Cover: Markets for Cybercrime Tools and Stolen Data

Markets for Cybercrime Tools and Stolen Data

Hackers' Bazaar

Published Mar 25, 2014

by Lillian Ablon, Martin C. Libicki, Andrea M. Abler


Download eBook for Free

Full Document

FormatFile SizeNotes
PDF file 1.9 MB Best for desktop computers.

Use Adobe Acrobat Reader version 10 or higher for the best experience.

ePub file 2.6 MB Best for mobile devices.

On desktop computers and some mobile devices, you may need to download an eBook reader to view ePub files. Calibre is an example of a free and open source e-book library management application.

mobi file 4.1 MB Best for Kindle 1-3.

On desktop computers and some mobile devices, you may need to download an eBook reader to view mobi files. Amazon Kindle is the most popular reader for mobi files.

Summary Only

FormatFile SizeNotes
PDF file 0.1 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.


Purchase Print Copy

 Format Price
Add to Cart Paperback82 pages $24.50

Research Questions

  1. What are the fundamental characteristics of black and gray markets for hackers?
  2. How did they grow into their current state? What direction do they appear to be heading?
  3. How can the existence of these markets harm the information security environment?

Criminal activities in cyberspace are increasingly facilitated by burgeoning black markets for both tools (e.g., exploit kits) and take (e.g., credit card information). This report, part of a multiphase study on the future security environment, describes the fundamental characteristics of these markets and how they have grown into their current state to explain how their existence can harm the information security environment. Understanding the current and predicted landscape for these markets lays the groundwork for follow-on exploration of options to minimize the potentially harmful influence these markets impart. Experts agree that the coming years will bring more activity in darknets, more use of crypto-currencies, greater anonymity capabilities in malware, and more attention to encrypting and protecting communications and transactions; that the ability to stage cyberattacks will likely outpace the ability to defend against them; that crime will increasingly have a networked or cyber component, creating a wider range of opportunities for black markets; and that there will be more hacking for hire, as-a-service offerings, and brokers. Experts disagree, however, on who will be most affected by the growth of the black market (e.g., small or large businesses, individuals), what products will be on the rise (e.g., fungible goods, such as data records and credit card information; non-fungible goods, such as intellectual property), or which types of attacks will be most prevalent (e.g., persistent, targeted attacks; opportunistic, mass "smash-and-grab" attacks).

Key Findings

The Hacking Community and Cyber Black Markets Are Growing and Maturing

  • The cyber black market has evolved from a varied landscape of discrete, ad hoc individuals into a network of highly organized groups, often connected with traditional crime groups (e.g., drug cartels, mafias, terrorist cells) and nation-states.
  • The cyber black market does not differ much from a traditional market or other typical criminal enterprises; participants communicate through various channels, place their orders, and get products.
  • Its evolution mirrors the normal evolution of markets with both innovation and growth.
  • For many, the cyber black market can be more profitable than the illegal drug trade.

These Cyber Black Markets Respond to Outside Forces

  • As suspicion and "paranoia" spike because of an increase in recent takedowns, more transactions move to darknets; stronger vetting takes place; and greater encryption, obfuscation, and anonymization techniques are employed, restricting access to the most sophisticated parts of the black market.
  • The proliferation of as-a-service and point-and-click interfaces lowers the cost to enter the market.
  • Law enforcement efforts are improving as more individuals are technologically savvy; suspects are going after bigger targets, and thus are attracting more attention; and more crimes involve a digital component, giving law enforcement more opportunities to encounter crime in cyberspace.
  • Still, the cyber black market remains resilient and is growing at an accelerated pace, continually getting more creative and innovative as defenses get stronger, law enforcement gets more sophisticated, and new exploitable technologies and connections appear in the world.
  • Products can be highly customized, and players tend to be extremely specialized.


  • Explore how computer security and defense companies could shift their approaches to thwarting attackers and attacks.
  • Explore how bug bounty programs or better pay and incentives from legitimate companies might shift transactions and talent off the illicit markets into legitimate business operations.
  • Explore the costs and benefits of establishing fake credit card shops, fake forums, and sites to increase the number and quality of arrests, and otherwise tarnish the reputation of black markets.
  • Explore the ramifications of hacking back, or including an offensive component within law enforcement that denies, degrades, or disrupts black-market business operations.
  • Explore the options for banks or merchants to buy back their customers' stolen data.
  • Explore the effects of implementing mandates for encryption on point-of-sale terminals, safer and stronger storage of passwords and user credentials, worldwide implementation of chips and PINs, and regular checks of websites to prevent common vulnerabilities put a dent in the black market, or enforce significant changes to how the market operates.
  • Explore how to apply lessons learned from the black market for drugs or arms merchants to the black market for cybercrime.
  • Determine whether it is more effective for law enforcement to go after the small number of top-tier operators or the lower- or open-tier participants.
  • Examine whether governments and law enforcement worldwide could work together to prosecute and extradite when appropriate, and coordinate for physical arrests and indictments.

The research described in this report was sponsored by Juniper Networks and conducted within the Acquisition and Technology Policy Center of the RAND National Security Research Division.

This report is part of the RAND research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.