Experts call it the “cyber arms bazaar” — an Eastern European underground market in hacking tools, viruses and other forms of infiltration and cyber sabotage that has been developing with little Western attention for around 15 years.
“The most sophisticated shadow economy in the world as it relates to the deep Web services and hacking tools is by far in Eastern Europe,” said Tom Kellermann, chief cybersecurity officer at security research firm Trend Micro.
“This is a high-end market in malware,” said Hedi Nasheri, a criminology and justice studies professor at Kent State University who has studied the cyber crime world in Eastern Europe. “Basically they are professional guns for hire.”
“It’s exponential, exponential growth,” Kellermann added.
The rapid development has caught international policymakers and law enforcement officials off guard.
“This has become a sudden reality,” Nasheri said. “We’re not quite sure how to get our hands around this.”
Cyber crime has become an attractive field in many post-Soviet bloc states, in part because of the combination of elite math and science education programs, sometimes-minimal career opportunities and lax law enforcement.
Nasheri recalls over a decade ago visiting Hungary and Estonia, and noticing that German cars with advanced chip technology were getting “stolen left and right from the street.” She soon realized hackers in these countries “had crafted a system to crack into these chips.”
For many years, the burgeoning dark Web market — which mostly operates using anonymity software — remained niche, available only to those in the know or with deep pockets.
Then the bazaar’s prices started dropping — fast. In the last decade, the cost of “traditional cyber weaponry” has plummeted at least 90 percent, Kellermann estimated.
Today, you can penetrate almost any organization in the world for roughly $250 a month, he said. It used to cost thousands.
Suddenly, the most advanced malware in the world is available to anyone with a couple of hundred bucks and nefarious intent.
The various sites present just like any online store, with drop-down menus to choose quantity and colorful “Buy It Now” buttons to purchase.
Shoppers can browse hacking tools boasting their selling points: how antivirus software won’t catch the malware; how a tool hides your movements once inside a network; how it protects your own underground site from being taken down.
Shoppers can even pay a monthly subscription for access to a start-to-finish hacking kit that is “regularly updated with the latest and greatest munitions and clandestine capabilities,” Kellermann said.
Sellers even have eBay-esque customer feedback scores.
But not just anyone with enough cash is allowed in, Kellermann explained.
To gain entry, aspiring cyber crooks frequently are asked to contribute to a forum’s upkeep costs and deliver stolen goods — credit card data, for instance — to show they’re not law enforcement officials.
Transactions are conducted in one of roughly 400 untraceable cryptocurrencies, Kellermann said.
The whole clandestine set-up has challenged intelligence agencies and frustrated law enforcement officials.
“I don’t think people really understand just how hard it is to be out in front of any event,” said Jasper Graham, a 12-year National Security Agency (NSA) veteran and current senior vice president of cyber technologies and analytics at security firm Darktrace.
And even if U.S. authorities can identify and track down a particular cyber arms dealer, there is only a narrow route to justice, explained Peter Toren, a cyber crime attorney and one of the Department of Justice’s (DOJ) original batch of computer crimes prosecutors.
“Close to impossible,” he said. “If their activity is really not directed toward the U.S., really there is significant doubt that they are violating some kind of U.S. federal law.”
But the pressure is mounting on the government to do something. Over the last year, hundreds of millions of Americans have had their personal information exposed through data breaches at Home Depot, Target, Staples, JPMorgan and Anthem, among many others.
Kellermann estimated that over 80 percent of financial sector cyberattacks could be traced back to the bazaar, while retail cyberattacks were not far behind.
Cyber thieves are recycling the data compromised in these hits, using it for myriad fraudulent activities, he said.
The DOJ and FBI are rearranging and rapidly changing strategies to staunch the flow of illicit digital activity.
Even if cyber arms dealers can’t be brought to justice, investigators and FBI officials say they are seeing positive results from calling out and filing charges against specific individuals.
The DOJ filed charges against five Chinese military hackers last May. Last month, the FBI issued a record $3 million reward for any information leading to the arrest of an elusive Russian cyber crook.
Indicting individuals “shines a light” on the issue, Toren said. It encourages other countries “to limit the movement” of these digital criminals.
“It’s important to show the U.S. is aware of this kind of conduct,” he added. “These people won’t be so brazen.”
But there are significant challenges, analysts say. The cyber arms bazaar operates out of countries with minimal interest — or ability — in stopping these operations.
“You have a very weak regulatory body,” Nasheri said. “You have hodgepodge legislation and ineffective laws when they exist.”
For some countries, these underground groups are even viewed as “national assets who will be called upon almost as cyber militias when necessary,” Kellermann said.
“We’re always reacting,” Nasheri said. “The right hand doesn’t know what the left hand is doing.”