Department of Computer Science and Technology

Cambridge Cybercrime Centre: Seventh Annual Cybercrime Conference, 10 June 2024

The Cambridge Cybercrime Centre's seventh one day conference on cybercrime will be held on Monday, 10th June 2024.



For details of the 2016 event see here.

For details of the 2017 event see here.

For details of the 2018 event see here.

For details of the 2019 event see here.

For details of the 2022 event see here.

For details of the 2023 event see here.


The one day event is being held in the 'Computer Lab' on the West Cambridge site.


09:00 Registration

09:30 KEYNOTE: Global Cyber Resilience using a Public Health Model of eCrime

L. Jean Camp Indiana University Bloomington

Abstract: Computer crime is a complex global phenomenon where different populations interact, and the infection of one person creates risk for another. Given the dynamics and scope of cyber campaigns, studies of local resilience without reference to global populations are inadequate. I propose that a public health model argues that coordinated global science is needed to address organized global ecrime. I then describe a set of minimal requirements for implementing a global epidemiological infrastructure to understand and respond to large-scale computer security outbreaks. I enumerate the relevant dimensions, the applicable measurement tools, and define a systematic approach to evaluate cyber security resilience. From the results of conceptualizing and implementing a cross-national coordinated phishing resilience evaluation, I describe the cultural, logistic, and regulatory challenges to this proposed public health approach to global computer assault resilience. I close with results illustrating that the methods for systematic evaluations of global attacks and the resilience against those attacks exist; and offer supporting results.

10:00 Beyond Borders: Exploring Security, Privacy, Cultural, and Legal Challenges in Metaverse Sexual Harassment

Gabriella Williams Royal Holloway, University of London

Abstract: My research area examines sexual harms in the metaverse & immersive technology, which examines our understanding of crime regarding security and privacy. The metaverse is a 3D virtual environment that is supposed to reflect our real life where we can shop, go to work, or attend virtual concerts. However, due to the immersive and haptic technologies, the way we currently understand crime as the experience of sexual assault in the metaverse can be more intense and traumatizing as they feel like physical experiences.

The inspiration behind my research is to converge a technological & criminological perspective to the ways we understand how criminalistic behaviour is understood in virtual reality; how the different types of security & privacy issues within cyberspace create new forms of criminality and how different types of people experience and consume technology devices. The three themes that my research investigates is the legality of crime -is sexual harassment a crime (the idea of digital assault in virtual reality not having a legal framework to define whether sexual harassment should be considered a crime and thus, should have the legal framework of a physical crime to make sure that the metaverse is a just space), moderating the metaverse -- security and privacy issues (this theme dictates how sexual harassment in the metaverse calls attention to the security and privacy issues of virtual reality). Finally, the last theme looks at cultural attitudes toward sexual harassment in the metaverse.

10:25 When Collective Hate Turns Violent: Collective Action Frames on Violence in Incel Online Communities Before and Throughout COVID-19 lockdowns

Bomin Keum University of Cambridge

Abstract: It remains uncertain whether incel online communities primarily serve as avenues for mutual support and community-building that mitigate radicalisation, or if they function more as platforms for inciting hate and facilitating radicalisation. Existing research also primarily focuses on identifying messaging patterns and less on how these patterns change over time, particularly concerning the communication of violence.

Drawing on Benford and Snows (2000) notion of collective action frames in collective identity-building, this study investigates the evolution of collective framing of violence in Incelsis and Incelsnet from May 2019 to May 2020. This period captures the peak of COVID-19 lockdown and the preceding year, which also corresponds with the start and peak of the overall incline in inceldom posting activity, providing crucial temporal contexts in understanding incel posting characteristics.

Through qualitative thematic content analysis, Cambridge Cybercrime Centre ExtremeBB forum data on Incelsis and Incelsnet will be deductively coded for collective action frames (themes) and associated discussion topics (subthemes) with these frames. Through dynamic social network analysis, this study will explore how collective action frames change and interact across sub themes and themes before and throughout the COVID-19 lockdowns. Findings will inform on the dynamics behind patterns of collective framing of violence for the incel community, including potential connections to COVID-19 conspiracies and grievances.

10:50 Coffee break

11:20 Ransomware Harms and the Victim Experience

Jason Nurse University of Kent

Abstract: Ransomware is a pernicious contemporary cyber threat, with ransomware operators intentionally leveraging a range of harms against their victims in order to solicit increasingly significant ransom payments. While much is known about the prevalence of the threat, there is limited focused research on the depth and breadth of harms experienced by victims. This presentation aims to tackle this gap in knowledge through two studies. First, we report on an interview- and workshop-based study with 83 individuals including organisations that have been the victim of ransomware attacks, incident responders, ransom negotiators, law enforcement and government. Second, we discuss a case study into eight significant and well-publicised ransomware attacks. Our findings provide new insights into the realities of ransomware attacks, and the significant financial costs faced by organisations, which in some cases can threaten their very existence. Interviews with victims and incident responders revealed that ransomware can also lead to physical and psychological harms for individuals and groups, including members of staO, healthcare patients and schoolchildren. The fact is that ransomware can -- and has -- ruin(ed) lives. Incidents discovered in our research have demonstrated that individuals can lose their jobs, often express feelings of shame and self-blame (sometimes extended to private and family life), and that these attacks can contribute to serious personal health issues. At a societal level, we also found that ransomware can lead to a loss of trust in law enforcement, reduced faith in public services, and the potential normalisation of cybercrime.

11:45 Operation Brombenzyl and Operation Cronos

Ethan Thomas Prevent Team, National Cyber Crime Unit , National Crime Agency

Abstract: The NCA's National Cyber Crime Unit are leaders with cyber crime prevention where the unit aims to deter, disrupt and educate to reduce cyber dependant crime offending. A particular problem for law enforcement is the proliferation of Cybercrime-for-Hire services which enable users to conduct attacks with little or no technical knowledge. DDoS-for-Hire services have been available for a significant period of time and have been a focus for international law enforcement usually through site take downs and arrests of admins. Although this traditional approach demonstrates the robust response as expected from law enforcement, the impact of this activity has questionable medium to long term results as evidenced by the continuing presence of these sites. NCCU Prevent sought a different approach by deploying deception and disruption techniques to undermine the confidence in the marketplace through the use of honeypot DDoS-for-Hire sites built and managed by the NCA. This presentation will outline the conception and legal considerations for the use of honeypots; the tactical and strategic impact of the operation and the role academia performed in their input to planning and success analysis. The use of careful communications will also be discussed and delegates will be invited to consider how such tactics could be used in other Cybercrime-for-Hire marketplaces. This presentation will also provide insight into the widely-publicised takedown of the LockBit ransomware by the NCA and international partners.

12:10 Sideloading of Modded Apps: User Choice, Security and Piracy

Luis Adan Saavedra del Toro University of Cambridge

Abstract: We present the results of the first large-scale study into Android and iOS markets that offer modified or modded apps: apps whose features and functionality have been altered by a third-party. We analysed over 300 000 Android apps obtained from 13 of the most popular modded app markets. Around 90% of apps we collect are altered in some way when compared to the official counterparts on Google Play. Modifications include games cheats, such as infinite coins or lives; mainstream apps with premium features provided for free; and apps with modified advertising identifiers or excluded ads. We find the original app developers lose significant potential revenue due to: the provision of paid apps for free (around 5% of the apps across all markets); the free availability of premium features that require payment in the official app; and modified advertising identifiers. While some modded apps have all trackers and ads removed (3%), in general, the installation of these apps is significantly more risky for the user than the official version: modded apps are ten times more likely to be marked as malicious and often request additional permissions.This talk also covers the results of our ongoing analysis of the 7 most popular modded iOS app markets out of almost 100 we found. We have found they have big user communities and big volumes of downloads. However, the possibility of sideloading apps in iOS (well before the new EUDMA legislation) is not yet common knowledge.

12:35 Lunch

13:40 Beneath the Cream: Unveiling Relevant Information Points from CrimeBB with Its Ground Truth Labels

Felipe Moreno-Vera and Daniel S. Menasché Federal University of Rio de Janeiro (UFRJ)

Abstract: In the realm of cybersecurity, identifying and mitigating vulnerabilities' exploitation is crucial. Continuing from prior research on analysing underground hacking forums, this study focuses on refining methodologies for detecting vulnerability exploitation already published in our previous work "Cream Skimming the Underground: Identifying Relevant Information Points from Online Forums". A machine learning approach was employed using the CrimeBB dataset to classify forum posts discussing Common Vulnerabilities and Exposures (CVE) into categories like Proof-of-Concept and Exploitation, achieving high accuracy rates. Building upon this, this new study integrates the PostCog extension into the dataset, allowing for enhanced labelling per post type, intent and crime type. Notably, terms like "fud" and "pm" emerged as significant indicators of exploitation. By addressing inconsistencies in labelling, particularly posts marked as non-criminal despite indicating criminal intent, dataset reliability is improved. Utilising the refined labels, the study advances methods for detecting exploitation, reaffirming previous conclusions while gaining a deeper understanding of hacking community dynamics. The presentation of these findings highlights the synergy between initial methodologies and new data, stressing the importance of continuous data refinement in bolstering cybersecurity threat detection and understanding.

14:05 The Guy In The Chair: Examining How Cybercriminals Use External Resources to Supplement Underground Forum Conversations

Jeremy D. Seideman, Shoufu Luo, and Sven Dietrich City University of New York

Abstract: Underground forums have been shown to be an important resource to the cybercriminal, providing education, support, and tools that can be used to train and enable attacks, exploits, and gain general knowledge. These forums are used to build communities. However, they only represent part of the story.

As we have been able to examine and classify the types of conversations that are being held on underground forums, we can now go a step further and see how the "support network" exists and is used. This involves looking past the original forum posts, and digging into the external resources that are discussed. Code, files, downloads, software -- all of these things are shared as part of the discussions, both to help new users expand their skills and to ensure that tools are widely distributed.

By examining the URLs within the text, we can attempt to separate them into categories, such as "downloads", "source code repositories", or "additional conversation channels". Aligning these categories with the topics that were previously discovered and assigned to conversation threads within the forums in CrimeBB, we can gain some insight into how cybercriminals are continuing to share information beyond simple discussion forums. Armed with this information, we can then advise cybersecurity professionals on where and how to look for these additional resources, in order to formulate and develop new defences and countermeasures.

14:30 Yet Another Diminishing Spark: Low-level Cyberattacks in the Israel-Gaza Conflict

Anh V. Vu University of Cambridge

Abstract: Since the Hamas attack on 7th October 2023, followed by Israel's declaration of war, hacktivists have targeted Israeli and Palestinian digital assets via various cyberattacks such as distributed denial-of-service and website defacement attacks. One DDoS victim appears to have been the Jerusalem Post. We report empirical evidence observed through our near-real-time monitoring system, finding that the Hamas-led attack and the subsequent declaration of war sparked an outbreak of low-level cyberattacks, with patterns resembling those seen in the aftermath of the Russian invasion of Ukraine. However, the scale of the attack and discussion within the hacking community were both notably less than those during the Russia-Ukraine conflict, and attacks have been mostly one-sided: while many pro-Palestinian supporters have targeted Israel, attacks on Palestine have been much less significant. The surges of attacks waned quickly, with a clear decline after a few weeks.

14:55 Coffee break

15:25 Relationships Matter: Reconstructing the Organisational Structure of a Ransomware Group

Dalyapraz Manatova Indiana University Bloomington

Abstract: This study investigates the organisational and social dynamics within the Conti ransomware group, a profitable Russian cybercriminal organisation. By analysing extensive chat logs leaked from the group, the study aims to understand the extent to which "organised" cybercrime is truly organised and how the groups structure contributes to its resilience. The research employs qualitative coding of conversations to identify roles, relationships, and operational processes within the group. A social graph is constructed to map the groupembership structure and evolution of such relationships over time. The study also empirically tests whether the group exhibits a hierarchical organisational pattern based on workflow, mentorship, and friendship relationships among members. The study aims to provide insights into the complex interplay of actors and their roles within the group's cybercriminal activities, ultimately informing strategies to target and disrupt similar clandestine organisations.

15:50 Investigating Wrench Attacks: Physical Attacks Targeting Cryptocurrency Users

Marilyne Ordekian University College London

Abstract: Cryptocurrency wrench attacks are attacks where criminals physically target users in the real world to illegally obtain cryptocurrencies by conventional means. Wrench attacks vastly undermine the efficacy of digital security norms when challenged in the real world. Hence, we present the first comprehensive in-depth study on wrench attacks, providing a legal definition and a step by step anatomy of the attacks. We take an interdisciplinary approach and triangulate three data sources using a crime scripting approach. We use natural language processing approaches to detect posts relating to these attacks on 37 forums. Then, we conduct interviews with 10 victims and/or cryptocurrency/security experts. Finally, we analyse 144 incidents reported in the media. Although wrench attacks have existed since Bitcoinly days, they are underreported as victims fear revictimization. Moreover, unlike other cryptocurrency crimes, users with high-level security experience were not immune to these attacks. We identify diverse groups of attackers, various modi operandi, and a significant variation of acts ranging from verbal threats to committing murder. Finally, by identifying potential physical/digital security vulnerabilities amongst users, we present actionable recommendations for the security community and regulators to improve methods for crime prevention and user safety.

16:15 Investigating and Comparing Discussion Topics in Multilingual Underground Forums

Mariella Mischinger IMDEA Networks Institute and Universidad Carlos III de Madrid

Abstract: Underground forums are crucial for sharing knowledge and trading illegal tools and services. Analyzing these forums helps researchers and law enforcement to better understand the criminal landscape. Users in these forums often form communities based on shared interests, professional connections, or cultural backgrounds. For instance, a Russian hacker who is interested in social engineering may engage with peers in a specific subforum, which may differ from an English speaker seeking to buy an exploit.  Studying the characteristics of these groups enables cybersecurity professionals to assess the risks they pose to society by understanding their skills, focus, motivation, and operations. A significant challenge in analyzing these forums arises from language barriers, either because they blend different languages or because they use community-specific slang.

In this paper, we address this challenge through the use of a novel combination of unsupervised methods that group together semantically related conversational themes (i.e., topics) into clusters. Each cluster is then characterized by a list of its most salient words. We apply our methodology to analyze a prolific, invite-only, Russian-English criminal forum that has been operating for over 18 years. By doing so, we uncover pockets of knowledge, i.e., knowledge only shared in one sub-community. This knowledge is accessible only to those speaking a language (e.g., Russian), thereby showing that language barriers (e.g., for users that do not speak Russian) can create sub-communities of users with different knowledge and motivations. We further demonstrate how our method can identify the semantic meaning of dark jargon from its context, and discuss other potential applications of our approach.

16:40 The Cambridge Cybercrime Centre

Alice Hutchings Cambridge Cybercrime Centre

Abstract: A brief update as to what the Centre has been working on, and future directions.

16:55 Social event


...back to main page