Socwise logo
Lesku Gergely

It’s not just tech – How criminal hacker organizations really work

Lesku Gergely
When it comes to IT security, cybercrime prevention, or any other defensive measures organizations apply to protect themselves from hacker attacks, people usually think of firewalls, SIEM, SOAR, and XDR platforms, or even full-blown, high-tech security operation centers meticulously utilizing a combination of these pieces of technology. What’s interesting, however, is that hardly anyone thinks […]

When it comes to IT security, cybercrime prevention, or any other defensive measures organizations apply to protect themselves from hacker attacks, people usually think of firewalls, SIEM, SOAR, and XDR platforms, or even full-blown, high-tech security operation centers meticulously utilizing a combination of these pieces of technology. What’s interesting, however, is that hardly anyone thinks about the non-technological elements of these threats, as well as the fact that most attacks come from inside the company – which is a threat in itself. In fact, only about 30% of all hacker attacks are carried out in a technical way. The remaining 70% is all done by leveraging the human element. In this article, we’ll discuss how organized cybercrime really works, and what you can do to be better prepared to fend off an attempted hacker attack.

Meet the many faces of criminal hackers

One of the biggest misconceptions about criminal hacker organizations is that they consist of a handful of secretive, hooded hermits who reside in dimly-lit rooms, type very fast, and usually have poor social skills. Despite this wide-spread Hollywood image, criminal hackers work (and look) a lot like regular employees at regular companies. And cybercriminal organizations operate and manage their staff a lot like real companies. For example, it’s a known fact that one of the biggest criminal hacker organizations in Germany has established more than 30 companies which all have employees on payroll, albeit they’re all registered with fake IDs, fake passports, and fake addresses. Nevertheless, to the outside world, these companies create the impression of a professional business with professional employees. Let’s see a few examples of how these cybercriminal organizations and hackers work.

Blackheads – the real insider threat

One of the most frequent and sophisticated types of criminal hacker attacks are carried out by so-called blackheads, whose actions have quite the similarity with that of the famous Greek Trojan Horse. These special types of hackers are usually vastly knowledgeable in certain IT areas, especially in network technology. Blackheads are planted in companies by criminal hacker organizations using fake IDs, fake passports, fake proofs of residency, and perfect CVs. Without a thorough background check, these individuals seem like perfect candidates for any company, and are often quickly hired and given admin rights and complete access to everything within a short timeframe. However, the damages these cybercriminals can do have dire consequences. As part of the most recent blackhead attack in Saxonia, for example, two undercover hackers managed to take down a whole organization within a week, causing the company – and its 2,000 employees – long-term financial damage.

If you think these attacks at least probably don’t happen that often, think again. There are currently more than 6,000 such cases in court in Germany alone. Nevertheless, it’s rarely uncovered that the attacks were carried out by hackers planted in the company by a cybercrime organization.

So what can you do? One of the most important steps during the recruitment process, especially if it’s for an employee who’ll receive full access across the company IT infrastructure, is performing a thorough background check. However, as this might require specific skills resources, it best be done by a screening specialist firm.

The attack of former employees

Another type of inside threat occurs when an employee leaves a company with malicious intent. There can be several underlying reasons, but more often that you’d think the blame is with the management – after all there’s a common saying that goes: “good employees don’t leave companies, they leave leaders.” But what if the departure is so grim that the employee thirsts for revenge and wants to get back at their former employer for their mistreatment? On the dark web, there are more than 50 groups where ex-employees can provide hidden, confidential information about a company, which then can be used to launch a ransomware, malware, or any other type of cyber attack.

In this case, even though the attack doesn’t occur on the company perimeter, the threat originates from inside.

Social engineering and the importance of proper IT security education

Another insanely efficient type of hacker attack is called social engineering, a term used to describe a broad range of malicious activities accomplished through manipulating people to make security mistakes. A known social engineering scheme that’s unfortunately become quite common these days is finding people who struggle financially – despite working at a company – and recruiting them to sell certain products for extra income. When people apply – and more than 2 million people have fallen for this scam so far – they do actually get assignments and receive payments of €200, €300, or even €500 a month. After some time, when the trust is built, the ‘employees’ receive a USB stick which they are told to insert into their computer at a specific time (obviously when they’re predicted to be at their workplace) to complete a training that is going to earn them extra cash. Unsuspicious of being used as part of a coordinated cyberattack, they follow the instructions and inadvertently help the hackers get in. The last time it happened, 11 employees of the same company – who had no idea what they were going to do – shut down their headquarters and rendered 1800 people unable to work within 7 seconds.

Once again, the threat came from inside – even though there was no malicious intent on the employee’s part. They simply fell for a trick due to not having received proper education about cyberattacks.

A hacker’s career path

We’ve already established above that criminal hackers are not common street robbers – they’re mostly super intelligent, highly-skilled IT professionals with great experience. If you’re wondering how they get such competence and proficiency through ‘just becoming a criminal’, the answer may be simpler than you think: they go to university. As a matter of fact, 20% of all absolvents from the best IT, programming, and software development universities in the world don’t finish their studies to work for companies. Instead, they take on work in organized cybercrime. And if you’re asking why, the answer again is simpler than you think. While the average IT professional makes about €4000 a month, a criminal hacker organization easily pays a talented young hacker €2-3 million a year. The difference is shocking.

With €20-25 million damages per attack, one could argue that raising the salary of IT staff, even multiple times over, could make fewer IT graduates want to work in cybercrime and save companies millions of euros. While that’s true, the key take-away here is that there will always be extremely well-paid criminal hackers that companies must be able to fend off. And they need to accept the reality that more often than not, the threat cannot be averted by relying on technology only.


And that’s where we have a problem. To this day, the vast majority of companies only invest in SOCs, firewalls, and other pieces of security technology to protect themselves against cybercrime. However, hardly anyone recognizes that most attacks won’t happen using technology only. As complicated and sophisticated as criminal organizations are, they’ll always go for the easiest way to breach a company. And the easiest way is usually through the staff.

Businesses need to realize that they must put as much focus on the management and the employees as they put on the IT department. If the leadership only invests in its IT staff and technology to prepare for threats, they’ll only solve 30% of their cybersecurity problems. No matter how effective the firewall and the cloud platform security are, the remaining and overwhelming 70% will always find its way to do harm, and – one way or another – it’ll always come from the inside. And it doesn’t matter if it’s professional undercover hackers, financially unstable employees, or revengeful alumni – the prosecutor will always come for the CEO, not the IT department. Therefore, it’s in everyone’s best interest that a company fully understands how it can protect itself from all forms of criminal hacker attacks, be it through thorough background checks on newcomers, proper staff education on IT security, and even offering to help employees who struggle financially.

This article is based on a presentation by Robert Ehlert and Morgan Alexander from Quantum Cyber Lab AG. If you want to watch back, you can find it here :