fbpx Skip to content

The Cybercriminal Hierarchy

5 minute read

We recently had the chance to sit down with Vincent D’Agostino, Head of Cyber Forensics and Incident Response at BlueVoyant, on The Cyber Crime Lab Podcast. BlueVoyant provides security services like third-party risk and digital rights protection, among many others.

Before Vincent brought his talents to BlueVoyant, he spent a number of years with the FBI, seven of these on the team dedicated to dealing with traditional organized crime. While the connection isn’t obvious between that world and the world of cybercrime, someone with Vincent’s experience has context most of us lack—and this was just one of the things we spoke about during our conversation.

Traditional Organized Crime

Whatever country a traditional organized crime syndicate is in, they are involved in for-profit illegal activity. Vincent notes that many of these activities are in sectors the government does not regulate—and those organizations also deal in corruption to make sure that status quo stays in place. These organizations may also practice:

  • Physical violence

  • Extortion

  • Blackmail

  • Early adoption (using the latest technology to their benefit)

  • A particular code of rules, both implicit and explicit

Cybercrime Syndicate Similarities

While you can’t commit physical violence on the Internet, cybercriminals can and do commit economic and financial violence against businesses and organizations.

They use ransomware, powered by the latest technologies, as a tool of extortion along with threats of data breaches as blackmail to add pressure to ransomware.

Cybercriminals also operate by a specific set of rules, which includes how they get paid (usually in a difficult-to-trace blockchain-based currency) and how long they give victims to pay.

Cybercrime Syndicates as Tech Startups

The twist many might not expect is that, in addition to emulating the structures of traditional criminal organizations, they also follow some of the best practices of rapidly growing tech startups.

Tech startups need to:

  • Fundraise — cybercrime syndicates do this through their criminal activities which can include speculating in and meddling in traditional and crypto currency markets.

  • Hire well — cybercrime organizations have “job postings” out on the dark web which follow a traditional process of reviewing CVs and interviewing candidates.

  • Know their customer — cybercriminals research specific niches and sectors in order to find out which organizations are most vulnerable and what they can pay in the case of a ransomware event.

  • Have a strong brand — employer branding can help with hiring in the legitimate business world; it also helps in the criminal one. A strong brand also puts victims on notice that they are dealing with serious threat actors, not just one hacker in a basement somewhere.

  • Deal with shifts in world events — because Ukraine and Russia have been bases for some of these organizations, the recent war and resulting sanctions have made it more challenging for cybercriminal syndicates to operate.

  • Schedule product launches — cybercriminals tend to pick vulnerable days (Fridays) or holidays (Christmas) to trap victims in particularly stressful and vulnerable situations.

  • Use social media well — cybercriminals can use bots on social media networks, which push out deep fake content to create pressure around their goals.

  • Use the latest technology — cybercriminals often use military-grade tools and packages to overwhelm their victims, triggering a surrender reflex that’s the mirror of the “buy” reflex when a traditional consumer sees dazzling technology.


During the podcast, Vincent frequently referred to Conti.

For those unfamiliar with it, Conti is ransomware focused on Microsoft Windows that has been observed since roughly 2020 and is believed to be distributed by a Russian-based group. The US government offered a $10M reward for information on the group in May 2022.

They use a website to leak documents copied by the ransomware. The technology and its implementation were shrouded in mystery until recently.

In a twist of poetic justice, the Conti Group (as it’s known) was subject to its own leak of 60,000 messages recently. This was done by an anonymous subcontractor of the group who was opposed to Conti’s unconditional support of Russia and its threat to launch cyberattacks against anyone who launched cyberattacks against the country.

The leak shared source code as well as the source of possible leaks to the Conti Group within the Russian government. Governments that are already sanctioned in some ways turn a blind eye towards threat actors in their territory, usually content to simply take a sort of “tax” on their activities.

Vincent thinks that this event will lead Conti to do something else that tech startups sometimes do: rebrand. Once an organization has been uncovered in any way, its power is weakened.

A Big Difference

While Vincent noted many similarities between traditional crime and cybercrime, there is one big difference: scale. Because of the Internet, and because of the medium of software, cybercriminals can commit hundreds or thousands of times the number of crimes that traditional criminals, constrained by such ‘old-fashioned’ restraints as time and space, can.

With that scale in mind, Vincent warns listeners that just as there are many businesses that serve a particular niche, cybercrime is its own growth industry—the “profit” involved attracts even those who would not consider themselves “criminals.” He adds that, over time, there will be organizations covering every niche, including small accounting firms in the middle of the USA, for example. It’s important for businesses to move to protect their assets now instead of waiting for these cybercriminals to build up their infrastructure.

If the worst happens, you’re going to want the best financial, legal, and technical support to get you back up and running again. With cyber insurance from DataStream, we find the most comprehensive insurance coverage on the market alongside critical post-incident customer support. 

Click here to learn more about how we can help secure your business data!


Small-to-medium businesses that do not offer IT consulting services to assist in managing the technology and security of other businesses.


IT Consultant businesses (MSP, MSSP, etc.) that manage the technology and security of other businesses.