Notes from Intentional Disintegration of Cybercriminal Networks

Approaches in Network Strategic Security Modeling

fitness can be understood as a service (or services) of some kind that a

node provides, which is appreciated by the other nodes over comparable services that other nodes


Arquilla and Ronfeldt (2001) give an

interesting description of what robustness of distributed and scale free network means from a security


“The network as a whole (but not necessarily each node) has little to no hierarchy; there may be

multiple leaders. Decisionmaking and operations are decentralized, allowing for local initiative and

autonomy. Thus the design may sometimes appear acephalous (headless), and at other times

polycephalous (Hydra-headed).” (Arquilla & Ronfeldt, 2001:9)

this research considers networks foremost as technological 

networks where social actors are involved as the organizers ‘behind’ the technology


Cares conceives security organizations as networked organizations. Hierarchical organizations that take decisions and distribute commands in a top down fashion represent methods of intervention that, according to Cares, represent an outdated ‘centralized industrial age approach’. Contemporary security organizations adjust to the network topology of security threats and become networked organizations themselves. Security organizations become hubs in a security network that are able to detect, observe, take decisions and organize interventions against threats themselves.

Security organizations that adjust to distributed network principles gain flexibility and effectiveness in a

way that Cares associates with a wolf pack, a set of relatively autonomous units that is able to attack a

target from all sites where it shows beneficial.

It would be interesting to find out what more attempts security organizations have undertaken to lure suspected criminals into territory where the security organizations can exert juridical power and what techniques have been used for the trickery. An interesting question would also be how effective and structural techniques like this can be

, a distinction was made between manual

(hacking) and automated interventions (worms).

nodes (hosts) and edges (infrastructure)

The fitness of a node was earlier in this paper defined as the ability of a node

to provide a service of some kind that is appreciated by other nodes. This definition should be

extended with the condition that a node must be able to protect its services to a level that security

issues don’t cause the other nodes to withdraw from the use of the services.

One of the

successful branches of cybercrime that the Center has to counter, according to Het Parool, is that of

criminal gangs that produce and deliver infected computers to the hardware market. The computers

are supposed to become part of a botnet as soon as they come on line.

Het Parool mentions botnets, but it is not hard to envision other cybercrime and cybersecurity

applications for in advance prepared computers

The idea that computer devices are systematically prepared for serving criminal networks in the

assemblage process – instead of on line software contamination – is new to this research.

The case of Shadowcrew illustrates how security organizations infiltrated a hub where cybercriminal

networks were active in selling and purchasing black market products and services, but the security

activities were directed at information gathering on operators so that they could be legally prosecuted

A problem in designing strategic models for fighting cybercriminal networks with rhizome like properties is – and this is actually a very fundamental problem – that the full topology of the network is not known, because it has not appeared at the surface of the internet yet. So how then can security organizations determine 15% of crucial hubs or the order of clusters that have to be deleted to disintegrate a network? The rhizome perspective on cybercrime poses a bit of a dark, at least pessimistic view on the possibilities of security organizations to be – especially in the long term – effective in taking down cybercriminal networks. The volatile distilled, hydratic rule if one node is down, another will arise seems to predict an endless loop of cybersecurity actions that only generate new cybercriminal initiatives.

4.6 Fear as a side effect of interventions

Another remark has to do with this research’s impression that fear for prosecution and security

intervention stimulated the disconnection of other hubs in the network after the closing of The hubs themselves (FileSonic, RapidShare) did not malfunction; the operators refrained

from serving the public. And this is not the sort of effect the Barabási model predicts. The model states

that a network will disintegrate because its internal robustness is broken and exchange cannot take

place any longer due to failing connectivity, not because the spirit of the remaining operators is flawed.

Fear for prosecution or interventions otherwise does seem to be a real side effect of security

interventions, independent of the time span it takes in effect.

-editor’s note fraud triangle corner ^^

4.7 The relative ease of disintegrating a star network

Esthost Botnet can be considered a success in the light of the security organizations' efforts, but the disintegration does not really make a case for involvement of the strategic models. Yes, the security organizations fully disintegrated a cybercriminal network by taking out the major hubs. And no, the network was a relatively simple star network that lacks the robust complexity that the strategic models are designed for.
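The contrast in 4.7 between a star network and a robust one, and the earlier problem of picking the 15% of crucial hubs from a topology that is only partly known, can be measured on synthetic graphs. This is an added example, not code from the thesis or from these notes: the function names, the preferential-attachment generator and the parameters (400 nodes, 30% of edges visible to the analyst) are assumptions constructed for illustration.

```python
import random

def ba_graph(n, m, rng):
    """Scale-free graph grown by preferential attachment (constructed sample)."""
    adj = {v: set() for v in range(n)}
    targets, pool = list(range(m)), []   # pool lists a node once per edge end
    for new in range(m, n):
        adj[new].update(targets)
        for t in targets:
            adj[t].add(new)
        pool += targets + [new] * m
        chosen = set()
        while len(chosen) < m:           # m distinct nodes, picked by degree
            chosen.add(rng.choice(pool))
        targets = sorted(chosen)
    return adj

def star_graph(n):  # one hub (node 0) linked to n - 1 leaves
    return {0: set(range(1, n)), **{v: {0} for v in range(1, n)}}

def giant_fraction(adj, removed):
    """Largest surviving connected component as a fraction of all original nodes."""
    seen, best = set(removed), 0
    for start in adj:
        if start not in seen:
            seen.add(start)
            stack, size = [start], 0
            while stack:
                size += 1
                fresh = adj[stack.pop()] - seen
                seen |= fresh
                stack.extend(fresh)
            best = max(best, size)
    return best / len(adj)

def top_hubs(adj, share):  # the `share` of nodes with the highest degree in this view
    k = round(len(adj) * share)
    return set(sorted(adj, key=lambda v: (-len(adj[v]), v))[:k])

def observed_view(adj, keep, rng):
    """Partial topology: each edge is known to the analyst with probability `keep`."""
    view = {v: set() for v in adj}
    for v in adj:
        for nb in sorted(adj[v]):
            if v < nb and rng.random() < keep:
                view[v].add(nb)
                view[nb].add(v)
    return view

def compare(n=400, m=2, share=0.15, keep=0.3, seed=7):
    """Connectivity left after each kind of node loss (all inputs are synthetic)."""
    rng = random.Random(seed)
    net = ba_graph(n, m, rng)
    random_loss = set(rng.sample(range(n), round(n * share)))
    partial = observed_view(net, keep, rng)
    return {
        "star_hub_removed": giant_fraction(star_graph(n), {0}),
        "random_loss": giant_fraction(net, random_loss),
        "hubs_full_view": giant_fraction(net, top_hubs(net, share)),
        "hubs_partial_view": giant_fraction(net, top_hubs(partial, share)),
    }
```

`compare()` returns the four fractions; comparing `hubs_full_view` with `hubs_partial_view` shows how much the hub ranking depends on how much of the topology is visible.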

4.8 Luring into the unknown


greatest effect of this operation on the hacker scene is probably that hackers think twice before they

accept an invitation for a job interview in the US.

4.9 Targeting Communication

How interventions in communication networks can be organized and what techniques can be used –

and are in use – other than exposing personal information on the internet, seems a terrain to explore.

Kott (2007) for example mentions that the cascading failure that was discussed in the previous chapter as an overloading technique for a router network can also be applied in organizational decision making.

“When one decision-maker is overloaded, the effects spill over to other decision-makers in the

organization (particularly through an increased number of erroneous decisions made by the

overloaded element) and cause the deterioration of their performance as well.” (Kott, 2007:125)

If and how network calculations can be applied in communication interventions, and if and how the 5-15% rule or the Girvan Newman apply to communicative interventions can be considered too

The reflection on the cases did not find any convincing ‘proof’ of the use and presence of strategic models. The next chapter will try to find an explanation for it. What the reflection did find though are some interesting questions on network interventions and cybersecurity, that will be summarized here.

• Can the distribution of protection techniques (firewalls, antiviruses) be understood from a network structural perspective in which the size of a hub corresponds with its protection level? If so, how does the size of a node translate into its security level? If not, from what kind of (business) logic does the security level of organizations spring?
• How do commercial sales and distribution processes of computer equipment contribute to the formation of cybercriminal networks?
• How are professional hacker-squads organized? Is the phenomenon of hacker squadrons that are employed in government service on the rise?
• How can network analysis be deployed in Stuxnet like cyberweapons?
• How does a discipline for Psychological Warfare look as sub discipline of cybersecurity?
• How do rhizome features of cybercriminal networks contribute to its persistency?

5 Resilient, resistant Networks

network analysis is indeed not used directly in interventions in a way

the strategic models suggest, that is, by calculating and recalculating an order of nodes or bridges that

should be targeted in order to disintegrate the network.

The use of network analysis seems to be restricted to research of cybercriminal networks in a variety

of ways. Thread identification, exchange pattern analysis and monitoring of cybercriminal product and

service development are suggested.

The respondents seem to consider the benefits of network analysis as a complementary tool to other research tools and techniques. One of the respondents sees a complementary use for network analysis and computer forensics. Other respondents consider network analysis more like a kind of meta-tool that provides a general overview of hostile networks. One professional brings out: “It gives an essential overview of the working area in order to conduct proper investigation.” Or as another puts it more practically: “You can’t detect and fight the threat if you do not possess a proper picture of the network and its components.”

5.1 Ways of resistance

5.1.1 Endurance

Endurance of an attack seems to be the most basic form of resistance and resilience against a

security intervention. When devices, connections and operators are not paralyzed or destroyed, they

can simply draw back activities, hide, sit still, and wait until the attacks are over.

5.1.2 Recovery

After enduring an attack networks can start recovering the damage that has been done to a network

post-attack recovery regimes to recover as smooth as possible from


as follows

• Study the network to learn its vulnerabilities and better understand cascading failures
• Undertake efforts to monitor and detect network breakdowns in real time
• Build up stock replacement parts for critical facilities to reduce offline time in case of attack
• Develop and test contingency plans for cases of network breakdowns
• Improve the network architecture to produce subnets and clusters
• Encourage the research and production of backup systems

5.1.3 Disconnect

5.1.4 Putting up defenses

As discussed firewalls and virus scanners form the most basic defense against intrusions and attacks in a network on a technical level. Another type of defense system is made up by the so-called Intrusion Detection Systems (IDS)

Human operators that are physically attacked by security organizations (interventions by arrestment

teams for example, or black ops) can involve physical defenses against security teams. The amount of

physical violence that participants are willing to use is at stake

5.1.5 Counterattack

Networks may protect themselves against security interventions by counterattacking the organizations that are targeting them. Counterattack can be directed at the edges, the machines or the human operators and the communications of the intervention teams. In short, hostile networks that are under attack can use all intervention techniques that are discussed so far to counterattack – and probably more.

5.2 Resources of Resilience

When resources lack, resilience will drop and the network is likely to be more sensitive for security

attacks and disintegration

Or to put it differently,

networks depend for the resources on the connections they maintain with other networks.

The following works out this idea by considering two types of network relations that enable resources

5.2.1 Rhizome topology as resource feature

Anonymous network by simply intending or declaring themselves as nodes

to the hacktivist network. Anyone can become a participant in the hacktivist collective anytime,

anywhere. The only condition for nodes to gain a practical sense of connectivity to the collective

seems the ability to connect to other nodes and hubs that represent and contribute to the

communication of the network collective. Any world citizen with a computer device, an internet

connection and a basic understanding of the operations of discussion fora, IRC chat, network

browsing, and software installation can meet this condition.

5.2.2 Operation Payback

That this ease of connection provides a hidden pool of resources within the network for counterattack is illustrated by the historical operations of internet collective Anonymous against PayPal, Visa and Mastercard in December 2010

5.2.3 Connections between networks

Besides the hidden parts of a network that provide resources for a network’s resilience, a network is

strengthened by the connections it maintains with other networks. A network does not stand alone; its

viability and self-defense depends on the connections it is able to successfully build and maintain with

other networks

The case of WikiLeaks can be taken a bit further to illustrate the weight and the diversity of the interconnectedness of a network with other networks. Not so much that this research considers WikiLeaks a criminal organization without reservations, but because WikiLeaks is an organization that keeps a lot of security organizations busy.

5.2.4 The Networks of WikiLeaks

Several interconnected networks can be detected in and around the organization of WikiLeaks. The

networks do not stop for physical and organizational borders; they enclose nodes from countries and

organizations worldwide.

“We need people of all colours, creeds and stripes. We need people from all over the world. We need

people with local knowledge for every locality. We need speakers of all tongues, jacks of all trades,

friends and supporters, writers and readers, creators and critics, artists and coders, builders and

teachers, architects and preachers, financiers and promoters, lawyers and advocates, journalists and

editors, thinkers and activists, coordinators and leaders, the proud and the humble, dreamers and

pragmatists, online and offline. We need citizens who are prepared to act as citizens of the world.”

(Wikileaks, Portal:Volunteers, 2012)

The Call to Arms makes clear that the volunteer network embraces volunteers of all kinds of functions

and expertise, or at least, that they are welcome

Next to its publication and volunteer network the financial network that was already mentioned makes

up for resources of WikiLeaks.

The donation network of WikiLeaks seems to span a worldwide network

A network that can finally be detected as constituent to WikiLeaks is the technical network that makes

up for its website and digital communications

5.2.5 A model for interconnected networks

, to invoke the

formulation at the beginning of this paragraph: to convey an impression how networks provide

resources for each other and how they contribute to each other’s resilience.

The case of WikiLeaks illustrates how networks that are structured around different types of exchange

(publications, money, webhosting, et al) interact with each other and over that interaction constitute

the full scope of the network

5.3 Concluding remarks: towards a multilayered re-conception of networks

The theoretical perception of a network’s resilience as a function of the interconnectedness of different

networks has consequences for both network theory and research. On a theoretical level the most

important consequence seems to be that a network can only be understood as a well-defined and

bordered entity up to a certain level.

The proposition of this thesis is to consider all involved networks as ‘the’ network and to perceive the different socio-technological subnets as different layers that make up for that network. A multi-layered approach in which networks are represented as a kind of ecological entity in which different networks grow on top of each other and ‘feed’ each other seems to provide a theoretical framework that can be elaborated to systemize this network conception

One of the consequences of this multilayered re-conception of a network is that for effectively fighting

cybercrime an understanding of networks is needed that extends beyond the digital realm of the


Who are the people that contribute to the network? In what


Two ways have actually come forward in which metric calculations are undermined

First, in the case of a rhizome network only parts of a specific layer are known and

involved in the calculation.

Second, if nodes retrieve resilience from exchange from different layers in the network, the nodes gain

qualities that are not well represented in the initial topology and the metrics that are used to express it.

*Hostile nodes can gain strength or be replaced during an intervention; and these dynamic features are

not adequately taken in by the strategic models.

1. Security organizations use strategic models to disintegrate a cybercriminal network;

2. A network’s resilience interacts with and resists disintegration attempts;

3. Interconnected resource networks provide resilience to a network;

4. The actual delivery and enablement of resilience depends on the condition of the links that provide resilience;

5. To increase the success of attempts to network disintegration, interventions can aim to affect the conditions of resource exchange.


Post moved from Tumblr


UMB Tech Anomaly


For about a month, I have noticed that when I try to comment on certain articles across the web, I have not been able to because DISQUS will not load:

“Disqus seems to be taking longer than usual. Reload?”

I reload, but it never loads. So today, I made an extra effort and signed in at DISQUS dashboard.

I notice that my last post was:

“The US Intelligence Agencies are destroying America’s reputation. 😦 ”

I thought that was interesting & wanted to share that with other folks. I created the post, then decided to do a brief research.

I thought for a while not being able to post to DISQUS was a cookie related block. However, there was a cookie related block that would interrupt when I attended That issue has since been cleared up. Which also would have cleared up the DISQUS issues, if it was cookie related.

So today when I tried to comment on I decided to do some research & fix the glitch.

What I found was very interesting.

When logging into the comments section a login screen appears. It is not DISQUS, it is UBMTech. Note the close connection of names to UMB, a financial services company and bank. It is common that a fraudster will create a shell company to hide activities in and simply switch around his or her initials. I have not followed the paper trail. However, I would consider this a red-flag enough to follow the paper trail of both companies and persons of interest in connection.

While researching UBMtech, I came across this press statement from UBMTech CEO:

While reducing legacy costs, UBM Tech will invest in its new strategy, particularly in analytic tools and dashboards that provide real-time intelligence on audiences’ activities and preferences, Miller said. “We are making these changes from a position of strength because we think this is the right direction for the future,” he said.

It is only mildly noteworthy that he used the word intelligence, instead of a more common and marketing friendly word, but it is notable.

If real-time intelligence with the focus “from a position of strength” includes disrupting access to the global discussion by way of comments on (obscure) articles from selected folk in a real-time position of strength, then UBMTech is doing a rummy of a job.

Disclaimer: Though I could be wrong. 🙂

Data used: