Would you trust a cybercriminal? Exploring the cold start problem in an online cybercrime market

Dr Alice Hutchings
Cambridge Centre for Cybercrime, Department of Computer Science and Technology
 

Would you trust a stranger? Or an unknown business? How much trust would you place in a known cybercriminal? We often hear about the risk of cybercrime, but what is at stake for the crooks? Much cybercrime requires some level of reliance on others, whether it be renting infrastructure to run botnets, or cash-out services to monetise illicit gains. When an offender is cheated, they can’t complain to the police, or take the other party to court. If it were a face-to-face interaction, criminals may at least be able to retaliate using violence if cheated, but online their opponents may be anonymous and protected by physical distance.

It is for these reasons that I, along with my colleagues at the Cambridge Cybercrime Centre, am interested in trusting the untrustworthy within cybercrime communities, where information asymmetry abounds. Trust tends to be developed over time, with repeated interactions. Criminals can also rely on signalling mechanisms developed to facilitate trust, such as reputation systems within underground markets, which are clearly modelled on eBay and Amazon recommendation systems.

The use of escrow services can also mitigate some of the risks (although perhaps displacing them to those that operate such services, who can run exit scams).

One of the great unknowns, however, is how new entrants to the cybercrime scene can establish this much-needed reputation. In economics this is known as the cold start problem—the conundrum faced by new actors who find that others do not want to trade with them due to lack of reputation, but they cannot gain reputation as nobody will trade with them.

We recently had the opportunity to explore how the cold start problem may be overcome in an online black market. We collected data relating to 190,000 contracts from a new reputation system that had been set up in an established cybercrime market. The market traditionally provided a place for advertisements, but did not facilitate transactions. However, due to reports of scammers (often referred to as ‘rippers’ within cybercrime communities), a new market system was established. This includes logging contracts between users, which are then visible to those who pay a small fee. This new system provides users with a way to dispute transactions, and acts as a recommendation system to signal trustworthiness to potential buyers.

We explored this data, which spanned two years, over three discrete periods, which we called the set-up, stable, and COVID-19 eras. The first era, set-up, contained contracts made voluntarily on the market. The stable era starts when contracts became compulsory, while the COVID-19 era begins when the global pandemic was declared by the World Health Organisation. In our paper (Vu et al., 2020) we track the effects of the pandemic on this cybercrime market, concluding that it stimulated, but did not transform, the market.

We found the most common marketplace activity was the provision of cash-out services, transferring currency from one type to another. The most exchanged currency types are Bitcoin and PayPal, and the funds exchanged are presumably obtained illicitly. We found most cold starters (new actors joining the market during the stable period) started to gain their reputation by engaging in low-level currency exchange, gradually increasing as they became more trusted on the market. In this way, the contract system allowed them to signal their experience and trustworthiness. Over time, including during the pandemic, we observed an increasing trend towards greater concentration of a few key actors on the market, who accounted for a disproportionately high number of transactions.

References

Vu, A. V., Hughes, J., Pete, I., Collier, B., Chua, Y. T., Shumailov, I., & Hutchings, A. (2020). Turning up the dial: The evolution of a cybercrime market through set-up, stable, and COVID-19 eras. Proceedings of the ACM Internet Measurement Conference, Pittsburgh.
