This document examines the cybercrime economy through verified incidents and their documented consequences. The focus is on confirmed facts from major attacks that demonstrate how cybercrime operates as a structured, profitable enterprise.


The Mirai Botnet Attack (2016)

The Mirai botnet demonstrated how compromised Internet of Things (IoT) devices could be weaponized for large-scale attacks. Mirai infected devices by scanning for open Telnet ports and attempting to log in using a list of 62 common default usernames and passwords.
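The credential-guessing pattern described above is visible to defenders in authentication logs: one source address tries several factory-default username and password pairs against the same service within seconds. The following Python script is an added example, not code from the original article or from the Mirai analysis it summarizes. The log line format, the sample log, the source addresses (from the reserved documentation ranges) and the short default-credential list are all constructed for illustration; a real Telnet daemon should not log passwords, so in practice this kind of data comes from a honeypot or an authentication proxy that records the attempted credentials.

```python
"""
Detect default-credential sweeps against a Telnet service from honeypot-style
authentication logs. Added example; every value below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format:
#   <ISO timestamp> telnetd: login <failed|ok> user=<u> pass=<p> from=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>failed|ok) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) from=(?P<ip>[\d.]+)$"
)

# A handful of well-known factory defaults. This is a constructed, hypothetical
# list for the example, not the 62-entry list Mirai carried.
DEFAULT_CREDS = {
    ("root", "root"),
    ("admin", "admin"),
    ("root", "12345"),
    ("admin", "password"),
    ("root", ""),
}

# Constructed sample log: one host sweeping defaults (and succeeding), and one
# legitimate user who mistyped a password once.
SAMPLE_LOG = """\
2016-10-21T11:00:01Z telnetd: login failed user=root pass=root from=198.51.100.7
2016-10-21T11:00:02Z telnetd: login failed user=admin pass=admin from=198.51.100.7
2016-10-21T11:00:03Z telnetd: login failed user=root pass=12345 from=198.51.100.7
2016-10-21T11:00:04Z telnetd: login failed user=admin pass=password from=198.51.100.7
2016-10-21T11:00:05Z telnetd: login ok user=root pass= from=198.51.100.7
2016-10-21T11:30:00Z telnetd: login failed user=alice pass=wr0ng from=203.0.113.9
2016-10-21T11:31:10Z telnetd: login ok user=alice pass=s3cret from=203.0.113.9
"""


def parse(log_text):
    """Return a list of (timestamp, ip, user, password, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # a production pipeline would count unparsed lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["pw"], m["result"] == "ok"))
    return events


def detect_credential_sweeps(log_text, window=timedelta(seconds=60), min_attempts=3):
    """
    Flag each source IP that, within any sliding window of `window` seconds,
    tried at least `min_attempts` distinct credential pairs including at least
    one known factory default. A success inside the window is rated critical.
    """
    by_ip = defaultdict(list)
    for ev in sorted(parse(log_text)):  # sorted by timestamp first
        by_ip[ev[1]].append(ev)

    findings, best_score = {}, {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the burst fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            creds = {(u, p) for _, _, u, p, _ in burst}
            defaults = creds & DEFAULT_CREDS
            if len(creds) < min_attempts or not defaults:
                continue
            succeeded = any(ok for *_, ok in burst)
            score = (succeeded, len(creds))
            if ip not in best_score or score > best_score[ip]:
                best_score[ip] = score
                findings[ip] = {
                    "distinct_credentials": len(creds),
                    "default_credentials_tried": len(defaults),
                    "succeeded": succeeded,
                    "severity": "critical" if succeeded else "high",
                }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_credential_sweeps(SAMPLE_LOG).items():
        print(ip, finding)
```

The window and threshold are deliberately low because a legitimate user rarely cycles through several different username and password pairs in under a minute; the score favours windows that contain a successful login, since that is the case where the device has actually been taken over and needs to be pulled off the network and re-provisioned with unique credentials.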

Attack Timeline and Scale

In September 2016, security researcher Brian Krebs reported that his website was targeted by a distributed denial of service (DDoS) attack reaching 620 Gbps. This was among the largest attacks Akamai, his cloud security provider, had seen at that time. Following this attack, the Mirai source code was released publicly on a hacking forum by a user calling themselves "Anna-senpai."

On October 21, 2016, three consecutive DDoS attacks targeted Dyn, a domain name system (DNS) provider. The attacks used tens of millions of requests from the Mirai botnet to overwhelm Dyn's infrastructure. OVH, a French hosting provider, reported that attacks in this period exceeded 1 terabit per second (Tbps), which was described as the largest on public record at that time.

Affected Services

The attack on Dyn resulted in major internet platforms becoming temporarily unavailable to users in North America and Europe. Affected services included Twitter, Netflix, Reddit, Amazon, PayPal, Spotify, Pinterest, SoundCloud, GitHub, and several major news websites. Dyn was able to mitigate the first wave of the attack in approximately two hours, though additional waves occurred throughout the day.

Botnet Composition

At its peak in November 2016, Mirai had infected over 600,000 IoT devices. Research analyzing the infected systems found that most appeared to be routers and cameras. The devices were compromised because they ran default credentials or had not received security updates.

Legal Outcome

In December 2017, three individuals pleaded guilty to crimes related to the Mirai botnet. Paras Jha and Josiah White, both college students, were identified as creators of the botnet. Court documents indicated that the original operators used the botnet for DDoS attacks and click fraud operations. The Mirai source code remains publicly available, leading to numerous variants that continue to appear.

The Equifax Data Breach (2017)

In September 2017, Equifax disclosed a data breach that affected approximately 147 million people in the United States. The breach resulted from a failure to patch a known vulnerability in the Apache Struts web application framework.

Vulnerability Details

The vulnerability was CVE-2017-5638 in Apache Struts. A patch for this vulnerability became available in March 2017. The breach occurred from mid-May through July 2017. Equifax discovered the breach on July 29, 2017, and publicly disclosed it on September 7, 2017.

Compromised Data

The breach exposed the following information:

  • Names: 147 million records
  • Social Security numbers: 147 million records
  • Birth dates: 147 million records
  • Addresses: 147 million records
  • Driver's license numbers: 10.9 million records
  • Credit card numbers: 209,000 records

Financial and Corporate Consequences

Equifax agreed to a settlement of up to $700 million to resolve federal and state investigations. The company's stock price dropped 35% in the weeks following the public disclosure. CEO Richard Smith resigned in September 2017, and multiple other executives departed the company.

Victim Impact

Affected individuals were offered free credit monitoring services. The settlement allowed eligible victims to claim up to $20,000 for documented identity theft losses plus compensation for time spent on recovery efforts. The compromised data creates lifetime exposure to identity theft risk for affected individuals.

The Colonial Pipeline Ransomware Attack (2021)

In May 2021, Colonial Pipeline Company, which operates the largest fuel pipeline in the United States, was hit by a ransomware attack that disrupted fuel supplies across the East Coast.

Attack Details

The attack was carried out by the DarkSide ransomware group operating under a ransomware-as-a-service (RaaS) model. The initial access was gained through a compromised VPN account that lacked multi-factor authentication. Both billing and operational technology networks were affected.

Colonial Pipeline shut down operations for six days as a precautionary measure to contain the attack. The company paid a ransom of approximately $4.4 million in Bitcoin (75 BTC).

Impact

The shutdown resulted in fuel shortages across the southeastern United States, leading to panic buying and price increases at gas stations. The federal government issued an emergency declaration, and multiple states declared states of emergency.

Recovery and Investigation

The FBI recovered approximately $2.3 million of the ransom payment through Bitcoin transaction tracing. The DarkSide group announced it was shutting down operations following the law enforcement attention generated by the attack.

Investigations revealed that the VPN account lacked multi-factor authentication, and a single compromised password provided the initial access. The network lacked proper segmentation, allowing lateral movement from the compromised system to the operational technology network.

The Kaseya VSA Ransomware Attack (2021)

On July 2, 2021, the REvil ransomware group executed a supply chain attack against Kaseya, a company providing IT management software to managed service providers (MSPs).

Attack Mechanism

The attackers exploited a vulnerability (CVE-2021-30116) in Kaseya's VSA software. The vulnerability allowed authentication bypass and remote code execution. The Dutch Institute for Vulnerability Disclosure (DIVD) had reported the vulnerability to Kaseya, and a patch was being developed when REvil launched the attack.

The attackers used the compromised VSA servers to deploy ransomware to downstream customers of the affected MSPs. The attack was carried out through a malicious update that appeared to be a legitimate Kaseya hotfix.

Scale of Impact

According to Kaseya CEO Fred Voccola, between 50 and 60 of the company's customers were directly affected, and approximately 70% of these were managed service providers. Multiple sources estimated that between 800 and 2,000 downstream businesses were affected by the attack.

Security researchers reported that REvil was demanding ransoms ranging from approximately $45,000 for smaller victims to several million dollars for larger targets. REvil initially offered a universal decryption key for $70 million, later adjusting this to $50 million.

Resolution

On July 13, 2021, REvil's websites and infrastructure disappeared from the internet. On July 23, 2021, Kaseya announced it had obtained a universal decryption key from a third party and was helping affected customers restore their systems. Kaseya stated it did not pay a ransom to obtain the key.

Legal Action

In November 2021, the U.S. Department of Justice unsealed indictments against Yaroslav Vasinskyi (Ukrainian national) and Yevgeniy Polyanin (Russian national). Vasinskyi was arrested in Poland and later extradited to the United States. In May 2024, Vasinskyi was sentenced to 13 years and seven months in prison and ordered to pay over $16 million in restitution.

In January 2022, Russian authorities arrested 14 individuals connected to REvil operations.

Genesis Market Takedown (2023)

Genesis Market was a cybercrime marketplace that operated from 2017 until its disruption in April 2023. The platform specialized in selling stolen digital identities, including browser cookies, saved passwords, and device fingerprints.

Marketplace Operations

Genesis Market sold access to data stolen from infected computers, allowing buyers to impersonate legitimate users of various online services. The marketplace provided a custom browser based on Chromium that loaded stolen cookies and credentials, enabling criminals to bypass security measures including multi-factor authentication.

The platform facilitated access to accounts on services including PayPal, Amazon, eBay, Facebook, Netflix, banking institutions, and cryptocurrency exchanges.

Scale

At the time of the takedown, Genesis Market offered:

  • Data from over 1.5 million compromised computers
  • Over 80 million account access credentials
  • Approximately 460,000 packages of stolen information available for sale

The FBI reported that Genesis Market had generated at least $8.7 million from the sale of stolen credentials, with total victim losses estimated to exceed tens of millions of dollars.

Operation Cookie Monster

In April 2023, an international law enforcement operation dubbed "Operation Cookie Monster" disrupted Genesis Market. The operation involved 17 countries and resulted in:

  • 119 arrests worldwide
  • 208 property searches
  • Seizure of Genesis Market domains and infrastructure
  • Interviews with 97 individuals

The operation was led by the FBI and Dutch National Police, with participation from law enforcement agencies across Europe, Australia, Canada, and other jurisdictions. The U.S. Treasury Department's Office of Foreign Assets Control also announced sanctions against Genesis Market.

Cost Asymmetry in Cybercrime

The documented incidents reveal significant asymmetry between attacker costs and victim losses.

Attacker Advantages

Ransomware-as-a-service models allow attackers to operate with minimal technical infrastructure. In the Colonial Pipeline case, a single compromised password without multi-factor authentication provided access that led to a multi-million dollar ransom payment.

The Mirai botnet demonstrated that publicly available source code and default device credentials could create attack infrastructure affecting millions of users. The initial development costs were relatively low compared to the scale of disruption achieved.

Victim Costs

Colonial Pipeline paid $4.4 million in ransom and experienced six days of operational shutdown affecting fuel supplies across multiple states. Equifax's settlement reached $700 million, with additional costs including stock price decline and executive departures.

Organizations affected by the Kaseya attack faced costs ranging from thousands to millions of dollars depending on their size and the extent of the disruption. Recovery efforts required significant time and resources beyond the potential ransom payments.

Individual victims of Genesis Market faced account compromises, financial losses, and the time required to secure their accounts and resolve fraudulent transactions.

Security Implications

The documented incidents reveal common patterns:

Preventable Vulnerabilities

The Equifax breach resulted from an unpatched vulnerability for which a fix had been available for months. The Colonial Pipeline attack succeeded because of a VPN account without multi-factor authentication. The Mirai botnet compromised devices using default credentials.

Supply Chain Risk

The Kaseya attack demonstrated how a single vulnerability in widely deployed management software could cascade to affect thousands of downstream organizations. The supply chain model amplified the impact from approximately 50 direct victims to potentially 2,000 affected businesses.

Persistent Markets

Genesis Market operated for approximately six years before disruption, demonstrating the longevity of cybercrime marketplaces. Even after takedown operations, similar marketplaces often emerge to replace those that are disrupted.

Cryptocurrency and Attribution

The Colonial Pipeline investigation recovered a portion of the ransom payment through Bitcoin transaction analysis, demonstrating that cryptocurrency transactions can be traced despite common perceptions of anonymity. However, attribution and prosecution remain challenging, particularly when attackers operate from jurisdictions that do not cooperate with international law enforcement.

The Return on Investment for Security Controls

IBM's annual Cost of a Data Breach Report provides quantified evidence for the financial value of security investments. The 2024 and 2025 reports analyzed hundreds of real-world breaches to measure the impact of specific security controls.

Global Breach Costs

According to IBM's 2024 Cost of a Data Breach Report, the global average cost of a data breach reached $4.88 million, representing a 10% increase from the previous year. This was the largest yearly increase since the pandemic.

The 2025 report showed a decrease to $4.44 million globally, a 9% decline attributed to faster breach detection and containment. However, costs in the United States increased significantly. The average cost of a data breach for U.S. companies reached $10.22 million in 2025, a 9% increase and an all-time high.

For specific industries, costs are substantially higher. Healthcare organizations saw the costliest breaches for the 14th consecutive year, with average breach costs reaching $9.77 million. Financial industry enterprises faced average costs of $6.08 million, which is 22% higher than the global average.

AI and Automation Cost Savings

The IBM reports document significant cost savings from deploying AI and automation in security operations.

Organizations not using AI and automation had average breach costs of $5.72 million, while those making extensive use of AI and automation had average costs of $3.84 million, a savings of $1.88 million according to the 2024 report.

The impact varied by where AI and automation were deployed. When AI and automation were deployed extensively across preventative workflows, organizations realized cost savings of $2.2 million compared to organizations that did not use these technologies in prevention.

Organizations that used AI and automation extensively identified and contained breaches nearly 100 days faster than other organizations, directly contributing to reduced costs.

The 2025 report showed continued benefits. Organizations using AI and automation extensively saved $1.9 million per breach, with costs of $3.62 million versus $5.52 million for non-users.

Incident Response and Identity Management

Specific security controls showed measurable cost reductions in the financial industry.

Companies with incident response teams and robust security testing saved $248,000 per year on average, while those with identity and access management solutions saved up to $223,000 each year according to the 2024 report.

Financial firms using AI and automation saved an average of $1.9 million compared to those that did not.

Detection Speed and Cost Impact

The time required to identify and contain a breach has direct financial consequences.

On average, it took organizations 241 days to identify and contain a breach through the one-year period ending in February 2025, a nine-year low.

The 2024 report found that 42% of breaches were detected by an organization's own security team or tools compared to 33% the prior year. Internal detection shortened the data breach lifecycle by 61 days and saved organizations nearly $1 million in breach costs compared to those disclosed by an attacker.

Security Staffing Impact

Understaffing creates measurable cost increases. Organizations that faced severe staffing shortages observed an average of $1.76 million in higher breach costs than those with low-level or no security staffing issues, according to the 2024 report.

Additional Security Controls

Other security measures showed cost reduction benefits in the 2025 report. DevSecOps approaches reduced costs by $227,000, while SIEM implementation saved $212,000.

Conclusion

The cybercrime economy operates with established infrastructure and creates substantial financial incentives. The documented incidents show that basic security measures (patching known vulnerabilities, implementing multi-factor authentication, changing default credentials) prevent many common attack vectors.

The cost asymmetry between attackers and victims creates persistent incentives for cybercrime. Low initial investment and operating costs contrast with multi-million dollar victim impacts.

However, IBM's research demonstrates that security investments provide measurable returns. Organizations that deploy AI and automation extensively in security operations save nearly $2 million per breach. Incident response capabilities and identity management systems each save hundreds of thousands of dollars. Faster breach detection through internal security teams saves approximately $1 million compared to breaches disclosed by attackers.

Organizations that implement fundamental security controls reduce both their exposure to threats and the costs when breaches do occur. Those that do not face measurable financial and operational consequences, as demonstrated by both the attack incidents and the IBM cost research documented here.