Understanding Cybercrime-as-a-Service (CaaS)

Image of Guy Fawkes mask.

Hackers are for hire all around the world. 

To scale their business in the digital economy, they sell their skills and rent their weaponry to anyone willing to pay. 

These hacking syndicates provide what’s known as cybercrime-as-a-service (CaaS), a business model that has defrauded countless individuals and businesses.

Though a disconcerting subject, it cannot be ignored. After all, banks aren’t just battling against lone wolf hackers with an ax to grind. 

Instead, they’re engaged in an all-out cyber-war against hacking enterprises capable of breaching networks, stealing data, and selling it for a fortune on the dark web. 

In this article, we will reveal the stark reality of cybercrime-as-a-service.

After surveying the damages caused by CaaS and identifying its most prevalent forms, we will offer meaningful suggestions to help keep your bank safe from cybersecurity threats. 

What Is Cybercrime-as-a-Service?

In cybercrime-as-a-service, hackers sell their expertise under anonymous conditions

By mimicking software-as-a-service (SaaS) business models, CaaS transforms hacking into a subscription service available to individuals, groups, and even world governments.  

However, CaaS is much more than a digital marketplace. It’s a bridge for anyone to become a cybercriminal—with no experience required.

In fact, several members of the infamous hacking syndicate Lapsus$ are renegade teenagers who managed to breach tech giants like Microsoft and Nvidia. The former leader of the group was a 16-year-old living at his mother’s home in the English countryside.  

The hacking revolution has been democratized. 

Nevertheless, while hackers come from all age groups, nationalities, and experience levels, they’re willing to work together to maximize profit. Cybercrime-as-a-service offers strength in numbers. 

This begs the question, how can CaaS exist in a world dominated by online surveillance? 

As you might expect, most CaaS vendors leverage the dark web to anonymously advertise their inventory and connect with customers. They chat on incognito forums, use encrypted apps like Telegram, and make payments with untraceable cryptocurrencies.

Though hackers hide their identities, they flaunt their business offerings. 

Like your local diner, their menus are vast, listing their services, naming their prices, and highlighting add-ons—including customer service and tech support (just like SaaS fintechs).

While some CaaS tools are well-documented (like routine phishing and malware kits), others are cutting-edge. 

That’s why CaaS cartels are considered the home of emerging “zero-day” threats and why the FBI and other intelligence agencies study dark web browsers to better understand the next generation of attack vectors. 

Curious to catch a glimpse of the CaaS market? Search “hackers for hire” on Ahmia.

Hundreds of results will instantly populate on the first page alone. Keep in mind that Ahmia is considered safe to use, as it’s only a “surface” web search engine that reveals selected content from the dark web. 

CaaS by the Numbers

Describing the state of cybercrime-as-a-service is a bit like describing an iceberg. 

What we see is daunting enough, but whatever lurks beneath the surface is infinitely greater. 

The Industry

For example, we know that there are over 100 active CaaS groups on the loose, many of whom are being closely followed by U.S. intelligence agencies and third-party security analysts.

These dominant players are not only known, but in some circles, they’re ranked according to lethality. In 2023, CaaS gangs like LockBit, BlackCat, and cl0p took the top prizes, while emerging threats—including Trigona, HardBit, and ransomhouse—moved up the leaderboard. 

In fact, LockBit single-handedly dominated 25% of the ransomware-as-a-service market, with BlackCat coming in a distant second with an 8.5% market share. 

While such established groups have cornered the market, they are competing against a surfeit of disrupters. In fact, nearly 50% of globally-monitored CaaS groups were formed in 2023 alone. 

A changing of the guard might be underway. 

Indeed, industry leaders like LockBit are facing increased scrutiny from global law enforcement, including $15 million bounties from the U.S. Department of State for information on key associates.

Fortunately, the siege on LockBit offers us a closer look at the proverbial iceberg. 

On November 9, 2023, the infamous CaaS gang leveled China’s largest bank, the Industrial and Commercial Bank of China (ICBC). 

The attack not only took the bank offline, but it incurred the wrath of the United States by halting the settlement of over $9 billion in Treasury-backed securities. Before long, the U.S. revealed the extent of LockBit’s global plunder: over 2,000 individual attacks and $120 million in plunder

While LockBit has handsomely profited, their total haul is just a drop in the bucket of ransomware-as-a-service (RaaS) losses. In fact, total ransomware payments exceeded $1 billion in 2023.

These stories are the rule—not the exception—to cybercrime-as-a-service. 

The Extent of CaaS

Cybercrime-as-a-service is so lucrative that white-hat hackers (i.e., “ethical” hackers) are being paid millions of dollars to identify vulnerabilities in corporate networks. Not too long ago, Salesforce paid nearly $3 million to white-hat hackers

The logic is simple: since bad actors are constantly angling for a data breach, why not pay the “good guys” to beat them to the punch? 

After all, $65 an hour seems like a good trade-off to avoid incalculable reputational losses and embarrassing legal drama. 

It’s no secret that when hackers obtain bank data, they often try to sell it on the darkweb. This has happened to movie studios, municipalities, and major financial institutions. 

In the wake of the MOVEit hack, hackers allegedly put 60 GB of Deutsche Bank data on the dark web. 

While it may seem tempting for a bank to simply buy the data back, it’s not so simple. Even if an organization successfully retrieves its files, it can’t be certain that the data hasn’t been tampered with or injected with malicious code. 

They also can’t guarantee the data wasn’t duplicated, sold to a third party, or blended with a different company’s proprietary data—all of which could expose them to lawsuits and further reputational damage. 

As long as the financial incentives remain, CaaS groups will continue to proliferate. 

Even if domestic and international intelligence agencies disband the incumbents, disrupters will quickly fill the void and take advantage of lessons learned from the prior wave. 

Common Types of CaaS

There are many forms of cybercrime-as-a-service, and the list is constantly expanding.

Nevertheless, there are six main product offerings that individual hackers, organizations, and government agencies frequently leverage to deploy their cyber threats, including:

Ransomware-as-a-Service

Arguably the most notorious hacking tool, RaaS gives affiliates access to customizable ransomware strains.

In many cases, RaaS kits allow users to set their ransom amount, choose their preferred payment method, and access 24/7 customer service for as low as $40 a month.

The average ransom payment was $1.54 million in 2023—nearly double the amount from 2022. Such losses paid ransomware gangs over $1.1 billion last year.

Phishing-as-a-Service

A popular business model that delivers cloned login portals, email templates, and hosting services for spoofed websites.

While average phishing kits cost between $50 to $80 per month, more advanced platforms offer subscriptions starting at $250.

Considering the average cost of a phishing attack exceeds $4.91 million, these are comparatively negligible fees. 

DDoS-as-a-Service

In distributed denial-of-service attacks, hackers flood websites with fake internet traffic to take them offline.

Today, DDoS-as-a-Service commodifies these service outages by renting out “botnets” (i.e., vast quantities of compromised endpoints) to paying customers.

While costs vary depending on the size and duration of attack, DDoS services can be acquired for as little as $20.

Hacking-as-a-Service

Though it may sound redundant, HaaS is actually a more targeted form of cybercrime-as-a-service.

With HaaS, individuals can hire veteran hackers for highly specialized tasks—like gathering human intelligence, defacing a competitor’s website, planting malware to take a business offline at a crucial moment, or hijacking a rival’s social media account.

In most cases, hacking-as-a-service requires a one-time fee, rather than recurring subscriptions. 

Exploit-as-a-Service

A premium form of CaaS, exploit-as-a-service leases “zero-day” attacks to interested buyers.

Previously, many zero-day vectors sold for millions of dollars, as they targeted unknown (and therefore unaddressed) security flaws within a network.

By democratizing zero-day attacks, exploit-as-a-service can be utilized for more reasonable fees, often ranging between $600 to $25,000.

That’s why leading companies are paying ethical hackers such large salaries, and why global hacking competitions are underway—to exploit zero-day vulnerabilities before criminals can find them. 

Malware-as-a-Service

A business model that provides access to malicious software and deployment services via the dark web.

With malware-as-a-service, hackers can buy worms, viruses, spyware, bots, and Remote Access Trojans (RAT),  which allow attackers to remotely control a device without the victim’s knowledge or consent.

“Warzone,” one of the most famous RATs, has been in the news recently as two of its purveyors were arrested via an international sting operation in Malta and Nigeria. These men will be extradited to the U.S. and stand accused of selling Warzone RAT malware to thousands of customers for as little as $25 a month.

According to the U.S. Department of Justice, the Warzone RAT allowed buyers to “browse victim file systems, take screenshots, record keystrokes, steal victim usernames and passwords, and watch victims through their web cameras.”

Unfortunately, Warzone RAT is only one of many trojans circulating the market. 

Emerging Trends in CaaS: AI and Cryptocurrencies

Artificial intelligence (AI) is rapidly changing the world. 

While it can be a force for good, it can also fuel devious criminal pursuits

In fact, AI is already helping hackers streamline their operations, automate their processes, and refine their victim-targeting skills. 

Thanks to artificial intelligence and machine learning, it’s easier than ever to analyze large password datasets and identify potential zero-day vulnerabilities.  

By leveraging AI, hackers can also enhance the intensity of DDoS attacks and recruit AI-driven botnets to create an unprecedented surge of traffic. 

Worse, algorithms can quickly generate convincing phishing email templates that target C-Suite executives or impersonate them in communications with unsuspecting employees.

While established hackers are already enjoying these benefits, AI continually lowers the barriers to entry for new criminals entering the fray. In other words, AI can justifiably be seen as a free recruitment tool for hacking syndicates. 

After all, no technical skills or expertise are required to become a hacker. In 2024, the only prerequisites are having a computer, maintaining internet access, and exercising a duplicitous moral code.

Of course, none of this conversation would be complete without addressing cryptocurrency:
the financial lifeblood of cybercrime-as-a-service

Cryptocurrencies not only promote a hacker’s anonymity, but they continually enhance their franchise. Indeed, the purchasing power of cryptocurrencies— especially Bitcoin—is ever on the rise. 

And while the U.S. Dollar remains at the mercy of inflation and the Federal Reserve, cryptocurrencies are less affected by macroeconomic factors and monetary policy. 

Cybercrime-as-a-service and cryptocurrency are truly intertwined. In fact, 95% of all ransomware payments are cashed out via Bitcoin. 

As long as cryptocurrencies retain their anonymous power, hackers will remain untouchable. And as Bitcoin continues its meteoric rise to $100,000, CaaS vendors will be laughing all the way to the bank. 

Combating Cybercrime-as-a-Service 

Taken in unison, these destructive forms of CaaS remind us why the global cost of cybercrime is expected to reach $10.5 trillion by 2025.

While financial losses are rising, so are the emerging threats. 

Even if Uncle Sam gets involved, the rules of the game will change, but the game won’t end. The 18th Amendment didn’t stop the sale of alcohol—it just drove the business underground. 

As a bank, your job is to guard your corner of the wall

While it’s certainly important to know what you’re up against—and which cyberattack methods are targeting banks—it’s more important that you take action. 

Now is the time to fortify your digital presence and secure your reputation. 

Hackers are always trying to do one simple thing: trick your customers and employees

They want to win their trust so they can steal their credentials, breach your network, and raid your resources.

They accomplish this via domain spoofing, where they create fake websites and emails that look real but are utterly counterfeit. 

By migrating to an exclusive domain name, you can stop spoofing in its tracks

.Bank: Defending Your Digital Domain

Healthy cybersecurity in banking is paramount to keep your business going and your name clean.

With a .Bank domain, you’ll remove the threat of spoofed websites or emails.

Unlike public domains, ours are built exclusively for banks—so you, your staff, and your customers always know what’s real (and what’s not).

After all, if it doesn’t say .Bank, it’s not your bank. 

Schedule a meeting to discover how we can help you defend your domain.

Don't miss out

Sign up for the .Bank newsletter and receive handpicked insights and ideas directly into your inbox.

Related Articles