Criminals commit crimes because, well, because by doing so, they can make a profit. And, shockingly, according to a recently released nine-month study from a criminology researcher in the UK and Bromium (a security product company) called Into The Web of Profit, threat actors are making and even reinvesting about $1.5 trillion worth of profits. If nothing else convinces you that cybercrime is a business, that information should.

The study by Dr. Mike McGuire at the University of Surrey and Bromium looked specifically at revenue flow and distribution of profits from it with respect to money laundering, data trading, and ransomware, along with other cybercrime activities. Interestingly, they found that the criminal organizations are using a combination of both illegal and legitimate activities (such as placing online ads) to rake in the dough.

Just How Much is $1.5 Trillion?

That’s a lotta loot, in anyone’s book. But for comparison’s sake, that is equivalent to the 13thlargest economy in the world in terms of gross domestic product (GDP). According to the CIA’s World Factbook, the United States is number 1 ($19.36 trillion) and Canada is number 10 on that list at $1.76 trillion, but 13 is very respectable. That’s about the same as South Korea, which is no slouch when it comes to its economy, and more than Australia, Spain, and Mexico.

How Much Do Each of the Crime Categories Make?

We are glad you asked! From illicit online markets, that would be about $860 billion. If they steal intellectual property or trade secrets, it’ll bring in $500 billion. Data trading? $160 billion. Ransomware and all kinds of cybercrime-as-a-service were at a much lower income bringing in a respective $1 billion and $1.6 billion. While it seems like small potatoes in comparison, the report also found that zero-day iOS exploits alone bring in about $250,000. And since cybercriminals tend to share work or use templates to bring in more bang for the buck, malware kits make the cybercriminals about $200-600 per exploit. Considering one person can do many attacks in one sitting, that’s not a bad payday.

It’s Just Business

Cybercriminal organizations are indeed working as businesses these days. Some of them even have customer service numbers and email addresses. According to the report’s author, Dr. McGuire, “this is creating a kind of ‘monstrous double’ of the legitimate information economy – where data is king.” Companies like Google, Facebook, and other social media platforms where reviews and ratings are offered make it easier for criminals to commit the crimes and not bother getting a “real” job. An individual hacker can make more than a newly graduated college student and “managers” in the world of cybercrime can even make millions per job.

What Can You Do?

Unfortunately, once your information is somewhere out of your control, it’s just that…out of your control. But, you can take preventative measures:

  • Check payment card charges often. It’s pretty easy to log in to your accounts these days. Make a quick check more often than monthly to address potential fraud much quicker. This reduces your cost and the costs for your financial organization.
  • Monitor your credit reports. All people with credit in the U.S. can get a free copy of their credit reports each year at The three credit bureaus will provide one each and unless you have a particular issue, stagger when you request them. Ask for one every four months to keep better tabs on potential fraud.
  • If you can freeze your credit, do so. As a result of the Equifax breach last year, about half the population of the U.S. was a victim of a breach that included social security numbers. Even if you weren’t in that list, consider freezing your credit. This will prevent anyone (including you) from accessing your credit reports. If you don’t need to get credit, find new housing, or are not looking for a new job, this may be an option for you. Remember that even if you do freeze it, you can unfreeze and refreeze as necessary. Just check the lead times and charges to do this for each of the bureaus.
  • Monitor your healthcare records too. The information from these is even more valuable than payment card details. It can be used to commit financial crimes as well as healthcare fraud. If you see something suspicious on your benefit statement, contact your provider immediately to get it resolved.
  • Remember to choose the “credit” option when using payment cards if you have an option. This provides more protection should there be a breach. If a hacker gets your card number and PIN, they can potentially recreate your card and drain your bank account.

And of course, always be on alert for phishing attacks. Email is still the primary way criminals get the information they seek. Even if your organization has security tools in place, it only takes one phishing email to arrive in someone’s inbox to set off a successful attack.