
Trends Organ Crim (2008) 11:270–295 DOI 10.1007/s12117-008-9038-9

Organised crime groups in cyberspace: a typology
Kim-Kwang Raymond Choo

Published online: 11 July 2008
© Springer Science + Business Media, LLC 2008

Abstract

Three categories of organised groups that exploit advances in information and communications technologies (ICT) to infringe legal and regulatory controls: (1) traditional organised criminal groups which make use of ICT to enhance their terrestrial criminal activities; (2) organised cybercriminal groups which operate exclusively online; and (3) organised groups of ideologically and politically motivated individuals who make use of ICT to facilitate their criminal conduct are described in this article. The need for law enforcement to have in-depth knowledge of computer forensic principles, guidelines, procedures, tools, and techniques, as well as anti-forensic tools and techniques will become more pronounced with the increased likelihood of digital content being a source of disputes or forming part of underlying evidence to support or refute a dispute in judicial proceedings. There is also a need for new strategies of response and further research on analysing organised criminal activities in cyberspace.

Keywords

Organised crime groups · Cybercrime · Technology-enabled crime · Digital evidence

Introduction

The declining importance of dial-up connections and the expansion of broadband services have created an environment in which connections are maintained continually. Investment in network expansion by telecommunications companies will see a further expansion in capacity that will result in an increase in bandwidth availability and greater adoption of wireless and mobile technologies. As businesses continue to engage in electronic commerce, they will become increasingly globalised and interconnected. Australia, for example, has experienced a considerable increase
The views expressed in this article are those of the author alone and not the Australian Government or the Australian Institute of Criminology. K.-K. R. Choo (*) Australian Institute of Criminology, GPO Box 2944, Canberra, ACT 2601, Australia e-mail: Raymond.choo@aic.gov.au


in electronic banking (APCA 2005). A correspondingly large increase in electronic banking has also been observed overseas. For example, in the first quarter of 2008, 1.8 billion plastic card purchases were reportedly made in the UK totalling £91.1 billion (APACS 2008) and in the calendar year 2007, more than 18 billion automated clearing house (ACH) payments were reportedly made in the USA (NACHA 2008). This is perhaps due to the cost of an internet-based transaction being a small fraction of a ‘bricks-and-mortar’ based transaction. The propensity for consumers to buy online is indicated in a recent report that online spending on retail websites in the United States has exceeded US$100 billion (Ames 2007). These, and other developments, create not only benefits for the community but also risks of organised crime[1] and terrorism.

Although there have been questions raised about the existence of organised criminal activities in cyberspace, several studies have pointed out the synergy between organised crime and cyberspace in recent years. McCusker (2006: 257), for example, suggested that ‘cybercrime has become an integral part of the transnational threat landscape and conjures up pressing images of nefarious and increasingly complex online activity.’ Cyberspace provides organised crime groups a safe haven for the enhancement of their organisational and operational capabilities. A recent inquiry in Australia also suggested that “high-tech crime is an area of opportunity for organised crime groups to pursue new types of crime” (Parliamentary Joint Committee on the Australian Crime Commission 2007: ix). Undeniably, such (organised criminal) activities in cyberspace could have serious implications on national security (e.g. political, economic and social).
Three types of organised crime groups[2] are described: (1) traditional organised crime groups[3] which make use of ICT to enhance their terrestrial criminal activities; (2) organised cybercrime groups[4] which operate exclusively online; and (3) organised groups of ideologically and politically motivated individuals who make use of ICT to facilitate their criminal conduct.

Traditional organised criminal groups

Pursuit of financial gain has always been one of the main driving forces behind traditional organised criminal groups.[5] A recent report by the Organised Crime Task
[1] Interested reader is referred to a recent article of Galeotti (2008) for an excellent overview of the history of organised crime.

[2] The definition of “organised criminal group” from Article 2 of the UN Convention on Transnational Organized Crime is adopted in this article: a group having at least three members, taking some action in concert (i.e., together or in some co-ordinated manner) for the purpose of committing a ‘serious crime’ and for the purpose of obtaining a financial or other benefit. The group must have some internal organization or structure, and exist for some period of time before or after the actual commission of the offence(s) involved.

[3] In this article, traditional organised crime groups refer to crime groups known to be involved in traditional criminal activities that took place in the physical world (e.g. murder, extortion, money laundering and drug trafficking).

[4] Organised cyber crime groups refer to online crime groups that may exist only in cyberspace such as hackers groups.

[5] Although many organised crime groups now aim at making money, several traditional ones (e.g. Italian and Italian American mafia), as pointed out by one of the reviewers, may still aim at exercising political power as well.

Force (OCTF) also suggested that ‘[o]rganised criminals are motivated by profit and seek to increase their wealth by reinvesting in other criminal activities’ (UK OCTF 2007:19). For example, traditional organised criminal groups, often associated with established smuggling networks, transportation routes, are known to be involved in profit-generating criminal activities such as narcotics trafficking, human trafficking[6] and nuclear smuggling (e.g. ACC 2007, 2008). The Organized Crime and Triad Bureau (2007:7), for example, reported that traditional organised criminal groups in Hong Kong (also known as triads—黑社会) are mainly involved in extortion targeting businesses, monopolising (e.g. movie production and entertainment industries), bouncership in licensed premises (e.g. nightclubs), prostitution, drug trafficking and illegal bookmaking. In Singapore, members of traditional organised criminal groups (also known as secret societies—私会党) have also been known to be involved in profit-generating criminal activities such as unlicensed moneylending and collection of protection money from operators of KTV lounges and entertainment outlets. In April 2007, seventeen members of an unlicensed moneylending (UML) syndicate in Singapore were arrested under the Moneylender’s Act (Cap 188) (SPF 2007).

Globalisation and migration trends have blurred national borders and accelerated the transformation of crime, moving it away from its domestic base.

[L]arge-scale migration from the less developed countries to the western world has resulted in ethno-nationality based criminal gangs with links to the home country and preying on their own migrants especially illegals. So the Korean, Chinese, Vietnamese, Russian (meaning former Soviet Union), Caribbean and South American groups are well organized in the USA, UK and Europe. With a large work force from their countries Indian, Pakistani, Sri Lankan and now increasingly Bangladeshi gangs are well organized in the gulf countries. (Singh 2007: 80).

One such recent case involving ethno-nationality based criminal gangs preying on their own migrant community includes the arrest of ‘four Chinese nationals who own and operate a group of Asian massage parlors in the Johnson County (US DoJ 2007a). The indictment alleged that the four accused ‘aided and abetted each other and others to transport at least one individual in interstate or foreign commerce to Kansas City, MO, with the intent that such individual engage in prostitution at purported massage parlors in Kansas’ (US DoJ 2007a).

In the Second Reading Speech for the Criminal Law (Temporary Provisions) (Amendment) Bill, Associate Professor Ho Peng Kee, Senior Minister of State for Law and Home Affairs in Singapore also pointed out that

Singapore is [also] vulnerable to infiltration by triads and organized criminal gangs from countries such as Hong Kong, China, Japan and Malaysia. These East Asian Gangs or “EAGs” are driven by profit and have no qualms about

[6] Interested reader is referred to a recent article of Sein (2008) for an excellent overview of one major human smuggling case in the USA—the case involving “Sister Ping”.

committing cross-border crimes if the opportunity arises. We must therefore be constantly on guard (MHA 2004)

Despite governmental efforts in cracking down on organised criminal activities, these criminal groups have recognised the value of leveraging information and communication technologies (ICT) to facilitate or enhance the commission of crimes and dynamic in identifying new opportunities and ways to overcome counter-measures.[7] They have adapted to the technological change and leveraged ICT to facilitate their profit-generating criminal activities such as drug trafficking, human trafficking, trafficking corporate secrets and identity information, committing extortion, frauds and scams online, money laundering using online payment systems, distributing illegal materials over the internet, and using the internet as a marketplace to sell illegal counterfeit pharmaceutical products and drugs. A recent report also suggested that

serious organised criminals have increasingly exploited advances in technology, particularly the growth of the Internet, to develop new crimes and transform traditional ones. They have demonstrated the intent, imagination and ability to exploit IT security weaknesses, and to identify new criminal opportunities (SOCA 2006:10)

The involvement of traditional organised criminal groups in technology-enabled crime now emphasises the importance of large-scale profit-driven incentives (Choo and Smith 2008). Examples of traditional organised criminal groups involved in technology-enabled crime include the highly structured and global criminal syndicates such as the Asian triads and Japanese Yakuza whose criminal activities have been known to include computer software piracy and credit card forgery and fraud (Canadian Security Intelligence Service 2000, MSN—Mainichi Daily News 2006). A more recent incident involves the arrest of 12 members of a piracy syndicate in People’s Republic of China (PRC) for copyright infringement offences (Enforcement Bulletin 2007).

The Internet has provided a new and much larger marketplace for those involved in the sale of counterfeit and pirated goods. The Internet offers counterfeiters a cheap and easy way to publicise, market and distribute their product. Counterfeit drugs is one area which has seen particular growth through the Internet, either due to the high cost of prescription drugs, difficulty in obtaining them, or due to the embarrassment of a patient in requesting a particular drug, making it a lucrative business for organised criminal enterprises (UK OCTF 2007: 34).

The report released by the Office of the United States Trade Representative also noted that:

Harco Glodok (Jakarta, Indonesia) [is] one of the largest markets for counterfeit and pirated goods, particularly well-known for pirated optical discs. Enforcement officials are reportedly reluctant to conduct regular enforcement actions because of the presence of organized criminal gangs (Office of the United States Trade Representative 2007:8)

[7] It is not the intention of this article to discuss whether the use of technology by traditional organised criminal groups (e.g. the triads in Hong Kong, the secret societies in Singapore and the Japanese Yakuza) is a generalised phenomenon although recent incidents suggest that traditional organised criminal groups are increasingly involved in technology-enabled crimes such as intellectual property offences.

Traditional organised criminal groups are also ‘increasingly using false and stolen identities to commit non-fiscal frauds’ (SOCA 2008:9). Other categories of technology-enabled crimes that organised crime groups (including organised cybercrime groups) are known to be involved in include:

• Computer or network intrusions such as hacking and unauthorised access to obtain sensitive information. For example in May 2007, members of a six-member group were indicted on conspiracy, wire fraud, bank fraud and money laundering charges. The indictment alleged that the defendants acquired free network scanning software ‘for the purpose of finding unsuspecting individuals’ and/or entities’ computers which did not have proper security features in place in order to search for personal financial information such as financial account numbers and passwords’ and accessed internet banking accounts using these fraudulently obtained information (US DoJ 2007h). Money would then be transferred from those accounts to a bank account controlled by the defendants before transferring elsewhere.
• Malware[9] creation and dissemination: The recent UK Threat Assessment report noted that ‘most new malware is designed to steal financial data (such as credit card details, bank account details, passwords, PIN numbers) as a precursor to various frauds and other deceptions’ (SOCA 2008:9).
• Spam: unsolicited commercial e-mail that persuades email recipients to buy products (e.g. stocks of companies whose stock prices had been inflated[8]) they do not really want through oppressive or deceptive marketing techniques.
• Phishing: online or internet scams that frequently use unsolicited messages purporting to originate from legitimate organisation in order to deceive individuals or organisations into disclosing their financial and/or personal identity information for the purpose of using it to commit or facilitate crimes such as fraud, identity theft and stealing of sensitive information (e.g. banking credentials). In recent years, phishing messages are increasingly targeting top executives at an organization or members of a group—also known as spear phishing or whaling (Garretson 2007, McMillan 2008). Several researchers and security practitioners have also suggested the involvement of organised crime groups in phishing scams (see Bequai 2001, CipherTrust 2005, McCombie 2007).

[8] Refer to the United States Securities and Exchange Commission on “Pump and Dump Schemes” for more information—http://www.sec.gov/answers/pumpdump.htm

[9] Malware, also known as malicious software, is designed to install itself on a computer without the computer owner’s informed consent, particularly if it does so in a way that may compromise the security of the computer. Malware includes Trojans, viruses and worms.

• Internet frauds and scams include Nigerian advance fee scam (also known as 419 scam),[10] online auction frauds,[11] identity and credit card frauds.[12]
• Identity fraud: As noted by SOCA (2008), organised criminal groups use identity fraud to either conceal their identities in order to evade detection and protect their assets from confiscation or as an enabler to commit various frauds and other crimes.

Traditional organised crime groups have also been known to carry out extortion from online gambling and pornography websites by threatening to carry out denial-of-service attacks using botnets[13] (e.g. Choo 2007, Evron 2008, Schrank 2007).

Hacking organisations, cybergangs, and professional hackers are resources that can be employed by traditional organised crime groups to carry out technology-enabled crimes. In recent years, traditional organised crime groups have been reported to recruit ‘a new generation of high-flying cybercriminals using tactics which echo those employed by the KGB to recruit operatives at the height of the cold war’ (McAfee 2006:2). This should come as no surprise to long-time political observers. In countries such as Russia where the lack of economic and employment opportunities have forced many highly educated individuals with advanced computer and programming skills to work in the cyber underground.

[10] In such scams, the perpetrators often pretend to sell something that they do not have while requesting for the payment in advance. Recent cases include the arrest of a group of 419 scammers by Dutch police in February 2007 (Libbenga 2007) and the February 2008 arrest of a Nigerian citizen in Perth, Australia who was alleged to be a an international A$1 million internet scam syndicate (AAP 2008).

[11] Recent statistics (NW3C/FBI 2007) indicate that online auction fraud is the most prevalent offence type reported to the Internet Crime Complaint Center. Out of 207,492 complaints between 1 January and 31 December 2006, online auction fraud accounted for 45% of the 86,279 cases referred to US law enforcement agencies and 33% of the total reported dollar loss. It is important to recognise, however, that in comparison with the total volume of online transactions the number of complaints remains relatively small.

[12] In a recent case, a defendant who is one of 17 individuals indicted on charges including Conspiracy to Commit Offenses Against the United States, Conspiracy to Commit Money Laundering, Fraud in Connection with Access Devices, Fraud in Connection with Identification Documents, Authentication Features, and Information, Aggravated Identity Theft, and aiding and abetting these offenses, allegedly obtained stolen credit and debit card account information by visiting Internet Relay Chat rooms and forums run by cybercriminals. The defendant then allegedly encoded these fraudulently obtained credit card information onto plastic cards with magnetic strips and used the plastic cards to withdraw money from automated teller machines and automated cashier machines. Several other individuals were reportedly recruited by the defendant to repatriate the proceeds of crime overseas—money mules. On 10 August 2007, the defendant was sentenced to 84 months in prison and was ordered to make restitution to the victim banks, forfeit property which represented both the means used to commit these offenses as well as the proceeds of the offenses, and serve a 3 year term of supervised release (US DoJ 2007g).

[13] A botnet is a network of individual computers infected with bot malware. These compromised computers are also known as zombies or zombie computers. The zombies, part of a botnet under the control of the botnet controller, can then be used as remote attack tools to facilitate the sending of spam, hosting of phishing websites, distribution of malware, and mounting denial of service attacks. Among the three botnet communication typologies identified by Cooke et al. (2005)—centralised, distributed P2P and random—the most commonly used are the centralised and distributed P2P. Building botnets requires minimal levels of expertise (Ianelli and Hackworth 2005). A brief two-step overview on how to build a botnet is outlined by Choo (2007).

Traditional organised crime groups (and organised cybercrime groups) are also known to hire money mules[14] in the money laundering process. A recent example of individuals being recruited by organised crime groups to repatriate criminal proceeds includes the example case reported in the 2005–2006 Asia/Pacific Group on money laundering yearly typologies report (APG 2006:9). As Choo, Smith and McCusker (2006:xxi) pointed out, ‘[o]rganised operations that make use of conventional technology-enabled crime methodologies, such as financial scams or piracy, will also increase as the use of networked computers for criminal purposes develops.’

Organised cybercrime groups

Despite the synergy between traditional organised crime groups and cyberspace, traditional organised crime groups should not be confused with organised cybercrime groups that operate exclusively online. As Eugene Kaspersky, the founder and head of research and development of the Russian anti-virus Kaspersky Lab, observed:

IT criminals are just IT people who change their mind, or have a broken mind. It seems that traditional criminals are quite far away from that. IT criminals don’t see their victims, so it’s easier for them to do it, because they don’t feel their hand in someone else’s pocket (Infosecurity 2007).

Organised cybercrime groups are also more loosely structured and flexible, transnational and tend to have smaller membership sizes. Different criminal activities call for different organisational structures and the structure of organised cybercrime group is likely to incorporate an organisational structure in which individual members coalesce for a limited period of time to conduct a specifically defined task or set of tasks and, having succeeded, go their separate ways. Brenner explains this as follow:

physical strength is insignificant [in the cyberworld]. In the cyberworld, a hacker surmounts a victim’s defenses, not by summoning combined efforts of ten or twenty hackers, but by using technology, automated techniques that enable one to bypass electronic defenses, strength is in software, not in numbers of individuals (Brenner 2002:27)

Technically sophisticated members

Technology-enabled crimes require the perpetrator to possess a minimum level of technical knowledge and computer skills such as knowledge of software and hardware vulnerabilities and how these vulnerabilities can be exploited, understanding of file systems and operating systems, and programming skills. Kshetri (2005:552) further suggested that “[while] minimal skill is needed for opportunistic attacks, targeted attacks require more sophisticated skills.” Avi Rubin, professor of

[14] Money mules are individuals hired by organised criminals to perform international wire fraud (AIC 2007) or to purchase prepaid cards, and the mailing or shipping of prepaid cards out of the country without regulators being aware (Choo 2008).

computer science at Johns Hopkins University, also suggested that hackers are now using academic resources more frequently and are more technically inclined than traditional criminals (McGraw 2006). Subscribing to security bulletins and scholarly publications, for example, allows cybercriminals to keep abreast of the latest security vulnerabilities and theoretical vulnerabilities (AIC 2006). Organised hacker groups such as cnxhacker and milw0rm have and will continue to publicise vulnerabilities they discovered, written exploit code, and developed sophisticated hacking techniques. Some subscription- or members-only hacking-oriented sites contain updated news alerts on system vulnerabilities including those discovered by members that have yet to be publicised and step-by-step instructions on how to exploit known vulnerabilities. It is known that organisations generally do not patch their systems immediately when security vulnerabilities appear, so cybercriminals can take advantage of such vulnerabilities to compromise systems or to build viruses. Moreover, to circumvent access control technological protection measures in today’s commercial software, one would need advanced technical knowledge of digital right management (DRM) mechanism and the ability to manufacture circumvention devices for such technological protection measures.

Studies by Kshetri (2006) and Jen et al. (2006) also indicated that a sizeable percentage of cybercriminals in Russia and Taiwan belong to the educated generation Y group (defined as people born after 1982). While both studies are academically robust in their methodology, it is important to note the small sample sizes involved in the studies. Although this is often appropriate for in-depth qualitative case studies that are published in the computer science and criminology literature, the conclusions sometimes cannot be widely generalised to other populations. Findings from both studies, however, support the view that cybercriminals can be expected to have technically sophisticated skills and corresponding higher education.

Examples of technically sophisticated organised cybercrime group members include the case involving the arrest of the leader of a five-member computer hacker group in 2001. The defendant was a former computer programmer at a Moscow institute (BBC News 2001). In a more recent case involving the arrest of a credit card skimming syndicate in Singapore, two of the six-member syndicate were University undergraduates (CAD 2007).

Members who may know each other only online

There have been increasing reported incidents of cybercrime groups comprising likeminded individuals who may know each other only online but are involved in the use of an organisational structure working collectively towards a common (criminal) goal as the internet makes it far easier to meet and plan activities—organised cybercriminal groups. An example includes the case involving three individuals who had never met in person and knew each other only online. All three were convicted at London’s Southwark Crown Court of a conspiracy to rape a girl under 16, based on a discussion in an internet chat room (GB CPS 2006). Other examples include the underground criminal group, ‘Shadowcrew,’ that reportedly trafficked more than 1.7 million credit cards online (USSS 2004) and the

underground software piracy group, ‘DrinkOrDie.’ In the latter example, a British national living in Australia who is alleged to have a leading role in the global activities of the ‘DrinkOrDie’ group credited with well-publicised activities involving circumventing technological anti-copying protections and distribution of commercial computer software, was extradited from Australia to the United States in February 2007. He pleaded guilty in April 2007 before US District Judge Claude M. Hilton to one count of conspiracy to commit criminal copyright infringement and one count of criminal copyright infringement to face criminal charges in connection with operating “DrinkOrDie” (US DoJ 2007e). On 22 June 2007, he was sentenced to 51 months imprisonment (US DoJ 2007b).

Financially motivated cybercriminals

Several cases of organised hacking groups stealing credit card information have also been reported. Such stolen credit card data can then be used to make fraudulent purchases (e.g. PP VS Kelvin Leong Jia Wen and Lim Xiang Rui as cited in CAD 2006:24). In a more recent incident, a Calgary man was arrested for allegedly using the internet to sell concealed devices designed to illegally capture data from bank ATM users (van Rassel 2007). In May 2007, a hacker group allegedly involved in stealing credit card data from TJX[15] were “selling it on the [i]nternet on password-protected sites used by gangs who then run up charges using fake cards printed with the numbers” (Pereira 2007). Several media articles further suggested that between 45 and 90 million payment card accounts were, in fact, compromised as a result of the data breach incident involving The TJX Companies Inc.’s (Abelson 2007, Goodin 2007, Vijayan 2007). On 27 March 2008, the US Federal Trade Commission announced that ‘discount retailer TJX and data brokers Reed Elsevier and Seisint have agreed to settle charges that each engaged in practices that, taken together, failed to provide reasonable and appropriate security for sensitive consumer information. The settlements will require that the companies implement comprehensive information security programs and obtain audits by independent third-party security professionals every other year for 20 years’ (US FTC 2008:unpaginated).

In another case involving the indictment of 33 individuals in USA and Romania, for their involvement in an international bank fraud ring in which Romanians obtained personal credit information and American-based confederates created bogus debit and credit cards that were used to fraudulently obtain millions of dollars in cash.

The 65-count indictment returned by a grand jury on Thursday accuses 33 defendants of engaging in “phishing” and other surreptitious methods via the Internet to obtain personal data on thousands of victims. According to the indictment, the Romania-based members of the enterprise obtained thousands of credit and debit card accounts and related personal information by phishing, with more than 1.3 million spam emails sent in one

[15] In the Federal Trade Commission complaint, it was alleged that ‘TJX, with over 2,500 stores worldwide, failed to use reasonable and appropriate security measures to prevent unauthorized access to personal information on its computer networks. An intruder exploited these failures and obtained tens of millions of credit and debit payment cards that consumers used at TJX’s stores, as well as the personal information of approximately 455,000 consumers who returned merchandise to the stores. Banks have claimed that tens of millions of dollars in fraudulent charges have been made on the cards and millions of cards have been cancelled and reissued’ (US FTC 2008:unpaginated).

phishing attack. Once directed to bogus websites, victims were prompted to enter information about their credit or debit cards, as well as personal identifying information. Romanian “suppliers” collected the victims’ information and sent the data to U.S.-based “cashiers” via Internet “chat” messages. The U.S.-based cashiers used hardware called encoders to record the fraudulently obtained information onto the magnetic strips on the back of credit and debit cards, and similar cards such as hotel keys. Cashiers then directed “runners” to test the fraudulent cards by checking balances or withdrawing small amounts of money at ATMs. The cards that were successfully tested, known as “cashable” cards, were used to withdraw money from ATMs or point of sale terminals that the cashiers had determined permitted the highest withdrawal limits. A portion of the proceeds was then wire transferred to the supplier who had provided the access device information (US DoJ 2008d: unpaginated)

Examples of known financially motivated cyber criminal groups include:

• In January 2007, two Dutch members of a hacking ring were sentenced to imprisonment for their alleged roles in extortion of a company in the United States, stealing identities to purchase cameras and games consoles, and distributing bot malware[16] (Libbenga and Leyden 2007). Botnets can be leveraged to orchestrate concerted attacks against other computing resources, for example, distributed denial of service (DDoS) attacks against targeted networks (Choo 2007). Botnets can then be rented out to willing parties to facilitate other criminal activities such as spam. For example, a member of the ‘botmaster underground’ pleaded guilty to computer fraud and spam offences connected to his dealings in botnets. The defendant created new variants of the ‘rxbot’ and distributed these variants to establish several botnets. He then offered to hire out the botnets to others for the purposes of sending spam and launching distributed denial-of-service (DDoS) attacks[17]. It was also alleged that the defendant used the botnets to generate income from the surreptitious installation of adware on the zombies, thus earning thousands of dollars. In May 2006, the defendant was sentenced to 57 months in federal prison (US DoJ 2006).
• The ‘M00P virus-writing gang’: three suspected members of the gang were arrested by the London Metropolitan Police Computer Crime Unit, the Finnish National Bureau of Investigation and the Finnish Pori Police Department, in connection with a conspiracy to infect computers with malware to create a botnet (Jaques 2006).
• The ‘Mpack’ gang[18] that was allegedly behind the cyberattack that had successfully compromised the homepages of hundreds of legitimate Italian

[16] Bot malware, a malicious program, allows attackers to remotely control vulnerable computers and form virtual networks of zombies—botnets.

[17] Distributed denial-of-service (DDoS) attacks are targeted attacks against specific website(s) by flooding the web server(s) with repeated messages, tying up the system and denying access to legitimate users.

[18] The MPack toolkit is allegedly being sold between US$700 (PandaLabs 2007) and US$1,000 (Keizer 2007).

websites. Keyloggers19 are then downloaded and installed on computers of unwitting users visiting these compromised websites.
• The botnet-for-rent Loads.cc group, which is reportedly ‘responsible for the distribution and installation of massive amounts of malware: Spambots, DDoS bots, keyloggers, adware and rootkits’ (Goodin 2008).
• The ‘Russian Business Network’ (RBN), an allegedly Russian-based group, identified by VeriSign to be a criminal internet service provider of child pornography, phishing sites designed to fool visitors into handing over their banking details, and repositories of Trojan code and other malware (Miller 2007). RBN also allegedly ‘runs a protection racket that extorts as much as US$2,000 a month in fees for “protective Web services” from borderline sites’ (Keizer 2008).

To evade the scrutiny of law enforcement agencies, organised cybercrime groups have been reportedly building their own encrypted instant-message (IM) programs such as CarderIM designed to establish a ‘secure’ channel to sell stolen financial and personal information including credit card numbers and e-mail addresses (Kirk 2007a)—an underground economy. Symantec (2007) and the study by researchers from Carnegie Mellon University, University of California Berkeley and University of California San Diego (Franklin et al. 2007), for example, highlighted the emerging trend of underground economy for the buying and selling of security vulnerabilities, stolen credit card and other online credential information, and the sale of compromised hosts established on public IRC servers. Although there are no known published statistics involving monthly subscription-based services for malware updates being offered at such underground economy sites, it is likely that such services will become increasingly popular.

In another recent study, Zhuge et al. (2008) identified six actors in the Chinese underground economy for the compromise, trade and exploitation of virtual assets.

1. Virus writers are individuals who write malicious software (malware) for profit.
2. Website masters/crackers: website masters are individuals who attract potential victims with freebies and redirect them to malware-infected sites and website crackers are individuals who compromise websites by exploiting vulnerabilities in these websites. The study suggested that the current market price is approximately 40 to 60 RMB per ten thousand visits.
3. Envelope stealers, individuals with limited technical knowledge, typically buy ready-to-use malware and other malware kits from virus writers and/or website traffic from Website Masters/Crackers in order to steal login credentials and other account information. The harvested login credentials and other account information are then resold to Virtual Asset Stealers for profits.
4. Virtual asset stealers, individuals with limited or no technical knowledge but possess a good understanding of the underground market, purchase login

19 Keyloggers (also known as keylogging programs) are designed to monitor user activity including keystrokes. They can be used by cybercriminals to steal passwords or credit card details, which can then be used for malicious purposes such as identity/online fraud.

credentials and other account information in order to steal valuable virtual assets such as online gaming accessories and online gaming currency (e.g. QQ coins). The stolen virtual assets are then resold for profit.
5. Virtual asset sellers are individuals who buy virtual assets from the underground market at a very low price before selling to other legitimate players on the public marketplaces at a profit.
6. Players are individual participants of online games.

Online paedophile rings

The enabling structure of the internet has resulted in new avenues for commercial child exploitation including online child grooming for sexual contacts, and offer commercial sexual activities such as producing and selling child pornography materials over the internet (e.g. internet chat room). The availability of a market in which to trade child exploitation materials for financial gain will provide criminals with financial incentives to commit online child exploitation crimes. For example, an individual was recently charged in a United States District Judge who allegedly ‘admitted ordering images depicting the sexual exploitation of minors online during the summer of 2007.’ The defendant is scheduled to be sentenced on 29 April 2008 (US DoJ 2007f). In a more recent incident, 90 individuals will reportedly be facing court in Australia for allegedly downloading child abuse images on a worldwide child pornography network following a 6-month nationwide investigation led by the Australian Federal Police (AFP 2008).

Organised cybercrime groups can also operate subscription-based private (by invitation only) IRC rooms that involve the highly disturbing practice of live child sexual abuse videos being streamed to these rooms, with the actual perpetrator responding in real time to commands from other paying participants who can see the images.

The internet has greatly facilitated the sharing of information and strategies for grooming children for sexual purposes, reinforcing adult–child sex philosophies of offenders.

One of the perpetrators, David Hines, who received a criminal sentence, described how easy it was to obtain images of child pornography on the Internet—within twenty-four hours of first going on-line he had found material. He met other paedophiles, so they traded sexually explicit images of children and talked about them. As a shy, introverted person, he had found an instant set of friends. As with cyberstalking cases, this group of people thought they were protected by the anonymity of the Internet. The problem was not just the trading of images, but also the way that paedophiles had an easy way to contact each other and to reinforce their beliefs that sex with children was not wrong, and in so doing, again similar to those who perpetrate cyberstalking crimes, to promote the ghastly idea that somehow these children were ‘in relationships’ with adults. Paedophiles also shared information about how to ‘groom’ children for abuse (Adam 2002: 13–140).

New information and communication technologies allow multiple images to be produced from one digital recording of abuse and the transfer of images from

other media. Again, the number of images involved gives little indication of the number of children who are abused or the timescale over which the abuse has occurred ... and there has been an increase in sexual exploitation of children (Harrison 2006: 368).

Peer-to-peer networks could also be abused by organised cybercrime groups to act as a consolidated marketplace for child sexual abuse images. For example, in “Operation Peer Pressure” conducted by the FBI in 2003, child sexual abuse images were downloaded from offender’s computers via P2P networks. In a more recent case, more than 700 suspects associated with the online paedophile ring20 operating the UK-based Internet chatroom, “Kids, the Light of Our Lives,” were arrested worldwide (UK CEOP 2007).

Cybercriminals can also hide their online communications, digital images (e.g. pictures chat room users placed in their profiles) and video files by using password authentication, encryption and steganographic techniques. Anonymity of communication can be provided through the use of the Onion Router, an ‘anonymising protocol’ that allows data to be routed through a network of servers. The latter uses cryptography to obscure the data path and hence make it untraceable for law enforcement. For example, The Onion Router is used in the Wikileaks.org website designed for whistleblowers in authoritarian countries to post sensitive documents on the internet without being traced (Marks 2007). Other online communications technologies such as Darknet (loosely related to peer-to-peer networks) could potentially be abused by cybercriminals to distribute propaganda, images of child abuse, or copyrighted digital files in a secure manner to avoid the scrutiny of law enforcement agencies. These can create serious impediments to law enforcement and investigators in their efforts to combat online grooming of children and other acts of child exploitation. With advances in communications technologies, there will be an increase in avenues for child sexual offenders and cybercriminals to engage in online child exploitation with little risk of being traced.

Ideologically and politically motivated cybercrime groups

Prior to September 11 2001, terrorism and organised crime were usually considered separate entities because they did not share the same motivating factor (e.g. making a political statement vs. profit). In recent years, there has been a noted convergence between terrorism and organised crime where “two sides of the ‘organised’ debate may in fact find greater solace, reward and operational fluidity through a combination of their efforts” (McCusker 2006:266). A recent press release by the

20 According to a recent media release by the FBI, ‘[t]he ring, in fact, was run very much like a business, with various players handling different roles, direction coming from the top down, and the sadistic images serving as currency, a sophisticated operation’ (FBI 2008a:unpaginated). As of March 2008, at least 22 individuals have been arrested (14 in America21, four in Germany and two each in Australia and the UK, FBI 2008a).
21 see US DoJ (2008a, 2008b, 2008c).

FBI also noted that ‘[i]nternational organized criminals provide logistical and other support to terrorists, foreign intelligence services, and foreign governments, all with interests acutely adverse to those of U.S. national security’ (FBI 2008b: unpaginated). Warren (as cited in Charlton 2005) also noted that ‘Al Qaeda has turned to organi[s]ed crime groups for their money laundering expertise.’ Crimes commonly associated with organised criminal groups (e.g. scam and fraud schemes, identity and immigration crimes, the counterfeit of goods, and illegal weapons procurement) are also precursor crimes used by terrorist groups to raise funds (e.g. Todayonline 2007). A recent indictment involving a foreign narcotics kingpin (designated under the US Foreign Narcotics Kingpin Designation Act) alleged that the accused led an international heroin-trafficking organisation that channelled heroin proceeds in the U.S. to financially support the Taliban between 1994 and 2000 (US DoJ 2007d).

Criminal organizations can become ideological over time. In South Asia, they seem to have acquired ideological or religious predispositions that motivate, not merely cover, their actions. And they have increasingly become involved in supporting terrorist activities. Terrorist groups rely upon organized crime for the weaponry and munitions they require for terrorist attacks and insurgencies. To transport these goods, they use routes that have been carefully constructed by the criminal gangs, who in return seek from the terrorist groups training in the use of guns and explosives and safe passage (for a price) through militant territory. The two groups are further connected by the drug trade: both are financially dependent on narcotrafficking (Lal 2005: 294)

A distinction should, however, be drawn between crimes in which ICT is the object or the target of offending, and crimes in which technologies are the tool in the commission of the offence. The latter category incorporates two levels of reliance on technologies: offences which are enabled by technologies (i.e. in which a computer is required for the commission of the offence), and offences which are enhanced by technologies (i.e. in which computers make it easier to commit an offence).

ICT, an enabling tool

Terrorist groups can also obtain information on and acquire chemical, biological, radiological materials via the internet, which increases the risk of terrorist groups possessing sufficient fissile material to develop their own nuclear weapon. The diffusion of information on the internet regarding dual-use research of concern has compounded this challenge. The use of global telecommunications technologies can also be used to mount attacks against key critical infrastructures. For example, in July 2006, Faheem Khalid Lodhi was convicted of offences including plotting in October 2003 to bomb Australia’s national electricity grid in the cause of violent jihad. It was alleged that Lodhi had downloaded information, including electricity grid maps, from the internet. Lodhi was sentenced to 20 years in prison on 23 August 2006 (Regina v Lodhi [2006] NSWSC 691 23 August 2006). In 2007 it was reported that

terrorists might have used information obtained from Google Earth™ to facilitate their planning of (physical) attacks against British troops in Iraq.

Documents seized during raids on the homes of insurgents last week uncovered printouts from photographs taken from Google™. The satellite photographs show in detail the buildings inside the bases and vulnerable areas such as tented accommodation, lavatory blocks and where lightly armoured Land Rovers are parked (Harding 2007).

The recent report by NSTC (2006: 7) raises similar concerns.

Members of terrorist groups include engineers and computer scientists and they have been known to use the internet as a medium for propaganda (e.g. publishing doctrines such as “The Global Islamic Resistance Call” on the internet and the website of the ‘Reformation and Jihad Front’ insurgent group), and also in recruiting new members. For example, Jason Walters, a member of the Dutch-based ‘Hofstad group,’ allegedly visited radical websites, posted messages glorifying jihad and talked about killing those he deemed enemies of Islam. Walters and several other members of the group were arrested in November 2004 for their alleged involvement in terrorist activities and murder of film director Theo Van Gogh (Vidino 2007).

In a recent article, Bakier also pointed out that to gather more recruits to the cause, jihadi websites are constantly posting enticing messages about the merits of the holy war against Crusaders and Zionists.

A posting that appeared in a pro-jihadi forum entitled “How to become a member of al-Qaeda” lays out the requirements needed to join the terrorist group while encouraging Islamists to join the jihad. Another posting warned about the misconceptions that paralyze jihad efforts. A forum participant nicknamed Wali al-Haq posted the requirements for joining al-Qaeda. Al-Haq argues that the accusations of terrorism commonly applied to any Muslim—whether affiliated with a jihadi group or not—who prays for the victory of Islam and the mujahideen is proof of the jihadis’ success in terrifying the Jews and Crusaders: “Al-Qaeda today is not only an organization seeking to fight the Jews and Crusaders, rather it’s an ideology and a mission calling on all Muslims to uphold God’s religion and rescue the weak monotheists.” Al-Haq, who has over 3,600 contributions to jihadi forums, mostly in the field of jihadi propaganda, then proceeds to explain what a Muslim should do to join al-Qaeda (al-ekhlaas.net, March–April) (Bakier 2008:3).

A recent report (IDSS 2006) highlighted the proliferation of jihad-oriented sites in Southeast Asia, which facilitate radicalisation among the Muslim community in the region. Such sites target the digital generation—the young and the internet-aware—particularly among the Muslim community. The latter, with a shallow understanding of Islam, could be easily misled by the propaganda posted on such sites and forums.

In a study by Gerstenfeld et al. (2003), it was revealed that extremists’ and supremacists’ networking sites often contain external links to other sites of similar nature and materials or publications inciting extremists’ activities. Such sites are, often, effective means of reaching an international audience, soliciting funding, recruitment and training of potential terrorists, and transferring information, allowing cybercriminals to coordinate their activities and to distribute propaganda. Examples of

propaganda material include religious rulings (fatwa) declaring suicide terrorism to be legitimate within Islam:

He who commits suicide kills himself for his own benefit, while he who commits martyrdom sacrifices himself for the sake of his religion and his nation. While someone who commits suicide has lost hope with himself and with the spirit of Allah, the Mujahid struggler is full of hope with regard to Allah’s spirit and mercy. He fights his enemy and the enemy of Allah with this new weapon, which destiny has put in the hands of the weak, so that they would fight against the evil of the strong and arrogant (Weimann 2006:634)

The report by Simon Wiesenthal Center pointed out that

[t]he aura of religious authority that sanctions such acts often finds its most receptive audience online. The attraction of this religiously-validated culture of death has been especially powerful amongst some young Western Muslims, often alienated both from the majority culture in which they live and the traditional culture of their parents’ native lands. This leads to a process of radicalization in which “the Internet provides access to a radical form of Islam that gives seekers the virtual environment that they are searching for. This is seen as a purer and uncompromised version of the religion, and thus strengthens its appeal by creating a strong demarcation between the moderate version and its more extreme manifestation.” (Simon Wiesenthal Center 2008:10)

In March 2007, Singapore’s Deputy Prime Minister and Minister of Home Affairs told Parliament that the Internal Security Department of Singapore investigated internet-driven radicalisation cases involving ‘Singaporeans who had become attracted to terrorist and radical ideas purveyed in the mass media, particularly the [i]nternet’ (Ahmad 2007). Internet-driven radicalisation includes cases of radical youths and other individuals linking up with like-minded people and making contact with extremists from overseas involved in terrorist recruitment and financing over the internet in chat rooms, blogs and social networking sites. 8,000 websites espousing radical ideologies such as hosting hate and terrorism contents are reportedly identified in the recent report by the Wiesenthal Center’s Digital Terror and Hate 2.0 (Simon Wiesenthal Center 2008).

A recent example of how the internet has been used in terrorist planning activities includes the following case that has been brought before the district court of Connecticut in the United States. The indictment alleged that:

from approximately 1997 through at least August 2004, British nationals Babar Ahmad, Syed Talha Ahsan, and others, through an organization based in London called Azzam Publications, are alleged to have conspired to provide material support and resources to persons engaged in acts of terrorism through the creation and use of various internet Web sites, e-mail communications, and other means. One of the means Ahmad and his co-conspirators are alleged to have used in this effort was the management of various Azzam Publications websites, principally www.azzam.com, which, along with associated administrative email accounts, were hosted for a period of time on the servers of a Web hosting company located in the state of Connecticut (US DoJ 2007c).

ICT, the object of offending

Politically motivated hacker groups (hacktivists)22 have also carried out hacktivism activities such as bringing down government agencies’ websites and engaging in information warfare. A well-known cyberwar between Chinese and American hackers erupted in April 2001 following the collision of a U.S. military spy plane and Chinese fighter. U.S. government Web sites were hacked and defaced with slogans such as “Beat down imperialism of American,” courtesy of a group calling itself the Honker Union of China (Kirk 2007b). More recently in 2007, MI5 reportedly wrote to several UK businesses warning them of the risk of electronic espionage posed by foreign state-sponsored hackers (Leyden 2007, Sophos 2007).

A recent series of cyberattacks directed against targets in Taiwan and the United States may confirm that “those fears now appear justified. Taiwan and China regularly engage in low-level information-warfare attacks. But the past few months have seen a noticeable spike in activity. “‘Blitz’ is an accurate description” of the recent attacks, says the Taiwanese security source. “It’s almost like ... a major cyberwar exercise,” says a Taiwanese intelligence officer.” (Curry and McGrane 2006: 93).

Other well publicised hacktivism activities include the following incidents:

• In 2006, approximately 1,000 Danish websites were allegedly defaced by Islamic hackers protesting controversial cartoons mocking the Prophet Muhammad (Ward 2006). Pro-Islam messages and messages condemning the publication of the images were reportedly posted on the defaced websites. A cyber-crime observatory that tracks website defacements was also reported to have observed ‘[h]undreds more websites of European, Israeli and American companies and private citizens have also been defaced during that period, with the vast majority occurring after the re-publication last week of the cartoons in European newspapers’ (Warner 2006).
• Coordinated DDoS attacks by at least a million computers on several Estonian government websites were reportedly carried out in April 2007 (Kirk 2007c, Rodriguez 2007) in protest of the removal of ‘a memorial statue honouring Soviet World War II war dead ... from the central square of its capital city, Tallinn, to a cemetery on the city’s outskirts’ (Lesk 2007:76).

Challenges ahead

Digital evidence: possible evidentiary issues

With increased digitisation of information, the future will see the increased likelihood of digital content being a source of disputes or forming part of underlying

22 Known politically motivated hacker groups include ‘Hacker Union for China’ and ‘ChinaHonker.com.’

evidence to support or refute a dispute in judicial proceedings. Digital evidence differs from traditional evidence. The former is intangible and often transient in nature, and can easily be duplicated, copied, shared, disseminated, modified and damaged. A recent case in Australia illustrated how easily electronic data can be destroyed to prevent police from acquiring digital evidence where the defendant reportedly ‘took a laboratory computer home, deleted data and changed dates before returning the computer early the next morning’ (AAP 2007). In order to ensure all elements of a proper (digital) evidentiary foundation are correctly established, an understanding of fundamental characteristics underlying digital evidence is crucial in addition to traditional evidential procedures (e.g. thorough documentation to ensure chain of custody).

The ‘Presumption of Reliability’ (presuming that computer forensic23 software such as EnCase© reliably yields accurate digital evidence) might also be challenged by educated defendants and their counsel, particularly if open source forensic tools that have not been cross-validated (cross-checking the results of one software tool against the results of another based on industrial baselines) were used to extract the digital evidence.

The reliability of a particular computer system or process can be difficult to assess. Programmers are fallible and can unintentionally or purposefully embed errors in their applications. Also, complex systems can have unforeseen operating errors, occasionally resulting in data corruption or catastrophic crashes. Possibly because of these complexities, courts are not closely examining the reliability of computer systems or processes and are evaluating the reliability of digital evidence without considering error rates or uncertainty (Casey 2002)

Given the likelihood of judicial scrutiny in a court of law, it is imperative that any examination of the electronically stored data be carried out in the least intrusive manner. Data examination involves assessing and extracting the relevant pieces of information from the collected data. The latter is by no means easy due to increased data storage capacities. For example, the amount of information gathered during the investigation in Operation Firewall is approximately 2 TB—the equivalent of an average university’s academic library (USSS 2004). An acquired storage medium is also likely to contain hundreds of thousands of data files. Identification of data files containing information of interest is both time consuming and daunting. Moreover, identified data files (of interest) may contain extraneous information that needs to be filtered.

With the advent of more complex data storage and dissemination technologies, forensic investigators face an increasingly difficult task. These developments (in data storage and dissemination technologies) can impede forensic investigators and

23 Computer forensics can be defined as the science of identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data (NIST 2006).

prevent police from acquiring digital evidence and analysing digital content forensically in terms of time and resources. Examples include:

• Different formats and platforms used to store digital content: Constantly evolving formats are independently being developed by different vendors according to different standards. The proprietary storage media (e.g. iPod, flash memory and USB memory sticks) and proprietary cryptographic algorithms used (e.g. encryption) could be incompatible (with one another) and compromise the integrity of the data during extraction or converting from incompatible proprietary formats.
• Increased data storage capacities: The best form of immediate backup to make is a binary disk image (also referred to as bit stream backup or mirror image backup). Enhanced data storage capacities (e.g. large volume data sets) and more complicated data accessibility (e.g. networks of interconnected computers located in different locations) will impede bit stream backup in terms of time and resources.

Therefore, an in-depth understanding of how different technologies and applications operate is crucial in collecting digital evidence. Moreover in response to changing contexts, various computer forensic tools and techniques have to be re-designed and re-engineered.

In a recent National Institute of Justice-sponsored survey, 667 US state and local law enforcement agencies selected from the National Public Safety Information Bureau’s database were contacted by mail and asked to answer a series of questions about digital evidence (Rogers et al. 2007). A total of 279 agencies responded to the survey. The survey found that:

• 80% of the respondents reported that no more than 25% of their cases involved digital evidence
• Respondents from municipal departments reported that most of their cases did not involve digital evidence.

The findings, as suggested by the authors, contradicted the estimates reported by federal law enforcement agencies (e.g. approximately 80% of cases handled by the FBI involved some form of digital evidence). This could, perhaps, be due to state and local law enforcement agents mainly focusing on traditional physical and/or document-based evidence because they have limited knowledge and resources to deal with digital evidence (Rogers et al. 2007).

In online child exploitation cases, evidence is likely to be stored on hundreds or thousands of computers and various ISPs and IRC servers located in various jurisdictions. Armagh and Battaglia (2006: 7) also noted that ‘[i]nvestigating cases of child sexual exploitation in which computers were used is complex. The demands of these investigations may exceed the resources available to a jurisdiction.’ Other organisations, such as internet service providers (ISPs) and IRC operators, for example, may also record information, such as logs of network activity on computers and email servers located in other countries.

The modern criminal, using the same devices as today’s teenagers, communicates with Voice over Internet Protocol, video instant messaging, cellular camera phone, and text messaging in a computer slang that is foreign to most police officers and parents. The trail to uncover this valuable investigative

resource often starts with a forensic examination, but this trail quickly grows cold as Internet Service Providers overwrite logs and data retention periods expire. All police agencies are facing the same challenge when dealing with computer forensics. Police managers must find a way to examine an increasing number of digital devices, each containing an immense volume of data, in a timely manner and with limited resources (Cohen 2007:unpaginated)

This would require computer forensic investigators and incident handlers to have in-depth knowledge of computer forensic principles, guidelines, procedures, tools, and techniques, as well as anti-forensic tools and techniques. Only specially trained and authorised computer forensic examiners should process and examine electronic evidence, as evidence not retrieved by a computer forensic expert may result in the reliability of the evidence itself being called into question and potentially be ruled inadmissible in court.

File system journals contain valuable evidence pertaining to cases ranging from child pornography and software piracy to financial fraud and network intrusions. Digital forensic investigators should be aware of the data cached in file system journals and its use in digital investigations. Meanwhile, the digital forensics research community should focus its efforts on file system journal forensics and develop novel journal data extraction and analysis techniques that could be implemented in the next generation of computer forensic tools (Swenson and Shenoi 2007:243)

Increasingly, forensic analysis of computers for law enforcement purposes is being undertaken by well-organised groups of computer forensic examiners working in government facilities or private-sector workplaces, such as leading consulting practices.

The need for harmonisation of legislation

Many of the wide-ranging activities and consequences resulting from (organised) technology-enabled crime attacks constitute offences under existing criminal laws in many countries including Australia. Legislation particularly laws with extraterritorial effect provides a valuable tool in the fight against cybercriminal activities. Australia, for example, may request the extradition from other countries of persons who have committed acts online that adversely affect Australian citizens or interests for them to be returned to Australia to face prosecution (as governed by the Extradition Act 1988 (Cth)).

Grabosky (2007) noted the relevancy of the nullum crimen sine lege principle in most legal systems.

Under this principle, behaviour, no matter how harmful, cannot be prosecuted unless it is formally prohibited by law. The person who released the I LOVE YOU virus in May 2000, for example, could not be prosecuted in the Philippines because there was no law in that country at the time that prohibited the release of malicious code (Grabosky 2007: 208)

Satisfying the criterion of dual criminality—the alleged misconduct must constitute an offence under both the laws of the extradition country and Australia—

It is unlikely that traditional organised crime groups will shy away from using cyberspace to facilitate and/or to disguise illicit proceeds of real world based crimes as organised crime groups are very market driven and reflect many of the features of contemporary commerce. such as occurs in the case of botnet prosecutions where evidence would need to be obtained concerning the thousands of computers that have been compromised. This is well illustrated by the financially motivated groups and the criminally motivated groups (e. Indeed. for example. may be practically impossible to use. Serious concerns have been expressed about the ways in which new technologies might be exploited for crimes such as money laundering. 2007:76–77) Conclusion As the internet and other forms of information and communications technologies (ICT) continue to advance. existing offences. online child exploitation and internet-driven radicalisation. Although the process of harmonisation of cybercrime legislation throughout Australia has been consistent.g. New offences of creating a network for illegal purposes and selling established botnets might need to be developed to deal with such emerging threats (Choo et al. organised in a very different sense. The UK threat assessment report. Achieving some measure of uniformity will also help to minimise the risk of so-called ‘jurisdiction shopping’ by organised crime groups in which offenders seek out countries from which to base their activities that have the least severe punishments or which have no extradition treaties current. In addition. One may even argue that cyber groups are. online paedophile rings). the various cybercrime groups may themselves represent a diverse number of types. the need for uniformity will become more pronounced as the number of technology-enabled crimes continues to increase. This article provided some indications of the ways in which emerging technological changes have been exploited by organised crime groups. 
Existing legislation may not be suitable or adequate within the context of developments in using new and emerging technologies to commit technology-enabled crimes. and those directing criminal activity find it easier to maintain their anonymity and reduce their risks (SOCA 2008:25) Key observations that can be drawn from the preceding discussion include cyber groups need not be circumscribed by national borders and there is no indication of cyber groups attaining the same level of sophistication in terms of hierarchical organisational structure as traditional organised crime groups (and law enforcement agencies). explains that global migration and ever more widespread information and communications technology (particularly the Internet) means that more and more criminals will have the contacts and capabilities to operate without boundaries. there is little incentive for financially motivated cybercrime groups to have a hierarchical . In fact. in fact. although technically adequate. the opportunities for criminal exploitation of online systems will increase. is invariably necessary in both extradition and mutual assistance requests.

organised crime groups operate online under the same free market principles.uk/media_ centre/documents/080515APACSquarterlystatisticalreleaseMar08final. For example. Computerworld. Avialable at: http://www. the notion that the internet has no geographic boundaries. violence. any errors remaining are solely attributed to the author. Ethics Inf Technol 4 (2):133–42 Ahmad R (2007) Slashing through the Web of terror. to leverage advances in ICT to operate in cyberspace. To counter these threats. The Boston Globe.org.08). These threats will be exacerbated by the increasing reliance which businesses and individuals place upon online systems for the functioning of their daily lives. 05 January APACS (2008). Quarterly statistical release (15. in spear phishing and whaling cases). alters the nature of the criminals encountered by law enforcement and continues to be a major challenge for law enforcement.boston. both in Australia and around the world. new strategies of response such as the need to amend and to strengthen the law to address new challenges that new technologies pose with the rapid advancement and convergence of ICT in the years to come will become more pronounced. There is also a need for further research on analysing organised criminal activities in cyberspace in order to complement and inform the priorities.g. while legislative and law enforcement endeavours launched against them suffer from geographical and cultural restrictions.au. the AusCERT (2006) survey and the DTI Information Security Breaches survey (PwC 2006) found an increase in the views held by the businesses surveyed that electronic attacks are more often motivated by illicit financial gain than in the past.Trends Organ Crim (2008) 11:270–295 291 organisational structure (or to be affiliated with traditional organised crime groups) since they are able to generate profits quite successfully on their own or in smaller task-specific or situation-specific groups. 
References Abelson J (2007) Breach of data at TJX is called the biggest ever. 29 March. Available at: http://www. focusing their attention particularly on financial institutions and top executives of an organisation (e.pdf . present a real danger to the economic and social stability of society.com/business/globe/articles/2007/03/29/breach_of_data_at_tjx_is_called_the_ biggest_ever/ Adam A (2002) Cyberstalking and Internet pornography: gender and the gaze.apacs.05. Acknowledgments The author is most grateful to the two anonymous referees and the editor-in-chief for their constructive feedback. Todayonline. The DTI Information Security Breaches survey (PwC 2006) further suggested that information security breaches cost British companies across several industry sectors £10 billion per annum. Financially motivated cyber attacks will also continue to be more targeted. Unfortunately. particularly cybercriminal groups. has driven the e-commerce revolution. Despite their invaluable assistance. The increasing use of technology and transnational connections particularly threats from organised ideologically/politically motivated cyber groups that aim to incite hatred.com. strategies and outcomes of law enforcement efforts—which is by no means easy. and intimidation through the internet. The ability of organised crime groups. 3 March Ames B (2007) Online spending tops US$100 billion. Extraterritoriality.

org/documents/docs/6/ APG%20Yearly%20Typologies%20Report%2005-06_PUBLIC.com/webform. uncertainty. Battaglia NL (2006) Use of computers in the sexual exploitation of children. doi:10. pp 35–44 Curry A.gov. detecting.apgml.au/content/publications/Other_Publications/080117_Organised_Crime_In_ Australia. Enforcement Bulletin Issue 33.pdf Australia Associated Press (AAP) (2007) Selim cleared over destruction of data.org. Available at: http://www. Asian J Criminol 3(1):37–59 Choo KKR. 6 March.nsf/WebPageDisplay/PUB_AnnualReport Bakier AH (2008) Jihadi website advises recruits on how to join al-Qaeda. Available at: http://www. BBC News.gov. US Department of Justice.ca/en/publications/perspectives/200007.gov. Available at: http://www.smh. p 5 Evron G (2008) Battling botnets and online mobs.aic. Available at: http://www. Comput Fraud Secur 2005(3):9 Choo KKR (2007) Zombies and botnets.pdf AusCERT (2006) Computer crime and security survey.asp?print_view=1 Casey E (2002) Error. Available at: http://www.afp. Office of Juvenile Justice and Delinquency Prevention. Smith RG.gov.au/publications/tandi2/tandi333. Available at: http://www. McPherson D (2005) The zombie roundup: understanding. Available at: http:// news.org/magazine/index. Washington. Police Chief 74(3). apca.co.cfm?id=102 Cohen CL (2007) Growing challenge of computer forensics.com. and loss in digital evidence. Available at: http://www.html Australian Crime Commission (ACC) (2007) Illicit drug data report 2005–06. html Australia Associated Press (AAP) (2008) Police unveil $1 million internet scam. 23 February. In: SRUTI’05 Workshop Proceedings. Terrorism Focus V(18):3–4 BBC News (2001) Russia arrests ‘grandfather of cybercrime’. 26 May. Research and public policy series no 78. September/October issue no. USENIX Association.au/news/national/selim-cleared-over-destruction-of-data/2007/04/18/1176696916796.gov. 19 April. Available at: http://www. Available at: http:// www. High tech crime brief no. 
DC Asia-Pacific Group on Money Laundering (APG) (2006) The Asia/Pacific Group on Money Laundering (APG) yearly typologies report 2005–2006.au/publications/htcb/htcb016.au/news/security/police-unveil-1-million-internet-scam/2008/02/23/ 1203467457719.au/ publications/rpp/78/ CipherTrust (2005) Phishing: organized crime for the 21st century. Georget J Int Affairs Winter/Spring 2008:121–126 FBI (2008a) Major child porn ring busted and 20 children rescued worldwide.gov/page2/march08/innocentimages_030608.gov.com.bbc. Available at: http://www.au/content/publications/iddr_2005_06/IDDR_2005-06.smh. policechiefmagazine. Smith RG (2008) Criminal exploitation of online systems by organised crime groups. 16.pdf Australian Federal Police (AFP) (2008) National child porn operation nets 90 people.aic. McCusker R (2007) Future directions in technology-enabled crime.html Australian Payments Clearing Association (APCA) (2005) Annual report 2005.1007/s11417-008-9051-6 Choo KKR. Media release 5 June. securecomputing. Comput Secur 20(6):475–478 Brenner SW (2002) Organized cybercrime? How cyberspace may affect the structure of criminal relationships. Available at: http://www.com. Available at: http://www.aic.html Choo KKR (2008) Money laundering and terrorism financing risks of prepaid cards instruments? Asian J Criminol (in press).cfm?fuseaction=display_arch&article_id=1136& issue_id=32007 Cooke E. Australian Institute of Criminology. Available at: http://www.gov.csis-scrs. crimecommission. Berkeley CA.aic. McGrane S (2006) China’s cyberwarriors. and disrupting botnets. 333.pdf Australian Crime Commission (ACC) (2008) Organised crime in Australia.html .gc. Trends & Issue.stm Bequai A (2001) Organized crime goes cyber. Australian Institute of Criminology.au/publications/htcb/htcb013.fbi. Press release. Available at: http://www.292 Trends Organ Crim (2008) 11:270–295 Armagh DS. Available at: http://www.uk/1/hi/world/europe/1353092.auscert. crimecommission. 
93 Enforcement Bulletin (2007) Raid of a major pirate packaging facility in Guangzhou. 2nd edn.au/media_releases/national/2008/national_child_porn_operation_ nets_90_people Australian Institute of Criminology (AIC) (2006) Acquiring high tech crime tools. North Carolina Journal of Law & Technology 4(1):1–50 Canadian Security Intelligence Service (2000) Transnational criminal activity: a global context. Office of Justice Programs.au/images/ ACCSS2006. High tech crime brief no 13. Foreign Policy. Jahanian F.html Australian Institute of Criminology (AIC) (2007) Money mules. Int J Digit Evidence 1(2) Charlton J (2005) Al Qaeda buys cyber criminal expertise. Available at: http://www.au/Public/apca01_live.

Media release.uk/2008/03/13/loadscc_rises_again/ Grabosky P (2007) Requirements of prosecution services to deal with cyber crime. Hackworth A (2005) Botnets as a vehicle for online crime.co.au/index. Crime Law Soc Chang 46:257–273 McGraw G (2006) Interview: silver bullet speaks to Avi Rubin. May/June issue Institute of Defence and Strategic Studies (IDSS) (2006) Proceedings of the International conference on Terrorism in Southeast Asia: the threat and response. USA.theregister. Convictions for internet rape plan. New Sci 2586:13 McAfee (2006) Virtual criminology report: organised crime and the internet. PC world. computerworld. Crime Law Soc Chang 47(4–5):201–223 Great Britain Crown Prosecution Service (GB CPS) (2006).uk.php?id=610295694&eid=-255 Keizer G (2008) Researcher: Russian hosting network runs a protection racket.uk/2007/02/01/dutch_botnet_gang_sentenced/ Marks P (2007) How to leak a secret and not get caught.theregister.co.gov/pressrel/ pressrel08/ioc042308. 17 May Kshetri N (2005) Pattern of global cyber war and crime: a conceptual framework. October 28–31.co. di Vimercati SDC. Available at: http://www. Available at: http://www.uk/2007/12/03/tjx_settlement_agreement/ Goodin D (2008) Rent-a-bot gang rises from the DDoS ashes. The register. Telegraph. 1 February. Infosecurity.computerworld.channelregister. Available at: http://www.com. Australia. Orbis 49(2):293–304 Lesk M (2007) The new front line: Estonia under cyberassault. Available at: http://www. Channel register.com. 27 Jun Jen WY. Syverson PF (eds) Proceedings of the 14th ACM conference on Computer and communications security.edu. IEEE Security Privacy 4(3):11–13 McMillan R (2008) Criminals hack ceos with fake subpoenas. 18 May Kirk J (2007c) Estonia recovers from massive denial-of-service attack. Computerworld.fbi. In: Ning P.rsis. Paper to Workshop on Intelligence and Security Keizer G (2007) Porn sites serve up Mpack attacks. 23 April.au/index.com. CERT Coordination Center. The register. 
Grant DR.htm Franklin J. skills. Savage S (2007) An inquiry into the nature and causes of the wealth of internet miscreants. Available at: http:// www.computerworld. Available at: http:// www. ACM. 25 April. Available at: http://www.co. Presentation at the Technology Trends 2007 seminars. McAfee. Paxson V.Trends Organ Crim (2008) 11:270–295 293 FBI (2008b) Department of Justice launches new law enforcement strategy to combat increasing threat of international organized crime. theregister. Infoworld. Analyses of Social Issues and Public Policy 3(1):29–44 Goodin D (2007) TJX agrees to pay banks $41m to cover Visa losses.uk/2007/12/03/mi5_warns_over_chinese_hack_attacks/ Libbenga J (2007) Another 419 scam ring nicked. ACM CCS 2007. 16 November.sg/ Jaques R (2006) European police nab zombie hackers. The age.php?id=1342062697&eid=-255 Gerstenfeld PB. 3 December. New York. 12 February. Chang W. pp 375–388 Galeotti M (2008) Criminal histories: an introduction. Alexandria. Pittsburgh PA Infosecurity (2007) Interview: Eugene Kaspersky 2007. 14 April.com.channelregister. Virginia. 28 March Kirk J (2007b) Symantec: Chinese hackers grow in number. Available at: http://www.uk/2007/04/25/another_419_scamring_nicked/ Libbenga J. InfoWorld. Affilia 21(4):365–379 Ianelli N.com.html Miller N (2007) From Russia with malice: criminals trawl the world.php?id=1496227928&eid=-6787 Kirk J (2007a) Hackers build private IM to keep out the law.pcworld. Chiang C (2003) Hate online: a content analysis of extremist internet sites. 2007.com/businesscenter/article/144548/criminals_hack_ceos_with_fake_subpoenas. 25 June.co. Chou S (2006) Cybercrime in Taiwan: an analysis of suspect records. 13 March.csiro. Computerworld. Perrig A. Vnunet. The register. Channel register. Available at: http://www. 13 January Harrison C (2006) Cyberspace and child abuse images: a feminist perspective.com. 20 February. Press release. Leyden J (2007) Dutch botnet duo sentenced. 
IEEE Security Privacy 5(4):76–79 Leyden J (2007) MI5 warns over China hacking menace. J Internat Manag 11 (4):541–562 Kshetri N (2006) The simple economics of cybercrimes.ict.co. Computerworld. Available at: http://www. Computerworld.au/index. Available at: http:// www. Available at: http:// www.au/MU/Trends/ McCusker R (2006) Transnational organised cyber crime—distinguishing threat from reality. Santa Clara. 3 December. 24 July . CSIRO ICT centre. 1 December Harding T (2007) Terrorists ‘use Google maps to hit UK troops’. CA McCombie S (2007) Organised cybercrime & phishing: the godfathers of the internet. Global Crime 9(1–2):1–7 Garretson C (2007) Whaling: Latest e-mail scam targets executives. IEEE Security Privacy 4(1):33–39 Lal R (2005) South Asian organized crime and terrorist networks.

Available at: http://www. Available at: http://www. Available at: http://www. Rockville. NIST computer security special publications SP800-86.mha.294 Trends Organ Crim (2008) 11:270–295 MSN—Mainichi Daily News (2006) Inside the Yamaguchi-gumi: Ex-gangster’s life a history of Japan’s postwar underworld. 4 May PricewaterhouseCoopers (PwC) (2006) DTI information security breaches survey 2006.000 seized. wiesenthal. Available at: http://www.gov/media/annualreport/2005_IC3Report. IFIP Int Fed Inform Process 242:41–52 Schrank P (2007) Newly nasty. Frakes K..pdf Organized Crime and Triad Bureau (2007) Triad activities in Hong Kong.cfm/section/ publications/page/publicationList/viewArchives/true/category/5 . J Financ Crime 14(1):79–83 Sophos (2007) Businesses warned by MI5 of Chinese espionage threat. Media release. 13 April Singh S (2007) The risks to business presented by organised and economically motivated criminal enterprises.pdf Serious Organised Crime Agency (SOCA) (2008) The United Kingdom threat assessment of serious organised crime. Scarborough K.nist.com/atf/cf/%7BDFD2AAC1-2ADE-428A-9263-35234229D8D8%7D/IREPORT. Trends Organ Crim 11(2):157–182 Serious Organised Crime Agency (SOCA) (2006) The United Kingdom threat assessment of serious organised crime.com/extweb/pwcpublications.aspx Parliamentary Joint Committee on the Australian Crime Commission (2007) Inquiry into the future impact of serious and organised crime on Australian society. 29 May Rogers M. 30 May PandaLabs (2007) Cybercrime. Available at: http://www.symantec. Todayonline.soca. Media release. Available at: http://www. 19 May. 24 May Sein AJ (2008) The prosecution of Chinese organized crime groups: the Sister Ping case and its lessons. MSN—Mainichi Daily News. 
Available at: http://www.PDF Singapore Commercial Affairs Department (CAD) (2006) Money mules.nsf/docid/7FA80D2B30A116D7802570B9005C3D16 Rodriguez A (2007) Attacks on Estonia move to new front.com/pressoffice/news/articles/2007/12/ mi5-china-internet-spy.gov.uk/assessPublications/downloads/threat_assess_ unclass_250706.gov. IFIP Int Fed Inform Process 242:231–244 Symantec (2007) Symantec internet security threat report vol. Parliament House. Available at: http://app3. The Economist. Available at: http://www. XI. says official. 18 June United Kingdom Organised Crime Task Force (UK OCTF) (2007) Annual report and threat assessment 2007: organised crime in Northern Ireland. Available at: http://www.pwc. MD Available at: http://csrc.nacha.octf. ustr. Hong Kong Police.gov/assets/Document_Library/Reports_Publications/2007/2007_Special_301_Review/asset_ upload_file980_11122.com/ threatreport Todayonline (2007) Tigers have joined jihadi drug trade. 1 December. for sale (II).gov.pdf Simon Wiesenthal Center (2008) iReport: online terror + hate the first decade.uk/assessPublications/downloads/UKTA2008-9NPM.soca.sophos.pandasoftware.gov.aspx?nid=743 Singapore Police Force (SPF) (2007) Unlicensed moneylending syndicate busted—$130. Sophos offers advice.html Swenson P. Chicago Tribune. The Wall Street Journal. Available at: www.pdf National Science and Technology Council (NSTC) (2006) Federal plan for cyber security and information assurance research and development. Media release.uk/index.ic3. Arlington.htm Singapore Commercial Affairs Department (CAD) (2007) Case of 6-members credit card skimming syndicate. 11 June United Kingdom Child Exploitation and Online Protection (UK CEOP) (2007) Global online child abuse network smashed—CEOP lead international operation into UK based paedophile ring. Ministry Of Home Affairs—Speech by Associate Professor Ho Peng Kee. Shenoi S (2007) File system journal forensics. Available at: http://www. 
21 May Singapore Ministry of Home Affairs (MHA) (2004) Second reading speech for the Criminal Law (Temporary Provisions) (Amendment) Bill.pdf National Institute of Standards and Technology (NIST) (2006) Guide to integrating forensic techniques into incident response.pdf Office of the United States Trade Representative (2007) 2007 Special 301 report. Canberra September Pereira J (2007) How credit-card data went out wireless door.cad. NIST.sg/news_details.gov. VA National White Collar Crime Center and Federal Bureau of Investigation (NW3C/FBI) (2007) 2006 IC3 annual internet fraud report. Media release. News release. Available at: http://blogs.gov/publications/nistpubs/800-86/SP800-86. sg/crimeprev/cpa_moneymules. 24 May NACHA (2008) NACHA reports more than 18 billion ach payments in 2007. Senior Minister of State for Law and Home Affairs on 1 September 2004. San Martin C (2007) Survey of law enforcement perceptions regarding digital evidence.com/blogs/ pandalabs/archive/2007/05/03/Cybercrime_2E002E002E00_-for-sale-_2800_II_2900_.org/News/news/pressreleases/2008/Volume_Final. NIST.

8 May United States Department of Justice (US DoJ) (2007a) Owners/operators of Asian massage parlors charged with transporting persons for prostitution. Stud Confl Terror 29 (7):623–639 Zhuge J.htm United States Department of Justice (US DoJ) (2008b) Second defendant pleads guilty in Pensacola in international child exploitation enterprise case.fbi. 22 June.html Weimann G (2006) Virtual disputes: the use of the internet for terrorist debates. Media release. 31 March.co. uk/1/hi/technology/4692518.htm United States Department of Justice (US DoJ) (2007d) Heroin kingpin—first defendant ever extradited from Afghanistan—sentenced in Manhattan federal court to over 15 years in prison.co.gov/usao/az/press_releases/2007/2007-182(Green-Bressler). Holz T. 31 May Vidino L (2007) The hofstad group: the new face of terrorist networks in Europe. PC Pro. Available at: http://losangeles. and Romania indicted in federal RICO case that alleges widespread computer fraud. 6 June.ftc. Media release. 19 May. 10 August.htm United States Department of Justice (US DoJ) (2007c) Former member of the US navy indicted on terrorism and espionage charges.gov/dojpressrel/pressrel08/childexploitation042808. Guo J. Media release.fbi.gov/ dojpressrel/pressrel08/childporn041708.S.htm United States Federal Trade Commission (US FTC) (2008) Agency announces settlement of separate actions against retailer TJX. Available at: http://sacramento. Available at: http:// www.htm United States Department of Justice (US DoJ) (2008c) Idaho man pleads guilty in international child exploitation enterprise case. 2008 . Calgary Herald. Media release. Media release. credit union bills TJX $590k for breach-related costs. http://www. 27 March. gov/dojpressrel/pressrel08/childexploitation_050608.gov/dojpressrel/ pressrel07/wfo062207.fbi.bbc. Press release. Available at: http://jacksonville. 
Han X.htm United States Department of Justice (US DoJ) (2007f) Fairfield man pleads guilty to attempted receipt and possession of child pornography.fbi. 17 April. Zou W (2008) Studying malicious websites and the underground economy on the Chinese web. New Hampshire.usdoj. and data brokers Reed Elsevier and Seisint for failing to provide adequate security for consumers’ data. 6 May. Media release. Media release. 11 May United States Department of Justice (US DoJ) (2007b) Extradited software piracy ringleader sentenced to 51 months in prison.fbi. Media release.gov/dojpressrel/pressrel08/la051908ausa.do?command=viewArticleBasic&taxonomyName= security&articleId=9023778&taxonomyId=17&intsrc=kc_top Ward M (2006) Anti-cartoon protests go online. Media release.fbi. 8 February. Media release. 7 February.shtm United States Secret Service (USSS) (2004) U.gov/ dojpressrel/pressrel08/sc022008.gov/dojpressrel/pressrel07/wfo042007b. 7 May.gov/ dojpressrel/2007/nh032107.pcpro. 20 April.co.pdf United States Department of Justice (US DoJ) (2007g) Tucson man sentenced to seven years for identity theft and fraudulent use of thousands of credit and debit card numbers.htm United States Department of Justice (US DoJ) (2008d) 33 individuals in U. Available at: http://jacksonville.Trends Organ Crim (2008) 11:270–295 295 United States Department of Justice (US DoJ) (2006) ‘Botherder’ dealt record prison sentence for selling and spreading malicious computer code. In: Proceedings of the 7th Workshop on the Economics of Information Security. 28 April.fbi.gov/dojpressrel/pressrel07/sc050707. Available at: http://computerworld. Song C. Hanover. BBC. Available at: http://sacramento. Media release.S. fbi.com/action/article. Available at: http://www. Stud Confl Terror 30:579–592 Vijayan J (2007) Mass. Media release 20 February.stm Warner B (2006) Muslim hackers blast Denmark in net assault. WEIS 2008. 28 October van Rassel J (2007) ATM skimmers seized in raid. Media release. 
Available at: http:// jacksonville.gov/opa/2008/03/ datasec. Computerworld.fbi. June 25–28.htm United States Department of Justice (US DoJ) (2008a) Third defendant pleads guilty in pensacola in global child exploitation enterprise case. 08 October United States Department of Justice (US DoJ) (2007e) Extradited software piracy ringleader pleads guilty.uk/news/83314/muslim-hackers-blast-denmark-in-net-assault. secret service’s operation firewall nets 28 arrests. Media release. Available at: http://news.pdf United States Department of Justice (US DoJ) (2007h) Six defendants indicted for stealing money from bank customers accounts through the internet.uk. Available at: http://newhaven. Available at: http://washingtondc. Available at: http://washingtondc.