On the Motivations and Challenges of Affiliates Involved in Cybercrime
by Masarah Paquet-Clouston and Sebastian Garcia
Published on Jan 01, 2023
The cybercrime industry is characterised by work specialisation to the point that it has become a volume industry with various “as-a-service” offerings. One well-established “as-a-service” business model is blackmarket pay-per-install (PPI) services, which outsource the spread of malicious programmes to affiliates. Such a business model represents the archetype of specialisation in the cybercrime industry: a mass of individuals, known as affiliates, specialise in spreading malware on behalf of a service. Extant literature has focused on understanding the scope of such a service and its functioning. However, despite the large number and aggregate effect of affiliates on cybercrime, little research has been done on understanding why and how affiliates participate in such models. This study depicts the motivations and challenges of affiliates spreading Android banking Trojan applications through a blackmarket PPI service. We conducted a thematic analysis of over 6,000 of their private chat messages. The findings highlight affiliates’ labour-intensive work and precarious working conditions along with their limited income, especially compared to their expectations. Affiliates’ participation in cybercrime was found to be entangled between legal and blackmarket programmes, as affiliates did not care about programmes’ legal status as long as they yielded money. This study contributes to the literature by providing additional evidence on the downsides of work specialisation emerging from the cybercrime industry.
The cybercrime industry is characterised by specialisation and professionalisation trends, with a large variety of cybercrime services easily available through a few clicks (Grier et al. 2012; Huang et al. 2018; Manky 2013; Sood and Enbody 2013; Thomas et al. 2015; van Wegberg et al. 2018; Hutchings and Holt 2015; and more). Various “as-a-service” cybercrime business models, such as ransomware-as-a-service, are currently thriving (Kamil et al. 2022). Other well-established “as-a-service” business models within the cybercrime industry are blackmarket pay-per-install (PPI) services (Manky 2013). Such services outsource the spread of malware to affiliates (Caballero et al. 2011; Doshi et al. 2010; Kotzias et al. 2016; Kotzias and Caballero 2017; Stevens 2009). Affiliates are individuals at the bottom of cybercrime supply chains who specialise in the spread of unwanted programmes and are paid for each successful installation. Extant literature has investigated the structure of PPI services and their impact on end-users (Caballero et al. 2011; Rossow et al. 2013; Kotzias et al. 2016; Thomas et al. 2016; Kotzias and Caballero 2017). However, while affiliates represent a large number of individuals who contribute daily to the cybercrime ecosystem, little is known about this workforce. So far, only Collier et al. (2020; 2021) have focused on a similar workforce: the authors studied individuals who maintain cybercrime infrastructures and showed that work specialisation (observed in the cybercrime industry by Anderson et al. (2019) and Moore et al. (2009)) is changing the industry, pushing individuals into monotonous and low-paid tasks.
Affiliates are the archetype of such work specialisation, yet little is known about their motivations and challenges when participating in the cybercrime industry. Understanding why and how affiliates participate in blackmarket PPI services can inform policies on the prevention of cybercrime participation for this population. This is especially relevant considering that affiliates represent a large population (Manky, 2013) that greatly contributes to the diffusion of malware (Caballero et al. 2011; Rossow et al. 2013; Kotzias et al. 2016; Thomas et al. 2016; Kotzias and Caballero 2017). Hence, to shed light on this specific population, the objective of this study is to depict the motivations and challenges of affiliates involved in a blackmarket PPI service.
To do so, we used a leaked private chat log of a small group of individuals involved in spreading malicious Android applications on behalf of a blackmarket PPI service. The chat log contained 32 one-to-one conversations between one individual, named the Main Entrepreneur in this study, and 31 of his business partners, totalling 6,249 messages over 11 months. We conducted a thematic analysis of the conversations, which led us to develop four large themes: 1) facing a hostile business environment, 2) amateur work, 3) being lenient towards criminality and 4) seeking money and economic independence. These themes are supported with sub-themes and quotations in the results section.
From these themes and sub-themes, we find that the affiliates studied were involved in labour-intensive work and faced precarious working conditions. Their participation in the cybercrime industry translated into conducting tedious tasks, such as constantly changing and obfuscating malicious applications to avoid detection or continuously filling websites with fake content to make them look legitimate. Affiliates also faced precarious working conditions: payments from the blackmarket PPI service were uncertain and their business partners unreliable, creating a challenging business environment to work in. Moreover, as the blackmarket PPI business model paid affiliates only for successful installations, affiliates had to bear the costs of all unsuccessful installations. These findings are in accordance with Collier et al.’s (2020; 2021) argument that the cybercrime industry is now filled with low-paid workers conducting tedious tasks. Affiliates’ precarious working conditions further corroborate Collier et al.’s (2020; 2021) argument that work specialisation emerging from the cybercrime industry (as a volume industry) has started to reproduce the divisions of labour, cultural tensions and conditions of alienation found in mainstream capitalist economies (Collier et al. 2021, p.1,408).
Affiliates were also found to earn limited income, especially compared to their expectations. Meanwhile, according to a previous study ([anonymised for review purposes]), those behind the blackmarket PPI service had access to millions of euros through compromised bank accounts. Hence, the findings of this study suggest that there exists great income inequality within the cybercrime industry. Such income inequality has been observed in traditional criminal settings (Levitt and Venkatesh 2000; Tremblay and Morselli 2000) and relates to Collier et al.’s (2020; 2021) findings on the state of the cybercrime industry as reproducing mainstream capitalist labour divisions.
Affiliates’ participation in cybercrime was also found to be entangled between legal and blackmarket programmes. In short, the affiliates studied did not care about the legality of the programmes they engaged in as long as the programme was profitable. From this finding, we conclude that the individuals studied represent a workforce for both blackmarket and legal PPI services. Moreover, this finding supports the idea that many specialised mini-tasks (Anderson et al. 2019; Moore et al. 2009; Huang et al., 2018), such as affiliates’ tasks aimed at triggering installations of malicious software, can be performed by anyone. In other words, affiliates do not have to develop an “attackers’ mindset” (meaning someone who thinks of the whole criminal scheme to successfully steal bank account credentials) to participate in the cybercrime industry.
This study sheds light on the business experience of affiliates participating in a blackmarket PPI service. It highlights many downsides of cybercrime specialisation, at least for affiliates, and thus contributes to a strand of literature exposing similar findings about the cybercrime industry (Collier et al. 2021; 2020; Anderson et al. 2019; Moore et al. 2009; Sembera et al. 2021). Leveraging these observations, policy recommendations for cybercrime participation prevention, such as developing awareness campaigns that focus on the downsides of the cybercrime industry, are presented in the conclusion section.
In the following text, the literature review is presented in Section 2, followed by the data, methods and contextual information (Section 3). The results of the thematic analysis are presented in Section 4 followed by a discussion and a conclusion (Sections 5 and 6).
The literature review below introduces what is known about the cybercrime industry and various cybercrime “as-a-service” business models that are currently thriving online. Then it goes over the state of the literature on one specific model of interest to this study: pay-per-install (PPI) services. Recent studies on the business experience of individuals involved in various cybercrime tasks are also briefly discussed. This literature review provides a framework for interpreting and understanding the study results, which focus on the people at the bottom end of the value chain of blackmarket PPI services, known as affiliates.
Cybercrime à la carte
In 2013, Manky (2013) argued that cybercrime had become a “big business” with specialised cybercrime syndicates exhibiting strict hierarchical structures with specific roles down the supply chain (p.11). Such a depiction presents stereotypical images of corporate organised crime groups (von Lampe 2008) as applied to cybercrime. This representation, nevertheless, still illustrates quite well a trend that many other researchers have exposed over the past years: the commoditisation of the industry surrounding cybercrime-for-profit. The idea that the cybercrime industry is now characterised by specialisation and professionalisation, with individuals offering à la carte cybercrime services, is quite well established in the cybercrime literature (Grier et al. 2012; Huang et al. 2018; Manky 2013; Sood and Enbody 2013; Thomas et al. 2015; van Wegberg et al. 2018; Hutchings and Holt 2015; and more). Offering cybercrime products and services is possible through the rise of online meeting places, such as open and closed forums, chat rooms and darknet markets (also known as cryptomarkets or anonymous online marketplaces). As summarised by Leukfeldt et al. (2017), these places represent online offender convergence settings that can be used for market (trading of products or services), social (discussing), or learning (sharing skills) purposes. Through them, criminal expertise can be sought, co-offenders can be found, various criminally related products can be bought and sold, and even new skills can be learned (Leukfeldt et al. 2017; Soudijn and Zegers 2012). Such online meeting places have been widely studied in the past, including their social organisations and network structures (Décary-Hétu and Dupont 2012; Holt 2013; Holt and Smirnova 2014; Motoyama et al. 2011; Yip et al. 2013; Leukfeldt 2014), their market offerings (Christin 2013; Soska and Christin 2015), their market dynamics (Holt and Lampke 2010; Paquet-Clouston et al. 2018), how trust is built among participants (Dupont et al. 2016; 2017), and which place is most likely to be sustainable in the long run (Afroz et al. 2013).
Through these online meeting places, various “as-a-service” activities are offered, including the rental of botnets for distributed denial of service (DDoS) attacks (Musotto and Wall 2020) or the creation of generic phishing attacks (Hyslip 2020). To understand cyberattacks through the alignment of various cybercrime services, Huang et al. (2018) developed a framework with 24 hypothetical value chains (i.e., alignments of various services to create a cyberattack). The framework differentiates between primary activities representing the core of a cyberattack (such as attacking services) and supporting activities which help an operation (e.g., obfuscation-as-a-service). Through the alignment of different activities, Huang et al. (2018) argued that individuals can specialise in one skill, commercialise that skill, and cooperate with others to conduct more complex cybercrime-related tasks or cybercrime value chains. Through such coordination, many scholars have argued that productivity and profitability have increased for all actors operating at various levels of the cybercrime supply chain (Lusthaus 2018; Huang et al. 2018; Moore et al. 2009; Thomas et al. 2015).
A striking example of such a profitable and productive model is ransomware-as-a-service. In such a model, a specialised group provides affiliates with the infrastructure and technology to launch ransomware attacks. Given the current prevalence of such threats and their massive impact on today’s economy (Bewer 2016; Oosthoek et al. 2022; Kamil et al. 2022), ransomware-as-a-service has been the focus of several studies (Salvi 2019; Meland et al. 2020; Maurya et al. 2018; Alwashali et al. 2021). For example, Salvi (2019) reviewed the general working of five ransomware-as-a-service kits: Philadelphia, Stampado, Frozr Locker, Satan and Jokeroo. The results highlighted how easily anyone could become an affiliate without any technical knowledge, especially considering the low prices of the ransomware kits provided to affiliates (sometimes below US$50).
On the other hand, Meland et al. (2020) studied ransomware-as-a-service listings in darknet markets over two years and developed a value-chain model to include all actors involved in such activities, from those selling the service to affiliates, victims and money mules. According to the authors, 65% of listings on the darknet were aimed at affiliates who have a good enough level of technical knowledge to purchase the product. Interestingly, the authors also found that the proportion of ransomware-as-a-service advertising and sales on darknet markets was limited compared to other offerings, such as carding. This finding is in accordance with two other studies evaluating trends in “as-a-service” cybercrime listings in cybercrime forums. They both showed that the number and the proportion of “as-a-service” cybercrime listings were limited (van Wegberg et al. 2018; Akyazi et al. 2021). Given the high prevalence of ransomware attacks (Bewer 2016; Oosthoek et al. 2022; Kamil et al. 2022) and continuous observations of “as-a-service” models surrounding this specific cybercrime (Salvi 2019; Maurya et al. 2018; Alwashali et al. 2021), business deals might happen through other channels. Paquet-Clouston et al. (2022), for example, found that there exists a population overlap between public forums on internet marketing and cybercrime forums. Indeed, deals related to cybercrime can take place in open and public forums that are not branded as cybercriminal, especially when the criminal aspect of the deal can easily be concealed, such as in the cases of developing a website or debugging software, as discussed by Leukfeldt et al. (2020) and Bijlenga and Kleemans (2018).
In the end, how cybercrime models develop depends on many factors, such as the complexity of the scheme and who is targeted. Van Wegberg et al. (2017) argued that the most generic schemes, those that target as many users as possible, are most likely to outsource parts of the value chain to the cybercrime industry. A well-established model that focuses on targeting as many users as possible is a blackmarket pay-per-install (PPI) service, which is the cybercrime-as-a-service model the individuals studied were involved in. What is known about such a service in the literature is presented below.
Pay-Per-Install Services (PPI)
PPI models specialise in outsourcing the spread of malicious programmes to affiliates, who themselves then specialise in infection techniques (Caballero et al. 2011; Rossow et al. 2013; Kotzias et al. 2016; Thomas et al. 2016; Kotzias and Caballero 2017). In Manky’s (2013) stereotypical examples of such generic business models (which the author calls “cybercrime syndicates”), PPI models are divided into three layers of actors. First, the executive suites, equivalent to C-level individuals in enterprises, are those who develop the criminal schemes and supervise cybercrime-related activities. Second, the recruiters set up recruitment programmes (PPI or pay-per-click (PPC) services) to attract those at the bottom of the chain of command, the third group of actors, dubbed by the author the infantry. The infantry comprises an army of individuals (the affiliates) who initiate infections of users’ machines through various methods, such as sending infected links or poisoned PDFs. According to the author, it is to efficiently (and automatically) pay for the work of the infantry that comprehensive PPI monetisation models have been developed in the cybercrime industry. Such monetisation services are common in the legal sphere, and their role in the spread of wanted or unwanted programmes has been investigated by various scholars, as discussed below.
PPI services (legal or illegal) act as intermediaries between individuals who want their programmes to be installed on devices and others who can enable these installations through various means (e.g., freeware that offers to install another programme during its installation). The individuals to whom the PPI services outsource the installation of programmes (wanted or unwanted) are known as affiliates (Caballero et al. 2011; Doshi et al. 2010; Kotzias et al. 2016; Kotzias and Caballero 2017; Stevens 2009). Generally, affiliates add advertisements to their programmes (through downloaders provided by the PPI service) and are paid between $0.01 and $2 for every install generated through such advertisements, depending on the geographic location of the install (Kotzias and Caballero 2017, p.1). The impact of PPI services on the user ecosystem is massive: Thomas et al. (2016) explored the ecosystem of legal PPI services using Google Safe Browsing telemetry and found that such services drive over 60 million download attempts, three times the number of malware download attempts.
Kotzias and Caballero (2017) studied the economics behind legal PPI services and concluded that maintaining such services leads to high revenues. However, the authors also noticed that the gap between revenues and net income in all operations indicated that maintaining such operations required large expenses, thus leading to potentially low profit margins (p.2). The authors also illustrated that legal PPI services emerged around 2010–2011 and peaked in revenue in mid-2014. After that, the authors mentioned that various security measures were put in place by security vendors to prevent the installation of potentially unwanted software, thus significantly impacting the market (Kotzias and Caballero 2017).
When PPI services are used to spread malware, they are known as blackmarket PPI services (Thomas et al., 2016), underground PPI services (Kotzias and Caballero 2017), or silent PPI services (Kotzias et al. 2016). The difference between legal PPI services and their blackmarket counterparts is that, for the former, the software is installed with the consent of the user who approves the installation (maybe unwittingly, but still approves) while, for the latter, the software is installed silently, without the user’s knowledge (Kotzias et al. 2016; Kotzias and Caballero 2017; Thomas et al. 2016). In such blackmarket services, the prices paid to affiliates range from $0.10 to $0.18 per install, according to Caballero et al. (2011).
How PPI services that are considered legal are intertwined with their blackmarket counterparts is unclear. For example, Caballero et al. (2011) actively infiltrated PPI programmes and showed how such programmes are responsible (and have a vast potential) for distributing malware. An industry report illustrated that what appeared a priori as a legal PPI service distributed the click-fraud malware Sefnit (Trend Micro 2014). The motto of the legal PPI service studied by Trend Micro was “Monetise on non-buyers”, illustrating the service’s leniency towards cybercrime participation. However, Kotzias et al. (2016) investigated whether legal PPI services distributed malware, or whether malware installed legal PPI bundles to monetise compromised devices, and found only sporadic accounts of such events. The authors concluded, in this case, that legal and blackmarket PPI services were disjoint.
Participating in the Cybercrime Industry
All in all, extant literature has investigated PPI services, understanding how they operate (Caballero et al. 2011; Rossow et al. 2013), investigating their prevalence and impact on end-users (Kotzias et al. 2016; Thomas et al. 2016), or conducting economic analyses of their operations (Kotzias and Caballero 2017). Several industry reports have also discussed the business model (Doshi et al. 2010; Trend Micro 2014; Stevens 2009). However, little is known about the motivations and challenges of those involved in such generic business models, especially those at the bottom of the value chain: the affiliates, or the infantry, as Manky (2013) calls them. Why would one engage in such work?
The quick answer that comes to mind is money. However, “whether cybercrime pays” is a topic of debate nowadays. Several studies have highlighted the potentially large profits that cybercrime activities may entail in stolen data markets (Holt et al. 2016), traditional ransomware operations (prior to ransomware-as-a-service) (Huang et al. 2018; Paquet-Clouston, Haslhofer, et al. 2019), or sextortion spam campaigns (Paquet-Clouston, Romiti, et al. 2019). Others have, however, highlighted rather small earnings for specific forms of cybercrime participation, such as maintaining an automatic obfuscation-as-a-service platform for Android malware (Sembera et al. 2021) or being involved in specific cybercrime-supporting infrastructures such as managing servers (Collier et al. 2020; 2021). These small earnings are attributed to specialisation trends in the cybercrime industry, which have created a volume industry focused on heavy production for meagre profit (Anderson et al. 2019; Moore et al. 2009).
Additionally, Collier et al. (2020; 2021) highlighted an interesting reality that emerged due to such cybercrime specialisation. The authors investigated the role of shared purpose-built illicit infrastructures and the hidden work performed by those behind them. Shared purpose-built illicit infrastructures are infrastructures that allow various “as-a-service” models to thrive in the cybercrime industry (e.g., maintaining the infrastructure behind botnet-as-a-service or ensuring that an underground forum stays online). These studies illustrated that the work performed by those behind such infrastructures is tedious, boring, and rote. From their findings, the authors argued that the majority of jobs now available in the cybercrime industry are jobs of infrastructure maintenance and that those performing them are low-paid workers. They concluded that cybercrime market participation is not only boring, but also brings little revenue, revealing a completely different narrative from the contemporary one that cybercrime is highly profitable (Holt et al. 2016; Huang et al. 2018; Paquet-Clouston, Haslhofer, et al. 2019; Paquet-Clouston, Romiti, et al. 2019). Hence, according to the authors, the work conditions in these economies have started to reproduce the divisions of labour, cultural tensions and conditions of alienation found in mainstream capitalist economies (Collier et al. 2021, p.1,408). PPI business models, which pay affiliates for each successful install, recall such capitalist labour division: workers at the bottom of the value chain are paid only for the successful work they achieve.
Yet we, as cybercrime scholars, know little about this mass of individuals, the affiliates, contributing to cybercrime. To provide a first understanding, this case study offers a qualitative assessment of private conversations of affiliates spreading Android banking Trojan applications. Hopefully, this assessment, coupled with other studies on the topic, can help shape better policies to discourage affiliate participation in such cybercrime business models.
Methods and Data
This section focuses on the methods and data of the case study. It starts by presenting contextual information surrounding the private conversations, followed by specific information on the dataset. Explanations on the data analysis process are also outlined, along with how we linked the private chat log with a blackmarket PPI service. Finally, to facilitate the presentation of the results, we assigned roles to individuals in the private chat log, and thus each role is explained below, along with ethical considerations related to the study.
Private Chat Log
Veronica Valeros from the Stratosphere Laboratory discovered the private chat log on the VirusTotal platform. VirusTotal is a “free service that analyses files and URLs for viruses, worms, Trojans and other kinds of malicious content” (VirusTotal n.d.). Anyone can submit a file to VirusTotal for inspection through a public web interface. The files submitted are then available to account holders, and VirusTotal’s Terms of Service state that a file submitted to the service should be considered public. For these reasons, the chat log is treated as a public file, although in practice it is accessible only to those who have a paid account with the company.
More precisely, the private chat log contained 32 one-to-one conversations between one individual and 31 of his business partners, adding up to 6,249 messages over 11 months. The conversations were in Russian and 90% of them were translated by Anna Shirokova, a Russian-speaking researcher who participated in Garcia et al. (2019). The remaining 10% were translated using the Google Translate application online. All conversations were related to business: there were no intimate or personal conversations.
Each conversation contained a flow of messages between the main individual and another business partner. For each message, the specific time and date were available along with the sender’s and the recipient’s usernames, the content of the message in Russian, and its translated version. The first message was sent on June 11th, 2017, and the last message was sent on April 17th, 2018. The log thus spans 11 months, or 310 days. However, over 95% of the conversations took place during nine months, from September 2017 to April 2018. Figure 1 shows the number of messages exchanged in the chat log for these nine months, with November and December 2017 being the months with the highest number of messages exchanged.
In terms of message frequency, of the 32 one-to-one conversations, 12 contained a single message and 9 fewer than 20 messages; 5 included between 20 and 100 messages; 4 between 100 and 400 messages; and 2 more than 1,000 messages. These last two conversations represent the core of the dataset.
Figure 1 Private Chat Log Frequency of Messages Sent per Month
Inductive Thematic Analysis
Affiliates represent a mass of workers at the bottom of the specialisation chain and understanding why and how these individuals participate in blackmarket PPI services can inform policies on the prevention of cybercrime participation. We derived our research question from the study’s objective, which was to depict the motivations and challenges of the affiliates in the private chat log. Hence, the research question that led the data analysis was: “What are the motivations and challenges of these individuals?” Given this question, we conducted an inductive thematic analysis as described below.
Thematic analysis is a method to identify, analyse, and report themes representing meaning from text data (Braun and Clarke 2006, p.79). To do so, the NVivo qualitative data analysis software (NVivo n.d.) was used for the coding process, and each conversation was broken down into narrative units representing themes, dubbed “nodes” in NVivo. The inductive approach allowed us to keep an open mind as much as possible: no theme or preliminary codes were predetermined prior to the start of the analysis. Instead, new themes were created and modified as the conversations were analysed. Due to the complexity of the terms used and the difficulty in understanding some of the translated content, each conversation was read and analysed at least three times. Each time, new meaning was extracted as the flow was better understood. A summary of each conversation was also recorded in the memo area of the software to facilitate remembering the whole flow of the conversation.
Once all messages were coded, a transversal analysis of the sub-themes that emerged in each conversation was conducted. The sub-themes were merged into four themes that best encompassed all sub-themes and topics uncovered. Throughout the results, each theme found is supported with paraphrases from the conversations.
Link between the Private Chat Log and the Blackmarket PPI Service
The private chat log can be linked with certainty to malicious activities because it contained key information related to an Android banking Trojan botnet that infected nearly 800,000 Russian phones and had access to millions of euros. Messages in the chat log included passwords, IP addresses and internal URLs used by the Command and Control (C&C) servers of the Android botnet. The detailed technical analysis of the botnet has already been published in Garcia et al. (2019).
The conversations in the private chat log showed that three individuals made many attempts to generate and install malicious applications on victims’ phones and then connected to the botnet’s C&C web server to track payments for each installation. These three individuals were thus affiliates of a blackmarket PPI service: they were paid for each malicious application installed on a phone. We do not know, however, how the individuals in the conversations ended up as part of such a service, since the conversations focused mainly on their daily tasks. These daily tasks revolved around creating Android portal websites advertising what appeared to be legitimate applications but were in fact malicious.
Assigning Roles to Private Chat Log Participants
To facilitate the presentation of the results, we assigned roles to individuals participating in the conversations. First, the main individual in the chat log is given the role of an entrepreneur and is called the “Main Entrepreneur” throughout the manuscript: “main” because he is the one participating in all one-to-one conversations and “entrepreneur” because of the way he developed his business. Such business centred around hiring individuals to develop Android portal websites that were then used in the blackmarket PPI service. Baumol (1996) defines entrepreneurs as individuals who are ingenious and creative and find ways to create wealth, power, and prestige. When focused on innovation and productive activities, entrepreneurs benefit societies by creating wealth. However, entrepreneurship can also be destructive, especially when the entrepreneurs focus on rent-seeking at all costs and engage in tax evasion or unproductive activities to do so (Baumol 1996). The main individual is therefore given the role of entrepreneur, as defined by Baumol (1996), because of his ingenuity in creating wealth (websites) by leveraging the expertise of other workers. However, these websites are destructive because they contribute to cybercrime by advertising malicious applications.
The other individuals in the private chat log are considered the business partners of the Main Entrepreneur. We assigned seven roles to individuals participating in the most active conversations, which are the 11 conversations that have more than 20 messages, encompassing 6,134 of the 6,249 messages (98.2%). The conversations with fewer than 20 messages were not considered for role assignment since they did not contain enough information. These seven roles, presented in Table 1, were assigned to the 11 business partners.
Table 1 Roles for the Business Partners, Created from the Private Chat Log
Name of Role | Description of Role
Website Master | Individual involved in developing websites and taking various strategies to promote them for monetisation
Developer | Individual developing websites
PPI Representative | Individual managing PPI services
Text Writer | Individual writing text for better website visibility
Incident Responder | Individual cleaning servers when infected with malware
Money Exchange Professional | Individual specialising in money exchanges
SEO Professional | Individual providing services for better website visibility
In short, two business partners in the private chat log were website masters (Website Master 1 and Website Master 2). Like the Main Entrepreneur, they created websites for rent-seeking purposes, and they discussed various aspects of the business with him. Website Master 1 also worked in close collaboration with the Main Entrepreneur.
Two other business partners were developers (Developer 1 and Developer 2): individuals hired to develop websites on behalf of the Main Entrepreneur. Two additional business partners were identified as PPI representatives (PPI Representative 1 and PPI Representative 2). PPI representatives discussed various PPI programmes with the Main Entrepreneur: either they tried to recruit him into a programme, or he sought them out for business opportunities.
One business partner was tagged as a text writer. He was hired to write texts on the Main Entrepreneur’s websites. Texts relevant to the website’s topic can lead to higher visibility on search engines like Google or Yandex. Two incident responders were also identified in the private chat log (Incident Responder 1 and Incident Responder 2). They were hired to fix the Main Entrepreneur’s server, which was hacked at one point in the conversations.
There was one money exchange professional. He was contacted by the Main Entrepreneur to exchange money from one currency to another. Lastly, there was one search engine optimisation (SEO) professional, who was paid to improve the visibility of the Main Entrepreneur’s websites through various SEO tactics, such as click redirections.
A summary of the aliases (which denote roles) is presented in Table 2, with the number of messages exchanged between each business partner and the Main Entrepreneur, the first and last dates of interaction, and the number of conversations.
Table 2 Business Partners related to the Main Entrepreneur
Role in chatlog (the message counts, first and last dates of interaction and conversation counts of the original table are not reproduced here)
Website Master 1
Website Master 2
PPI Rep. 1
PPI Rep. 2
Incident Responder 1
Incident Responder 2
As shown in Table 2, Website Master 1 (conducting business similar to that of the Main Entrepreneur) and Developer 1 (hired to develop the Main Entrepreneur’s websites) were the two individuals who exchanged the most messages with the Main Entrepreneur. Moreover, information about the botnet was shared among these three individuals. With a high degree of certainty, the Main Entrepreneur, Website Master 1 and Developer 1 were therefore involved in cybercrime: they are the affiliates participating in the blackmarket PPI service related to the botnet. The other individuals were subcontractors doing short-term work for the Main Entrepreneur.
This research has been approved by Simon Fraser University (former affiliation of the lead author) and University of Montreal (current affiliation of the lead author) ethics departments under minimal risks. The research required asking for a waiver of consent in line with the Tri-Council Policy Statement (TCPS2) of the Canadian Panel on Research Ethics. There are ethical issues regarding the research that need to be acknowledged (Thomas et al. 2017). In terms of potential harms, studying these individuals can lead to marginalising them. To minimise this, we ensure participants’ confidentiality and privacy by not displaying the pseudonyms of the research participants found in the chat log file. We paraphrase their statements (rather than giving the exact quotation) to ensure that a quotation could not be easily linked to an individual in the chat log through automatic text search. Moreover, we anonymised the gender of the individuals by always referring to them as male. In terms of benefits, the research leads to a better understanding of the motivations and challenges of affiliates who participate in “as-a-service” cybercrime business models. It also illustrates many downsides of work specialisation emerging from the cybercrime industry and provides policy recommendations aimed at cybercrime participation prevention.
According to the private conversations, the Main Entrepreneur developed websites advertised as repositories for Android applications (i.e., Android portals). The Main Entrepreneur tried to make money out of these websites by participating in various PPI services that paid for downloads of Android applications. Depending on the programme’s conditions, he could be paid, for example, for an application being installed on a phone through his website or, once installed, for every user clicking on advertising banners inside the application. To attract users to his Android portals and get them to download the advertised applications, the Main Entrepreneur pursued various strategies, from dealing with search engine optimisation firms to hiring individuals to produce content or paying third parties to display links pointing back to his websites (known as “buying links”).
During the period of study, the Main Entrepreneur was participating in the blackmarket PPI service, so the applications available on his websites (and on the websites owned by Website Master 1) looked benign to the casual user, like a gaming application, while in fact they were banking Trojan applications. Through the inductive thematic analysis, we created four overarching themes which depict the motivations and challenges of the individuals studied. The themes are: 1) facing a hostile business environment, 2) amateur work, 3) being lenient towards criminality and 4) seeking money and economic independence.
Facing a Hostile Business Environment
The first theme, “facing a hostile business environment”, means that the economic conditions surrounding the business were inauspicious. It includes two subthemes: 1) ephemeral and unreliable business partners, and 2) declining business prospects and unstable payments.
Ephemeral and Unreliable Business Partners
The business partners of the Main Entrepreneur were often unreliable, a pattern that seemed to be shared within the business context. For example, the Main Entrepreneur mentioned “I can’t launch new sites, the programmer disappeared” (Main Entrepreneur, October 2017) to Website Master 1. Then, Website Master 1 replied “I need to write to mine, he did not get in touch for a week” (Website Master 1, October 2017), adding, “Same story, and the programmer keeps disappearing all the time” (Website Master 1, October 2017). From these conversations, a long discussion ensued about how unreliable programmers are in the business, with the Main Entrepreneur mentioning “Well probably he was writing code in his head” (Main Entrepreneur, October 2017) when referring to files that had not been changed for a couple of days.
In another example, the Main Entrepreneur referred a trusted contact to PPI Representative 2, who then mentioned that the referred contact “[…] just wrote to me and then disappeared” (PPI Representative 2, November 2017). Similarly, Developer 1, who was hired by the Main Entrepreneur, often stopped working for no apparent reason, mentioning, for example “If I could understand what is going on, I would have told you. But now I’m saying I am working, but in fact I don’t. I am getting demotivated and do not want to do anything” (Developer 1, October 2017) or “Hi! I again stopped working on our business” (Developer 1, October 2017). These statements show how little motivation Developer 1 had to do the work. Following such conversations, Developer 1 sporadically worked until early January 2018, when he mentioned in a conversation “Yes, I decided to work, I made one edit, went to the second one, went to the [name] website, sat on the thought, analysed it. And I think that I will probably refuse the rest of the work” (Developer 1, January 2018).
Due to the recurrent problems with Developer 1, the Main Entrepreneur hired someone else who promised to complete the work quickly. Yet, when the Main Entrepreneur asked for an update, the person answered “I have a lot of work on the current active orders, urgent corrections, I don’t have time” (Developer 2, October 2017). The Main Entrepreneur replied that he would wait, yet the conversation stopped. This situation was mentioned by the Main Entrepreneur in another conversation “[…] I found one (programmer). He did something for 2 days and then disappeared” (Main Entrepreneur, October 2017). These examples are not unique but rather scattered throughout the conversations. They illustrate how ephemeral the business relationships are, with individuals frequently changing their minds about the idea of working together.
Declining Business Prospects and Unstable Payments
The conversations also illustrated that the business was somewhat saturated, not as good as “Back in the day” (Main Entrepreneur, April 2018). For example, when looking for business opportunities, the Main Entrepreneur mentioned he wished he could monetise “SMS as in good old times” (Main Entrepreneur, April 2018), to which Website Master 1 replied “There is nothing like this now (smiley)” (Website Master 1, April 2018). In this case, the Main Entrepreneur was most likely referring to SMS monetisation programmes in which affiliates were paid for texts (fraudulently or not) sent to a specific number. When talking to another business partner, the Main Entrepreneur also mentioned “Conversion rate is not very good” (Main Entrepreneur, November 2017) and “Installations are very cheap now” (Main Entrepreneur, February 2018).
The instability and unreliability of PPI programmes were also often mentioned in the discussions. For example, the Main Entrepreneur said “I have no doubt in you (smiley face), but billing and operators are not reliable” (Main Entrepreneur, August 2017) to someone who hoped that the current business would last. Similarly, Website Master 1 said “Well, nothing you can do. You should always be prepared. This business is not stable” (Website Master 1, October 2017), meaning that one has to be always prepared for months without income. Likewise, when the Main Entrepreneur asked an affiliate marketer about a programme, the latter replied “Not yet, the monetisation is not stable” (PPI Representative 1, November 2017), adding that “not every operator is working right now” (PPI Representative 1).
Payments from the blackmarket PPI service were also unreliable. Throughout the conversations, they were often postponed. The Main Entrepreneur was the middleman between Website Master 1 and those behind the blackmarket PPI service related to the botnet: he was the one transferring money for successful installations to Website Master 1 on their behalf. Questions raised by Website Master 1 as to when payments would be made were frequent, such as “Any news about the money?” (Website Master 1, November 2017) or “They will not give the money yet?” (Website Master 1, December 2017) or “Did they send it [money]?” (Website Master 1, March 2018). Most of the time, the Main Entrepreneur mentioned that payments were delayed, and eventually the conversations showed that the payments had been made. Website Master 1 had to be patient: he had to wait for those behind the programme to pay, but also for the Main Entrepreneur to transfer the money. The Main Entrepreneur was also unreliable, often paying Website Master 1 late and apologising for it: “Hi, I'm sorry that I have not yet transferred, I was detained [for work] until Sunday, I will immediately transfer two payments.” (Main Entrepreneur, February 2018).
The business was so ephemeral that, by the end of the period of study, the programme that the Main Entrepreneur had been involved in over the past months had vanished. He thus again asked PPI Representative 1 for business opportunities, mentioning he was just “Jumping around, looking for something stable” (Main Entrepreneur, March 2018).
Based on these subthemes, the business environment in which these individuals operated was hostile or, in other words, unpleasant and difficult. No conversation indicated otherwise: none of the business relationships that had developed, either with business partners or with PPI programmes, seemed to be fulfilling or efficient. The prospect of making decent money seemed low. This, coupled with the amateur status presented below, illustrated a rather challenging business experience for these individuals.
Amateur Work
For the business to be successful, websites have to attract visitors and entice them to download Android applications. To do so, a lot of work must be completed, from website design to content production and visibility. For these reasons, the Main Entrepreneur and his subcontractors spent a lot of time trying to develop decently performing websites. Based on the discussions surrounding website development and the various difficulties faced, the second theme, amateur work, was created. This theme includes the subthemes 1) lacking technical skills, and 2) working with defective tools, illustrating that the difficulties faced were not resolved by professionals but rather by amateurs. A server hack incident further corroborated this finding.
Lacking Technical Skills
Often, when facing technical difficulties, the Main Entrepreneur and his business partners lacked the skills to resolve them as efficiently as professionals would. The discussions were filled with messages that illustrated this, such as “I am saying I don’t know how to split the traffic” (Main Entrepreneur, November 2017) or “I cannot understand how to get files from the cache folder” (Main Entrepreneur, December 2017) and even “I do not know how to make [use?] the API” (Main Entrepreneur, December 2017). Similarly, Website Master 1 mentioned “I'm not a super programmer either” (Website Master 1, December 2017) and “I am not a programmer, I know my files” (Website Master 1, December 2017). Yet some programming skills would be useful for individuals developing Android portals.
Moreover, Developer 1 spent a lot of time trying to figure out how to make the websites efficient for search engine optimisation purposes; there were hundreds of interactions between Developer 1 and the Main Entrepreneur in which they tried to figure out how to set up various techniques to optimise their websites. Yet the end results were not as expected, as Developer 1 mentioned “Our sites are not high-quality, they will not last long” (Developer 1, December 2017). The Main Entrepreneur tried to convince Developer 1 to continue, arguing “Let's make a couple of sites, modify the rest and if it doesn’t work in a couple of months, we’ll give up or sell” (Main Entrepreneur, January 2018).
Working with Defective Tools
The tools used and developed for the business were also flawed and required constant maintenance. For example, hundreds of conversations were focused on fixing a tool called “a parser” that crawls other Android websites to automatically fill the Main Entrepreneur’s website with new content. Yet the tool worked badly and was often broken, with the Main Entrepreneur asking Developer 1 to look at it “Can you check parser for [website domain name]? It does not parse many categories” (Main Entrepreneur, November 2017) or “Parser does not work” (Main Entrepreneur, November 2017) or “Hi, fix the parsers as you can, otherwise it’s not good […] (smiley)” (Main Entrepreneur, March 2018). It was unclear why the “parser” was always broken, but it was clear that they were having problems, with many messages aimed at fixing it. Some malicious applications that the Main Entrepreneur advertised on his website for monetisation were also flawed, as he mentioned “Before the application was getting flagged and did not bring a good conversion rate” (Main Entrepreneur, October 2017).
During the period of study, the Main Entrepreneur’s server was attacked, requiring him to shut down his entire operation and hire someone to clean the server. He mentioned when hiring the individual “I need to clean up the server and websites from malicious code and programmes” (Main Entrepreneur, November 2017). The incident happened, according to the Main Entrepreneur, because he allowed a friend to host a website on his server and that friend shared the server’s password publicly. Consequently, the server was hacked and leveraged to send spam and junk links by random fraudsters. The Main Entrepreneur thus had to hire someone to help him clean the server. The incident responder worked tirelessly, and the job took much more time than expected. As the conversation went on, it became clear that the way the Main Entrepreneur’s server was set up was unprofessional. Incident Responder 1 mentioned “[…] Now you have all sites on one server user, you need to create a separate user for each site. Also, each database from the site must be under its own user […]” (Incident Responder 1, November 2017) and then stated “I went to sleep, your sites exhausted me” (Incident Responder 1, November 2017). The point matters for cleanup as much as for prevention: when every site runs under the same system user, code planted in any one site can read and rewrite the files of all the others, so cleaning a single site does not stop it from being reinfected by its neighbours.
Three days later, one of the Main Entrepreneur’s websites was attacked again, so he restored the backup files, yet the website was still infected. Not knowing what to do, the Main Entrepreneur again asked the incident responder for help. The incident responder looked at the setup and noticed, again, unsafe settings. He mentioned “In order for the protection to be effective, as well as to prevent reinfection, you need to set secure PHP settings […]” (Incident Responder 1, December 2017) and “Now what needs to be done is to restore the site from a clean backup, re-update and set the settings” (Incident Responder 1, December 2017). This server incident showed that the Main Entrepreneur might not have been aware of good security measures and practices for the business he was involved in. Before the attack, Incident Responder 2 had also briefly helped the Main Entrepreneur with what seemed like common server issues, such as: “Well this is an error that means the server does not have the file”.
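As an added illustration (not code from the paper or from the chat log), the following Python script audits the two points Incident Responder 1 raised: whether several sites share one system or database user, and whether a php.ini fragment is hardened. The site inventory and both php.ini fragments are constructed for the example, and the specific PHP directives it checks (expose_php, display_errors, allow_url_fopen, allow_url_include, disable_functions, open_basedir) are this example's assumption about what “secure PHP settings” means, since the chat does not name them.

```python
"""Audit a shared hosting layout for the two fixes the incident responder asked
for: a separate system and database user per site, and hardened PHP settings.
Added example: the inventory and php.ini fragments are constructed, and the set
of PHP directives treated as "secure settings" is this example's assumption."""
from collections import defaultdict

# Constructed inventory mirroring "all sites on one server user".
SITES = {
    "portal-a.example": {"sys_user": "www", "db_user": "www"},
    "portal-b.example": {"sys_user": "www", "db_user": "www"},
    "portal-c.example": {"sys_user": "site_c", "db_user": "db_c"},
}

# Constructed php.ini fragment with permissive settings.
PHP_INI_WEAK = """
[PHP]
; permissive defaults
expose_php = On
display_errors = On
allow_url_fopen = On
allow_url_include = Off
disable_functions =
open_basedir =
"""

# The same fragment after hardening.
PHP_INI_HARDENED = """
[PHP]
expose_php = Off
display_errors = Off
allow_url_fopen = Off
allow_url_include = Off
disable_functions = exec,shell_exec,system,passthru,popen,proc_open
open_basedir = /var/www/portal-c.example:/tmp
"""

# Assumed hardening baseline. PHP's compiled-in default for each directive is
# recorded so that an absent directive is judged by what PHP would actually use.
WANT_OFF = {"expose_php": "On", "display_errors": "On",
            "allow_url_fopen": "On", "allow_url_include": "Off"}
WANT_DISABLED = {"exec", "shell_exec", "system", "passthru", "popen", "proc_open"}


def shared_accounts(sites):
    """Return {kind: {account: [sites]}} for accounts reused by more than one site."""
    by_kind = {"sys_user": defaultdict(list), "db_user": defaultdict(list)}
    for site, accts in sites.items():
        for kind, users in by_kind.items():
            users[accts[kind]].append(site)
    return {kind: {u: sorted(s) for u, s in users.items() if len(s) > 1}
            for kind, users in by_kind.items()}


def parse_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ignoring ';' comments and [sections]."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip().strip('"')
    return conf


def is_on(value):
    return value.strip().lower() in {"on", "1", "true", "yes"}


def audit_php_ini(text):
    """Return the list of directives that still deviate from the hardening baseline."""
    conf = parse_ini(text)
    findings = []
    for directive, default in WANT_OFF.items():
        if is_on(conf.get(directive, default)):
            findings.append(f"{directive} should be Off")
    disabled = {f.strip() for f in conf.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(WANT_DISABLED - disabled)
    if missing:
        findings.append("disable_functions should include " + ",".join(missing))
    if not conf.get("open_basedir"):
        findings.append("open_basedir should confine each site to its own document root")
    return findings


if __name__ == "__main__":
    for kind, reused in shared_accounts(SITES).items():
        for user, sites in reused.items():
            print(f"{kind} {user!r} shared by {', '.join(sites)}")
    for label, ini in (("weak", PHP_INI_WEAK), ("hardened", PHP_INI_HARDENED)):
        print(label, audit_php_ini(ini) or "OK")
```

Run against the weak fragment, the audit lists every directive that still has to change; against the hardened one it returns an empty list. The per-site user check is the cheaper of the two to automate and the one that most directly explains the reinfection three days later.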
Overall, the core group of individuals in the private chat log (Main Entrepreneur, Website Master 1 and Developer 1) seemed to lack the required knowledge to conduct their business professionally and efficiently.
Being Lenient towards Criminality
That some of these individuals were involved in criminality was not obvious throughout the conversations, apart from the technical information shared about the botnet. No one talked about spreading banking Trojans, attacking, or contributing to a botnet. Instead, there were hints that at least the Main Entrepreneur and his two closest business partners were aware that the applications were malicious. Such interactions were grouped in the third theme, being lenient towards criminality, including the subthemes 1) shady activities and 2) fighting security measures.
Shady Activities
The Main Entrepreneur and his two closest business partners were aware that they were manipulating malicious applications. For example, when talking about the malicious applications, the Main Entrepreneur said “I see the dangerous file” (Main Entrepreneur, November 2017). The Main Entrepreneur also talked with Website Master 1 and Developer 1 about an antivirus company blocking the malicious application and developed tactics to “clean” the file (also called “crypting”: packing or obfuscating the file so that antivirus engines no longer recognise it).
Other messages indicated lenient attitudes towards malicious or shady activities by individuals in the chat log. For example, in a conversation about the potential profitability of a programme, PPI Representative 2 mentioned “Conversion rate is different, but there is no guarantee that total sum will be better than from legal” (PPI Representative 2, November 2017) to the Main Entrepreneur, thus making a distinction between legal and non-legal business opportunities. In another conversation, the Main Entrepreneur asked the Money Exchange Professional to be, most likely, a money mule: “Hi, are you here? I have a proposal for you. Are you interested in these sorts of deals, you give cash, and the customer will transfer money to a bank account + 7%?” (Main Entrepreneur, January 2018). The offer was refused, yet the conversation between the two continued, as the Main Entrepreneur acted as a middleman for a group that needed to transfer large amounts of money. Based on the conversation, the Money Exchange Professional asked for a percentage fee (between 10% and 15%) for every exchange, while the Main Entrepreneur asked, on behalf of another group, for cash transfers to accounts in China or Bitcoin transfers. The conversation between them did not indicate whether the deals discussed took place, as there was disagreement about the percentage fees. Given the percentage fees and the transfer methods, there was little doubt, from a reader’s perspective, that the money exchanged came from illicit proceeds.
Fighting Security Measures
The Main Entrepreneur’s websites were also often banned by the Google or Yandex search engines, illustrating that the activities he was involved in may be considered suspicious from the point of view of legitimate search engine companies. However, whether they were banned because of the way the Main Entrepreneur attempted to gain website visibility, such as by purchasing links or running search engine optimisation (SEO) campaigns, or because some of the applications hosted on the websites were malicious, was unclear. For example, when talking about his websites in Fall 2017, the Main Entrepreneur mentioned “Damn it my tags were not removed yet” (Main Entrepreneur, October 2017), meaning that some websites were still blocked by the Google or Yandex search engines. While talking to Website Master 1, the Main Entrepreneur said “I still have tags on mine” (Main Entrepreneur, October 2017), to which Website Master 1 answered “Well Yandex can keep them for a long time” (Website Master 1, October 2017). These bans seemed to be recurrent: even in March 2018, when the Main Entrepreneur talked about the number of installations he had succeeded with, he mentioned 200 installations and then said “With Yandex browser [and no ban], would be 40% more, but alas” (Main Entrepreneur, March 2018). Note that this statement indicates that Yandex’s blocking mechanisms reduced their revenue significantly.
Moreover, applications were “cleaned” by being “crypted”, meaning that they were obfuscated to avoid detection by antivirus engines. The Main Entrepreneur took several steps to “clean” the malicious applications that were on his websites, as they were constantly flagged by antivirus engines as malicious, which prevented the installation of the application on users’ devices. Such work seemed to be repetitive and relentless, as shown in the conversation below between the Main Entrepreneur and Website Master 1:
“20:49 – Main Entrepreneur: [file name] the file, right?
20:50 – Website Master 1: Yes
20:51 – Main Entrepreneur: Try to re-crypt. and install.
21:17 – Website Master 1: Done
21:26 – Main Entrepreneur: And again, change file. Re-deploy.
21:49 – Website Master 1: Re-deployed”
Within an hour, the Main Entrepreneur and Website Master 1 had to change the malicious application file on their websites because it had been detected. Such conversations between the Main Entrepreneur and Website Master 1 were recurrent from October to December 2017: they constantly needed to re-crypt and re-deploy new malicious applications once the previous ones had been detected by antivirus engines. Such relentless and repetitive work was highlighted again when the Main Entrepreneur was trying to convince Website Master 2 to spread malicious applications and Website Master 2 answered “Too much to deal with” (Website Master 2, October 2017). These findings raise the question: why were they involved in such work?
Seeking Money and Economic Independence
The fourth theme captured their motivation, which was seeking money and economic independence. However, whether such a motivation was fulfilled is doubtful: the estimated potential revenue is much lower than the expected revenue, as presented in the following subsection.
These individuals were involved in the business for money, as seen in messages such as “Hi, it's time to work. The year has begun. Need to earn money this year” (Main Entrepreneur, January 2018) or “Hi, maybe we can still do what we agreed on? A few websites would be enough for the beginning. And it is not that much to do. At the end of the month when we finish, I will get a good payment” (Main Entrepreneur, October 2017). Distributing malicious applications seemed to represent an opportunity that could satisfy the Main Entrepreneur’s motivations. When Developer 1 did not want to work, the Main Entrepreneur was willing to pay double to motivate him: “I will pay you double” (Main Entrepreneur, October 2017), illustrating that the opportunity may have been lucrative enough to justify doubling the developer’s pay. When the Main Entrepreneur talked to Website Master 2 about an opportunity to distribute such applications and Website Master 2 refused, the Main Entrepreneur replied “Why don’t you want to send this traffic? it is more profitable!” (Main Entrepreneur, October 2017). Thus, there seemed to be a premium in spreading malicious applications.
The idea of economic independence, of not working for someone else (such as a boss), was also mentioned by the Main Entrepreneur and Developer 1. In their conversation, the Main Entrepreneur tried to convince Developer 1 to continue the work he had started, motivating him with the idea of not working for someone else (as opposed to short-term contracts that Developer 1 did for the Main Entrepreneur). For example, the Main Entrepreneur mentioned:
“[…] Look at all the pros and cons. The motivation we have is not working for another boss (not to work for someone else). At the end of the month, I will pay you a good amount of money. Also, a motivation. Honestly, let’s do it, create a few websites and that’s it, then you can relax, and the rest of the work would be on me. Please understand it is important. And it’s not an option to look for another programmer” (Main Entrepreneur, October 2017).
As Developer 1 stopped working, being discouraged, the Main Entrepreneur tried to motivate him, mentioning:
“Ok, it doesn’t go this way. You need to pull yourself together and work. Otherwise, we will continue to work for someone else. And make money for other people. Seriously, you need to gather your strength and start to work, moreover I already started buying links for our domains” (Main entrepreneur, October 2017).
In this statement, the Main Entrepreneur again mentioned a wish to stop working for someone else. Yet Developer 1 was discouraged by the business, which seemed to yield little profit and did not provide him with the recurrent income he was expecting: “The fact is, I already did several times some stuff for passive income, and then did nothing. And passive income is gone” (Developer 1, November 2017) and “Yes, I don’t see any prospects, I realised that I was led by the fact that others make good money […]” (Developer 1, January 2018). Passive income refers to developing a business that would pay regularly afterwards with little effort. In the latter statement, Developer 1 mentioned that he was led by the idea that others were making good money, thinking that he could achieve such economic independence as well.
Not as Much as Expected
The conversation between the Main Entrepreneur and Website Master 1 yielded insights into the potential revenue that can be achieved by a website master when participating in a blackmarket PPI service. This is because Website Master 1 distributed malicious applications on his own websites (just like the Main Entrepreneur) and, for every successful installation, the Main Entrepreneur transferred money to Website Master 1 on behalf of those behind the service.
We estimated the potential revenues of such a business by considering every time the Main Entrepreneur sent money to Website Master 1 with mentions such as “Money was transferred” for “[number] of installs”. For example, the Main Entrepreneur once said: “Transfer for 200 [installations], check it please” (Main Entrepreneur, November 2017), to which Website Master 1 replied “How much is this one now?” (Website Master 1, November 2017) and the Main Entrepreneur answered “Four thousand, with commissions 3700” (Main Entrepreneur, November 2017). The conversations indicated that Website Master 1 was paid 18.5 rubles (3,700 rubles / 200 installed applications) per malicious application installed. The commission fees were transfer fees charged by QIWI, an online payment service widely used in Russia. Another example would be “Hi, 9k transferred check” followed by “For 500” (Main Entrepreneur, January 2018), which meant that, in this case, Website Master 1 had been paid 18 rubles per malicious application installed on his behalf.
The potential revenue of Website Master 1 was thus calculated by considering all payment mentions like those presented above. When only the number of installations was mentioned, the latest price per application (in the conversation) was considered, which ranged between 17 and 20 rubles. Transferred payments found in the conversation are presented in Table 3, along with the date.
Table 3 Payments transferred to Website Master 1, with date and ruble price per application (table body not reproduced here)
Website Master 1 thus made an estimated potential revenue of 125,840 rubles, or around US$2,157, over 139 days (from October 2017 to February 2018) for 6,827 devices installing the malicious application related to the botnet. This represented 6,827 potential victims over about five months. Whether such an amount was substantial depends on one’s perspective. Yet this revenue may not be what these individuals were expecting: when the Main Entrepreneur was talking about other opportunities that could pay, he mentioned that “Movie sites can collect 20 thousand [rubles] per day” (Main Entrepreneur, November 2017). Over the 139 days of operation investigated above, this would have represented a revenue of 2,780,000 rubles (around US$47,660), more than 22 times what Website Master 1 made with the malicious applications. It shows a great disconnect between their expectations and their actual earnings.
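To make the estimation method above reproducible, the following Python script (an added example, not the paper’s own code) parses payment mentions of the kind paraphrased above from a constructed chat log, derives the per-install price where a record states both the net amount (after QIWI commissions) and the install count, and, as the paper does, values records that only mention an install count at the latest known per-install price. The message texts, the speaker labels ME and WM1, and the phrasing rules the regular expressions encode are this example’s own constructions and assumptions.

```python
"""Estimate a website master's PPI revenue from payment mentions in a chat log,
following the paper's rule: use the net amount when stated, otherwise price the
installs at the latest known per-install price. Added example; the messages are
constructed to mimic the paraphrased quotes and the phrasing rules are assumptions."""
import re
from dataclasses import dataclass

# (date, speaker, text) in chronological order; ME = Main Entrepreneur,
# WM1 = Website Master 1. Constructed, not taken from the real log.
MESSAGES = [
    ("2017-11-10", "ME", "Transfer for 200, check it please"),
    ("2017-11-10", "WM1", "How much is this one now?"),
    ("2017-11-10", "ME", "Four thousand, with commissions 3700"),
    ("2018-01-15", "ME", "Hi, 9k transferred check"),
    ("2018-01-15", "ME", "For 500"),
    ("2018-02-05", "ME", "Transferred for 300"),
]

INSTALLS_RE = re.compile(r"\bfor\s+(\d+)\b", re.I)        # "for 200" installs
NET_RE = re.compile(r"commissions?\s+(\d+)\b", re.I)       # amount net of QIWI fees
K_RE = re.compile(r"\b(\d+(?:\.\d+)?)\s*k\b", re.I)        # "9k" = 9,000 rubles


@dataclass
class Payment:
    date: str
    installs: int = 0
    rubles: float = 0.0  # 0.0 means the amount was never stated


def parse_payments(messages):
    """Group the Main Entrepreneur's messages into payment records.

    A message mentioning a transfer opens a record; later messages, until the
    next transfer, may supply the install count and/or the net amount."""
    records = []
    for date, who, text in messages:
        if who != "ME":
            continue
        if "transfer" in text.lower():
            records.append(Payment(date=date))
        if not records:
            continue  # chatter before the first payment
        rec = records[-1]
        if m := INSTALLS_RE.search(text):
            rec.installs = int(m.group(1))
        if m := NET_RE.search(text):
            rec.rubles = float(m.group(1))
        elif m := K_RE.search(text):
            rec.rubles = float(m.group(1)) * 1000
    return records


def estimate_revenue(records):
    """Return (total_rubles, total_installs, price_used_per_record).

    Records stating both amount and installs fix the current price; records
    stating only installs are valued at the latest such price (or, before any
    price is known, at the first one that appears later)."""
    known = [r.rubles / r.installs for r in records if r.rubles and r.installs]
    if not known:
        raise ValueError("no record states both an amount and an install count")
    prices, last = [], None
    for r in records:
        if r.rubles and r.installs:
            last = r.rubles / r.installs
        prices.append(last if last is not None else known[0])
    total = sum(r.rubles if r.rubles else r.installs * p for r, p in zip(records, prices))
    return total, sum(r.installs for r in records), prices


if __name__ == "__main__":
    recs = parse_payments(MESSAGES)
    total, installs, prices = estimate_revenue(recs)
    for r, p in zip(recs, prices):
        print(f"{r.date}: {r.installs} installs at {p:.1f} RUB -> {r.rubles or r.installs * p:.0f} RUB")
    print(f"total {total:.0f} RUB for {installs} installs")
```

On the constructed log this yields three records (18.5, 18 and 18 rubles per install, the last one imputed) for 1,000 installs and 18,100 rubles. The same carry-forward rule, applied to every payment mention in the real conversation, is what produces the 125,840-ruble figure above; the imputation step is also where the estimate is most sensitive, since the price per install drifted between 17 and 20 rubles.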
The results of the thematic analysis are discussed below through three points: 1) affiliates’ labour-intensive work and precarious working conditions; 2) affiliates’ limited income; and 3) affiliates’ entangled cybercrime participation. The limits of the study are also briefly presented at the end of the section. All in all, by studying the motivations and challenges of affiliates, this study sheds light on the business experience of participating in a blackmarket PPI service.
Affiliates’ Labour-Intensive Work and Precarious Working Conditions
The results of the study showed that the work conducted by the affiliates was labour intensive. Indeed, unless an individual had a secret recipe to compromise devices, such as a zero-day vulnerability, generating successful installations of malicious applications through Android portals required constant work. In other words, the work of the affiliates was tedious as they continuously repeated the same tasks, replacing the malicious applications available on the website with new ones. This is because the malicious applications were constantly flagged by antivirus engines and/or search engines such as Google and Yandex. Hence, the results of the study provide additional evidence in support of Collier et al.’s (2020; 2021) argument that, for many individuals, cybercrime participation has become tedious and, subsequently, in the authors’ words, quite boring.
The results of this study also showed that the working conditions of affiliates were quite precarious. The conversations indicated that payments from the blackmarket PPI service were uncertain and their business partners unreliable, creating a challenging business working environment. Moreover, the individuals studied were not paid for all the work they did, but only for the successful installations that they generated. This means that they were rewarded only if their work was successful and were the ones absorbing significant losses due to the security measures that have been implemented by security vendors. These security measures are known to have impacted the PPI market negatively, significantly reducing profit margins for all market actors (Kotzias and Caballero 2017). Recall that the Main Entrepreneur mentioned a decrease in revenue due to Yandex security measures: “With Yandex browser [and no ban], would be 40% more, but alas”. Moreover, as the infections are initiated by affiliates, they are the most exposed individuals in the cyberattack value chain, taking the highest risks. This risky position should not be understated: affiliates are in the frontlines, they are the infantry (Manky, 2013).
That blackmarket PPI business models pay affiliates only for each successful installation recalls the capitalist labour division evoked in Collier et al. (2021; 2020). Indeed, these authors argued that the working conditions in cybercrime economies have started to reproduce divisions of labour and conditions of alienation found in mainstream capitalist economies (Collier et al. 2021: 1,408). The affiliates are positioned at the end of the cybercrime business model and their specialised task is to generate successful malware infections, yet, as shown in the results, such a task is redundant and results in unmotivated “alienated” workers. Recall Developer 1 saying “I am getting demotivated and do not want to do anything”.
Affiliates’ Limited Income
In this study, the affiliates were indispensable workers necessary for the criminal scheme to be successfully orchestrated. Through their work, banking Trojan applications were made available on Android portals and downloaded by individuals. For this specific cybercrime model, the instigators of the criminal scheme needed these front-line workers, who do the tedious work at the end of the cybercrime attack, to spread the malicious applications. This tedious work did not translate into easy money.
In 2011, Caballero et al. reported a price of US$ 0.10 to US$ 0.18 per install for blackmarket PPI services. Our study’s timeframe is the end of 2017 and early 2018, and within this timeframe, the individuals studied were paid between 17 and 20 rubles per application installed, which represents between US$ 0.29 and US$ 0.34 (based on the exchange rate as of December 31, 2017). Because of a relatively high inflation rate for the ruble, one ruble in 2011 is equivalent to 1.59 rubles in 2017. Hence, the price paid per malicious application is slightly higher (equivalent to between US$ 0.18 and US$ 0.22 per installation) than what blackmarket PPI services paid in 2011 (US$ 0.10 to US$ 0.18 per installation). However, the level of work required nowadays to successfully achieve an installation, due to various security measures put in place by security vendors (Kotzias and Caballero, 2017), is much more significant, as illustrated throughout the private conversations. This could explain the slightly higher price paid by the blackmarket PPI service studied. Potentially, those behind the blackmarket PPI service accepted sharing a part of the costs resulting from increased security measures. However, to what extent this price increase offsets the amount of work required is unclear.
The findings also show that the affiliates studied participated in the cybercrime business with dreams of money and economic independence. However, the revenue of ~US$2,157.38 for about five months of work is far from the amounts mentioned in previous research on cybercrime participation for stolen data markets (Holt et al. 2016), traditional ransomware operations (prior to ransomware-as-a-service) (Huang et al. 2018; Paquet-Clouston, Haslhofer, et al. 2019), or sextortion spam campaigns (Paquet-Clouston, Romiti, et al. 2019). The money earned was furthermore far from what the affiliates expected: recall Developer 1 saying “I realised that I was led by the fact that others make good money […]” (Developer 1, January 2018).
Nevertheless, how much one earns when participating in cybercrime depends on the type of activity one is involved in. Potentially, some activities pay more than others: in this case, participating in a blackmarket PPI service as an affiliate did not seem to pay as much as the affiliates expected. On the other hand, Garcia et al. (2019) estimated the revenues of the individuals behind the Android banking Trojan botnet and the associated blackmarket PPI service and concluded that they had access to millions of euros through the compromised banking accounts. Whether these amounts translate into revenue and then net profit is unclear. Kotzias and Caballero (2017) studied the economics behind legal PPI services and concluded that maintaining such services leads to high revenues, but that such operations also require large expenses, thus leading to potential low profit margins (p.2). Although there is no estimate of the blackmarket PPI service total profits, perhaps amounting to millions of dollars compared to affiliates making a few thousand dollars over five months, there is certainly a disparity in the amount of wealth flowing to the various participants.
Nevertheless, this disparity in the revenue of the affiliates compared to the revenue of those behind the blackmarket PPI service suggests that the inequality in revenues observed in capitalist societies may also be reproduced within the cybercrime industry, as raised in Collier et al. (2021; 2020). This finding is also in accordance with other research studying profit-driven crime in traditional criminal settings, such as drug markets. In these settings, a small group of individuals (the kingpins) often seem to make large amounts of money, while the rest do not, being quite unsuccessful (Levitt and Venkatesh 2000; Tremblay and Morselli 2000). Yet, in the case of the individuals studied, a little revenue seems better than no revenue, explaining their participation in PPI services. Given these results, further research should investigate this inequality in revenues within different cybercrime business models, as conceptualised by Huang et al. (2018).
Affiliates’ Entangled Cybercrime Participation
From the perspective of the affiliates studied, the legality of the programme installed did not seem to matter much, as illustrated in the leniency towards criminality theme. In other words, they were more interested in the potential revenues that any programme would bring, even considering the additional work that malicious programmes entail due to the need to overcome security features. These individuals thus represent a workforce for both blackmarket and legal PPI services. In the literature, whether there is a clear-cut distinction between PPI services distributing legitimate software and those distributing malware is unclear (Caballero et al. 2011; Trend Micro 2014). For example, Kotzias et al. (2016) investigated thoroughly the potential overlap between both types of service (whether legal services distributed malware or malware included legal PPI bundles) and found only sporadic accounts of such events. Yet, what this study shows is that affiliates may be the ones mixing both services (legal and blackmarket) when developing their techniques to trigger installations.
Moreover, affiliates’ entangled cybercrime participation, mixing legal and blackmarket PPI services, might explain why cybercrime “as-a-service” listings are not as prevalent as expected in darknet markets (van Wegberg et al., 2018; Meland et al., 2020; Akyazi et al., 2021). Indeed, recruitment to any PPI service can happen through other channels that are not branded as “cybercrime”. One study has already shown that a population overlap exists between a public forum on internet marketing, which advertises PPI services, and cybercrime forums (Paquet-Clouston et al., 2022). Such forums provide a space to freely discuss affiliate marketing and may be a hotbed for recruiting affiliates who are lenient towards criminality.
Moreover, many specialised tasks within the cybercrime volume industry (Anderson et al. 2019; Moore et al. 2009) can be performed by workers such as the ones studied. These workers are not the motivated offenders who thought of the whole criminal scheme; they have nothing to do with an “attacker” mindset. However, this may depend on affiliates’ level of engagement. In this study, the affiliates advertised the malicious applications with the hope that website visitors would install them. Other affiliates could have taken a more aggressive strategy by, for example, developing attack methods that forced website visitors to download the malicious applications. Such a level of engagement depends on the business model along with affiliates’ willingness to participate in cybercrime. In ransomware-as-a-service (Salvi, 2019; Maurya et al., 2018; Alwashali et al., 2021), affiliates may have to participate in ransom negotiations, for example. Further research should map the different cybercrime “as-a-service” business models and look at the level of engagement in crime that each of these “as-a-service” business models requires from affiliates.
There are two main limits that need to be acknowledged in this study. One lies in the cultural origin of the private chat log: Russian-speaking individuals. Note that “Russian-speaking” does not refer only to the Russian Federation; it encompasses a large population from various countries and different cultures, from Romania to Poland and Kazakhstan (examples are chosen randomly). Still, affiliates speaking other languages may face a different business context as well as other motivations and challenges when participating in blackmarket PPI services. Future studies should investigate these other populations to uncover the similarities to and differences from the group studied. Another limit lies in the small sample of the study. Despite the small sample, we were able to conclude that the results are in accordance with other studies, such as those that looked at the experience of individuals who perform the hidden work behind shared purpose-built illicit infrastructures (Collier et al. 2020; 2021). All in all, this study is the first to look at the business experience of affiliates participating in blackmarket PPI services from an insider’s perspective, paving the way for future studies on the topic.
This study shed light on the motivations and challenges of affiliates involved in a blackmarket PPI service. To do so, we conducted an in-depth thematic analysis on private conversations of a small group of individuals involved in spreading malicious Android applications on behalf of a blackmarket PPI service. The findings illustrated that the affiliates studied faced a hostile and difficult business environment, with unreliable business partners and unstable PPI services. The work they conducted was tedious and such tediousness was exacerbated by their lack of technical skills and the flawed tools they worked with. They held lenient attitudes toward criminality and engaged in all sorts of PPI services with dreams of profits that never materialised, at least from the conversations studied.
Given these findings, we discussed how the individuals studied conducted labour-intensive tasks while facing precarious working conditions. They earned limited incomes, especially compared to their aspirations. For example, we estimated that one affiliate made US$ 2,157.38 for 139 days of work (an average of 15.5 USD per day) while some statements indicated hope for 22 times that amount of money (USD 47,659.86). Given such hope to make money, affiliates’ cybercrime participation was entangled: they did not care whether the programme they participated in was legal or blackmarket, as long as it was profitable.
We conclude that these findings are in accordance with the current literature highlighting the downsides of cybercrime specialisation (Collier et al., 2021; 2020; Anderson et al., 2019; Moore et al., 2009; Sembera et al., 2021). Given this knowledge, two policy recommendations are briefly presented below. First, to discourage cybercrime participation, awareness campaigns illustrating the downsides of participating in “as-a-service” cybercrime business models for affiliates could be developed and disseminated. Collier et al. (2020; 2021) already suggested that, by shifting the narrative of cybercrime participation from the thrilling to the boring and tedious, the number of potential interested parties could be reduced. Our study extends these findings and shows that cybercrime participation for affiliates means facing precarious and risky working conditions while earning little revenue and conducting tedious tasks. Disseminating such a narrative in forums where affiliates look for economic opportunities could have a demotivating effect on their willingness to participate in blackmarket PPI services.
Second, prevention policies could be more active and could develop programmes that offer legal economic opportunities to these individuals. Such programmes could leverage their skills, knowledge and determination, but also their large number. They could be advertised in various forums where affiliates look for work opportunities. To better develop this policy prevention recommendation, further research should survey this population and assess their interests in terms of work opportunities.
The authors would like to thank the anonymous reviewers and the Stratosphere Laboratory team for their reviews and suggestions and Avast Software for the partial funding of this research.
Afroz, S., Garg, V., McCoy, D., & Greenstadt, R. (2013). Honor among thieves: A common’s analysis of cybercrime economies. 2013 APWG ECrime Researchers Summit, 1–11. DOI:10.1109/eCRS.2013.6805778
Alwashali, A. A. M. A., Abd Rahman, N. A., & Ismail, N. (2021). A Survey of Ransomware as a Service (RaaS) and Methods to Mitigate the Attack. In 2021 14th International Conference on Developments in eSystems Engineering (DeSE) (pp. 92–96). IEEE. DOI:10.1109/DeSE54285.2021.9719456
Anderson, R., Barton, C., Bölme, R., Clayton, R., Gañán, C., Grasso, T., Levi, M., Moore, T., & Vasek, M. (2019). Measuring the changing cost of cybercrime [Workshop]. The 2019 Workshop on the Economics of Information Security, Boston, US. https://orca.cardiff.ac.uk/122684/
Bijlenga, N., & Kleemans, E. R. (2018). Criminals seeking ICT-expertise: An exploratory study of Dutch cases. European Journal on Criminal Policy and Research, 24(3), 253–268. DOI:10.1007/s10610-017-9356-z
Braun, V., & Clarke, V. (2006). Using thematic analysis in psychology. Qualitative Research in Psychology, 3(2), 77–101. DOI:10.1191/1478088706qp063oa
Christin, N. (2013). Traveling the silk road: A measurement analysis of a large anonymous online marketplace. Proceedings of the 22nd International Conference on World Wide Web - WWW ’13, 213–224. DOI:10.1145/2488388.2488408
Collier, B., Clayton, R., Hutchings, A., & Thomas, D. (2020). Cybercrime is (often) boring: Maintaining the infrastructure of cybercrime economies. Workshop on the Economics of Information Security. DOI:10.17863/CAM.53769
Collier, B., Clayton, R., Hutchings, A., & Thomas, D. (2021). Cybercrime is (often) boring: Infrastructure and alienation in a deviant subculture. The British Journal of Criminology, 61(5), 1407–1423. DOI:10.1093/bjc/azab026
Dupont, B., Côté, A.-M., Boutin, J.-I., & Fernandez, J. (2017). Darkode: Recruitment patterns and transactional features of “the most dangerous cybercrime forum in the world”. American Behavioral Scientist, 61(11), 1219–1243. DOI:10.1177/0002764217734263
García, S., Erquiaga, M. J., & Shirokova, A. (2019). Geost botnet. The story of the discovery of a new Android banking trojan from an OpSec error. Virus Bulletin. https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-geost-botnetstory-discovery-new-android-banking-trojan-opsec-error/ Accessed 12 Feb 2020
Grier, C., Pitsillidis, A., Provos, N., Rafique, M. Z., Rajab, M. A., Rossow, C., Thomas, K., Paxson, V., Savage, S., Voelker, G. M., Ballard, L., Caballero, J., Chachra, N., Dietrich, C. J., Levchenko, K., Mavrommatis, P., McCoy, D., & Nappa, A. (2012). Manufacturing compromise: The emergence of exploit-as-a-service. Proceedings of the 2012 ACM Conference on Computer and Communications Security - CCS ’12, 821. DOI:10.1145/2382196.2382283
Holt, T. J. (2013). Examining the Forces Shaping Cybercrime Markets Online. Social Science Computer Review, 31(2), 165–177. DOI:10.1177/0894439312452998
Holt, T. J., & Lampke, E. (2010). Exploring stolen data markets online: Products and market forces. Criminal Justice Studies, 23(1), 33–50. DOI:10.1080/14786011003634415
Holt, T. J., Smirnova, O., & Chua, Y. T. (2016). Exploring and Estimating the Revenues and Profits of Participants in Stolen Data Markets. Deviant Behavior, 37(4), 353–367. DOI:10.1080/01639625.2015.1026766
Huang, D. Y., Aliapoulios, M. M., Li, V. G., Invernizzi, L., Bursztein, E., McRoberts, K., Levin, J., Levchenko, K., Snoeren, A. C., & McCoy, D. (2018). Tracking Ransomware End-to-end. 2018 IEEE Symposium on Security and Privacy (SP), 618–631. DOI:10.1109/SP.2018.00047
Huang, K., Siegel, M., & Madnick, S. (2018). Systematically Understanding the Cyber Attack Business: A Survey. ACM Computing Surveys, 51(4), 70:1-70:36. DOI:10.1145/3199674
Hutchings, A., & Holt, T. J. (2015). A crime script analysis of the online stolen data market. British Journal of Criminology, 55(3), 596-614. DOI:10.1093/bjc/azu106.
Hyslip, T. S. (2020). Cybercrime-as-a-Service Operations. In T. J. Holt & A. M. Bossler (Eds.), The Palgrave Handbook of International Cybercrime and Cyberdeviance (pp. 815–846). Springer International Publishing. DOI:10.1007/978-3-319-78440-3_36
Kamil, S., Norul, H. S. A. S., Firdaus, A., & Usman, O. L. (2022). The Rise of Ransomware: A Review of Attacks, Detection Techniques, and Future Challenges. In 2022 International Conference on Business Analytics for Technology and Security (ICBATS) (pp. 1–7). IEEE. DOI:10.1109/ICBATS54253.2022.9759000
Kotzias, P., & Caballero, J. (2017). An Analysis of Pay-per-Install Economics Using Entity Graphs. Workshop on Economics and Information Security (WEIS), 17.
Leukfeldt, R., Kleemans, E., & Stol, W. (2017). The Use of Online Crime Markets by Cybercriminal Networks: A View from Within. American Behavioral Scientist, 61(11), 1387–1402. DOI:10.1177/0002764217734267
Leukfeldt, E. R., Kruisbergen, E. W., Kleemans, E. R., et al. (2020). Organized financial cybercrime: Criminal cooperation, logistic bottlenecks, and money flows. In T. J. Holt & A. M. Bossler (Eds.), The Palgrave Handbook of International Cybercrime and Cyberdeviance (pp. 961–980). Palgrave Macmillan. DOI:10.1007/978-3-319-90307-165-1
Maurya, A. K., Kumar, N., Agrawal, A., & Khan, R. A. (2018). Ransomware: Evolution, target and safety measures. International Journal of Computer Sciences and Engineering, 6(1), 80–85.
Meland, P. H., Bayoumy, Y. F. F., & Sindre, G. (2020). The Ransomware-as-a-Service economy within the darknet. Computers & Security, 92, 101762. DOI:10.1016/j.cose.2020.101762
Moore, T., Clayton, R., & Anderson, R. (2009). The Economics of Online Crime. Journal of Economic Perspectives, 23(3), 3–20. DOI:10.1257/jep.23.3.3
Motoyama, M., McCoy, D., Levchenko, K., Savage, S., & Voelker, G. M. (2011). An analysis of underground forums. Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference - IMC ’11, 71. DOI:10.1145/2068816.2068824
Musotto, R., & Wall, D. S. (2020). More Amazon than Mafia: Analysing a DDoS stresser service as organised cybercrime. Trends in Organized Crime, 1–19. DOI:10.1007/s12117-020-09397-5
Oosthoek, K., Cable, J., & Smaragdakis, G. (2022). A Tale of Two Markets: Investigating the Ransomware Payments Economy. arXiv preprint arXiv:2205.05028.
Paquet-Clouston, M., Décary-Hétu, D., & Morselli, C. (2018). Assessing market competition and vendors’ size and scope on AlphaBay. International Journal of Drug Policy, 54, 87–98. DOI:10.1016/j.drugpo.2018.01.003
Paquet-Clouston, M., Paquette, S.-O., Garcia, S., & Erquiaga, M.-J. (2022). Entanglement: Cybercrime Connections of a Public Forum Population. Journal of Cybersecurity. DOI:10.1093/cybsec/tyac010
Paquet-Clouston, M., Haslhofer, B., & Dupont, B. (2019). Ransomware payments in the Bitcoin ecosystem. Journal of Cybersecurity, 5(1), tyz003. DOI:10.1093/cybsec/tyz003
Paquet-Clouston, M., Romiti, M., Haslhofer, B., & Charvat, T. (2019, October). Spams meet cryptocurrencies: Sextortion in the Bitcoin ecosystem. In Proceedings of the 1st ACM Conference on Advances in Financial Technologies (pp. 76–88). DOI:10.1145/3318041.3355466
Rossow, C., Dietrich, C., & Bos, H. (2013). Large-Scale Analysis of Malware Downloaders. In U. Flegel, E. Markatos, & W. Robertson (Eds.), Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 42–61). Springer. DOI:10.1007/978-3-642-37300-8_3
Salvi, H. U. (2019). RAAS: Ransomware-as-a-Service. International Journal of Computer Sciences and Engineering, 7(6), 586–590. DOI:10.26438/ijcse/v7i6.586590
Sembera, V., Paquet-Clouston, M., Garcia, S., & Erquiaga, M. J. (2021). Cybercrime Specialization: An Exposé of a Malicious Android Obfuscation-as-a-Service. 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 213–226. DOI:10.1109/EuroSPW54576.2021.00029
Sood, A. K., & Enbody, R. J. (2013). Crimeware-as-a-service—A survey of commoditized crimeware in the underground market. International Journal of Critical Infrastructure Protection, 6(1), 28–38. DOI:10.1016/j.ijcip.2013.01.002
Soska, K., & Christin, N. (2015). Measuring the Longitudinal Evolution of the Online Anonymous Marketplace Ecosystem. Usenix Security Symposium, 17.
Soudijn, M. R., & Zegers, B. C. T. (2012). Cybercrime and virtual offender convergence settings. Trends in Organized Crime, 15(2), 111–129. DOI:10.1007/s12117-012-9159-z
Stevens, K. (2009). The Underground Economy of the Pay-Per-Install (PPI) Business. 23.
Thomas, D. R., Pastrana, S., Hutchings, A., Clayton, R., & Beresford, A. R. (2017). Ethical issues in research using datasets of illicit origin. Proceedings of the 2017 Internet Measurement Conference, 445–462. DOI:10.1145/3131365.3131389
Tremblay, P., & Morselli, C. (2000). Patterns in Criminal Achievements: Wilson and Abrahamse Revisited. Criminology, 38(2), 633–657. DOI:10.1111/j.1745-9125.2000.tb00901.x
van Wegberg, R. S., Klievink, A. J., & van Eeten, M. J. G. (2017). Discerning Novel Value Chains in Financial Malware: On the Economic Incentives and Criminal Business Models in Financial Malware Schemes. European Journal on Criminal Policy and Research, 23(4), 575–594. DOI:10.1007/s10610-017-9336-3
Yip, M., Webber, C., & Shadbolt, N. (2013). Trust among cybercriminals? Carding forums, uncertainty and implications for policing. Policing and Society, 23(4), 516–539. DOI:10.1080/10439463.2013.780227
Compliance with Ethical Standards
Disclosure of potential conflicts of interest
The authors declare that there is no conflict of interest.
Research involving Human Participants and/or Animals
The research has been approved by the Simon Fraser University ethics department (study number 2020s0121) (former institution of the lead author) and University of Montreal (study number CERSC-2021-131-D) (new institution of the lead author) under minimal risks.
This research required asking for a waiver of consent in line with Article 5.5 A of the Tri-Council Policy Statement (TCPS2). This is because we, as researchers, do not wish to focus on identifying the real person behind each pseudonym in the chat log. Doing so would put us in a position of associating a criminal activity with a real identity, placing us in an investigating or policing position that is not related to our research. Instead, to ensure participants’ confidentiality and privacy, we do not use the real pseudonyms. We also paraphrase what they said (rather than giving the exact quote, as is usual in qualitative research) to ensure that a quote example is not easily linked to an individual in the chat log through automatic text search.