Department of Computer Science and Technology

Cambridge Cybercrime Centre: Ninth Annual Cybercrime Conference, 22 June 2026

The Cambridge Cybercrime Centre's ninth one day conference on cybercrime will be held on Monday, 22nd June 2026.

REGISTRATION LINK: https://onlinesales.admin.cam.ac.uk

PAST CONFERENCES

For details of the 2016 event see here.

For details of the 2017 event see here.

For details of the 2018 event see here.

For details of the 2019 event see here.

For details of the 2022 event see here.

For details of the 2023 event see here.

For details of the 2024 event see here.

For details of the 2025 event see here.

LOCATION

The one day event is being held in LT1 in the University of Cambridge Department of Computer Science and Technology on the University's West Cambridge site.

AGENDA

09:00 Registration

09:30 Opening Remarks

09:40 Session 1: Offender Behaviour

Mapping Cybercrime as a Service marketplace communication: even villains need tech support sometimes

Ema Mauko, Enrico Mariconti and Shane Johnson University College London

Abstract: Cybercrime as a Service (CaaS) represents a significant and evolving threat that mirrors legitimate 'as a Service' business models, providing sophisticated, user-friendly toolkits that lower the barrier to entry for malicious actors. To expand accessibility and reach more customers, CaaS operations have increasingly migrated from traditional dark web marketplaces to decentralised communication platforms. This work aims to further investigate the CaaS lifecycle and the engagement between service providers and their clientele. We map the acquisition process through a crime script analysis of 500 posts across Discord, Telegram, and dark web forums. Our analysis identifies key stages in the CaaS supply chain, identifying various types of communication, including service advertisements, performance updates, peer reviews, recruitment drives, and 'formal' Terms of Service. The findings highlight a reliance on specific digital enablers, such as direct messaging, external websites, and mainstream payment processors, including CashApp and PayPal. Furthermore, we identify distinct communicative strategies employed to maintain engagement while evading detection, such as coded emojis, platform-hopping, and the use of image-based materials to bypass automated text analysis. By identifying these technical and social enablers throughout the CaaS process 'in the wild', this work concludes by proposing targeted crime prevention strategies to disrupt the CaaS ecosystem.

How to behave in underground hacker forums: A sentiment analysis using machine learning

Tuva Heggen Thiis Holte Consulting, Emily Kate Marie Blakseth Bekk Consulting and Per Håkon Meland SINTEF Digital and Norwegian University of Science and Technology

Abstract: Underground forums serve as online communities where novice and experienced cybercriminals interact, trade illicit services and may be drawn into organised cybercrime. As global cyberattacks rise, understanding behaviour within these spaces is crucial for prevention. This study investigates how reputation is built in such forums, focusing on the traits of reputable users and the feedback they receive. After a literature review, exploratory work examined Hackforums' reputation system, followed by machine learning experiments using the CrimeBB dataset from the Cambridge Cybercrime Centre. The dataset includes over 33 million posts across ten years, of which roughly 45,000 were manually labelled for three tasks: classifying post types in cybercrime-related boards, analysing sentiment in user feedback, and comparing feedback patterns of high‑reputation users to others. Findings show that, despite their illicit context, high reputation is earned through respectful communication, knowledge sharing and helping others. Future high‑reputation users display these behaviours early, making them identifiable before their status rises. The study offers insights into the social dynamics of underground forums, enabling early identification of emerging influential actors in cybercrime. Interviews with the Norwegian Police support the findings and their relevance for preventive measures.

A situated learning approach to learning trajectories of criminal hackers in online hacker communities

Janina Eggers, Marleen Weulen Kranenbarg, Edward Kleemans and Rutger Leukfeldt Dutch Institute for the Study of Crime and Law Enforcement

Abstract: In this paper, we use a novel framework to identify learning trajectories through which tech-curious youth progress from playful experimentation with technical skills to the use of these competencies in criminal hacking, and, in some cases, other cyber-dependent offenses. Despite growing empirical attention to pathways into criminal hacking, research offering theoretically integrated and empirically grounded accounts of the potential trajectories through which such progression unfolds remains limited. To examine these trajectories empirically, we draw on 21 qualitative interviews with self-identified criminal hackers residing in the Netherlands. We provide a new perspective by applying situated learning theory (Lave, 1991; Lave & Wenger, 1991; Wenger, 1998) as an analytical framework to conceptualize online hacker communities as socially situated sites of learning and analyze the informal social learning dynamics that shape pathways into criminal hacking. The presentation will present and discuss the study’s empirically grounded findings. Preliminary results show that situated learning theory sheds new light on specific aspects of learning trajectories into criminal hacking. We will discuss the implications for theory, future empirical research, and for efforts to interrupt pathways into criminalization.

A School for Scoundrels? How newbies learn in the cybercrime ecosystem

Yasir Ech-Chammakhy and Anas Motii University Mohammed VI Polytechnic (UM6P), Oussama Azrara and Jaafar Chbili Deloitte Conseil

Abstract: Cybercriminals are often viewed as isolated actors, but they actually operate within a highly collaborative global ecosystem. Using the CrimeBB dataset, we analyzed 46 million posts spanning from 2005 to 2025 to understand how technical knowledge is shared. We applied natural language processing to map the operational structure of the underground and found that the ecosystem is organized into specialized departments with communities dedicated to specific trades like gaming, drugs, or hacking. Crucially, we found that the primary mode of interaction is hands-on problem solving. These forums function as reactive helpdesks where users work together to fix technical issues in real time rather than simply reading static tutorials. This system is remarkably efficient: the median time to receive a helpful solution on major platforms is just 31 minutes. Furthermore, this support is highly reliable, as over 80% of all technical questions receive a substantive, peer-contributed answer. These results suggest that a key strength of the underground is this interactive support network. To effectively stop cybercrime, we must move beyond targeting individuals and focus on disrupting the helpdesks that sustain the criminal lifecycle.

11:00 Coffee Break

11:20 Session 2: Online Communities

Crime online: Explaining global trends with theory

Jasmine McCain, John McAlaney, Andrew M'manga and Reece Bush Bournemouth University and the Defence, Science, and Technology Laboratory (Dstl)

Abstract: Psychological factors influence the behaviours and cognitions of cybercriminals, including the decision-making processes that lead them to select targets and attack vectors. Cyber-attacks driven by ideological motivations have risen in frequency, in which individuals engage in targeted attacks and information warfare to push social and political agendas. Ideologically motivated attackers can include hacktivists, patriotic hackers, and nation-state actors. This PhD project is a work in progress that aims to investigate how individuals within the cybercrime ecosystem perceive and become involved with ideological hacking, and it is comprised of two studies. This submission relates to the first study, which aims to examine how ideological hacking is discussed and represented on cybercrime-related Internet forums, as represented in the CrimeBB dataset. This is to better understand the narratives, motivations, and community norms surrounding this form of cyber activity. The proposed approach consists of two phases: Reflexive Thematic Analysis (RTA), and Large-Scale Thematic Resonance Mapping using BERT. Initial findings from the RTA will be presented and discussed.

Longitudinal investigation of autism and cybercrime offending in cybercrime forums using a large language model

Kavini Thisara Welarathne Charles Darwin University

Abstract: Autism Spectrum Disorder (ASD) has been increasingly discussed in the context of cybercrime, yet empirical longitudinal evidence on how autistic individuals engage within criminal online communities remains limited. This study utilises a subset of self-disclosed autistic users identified from the CrimeBB dataset to examine how their level of cybercrime involvement evolves over time. We employ a Large Language Model (LLM) to identify autism-related self-disclosures across forum posts, specifically detecting explicit diagnostic statements and disambiguating them from references to others, sarcasm, and general discussion, distinctions that traditional keyword-based methods would fail to capture. To examine longitudinal patterns, the LLM framework analyses changes in posting frequency, forum category movement, and evolving cybercrime-related linguistic markers, including technical sophistication. Preliminary analysis indicates that autism-related terminology is associated with negative connotations within these forums. Results are expected to reveal context-dependent behavioural engagement patterns over time, allowing us to assess the level of cybercrime involvement among self-disclosed autistic users. This study highlights the significance of using an LLM to provide a unique interdisciplinary perspective on autism and cybercrime, offering novel tools to analyse large, noisy forum datasets.

Disposable accounts, persistent ecosystem: A cross-forum study of Initial Access Brokers

Towa Kaido, Shogo Ito, Yin Minn Pa Pa and Katsunari Yoshioka Yokohama National University

Abstract: Initial Access Brokers (IABs) sell unauthorized access to corporate networks, typically through compromised VPN or RDP credentials. Such access frequently serves as the entry point for ransomware and other intrusions, making IABs a critical component of the cybercrime ecosystem. While prior research acknowledges their role, IABs are largely treated as part of the broader ecosystem rather than as an independent market, leaving their large-scale dynamics insufficiently understood. We propose a scalable, privacy-conscious methodology for identifying and analyzing IAB activities across underground forums. Our approach combines a domain-specific pre-trained classifier with locally deployed large language models for refined classification and structured information extraction. We apply this pipeline to the CrimeBB dataset, spanning multiple forums over two decades, and identify a substantial corpus of IAB-related posts for analysis from both market-level and actor-level perspectives. Our findings reveal a resilient and adaptive IAB ecosystem. Activity persists despite major forum disruptions, with disposable seller accounts dominating the market. Escrow services, intermediaries, and external communication channels enable transactions independent of long-term account reputation. These mechanisms allow the IAB market to sustain operations despite law enforcement actions, highlighting its structural persistence within the broader cybercrime economy.

Characterizing external communication references in underground forums

Roy Ricaldi, Rodrigo Martín Núñez and Luca Allodi Eindhoven University of Technology

Abstract: Underground forums increasingly redirect users to external communication platforms (e.g., Telegram, Discord, Signal). While prior work has examined these platforms and how frequently they appear in forum posts, there is limited systematic support for interpreting their function and significance within the broader ecosystem. This gap limits our ability to understand how underground communities operationalize external platforms and to prioritize high-value references for threat intelligence. Using the CrimeBB dataset, this project develops a characterization framework to analyze External Communication References (ECRs) embedded in forum threads. We address two research questions: RQ1: How can we classify the roles ECRs have in supporting underground forum activities? RQ2: How can we characterize ECRs based on thread content and metadata to enable investigative prioritization? Such characterization is necessary to distinguish high-risk, operationally significant references from routine mentions, enabling more effective resource allocation. We sample threads containing ECRs (e.g., URLs, @handles, invite links) and conduct an iterative coding process to develop an ECR role codebook (e.g., private communication, marketplace, operational coordination, proof-of-credibility), which is used to train a multi-label classification model. Building on this functional layer, we introduce a flexible characterization framework grounded in prior literature, incorporating technical indicators, operational maturity, economic signals, and actor-level attributes.

12:40 Lunch

13:30 Session 3: Targets and Defences

AI-Enhanced email security: A novel pipeline for phishing campaign detection and profiling

Tarini Saka Max Planck Institute for Security and Privacy (MPI-SP), Kami Vaniea University of Waterloo and Nadin Kokciyan University of Edinburgh

Abstract: Phishing attacks have grown rapidly in scale and sophistication, increasing the workload on IT and SOC teams who must triage, categorize, and respond to large volumes of evolving emails. Attackers use obfuscation and increasingly AI-assisted social engineering to evade detection, and they often distribute emails as part of coordinated campaigns to maximize impact. In this talk, we present a hybrid pipeline that integrates AI to complement (not replace) human expertise in phishing mitigation. Using the Cambridge Cybercrime Centre phishing email dataset, our approach combines: (1) feature extraction, where fine-tuned language models derive contextual and behavioral indicators from email content; (2) campaign detection, using community-detection methods to cluster related emails and identify coordinated activity; and (3) campaign profiling, generating concise campaign summaries to support faster analyst decision-making and response. By grouping similar emails and producing actionable profiles, the framework aims to accelerate campaign-level understanding, improve blocking/containment, and streamline communication with end users.

An application of neutralisation theory on pro-Ukrainian and pro-Russian hackers

Sara Rubini, Brian Klaas and Paul Gill University College London

Abstract: Since Russia’s full-scale invasion of Ukraine in February 2022, cyberattacks perpetrated by pro-Russian and pro-Ukrainian hackers have played an important role in non-kinetic conflict. We conducted a qualitative content analysis of 5,858 posts from a filo Russian hacking group and 5,567 posts published in a pro-Ukrainian hacking group made available by the Cambridge Cybercrime Centre. We explore four key questions: (1) Who are the individuals involved in this forum? (2) Who are the primary targets? (3) Which cyberattacks do Filo-Russian and Filo-Ukraine hackers carry out? (4) Do these actors employ neutralisation techniques to justify their actions? Findings reveal that hackers are self-organised, transnational, and frequently target both state and private entities, with a particular focus on critical infrastructure. We also found evidence of neutralisation techniques, including denial of victim, defence of necessity and appeal to higher loyalties, suggesting attempts to justify their actions within an ideological framework.

Who pays for payment fraud? Detection and liability rules under strategic fraudster adaptation

Vimal Balasubramaniam, Thomas Mosk and Antoine Uettwiller Queen Mary University of London

Abstract: We develop a dynamic model of payment fraud detection in which fraudsters strategically adapt their methods in response to detection technologies, causing model performance to decay over time. Using a panel of 1.3 million underground forum participants, we estimate stacked event studies around 27 anti-fraud technology deployments and find that countermeasure discussion grows monotonically after deployment - reaching significance at 24-35 months - while discussion of vulnerable methods is unaffected. This asymmetric response provides micro-level evidence of the "Whac-A-Mole" mechanism: technology deployment adds circumvention knowledge to the underground community without suppressing existing attack methods. Complementary evidence from Reddit and Twitter confirms fraud-type substitution and detection model decay. We characterize the socially optimal detection level and show that in competitive markets full liability induces overinvestment: each PSP ignores how its detection effort accelerates fraudster adaptation market-wide. When PSPs retrain models to counter decay, competition creates a ratchet effect. Optimal liability allocation sets full reimbursement for both sending and receiving PSPs, complemented by a regulatory fee that internalizes the social cost of fraud.

Consumer surveillance and financial fraud

Bo Bian University of British Columbia, Michaela Pagel Washington University, Devesh Raval Federal Trade Commission and Huan Tang University of Pennsylvania

Abstract: In today’s digital economy, firms continuously collect, store, share, and sell personal data, exposing customers to risks of financial fraud. Leveraging Apple’s App Tracking Transparency policy as a natural experiment, we show that restricting data tracking and sharing significantly reduces consumer fraud complaints, particularly those involving personal information misuse. Effects are stronger in areas dominated by firms with risky data practices and coincide with a decline in dark web discussions and higher prices for sensitive data. By tracing effects along the fraud supply chain, our findings suggest that data regulations can benefit consumers by constraining the flow of exploitable information.

14:50 Coffee break

15:10 KEYNOTE: anonymous invited speaker

16:10 Update From The Cambridge Cybercrime Centre

Alice Hutchings Cambridge Cybercrime Centre

Abstract: An update as to what the Centre has been working on, and future directions.

16:40 Social event
