Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global
As the speed of technological uptake and evolution has increased, the opportunities those technologies provide and our reliance on them have increased as well. Our capacity to engage in difficult tasks rapidly, to automate simple but tedious tasks, and to innovate has expanded significantly as the costs of those technologies have plummeted. This development has been a boon for entrepreneurs and individuals, licit and illicit alike, who have been able to harness technology to improve their prospects. Documenting progress among either group is difficult; technological innovation occurs so quickly that it is impossible to completely document its progress in an accessible way. However, Geoff White admirably takes on this burden in the context of cybercrime in his book, CrimeDotCom: From viruses to vote rigging, how hacking went global.
It likely is not possible to provide a comprehensive overview of cybercrime over any era. Technology, and with it, cybercrime, move quickly. In CrimeDotCom, White predominately considers a twenty-year snapshot of malicious cybercriminal activity from 2000 to 2020, and provides a good overview of some of the most notable cybercrimes and cyberattacks that occurred over that span. The period chosen exemplifies how criminal entrepreneurs have exploited a vast array of technologies to extract or generate profits and cause destruction. These technologies range from consumer electronics that average people possess, to the hardware and software that keep power grids operating. Importantly, CrimeDotCom never pretends to be more than what it is (or could be) — correctly telling the reader that these cases are indicative of larger trends. White does feature undoubtedly important themes in his book: the breaching of computer systems, illicit commerce, theft, extortion, the role of data, adversarial attacks, and the use of communication to influence people.
What is particularly admirable about this book is that White nearly always recounts complete stories. Readers may be familiar with several of the cases discussed in the book. However, given the speed at which the news cycle changes, readers may not be familiar with the conclusions of these events, which occur long after the initial news stories break. The complete and centralized accounts of these cybercrimes are of great value to students interested in these issues. Perhaps the availability of a complete story was a guiding principle in White’s selection of stories; certainly, some notable attacks are missing. But by covering complete stories, rather than pointing out unknowns, White offers the reader an understanding of how these cybercrimes likely unfold, even when attributing criminal actions is impossible.
White uses contrast to illustrate the most powerful point of his book: as technology evolves, so does cybercrime. Although several early cyber-enabled crimes did occur prior to and during the dawn of the internet, the author only briefly harks back to the early adopters of the internet to feature stories that are not likely commonly known, such as the role of Grateful Dead lyricist John Perry Barlow in early bulletin boards, and the bulletin boards’ role as a gathering point for individuals in a pre-email era. Some of these early technology users could be deemed the original “hackers,” people who sought kudos over monetary gain in their efforts to identify exploits in computer systems. At first, discovering exploits was often an exercise in seeing just how far one could enter a computer system; eventually, some mischievous gamesmanship occurred as hackers exploited systems of government and non-government organizations. These were, however, a far cry from the professionalized, state-sponsored hackers who operate today.
Bringing the reader back to the twenty-first century, White chronicles several people along the spectrum of hackers and other cybercriminals. He begins with Onel de Guzman, who, as a computer science student in Manila, developed and unleashed the Love Bug (ILOVEYOU) computer worm in May of 2000. Although Guzman designed the worm to steal passwords to log on to the internet, it went on to infect corporate email systems throughout the world. While Guzman was no criminal mastermind (the Love Bug did not make him any money), his work was an indication of how destructive malicious activities in cyberspace could be.
White goes on to discuss various cybercriminals who attacked computer systems’ vulnerabilities for varying ends, including, inter alia, defacing websites, stealing credit card numbers, and stealing personal identifying data. He documents the emergence of cryptomarkets and their role in selling drugs and stolen data. He describes the role of social engineering as a cyber-enabled crime that has devastating and often irreversible impacts on victims. In doing so, the author presents the technologies that undergird some of these actions, providing, for instance, reasonable accounts of the development of TOR and Bitcoin. White also chronicles the behaviors of considerably better resourced actors, who are able to engage in larger attacks against higher-value targets. He presents notable incidents, such as the Bangladesh Bank Heist, the attack on the Ukrainian power grid, and the organized disinformation campaigns that have been deployed to influence election results.
Perhaps the single greatest strength of CrimeDotCom is White’s focus on recounting how cybercrime is ultimately human: people trigger the attacks, and people are the victims of the attacks. White clearly shows that while some attacks do require a degree of technological acumen, others simply leverage technology. Ultimately, the book makes the implicit argument that the internet provides a massive attack surface through which billions of people can be touched, with thousands, if not millions, impacted by a single event, piece of malware, or disinformation campaign. Moreover, understanding what cybercrime is and the threats it poses is inherently human. White, importantly, describes how journalists, government, and the public consume information and make decisions regarding its veracity and importance. He shows how skilled cybercriminals are not only those with technological expertise, but also those with the ability to manipulate the emotions, perceptions, and understandings of an audience. This latter point is not overstated, and perhaps it is the scariest lesson the book provides.
All that said, there are three notable shortcomings in CrimeDotCom. First, while the stories of the actors featured are often complete, their impacts are not always presented. For instance, Guzman’s developing and unleashing of the Love Bug were not considered criminal activities in the Philippines at the time, and he was never charged; his activities, however, did trigger the development of cybercrime legislation. The vulnerabilities of credit card numbers misused in “card-not-present” frauds led to the development of Card Verification Value (CVV) numbers in a largely successful effort to reduce the volume of these crimes and losses. Similarly, after the SWIFT attacks, SWIFT improved its security, and as far as we know, no similar attacks have been successful since (Gundur et al. 2021). All these developments were known at the time the book was published and could have been included in the text with just a few sentences. Their omission leaves the impression that these types of nefarious activities are omnipresent and persistent.
Second, while cybercrime continues to be a problem, it continues to evolve in terms of complexity, the actors responsible, and the resources needed. White, however, does not explicitly discuss the financial and technical requirements needed to conduct the various activities he chronicles in the book. He rightly describes the exploits of early hackers and the single-person efforts to set up early cryptomarkets, and presents the skills and capacity needed to undertake certain activities, but CrimeDotCom never gives the reader an unambiguous, explicit account of the financial and technical resource requirements for each attack and how the cost to engage in impactful criminal activity has changed over time. Some cybercrimes do not cost a lot to commit; these include engaging in phishing attacks, buying and selling illicit wares online, and conducting crowdsourced DDoS attacks using out-of-the-box software solutions. Others only require expertise that an individual or small group of individuals can possess, and maybe only hundreds of dollars or less to establish. However, the most damaging cyberattacks are professional, and involve teams of several highly skilled people and millions of dollars of investment. A clear accounting of these resource demands would have painted a more accurate picture, for the intended generalist audience, regarding the future of cybercrime and cyberattacks.
Finally, White focuses on the bad digital behavior of North Korea and Russia, boogiemen of the West, highlighting their misdeeds forcefully. He only tips his hat to the notion that Western actors engage in digital malevolence (e.g., in his coverage of Stuxnet), which is perhaps defensible since his intended audience may not have accepted such a position or been receptive to those stories.
Despite these criticisms, CrimeDotCom is, at its heart, the story of how cybercrime’s reach, impact, and possibilities have fundamentally changed as internet speeds and penetration rates have increased around the globe. In that, it achieves its goals with clear and accessible prose, making it a book that will be of interest to those who wish to look back at the patterns of cybercriminal activity and understand its evolution over the course of the early twenty-first century.
Gundur, R. V., Michael Levi, Volkan Topalli, Marie Ouellet, Maria Stolyarova, Lennon Yao-Chung Chang, and Diego Domínguez Mejía. 2021. Evaluating Criminal Transactional Methods in Cyberspace as Understood in an International Context.
R. V. Gundur is a criminologist based in Australia. He is the author of Trying to Make It: The Enterprises, Gangs, and People of the American Drug Trade. He can be found online at ravejudgerun.com.