
Hacker Tradecraft Volume 7 — The Black Hat: The Adversary

The unauthorized adversary, the structured criminal economy, the figures behind the case law, and the legal line that defines the whole hat

Contents

Section | Topic
1 | Definition and boundary
2 | Origin and how the term is actually used
3 | Tools of the trade
4 | Methods and tradecraft — the intrusion lifecycle as crime
5 | A day in the life — reconstructed from court records
6 | The criminal economy
7 | Famous figures
8 | Callouts and cross-references
9 | Resources

About this volume — read before continuing. This volume is a historical and descriptive treatment of black-hat actors and the criminal economy that organizes most of them in 2026. Every factual claim about a named figure or named operation is sourced from court records, U.S. Department of Justice press releases, threat-intelligence reports from established firms (Mandiant, CrowdStrike, Microsoft DSU, Kaspersky GReAT, Recorded Future, KELA, Group-IB), and mainstream press (Krebs on Security, Wired, The New York Times, The Washington Post, BBC, Reuters). Operational uplift is deliberately absent: the volume describes what black-hat operators do and use at the category level, not how to execute any specific technique. The §3 tools section names families and lineages; it does not explain how to operate them, how to evade detection, how to launder proceeds, or how to defeat attribution. The §5 “day in the life” sections are reconstructed from public threat-intelligence post-mortems and chat leaks, not authored as instructional fiction. The §8 mandatory danger callout points to Vol 19 (legal line and ethics) and explicitly disclaims operational utility. Forward operational detail belongs in the defensive (Vol 10) and authorized-offensive (Vol 6, Vol 11) volumes, not here.


1. Definition and boundary

The black hat is the unauthorized and malicious actor. Both halves of that definition do work: unauthorized distinguishes black-hat conduct from the entire white-hat universe of Vol 6, and malicious (or self-interested, or destructive — the disjunction matters in case law) distinguishes black-hat conduct from the grey-hat researcher of Vol 8 who operates without authorization but for constructive ends. The hat metaphor’s Axis 1 (Vol 5 §6.1) locates the three positions along a single spectrum — authorized / unauthorized-constructive / unauthorized-malicious — and the black hat occupies the third position by definition. The technical work on the wire often looks identical across all three positions; the legal status is determined entirely by where the operator sits on Axis 1, and the black hat sits on the wrong side of the legal line by construction.

The textbook framing of “the wrong side of the line” is the Computer Fraud and Abuse Act’s “without authorization or exceeds authorized access” language at 18 U.S.C. § 1030. Vol 3 §4 walked the statute’s history (the 1986 enactment as a response to WarGames and the 414s; the subsequent series of amendments through 2008); Vol 4 §1 walked the Supreme Court’s 2021 Van Buren v. United States decision, which narrowed the “exceeds authorized access” prong (limiting it to access of files or folders the defendant was not entitled to enter at all) but left the “without authorization” prong substantially intact. The narrowing matters for white-hat and grey-hat edge cases; it does very little for the black-hat case, where the actor by definition has no authorization of any kind. The black-hat actor is the canonical CFAA defendant — and, in the modern era, is typically also the wire-fraud defendant, the conspiracy defendant, the aggravated-identity-theft defendant, the money-laundering defendant, and (depending on the operation) the IEEPA-sanctions-violation defendant. The black-hat case is rarely charged under CFAA alone in 2026; the stacked-charge geometry that emerged through the 1990s and matured through the 2000s is the prosecutorial norm. The Albert Gonzalez indictment (§7.1) is the canonical example of the stacked-charge pattern; Vol 19 §3 will walk the geometry at full statutory depth.

International equivalents track the same definitional structure. The UK’s Computer Misuse Act 1990 (as amended in 2006 and 2015) criminalizes unauthorized access at § 1, unauthorized access with intent to commit further offences at § 2, unauthorized modification at § 3, and the making/supplying/obtaining of articles for use in computer-misuse offences at § 3A. The Council of Europe Convention on Cybercrime (Budapest Convention, 2001, ETS No. 185) provides the multilateral baseline that approximately 70 ratifying states have implemented into domestic law; Articles 2–6 of the Budapest Convention define the core offences (illegal access, illegal interception, data interference, system interference, misuse of devices) that map onto the U.S. CFAA framework with minor terminological drift. The black-hat actor’s legal exposure is, in 2026, a stacked-jurisdiction problem: the same operation can produce charges in the actor’s home jurisdiction (often weak; many high-volume cybercrime actors operate from jurisdictions with poor cooperation), in the victim jurisdiction (often strong; the U.S. federal system is the modal example), and in the jurisdictions through which the proceeds flowed (the OFAC sanctions geometry of §6.4). Vol 19 §2 will walk the international scene at depth.

The boundary tested at the edges:

  • Against white-hat work (Vol 6). The authorization paperwork stack — SOW, scope document, ROE, get-out-of-jail letter — is what makes the same technical activity white-hat instead of black-hat. The black-hat operator has none of these artifacts. A penetration tester whose engagement paperwork is properly executed is doing white-hat work; the same operator running the same scan against the same target without the paperwork has, in that moment, become a black-hat (or grey-hat — see immediately below).
  • Against grey-hat work (Vol 8). Grey hats and black hats share the unauthorized half of the definition; they diverge on the malicious-or-self-interested half. A grey-hat researcher who scans an exposed S3 bucket to flag the misconfiguration to its owner — without authorization, but without intent to harm and without monetization — is operating in the grey-hat region of Axis 1. A black-hat actor who scans the same S3 bucket to exfiltrate its contents for resale on a darknet market has done the same technical thing for a different reason, and the difference is what the statute and the prosecutor actually examine. The grey-hat / black-hat boundary is, in case law, where motive and intent become load-bearing — Vol 8 §1 will walk this boundary in full from the grey-hat side. Note: the case-law focus on motive does not convert the grey-hat act into a legal act — both grey and black hats are operating without authorization and both face CFAA exposure. The difference is in how prosecutors and (sometimes) judges weight the case at the discretionary stages, and in the public conversation about disclosure norms (Vol 4 §3 walked the disclosure-history backdrop).
  • Against authorized red-team work (Vol 11). A sanctioned red-team engagement looks operationally similar to a black-hat intrusion — that’s the point of red-teaming, which is adversary emulation. The discriminator is authorization: a red team operates under a signed engagement scope; the adversary the red team is emulating does not. Vol 11 §1 will treat this from the red-team side.
  • Against nation-state-aligned operations. Nation-state hacking is, from the operating state’s perspective, sanctioned; from the victim state’s perspective, it is treated as black-hat-equivalent for legal-process purposes (the DoJ has used indictments against named PLA, GRU, IRGC, and RGB officers since 2014 — Vol 4 §4 walked the public-attribution-and-indictment pattern). The hat designation is jurisdictionally contested. This volume treats nation-state-aligned operators in §6.5 as a structurally-adjacent tier of the criminal economy; the actors themselves often perceive their work as authorized state service. Both framings are simultaneously true depending on which jurisdiction is asked.

The line — load-bearing callout. No authorization, no engagement. The black hat sits on the unauthorized side of Axis 1 by definition; everything else in this volume — the toolchain, the criminal-economy structure, the named figures, the operational lifecycle — assumes that line has already been crossed. The point of treating this material at engineer-grade depth is not to provide operational uplift but to make the adversary visible to the practitioner whose work is on the other side of the line. The full legal framing — CFAA statutory walkthrough, Van Buren analysis, the international scene, stacked-charge geometry, OFAC enforcement — is in Vol 19. This volume points at the legal frame from outside; Vol 19 is inside it.

1.1 The hat tracks the conduct, not the person

A definitional clarification worth making early — and worth carrying into the §7 famous-figures treatment. Black hat is a description of the conduct’s legal-and-ethical stance, not a permanent label attached to a person. The same individual can be a black-hat operator in one period of their life and a white-hat operator in another (Vol 6 §7.5 walked the Marcus Hutchins arc as the canonical case study; Hutchins’s 2014 Kronos work was black-hat and his 2017 WannaCry kill-switch work was unambiguously white-hat; both are true). Robert Tappan Morris (Vol 3 §5) committed a CFAA felony in 1988 and is, in 2026, a tenured professor at MIT; Kevin Mitnick (Vol 3 §8) was the federal-fugitive-archetype of the 1990s and built a successful security-consulting practice in the 2000s and 2010s. The hat-changes-over-time pattern is recoverable in some cases (Morris, Mitnick, Hutchins) and not in others (Bogachev, Yakubets — see §7); the differentiator is roughly whether the figure cooperated with prosecution, whether the conduct was prosecuted at all, and what the post-conduct trajectory looked like. The point for this volume is that “black hat” is what an actor did at a particular time, not what they are forever.

This matters for the §7 treatments because the named figures are described by their black-hat-era conduct — the indictments, the operations, the dispositions — and not by everything else they ever did. Where post-conviction trajectories matter to the larger story, the volume notes them; where they don’t, it doesn’t. The framing is documentary, not exhaustive biography.

1.2 What “malicious or self-interested” actually captures

The malicious-or-self-interested half of the definition does load-bearing work, especially against the grey-hat case. The 2026 working interpretation, drawn from case law and from the threat-intel literature, captures roughly five things:

  1. Financial gain — the modal black-hat motive in 2026. The criminal economy of §6 is structured around monetization (ransomware, BEC, data brokerage, cryptocurrency theft, sanctions evasion). The dollar volumes are large enough that financial-gain-as-motive accounts for the majority of cases by victim count.
  2. Espionage — state-aligned or competitor-aligned theft of intellectual property, government secrets, or strategic information. The APT taxonomy of Vol 4 §4 tracks the espionage tier; the operators are simultaneously black-hat from the victim state’s perspective and authorized from the operating state’s perspective.
  3. Sabotage or destruction — operations whose objective is harm to the target rather than information extraction. Stuxnet (Vol 4 §4.1) is the canonical case; Sandworm’s NotPetya (June 2017) and the Ukraine power-grid attacks (2015, 2016) are the better-documented sabotage operations.
  4. Ideological or political action (“hacktivism”) — Anonymous and the LulzSec lineage (2010–2012) are the historical canonical cases; more recent examples include some Lapsus$ activity (2021–2022) where the financial and ideological motives blurred. Hacktivism’s legal exposure is identical to other black-hat conduct in U.S. case law; motive doesn’t convert an unauthorized act into a legal one. Where ideological motive matters is at the press-and-public-perception level — the coverage of hacktivist conduct is sometimes sympathetic; the prosecution is not.
  5. Personal grudge or vindictiveness — the lowest-volume modal motive but a recognizable case-law pattern. Disgruntled former employees, ex-romantic-partners with technical access, and lone-wolf-grudge cases recur in the indictment literature.

The grey-hat case carves out a sixth motive — constructive disclosure — that, on the malicious-or-self-interested axis, is not present in the black-hat case. The constructive-disclosure grey-hat actor is unauthorized but not malicious; the black-hat actor is both. Vol 8 will treat the constructive-disclosure case at depth.


2. Origin and how the term is actually used

The term black hat entered information-security vocabulary in the same mid-1990s trade-press migration that introduced white hat; Vol 5 §3 walked the archaeology. The Western-cinema origin (silent-era visual coding through Hopalong Cassidy’s 1935 inversion through the Saturday-matinee B-Western golden age), the migration into computing in the ~1993–1996 window, the Black Hat Briefings founding in 1997 by Jeff Moss as the institutional event that cemented the metaphor in working vocabulary — those are the Vol 5 story. This section picks up from there: in 2026, how is black hat actually used?

2.1 The drift from individual archetype to organizational role

The most consequential drift in the term’s usage between 1996 and 2026 is that black hat in 1996 referred predominantly to a lone-wolf-villain archetype — the individual hacker, often male, often in his twenties, often pseudonymous, breaking into systems for personal motive (curiosity, infamy, occasionally financial). The archetype was modeled on the figures of Vol 3: Kevin Mitnick, the Legion of Doom and Masters of Deception principals, the Phrack/2600 contributors who occasionally crossed the line. The criminal economy of 2026 (§6) has changed what black hat actually means in practice. The modal black-hat operator in 2026 is not a lone-wolf villain — they are an affiliate inside a structured criminal-economy organization, or an initial access broker selling access to other operators, or a money launderer moving proceeds through cryptocurrency mixers, or a nation-state-aligned operator working a tasking cycle for an intelligence service. The individual-as-archetype reading still resonates in popular press; the organizational-role-as-archetype reading is what threat-intel reports describe and what indictments charge.

The drift is recoverable from public sources. Compare a 1995-era Phrack article describing an individual’s intrusion against a corporate target with a 2022-era Conti chat-log leak (§5.1) showing the affiliate-and-operator division of labor, the project-management overlay, the working hours, the IT-helpdesk-impersonation team. The 1995 actor is a person with a goal; the 2022 actor is an employee of a structured criminal organization with a payroll, a Jabber channel for technical support, a vacation policy, and a quarterly revenue target. Both are “black hats” in the textbook sense; the working-day texture is unrecognizable as the same job.

The press-and-popular-culture vocabulary tracks the drift inconsistently. A 2026 cyberwar-themed thriller will still cast the lone-wolf hacker as the antagonist; the same year’s New York Times coverage of a ransomware operation will describe it correctly as a structured criminal enterprise. Practitioners use the term black hat in either sense depending on context; the disambiguation is usually clear from the surrounding nouns (“a black hat” implies individual; “a black-hat operation” or “a black-hat group” implies organization).

2.2 Industry usage versus textbook usage

Where industry usage of black hat diverges from the textbook definition is mostly in two patterns:

  • “Black hat” sometimes used loosely as a synonym for “skilled criminal hacker”, with the word skilled doing some of the definitional work. The textbook definition does not require skill; an unsophisticated phishing operation that nets credentials is black-hat work even if the operator’s technical depth is modest. Industry usage occasionally drifts toward an implicit “black hat means sophisticated criminal” — which understates the long tail of low-sophistication black-hat actors who account for a substantial fraction of victim impact in the aggregate (Vol 17 will treat the social-engineering-driven low-sophistication tier at depth).
  • “Black hat” as informal shorthand for “the adversary” in defensive contexts. Threat-hunters, SOC analysts, incident responders use the black hat or the bad guy to refer to a specific intrusion’s actor; the term is informal-and-loose but is operationally useful in the defensive context. Vol 10 (blue hat) will treat the defensive vocabulary at depth; the black-hat-as-adversary-shorthand usage is the most-common practitioner usage of the term.

Where the textbook and industry usages agree consistently is on the load-bearing point: black hat describes conduct on the wrong side of the authorization line and the wrong side of the constructive-versus-malicious line. Industry argues at the edges (the grey-hat boundary, the nation-state ambiguity); the core definition is stable.

Term | Axis 1 stance | Axis 2 role | Typical 2026 usage
Black hat | Unauthorized, malicious or self-interested | None inherent | The textbook stance; the load-bearing definition
Cracker | Unauthorized | None inherent | Older Jargon-File-era distinction (hacker vs. cracker); largely dead in 2026 industry usage
Criminal hacker | Unauthorized, financially motivated | None inherent | Modal modern usage; emphasizes the criminal-economy framing
Threat actor | Unauthorized | Often state-aligned | Threat-intel reporting vocabulary; deliberately neutral on motive specifics
APT operator | Unauthorized, state-aligned | None inherent | Threat-intel sub-classification for the state-aligned tier
Ransomware affiliate | Unauthorized, financially motivated | None inherent | Specific criminal-economy role (§6.3)
Initial access broker (IAB) | Unauthorized, financially motivated | None inherent | Specific criminal-economy role (§6.1)
Hacktivist | Unauthorized, ideologically motivated | None inherent | Anonymous-lineage and successor groups
Insider threat | Authorization context-dependent | None inherent | Authorized to be in the system; unauthorized to act as they do — a specific edge case

Table 7.1 — Black-hat-related vocabulary in 2026 industry usage. The textbook black-hat definition is Axis-1 only; the criminal-economy roles (§6) layer on top, and the engagement-role colors (red, blue, purple) from Vol 5 §6 don’t stack with black hat in the same way they stack with white hat (a black-hat actor isn’t “on the red team” — there’s no team to be on). The state-aligned tier is genuinely ambiguous on Axis 1 depending on which jurisdiction is asked.

2.3 The conference-name irony, from the other side

Vol 5 §4 and Vol 6 §2.2 walked the irony of the Black Hat Briefings (1997) — named after the bad guys but attended by the good guys. The same conference has, since its founding, also produced occasional collisions with the actual black-hat population. Multiple individuals indicted under CFAA between 1998 and 2026 have a documented Black Hat or DEF CON attendance history; the convention has, on rare occasions, hosted talks by individuals who would later be indicted for criminal conduct. The most-cited recent example is Marcus Hutchins’s August 2017 arrest at DEF CON 25 (Vol 6 §7.5 walked this from the white-hat side); Hutchins was arrested as he attempted to leave the United States after attending the conference, on a 2014 black-hat-era Kronos indictment. The conferences are not, in 2026, “black hat conferences” in any operational sense — the population in attendance is dominantly white-hat — but the names are an artifact of an era when the categories themselves were less stable, and the conferences remain culturally aware of the irony.


3. Tools of the trade

Capability-level, not operational. This section identifies the categories of tooling that black-hat operators use, with historical lineage and representative family names. It does not explain how to operate any of these tools, how to evade detection, how to bypass attribution, or how to launder proceeds. The point is to make the adversary toolkit visible to the practitioner — what defenders see in forensics, what indictments charge, what threat-intel reports describe — and to point to the legitimate cross-references for the operational engineering depth. Defensive operational depth is in Vol 10; authorized-offensive operational depth is in Vol 6 §3 and the engineering-cluster volumes Vol 13–Vol 16. Black-hat operational uplift is not here.

A core principle restated from Vol 6 §3: the white hat and the black hat use largely the same hardware and the same software. The Mimikatz that an authorized AD-pentest engagement uses on a Windows-domain compromise is the same Mimikatz that a ransomware affiliate uses on a victim domain controller; the same Cobalt Strike (in cracked form for the criminal market) implements similar Beacon tradecraft for both populations; the same HackRF that a wireless pentester uses to capture and replay a sub-GHz signal under scope is the same HackRF that a car thief uses to steal a rolling-code remote. The discriminator is authorization, not gear. Vol 5’s master taxonomy diagram made the structural point; this section traces the implication on the black-hat side. The categories below describe what black-hat operators actually use; nothing in this section is black-hat-exclusive, and several categories are dominated in 2026 by tools whose original development was for legitimate red-team or research purposes and that were subsequently weaponized for criminal use.

The treatment is organized by category of capability. Within each category the discussion names representative lineages and families, points at the public-record evidence (court documents, threat-intel reports, established journalism), and cross-references the engineering-depth reference in the white-hat / defensive-volume coverage.

3.1 Initial-access tooling

The first phase of any black-hat operation is gaining initial access to the target. The 2026 tooling categories:

  • Phishing kits and credential-harvesting infrastructure. Phishing remains the modal initial-access vector for financially-motivated operations; threat-intel reporting from Mandiant, CrowdStrike, and Microsoft DSU consistently puts phishing-driven access in the top-three vectors year over year. Phishing kits are commodity templates that clone a target organization’s login page (Microsoft 365, Google Workspace, banks, the major SaaS platforms) and exfiltrate captured credentials to a back-end the operator controls. Kits are sold on darknet markets and Telegram channels; the well-developed ones include rotation of staging domains, captcha bypass for the legitimate brand’s bot-detection, MFA-token interception for the brands that use SMS or push-based MFA, and analytics for the operator. The kit market has matured into a structured commercial ecosystem since the 2018–2020 window. The 2024–2026 development worth flagging is adversary-in-the-middle (AitM) phishing infrastructure (frameworks like the criminally-deployed variants of Evilginx, Modlishka, and Muraena lineages) which proxies the actual login session through the operator’s infrastructure, capturing the post-MFA session cookie rather than just the password — defeating most non-FIDO2 MFA in the process. CISA, Mandiant, and Microsoft have published advisories on the AitM tooling family; defenders should treat the post-MFA-session-cookie vector as the primary 2026 phishing concern. The defensive treatment of phishing is in Vol 10 and Vol 17.
  • Exploit packs and vulnerability-aggregation services. Mass-exploitation tooling that bundles working exploits for recently-disclosed vulnerabilities, scans for vulnerable hosts at internet scale, and produces working access. The lineage runs from Blackhole (peak 2010–2013, taken down by the FSB’s arrest of Paunch / Dmitry Fedotov in October 2013) through Angler (peak 2015, mostly retired after Russian arrests in 2016) through RIG, Magnitude, Fallout, and the modern broker-and-aggregator services. Exploit packs are commercial products in the criminal economy; the technical depth of a 2026 exploit pack is below that of nation-state implants but above what an individual operator would build. The Lumen Black Lotus Labs, Recorded Future, and Trend Micro Research catalogs are the canonical references for current exploit-pack ecosystem tracking.
  • Exposed-service brute-forcing and credential stuffing. Lower-sophistication initial-access vectors that target exposed RDP, SSH, VPN gateways, Citrix endpoints, and similar services. Credential-stuffing tools (Sentry MBA was the historical canonical example; SilverBullet, OpenBullet, and the post-2018 successors are the modern lineage) automate testing of breached-credential lists against target services. The exposed-RDP vector has been the single most-cited ransomware initial-access vector in CISA, FBI, and Sophos State of Ransomware reports across the 2020–2024 window. Vol 10 (blue hat) will treat the defensive posture against the exposed-service tier.
  • Supply-chain compromise tooling. A 2017–2024 development that has matured into its own category. Compromising a vendor or upstream dependency to reach the vendor’s customers. NotPetya (June 2017, via the M.E.Doc Ukrainian tax-software supply chain; Vol 4 §4) and SolarWinds Orion (disclosed December 2020, attributed to Russian SVR APT29 / Cozy Bear / Midnight Blizzard) are the canonical historical cases; the December 2020 Kaseya VSA compromise (REvil affiliate, ransomware) is the canonical criminal-side case. Supply-chain compromise tooling is largely custom — the kits-and-frameworks pattern of the other categories doesn’t apply at the same depth — but the category is now a stable element of the black-hat capability map.
  • Initial Access Brokers (IABs) as the alternative to operator-side initial access. The IAB category is a market role rather than a tool: brokers acquire access (via any of the above methods) and sell it to other operators who don’t want to invest in the initial-access phase. The IAB market is treated in §6.1 below; the tooling overlap with the other categories is total — IABs use the same phishing kits, exploit packs, and credential stuffing infrastructure as other operators, with the difference being that they sell the resulting access rather than monetize it themselves.
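The AitM bullet above states that proxying the login session captures the post-MFA session cookie and defeats most non-FIDO2 MFA. The following model, added here and not part of the volume, shows the mechanism from the relying party's side: a relayed OTP verifies because the server only checks the code's value, while a relayed WebAuthn assertion fails because the browser binds the signed clientDataJSON to the page's real origin. All domains, secrets and function names are constructed, and an HMAC key stands in for the credential's asymmetric private key so the model runs offline.

```python
"""Model of why an AitM proxy ends up holding a post-MFA session when the
second factor is an OTP but not when it is FIDO2/WebAuthn.  Added model, not
the volume's code.  WebAuthn is reduced to origin, rpIdHash, challenge and the
signature over authenticatorData || SHA-256(clientDataJSON); HMAC stands in
for the credential's asymmetric key.  Domains and secrets are constructed."""
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://login.example.com"          # constructed relying party
RP_ID = "example.com"
PHISH_ORIGIN = "https://login.example-com.invalid"  # constructed AitM proxy host

PASSWORD = "correct horse"
OTP_SECRET = b"otp-seed"
CRED_KEY = b"credential-key"   # stands in for the FIDO2 credential private key

def otp_code(secret: bytes, counter: int) -> str:
    """HOTP-like six-digit code (simplified: counter instead of time step)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), "sha256").digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

class OtpServer:
    """Password + OTP: the server checks only the code's value, so a code
    relayed inside its validity window is indistinguishable from the user's."""
    def __init__(self) -> None:
        self.counter = 0

    def login(self, password: str, code: str):
        expected = otp_code(OTP_SECRET, self.counter)
        ok = password == PASSWORD and hmac.compare_digest(code, expected)
        self.counter += 1
        return secrets.token_hex(8) if ok else None   # session cookie on success

def browser_client_data(page_origin: str, challenge: str) -> bytes:
    """The browser, not page script, fills in `origin` from the page's real
    URL, so a login page served through a proxy reports the proxy's origin."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": page_origin}).encode()

def authenticator_assert(rp_id: str, client_data: bytes) -> dict:
    """Authenticator signs authenticatorData || SHA-256(clientDataJSON)."""
    auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash field
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"authenticatorData": auth_data, "clientDataJSON": client_data,
            "signature": hmac.new(CRED_KEY, signed, "sha256").digest()}

class WebAuthnServer:
    def __init__(self) -> None:
        self.challenge = None

    def new_challenge(self) -> str:
        self.challenge = secrets.token_urlsafe(16)
        return self.challenge

    def verify(self, a: dict) -> str:
        cd = json.loads(a["clientDataJSON"])
        if cd.get("origin") != LEGIT_ORIGIN:
            return "rejected: origin mismatch"
        if cd.get("challenge") != self.challenge:
            return "rejected: stale or foreign challenge"
        if a["authenticatorData"] != hashlib.sha256(RP_ID.encode()).digest():
            return "rejected: rpIdHash mismatch"
        signed = a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"]).digest()
        expected = hmac.new(CRED_KEY, signed, "sha256").digest()
        if not hmac.compare_digest(expected, a["signature"]):
            return "rejected: bad signature"
        return "ok"

def relay_otp() -> bool:
    """Victim types password and OTP into the proxied page; the proxy replays
    both to the real server and is the party that receives the session."""
    server = OtpServer()
    typed = otp_code(OTP_SECRET, server.counter)      # what the victim's app shows
    proxy_session = server.login(PASSWORD, typed)     # the proxy's own request
    return proxy_session is not None

def legit_webauthn() -> str:
    server = WebAuthnServer()
    cd = browser_client_data(LEGIT_ORIGIN, server.new_challenge())
    return server.verify(authenticator_assert(RP_ID, cd))

def relay_webauthn() -> str:
    """Proxy forwards the real challenge, but the victim's browser is on the
    proxy's origin and records it.  (A real browser refuses even earlier, since
    RP_ID is not a suffix of the page host; the server check is the backstop.)"""
    server = WebAuthnServer()
    cd = browser_client_data(PHISH_ORIGIN, server.new_challenge())
    return server.verify(authenticator_assert(RP_ID, cd))

def relay_webauthn_tampered() -> str:
    """Proxy rewrites the origin after signing; the signature covers
    SHA-256(clientDataJSON), so the edit invalidates it."""
    server = WebAuthnServer()
    cd = browser_client_data(PHISH_ORIGIN, server.new_challenge())
    a = authenticator_assert(RP_ID, cd)
    a["clientDataJSON"] = cd.replace(PHISH_ORIGIN.encode(), LEGIT_ORIGIN.encode())
    return server.verify(a)
```

The same origin-binding argument is why the volume singles out FIDO2 as the MFA class the AitM kit family does not defeat; the session cookie issued after a successful OTP login is the artifact the kits harvest.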

3.2 Remote Access Trojans (RATs) and command-and-control frameworks

Once initial access is established, the operator needs persistent remote control. The 2026 tooling map:

  • Historical lineage. The RAT category is older than the term — Back Orifice (Cult of the Dead Cow, August 1998) and SubSeven (1999) established the consumer-facing pattern of “remote control trojan with a graphical client”; Sub7’s distribution as part of the late-1990s warez ecosystem made it the canonical example of the era. The 2000s saw the lineage professionalize through Bifrost, Poison Ivy, DarkComet (Jean-Pierre Lesueur / DarkCoderSc, 2008–2012, deliberately discontinued by the author when the Syrian government weaponized it against dissidents in 2012), Blackshades (the FBI’s Operation Wirewall in 2014 produced 90+ arrests across 19 countries), NjRAT (the Iranian / Middle Eastern landscape post-2013), and the 2010s mid-tier RAT ecosystem.
  • Modern criminal C2 — cracked/leaked commercial frameworks. The 2020s development that changed the C2 landscape was the criminal market’s adoption of cracked or leaked versions of commercial red-team platforms. Cobalt Strike (originally Strategic Cyber LLC; Raphael Mudge; now Fortra) is the dominant commercial red-team C2 platform (Vol 6 §3.3) — and the criminal market has aggressively adopted cracked versions, with leaked builds circulating on darknet forums and Telegram channels. Mandiant, Microsoft DSU, and Google Threat Analysis Group have all published research on the criminal-Cobalt-Strike ecosystem; by 2022 Cobalt Strike was the single most-detected C2 family across enterprise incident-response engagements (Mandiant M-Trends 2022 and 2023 reports). Fortra’s licensing and abuse-mitigation work has had partial effect; cracked Cobalt Strike remains, in 2026, a major operational concern for defenders. Brute Ratel C4 (Chetan Nayak / Dark Vortex, commercially licensed) had a similar trajectory — a 2022 leak of the product into the criminal market produced widespread weaponization. Sliver (Bishop Fox; open-source) is the modern open-source-and-free alternative; its criminal adoption is rising as defenders have improved Cobalt-Strike detection.
  • Modern criminal C2 — purpose-built families. Below the commercial-cracked tier, the criminal market has its own purpose-built C2 families. Lineages worth naming (without operational detail): Trickbot (initially a banking trojan, evolved into a full criminal C2 platform; the operators were heavily disrupted by the October 2020 Microsoft/Cyber Command/FBI joint operation but continued operating; multiple Trickbot-affiliated indictments since 2021); Emotet (similar trajectory; January 2021 Europol takedown; resurgence in late 2021; continued through 2024); Bumblebee (a 2022 development as a Trickbot/IcedID-lineage successor); IcedID / BokBot (2017–2024 banking-trojan-to-loader-to-C2 evolution); Qakbot / Qbot (FBI takedown August 29, 2023; significant disruption); various ephemeral families that come and go on threat-intel timeframes. The pattern across these families is that they originated as banking trojans (the 2010s monetization model — fraudulent transfers) and evolved into full C2 platforms supporting ransomware deployment (the 2020s monetization model — ransom payment).
  • The “loader” as a separate category. Many criminal operations decouple initial access loader (the lightweight first-stage that establishes a foothold and pulls additional tooling) from persistent C2 (the longer-running operator-driven implant). Loaders are sold as services in the criminal economy — pay-per-install distribution — and the loader-as-service market has its own commercial structure. Microsoft DSU and Mandiant track this market consistently.

3.3 Information-stealer families

A 2018–2026 development worth flagging as its own category: stealers (or infostealers) are a class of malware whose objective is to harvest specific high-value information from a compromised host and exfiltrate it once, rather than maintain long-running access. The economics differ from full RAT operations: stealers monetize at lower per-victim revenue with much higher volume. The harvested information — browser-saved passwords, browser cookies (which often include authenticated SaaS sessions; AitM-phishing’s offline cousin), cryptocurrency wallet files, MFA-token caches, autofill data, system fingerprints — is sold in bulk on stealer-log marketplaces.

Representative families with public-record evidence:

  • RedLine Stealer (2020 emergence; the 2022 leak of the source code to a competing operator catalyzed a multi-family ecosystem). RedLine logs accounted for the largest single stealer-family volume across 2022–2023 by KELA and Group-IB tracking. The operator known as “REDGlade” was the principal RedLine operator; in late 2024, joint U.S./international law enforcement actions targeted some of the RedLine-and-Vidar infrastructure.
  • Raccoon Stealer (2019 emergence; the operator Mark Sokolovsky was arrested in the Netherlands in March 2022 on the strength of a U.S. indictment; extradited to the U.S. in 2023). The Raccoon prosecution is the cleanest public-record case for the stealer-as-a-service business model: the indictment names approximately $2.5 million in cryptocurrency proceeds and 50+ million stolen credentials.
  • Vidar Stealer (2018 emergence; related to the Arkei lineage). Vidar logs are a fixture of the stealer-log marketplace.
  • Lumma Stealer (the rising 2023–2026 family). Multiple threat-intel firms (Microsoft, Trend Micro, Recorded Future) have published on Lumma’s market share growth.

The stealer-log marketplace ecosystem is its own structural element — markets like Russian Market (active since approximately 2019), the since-taken-down Genesis Market (until April 2023, see §6.6), and various Telegram-channel-based markets aggregate the per-victim logs and resell them to downstream operators. The downstream use of stealer logs feeds into account-takeover fraud (financial accounts), corporate-account-takeover (SaaS sessions that lead to corporate compromise), and the broader credential-stuffing infrastructure of §3.1. The stealer category as a whole is, in 2026, one of the most-active black-hat technical categories.

3.4 Ransomware families — the RaaS lineage

The ransomware category gets its own treatment because of its 2017–2026 economic dominance. Vol 4 §6 walked the lineage as historical material; this section names the family lineage as a black-hat tooling category. The development arc:

  • First-generation lockers / pre-modern (1989–2012). AIDS Trojan (Joseph Popp, 1989) is the documentary first instance; the 2005–2012 era saw a series of “police lockers” and screen-lock variants whose technical sophistication was low and whose economic model was per-victim payment of ~$100–500.
  • CryptoLocker (September 2013). The first family with strong asymmetric-cryptographic locking and Bitcoin payment; the canonical inflection point. Distributed via the Gameover Zeus botnet operated by Evgeniy Bogachev (§7.3); approximately $27 million extorted before the May–June 2014 Operation Tovar takedown.
  • CryptoWall (April 2014), TorrentLocker (2014), TeslaCrypt (2015), Locky (February 2016), Cerber (March 2016) — the second-generation families. Each developed specific technical or distribution refinements; collectively they established the “ransomware as commercial product” model.
  • WannaCry (May 12, 2017) and NotPetya (June 27, 2017). The two state-aligned-or-state-derived 2017 incidents that produced the worst single-year ransomware-shaped damage in history. WannaCry was attributed to the DPRK’s Lazarus Group, and NotPetya to Russia’s GRU (Sandworm). The technical depth of EternalBlue-driven self-propagation distinguished both from the criminal-affiliate model that followed.
  • Ryuk (August 2018), Sodinokibi / REvil (April 2019), Maze (May 2019), Conti (December 2019), DoppelPaymer (2019), Egregor (September 2020), Ragnar Locker, Cuba. The third-generation Russian-speaking-operator-driven families that established the double-extortion model (encrypt AND exfiltrate; threaten leak as well as data destruction) and the formal Ransomware-as-a-Service (RaaS) business structure. Maze pioneered the double-extortion model and the leak site in late 2019; Conti, REvil, and the others adopted it within months.
  • DarkSide (Colonial Pipeline, May 7, 2021), BlackMatter (DarkSide-rebrand, July 2021), BlackCat / ALPHV (November 2021), LockBit (September 2019, dominant through Feb 2024). The fourth-generation families that operated through the highest-impact-year window. The Colonial Pipeline ransom was paid (4.4 BTC, with $2.3 million recovered by the FBI in June 2021); the publicity catalyzed the U.S. government response (the May 2021 EO 14028, the September 2021 OFAC advisory updates, the broader counter-ransomware policy).
  • 2024–2026 fragmentation post-Cronos. Operation Cronos (February 19, 2024; UK NCA + FBI + Europol seizure of LockBit infrastructure) and the broader takedown pressure produced the modal 2024–2026 ecosystem: a more-fragmented landscape with multiple smaller RaaS operations rather than two or three dominant families. ALPHV self-imploded in early 2024 in an apparent exit-scam after the Change Healthcare payment; LockBit limped through 2024 after Cronos; new families (RansomHub, Akira, Play, INC Ransom, and others) compete for the affiliate market. The fragmentation is, from a defensive perspective, mixed news — fewer dominant targets for law-enforcement disruption, but lower per-family operational maturity.

The RaaS lineage is the single most-cited family lineage in 2026 threat-intel reporting. Vol 4 §6 walked the economic and structural history; the families above are named here as a black-hat tooling category with the awareness that the operating ecosystem cycles families every two-to-three years on average.

3.5 Cryptocurrency-laundering rails

A 2014-onward category that has its own engineering-and-economic depth: the post-monetization laundering infrastructure that converts cryptocurrency proceeds into usable cash. The categories (named at existence level only; this volume does not describe how to operate any of them):

  • Mixers and tumblers. Services that obfuscate the chain of cryptocurrency transactions by pooling deposits and producing payouts that don’t trace back to the original sources. Tornado Cash (Ethereum mixer, smart-contract-based) was the most-prominent example; OFAC sanctioned Tornado Cash on August 8, 2022 as a sanctions-evasion mechanism used by Lazarus Group and other ransomware actors. The sanctioning of a smart-contract protocol (rather than a person or entity) was a novel application of OFAC authority and remains contested; the November 2024 Fifth Circuit ruling in Van Loon v. Department of the Treasury held that immutable smart contracts could not be designated as “property” under IEEPA, partially limiting the original designation, and OFAC re-issued narrower designations in March 2025. ChipMixer (Bitcoin mixer) was taken down by Operation Tornado Black in March 2023 — a joint U.S./German/Belgian/Polish operation that seized infrastructure and indicted operator Minh Quoc Nguyen (Vietnamese national, charged in the Eastern District of Pennsylvania). Bestmixer.io was taken down by the Dutch FIOD and Europol in May 2019. Helix / Coin Ninja operator Larry Harmon pleaded guilty in 2020. The mixer-takedown cadence has been steady; new mixers replace taken-down ones on roughly six-to-twelve-month timeframes.
  • Chain-hopping services. Services that move proceeds between cryptocurrencies (Bitcoin → Monero → Ethereum, for instance) to defeat single-chain tracing. The major chain-analytics firms (Chainalysis, TRM Labs, Elliptic) track this category as a structural element of the laundering pipeline.
  • OTC desks (over-the-counter brokers). Higher-volume conversion-to-fiat services that operate with less KYC discipline than the major exchanges. Suex OTC (sanctioned September 21, 2021 as the first OFAC-designated cryptocurrency exchange) and Garantex (sanctioned April 2022) are the canonical sanctioned-OTC examples.
  • Sanctioned exchanges. Cryptocurrency exchanges whose entire operation is the laundering pipeline; the OFAC designation list grows steadily.

The legal-enforcement geometry of the cryptocurrency-laundering rails is treated in §6.4 below; the chain-analytics defensive treatment is forward-referenced to Vol 10 (blue hat) and Vol 11 (red hat — adversary emulation often models the laundering flow as part of TTPs). The OFAC enforcement layer is treated in Vol 19.

3.6 The same RF, HID, and computer-hacking gear white hats use

For the engineering-hardware categories — software-defined radios, sub-GHz transceivers, Wi-Fi audit platforms, RFID/NFC research tools, USB HID-injection devices — the black-hat use case differs from the white-hat use case in targeting and authorization, not in technique. The HackRF One that a wireless pentester uses to capture and replay a rolling-code remote under an authorized physical-security engagement (Vol 6 §3.6) is the same HackRF that a criminal car thief uses to steal a vehicle; the technique is identical, the legal status is opposite. The Wi-Fi Pineapple that authorized engagements use for rogue-AP capture (Vol 6 §3.6) is the same hardware criminal operators use for credential capture against unsuspecting wireless clients in public spaces (the WiFi Pineapple deep dive §1 names this as the posture-most-sensitive tool in the project). The USB Rubber Ducky and Bash Bunny that authorized red-team engagements use for HID-injection demonstrations are the same hardware criminal operators use for “found-USB” attacks against employees of target organizations (the Ducky Script deep dive covers the family at engineering depth).

The cross-references for engineering depth (where the engineering work has been done at length; the black-hat-use-case discussion in this volume is descriptive and references the depth-treatment):

  • HackRF One deep dive — wideband SDR; the engineering depth lives there. Black-hat use case adds rolling-code-replay automotive attack (a documented case-law family — Vol 4 §7 walked the criminal use case at a high level), GSM/4G-LTE interception (sophisticated, expensive, modal nation-state-aligned use case), and the IMSI-catcher operational profile (covered defensively by the Rayhunter project for the defender’s view).
  • Flipper Zero deep dive — integrated sub-GHz / RFID / NFC / IR handheld. Black-hat use case adds badge-cloning of corporate credentials in coffee-shop-encounter scenarios (the opportunistic-encounter threat model in Vol 15 when authored), garage-opener and gate-remote theft, occasional vehicle-key replay, and the broader low-sophistication-criminal use cases the device’s price point enables.
  • WiFi Pineapple deep dive — purpose-built Wi-Fi-auditing platform. Black-hat use case adds rogue-AP-driven credential capture against unsuspecting wireless clients (the canonical criminal use case for the platform), evil-twin attacks, and the broader Wi-Fi-credential-harvesting infrastructure. The Pineapple deep dive’s §1 explicitly names this as the most posture-sensitive tool in the lineup.
  • Proxmark3 RDV4 directory — lab-grade RFID/NFC tool. Black-hat use case adds the higher-sophistication-credential-cloning attacks against MIFARE Classic, MIFARE DESFire, HID Prox, iClass, and the proprietary credential ecosystems where the engineering depth matters.
  • Ducky Script deep dive — Hak5 HID-injection family. Black-hat use case adds the “found USB” attack family (Black Hat USA 2016 Bursztein et al. published the canonical research on the realistic effectiveness rate — 45–98 percent of dropped USB devices were plugged in by finders), the O.MG Cable family’s covert HID-injection profile, and the broader BadUSB attack surface. The Ducky Script deep dive §1 also names this family as posture-sensitive.

3.7 The tooling table

Category | Lineage / history | Representative families | Typical use | Defensive countermeasure | Forward reference
--- | --- | --- | --- | --- | ---
Phishing kits and AitM frameworks | 2000s-onward; AitM tier matured 2022–2026 | Commodity kits + criminally-deployed Evilginx/Modlishka/Muraena lineage | Initial credential and session-cookie capture | FIDO2 / WebAuthn MFA; conditional access; user training | Vol 17; Vol 10
Exploit packs and aggregator services | 2009-onward (Blackhole → Angler → RIG → modern) | Various; per-quarter family churn | Mass-exploitation of recently-disclosed vulnerabilities | Patch discipline; EDR; web-filtering | Vol 10
Brute-force / credential-stuffing tools | 2010s-onward | Sentry MBA, OpenBullet, SilverBullet lineage | Exposed-service initial access | MFA on all exposed services; rate-limiting; threat intel | Vol 10
Commercial C2 (cracked) | 2012-onward Cobalt Strike + 2022-onward Brute Ratel leak | Cobalt Strike cracked builds; Brute Ratel leaked builds | Stealthy long-running operator-driven post-foothold control | EDR with C2-specific detection; YARA rules; network egress monitoring | Vol 6 §3.3; Vol 10
Open-source C2 (criminally adopted) | 2019-onward | Sliver, Mythic, Havoc, Empire/Starkiller | Same as commercial, with lower-skill operators | EDR; network egress; behavioral anomaly detection | Vol 6 §3.3
Banking-trojan-to-loader family | 2010s-onward; pivoted to loader role 2020s | Trickbot, Emotet, IcedID, Qakbot, Bumblebee | Initial foothold; ransomware staging; persistent low-noise C2 | EDR; email security; egress monitoring | Vol 10
Information stealers | 2018-onward | RedLine, Raccoon, Vidar, Lumma | Single-shot harvest of credentials, cookies, wallet files | Browser-security policy; SSO with short-TTL tokens; behavioral analytics | Vol 10; Vol 17
Ransomware families (RaaS) | 2013-onward; double-extortion model from 2019 | Conti, REvil, LockBit, ALPHV, RansomHub, Akira, Play, INC | Encrypt + exfiltrate + extort | Backup discipline; segmentation; EDR; IR readiness | Vol 4 §6; Vol 10
Cryptocurrency-laundering rails | 2014-onward | Mixers (Tornado Cash, ChipMixer historically), chain-hopping, OTC desks | Post-monetization laundering | Chainalysis / TRM Labs intelligence; sanctions screening; law-enforcement coordination | §6.4; Vol 19
RF gear (criminal use case) | Same hardware as white-hat | HackRF One, Flipper Zero, Proxmark3 | Replay attacks, badge cloning, IMSI catching | Rolling-code-with-time, modern access-control crypto, IMSI-catcher detection | Vol 13; Vol 14; Vol 15
Wi-Fi audit gear (criminal use case) | Same hardware as white-hat | WiFi Pineapple; Marauder-firmware ESP32 platforms | Rogue AP, evil twin, credential capture | WPA3 SAE; client-side cert validation; network segmentation | WiFi Pineapple deep dive; Vol 14
USB HID-injection gear | 2010-onward (Hak5 Rubber Ducky) | USB Rubber Ducky, Bash Bunny, O.MG Cable family | Found-USB attacks; covert HID payloads | USB device-control policy; user training; locked-screen idle policy | Ducky Script deep dive; Vol 16

Table 7.2 — The black-hat tooling map, organized by capability category. The “Defensive countermeasure” column points the practitioner at the working-mitigation for each category; the engineering depth on the countermeasures lives in Vol 10 (blue hat) and the cross-tool defensive sections. Every category listed here is dual-use — the same families and platforms support legitimate authorized work; the discriminator is authorization, not the tooling.

This is NOT operational. Read closely. The §3 treatment above identifies what black-hat operators use at the capability-and-lineage level. It does not explain how to operate any of these tools, how to evade detection, how to bypass attribution, how to handle the proceeds, or how to recruit affiliates. The point of treating the adversary toolkit at this level of detail is to make the threat surface visible to the practitioner whose work is defending against it. The corresponding operational depth — the actual working-day detail of running an authorized engagement that uses some of the same tooling — lives in Vol 6 §3 and the engineering-cluster volumes Vol 13–Vol 16. The defensive operational depth (what the blue-team does about each category) lives in Vol 10. This volume describes the criminal-economy capability map; the operational detail belongs in the defensive and authorized-offensive volumes, not here.


4. Methods and tradecraft — the intrusion lifecycle as crime

The intrusion lifecycle that a black-hat operation follows is, at the technical level, the same kill-chain that defenders use to organize their thinking about adversary behavior — Lockheed Martin’s Cyber Kill Chain (2011), MITRE ATT&CK (initially internal 2013, public January 2015), and the various derivative frameworks. The reconnaissance → initial access → execution → persistence → privilege escalation → defense evasion → credential access → discovery → lateral movement → collection → command and control → exfiltration → impact sequence is recognizable across nearly every threat-intel post-mortem published since 2015. What this section walks is the criminal version of the lifecycle — what changes when the operator is not under authorization, when the engagement has no end date, and when monetization rather than reporting is the objective.

4.1 The criminal kill chain in one diagram

                  RECONNAISSANCE                  INITIAL ACCESS                       FOOTHOLD-AND-EXPANSION
   ┌──────────────────────────────────────┐  ┌────────────────────────────────┐  ┌────────────────────────────────────┐
   │                                      │  │                                │  │                                    │
   │  Target selection by:                │  │  Phishing  ──►                 │  │  Privilege escalation              │
   │   - Sector (vulnerability)           │  │  Exposed RDP/VPN  ──►          │  │   (local then domain)              │
   │   - Revenue (payout potential)       │  │  Exploit pack hit  ──►         │  │      │                             │
   │   - Insurance coverage (ransom)      │  │  IAB purchase     ──►          │  │      ▼                             │
   │   - Geographic / sanctions posture   │  │  Supply chain    ──►           │  │  Discovery (AD, file shares,       │
   │                                      │  │                                │  │   credential stores, backups,      │
   │  IAB market browsing as alternative  │  │     ▼                          │  │   crown-jewel data)                │
   │                                      │  │  Foothold established          │  │      │                             │
   │     ▼                                │  │                                │  │      ▼                             │
   │  Acquired access OR developed access │  │                                │  │  Lateral movement                  │
   │                                      │  │                                │  │                                    │
   └──────────────────────────────────────┘  └────────────────────────────────┘  └────────────────────────────────────┘


                                  ┌──────────────────────────────────────────────────────────────────────────────────┐
                                  │                                                                                  │
                                  │  PERSISTENCE  (deliberate; opposite of authorized cleanup)                       │
                                  │    - Multiple persistence mechanisms                                             │
                                  │    - Domain backdoor accounts                                                    │
                                  │    - Web-shells on edge / OWA / Citrix                                           │
                                  │    - Golden-Ticket / Kerberos abuse                                              │
                                  │                                                                                  │
                                  └──────────────────────────────────────────────────────────────────────────────────┘


                                  ┌──────────────────────────────────────────────────────────────────────────────────┐
                                  │                                                                                  │
                                  │  MONETIZATION (the load-bearing distinction from authorized work)                │
                                  │                                                                                  │
                                  │    (a) Ransomware: encrypt + exfiltrate + double-extort                          │
                                  │    (b) Wire fraud / BEC: redirect payment flows                                  │
                                  │    (c) Data brokerage: sell stolen records on darknet                            │
                                  │    (d) Cryptocurrency theft / drainer attacks                                    │
                                  │    (e) State-aligned intelligence (data to handler; no direct monetization)      │
                                  │                                                                                  │
                                  └──────────────────────────────────────────────────────────────────────────────────┘


                                  ┌──────────────────────────────────────────────────────────────────────────────────┐
                                  │                                                                                  │
                                  │  CLEANUP-AS-OBSTRUCTION (anti-attribution; opposite of authorized cleanup)       │
                                  │    - Wipe forensic logs                                                          │
                                  │    - Plant false-flag indicators                                                 │
                                  │    - Destroy backups (ransomware aggravator)                                     │
                                  │    - Retain persistence for future operation                                     │
                                  │                                                                                  │
                                  └──────────────────────────────────────────────────────────────────────────────────┘


                                  ┌──────────────────────────────────────────────────────────────────────────────────┐
                                  │  Laundering (cryptocurrency mixers, chain-hopping, OTC) and conversion to fiat   │
                                  └──────────────────────────────────────────────────────────────────────────────────┘

Figure 7.1 — The criminal intrusion lifecycle. The lifecycle’s technical phases (recon → access → foothold → privilege escalation → lateral movement → persistence → impact → cleanup) mirror the MITRE ATT&CK matrix. Three differences from the authorized-engagement lifecycle (Vol 6 §4.1) carry the criminal character: the recon phase incorporates monetization-potential as a target-selection axis (not present in the authorized case), the persistence and cleanup phases are inverted (criminals invest in persistence and obstruct cleanup; authorized engagements remove persistence and restore baseline), and a dedicated monetization phase replaces the authorized engagement’s report-and-presentation phase. Operational detail at each step is in defensive Vol 10 and the MITRE ATT&CK technical reference, not here.

4.2 Reconnaissance — target selection by victim profile and monetization potential

The first criminal-side difference from the authorized engagement is in reconnaissance. An authorized engagement’s recon is constrained by the scope document; a criminal engagement’s recon is constrained only by the actor’s operational capacity and risk tolerance. Target selection criteria documented in threat-intel reporting (Mandiant M-Trends, CrowdStrike Global Threat Report, Microsoft DSU Cyber Signals) consistently identify:

  • Sector vulnerability profile. Sectors with poor patching discipline, exposed legacy systems, and weak network segmentation are over-represented in victim populations. Manufacturing (frequently in the top three by victim count for several years), healthcare, education, professional services, and small-and-medium-sized financial firms are the modal sector profile. Critical infrastructure sectors got more selective treatment after Colonial Pipeline (May 7, 2021) — most major RaaS operators publicly stated they would avoid the U.S. critical-infrastructure list (the practical effect was variable; the policy was real).
  • Revenue / payout potential. Target organizations are sized roughly by annual revenue (often using public business-registry data, LinkedIn employee counts as a proxy, and SaaS-data-broker information). Ransom demands are calibrated as a percentage of annual revenue (the threat-intel literature consistently estimates 0.5–3 percent of annual revenue as the modal ransom band). Larger targets get larger demands and longer pre-encryption dwell-times for data exfiltration.
  • Cyber-insurance coverage. The post-2019 era saw RaaS operators specifically targeting organizations with known cyber-insurance coverage, on the theory that an insured victim would pay more readily and at higher dollar amounts. The Conti chat leaks (§5.1) made the insurance-targeting policy explicit; the underwriting community reacted across 2020–2022 with substantially tightened coverage terms.
  • Geographic / sanctions posture. Russian-speaking RaaS operations consistently avoided Russian-language-locale targets (technical mechanism in many families: check for Russian/CIS keyboard layout or system locale and exit before encryption). The geographic discipline is a black-hat operational-security artifact rather than an ethical position — Russian law enforcement has historically permitted criminal activity targeting non-Russian victims while prosecuting attacks against Russian-domestic targets. Vol 19 §3 will treat the international-extradition geometry.
  • Existing access from the IAB market. A consequential 2020-onward development is the IAB market (§6.1) as an alternative to operator-side recon. Many RaaS operations now purchase pre-acquired access to candidate targets and select among the available listings rather than doing their own reconnaissance.

4.3 Initial access — five vectors

The initial-access vectors threat-intel reporting consistently identifies, in approximate descending order of victim-count frequency across 2020–2026:

  1. Phishing (with AitM increasingly dominant from 2022). The modal initial-access vector by victim count. Email or SMS or messaging-app delivery; landing page that captures credentials and (in the AitM case) the post-MFA session cookie.
  2. Exposed RDP / VPN / Citrix / management-protocol services. The second-modal vector. Brute-force or credential-stuffing against exposed authentication endpoints; the Colonial Pipeline initial access was via a single legacy VPN credential (per the public Mandiant post-mortem and the U.S. Congressional testimony). Patching discipline and MFA discipline are the principal defenses.
  3. Vulnerability exploitation (against internet-exposed services). Specific high-impact CVEs each year drive a substantial fraction of initial access. Recent examples in the public record: ProxyShell (Exchange, 2021), Log4Shell (December 2021), MOVEit Transfer SQL-injection (May 2023, exploited by the Cl0p RaaS group at scale), Ivanti Connect Secure (January 2024), various Citrix NetScaler RCEs, the Fortinet SSL-VPN family. CISA’s Known Exploited Vulnerabilities (KEV) catalog is the canonical reference for the actively-exploited subset; patching against KEV-listed vulnerabilities is the canonical baseline defensive posture.
  4. IAB purchase (the 2020-onward category). Buying access from an Initial Access Broker rather than acquiring it directly. Modal listing prices in the $200–$10,000 range for most listings, depending on victim sector, access depth, and credential type; premium-tier listings (large-enterprise domain-admin or critical-sector deep access) extend into the $50,000+ band. See §6.1 for the full pricing chart.
  5. Supply-chain compromise. Lower-volume by victim count, higher-impact by aggregate damage. NotPetya, SolarWinds, Kaseya VSA, MOVEit, the December 2023 Okta-customer downstream impact, the various other supply-chain incidents.
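The defensive baseline named under vector 3, patching against the KEV-listed subset first, is easy to state and tedious to operationalize. The following is an added example (not code from the volume or from CISA) that ranks an asset inventory against a catalog extract shaped like CISA's KEV JSON feed; the catalog entries, CVE identifiers, products and the inventory format are all constructed placeholders.

```python
"""Rank unpatched services against a KEV-style catalog, most urgent first.

Added example, not code from the volume or from CISA. KEV_SAMPLE is CONSTRUCTED
in the shape of the CISA KEV JSON feed (cveID, vendorProject, product, dateAdded,
dueDate, knownRansomwareCampaignUse); the CVE ids and products are placeholders.
The asset-inventory format is invented for this example.
"""
import json
from datetime import date

KEV_SAMPLE = json.dumps({  # constructed; placeholder CVE ids, not real entries
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "VPN Gateway", "dateAdded": "2026-01-10",
         "dueDate": "2026-01-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "Mail Server", "dateAdded": "2026-01-12",
         "dueDate": "2026-02-02", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor",
         "product": "File Transfer", "dateAdded": "2025-12-01",
         "dueDate": "2025-12-22", "knownRansomwareCampaignUse": "Known"},
    ],
})

INVENTORY = [  # constructed; "exposed" means reachable from the internet
    {"host": "vpn-1.example.test", "exposed": True, "unpatched": ["CVE-0000-0001"]},
    {"host": "mail-1.example.test", "exposed": True, "unpatched": ["CVE-0000-0002"]},
    {"host": "mft-1.example.test", "exposed": False, "unpatched": ["CVE-0000-0003"]},
    {"host": "build-1.example.test", "exposed": False, "unpatched": ["CVE-0000-0099"]},
]


def load_kev(feed_text):
    """Index a KEV-shaped feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def prioritise(kev, inventory, today):
    """One finding per (host, KEV-listed CVE), sorted most urgent first.

    Order: internet-exposed before internal, past-due before not-yet-due,
    ransomware-linked before not, then earliest remediation due date.
    CVEs absent from the catalog are skipped: this is KEV triage, not a full
    vulnerability-management view, and that narrowness is the point.
    """
    findings = []
    for asset in inventory:
        for cve in asset["unpatched"]:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "product": "%s %s" % (entry["vendorProject"], entry["product"]),
                "exposed": asset["exposed"],
                "overdue": today > due,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "due": due,
            })
    findings.sort(key=lambda f: (not f["exposed"], not f["overdue"],
                                 not f["ransomware"], f["due"]))
    return findings


def run_sample():
    """Triage the constructed inventory as of a fixed (constructed) date."""
    return prioritise(load_kev(KEV_SAMPLE), INVENTORY, date(2026, 1, 25))


if __name__ == "__main__":
    for f in run_sample():
        flags = "EXPOSED" if f["exposed"] else "internal"
        flags += " OVERDUE" if f["overdue"] else ""
        flags += " RANSOMWARE" if f["ransomware"] else ""
        print("%-22s %-14s due %s  %s" % (f["host"], f["cve"], f["due"], flags))
```

The build host drops out of the list entirely because its CVE is not in the catalog; the internal file-transfer host stays in, ranked below the exposed ones even though its due date has passed, because exposure is the first sort key.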

4.4 Privilege escalation and lateral movement — typically AD-centric

Once initial access is established on a Windows enterprise target — the modal case in the criminal economy — the subsequent expansion phases are almost universally Active Directory-centric. The TTPs documented in indictments, threat-intel reports, and the Conti playbook leaks (May 2021) follow a recognizable pattern: local privilege escalation on the foothold host (often via unpatched local-elevation CVEs or unsafe service permissions), domain enumeration via standard Windows tooling (the criminal market uses essentially the same enumeration tools as the authorized red team — Mimikatz, BloodHound or its variants, ADRecon, PowerView — distinguishable on the wire only by the surrounding context), credential extraction from LSASS memory or the Domain Controller’s NTDS.dit, and lateral movement via SMB, WMI, WinRM, or Kerberos abuse to high-value hosts. The destination is, in the ransomware case, a Domain Controller (or a Tier-0 equivalent host) from which mass-deployment to the entire domain is feasible.

The authorized-versus-unauthorized distinction at this phase is scope, not technique. An authorized red-team engagement walks the same path; the difference is the engagement scope and the proof-versus-damage discipline (Vol 6 §4.6). The MITRE ATT&CK framework documents the techniques at full depth; defenders use the same framework to organize detection and response.

4.5 Persistence — the load-bearing distinction from authorized cleanup

Persistence is the working-day operational difference between an authorized engagement and a criminal one. An authorized engagement deliberately removes persistence at engagement close (Vol 6 §4.7); a criminal operation deliberately invests in persistence to maintain access for future operations (re-extortion, follow-on data theft, sale of the access on the IAB market, return engagement after the initial impact is resolved). Threat-intel post-mortems consistently identify multiple persistence mechanisms per criminal intrusion — web-shells on edge appliances (Citrix gateways, Exchange Outlook Web Access, VPN concentrators), backdoor accounts on domain controllers, scheduled tasks and Windows services on host fleets, Golden Ticket or Skeleton Key Kerberos abuse, persistent implants in firmware or hypervisor where the operator’s capability supports it. The investment-in-persistence pattern is, from a defensive perspective, the most operationally consequential difference between authorized and unauthorized intrusion — removing a persistence artifact (a forgotten Beacon from an authorized engagement) is trivial; finding and removing a deliberately-hidden criminal persistence is the months-or-years incident-response work that the major IR firms (Mandiant, CrowdStrike, Stroz Friedberg, Unit 42) are organized around.

4.6 Monetization — the five primary patterns

Monetization is the load-bearing distinction from authorized work. The authorized engagement’s deliverable is the report; the criminal engagement’s deliverable is the cash. Threat-intel reporting consistently identifies five primary monetization patterns:

Pattern | Typical actor type | Modal payout | Detection difficulty | Notable case
--- | --- | --- | --- | ---
Ransomware (encrypt + exfiltrate + double-extort) | RaaS affiliates; tier-1 organized | $1M–$50M+ per incident; 0.5–3% of annual revenue | Low for the encryption event (impact is obvious); high for the pre-encryption data theft | Colonial Pipeline May 7, 2021 ($4.4M paid; $2.3M recovered by FBI June 2021); Change Healthcare Feb 21, 2024 ($22M paid to BlackCat/ALPHV)
Wire fraud / Business Email Compromise (BEC) | Loose-affiliate networks; West African specifically over-represented | $50K–$50M per incident; FBI IC3 reported $2.9B BEC losses in 2023 | Moderate; relies on payment-verification controls | The 2019 FACC (Austrian aerospace) $61M case; the 2016 Ubiquiti $46.7M case; many others in DoJ press releases
Data brokerage / dark-market resale | Stealer-log operators; IABs; data-broker forum participants | Per-record pricing $0.05–$50; per-database wholesale $1K–$100K | Low for the breach; very low for the aftermarket transactions | The 2013 Target breach (40M cards via Fazio Mechanical HVAC supplier); the 2017 Equifax (147M records); many 2020s breach-and-resale incidents
Cryptocurrency theft / drainer attacks | Specialist drainer-as-a-service operators; smart-contract-exploiting groups | $100K–$600M per incident (the 2022 Ronin Bridge $625M is the canonical high) | Low (transactions on chain are publicly visible); attribution is the difficulty | Ronin Bridge March 2022 ($625M, Lazarus); Poly Network August 2021 ($612M, eventually returned); FTX November 2022 ($477M)
State-aligned intelligence (no direct monetization) | APTs; nation-state services | (No direct payout; data goes to handler) | Highest (operations designed for long-term covert presence) | APT1 / Comment Crew (Mandiant Feb 19 2013); SolarWinds (Dec 2020, APT29); various

Table 7.3 — The five primary monetization patterns. Ransomware was the dominant pattern by total dollar volume across 2020–2024; BEC has consistently been the highest single-vector by reported loss (IC3 data) for several years. Cryptocurrency theft is the highest-per-incident pattern for the relatively-small population of capable actors. State-aligned operations don’t fit the monetization frame at the operator level — the actor is salaried by the state, not paid per operation — but appear in the table because the operational profile is otherwise structurally similar.

4.7 Cleanup as obstruction

The fifth criminal-side difference is cleanup. The authorized engagement’s cleanup phase restores the environment to baseline (Vol 6 §4.7); the criminal engagement’s cleanup phase obstructs investigation. Threat-intel reporting consistently identifies a recurring set of obstruction tactics:

  • Log destruction. Wiping or tampering with Windows event logs, Linux syslog, application logs, and security-tool telemetry. The Meterpreter clearev command and equivalent functionality in criminal C2 frameworks automate the Windows event-log step (ATT&CK T1070.001).
  • Backup destruction. Specifically in ransomware operations, the operator searches for and destroys backups (shadow copies, backup catalogs, reachable backup servers) before encryption to prevent recovery without paying. The 2019–2026 RaaS literature consistently documents backup-target enumeration as a pre-encryption phase (ATT&CK T1490).
  • False-flag indicators. Planting artifacts that suggest a different actor or different motive. The most-cited example is Olympic Destroyer (2018 Pyeongchang Winter Olympics) — Sandworm’s deliberate planting of Lazarus-style indicators to mis-direct attribution; the multi-month attribution work documented by Kaspersky GReAT and Cisco Talos is the canonical case study.
  • Anti-forensics tooling. A category of capabilities that delete or modify forensic artifacts (timestomping, file slack-space wiping, USN-journal manipulation). Disciplined use of this tooling is characteristic of nation-state operators; the modal RaaS affiliate rarely goes beyond clearing the event logs.
  • Retained persistence for return. As covered in §4.5, the criminal operator does not clean up persistence; the persistence is the platform for the next operation.

The MITRE ATT&CK framework’s Defense Evasion tactic (TA0005) and Impact tactic (TA0040) document the obstruction-and-destruction techniques at full taxonomic depth. The defensive-side coverage is in Vol 10; the red-team adversary-emulation coverage is in Vol 11.
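The log-destruction and backup-destruction bullets above are the two obstruction steps that are cheapest to catch on the defender’s side, because both leave a characteristic record before the destruction takes effect: Windows writes Security event 1102 (audit log cleared) and System event 104 (log file cleared), and the shadow-copy and backup-catalog deletions are ordinary process creations with recognizable command lines. The Python below is an added example, not code from this volume or from any vendor; it runs a small rule set over constructed sample telemetry (a simplified key=value rendering of Security, System and Sysmon events, with an invented hostname and timeline), tags matches with the ATT&CK IDs T1070.001 and T1490, and escalates when the two appear on the same host within a short window, which is the pre-encryption cleanup pattern described above.

```python
"""Detect log-clearing and backup-destruction telemetry (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry in a simplified key=value format (not real logs):
# one file server, a few minutes before a hypothetical encryption event.
SAMPLE_LOG = """\
2024-05-02T03:11:07Z host=fs01 channel=Security event_id=4624 user=svc_backup msg=logon
2024-05-02T03:14:52Z host=fs01 channel=Sysmon event_id=1 user=admin image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"
2024-05-02T03:15:03Z host=fs01 channel=Sysmon event_id=1 user=admin image=C:\\Windows\\System32\\wbadmin.exe cmdline="wbadmin delete catalog -quiet"
2024-05-02T03:16:40Z host=fs01 channel=Sysmon event_id=1 user=admin image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c dir"
2024-05-02T03:20:11Z host=fs01 channel=Security event_id=1102 user=admin msg=audit_log_cleared
2024-05-02T03:20:15Z host=fs01 channel=System event_id=104 user=admin msg=log_file_cleared
2024-05-02T03:21:00Z host=fs01 channel=Sysmon event_id=1 user=admin image=C:\\Windows\\System32\\wevtutil.exe cmdline="wevtutil cl Security"
"""

# key=value pairs; values may be double-quoted (command lines contain spaces)
LOG_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# ATT&CK T1490 Inhibit System Recovery: command lines that destroy local recovery data
RECOVERY_INHIBIT = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]
# ATT&CK T1070.001 Clear Windows Event Logs, as seen in process creation
LOG_CLEAR_CMD = [
    re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I),
    re.compile(r"Clear-EventLog", re.I),
]


def parse_line(line):
    """Parse '<timestamp> k=v k="v v" ...' into a dict with a datetime under 'ts'."""
    ts_str, _, rest = line.partition(" ")
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for key, quoted, bare in LOG_KV.findall(rest):
        rec[key] = quoted if quoted else bare
    return rec


def classify(rec):
    """Return the ATT&CK technique ID a record matches, or None."""
    channel, event_id = rec.get("channel"), rec.get("event_id")
    if (channel, event_id) in {("Security", "1102"), ("System", "104")}:
        return "T1070.001"  # the log-cleared audit record itself
    if channel == "Sysmon" and event_id == "1":
        cmdline = rec.get("cmdline", "")
        if any(p.search(cmdline) for p in RECOVERY_INHIBIT):
            return "T1490"
        if any(p.search(cmdline) for p in LOG_CLEAR_CMD):
            return "T1070.001"
    return None


def detect(log_text, window=timedelta(minutes=30)):
    """Return (alerts, escalations). An escalation is recorded per host when a T1490
    event is followed within `window` by a T1070.001 event on the same host."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        technique = classify(rec)
        if technique:
            alerts.append({"ts": rec["ts"], "host": rec.get("host"),
                           "technique": technique, "line": line})
    escalations = {}
    for a in alerts:
        if a["technique"] != "T1490" or a["host"] in escalations:
            continue
        for b in alerts:
            if (b["host"] == a["host"] and b["technique"] == "T1070.001"
                    and timedelta(0) <= b["ts"] - a["ts"] <= window):
                escalations[a["host"]] = (a["ts"], b["ts"])
                break
    return alerts, escalations


if __name__ == "__main__":
    found, escalated = detect(SAMPLE_LOG)
    for a in found:
        print(a["ts"].isoformat(), a["host"], a["technique"])
    for host, (t_backup, t_logs) in escalated.items():
        print(f"ESCALATE {host}: recovery inhibited {t_backup.time()}, logs cleared {t_logs.time()}")
```

The correlation step is the part worth copying: either signal alone is noisy (administrators do clear logs and prune shadow copies), but backup destruction followed minutes later by log clearing on the same host is the sequence ransomware affiliates run immediately before encryption, and it is visible only if the 1102/104 records and the process-creation telemetry are forwarded off the host before the wipe.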


5. A day in the life — reconstructed from court records

Framing — read first. Unlike the authorized-engagement day-in-the-life in Vol 6 §5, which was a composite narrative authored from observable patterns in the field, the black-hat day-in-the-life cannot be observed from inside. Black-hat operators are not publicly visible at work — the engagements have no conferences, the practitioners have no LinkedIn profiles describing their actual day, no readers can shadow a working session and write it up. The sections that follow are reconstructed from public-record sources: indictment documents, the Conti chat-log leak of February 2022, threat-intel post-mortems on documented operations, researcher accounts of dark-web-forum and Telegram-channel observation. Each subsection cites the specific reconstruction-from source(s) it draws on. The texture is documentary, not voyeuristic; the point is to make the adversary’s working pattern visible for defensive purposes, not to glamorize or to provide operational uplift. Where the reconstruction is uncertain or contested, the volume flags the uncertainty rather than papering over it.

5.1 A ransomware affiliate’s workday — reconstructed from the Conti leak

The single best primary-source dataset for the working day of a tier-1 ransomware operation is the Conti chat-log leak of February 27, 2022[4]. A pseudonymous leaker — widely believed to be a Ukrainian Conti insider responding to Conti’s public alignment with Russia after the February 24, 2022 invasion of Ukraine — released the operation’s internal Jabber chat archives spanning January 2020 through February 2022. The archive contains approximately 60,000 messages across approximately 400 named accounts, in Russian, with substantial discussion of operational, organizational, and financial matters. Trend Micro, Mandiant, Check Point, BBC, several academic researchers, and journalists (notably Brian Krebs’s KrebsOnSecurity series and The New York Times’s Conti coverage) have published substantive analyses. The leak is the closest the field has come to a complete view inside an active criminal organization; the structural lessons it documents are largely confirmed by parallel observations against other major RaaS operations.

The picture the leak draws of a Conti affiliate’s working day:

The affiliate — call her Anna, drawing on a composite of named accounts in the leak — starts her workday on Moscow time, approximately 09:00. She reports to a project lead via the Jabber channel; the project lead manages a portfolio of active victim engagements at various stages of the lifecycle. Anna’s current assignment is a mid-sized U.S. healthcare-sector target against which initial access was acquired approximately three weeks ago, via a phishing campaign that another affiliate’s team handled. Anna’s responsibility is the post-foothold expansion: privilege escalation to domain admin, enumeration of high-value data and backup infrastructure, and pre-encryption data exfiltration.

The morning is enumeration and lateral-movement work using the standard toolkit (Cobalt Strike Beacons inherited from the previous affiliate, AdFind for AD enumeration, BloodHound for path-finding, custom scripts). The Jabber channel has technical-support traffic from other affiliates — questions about specific defenders’ EDR detection, advice on a recurring credential-extraction issue, debate about a target whose backup infrastructure has resisted enumeration. The project lead occasionally pings Anna with status updates on the larger portfolio. Lunch is at the local equivalent of midday; the chat traffic continues through it.

The afternoon shifts to data-exfiltration work. The Conti operation maintained a dedicated set of cloud-storage and FTP endpoints for staging exfiltrated data; the exfiltration tool (a custom binary the operation maintained internally) uploads selectively to those endpoints. Anna’s exfil priority list — driven by the operation’s negotiation playbook — is finance department records, HR records (specifically for PII that has resale value separate from the ransom), customer-facing system data (for double-extortion leverage), and any documents containing the word “insurance” (the Conti leaks documented this last priority explicitly; the operation specifically harvested insurance documentation to inform ransom-demand calibration).

The end of the day is summary writing — Anna writes a project-status note for the project lead summarizing the day’s progress, blockers, and the projected timeline to the encryption event. The note format is standardized; the operation’s project-management discipline is, structurally, recognizably similar to corporate project management. Anna’s workday ends approximately 18:00 Moscow time; she returns the next morning to continue.

Other elements of the Conti operation the leaks documented:

  • A formal HR function. The operation hired, fired, and managed payroll for approximately 100+ individuals across roles. Salaries were in the $1,000–$2,000/month range for entry-level technical roles, scaling to $5,000+/month for senior operators and managers. The HR function handled vacation policy, sick leave, and the limited benefits the operation offered.
  • A negotiator role. A separate team handled the ransom-negotiation conversations with victim organizations and their incident-response firms. The negotiators worked from playbooks that calibrated the demand against the victim’s annual revenue, insurance coverage, and observed responsiveness. The negotiator team was distinct from the operators; the working-language was Russian internally with English-language scripts for the victim-facing conversations.
  • A “support” function. Approximately a dozen accounts were dedicated to acting as IT-helpdesk-style impersonators in social-engineering follow-ons — calling victim organizations posing as the actual IT helpdesk to harvest additional credentials, redirect MFA tokens, or simply soften the target for the encryption phase.
  • Discipline around operational security. The chat logs documented internal arguments about operational security failures (an affiliate’s mistake exposing infrastructure, the question of whether to trust new affiliate recruits, debates about which laundering services to use). The texture is recognizably that of a working organization with quality-control discipline, not the lone-wolf-villain archetype.
  • Discipline around target selection. The chat logs documented explicit policies about which sectors to attack and which to avoid (the Russian-speaking-locale exemption was operationally enforced; the post-Colonial-Pipeline “no critical infrastructure” policy was discussed and partially implemented).

The Conti leak is the canonical primary source for what an active tier-1 RaaS operation’s internal life looks like. Other RaaS leaks have produced similar — though smaller-scale — corroboration: the Babuk leak in September 2021, the LockBit affiliate-panel exposure in 2022, various REvil-period leaks. The aggregate picture is consistent: in 2026, tier-1 RaaS operations are structured organizations with payrolls, project management, and quality-control discipline, not lone-wolf-villain archetypes.

5.2 An Initial Access Broker’s listing-and-sale flow — reconstructed from KELA, Group-IB, Recorded Future

The Initial Access Broker (IAB) role does not produce the kind of large public chat leaks the Conti operation did, but the market the IABs operate in is observable through threat-intel firms that maintain market-surveillance capabilities. KELA[5], Group-IB[6], and Recorded Future[7] maintain consistent IAB-market tracking; the picture the published reports draw of an IAB’s working day:

The IAB — operating pseudonymously on one or more dark-web forums (Russian Market, the historically-prominent XSS and Exploit.in forums, various successor venues) — starts the day reviewing the prior 24 hours of his portfolio. His portfolio is a set of compromised accesses he has acquired but not yet sold: a Citrix endpoint at a U.S. legal firm acquired three days ago via credential stuffing, a Cisco AnyConnect VPN credential to a German manufacturer acquired last week, a domain-admin credential to a mid-sized U.S. retailer acquired two weeks ago. Each access is described in a standardized listing format: victim sector and country, revenue band (often estimated from public data, ZoomInfo, LinkedIn), access type, access level, evidence of validity (sometimes a screenshot, sometimes a credential validation timestamp), asking price.

The day’s work is a mix of listing maintenance and sales-conversation handling. The listings are posted on dark-web forums and/or specific Telegram channels; potential buyers (RaaS affiliates, data-broker operators, occasional state-aligned actors) reach out via the forum’s private-message system or via Jabber. The conversation pattern is recognizably commercial: questions about the victim’s defenses (“do they run [specific EDR vendor]? what’s the network topology?”), negotiation over price, requests for proof-of-access (typically a fresh screenshot or a small data sample), payment terms (escrow via the forum, direct cryptocurrency transfer, OTC).

The pricing structure documented in KELA, Group-IB, and Recorded Future reports across 2020–2026:

| Access type | Modal price range (USD-equivalent in cryptocurrency) | Notes |
|---|---|---|
| Single-host RDP | $50–$500 | Low tier; commodity |
| VPN credential, mid-sized org | $500–$3,000 | The modal IAB listing |
| Domain-admin credential, mid-sized org | $2,000–$10,000+ | High tier; ransomware-ready |
| Domain-admin credential, large enterprise (Fortune 1000) | $10,000–$50,000+ | Premium tier; rare |
| Citrix / Citrix NetScaler access, enterprise | $1,000–$10,000 | Specific niche; correlated with patching cycles |
| Cloud-tenant (Azure AD / Entra ID) admin access | $1,000–$15,000 | Rising category; 2022 onward |

Table 7.4 — IAB market modal pricing, drawn from KELA / Group-IB / Recorded Future tracking across the 2020–2026 window. Prices fluctuate substantially with vulnerability-disclosure cycles, takedown pressure, and macroeconomic conditions in the criminal economy; the table reports approximate ranges.

The IAB’s working day continues through afternoon listing-curation and evening sales-conversation handling. The role is recognizably that of an inventory-broker. Some IABs specialize by access type, sector, or geography; others run general portfolios. The largest IAB operators have built out small teams that handle acquisition (the credential-stuffing and exploit-pack-driven acquisition pipeline) separately from listing-and-sale; the small-scale IABs are individual operators.

The IAB market is, in 2026, the canonical example of the criminal-economy’s specialization-of-roles. The IAB doesn’t monetize the access directly; they sell it to operators who do. The downstream operator doesn’t acquire the access directly; they buy it from the IAB. The market is efficient enough — and the role specialization is mature enough — that this is the modal initial-access pattern in tier-1 RaaS operations.

5.3 A nation-state APT operator’s tasking cycle — reconstructed from threat-intel reporting

The nation-state-aligned operator is, again, not directly observable, but the operational tempo is observable in the threat-intel literature. Mandiant’s APT-group reports (the APT1 report of February 19, 2013 was the canonical case; subsequent reports on APT28, APT29, APT41, Lazarus, Sandworm, Charming Kitten, MuddyWater, and others have followed similar structure), CrowdStrike Global Threat Reports, Microsoft DSU and MSTIC reports, and Kaspersky GReAT publications are the standing sources. The picture they draw of a nation-state-aligned operator’s working week:

Working hours track the operating-state’s local time, with allowances for the target’s geography. The 2013 Mandiant APT1 report famously documented PLA Unit 61398’s working hours as approximately 09:00–18:00 Beijing time, with reduced activity on Chinese holidays — a working-day texture that is structurally identical to any other office-bound job. Subsequent reports have documented similar patterns for Russian GRU and SVR units (Moscow-time working hours), Iranian IRGC operations (Tehran-time), and DPRK Lazarus Group (Pyongyang-time, with substantial off-hours activity reflecting the operation’s broader expectation of around-the-clock availability).
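The working-hours observation in the paragraph above is a reproducible analytic technique, not just a narrative detail: an analyst takes activity timestamps in UTC (C2 check-ins, commit times in leaked tooling, login events), shifts them into each candidate UTC offset, and asks which offset makes the activity look most like an ordinary weekday office job. The Python below is an added example, not code from this volume or from Mandiant; the check-in timestamps are synthetic (a simulated operator keeping 09:00–18:00 weekday hours in UTC+8, with a few 02:00-local beacons as noise) and the scoring is the simplest possible version. The caveat the §4.7 false-flag bullet implies applies here too: timestamps are an attacker-controllable signal, so an inferred offset corroborates other evidence; it does not establish attribution on its own.

```python
"""Infer an operator's local working hours from activity timestamps (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone


def build_sample_events():
    """Constructed sample, not real telemetry: synthetic C2 check-ins (UTC) from an
    operator who keeps 09:00-18:00 weekday hours in UTC+8, plus off-hours noise."""
    tz_local = timezone(timedelta(hours=8))
    start = datetime(2024, 3, 4, tzinfo=tz_local)  # a Monday
    events = []
    for day in range(14):
        d = start + timedelta(days=day)
        if d.weekday() >= 5:  # no weekend activity in the simulation
            continue
        for hour in range(9, 18):  # one check-in per working hour
            events.append(d.replace(hour=hour, minute=30).astimezone(timezone.utc))
    for day in (1, 3, 8):  # three 02:00-local check-ins, e.g. automated beacons
        d = start + timedelta(days=day)
        events.append(d.replace(hour=2, minute=0).astimezone(timezone.utc))
    return events


def working_hours_score(events_utc, offset_hours, start_hour=9, end_hour=18):
    """Fraction of events that fall Monday-Friday in [start_hour, end_hour)
    once every timestamp is shifted into the candidate UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ev in events_utc:
        local = ev.astimezone(tz)
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            hits += 1
    return hits / len(events_utc)


def rank_offsets(events_utc, offsets=range(-12, 15)):
    """Candidate UTC offsets ranked by how well they explain the activity as a
    09:00-18:00 weekday job; the top entry is the inferred operator offset."""
    scored = [(off, working_hours_score(events_utc, off)) for off in offsets]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def hour_histogram(events_utc, offset_hours):
    """Events per local hour under a candidate offset (the histogram analysts plot)."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(ev.astimezone(tz).hour for ev in events_utc)


if __name__ == "__main__":
    events = build_sample_events()
    for offset, score in rank_offsets(events)[:3]:
        print(f"UTC{offset:+d}: {score:.3f} of activity inside weekday 09:00-18:00")
    best = rank_offsets(events)[0][0]
    for hour, count in sorted(hour_histogram(events, best).items()):
        print(f"{hour:02d}:00 {'#' * count}")
```

On real data the histogram matters more than the single best score: a clean 09:00–18:00 block with a lunch dip and empty weekends is the APT1-style signature; a flat distribution means the check-ins are automated and say nothing about the human operator; and an offset that fits the target’s business hours rather than any plausible operator location is a reminder that beacon timing is often driven by when victim machines are powered on.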

The tasking cycle differs from the criminal case in several structural respects:

  • Tasking comes from a handler / intelligence chain rather than from operator-side target selection. The APT operator is given specific targets to develop access against, specific data to collect, specific operational objectives. The criminal operator is choosing targets for monetization potential; the state-aligned operator is executing tasking against a specified collection priority. The collection priority is set by the intelligence requirements of the operating state.
  • The operations are designed for long-term covert presence rather than short-term monetization. Where a RaaS operation might dwell two-to-six weeks before encryption, an APT operation might dwell two-to-six years before the operator is even discovered. The SolarWinds Orion compromise (disclosed December 2020) had been active for approximately 9 months before discovery; many other APT operations have run longer.
  • Operational security discipline is higher. State-aligned operators have, on average, substantially more disciplined operational-security practices than criminal operators. The tooling is often custom rather than commodity; the infrastructure is more carefully compartmentalized; the operator’s personal exposure to attribution is more carefully managed. The exceptions are notable: the 2018 GRU Mueller indictment documented surprisingly poor operational security from Russian GRU operators in some 2016-era operations.
  • The data flows to the intelligence-service handler, not to the criminal economy. State-aligned operations are not (typically) monetized at the operator level. The exception worth flagging is Lazarus Group and BlueNoroff — DPRK financial operations — which operate at a tier that is structurally indistinguishable from criminal monetization while being explicitly state-aligned. The Ronin Bridge $625M theft (March 2022, Lazarus) and the broader DPRK cryptocurrency-theft pattern are the canonical hybrid cases; the FBI and U.S. Treasury have characterized these as state-aligned operations whose proceeds flow to the DPRK regime’s sanctions-evasion financial infrastructure.

The Mandiant APT1 report, the Mueller GRU indictment (July 13, 2018), the Park Jin Hyok criminal complaint (filed under seal June 8, 2018; unsealed September 6, 2018; covered in §7.4 below), the BlueNoroff treatment in Kaspersky GReAT reports, and various other public threat-intel sources are the load-bearing references for the nation-state working-day picture. The picture is consistent: in 2026, state-aligned operations are structured intelligence-service jobs with disciplined working hours and long-term operational planning, not the freelance-criminal-economy texture of §5.1.


6. The criminal economy

This section replaces the “How they get hired” section from the per-hat template (Vol 6 §6) with a structural treatment of the criminal economy in which black-hat operators work in 2026. The picture below is drawn from threat-intel reporting (Mandiant, CrowdStrike, Microsoft DSU, Recorded Future, KELA, Group-IB, Trend Micro, Check Point), U.S. Department of Justice indictments and press releases, OFAC sanctions designations, and major-press journalism (Krebs on Security, Wired, The New York Times, BBC, Reuters). The structural lessons are well-corroborated across sources; the named-organization specifics are flagged with their citations.

Vol 4 §6 walked the criminal economy as historical material — the 1989 AIDS Trojan baseline through the 2024 LockBit Operation Cronos takedown. This section organizes the same material as a structural map of the 2026 ecosystem, with the engineering-and-economic detail that the historical treatment didn’t carry.

6.1 Initial Access Brokers (IABs)

The IAB role is the load-bearing specialization in the modern criminal economy. As covered in §3.1 and §5.2 above: IABs acquire access to victim networks (via phishing, exploit packs, credential stuffing, or exposed-service brute-forcing) and sell that access to other operators rather than monetizing it themselves. The market matured between approximately 2018 and 2021 from an ad-hoc activity into a structured commercial role; KELA’s 2020 Initial Access Brokers Landscape report[5] was the first systematic public-record treatment, and the firm has maintained the tracking series since.

The IAB market’s structural features:

  • Listing format is standardized. Victim sector, country, revenue band, access type, access level, asking price. The standardization makes the market efficient — buyers compare listings across IABs and across the available portfolio. The standardization also makes the market visible to threat-intel firms, who monitor the listing flows and produce the per-sector / per-country analytics the published reports describe.
  • Pricing tracks the access value. Table 7.4 above documents the modal pricing structure. The premium is on access depth (domain admin > regular VPN credential > single-host RDP) and on the target’s payout potential (a Fortune 1000 victim’s domain-admin access is many times more valuable than the same depth at a small-medium business).
  • IABs operate on a small number of dominant forums. The Russian-language forums XSS (formerly DamageLab) and Exploit.in have been historically dominant; Telegram channels have become an increasingly important venue post-2020. Specific forums rise and fall on enforcement-action timeframes (BreachForums shut down in March 2023 with operator Conor Brian Fitzpatrick / Pompompurin’s arrest, restarted, then was disrupted again in May 2024 — the forum has been resurrected by successor operators multiple times). The forum ecosystem is a recurring law-enforcement target.
  • The IAB-to-RaaS-affiliate pipeline is the modal initial-access pattern. A 2021–2024 development corroborated by multiple threat-intel sources: tier-1 RaaS operations now consistently source initial access from the IAB market rather than developing it themselves. The specialization makes both sides of the market more efficient.

6.2 RaaS operators

The Ransomware-as-a-Service (RaaS) operator runs the back-end: develops and maintains the ransomware kit (the encryptor binary, the negotiation portal infrastructure, the leak site), recruits and manages affiliates, sets the revenue-share terms, and handles the operational support of the platform. The role is, structurally, the criminal-economy analog of a franchisor — the platform provider — while the affiliates are the franchisees (§6.3 below).

The RaaS organizational structure documented in indictments and leaks:

  • Conti (active approximately December 2019 through May 2022; operated by the Wizard Spider group; eventual reorganization into Black Basta, Karakurt, and other successors after the February 2022 chat-log leak fragmented the operation). The Conti chat-log leak (§5.1) is the most-complete public-record evidence on a tier-1 RaaS operation’s organizational structure. The published analyses document approximately 100+ named individuals across roles: senior management (3–5 individuals); developers (10–20); operators and affiliates (60–80 active); negotiators (5–10); HR / payroll / support (~10); IT helpdesk-impersonation team (~10). The organizational sophistication was on par with a small-to-medium software company.
  • REvil / Sodinokibi (April 2019 through October 2021 plus a 2022 resurgence). REvil’s operator chain was substantially decapitated by the July 2021 Kaseya VSA attack’s law-enforcement aftermath; multiple arrests in Russia in January 2022 (Yaroslav Vasinskyi extradited to the U.S. in March 2022; sentenced May 2024 to 13 years 7 months; the rest of the named arrests in Russia produced minimal extradition movement). The REvil affiliate-panel design and the operation’s revenue-share terms (an initial 60/40 affiliate-favored split, rising to 70/30 after the operation’s reputation matured) are documented in the U.S. indictments and in research by Coveware and Mandiant.
  • LockBit (September 2019 through Operation Cronos February 19, 2024; resurgent on impaired infrastructure post-Cronos). LockBit was the highest-victim-count RaaS operation in history at the time of the Cronos takedown — between 1,400 and 2,500 confirmed victims by various counts. LockBit’s affiliate-panel was uniquely well-designed; the operation marketed itself with affiliate-favorable terms (80/20 revenue split favoring the affiliate, faster payouts than competitors, a self-service decryption-validation tool that affiliates could use to confirm encryption-was-actually-recoverable before negotiation). The principal operator, indicted by U.S. DoJ in May 2024 as Dmitry Yuryevich Khoroshev (handle “LockBitSupp”), remains at large in Russia; the OFAC sanctioning and indictment unsealing in May 2024 produced significant operational disruption.
  • BlackCat / ALPHV (November 2021 through March 2024; self-imploded in an apparent exit scam after the Change Healthcare $22M payment in early March 2024). BlackCat was the first Rust-language-implemented RaaS family and pioneered several technical innovations (more granular affiliate-control features, the searchable-leak-site model, attempts at API-driven negotiation). The March 2024 ALPHV exit scam — the operators apparently absconding with the affiliate’s share of the Change Healthcare payment — is a cautionary case for the affiliate population of the criminal economy.

Revenue-share terms have been consistent across tier-1 operations: 70/30 to 80/20 affiliate-favored. The platform operator’s cut is 20–30 percent in exchange for providing the kit, the infrastructure, the negotiation handling, the leak-site operation, and the brand-recognition leverage in victim-negotiation conversations.

6.3 RaaS affiliates

Affiliates are operators who deploy the ransomware against targets they (or an IAB they purchased from) have gained access to. The affiliate is the franchisee; the affiliate pays the RaaS operator a revenue share in exchange for the kit and the platform. The affiliate handles the actual intrusion work (foothold expansion, data exfiltration, encryption deployment, anti-recovery work); the operator handles the platform, the negotiation, and (typically) the brand.

The affiliate role is the largest population in the criminal economy by headcount. The Conti leaks documented approximately 60–80 active affiliates at any given time; LockBit’s affiliate population at its peak was estimated at several hundred (the operation marketed itself aggressively to attract affiliates and may have over-stated its active-affiliate count for recruiting purposes — the operational-tempo data suggests an active count closer to 100–150). Across the modern RaaS ecosystem, the total active-affiliate population is, in 2026, estimated by threat-intel firms in the low thousands worldwide.

Affiliate skill levels vary widely. The senior tier — experienced operators who have worked across multiple RaaS platforms over years — overlaps in skill with mid-senior authorized red-team operators (Vol 11 will treat the skill-overlap from the red-team side). The junior tier is closer to script-kiddie-with-a-platform; the RaaS kit’s ease-of-use and the affiliate-support infrastructure make low-sophistication affiliates economically viable in a way that pre-RaaS-era criminal operations did not.

The legal exposure on the affiliate side is, in 2026, substantial. The DoJ’s enforcement-action cadence has increasingly targeted affiliates rather than just operators — the Yaroslav Vasinskyi (REvil affiliate; extradited March 2022, sentenced May 2024) prosecution is the canonical example; multiple other affiliate-tier prosecutions have followed. The operator-tier prosecutions (the LockBitSupp May 2024 unsealing; the various Conti-tier indictments) get the press; the affiliate-tier prosecutions are the actual law-enforcement workload.

6.4 Money launderers

The post-monetization laundering layer is its own structural specialization in the criminal economy. The cryptocurrency-laundering rails described in §3.5 above (mixers, chain-hopping, OTC desks, sanctioned exchanges) are operated by — and serve — a structurally-distinct population from the operators and affiliates. The specialization makes the market efficient; it also creates a chokepoint that law enforcement has aggressively targeted.

The OFAC enforcement geometry that defines the legal-exposure landscape for money launderers:

  • Tornado Cash sanctioned August 8, 2022[3] — the first OFAC designation of a smart-contract protocol rather than a person or entity. Roman Storm and Roman Semenov, two of the Tornado Cash developers, were indicted by the Southern District of New York in August 2023 on charges of conspiracy to commit money laundering, conspiracy to operate an unlicensed money-transmitting business, and conspiracy to violate IEEPA[8]. Storm’s trial (S.D.N.Y., before Judge Katherine Polk Failla) ended on August 6, 2025 with a mixed verdict: the jury convicted him on the unlicensed-money-transmitting-business conspiracy count (the lightest of the three, maximum 5 years) and deadlocked on the money-laundering and IEEPA counts (each carrying a maximum of 20 years). The deadlock produced a partial mistrial on those two counts; the DOJ filed a letter on March 9, 2026 requesting retrial of the deadlocked charges, proposing an October 5 or 12, 2026 start date. Storm remains free on bail pending sentencing on the convicted count. Semenov remains at large. The case is the canonical 2020s test of the legal exposure of cryptocurrency-laundering-infrastructure developers (as distinct from operators) under U.S. sanctions and money-laundering law; the split verdict (conviction on the operating-an-unlicensed-business count, deadlock on the intent-based laundering and sanctions-evasion counts) is the early jurisprudential signal that developer liability for permissionless smart-contract protocols is partially but not fully chargeable under current statute. On the sanctions side, the Fifth Circuit’s November 2024 Van Loon v. Department of the Treasury ruling held that Tornado Cash’s immutable smart contracts were not “property” under IEEPA, and OFAC removed the protocol from the SDN list in March 2025; the August 2023 designation of Semenov as an individual was a separate action.
  • ChipMixer taken down March 15, 2023 by joint U.S./German/Belgian/Polish action[9]. Infrastructure seized; approximately $46M in cryptocurrency seized; operator Minh Quoc Nguyen indicted in the Eastern District of Pennsylvania.
  • Bestmixer.io taken down May 2019 by the Dutch FIOD and Europol.
  • Helix / Coin Ninja operator Larry Harmon: arrested February 2020; pleaded guilty August 2021; sentenced November 2024.
  • Suex OTC OFAC-sanctioned September 21, 2021 — the first OFAC designation of a cryptocurrency exchange as a sanctions-evasion mechanism.
  • Garantex OFAC-sanctioned April 5, 2022.
  • Hydra Market taken down by joint U.S./German action April 5, 2022[10] — the largest dark-web marketplace at the time of takedown, with significant cryptocurrency-laundering services among its hosted offerings. Operator Dmitry Pavlov remains at large in Russia.

The OFAC sanctions geometry has changed the legal calculus for ransom payments themselves. The October 2020 OFAC advisory (updated September 2021) made explicit that paying ransom to a sanctioned individual or entity could constitute a sanctions violation by the victim organization (and by its insurance carrier and incident-response intermediaries). The advisory has substantially restructured the cyber-insurance and incident-response decision process: many victim organizations now conduct sanctions-compliance review before any payment decision, and several major cyber-insurance carriers have tightened or restricted ransomware-payment coverage as a result.

6.5 The nation-state-aligned tier

The nation-state-aligned tier sits structurally adjacent to the criminal economy. The actors share substantial tooling and technique with criminal operators (§3, §4); the legal-and-economic structure differs.

  • Tasking comes from the operating state, not from the criminal-economy market. The operator is salaried by the state’s intelligence service rather than paid per operation; the target selection is set by the state’s collection priorities; the operational tempo is the state’s, not the market’s.
  • The operations don’t monetize at the operator level. The data flows to the handler / intelligence chain rather than to a darknet market. The exception worth flagging: Lazarus Group / BlueNoroff — the DPRK financial operations whose proceeds (cryptocurrency theft, fraudulent transfers, the Ronin Bridge $625M theft, the broader DPRK cryptocurrency-theft pattern across 2017–2026) flow to the DPRK regime’s sanctions-evasion infrastructure. These operations are state-aligned (the actors are RGB / Reconnaissance General Bureau personnel) and simultaneously structured like criminal operations (the monetization profile, the laundering pipeline). The hybrid case is unique to the DPRK among major-state operations; it reflects the regime’s specific sanctions-evasion-financial-need.
  • The state-aligned actor’s legal exposure is jurisdictionally contested. From the operating state’s perspective, the operator is authorized state personnel; from the victim state’s perspective, the operator is a black-hat criminal subject to indictment and (in principle) extradition. The DoJ’s public-attribution-and-indictment pattern that started with the May 2014 PLA Unit 61398 indictment (Vol 4 §4.2) is the standing U.S. response; the indictments rarely produce convictions (the defendants are typically protected in their home jurisdictions) but they do establish public attribution at engineering specificity and impose travel restrictions on the named individuals.
  • The APT taxonomy. Vol 4 §4.4 walked the 12-group taxonomy (APT1, APT28, APT29, APT30, APT33, APT34, APT38, APT40, APT41, Lazarus, Sandworm, Equation Group). The 2026 taxonomy continues to grow as additional groups are publicly named; the structural composition (a handful of major states, with the remaining attributable activity spread across several smaller programs) has stayed consistent.

6.6 The criminal-economy organizational chart

                                                                                                                    
   ┌────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
   │                              The 2026 Criminal-Economy Organizational Chart                               │
   └────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

       INITIAL-ACCESS LAYER                          MONETIZATION LAYER                    LAUNDERING LAYER

   ┌───────────────────────────────┐         ┌─────────────────────────────────┐    ┌──────────────────────────┐
   │                               │         │                                 │    │                          │
   │   Initial Access Brokers      │  sale   │   RaaS OPERATORS                │    │   Cryptocurrency mixers  │
   │   (IABs)                      │ ──────► │   (platform; ransomware kit;    │    │   (Tornado Cash hist.;   │
   │                               │         │    leak site; negotiation)      │    │    ChipMixer hist.;      │
   │   Acquire access via:         │         │                                 │    │    successor mixers)     │
   │   - phishing kits             │         │   ↕ 70/30 to 80/20 split        │    │                          │
   │   - exposed RDP/VPN brute     │         │                                 │    │   Chain-hopping services │
   │   - exploit packs             │         │   RaaS AFFILIATES               │    │                          │
   │   - credential stuffing       │         │   (operators who deploy the     │    │   OTC desks              │
   │                               │         │    ransomware against targets   │    │   (Suex hist., Garantex) │
   │   Forums: XSS, Exploit.in,    │         │    they've gained access to)    │    │                          │
   │   BreachForums (volatile),    │         │                                 │    │   Sanctioned exchanges   │
   │   various Telegram channels   │         │   ───►  Other monetization      │    │                          │
   │                               │         │           paths:                │    │   Cash-out services      │
   │   Modal listing prices:       │         │   - BEC / wire fraud            │    │                          │
   │   $200 – $50,000+             │         │   - Data brokerage              │    └──────────────────────────┘
   │                               │         │   - Cryptocurrency theft        │              │
   └───────────────────────────────┘         │     (Lazarus / Ronin Bridge)    │              │
                                              │                                 │              │
                                              └─────────────────────────────────┘              │
                                                              │                                 │
                                                              ▼                                 ▼
                                              ┌───────────────────────────────────────────────────────────────────┐
                                              │                                                                   │
                                              │   ENFORCEMENT OVERLAY                                             │
                                              │                                                                   │
                                              │   • OFAC sanctions designations                                   │
                                              │     (Evil Corp Dec 2019; Suex Sept 2021; Garantex Apr 2022;       │
                                              │      Tornado Cash Aug 8 2022; various successor designations)     │
                                              │                                                                   │
                                              │   • DoJ indictments                                               │
                                              │     (Gonzalez 2009; Butler 2010; Bogachev 2014; Park Jin Hyok     │
                                              │      Sept 2018; Yakubets / Evil Corp Dec 2019; LockBitSupp May    │
                                              │      2024; Storm/Semenov Aug 2023; many more)                     │
                                              │                                                                   │
                                              │   • Coordinated takedowns                                         │
                                              │     (Operation Tovar June 2014; Operation Wirewall May 2014;      │
                                              │      AlphaBay/Hansa July 2017; Operation Trojan Shield June 2021; │
                                              │      Hydra April 2022; Tornado Cash sanctions Aug 2022;           │
                                              │      ChipMixer March 2023; Genesis Market April 2023;             │
                                              │      Qakbot Aug 2023; BreachForums March 2023 + May 2024;         │
                                              │      Operation Cronos / LockBit February 19 2024)                 │
                                              │                                                                   │
                                              └───────────────────────────────────────────────────────────────────┘

Figure 7.2 — The 2026 criminal-economy organizational chart, the criminal-actor-perspective version of the Vol 4 §6 pipeline. The Initial Access Brokers feed the RaaS-operator-and-affiliate layer; the affiliates handle the intrusion work and pay the operator a revenue share; the proceeds flow into the laundering layer; OFAC sanctions, DoJ indictments, and coordinated takedowns operate as an enforcement overlay across all three layers. The diagram simplifies a more-complex market — many actors play multiple roles; specialization is a tendency rather than a rule — but the structural pattern is recognizable across threat-intel reporting.

Role | Function | Revenue model | Typical organization | Detection signal | Major prosecution
--- | --- | --- | --- | --- | ---
Initial Access Broker (IAB) | Acquire and resell access to victim networks | Per-listing sale, $200–$50,000+ | Individual operator or small team (1–5) | Listing patterns observable via threat-intel monitoring | Various; ongoing
RaaS Operator | Develop and maintain ransomware kit + back-end | Revenue share from affiliates (20–30%) | Structured organization (50–100+) | Branded leak site; kit-specific encryption signatures | LockBitSupp (Khoroshev) May 2024; Conti / Wizard Spider various; REvil affiliates 2022
RaaS Affiliate | Deploy ransomware against acquired access | Bulk of ransom payment (70–80%) | Individual operator or small team | TTPs visible in victim incident response | Yaroslav Vasinskyi (REvil) sentenced May 2024; various others
Negotiator | Handle ransom-payment conversations with victims | Salary / share of negotiated payment | Subteam of RaaS organization | Negotiation-channel patterns | Embedded in RaaS prosecutions
Money launderer | Operate mixers, chain-hopping, OTC, conversion-to-fiat | Per-transaction fee (1–10% typical) | Variable — protocols (Tornado Cash), individuals (Helix’s Harmon), exchanges (Suex) | Chain-analytics tracing | Harmon (Helix) 2020; Storm/Semenov (Tornado Cash) Aug 2023; Nguyen (ChipMixer) 2023
Forum operator | Run the darknet-marketplace infrastructure for the criminal-economy market | Listing / commission / membership fees | Individual or small team | Forum-takedown actions | Pompompurin (BreachForums) March 2023; various
Nation-state operator | Execute tasking against intelligence-priority targets | State salary | Intelligence-service unit | TTPs and infrastructure consistent with attributed group | Park Jin Hyok (Lazarus) Sept 2018; PLA Unit 61398 May 2014; GRU Mueller July 2018; various others

Table 7.5 — Criminal-economy roles and their structural features. The role-specialization pattern documented here is the modal 2026 organization; smaller-scale operations consolidate multiple roles into individual operators, and the role boundaries blur at the edges. The “Major prosecution” column lists representative public-record cases; the full prosecution history is in DoJ press release archives and the threat-intel literature.

6.7 Takedown landmarks

The law-enforcement-action cadence across 2010–2026 is the second load-bearing structural feature of the criminal economy (the first being the role-specialization map). Each major takedown has restructured the ecosystem to some degree; the cumulative effect is substantial.

                                Takedown Landmarks 2010–2026

  2010  ─┬─
  2011  ─┤
  2012  ─┤
  2013  ─┤   Liberty Reserve seizure (May 2013) — early cryptocurrency-laundering enforcement
        │   Silk Road seized (October 2013) — first major dark-market takedown

  2014  ─┤   Operation Wirewall (May 2014) — Blackshades RAT, 90+ arrests
        │   Operation Tovar (June 2014) — Gameover Zeus / CryptoLocker / Bogachev
  2015  ─┤
  2016  ─┤   Avalanche infrastructure takedown (Dec 2016)

  2017  ─┤   AlphaBay + Hansa coordinated takedown (July 2017) — dark-market disruption
  2018  ─┤   Mueller GRU indictment (July 13, 2018)
        │   Park Jin Hyok complaint unsealed (Sept 6, 2018) — Lazarus attribution
  2019  ─┤   Bestmixer.io takedown (May 2019)
        │   Evil Corp OFAC sanction + Yakubets indictment (Dec 5, 2019)
  2020  ─┤   Trickbot disruption (Oct 2020) — Microsoft + Cyber Command

  2021  ─┤   Emotet takedown (January 2021) — Europol
        │   DarkSide (Colonial Pipeline) infrastructure seized + $2.3M recovered (June 2021)
        │   Operation Trojan Shield (June 2021) — ANOM sting; 800 arrests across 17 countries
        │   Suex OTC OFAC sanction (Sept 21, 2021) — first sanctioned crypto exchange

  2022  ─┤   REvil arrests in Russia (January 2022; operation effectively ended late 2021)
        │   Conti chat-log leak (February 27, 2022) — internal disruption
        │   Hydra Market takedown (April 5, 2022) — joint U.S./German action
        │   Garantex OFAC sanction (April 5, 2022)
        │   Tornado Cash OFAC sanction (August 8, 2022) — first protocol designation

  2023  ─┤   ChipMixer takedown (March 15, 2023) — joint U.S./German/Belgian/Polish
        │   BreachForums shutdown + Pompompurin arrest (March 2023)
        │   Genesis Market takedown (April 4–5, 2023) — Operation Cookie Monster
        │   Qakbot takedown (August 29, 2023)
        │   Storm + Semenov Tornado Cash indictment (August 2023)

  2024  ─┤   Operation Cronos / LockBit (February 19, 2024) — UK NCA + FBI + Europol
        │   BlackCat / ALPHV exit-scam (March 2024)
        │   LockBitSupp (Khoroshev) unsealing + OFAC sanction (May 2024)
        │   BreachForums second takedown (May 2024)

  2025  ─┤   Tornado Cash designation narrowing (March 2025) post-Van Loon
        │   Various ongoing enforcement actions

  2026  ─┴─  Continued cadence

Figure 7.3 — Takedown landmarks 2010–2026. The cumulative enforcement work has substantially restructured the ecosystem; specific operations have produced specific structural effects (Operation Tovar removed Gameover Zeus and CryptoLocker; Operation Cronos disrupted LockBit; the Tornado Cash sanction and subsequent indictment changed the cryptocurrency-laundering risk calculus). The post-2024 ecosystem is more fragmented than the pre-2024 ecosystem; whether the fragmentation persists is a 2025-and-forward question.


7. Famous figures

Five black-hat figures, treated factually from public record. Each profile names what they did, when, the charges, and the disposition; where press myth diverges from the court record, the divergence is flagged. The selection emphasizes cases where the public record is well-documented and where the case has structural significance to the criminal-economy history this volume describes. Kevin Mitnick — the canonical black-hat figure of the pre-1995 manhunt era — is covered at full length in Vol 3 §8; this volume cross-references that treatment rather than duplicating it.

No glamorization, no dismissal. Each profile is a factual account drawn from court documents, DoJ press releases, and established journalism. The point is not to lionize the figures — the conduct each is named for caused substantial harm to specific victims — but also not to caricature them. The structural lessons each case teaches about the criminal economy are the analytical objective.

7.1 Albert Gonzalez — the TJX / Heartland breach and the modern card-theft template

Mug shot of Albert Gonzalez, taken by the U.S. Secret Service and distributed by the U.S. Attorney for New Jersey at the August 17, 2009 announcement of his federal indictment in connection with the Heartland Payment Systems breach. Gonzalez was simultaneously charged in three federal districts (Massachusetts, New York, New Jersey) covering the TJX, Dave & Buster's, and Heartland breaches. He pleaded guilty across all three in 2009–2010 and was sentenced March 25, 2010 to 20 years in federal prison — at the time, the longest U.S. sentence ever imposed for a computer-fraud case. Photo: File:Albert-gonzalez.jpg by U.S. Secret Service/US Attorney for New Jersey. License: Public domain. Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3AAlbert-gonzalez.jpg).

Figure 7.4 — Albert Gonzalez, U.S. Secret Service mug shot released at the August 17, 2009 Heartland indictment announcement. File:Albert-gonzalez.jpg by U.S. Secret Service/US Attorney for New Jersey. License: Public domain. Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3AAlbert-gonzalez.jpg).

Albert Gonzalez (b. 1981) was the operator behind the largest credit-card-theft cases of the mid-2000s — the TJX Companies breach (2005–2007, approximately 45.6 million card numbers exfiltrated), the Dave & Buster’s breach (2007), and the Heartland Payment Systems breach (2007–2008, approximately 130 million card numbers exfiltrated — the largest credit-card breach in U.S. history at the time) [11]. Gonzalez operated under multiple handles including segvec, soupnazi, and cumbajohnny; the operations involved SQL-injection attacks against the victim companies’ web infrastructure followed by deployment of memory-resident sniffer software on payment-processing systems that captured card data at the point of swipe. The exfiltrated data was sold through carder forums (ShadowCrew and successor venues) and through direct-sale channels Gonzalez and his co-conspirators maintained.

Gonzalez was arrested in May 2008 in Miami; his initial cooperation with U.S. authorities under the cumbajohnny handle dated to a 2003 arrest for ATM-fraud activities, after which he had become a paid Secret Service informant — and then continued committing the TJX and Heartland breaches while operating as an informant. The dual-role aspect was central to the press coverage and to the sentencing argument; James Verini’s lengthy 2010 New York Times Magazine piece “The Great Cyberheist” [12] is the canonical mainstream-press treatment of the case and remains the best single-source narrative of the Gonzalez operations.

Gonzalez pleaded guilty in the Eastern District of New York and the District of Massachusetts in September 2009, and in the District of New Jersey in December 2009. He was sentenced on March 25, 2010 to 20 years in federal prison — the longest U.S. sentence for a computer-fraud case at the time of sentencing [13]. He is scheduled for release in 2027; his post-conviction trajectory is not currently public.

Why the case matters historically. The Gonzalez operations established the modern card-theft template: web-application-vulnerability initial access, memory-resident sniffer software on payment systems, dark-market resale of the captured data. The structural pattern recurred through subsequent major breaches (the 2013 Target breach by the FIN6 / Carbanak lineage; the 2014 Home Depot breach by the same lineage; many others) and is, in the 2020s, still the modal pattern for payment-card theft. The case is also a cautionary lesson about the informant-and-criminal duality — the fact that Gonzalez was a paid Secret Service informant while committing the largest credit-card breaches in U.S. history at that point is the kind of detail the court records flag explicitly. The stacked-charge geometry the indictments displayed (CFAA + wire fraud + aggravated identity theft + access-device fraud + conspiracy) is the canonical example of modern federal-cybercrime prosecution.

7.2 Max Butler (“Iceman”) — CardersMarket and the consolidation strategy

Max Ray Butler (b. 1972), operating under the handles Max Vision, Iceman, Aphex, and Digits, was the figure behind the CardersMarket consolidation of 2006 — the operation that seized four major rival carding forums by hostile takeover and consolidated their user bases under Butler’s control. The case is the canonical example of the criminal-economy market-consolidation pattern and is the subject of Kevin Poulsen’s 2011 book Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground [14], which remains the best single source on Butler and on the mid-2000s carder economy.

Butler’s trajectory had two distinct phases. The first was a 1996–2001 period of grey-hat security research that ended in his arrest for a 1998 mass-patching operation (he had used a vulnerability to install patches on approximately 40,000 Pentagon and U.S. government systems — without authorization — to fix the underlying flaw before it could be exploited); he served 18 months in federal prison, was released in 2002, and immediately returned to underground activity. The second phase (2002–2007) was the carder-economy operations: building and operating the CardersMarket forum, executing the 2006 hostile-takeover consolidation of DarkMarket, ScandinavianCarding, TheVouched, and StealthDivision into a single CardersMarket platform under his control, and operating one of the largest credit-card-resale operations of the period.

Butler was arrested September 5, 2007 in San Francisco. The investigation that led to his arrest was a multi-year FBI / Secret Service operation that included substantial informant work by other carder-economy figures (most notably Christopher Aragon and David Thomas / El Mariachi). Butler pleaded guilty in June 2009 to two counts of wire fraud and was sentenced February 12, 2010 to 13 years in federal prison — at the time of sentencing, the longest U.S. sentence for computer-hacking offenses [15]. He served the sentence; his release date is not publicly cataloged.

Why the case matters historically. Butler’s CardersMarket consolidation is the canonical example of the unification-by-hostile-action pattern in the criminal economy — a pattern that recurs in subsequent decades whenever the criminal-economy market structure has been disrupted. The Iceman case also illustrates the trajectory pattern where a grey-hat researcher (Butler’s 1996–2001 phase) crosses into the black-hat criminal economy without intermediate steps; the structural lesson is that the grey-hat-to-black-hat transition is, for some practitioners, fast and final. Poulsen’s Kingpin is consistently cited in the field’s criminal-economy literature for the depth of its reconstruction; for the volume’s purposes, Butler is the canonical Phase-1-to-Phase-2 trajectory case.

7.3 Evgeniy Mikhailovich Bogachev — Gameover Zeus, CryptoLocker, and the FBI’s largest cyber bounty

Evgeniy Mikhailovich Bogachev (b. 1983), operating under handles Slavik, Lucky12345, and several others, was the operator of the Gameover Zeus banking-trojan botnet (2011–2014) and of the CryptoLocker ransomware family (September 2013 – May 2014) that the Gameover Zeus botnet distributed. The dual operations together extracted approximately $100M+ from victim financial institutions (the Gameover Zeus banking fraud) and approximately $27M in CryptoLocker ransom payments before being disrupted by Operation Tovar (May–June 2014) — a joint FBI / UK NCA / Europol / private-sector takedown that seized the Gameover Zeus infrastructure, recovered the CryptoLocker decryption keys (allowing free decryption for surviving victims), and produced sealed and subsequently unsealed indictments against Bogachev [16].

Bogachev was indicted by a grand jury in the Western District of Pennsylvania on multiple counts in August 2012 (sealed indictment); the indictment was unsealed June 2, 2014 to coincide with the Operation Tovar announcement. He was simultaneously charged in the District of Nebraska. The FBI placed Bogachev on its Cyber’s Most Wanted list with a $3 million reward for information leading to his arrest or conviction — at the time the largest cyber bounty ever offered by the U.S. government [17] (the bounty was subsequently exceeded by the Yakubets / Evil Corp $5M reward in 2019, §7.5 below).

Bogachev remains at large in Russia. The U.S. government’s December 2016 OFAC sanctions designation against Bogachev specifically alleged that the Gameover Zeus and CryptoLocker operations had been used by the Russian intelligence services to collect intelligence from victim systems — a designation that the New York Times subsequently corroborated with additional reporting in March 2017. The dual-purpose framing (criminal monetization + state-aligned intelligence collection) is the canonical example of the criminal-economy / nation-state-aligned tier boundary blurring at the operator level.

Why the case matters historically. Bogachev is the canonical figure for the criminal-economy / state-aligned-operations boundary case. The CryptoLocker operation was the inflection point that established modern ransomware as a commercial product (Vol 4 §6.2 walked this); Bogachev’s role as the operator who pioneered the asymmetric-cryptographic locking + Bitcoin payment model produces the lineage that runs through to LockBit and BlackCat and the current RaaS ecosystem. The case is also the canonical example of the protected-jurisdiction problem — a named, indicted federal fugitive who has lived openly in Russia for over a decade with no realistic extradition path. The U.S. government’s $3M bounty has produced no arrest; Bogachev remains the most-wanted single cyber criminal in the U.S. federal system at the operator-individual level.

7.4 Park Jin Hyok — Lazarus Group, WannaCry, and the state-aligned-operator template

FBI Wanted poster for Park Jin Hyok, distributed at the September 6, 2018 unsealing of the criminal complaint in the Central District of California. The complaint, filed under seal on June 8, 2018, charges Park as a Chosun Expo Joint Venture front-company employee operating as a Reconnaissance General Bureau / Lab 110 operative within DPRK Lazarus Group; the named operations include the November 2014 Sony Pictures Entertainment attack, the February 2016 Bangladesh Bank SWIFT theft (attempted $951M, completed $81M), the May 2017 WannaCry ransomware outbreak, and additional targeting of U.S. defense contractors, entertainment companies, and financial institutions. Photo: File:Cartel de la orden de captura de Park Jin Hyok.png by FBI. License: Public domain. Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3ACartel%20de%20la%20orden%20de%20captura%20de%20Park%20Jin%20Hyok.png).

Figure 7.5 — FBI Wanted poster for Park Jin Hyok, released at the September 6, 2018 unsealing of the criminal complaint. File:Cartel de la orden de captura de Park Jin Hyok.png by FBI. License: Public domain. Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3ACartel%20de%20la%20orden%20de%20captura%20de%20Park%20Jin%20Hyok.png).

Park Jin Hyok (b. approximately 1984) is the named operator in the DPRK Lazarus Group criminal complaint filed under seal on June 8, 2018 in the Central District of California and unsealed on September 6, 2018 [18]. The complaint names Park as a Reconnaissance General Bureau (RGB) / Lab 110 operative operating under the cover of the Chosun Expo Joint Venture (CEJV), a DPRK-government front company variously based in Dalian, China and Pyongyang. The named operations:

  • The November 2014 Sony Pictures Entertainment attack — destructive intrusion that exfiltrated and publicly leaked approximately 100 terabytes of internal Sony Pictures data, ostensibly in retaliation for the studio’s planned theatrical release of The Interview (a satirical comedy depicting the assassination of Kim Jong Un). The attack used the “Guardians of Peace” persona; the U.S. government attributed the attack to DPRK in December 2014, and the 2018 Park complaint provided the engineering specificity behind that attribution.
  • The February 2016 Bangladesh Bank SWIFT theft — the most ambitious bank fraud in history. The attackers compromised Bangladesh Bank’s SWIFT terminal and issued $951M in fraudulent transfer requests to the New York Federal Reserve; routing-bank checks intercepted the bulk of the transfers, but $81M was completed and moved through accounts at the Philippine bank RCBC and into casinos before being effectively lost. The case is treated at length in the threat-intel literature and in the Bloomberg / New York Times coverage.
  • The May 2017 WannaCry ransomware outbreak — 200,000–300,000 systems across 150+ countries in approximately 4 days. Vol 4 §6.3 walked the incident; the Park complaint provided the engineering attribution to Lazarus. Estimated global financial damage: $4 billion+.
  • Additional targeting — U.S. defense contractors, entertainment companies, and financial institutions; the complaint catalogs the broader Lazarus operational tempo.

Park remains in DPRK and has not been extradited. The September 2018 complaint and the subsequent September 2018 OFAC sanctions designation (against Park, CEJV, and others) are the public-record artifacts; the engineering attribution work behind the complaint (the technical analysis linking the operations to a single actor group) was performed by FBI, NSA, and substantial private-sector contributions (Mandiant, Kaspersky GReAT, CrowdStrike, BAE Systems).

Why the case matters historically. Park Jin Hyok is the canonical state-aligned-operator template case. The complaint and the OFAC designation together demonstrate the U.S. government’s public-attribution-and-indictment-and-sanction pattern applied at the engineering specificity that emerged through the 2014–2018 window (Vol 4 §4.2). The case is also the canonical Lazarus-Group operational profile reference — the same actor group that produced the 2014 Sony attack, the 2016 Bangladesh Bank heist, and the 2017 WannaCry outbreak is the same group that produces the 2017–2026 DPRK cryptocurrency-theft pattern (Ronin Bridge $625M in March 2022 is the most-cited recent operation). The hybrid criminal-and-state-aligned framing is most starkly visible in this case: Park is, simultaneously, a state intelligence officer (from the DPRK perspective) and a charged federal cyber criminal (from the U.S. perspective).

7.5 Maksim Yakubets (“Aqua”) — Evil Corp / Indrik Spider / Dridex and the $5M bounty

Maksim Viktorovich Yakubets, U.S. Department of Justice image released at the December 5, 2019 indictment unsealing in the Western District of Pennsylvania. Yakubets is the named operator of the Bugat / Cridex / Dridex banking-trojan family operated by the Evil Corp / Indrik Spider group; the DoJ press release and the simultaneous Treasury OFAC action designated Evil Corp as a sanctioned entity, naming Yakubets as the principal and offering a $5 million reward for information leading to his arrest or conviction — at the time of issuance, the largest single cyber bounty in U.S. history. Photo: File:Maksim Yakubets.jpg by U.S. Department of Justice. License: Public domain. Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3AMaksim%20Yakubets.jpg).

Figure 7.6 — Maksim Yakubets, U.S. DoJ image released at the December 5, 2019 Evil Corp indictment and OFAC sanctions announcement. File:Maksim Yakubets.jpg by U.S. Department of Justice. License: Public domain. Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3AMaksim%20Yakubets.jpg).

Maksim Viktorovich Yakubets (b. 1987), operating under the handle Aqua and several others, is the named principal of the Evil Corp / Indrik Spider criminal organization and the operator of the Bugat / Cridex / Dridex banking-trojan family. Evil Corp’s operations across 2014–2019 are estimated to have extracted approximately $100M+ from financial-institution victims globally via banking-trojan-driven fraudulent transfers; the operation also pivoted into ransomware (BitPaymer, then WastedLocker, then Hades) across the 2017–2020 window as the banking-trojan monetization model became less reliable.

Yakubets was indicted in the Western District of Pennsylvania on December 5, 2019 on counts of conspiracy to commit wire fraud, bank fraud, and computer fraud [19]. Simultaneously, OFAC sanctioned Evil Corp as a designated criminal organization — naming Yakubets, Igor Turashev, and several other named principals — and the U.S. State Department announced a $5 million reward for information leading to Yakubets’s arrest or conviction, the largest single cyber bounty in U.S. history at the time of issuance [20] (subsequently matched and exceeded by some specific case bounties but unmatched at the issuance date).

Yakubets remains at large in Russia. The OFAC sanctioning of Evil Corp (December 2019) had two consequential downstream effects: first, it made ransom payment to Evil Corp’s ransomware operations potentially a sanctions violation by the victim organization (which Evil Corp responded to by rebranding its ransomware multiple times — BitPaymer, then WastedLocker, then Hades, then PhoenixCryptoLocker, then Macaw — to evade victim-organization sanctions-compliance review); second, it established the modern template for combined-indictment-and-sanctions response that the U.S. government has subsequently applied to other ransomware organizations (the May 2024 LockBitSupp / Khoroshev unsealing was the same pattern at a different scale).

On October 1, 2024, the UK NCA, the U.S. Treasury (OFAC), and Australia’s DFAT executed a coordinated trilateral expansion of the Evil Corp sanctions — the UK Foreign, Commonwealth & Development Office (FCDO) designated 16 individuals (including the original seven OFAC-2019 names plus newly-named family members Viktor Grigoryevich Yakubets — Maksim’s father — and Artem Viktorovich Yakubets — Maksim’s brother). The simultaneous DoJ indictment of Aleksandr Ryzhenkov — described in the U.S. indictment as Yakubets’s right-hand man — charged Ryzhenkov with deploying the BitPaymer ransomware family against numerous victims; the NCA’s Operation Cronos work (the February 2024 LockBit takedown, §6.7 above) identified Ryzhenkov as a LockBit affiliate, establishing a previously-undocumented operational link between Evil Corp and LockBit. The NCA’s contemporaneous “Evil Corp: Behind the Screens” public-record document put the cumulative-extortion figure at “at least $300M” from global victims across healthcare, critical national infrastructure, and government sectors.

Why the case matters historically. Yakubets is the canonical post-2019-OFAC-enforcement-era case. The dual-action approach (indictment + sanctions simultaneously) became the standard U.S. government response to identified ransomware operators in the subsequent years; the LockBitSupp case in May 2024 is the most-recent application. The Evil Corp rebrand-treadmill (Yakubets’s response to the sanctioning) is the canonical demonstration that sanctions can shape but not eliminate the operator’s behavior. The case is also the canonical example of the unreachable-but-named operator pattern — Yakubets has lived openly in Russia for over a decade with no realistic extradition path, but the indictment, sanctions, and bounty have produced substantial operational friction for his organization.

7.6 Kevin Mitnick — cross-reference to Vol 3

Kevin Mitnick (b. 1963, d. 2023) is the canonical pre-1995 black-hat-era figure and is treated at full length in Vol 3 §8. This volume cross-references Vol 3 rather than re-telling the story. The summary for the famous-figures context: Mitnick’s 1980s and early-1990s unauthorized-access operations against Motorola, Nokia, Sun Microsystems, Fujitsu Siemens, and dozens of other targets — predominantly motivated by curiosity rather than monetization — produced the manhunt-era press coverage that established the lone-wolf-hacker archetype for the 1990s. Mitnick was arrested February 15, 1995, served 4.5 years of pre-trial detention plus a sentence, was released in 2000, and built a successful security-consulting practice (Mitnick Security Consulting; later joined KnowBe4 as Chief Hacking Officer) that he continued until his death in 2023. The Mitnick case is the canonical pre-criminal-economy lone-wolf black-hat trajectory and the canonical case study in how the press narrative around an indicted hacker can diverge from the court record — Vol 3 §8.5 walks the divergence with historiography sourced from Markoff, Littman, and Mitnick’s own Ghost in the Wires.

Why the case matters historically for this volume. Mitnick is the bridge case between the pre-criminal-economy lone-wolf era and the criminal-economy era this volume describes. The conduct that produced Mitnick’s prosecution (unauthorized access for curiosity; substantial social-engineering use; no monetization) is structurally different from the modal black-hat conduct of the 2020s (monetization-driven; structured organizations; specialized roles). The trajectory difference is also instructive — Mitnick’s post-prison career as a working consultant is the canonical recovery case, parallel to Robert Morris’s MIT-faculty trajectory (Vol 3 §5) and unlike the Bogachev / Yakubets / Park / Khoroshev cases where no public-record recovery has occurred.

7.7 The figures roster

| Figure | Era | Operations | Charges + disposition | Why it matters |
|---|---|---|---|---|
| Albert Gonzalez | 2003–2008 | TJX (45.6M cards); Heartland (130M cards); Dave & Buster’s | Pled guilty 2009–2010; sentenced 20 years March 25, 2010 — longest U.S. computer-fraud sentence at the time | Modern card-theft template; informant-and-criminal duality; stacked-charge geometry |
| Max Butler (“Iceman”) | 2002–2007 | CardersMarket hostile-takeover consolidation; carder-economy operation | Pled guilty 2009; sentenced 13 years Feb 12, 2010 | Criminal-economy market-consolidation pattern; grey-to-black trajectory; Poulsen Kingpin canonical reference |
| Evgeniy Bogachev | 2011–2014 | Gameover Zeus; CryptoLocker | Indicted W.D. Pa. 2012 (sealed) / 2014 (unsealed); $3M FBI bounty; at large in Russia | Criminal-economy / state-aligned boundary case; modern ransomware lineage; protected-jurisdiction problem |
| Park Jin Hyok | 2014–present | Sony Pictures (2014); Bangladesh Bank (2016, $81M); WannaCry (2017) | Complaint filed C.D. Cal. June 8, 2018 (sealed); unsealed Sept 6, 2018; OFAC sanctioned; in DPRK | State-aligned-operator template; Lazarus Group operational profile; hybrid criminal-and-state framing |
| Maksim Yakubets (“Aqua”) | 2014–present | Bugat/Cridex/Dridex; BitPaymer / WastedLocker; Evil Corp | Indicted W.D. Pa. Dec 5, 2019; OFAC sanctioned; $5M bounty (largest at issuance); at large in Russia | Post-2019 combined indictment-and-sanctions template; unreachable-but-named pattern |
| Kevin Mitnick | 1980s–1995 (criminal era) | Unauthorized access vs. Motorola, Nokia, Sun, Fujitsu, etc. — curiosity-driven, not monetization | Arrested Feb 15, 1995; served 4.5 yr pre-trial + sentence; released 2000; d. 2023 | Pre-criminal-economy lone-wolf canonical case; recovery-trajectory case; Vol 3 §8 for full treatment |

Table 7.6 — The famous-figures roster in shorthand. Each entry is sourced from DoJ press releases, court documents, and established journalism; the in-prose treatment above carries the citations. The selection is not exhaustive — many other figures (Roman Seleznev / Track2; Aleksei Burkov / Cardplanet; the LockBit affiliates; the various indicted Russian, Chinese, Iranian, DPRK state-aligned operators; the various BEC-tier West African operators) belong in a longer roster. The five chosen here cover the modern card-theft template (Gonzalez), the market-consolidation pattern (Butler), the criminal-economy / state-aligned boundary (Bogachev), the state-aligned-operator template (Park), and the post-2019 OFAC-enforcement template (Yakubets), with the cross-reference to the canonical pre-criminal-economy case (Mitnick).


8. Callouts and cross-references

This section makes the volume’s load-bearing callouts and cross-references explicit, including the mandatory danger callout that every black-hat-content volume in this series carries.

8.1 The mandatory danger callout

The legal line — danger callout. This volume describes the criminal economy and the actors inside it from public-record sources. It is not a manual. The technical content above is at the category-and-lineage level; it does not describe how to execute any specific intrusion, how to evade detection, how to handle proceeds, how to recruit affiliates, or how to bypass attribution. The named figures in §7 are each currently incarcerated, sanctioned, named on the FBI Cyber’s Most Wanted list with multi-million-dollar bounties, or all three. The operations they conducted produced specific concrete harm to specific victims — financial-institution customers, ransomware-paying organizations, government targets — and the legal consequences they faced are the rule rather than the exception in 2026 federal cybercrime prosecution. The CFAA, the wire-fraud statute, the conspiracy statute, the aggravated-identity-theft statute, the money-laundering statutes, and the IEEPA sanctions-evasion statute stack in the modern federal case; the Gonzalez 20-year sentence and the Butler 13-year sentence are not outliers but the modal disposition for high-volume cases. For the full legal framing — CFAA statutory walkthrough at §2, Van Buren analysis, the international scene including the Computer Misuse Act 1990 and the Budapest Convention, stacked-charge geometry, OFAC sanctions enforcement, and the modern federal-prosecutorial decision matrix — see Vol 19 (the legal line and ethics). This volume’s purpose is to make the adversary visible to the practitioner whose work is on the other side of the line; the operational content belongs in the defensive (Vol 10) and authorized-offensive (Vol 6, Vol 11) volumes, not here.

8.2 The look-here cross-reference callout

Where to read next. For the historical lineage — proto-hacking, the Morris Worm, the Mitnick manhunt, the LoD / MoD / Phrack / 2600 era — see Vol 3. For the modern history — pentest professionalization, nation-state hacking and the APT taxonomy, the bug-bounty economy, ransomware-as-a-business including the Vol 4 §6 treatment that this volume’s §6 builds on — see Vol 4. For the two-axis framing of the hat metaphor (authorization-vs-engagement-role) that this volume’s §1 builds on — see Vol 5 §6. For the white-hat treatment that establishes the other end of Axis 1 and the authorization-paperwork stack that black-hat operators by definition lack — see Vol 6. For the grey-hat treatment that occupies the unauthorized-but-constructive position on Axis 1 — see Vol 8. For the blue-hat defender response to the adversary this volume describes — see Vol 10. For the red-team treatment of sanctioned adversary emulation that uses some of the same capabilities — see Vol 11. For the full legal-and-ethics framing — the canonical reference for everything in §1, §6.4, and §8.1 above — see Vol 19.

8.3 Cross-references to other hat volumes

The black-hat treatment sits at the unauthorized-malicious end of Axis 1 (Vol 5 §6.1); the rest of the spectrum is treated in:

  • Vol 6 (White hat) — the authorized end of Axis 1. The behavioral signature on the wire is often identical; the legal status is opposite. Vol 6 §1 reinforces the boundary from the white-hat side; this volume’s §1.1 reinforces it from the black-hat side.
  • Vol 8 (Grey hat) — the unauthorized / constructive case. The most subtle boundary against black-hat work; the constructive-disclosure literature lives here. Vol 8 §1 will treat the case from the grey-hat side; this volume’s §1.2 sketches the malicious-versus-constructive distinction.
  • Vol 9 (Green hat) — the newcomer / on-ramp. The transition that a black-hat-curious newcomer faces is treated here; the question of “how does someone become a black-hat operator” is more usefully framed as the green-hat-transition-failure case in Vol 9 than as a black-hat recruitment pipeline.
  • Vol 10 (Blue hat — defender) — the defender’s response to the adversary this volume describes. The §3 tooling map and §4 lifecycle treatment are the inputs to Vol 10’s defensive treatment.
  • Vol 11 (Red hat — adversary emulation) — sanctioned adversary emulation that uses some of the same capabilities (per Vol 6 §3.3). Vol 11 treats the red-team engagement that explicitly emulates specific black-hat operators or operations.
  • Vol 12 (Purple hat — collaborative integration) — the practice that integrates the offensive (red-team / Vol 11) emulation of black-hat capability with the defensive (blue-team / Vol 10) detection-and-response. Both halves derive from this volume’s §3 and §4 material.

8.4 Cross-references to the historical and meta volumes

8.5 Cross-references to the Hack Tools deep dives

The §3 toolchain section linked the per-tool engineering treatments. The canonical cross-references where the black-hat use case differs from the white-hat use case in targeting and authorization, not in technique:

  • HackRF One deep dive — wideband SDR (1 MHz – 6 GHz). The black-hat use case adds rolling-code-replay automotive attacks, GSM/4G/LTE interception (nation-state-aligned), IMSI catcher operational profile.
  • Flipper Zero deep dive — integrated sub-GHz / RFID / NFC / IR. The black-hat use case adds opportunistic-encounter badge cloning, garage-opener and gate-remote theft, occasional vehicle-key replay.
  • WiFi Pineapple deep dive — the most posture-sensitive tool in the Hack Tools project. Criminal use case is rogue-AP-driven credential capture against unsuspecting wireless clients in public spaces; the Pineapple deep dive §1 explicitly flags this.
  • Proxmark3 RDV4 directory — lab-grade RFID/NFC research. Black-hat use case is the higher-sophistication credential-cloning attacks against the proprietary credential ecosystems.
  • Ducky Script deep dive — Hak5 HID-injection family. Black-hat use case includes the “found USB” attack family and the O.MG Cable covert HID-injection profile; the Ducky Script deep dive §1 also flags this as posture-sensitive.
  • ESP32 Marauder Firmware deep dive — open-source Wi-Fi/BLE pentest firmware that overlaps with the Pineapple’s capability map at much lower cost.
  • Rayhunter directory — the defender’s-view IMSI-catcher detection project, the structural countermeasure to the SDR-based IMSI-catcher black-hat use case.

8.6 Cheatsheet bullets — Vol 20 candidates

The following one-liners are the load-bearing rules of the black-hat treatment, destined for Vol 20’s laminate-ready synthesis:

  • Authorization is binary; the black hat sits on the wrong side by definition. The CFAA “without authorization” framing is the load-bearing concept.
  • In 2026, “black hat” rarely means a lone-wolf villain. It typically means an actor inside a structured criminal-economy organization: IAB, RaaS affiliate, RaaS operator, money launderer, nation-state-aligned operator.
  • The discriminator from authorized work is authorization, not gear. White hats and black hats use largely the same tooling; the legal status is determined by the SOW, not by what’s in the kit.
  • The federal prosecution stacks charges. CFAA + wire fraud + conspiracy + aggravated identity theft + money laundering + IEEPA. The Gonzalez 20-year sentence is the modal disposition for high-volume cases.
  • The IAB-to-RaaS-affiliate-to-operator-to-launderer pipeline is the canonical 2026 organizational map. Each role is a specialized commercial function; the market is efficient.
  • OFAC sanctions have restructured the laundering layer. The load-bearing designations are Tornado Cash (Aug 8, 2022), ChipMixer (Mar 2023), and the per-individual designations against Bogachev, Yakubets, Khoroshev, and many others.
  • The protected-jurisdiction problem is structural. Bogachev, Yakubets, Khoroshev, Park all live openly in jurisdictions with no realistic U.S. extradition path. Indictment + bounty + sanction is the modal U.S. response when extradition is unavailable.
  • Persistence is the load-bearing operational difference from authorized work. Black hats invest in persistence; white hats remove it. Cleanup-as-obstruction is the black-hat analog of the authorized-engagement cleanup-as-restore-to-baseline.
  • The day-in-the-life is reconstructed from public records. The Conti chat-log leak of February 2022 is the canonical primary source for what a tier-1 RaaS operation’s internal life looks like.

9. Resources

The footnoted bibliography for this volume. Sources are organized by category for easier scanning.

9.2 Conti chat-log leak — primary source for §5.1

9.3 Threat-intel firms (IAB and criminal-economy market surveillance) — §5.2 and §6

9.4 OFAC sanctions designations and cryptocurrency-laundering enforcement — §6.4

9.5 DoJ press releases for named figures — §7

9.6 Threat-intel reports — APT taxonomy and operations

The following industry-reference reports are the load-bearing sources for the §4, §5.3, and §6.5 treatments:

  • Mandiant (now Google Cloud), “M-Trends” annual report series (2011–present). https://www.mandiant.com/m-trends. The single most-cited annual threat-intel reference; the 2013 APT1 report (referenced in Vol 4 §4) is the canonical state-aligned attribution document. M-Trends 2024 covers the 2023 landscape; M-Trends 2025 covers 2024.
  • CrowdStrike Global Threat Report annual series (2014–present). https://www.crowdstrike.com/global-threat-report/. The CrowdStrike adversary-naming taxonomy (Spider for criminal, Bear for Russian, Panda for Chinese, Chollima for DPRK, Kitten for Iranian) is the canonical alternative to the Mandiant APT-numbering taxonomy.
  • Microsoft Digital Defense Report annual series (2020–present). https://www.microsoft.com/security/digital-defense-report. Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU) cover the broader threat landscape with substantial Microsoft-platform-specific depth.
  • Kaspersky Global Research and Analysis Team (GReAT) reports. https://securelist.com/. GReAT covers state-aligned actors that other firms sometimes do not (Iranian, Russian, occasional DPRK), with a particular strength in technical-depth attribution.
  • Recorded Future Insikt Group reports. https://www.recordedfuture.com/research. The criminal-economy market-surveillance reporting is the canonical complement to KELA and Group-IB.
  • Trend Micro Research reports. https://www.trendmicro.com/vinfo/us/security/research-and-analysis. Notable for the Conti-leak analyses (§5.1) and broader RaaS coverage.

9.7 Books — context and historical reference

  • Bruce Sterling, The Hacker Crackdown: Law and Disorder on the Electronic Frontier (Bantam, 1992). Project Gutenberg full-text: https://www.gutenberg.org/ebooks/101. The canonical period-piece for the 1990 Operation Sundevil era; reused from Vol 3.
  • Brian Krebs, Spam Nation: The Inside Story of Organized Cybercrime — from Global Epidemic to Your Front Door (Sourcebooks, 2014). ISBN 978-1402295614. Krebs’s narrative treatment of the Russian-language pharmacy-spam economy and the broader carder-economy ecosystem; the canonical mid-decade primary reference.
  • Kevin Poulsen, Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground (Crown, 2011). ISBN 978-0307588685. The Max Butler / CardersMarket narrative; cited above as footnote [14].
  • Andy Greenberg, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers (Doubleday, 2019). ISBN 978-0385544405. The canonical narrative treatment of the Russian GRU Unit 74455 / Sandworm operations — BlackEnergy, Ukrainian power-grid attacks, NotPetya, Olympic Destroyer. Particularly load-bearing for the §4.7 false-flag-indicator discussion (Olympic Destroyer attribution).
  • Nicole Perlroth, This Is How They Tell Me the World Ends: The Cyberweapons Arms Race (Bloomsbury, 2021). ISBN 978-1635576054. The canonical 0-day-market context; the 2020s reference for the exploit-broker ecosystem.
  • Renee Dudley and Daniel Golden, The Ransomware Hunting Team: A Band of Misfits’ Improbable Crusade to Save the World from Cybercrime (Farrar, Straus and Giroux, 2022). ISBN 978-0374603304. The canonical narrative treatment of the volunteer ransomware-decryption community (the Emsisoft / Coveware / individual-researcher network that has supplied free decryptors for many ransomware families across the 2010s and 2020s).

9.8 Mainstream press circuit

  • Krebs on Security (Brian Krebs): https://krebsonsecurity.com/. The single most-cited individual reporter on criminal-economy operations; multi-decade coverage with substantial primary-source reporting.
  • Wired cybersecurity coverage (Andy Greenberg, Lily Hay Newman, others): https://www.wired.com/category/security/. The canonical mainstream-press treatment of the major cases.
  • The New York Times cybersecurity coverage (Nicole Perlroth historically; David Sanger; others). The Verini “Great Cyberheist” piece [12] is the canonical case study in long-form journalism on the criminal economy.
  • The Washington Post cybersecurity coverage. The Cybersecurity 202 newsletter is the canonical industry-and-policy daily.
  • BBC News Technology coverage. Particularly load-bearing for European cases and for the international perspective on U.S. enforcement actions.
  • Reuters technology/cybersecurity coverage. Particularly load-bearing for breaking-news cases.

9.9 Industry-reference documents

  • MITRE ATT&CK framework: https://attack.mitre.org/. The canonical taxonomy of adversary tactics, techniques, and procedures; the load-bearing reference for §4’s lifecycle treatment.
  • CISA Known Exploited Vulnerabilities (KEV) catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog. The canonical reference for actively-exploited vulnerabilities; the baseline for the patching-discipline defensive posture.
  • DBIR — Verizon Data Breach Investigations Report annual series: https://www.verizon.com/business/resources/reports/dbir/. The canonical annual reference for the breach-investigation industry’s aggregated picture.
  • FBI Internet Crime Complaint Center (IC3) annual reports: https://www.ic3.gov/. The canonical U.S. federal reference for the financial-loss aggregate picture (BEC is consistently the highest single category by reported loss).
  • OFAC Specially Designated Nationals (SDN) list: https://sanctionssearch.ofac.treas.gov/. The canonical reference for the sanctions-designation landscape this volume’s §6.4 references.
  • Rewards for Justice — Transnational Organized Crime: https://www.rewardsforjustice.net/. The State Department’s bounty-listing reference for the named figures in §7.

End of Vol 7. The next volume in the per-hat sequence is Vol 8 (Grey hat) — the unauthorized-but-constructive case, where the boundary against this volume’s content is at its most contested.

Footnotes

  1. Computer Fraud and Abuse Act, 18 U.S.C. § 1030. Current text via Cornell Legal Information Institute: https://www.law.cornell.edu/uscode/text/18/1030. Full statutory walkthrough planned for Vol 19 §2. The 1986 enactment history and amendments are covered in Vol 3 §4.

  2. Van Buren v. United States, 593 U.S. 374 (2021). Cornell LII: https://www.law.cornell.edu/supct/cert/19-783. Vol 4 §1 walked the decision; Vol 6 §1 treated the implication for white-hat work.

  3. U.S. Department of the Treasury, OFAC, “U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash,” August 8, 2022. Press release: https://home.treasury.gov/news/press-releases/jy0916. The Specially Designated Nationals (SDN) listing for the Tornado Cash addresses is in the OFAC SDN database. The November 2024 Van Loon v. Department of the Treasury Fifth Circuit ruling narrowed the original designation; OFAC re-issued narrower designations in March 2025.

  4. The Conti chat-log leak of February 27, 2022 — approximately 60,000 Jabber messages from internal Conti operations spanning January 2020 through February 2022, released by a pseudonymous Ukrainian-affiliated leaker after Conti’s public alignment with Russia following the February 24, 2022 invasion of Ukraine. The principal analyses: Trend Micro Research, “Conti Team One Splinter Group Resurfaces” and the broader Conti-leaks coverage series, 2022; Check Point Research, “Leaks of Conti Ransomware Group Paint Picture of a Surprisingly Normal Tech Start-Up… Sort Of,” March 2022 (https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/); Mandiant, “Industrial-Scale Cybercrime: Conti and the Ransomware Economy,” 2022 analyses; BBC, “How a Ransomware Gang Behaves Like a Tech Startup,” March 22, 2022 (https://www.bbc.com/news/technology-60697474); Krebs on Security, multi-part Conti coverage series starting March 2022 (https://krebsonsecurity.com/category/conti/). The leak is, in 2026, the most-cited primary-source dataset on the inside of an active tier-1 RaaS operation.

  5. KELA Cybercrime Prevention, “Initial Access Brokers Landscape” reports, ongoing series since 2020. KELA’s company page: https://www.kelacyber.com/. The IAB-tracking series is the canonical reference for IAB market structure and pricing.

  6. Group-IB, threat-intel reporting on the IAB market across multiple annual reports; “Hi-Tech Crime Trends” report series. Company page: https://www.group-ib.com/. Group-IB founder Ilya Sachkov was arrested in Russia in September 2021 on treason charges and convicted in July 2023; the firm has subsequently relocated headquarters to Singapore. The IAB-tracking output continues.

  7. Recorded Future, Insikt Group threat-intel reporting on IABs and the broader criminal economy. Company page: https://www.recordedfuture.com/. The Insikt Group analyst-team’s published reports are the canonical reference for several criminal-economy structural questions.

  8. U.S. Attorney’s Office, Southern District of New York, “Tornado Cash Founders Charged With Money Laundering And Sanctions Violations,” August 23, 2023. Press release: https://www.justice.gov/usao-sdny/pr/tornado-cash-founders-charged-money-laundering-and-sanctions-violations. Roman Storm and Roman Semenov indicted on conspiracy to commit money laundering, conspiracy to operate unlicensed money-transmitting business, and conspiracy to violate IEEPA. Storm’s trial began July 2025; Semenov remains at large. The case is the canonical 2020s test case for legal exposure of cryptocurrency-laundering-infrastructure developers.

  9. U.S. Department of Justice and U.S. Attorney’s Office, Eastern District of Pennsylvania, “Justice Department Investigation Leads to Shutdown of Largest Online Darknet Marketplace [ChipMixer],” March 15, 2023. Press release: https://www.justice.gov/opa/pr/justice-department-investigation-leads-shutdown-largest-online-darknet-marketplace. Joint U.S./German/Belgian/Polish operation; $46M in cryptocurrency seized; operator Minh Quoc Nguyen indicted.

  10. U.S. Department of Justice, “Justice Department Investigation Leads to Takedown of Darknet Cryptocurrency Exchange Hydra Market,” April 5, 2022. Press release: https://www.justice.gov/opa/pr/justice-department-investigation-leads-takedown-darknet-cryptocurrency-exchange-hydra-market. Joint U.S./German action; operator Dmitry Pavlov indicted (remains at large).

  11. U.S. Department of Justice, “Retail Hacking Ring Charged for Stealing and Distributing Credit and Debit Card Numbers from Major U.S. Retailers — More Than 40 Million Credit and Debit Card Numbers Stolen,” August 5, 2008 (TJX indictment), and “Alleged International Hacker Indicted for Massive Attack on U.S. Retail and Banking Networks,” August 17, 2009 (Heartland indictment). Press releases archived at https://www.justice.gov/archive/opa/pr/2008/August/08-ag-689.html and https://www.justice.gov/opa/pr/alleged-international-hacker-indicted-massive-attack-us-retail-and-banking-networks.

  12. James Verini, “The Great Cyberheist,” The New York Times Magazine, November 10, 2010. https://www.nytimes.com/2010/11/14/magazine/14Hacker-t.html. The canonical mainstream-press narrative treatment of the Gonzalez operations and the modern card-theft template.

  13. U.S. Attorney’s Office, District of Massachusetts, “Computer Hacker Sentenced to 20 Years in Prison for Massive Identity Theft Scheme,” March 26, 2010 (re March 25, 2010 sentencing). U.S. Attorney’s Office, District of New Jersey, Heartland sentencing March 25, 2010 concurrently. The 20-year sentence was the longest federal U.S. computer-fraud sentence at the time of imposition.

  14. Kevin Poulsen, Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground (Crown, 2011). ISBN 978-0307588685. The canonical narrative treatment of the Max Butler / Iceman / CardersMarket consolidation; remains the load-bearing reference for the mid-2000s carder-economy literature.

  15. U.S. Attorney’s Office, Western District of Pennsylvania, “Max Butler Sentenced for Wire Fraud,” February 12, 2010. Sentencing imposed 13 years in federal prison plus $27.5M restitution; at the time, the longest U.S. sentence for computer-hacking offenses (subsequently exceeded by the Gonzalez 20-year sentence the following month).

  16. U.S. Department of Justice, “U.S. Leads Multi-National Action Against ‘Gameover Zeus’ Botnet and ‘Cryptolocker’ Ransomware, Charges Botnet Administrator,” June 2, 2014. Press release: https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware. The June 2, 2014 unsealing of the August 2012 Bogachev indictment in the Western District of Pennsylvania and the simultaneous Operation Tovar takedown.

  17. U.S. Department of State, Transnational Organized Crime Rewards Program, “Reward Offer for Information Leading to the Arrest of Evgeniy Bogachev,” February 24, 2015 ($3 million reward — the largest U.S. cyber bounty at the time of issuance). The reward listing is at https://www.rewardsforjustice.net/english/evgeniy_bogachev.html.

  18. U.S. Department of Justice, “North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions,” September 6, 2018. Press release: https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and. Criminal complaint filed under seal June 8, 2018 in the Central District of California; unsealed September 6, 2018. The 179-page complaint is the canonical engineering-attribution document for the Lazarus Group operations.

  19. U.S. Department of Justice, “Russian National Charged with Decade-Long Series of Hacking and Bank Fraud Offenses Resulting in Tens of Millions in Losses,” December 5, 2019. Press release: https://www.justice.gov/opa/pr/russian-national-charged-decade-long-series-hacking-and-bank-fraud-offenses-resulting-tens. Simultaneously: U.S. Department of the Treasury, OFAC, “Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware,” December 5, 2019, designating Evil Corp and 17 named individuals.

  20. U.S. Department of State, Transnational Organized Crime Rewards Program, “Reward Offer for Information Leading to the Arrest of Maksim Yakubets,” December 5, 2019 ($5 million reward — the largest single U.S. cyber bounty at the time of issuance). Reward listing: https://www.rewardsforjustice.net/english/maksim_yakubets.html.