Internet Organised Crime Threat Assessment (IOCTA) 2024

Celia Catalán


In 2023, ransomware attacks and online fraud remained the main cybersecurity threats in the EU. This picture included both lone actors and criminal networks, operating both inside and outside the EU. Although regulatory frameworks are being strengthened, the human factor remains the weakest link. Multi-level scam models and emerging technologies like AI are improving social engineering and facilitating fraud. The use of deepfakes is also on the rise, especially in AI-generated fraud.



Next, the most common types of threats in 2023 will be analyzed:

Cryptocurrencies and the dark web

In 2023, the criminal use of cryptocurrencies became more evident, with an increase in requests for investigative support received by Europol. Financial crimes, mainly investment fraud and money laundering, are the areas where cryptocurrencies are most often found. Some stablecoins allow law enforcement to freeze suspicious funds, making investigations easier.

Ransomware operators typically demand Bitcoin as ransom, although they sometimes demand other cryptocurrencies such as Monero. Criminal use of altcoins is on the rise, with cases involving Bitcoin and altcoins almost evenly matched. New EU rules on fund transfers have expanded reporting obligations to crypto asset service providers (CASPs), which is expected to improve the amount of information available for investigations in the EU.

On the other hand, dark web forums are the main channels for advertising dark (illicit) markets, in which the currency is cryptocoins. Administrators limit the size and lifespan of their marketplaces to avoid digital surveillance, while maintaining a good reputation to attract customers. On the dark web, cryptocurrencies continue to be attractive because this type of asset is difficult to track.

Cyberattacks

Ransomware groups operating under the Ransomware-as-a-Service (RaaS) model have attempted to capitalize on the decline of their competitors to attract affiliates. Following the discontinuation of Hive services, BlackCat/ALPHV promoted its security and no-log policy to attract former Hive affiliates. However, the closure of BlackCat/ALPHV sites in December 2023 damaged their reputation, and in March 2024, they apparently ceased operations and defrauded their affiliates. Law enforcement actions against ransomware operators affect their reputation and operation, exposing affiliates and causing loss of resources. This susceptibility has led some affiliates to develop their own malware using AI tools. LockBit, one of the most famous RaaS providers, was dismantled in February 2024 through a coordinated action by LEAs, severely damaging its capacity. LockBit had released new variants such as LockBit Black and LockBit Green, and was developing encryptors for macOS. A new RaaS group, Akira, associated with the dismantled Conti group, has emerged as a growing threat.

Ransomware groups have focused their attacks primarily on small and medium-sized businesses (SMBs), as large companies have improved their cybersecurity. Attackers choose their targets based on size, likelihood of payment, and the effort required to compromise systems, using stolen credentials or exploiting vulnerabilities in publicly accessible technologies. Ransomware operators employ initial access brokers (IABs) specialized in certain technologies to identify viable attack surfaces, influencing target selection. Operators continue to use multi-layered extortion tactics, where the threat of publishing or auctioning stolen data has become more effective, as many organizations now regularly perform backups.

In 2023, the malware-as-a-service (MaaS) landscape underwent several changes. Following the collapse of the Qakbot malware infrastructure, attackers quickly turned to other established or emerging dropper/loader providers, such as IcedID, SystemBC, Pikabot, DanaBot, and Smokeloader. Cobalt Strike was first used as a backdoor and command and control center (C2). AI-powered frameworks such as PentestGPT are also being used maliciously to facilitate the initial compromise of information systems.

Online and payment fraud schemes

In 2023, the threat of account takeovers (ATOs) grew significantly, standing out as a key form of Crime-as-a-Service (CaaS). Criminals continue to access online accounts, such as banking, email and social network accounts, to take funds and obtain sensitive information that they then monetize. As banks are treating losses from 2FA/MFA credential scams as negligence of the legitimate holder, frauds targeting individual accounts remain a low-risk, high-profit activity for criminals.

Attackers use remote administration tools (RATs) and applications available in legitimate stores to commit these frauds. Business Email Compromise (BEC) attacks, particularly fraud targeting CEOs, remain common, with phishing emails becoming more convincing thanks to generative language models (LLMs). Targeted scams also remain a significant threat, with AI tools allowing scammers to contact more victims and refine their social engineering techniques.

What to expect in the future?

The widespread adoption of AI tools and services by attackers is generating new threats, including both the abuse of legitimate tools and services and the creation of ad hoc malicious versions. The proliferation of emerging unfiltered language models will multiply AI-generated fraudulent ads, attracting potential victims. Criminals will be able to use AI to improve criminal methods and overcome language barriers, facilitating manipulation in multiple languages.

By prioritizing crime prevention, law enforcement and policymakers can address cybercrime at its roots, creating long-term, sustainable solutions to protect these environments. By focusing on the causes that lead people to engage in these types of activities, such as lack of awareness, financial incentives or socioeconomic factors, authorities can effectively reduce online crime rates. Investing in prevention not only mitigates immediate risks, but also fosters a culture of cybersecurity, creating a safer digital environment.

Jorge Ezequiel de Francisco, Cybersecurity Analyst at Zerolynx.