victims, allowing individuals to target victims abroad without the threat of law enforcement. 

Expert TW502 also mentioned that some individuals involved in profit-driven cybercrime ended up moving from their origin country to other countries where law enforcement would not bother them. These individuals thus exploited loopholes across jurisdictions. Corruption was also raised as an issue by experts. For example, Expert UA1300 mentioned that there is no deterrence “because they know they can like pay money not to be jailed and to get this question solved.”  Expert RO1001 also stated that, if ever you feel threatened by the police, “You could also bribe them [law enforcement officials]. That's normal.” As stated by Expert MX1100, “If a policeman arrests you for something, you can give him some money to let you go and he will accept it”. 

In terms of peer judgments, Expert UA1300 mentioned that the absence of negative peer judgment may also be a factor influencing individuals: “It's an unsaid rule, not to judge a person at all […] It's just none of your business”. Expert AR600 mentioned that individuals committing online crimes considered that their actions were legal (i.e., legitimate) based on their own moral values: “it was legal to us”.

Drifting Means

To get involved in profit-driven cybercrime, one must start somewhere. Experts discussed various encounters, both in person and online, wherein individuals discovered that participating in profit-driven cybercrime was possible. Hence, the drifting means factor refers to encounters wherein individuals discover that participating in profit-driven cybercrime is possible. These encounters included, for example, knowing friends of friends, school recruitment, online advertising, and gaming. The term “drifting” ties to Matza’s (2017; 1990) work, which considers drifting as a state in which the tie binding self to legal expectations is broken. When one is relieved of moral restraints, crime becomes a possibility. The drifting means factor represents the third contextual factor that influences individuals to participate in profit-driven cybercrime, the factor that leads to crime participation. 

Drifting by knowing a “friend of a friend” was a common element mentioned by experts. For example, Expert RO300 said, “You always have a friend of a friend of a friend who's doing something weird, and you can have money, if you need something just ask… Social friend or a friend of a friend.” Expert RO300 even referred to Granovetter’s (1985) theory of strength of weak ties and stated: “it's not necessarily your closest friends but someone who knows someone who knows someone...”  who may lead one to be involved in such activities. Also, being recruited at school was often mentioned by experts. For example, Expert FR402 stated that some individuals “are just students and they are recruited [by groups involved in profit-driven cybercrime] every year on different campuses”. In an extreme example, Expert CZ800 said, “There is some department at Technical University which is full of hackers groups, great ones, and they recruited some of these guys to help them build these online operations.” On a more personal level, Expert RU100 mentioned that someone tried to recruit her engineering friend to write malware at school: “He was studying with a guy who tried to recruit him to write malware”. Expert RO300 also mentioned that, at her high school, individuals were actively recruiting students to participate in illicit online activities, as the school was well known as a good computer science school at the national level. Alternatively, Expert CZ800 mentioned that criminal groups involved in profit-driven cybercrime recruited individuals straight from the street. He gave an example of a person he knew who:

“[…] was just jogging in the street and they [individuals from the organized group] noticed that his clothes were kind of old, so they understood that he can be one of the guys. And they turned him into the money mule, actually.”

Drifting through online means was also mentioned. Many statements referred to online recruitment through online advertising using legitimate, well-known channels and platforms. Expert FR402 supported this idea quite clearly: “They look for people who are looking for jobs in famous job websites”. Expert FR401 also mentioned, “They are recreating news on Instagram, mostly. Saying, okay you want to make some money okay create an account in that bank”. Even the large French job website Poll Emploi was leveraged, according to that same expert: “They successfully created an account on the Poll Emploi website and posted the job offer and I guess they successfully recruited mules from the National Job Offer web portal”.

Expert FR402 talked about how online advertising was used to recruit freelancers and employees with ads like “You want to work for a remote company with commission? You will receive the money and you will have to send the money back somewhere and you will have a commission with the money transferred”. Expert RU900 stated bluntly: “There are a lot of online jobs and they're posted by cyber criminals” as well as “I mean, if you see the online jobs, it’s easy to see some things that are fishy because usually they pay more than others and they don't have proper contacts”, meaning that they will ask to be contacted via informal networks like jabber, ICQ or Proton mail. Expert RU901 also said, “Actually we saw a lot of postings on job sites searching for a good developer with knowledge of low-level Windows architecture, and yeah, it looked shady.” Expert MX1101 similarly mentioned seeing postings for job offers to recruit individuals in criminal activities. Expert FR401 told a story where a woman told him:

“[…] ‘someone is asking me to translate that message, but I am not sure it is legal and can you give me some advice?’ And it was a message about that ransomware targeting la Gendarmerie Nationale, you know!?”

The woman was thus interested in a translation job offer that asked her to translate a ransomware note targeting the French police! On the other hand, Expert MX1102 talked about receiving messages asking him if he would be willing to do some “extra work”, which was clearly illegal, according to him, such as “Hey, I like your skills, I like your history. I know who you are. And I would like to propose you with a deal”. This expert illustrated that online recruitment may be not only passive, via online ads, but also active, with individuals messaging others with shady offers.  

Finally, online gaming also represents a means of drifting towards profit-driven cybercrime. Expert EN700 mentioned, “Look, I know computer gamer sounds weird and sounds niche, but you've got to realize this is the training ground”. That expert discussed how there is a crossover between gaming, hacking and crime. Gamers want to hack the game they play, and their curiosity leads them to underground forums and down-the-rabbit-holes of participating in the community and conducting illicit activities. Expert FR402 corroborated this hypothesis, mentioning: “So in Germany, so it’s mostly kids and as you said they played Minecraft and they have to DDoS the server to each other and quickly you understand that buying a stolen credit card is super easy”. Similarly, Expert RU900 mentioned: 

“All right, like a lot of young people, they develop malware for games. And then they never get caught. And then a few years pass, and they start to do malware stuff, stealing credit cards and things like that.”

The Perceived Structure of Groups behind Profit-Driven Cybercrime

Throughout the interviews, how experts perceived the structure of groups behind profit-driven cybercrime varied, both across experts and within an expert’s discourse. There were also mentions of individuals positioned at the periphery of such groups. We discuss these findings below. 

Organized Crime  

Sometimes, experts presented groups behind profit-driven cybercrime as organized crime groups. In such depictions, the groups were structured, with everyone having a well-defined role and knowing each other from the “offline world”. Some of the groups discussed by experts formed due to the emergence of online crime opportunities following the democratization of IT. These groups were considered as knowledgeable on online money stealing processes and techniques. Expert RU901 depicted them as “more mature criminals, actually criminals who know the drill and who know how to organize this pyramid of people and how to actually make money out of it,” while Expert FR402 stressed their maturity: “From everyone I saw, it was people aged forty+. Nobody under forty I saw”. Similarly, Expert GR200 argued that such groups were formed of “Old kind of people; you know that they have not just graduated from University but are rather part of an organization that has been known for a while”. The relative size of such groups, in terms of the number of people, was also perceived as limited. For example, Expert RU900 mentioned that “when one of them [crime groups] gets caught, you can count them on one hand”. Similarly, Expert FR402 mentioned that, considering only Russia, the sum of individuals involved in such groups represented fewer than 100 people: “like those people who will take the lead and are the top of the top, those people are the very few”. However, according to experts, these individuals were successful at what they did, which explained why they stayed within such a business for many years. For example, Expert RU900 mentioned: “They're very rich, they have the resources to do this [sophisticated criminal schemes]”. Similarly, Expert FR402 said that these groups are the ones we hear the most about; they are the ones “making one or two million a month” and they meet “in yachts and big hotels and pictures of their parties with cocaine and drugs get leaked to the media”. 

Some organized groups mentioned by experts were also “traditional” criminal groups, such as drug cartels, who sought online crime opportunities. Expert RU901 mentioned that, in many cases, when a criminal group was uncovered, “several members came from traditional crime”. Alternatively, Expert MX1103 talked about how traditional drug cartels were recruiting tech savvy individuals, stating: “So basically a lot of drug cartels here in [country] are so interested [in technical abilities], they find that they need to recruit these kinds of guys”.


The second type of structure perceived by experts was enterprises: either groups organized as enterprises or actual enterprises. The first of these comprised criminal groups with employees and an enterprise-like structure. For example, Expert FR402 talked about an individual working as an employee for a criminal group “to steal from banks from different countries and have a commission, a salary”.  Similarly, Expert RU901, when talking about an individual developing malware for a criminal group, mentioned that the work was like a “day-to-day job”. That same expert referred to individuals responsible for cashing out money as “low-level personnel”, using the word “personnel” and so reflecting the idea of their being enterprise workers. Expert RO1001 went even further in the analogy, mentioning that those behind profit-driven cybercrime “are organized just like normal companies with CEO, CTO and marketing departments.” 

There were also mentions of actual enterprises involved in profit-driven cybercrime. Expert FR400 experienced an attack on infrastructure and, upon investigating the threat, found that the organization behind it was a legal company. An analogy of companies with a double identity, legitimate activities and illegitimate activities, was also found in the discourse of experts. For example, Expert RO1001 mentioned, […] there are companies in Russia that have, for instance, two floors. One floor is a legitimate tech business, and the other floor is a non-legitimate tech business”. Expert IN1200 also talked about double-identity companies subcontracting individuals who “are not aware of the company's operation or whatever the company is doing” because “they are not actually aware of this stuff, whether it's legal or illegal since they are like a kind of employee for that company. For them like they are just getting money to do that job.” Expert MX1100 similarly told a story of a legal enterprise that installed ATMs across a city with skimmers built into them. By the time the enterprise was caught, the money had been stolen and reinvested in the legal sphere. 

Loose Networks 

Experts also perceived the organization behind profit-driven cybercrime as loose networks of entrepreneurs seeking to associate for business opportunities. Such discourse was tied to the idea of specialization (referring to separation of tasks in the cybercrime industry) and how online convergence settings were used to find business associates. For example, when Expert RU901 discussed the organization behind profit-driven cybercrime, he mentioned the separation of tasks; for instance, “the programmers are completely disconnected from the people who are selling it actually”. In this discourse, programmers were seen as entrepreneurs who associated only for a contract; they were not part of an organization. Expert FR402 expanded on an individual who developed a banking Trojan that targeted French banks. That individual started by selling “his malware, but he was mocked on different forums. So, he decided to run his business on his own […] and started making a lot of money”. According to the expert, that individual moved to Ukraine and found a way to buy fake identities and passports, as well as ways to launder the stolen money through mule accounts. He was depicted as an independent entrepreneur with a good network. 


Experts also talked about online communities driving profit-driven cybercrime. There were mentions of “attacker community”, “underground hacker community”, and “there is a big community, you know, people who write malware and they are teaching for free” (Expert RU900). Some of these underground communities were considered exclusive, as Expert RU901 mentioned: “The real business is happening in the underground forums, which is hard to access”. Similarly, Expert FR401 stressed that “You have to prove yourself to enter this kind of stuff so it's very difficult for any company or for any guy like me to enter in those”. These communities were seen as a place where entrepreneurs could do “serious business” rather than “sell already hacked computers, already stolen cards and stuff like that” (Expert RU901). Expert RU901, in the previous statement, referred to underground platforms open to anyone. 

Other communities were less profit-driven and more knowledge- sharing, as in the statement above referring to individuals teaching each other for free. Expert AR600 also talked about a community where “a lot of methodologies on how to get money was shared”, and the person in that community said: “This was the first time that I felt in a community. […] I do not know. It was really nice”. 

Workforce at the Periphery

We also noticed mentions of individuals evolving at the periphery of profit-driven cybercrime groups (regardless of their structures), meaning that these individuals were not part of the groups as active protagonists; they only completed various tasks for them. This workforce encompassed a wide range of individuals mentioned by experts, from IT professionals seeking work contracts to translators (like the woman who responded to a job offer on Poll Emploi) to those transferring the money (i.e., money mules). 

Several experts mentioned how one could end up involved in profit-driven cybercrime by accepting contracts that could be considered legitimate at first. For example, Expert RU901 mentioned that groups behind profit-driven cybercrime “hire, like pentesters and those people [penetration testers] they do not know that they are actually doing cybercrimes”. As Expert RU100 also stated: “to run a botnet, you need to have servers and all the servers they need to be taken care of by administrators. They need programmers and programmers need to write good code”. Similarly, Expert RO300 mentioned: 

“Yeah, perhaps you just do a little job for them first and you get paid, and you don't really know that you've done something illegal and then it's like, hey, it's just a grey zone, or they won't really deny that money, and so on. And, yeah, it's a step-by-step kind of thing”.

Slowly, these individuals might drift into crime, as mentioned by Expert UA1300: 

“Some of them have started their activity unconsciously, as a freelancer. So, they were just sort of, you know, advertising their services and someone has contacted them. And they started to work and after that, they realized what was it like, and... But there was no sense to sort of give it up”.

Such a depiction was corroborated by Expert RU900, who stated: “They give you, like some testing tasks. You do things, they pay you. And they, and then they say, okay, we are doing something different. Like we're doing malware”. Based on experts’ discourses, those actively involved in such crime contracted workers without being entirely honest on the illicitness of the activities. This was possible because specific activities surrounding profit-driven cybercrime were not necessarily illegal at first sight, such as developing websites or setting up servers. 

Alternatively, middlemen to hide criminal tracks were also needed and often mentioned by experts. For example, Expert FR402 talked about a scheme that bought goods with stolen online accounts and in which someone was hired as a quality manager to receive the goods:

“So, you are hired to be a quality manager and you receive packages. You have to open the packages and make sure that everything is right, and you send the packages somewhere else and that is your job”.

Money mules were also mentioned as necessary middlemen. These individuals were perceived as the ones who “get caught because they leave most traces, and it's easy to find them,” as mentioned by Expert RU901. Expert EN700 mitigated that statement, stating that the risks might not be very high for them: “Finding mules is not really difficult. Mules will take all the risk, but the risks are not so burdensome”. Similarly, Expert FR401 mentioned that, in his experience, mules were not found guilty when caught because of the suspicion that the individuals might not be aware that the money cashed out was stolen. Overall, the mention of these workers, be they money mules or IT professionals, suggested that, for profit-driven cybercrime schemes to succeed, there might be more individuals involved than only motivated offenders. 


This study sheds light on contextual factors, group structures and the peripheral workforce behind profit-driven cybercrime through the perspective of cybercrime experts. We discuss the results in relation to the literature below.

The Triad of Contextual Factors

The first factor, lack of legal economic opportunities, refers to situations where individuals do not have interesting legal opportunities to exploit their skills, leading them to participate in such profit-driven crime. This factor is not explicitly mentioned in previous research on the mobility of criminal groups but is mentioned in four studies on profit-driven cybercrime (Lusthaus, 2019; 2018; Lusthaus and Varese, 2021; Kshetri, 2010). Moreover, this factor recalls Merton (1938)’s seminal work on Social Structure and Anomie, and specifically strain theory. Strain theory states that individuals are more likely to pursue illegitimate means to attain desirable cultural goals when they cannot do so through legitimate means. To explain how individuals adapt to patterns of goals and means, Merton (1938) sketched five modes of adaptation. Of interest to our findings is the innovation adaptation, which represents individuals who embrace cultural goals but are blocked from legitimate avenues to attain such goals. This blockage leads them to reject the legitimate means (as opposed to the goal) and to find new avenues, to innovate, to achieve their goals. Specifically, the factor lack of legal economic opportunities links to Merton’s idea that a differential access to legal opportunities may lead individuals to innovate and find other means to achieve their goals. In a context where there is a lack of legal opportunities to achieve economic goals, individuals may turn to criminal opportunities and, in such a situation, crime becomes a means to pursue an end – to make money. In such a perspective, crime participation is a product of society’s forcing individuals to do things that individuals would not do otherwise (Bernard, 1984). This line of thinking opens research avenues toward understanding what concentration of legal economic opportunities can deter most individuals from participating in profit-driven cybercrime. 

The second factor, lack of deterrents, encompasses elements that lead to a feeling of impunity for individuals committing criminal activities. Impunity means being exempt from punishment for actions that usually are considered to deserve punishment. Mechanisms that lead to this feeling of impunity mentioned by experts include law enforcement inefficiency, lack of peer judgments (social norms/moral condemnations), and the possibility of corrupting law enforcement. These mechanisms have also been identified as major factors influencing crime (Morselli et al.2011; Paoli et al. 2009; Tremblay et al. 2009; Tremblay et al. 1998) and cybercrime participation (Lusthaus, 2019; 2018; Lusthaus and Varese, 2021; Kshetri, 2010). Hence, the lack of deterrents factor encompasses these factors as they are all related to a feeling of impunity. Moreover, note that the lack of deterrents that induces a feeling of impunity recalls Stafford and Warr’s (1993) argument that avoiding punishment increases the chances of committing more crime in the future. According to these authors, avoiding punishment may do more to encourage criminal behavior due to the actor’s feeling “immune” to consequences (p.125). Hence, the lack of deterrents leading to a strong feeling of impunity could even encourage cybercrime participation over time. Further research should look at how this feeling of impunity develops over time, in relation with both perceived law enforcement efficiency and social norms/moral condemnations.

The third factor, drifting means, refers to an encounter wherein individuals discover that participating in profit-driven cybercrime is possible. Encounters mentioned by experts were multiple, including friends at schools, online advertising platforms, or gaming activities. Drifting means encompasses the factor “the presence of other offenders”, identified in previous research on the contexts behind cybercrime (Lusthaus, 2019; 2018; Lusthaus and Varese; 2021; Kshetri, 2010). Specifically, we define the drifting means factor as involving three steps: 1) encountering a situation or a space where individuals participate in profit-driven cybercrime, 2) realizing that participating in such crime is possible, and 3) participating. Thus, the term “drifting” ties to Matza’s (2017; 1990) work, which considers drifting as a state in which the tie binding self to legal expectations is broken. When one is relieved of moral restraints, crime becomes a possibility. The factor drifting means implies this drift state, but also a condition that triggers the will to participate in crime. Further research should investigate such drifting processes as an attempt to understand whether specific drifting means (knowing friends or being recruited, for example) are more likely to facilitate crime participation than others.

Moreover, Matza’s (2017; 1990) concept was revisited in Goldsmith and Brewer’s (2015) work on digital drift. The authors argued that online encounters lead to unstable relationships due to the possibility of online pseudo anonymity and the few consequences faced when engaging in and disengaging from online relationships. Hence, based on Goldsmith and Brewer’s (2015) work, online drifting means identified in this study could facilitate engagement and disengagement processes into and from cybercrime, especially compared to offline means. Further studies could investigate the differences between offline and online drifting means.

Lastly, note that factors such as internet accessibility (or internet penetration) and a large population with IT skills, identified in previous research on cybercrime (Lusthaus 2019; Lusthaus and Varese, 2021, Kshetri, 2010; Kiegler, 2013; 2016), were not identified in this study. This is because these factors represent necessary conditions for profit-driven cybercrime to be prevalent in a geographic region rather than contextual factors influencing individuals to participate in profit-driven cybercrime, as sought in this study. Also, Keigler (2013; 2016)’s finding that wealthier nations (with higher GDP) have higher cybercrime prevalence was not corroborated in this study. Wealth may be another proxy for internet penetration. Moreover, whether some countries are considered “wealthier” than others depends on which countries are included in the analysis. Further investigation (and conceptualization) on the topic is thus needed.

Group Structures and Beyond

Results from the interviews also illustrated various group structures behind profit-driven cybercrime. These are not isolated perceptions, as the literature illustrates that many scholars have conceptualized profit-driven cybercrime groups through these various structures as well, from organized crime to enterprises, loose networks, or communities. 

For example, there have been several accounts of organized crime groups behind profit-driven cybercrime (Leukfeldt et al. 2020; Bulanova-Hristova et al. 2016). Lusthaus and Varese (2021) also discussed how IT accessibility coupled with the fall of the Soviet Union has led to the creation of organized carder groups. On the other hand, groups behind profit-driven cybercrime have also been conceptualized as firms (Lusthaus et al., 2022) and even as firms with offices, floors, and workers (Lusthaus, 2018) or as loose and flexible networks of individuals in both online spaces (Décary-Hétu and Dupont 2012; Dupont et al. 2016) and offline spaces (Leukfeldt et al. 2019; Leukfeldt, Lavergne and Kleemans 2017; Leukfeldt et al. 2017a, b, c, d; Leukfeldt 2014). The organization of such individuals as communities was also mentioned in previous research on underground platforms (Dupont 2019; Holt and Dupont 2019). 

All in all, these perceived structures represent different angles of a complex social phenomenon. Which structure is also reported likely depends on the observer’s perspective. Bouchard and Morselli (2014) discussed how being involved in criminal activities is a resource-pooling process, with small groups embedded in larger networks. These various structures likely reflect a version of the reality of such resource-pooling processes. Moreover, the structure of criminal groups may also depend on the origin of the individuals involved, their contexts. This is important considering the local embeddedness of groups involved in profit-driven cybercrime (Lusthaus 2018; Leukfeldt et al. 2017a,b,c,d; Leukfeldt 2014). The three contextual factors identified above could be of interest to further research interested in understanding why and how specific group structures emerge in specific contexts.

Workers at the Periphery of Profit-Driven Cybercrime

Throughout the interviews, individuals involved in various tasks surrounding profit-driven cybercrime, such as transferring packages on behalf of a group, managing website servers, or laundering money, were often mentioned by experts. This workforce did not represent motivated offenders behind the cybercrime, those who thought of the whole scheme, but rather a necessary instrument or a needed accessory for the scheme to be complete. The presence of the workforce at the periphery echoes the concept of “economic influence” discussed by Tremblay et al. (2009). Economic influence captures the effect of a criminal organization outside of its specified boundaries (p.4-5). A small organization can thus have a relatively large sphere of economic influence, reaching many individuals working in the market or in its periphery.

Several studies focused on the organization of profit-driven cybercrime online have highlighted how profit-driven cybercrime is now characterized by specialization (Lusthaus, 2018; Collier et al. 2020; 2021; Moore et al., 2009 and more). Hence, individuals do not have to know the whole crime script, but rather need only to specialize in one task and outsource the remaining ones. For example, Lusthaus et al. (2022) studied the group behind the Gozi banking malware and concluded that the core members of the group included about six people, while the other individuals involved were rather contractors/freelancers. Numerous studies also mentioned groups who, in order to orchestrate their criminal schemes, recruited individuals from the IT sector (Collier et al. 2020; 2021; Leukfeldt, Kleemans and Stol 2017a, b, c, d). Moreover, Collier (2021; 2020)’s finding stressed that a great number of tasks linked to profit-driven cybercrime are outsourced to low-paid contractors who do the “invisible” work that is or resembles legitimate work.

Hence, the literature indicates that those behind profit-driven cybercrime take advantage of the specialization trend and outsource many tasks (Lusthaus, 2018; Collier et al. 2020; 2021; Moore et al., 2009 and more). The findings of this study raise further questions on this hiring/contracting process and on the willingness of many of these workers to knowingly -or at least voluntarily or with explicit consent- participate in profit-driven cybercrime. That workers end up participating in cybercrime may be because many tasks behind cybercrime are not “criminal” at first sight, such as translating texts or developing websites (Leukfeldt et al., 2020; Bijlenga and Kleemans, 2018). As stated by Leukfeldt et al. (2020): “The criminal character does not have to be clearly visible to the person concerned or it can be denied afterward” (p.6). Further research should look into this recruiting mechanism and to what extent many of these contractors or freelancers are willing to contribute to cybercrime. Also, when deciding whether to accept a task that looks shady at first sight, these workers may be influenced by the same contextual factors pinpointed above: lack of legal economic opportunities, lack of deterrents, and drifting means.

The results also highlight that some of these workers were recruited through public channels, as opposed to cybercrime platforms reported in cybercrime studies. Recently, Paquet-Clouston et al. (2022) found that a public forum population on internet marketing had cybercrime connections. Hence, public forums gathering freelancers who are looking for economic opportunities may be part of the sphere of economic influence of profit-driven cybercrime groups. Further research should investigate these online grey spaces that may represent channels to recruit such workers.

Finally, whether specific group structures lead to further exploiting this workforce could be further researched. For example, organized or enterprise-like groups may be more inclined to take advantage of these workers, compared to groups formed organically through loose networks or communities.


Through semi-structured interviews with cybercrime experts, this study corroborates key findings on contextual and organizational dynamics behind profit-driven cybercrime. In sum, three contextual factors are developed, which relates to the literature on both crime (Morselli et al., 2011; Paoli et al., 2009; Tremblay et al., 2009; Reuter, 1983; Tremblay et al., 1998; Dewey, 2016) and cybercrime participation (Lusthaus, 2019; 2018; Lusthaus and Varese, 2021; Kshetri, 2010). The lack of legal opportunities factor explains why individuals might be interested in profit-driven cybercrime, while the lack of deterrents factor implies a feeling of impunity and explains that, in certain contexts, individuals may not be deterred from participating in such activities due to law enforcement inefficiency, lack of peer judgments (social norms), and the possibility of corrupting law enforcement. The third factor, the drifting means factor, explains how one may end up in such activities. Settings where the three contextual factors converge are settings where there might be a high proportion of individuals involved in such crime. Lusthaus et al. (2020) highlight the need to develop a global cybercrime index to better understand the geographies of cybercrime. With such an index, assessing where these three factors converge in space and quantifying their relative influence on cybercrime prevalence should be of interest to further research.

In terms of organizational dynamics, the study finds that experts perceived groups behind profit-driven cybercrime either as organized, enterprise-like, loose networks or communities. Such structures have also been reported in previous studies on the organization of profit-driven cybercrime (see p.30 for review) and illustrate various resource-pooling processes (Bouchard and Morselli, 2014). Studying how and why specific structures emerge, given the local and offline dimension of cybercrime groups (Lusthaus and Varese, 2021), should be of interest to further research. Potentially, the contextual factors identified above play a role in determining the prevalence of each structure in a specific geographic region.

Beyond these organizational forms, the study emphasizes that groups behind profit-driven cybercrime have a large sphere of economic influence, hiring various workers to help them with crime orchestration, from developing websites to translating texts. The presence of such workers involved in the crime orchestration has been reported in studies on profit-driven cybercrime (Lusthaus et al., 2022; Collier et al. 2020; 2021; Leukfeldt et al., 2019; Leukfeldt, Kleemans and Stol 2017a, b, c, d, Bijlenga and Kleemans, 2018). However, this study highlights how some of these workers may not have willingly consented to participate in cybercrime, at least at first contact when they started working. Further research should look into how peripheral workers, such as contractors or freelancers, end up participating in profit-driven cybercrime.


Bernard, T. J. (1984). Control criticisms of strain theories: An assessment of theoretical and empirical adequacy. Journal of Research in Crime and Delinquency21(4), 353-372.

Bijlenga, N., and Kleemans, E. R. (2018). Criminals seeking ICT-expertise: an exploratory study of Dutch cases. European Journal on Criminal Policy and Research24(3), 253-268.

Bogner, A., and Menz, W. (2009). The theory-generating expert interview: epistemological interest, forms of knowledge, interaction. In Bogner, A., Littig, B and Menz, W. (Eds.) Interviewing experts (pp. 43-80). London: Palgrave Macmillan.

Bouchard, M., and Morselli, C. (2014). Opportunistic Structures of Organised Crime. In The Oxford Handbook of Organised Crime. Oxford University Press.

Boyatzis, R. E. (1998). Transforming qualitative information: Thematic analysis and code development. London: Sage.

Braun, V., and Clarke, V. (2006). Using thematic analysis in psychology. Qualitative Research in Psychology, 3(2), 77–101.

Bulanova-Hristova, G., Kasper, K., Odinot, G., Verhoeven, M., Pool, R., de Poot, C., Werner, Y., and Korsell, L. (2016). Cyber-OC – Scope and manifestations in selected EU member states. 298.

Collier, B., Clayton, R., Hutchings, A., and Thomas, D. (2020). Cybercrime is (often) boring: Maintaining the infrastructure of cybercrime economies.

Collier, B., Clayton, R., Hutchings, A., and Thomas, D. (2021). Cybercrime is (often) boring: Infrastructure and alienation in a deviant subculture. The British Journal of Criminology, 61(5), 1407–1423.

Cressey, D. R. (1969). Theft of the Nation: The Structure and Operations of Organised Crime in America. Transaction Publishers.

Décary-Hétu, D., and Dupont, B. (2012). The social network of hackers. Global Crime, 13(3), 160–175.

Dewey, M. (2016). Porous borders: The study of illegal markets from a sociological perspective (Working Paper No. 16/2). MPIfG Discussion Paper.

Dupont, B. (2019). The ecology of cybercrime. In The Human Factor of Cybercrime. Routledge.

Dupont, B., Côté, A.-M., Savine, C., and Décary-Hétu, D. (2016). The ecology of trust among hackers. Global Crime, 17(2), 129–151.

Goldsmith, A., and Brewer, R. (2015). Digital drift and the criminal interaction order. Theoretical Criminology19(1), 112-130.

Granovetter, M. (1985). Economic Action and Social Structure: The Problem of Embeddedness. American Journal of Sociology, 91(3), 481–510.

Holt, T. J., and Dupont, B. (2019). Exploring the Factors Associated with Rejection from a Closed Cybercrime Community. International Journal of Offender Therapy and Comparative Criminology, 63(8), 1127–1147.

Hutchings, A., and Holt, T. J. (2015). A Crime Script Analysis of the Online Stolen Data Market: Table 1. British Journal of Criminology, 55(3), 596–614.

Kigerl, A. (2016). Cyber Crime Nation Typologies: K-Means Clustering of Countries Based on Cyber Crime Rates. International Journal of Cyber Criminology10(2). Retrieved March 15th, 2023 from:

Kigerl, A. (2012). Routine activity theory and the determinants of high cybercrime countries. Social science computer review30(4), 470-486.

Kshetri, N. (2010). Diffusion and effects of cyber-crime in developing economies. Third World Quarterly, 31(7), 1057-1079.

Leukfeldt, E. R. (2014). Cybercrime and social ties. Trends in organised crime17(4), 231-249. 

Leukfeldt, E. R., Kleemans, E. R., Kruisbergen, E. W., and Roks, R. A. (2019). Criminal networks in a digitised world: on the nexus of borderless opportunities and local embeddedness. Trends in Organised Crime22(3), 324-345.

Leukfeldt, E. R., Kleemans, E. R., and Stol, W. P. (2017a). Cybercriminal networks, social ties, and online forums: Social ties versus digital ties within phishing and malware networks. The British Journal of Criminology57(3), 704-722.

Leukfeldt, E. R., Kleemans, E. R., and Stol, W. P. (2017b). Origin, growth, and criminal capabilities of cybercriminal networks. An international empirical analysis. Crime, Law, and Social Change67(1), 39-53. 

Leukfeldt, E. R., Kleemans, E. R., and Stol, W. P. (2017c). A typology of cybercriminal networks: from low-tech all-rounders to high-tech specialists. Crime, Law, and Social Change67(1), 21-37.  

Leukfeldt, R., Kleemans, E., and Stol, W. (2017d). The use of online crime markets by cybercriminal networks: A view from within. American Behavioral Scientist, 61(11), 1387-1402. 

Leukfeldt, E. R., Kruisbergen, E. W., Kleemans, E. R., and Roks, R. A. (2020). Organised financial cybercrime: Criminal cooperation, logistic bottlenecks, and money flows. The Palgrave Handbook of International Cybercrime and Cyberdeviance, 961-980.

Leukfeldt, E. R., Lavorgna, A., and Kleemans, E. R. (2017). Organised cybercrime or cybercrime that is organised? An assessment of the conceptualisation of financial cybercrime as organised crime. European Journal on Criminal Policy and Research23(3), 287-300.

Leukfeldt, E. R., and Yar, M. (2016). Applying routine activity theory to cybercrime: A theoretical and empirical analysis. Deviant Behavior, 37(3), 263-280. 

Llinares, F. M., and Johnson, S. D. (2018, September 14). Cybercrime and Place. The Oxford Handbook of Environmental Criminology.

Lusthaus, J. (2019). Modelling cybercrime development: the case of Vietnam. In Leukfeldt, R. and Holt, T. (eds.) The human factor of cybercrime (pp. 240-257). Routledge: London.

Lusthaus, J. (2018). Industry of Anonymity: Inside the Business of Cybercrime. Harvard University Press.

Lusthaus, J., Bruce, M., & Phair, N. (2020, September). Mapping the geography of cybercrime: A review of indices of digital offending by country. In 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (pp. 448-453). IEEE. 10.1109/EuroSPW51379.2020.00066

Lusthaus, J., Van Oss, J., & Amann, P. (2022). The Gozi group: A criminal firm in cyberspace?. European Journal of Criminology,

Lusthaus, J., and Varese, F. (2021). Offline and Local: The Hidden Face of Cybercrime. Policing: A Journal of Policy and Practice, 15(1), 4–14.

Maimon, D., & Louderback, E. R. (2019). Cyber-dependent crimes: An interdisciplinary review. Annual Review of Criminology2(1), 191-216.

Matza, D. (2017). Delinquency and Drift. Routledge.

Merton, R. K. (1938). Social structure and anomie. American Sociological Review, 3(5), 672–682.

Merton, R. K. (1968). Social Theory and Social Structure (The Free Press). The Free Press.

Moore, T., Clayton, R., and Anderson, R. (2009). The Economics of Online Crime. Journal of Economic Perspectives, 23(3), 3–20.

Morselli, C. (2009). Inside Criminal Networks (1st edition). Springer.

Morselli, C., and Giguere, C. (2006). Legitimate Strengths in Criminal Networks. Crime, Law, and Social Change, 45(3), 185–200.

Morselli, C., Giguère, C., and Petit, K. (2007). The efficiency/security trade-off in criminal networks. Social Networks, 29(1), 143–153.

Morselli, C., Turcotte, M., and Tenti, V. (2011). The mobility of criminal groups. Global Crime, 12(3), 165–188.

Moseley, L., and Mead, D. (2001). Considerations in using the Delphi approach: Design, questions, and answers. Nurse Researcher, 8(4), 24–37.

Paoli, L., Greenfield, V. A., and Reuter, P. (2009). The World Heroin Market: Can Supply be Cut? Oxford University Press, USA.

Paquet-Clouston, M., Paquette, S. O., Garcia, S., & Erquiaga, M. J. (2022). Entanglement: cybercrime connections of a public forum population. Journal of Cybersecurity8(1),

Reuter, P. (1983). Disorganised Crime: Illegal Markets and the Mafia. MIT Press.

Stafford, M. C., and Warr, M. (1993). A reconceptualization of general and specific deterrence. Journal of research in crime and delinquency30(2), 123-135.

Tremblay, P., Bouchard, M., and Petit, S. (2009). The size and influence of a criminal organization: A criminal achievement perspective. Global Crime, 10(1–2), 24–40.

Tremblay, P., Cusson, M., and Morselli, C. (1998). Market offenses and limits to growth. Crime, Law, and Social Change, 29(4), 311–330.


Table 1 – Experts Professional Positions 

N = 22



Cybersecurity specialists at anti-virus companies (e.g., malware analysts)


Cybersecurity specialists at banks


Cybercrime group investigators at threat intelligence companies


Cybercrime group investigators for government agencies 


Journalists specialised in technology and crime


Independent contractors investigating cybercrime groups 


Head of communication for a cybersecurity company 


Malware researcher who did not specify the company he worked for

Table 2 – Experts Geographic Location








Czech Republic






















No comments here
Why not start the discussion?