I have written on this blog before that the Internet is not everything it is cracked up to be. Here I will add another string to that bow: crime. Spam, scams, malware, keyloggers, viruses, hacking, identity theft, distributed denial-of-service (DDoS) attacks, stolen credit card details… the list goes on. Just as its offline counterpart, cybercrime encompasses a diverse array of misdeeds. But where its victims, both personal and corporate, regularly make headlines, the perpetrators remain a mysterious bunch. Based on a huge number of interviews, sociologist Jonathan Lusthaus here provides a peek behind that veil of anonymity. Next to showing that cybercrime has become an industry like any other, he also explores the paradox at its heart: how did this growth happen in an environment of mistrust and anonymity?
Lusthaus spends part of his first chapter, and the methodological appendix referenced therein, both explaining and defending his methodology. Although quantitative research is generally the preferred way to address research questions, he points out that the statistics on cybercrime are very scant. This book should, therefore, be seen as a first peek into the world of cybercrime on which future studies might hopefully build.
Lusthaus’s approach is no less impressive for it. Based on 238 interviews conducted over seven years with both current and former cybercriminals, cybersecurity experts, law enforcement agents, lawyers, civil servants, journalists, and many others, as well as published accounts, archived websites, chat logs, and legal documents, Lusthaus goes deep down the rabbit hole. The research involved going to cybercrime hotspots in Russia, Ukraine, Romania, Nigeria, Brazil, China, and other places to interview people in person. The blurb on the dustjacket bigs this up quite a bit, but this book is no memoir of Lusthaus’s adventures, staying firmly within the confines of an academic sociological treatise.
“Based on 238 interviews conducted over seven years, Lusthaus goes deep down the rabbit hole of cybercrime”
The aim of Industry of Anonymity is two-fold: to show that cybercrime has become a sophisticated, for-profit industry, and to understand how this could have happened in an environment riven with anonymity and distrust. That second question very much follows on from the first point, for the growth in cybercrime is not just more of the same – there has been a genuine change in complexity, scale, and organisation.
Though popular imagination still portrays hackers as lone-wolf teenagers working from their bedrooms, reality is different. Starting with a brief history of hacking, Lusthaus shortly chronicles the rise of carder forums, where stolen credit card details were being traded, and the series of crackdowns and arrests that fragmented and decentralised the cybercrime world, forcing it deeper into anonymity. What I found particularly eye-opening in these first two chapters was the evidence and testimony Lusthaus gathers of cybercriminals with specialised skill sets cooperating like cogs in a larger machine, sometimes loosely organising themselves in real-world, offline firms complete with physical premises masquerading as technology companies, while at other times plying their services in underground online forums.
“cybercrime has become a sophisticated, for-profit industry, [it] is not just more of the same – there has been a genuine change in complexity, scale, and organisation.”
This feeds into the remaining core of four chapters of the book, where Lusthaus explores how this rise in complexity has taken place in an anonymous environment. Nicknames are argued to function as a brand, with a tension between building up a reputation and the risk of eventually being unmasked by law enforcement. Offline, real-world violence in the form of abduction, beatings, or even murder discourages backstabbing amongst criminals. Cybercriminals – anonymous and often operating in different countries – have less to fear in this regard, so a certain amount of defection is almost taken for granted by the people Lusthaus interviewed. But he shows that there are strategies to prevent this, revolving around reputation, exclusion from forums, and the use of escrow services: third-party intermediaries in a deal.
Given the above it may come as a surprise that some cybercriminals give up their anonymity and reveal their identity to fellow criminals, sometimes even meeting them in person. As with nicknames, Lusthaus shows the tension between the benefits and drawbacks that anonymity brings in this environment, and how there are different pathways to success. Finally, another reason cybercrime has flourished is that it is being protected. Lusthaus breaks with the popular narrative that organised crime is taking over cybercrime. Although they have a role to play in it, Lusthaus contends that government corruption is a more powerful factor that prevents cybercriminals from being brought to justice. This seems to be especially true in Eastern Europe and Russia.
“it may come as a surprise that some cybercriminals give up their anonymity and reveal their identity to fellow criminals […] As with nicknames, [there is a] tension between the benefits and drawbacks that anonymity brings.”
Industry of Anonymity is a well-structured book that benefits from helpful summaries at the end of each chapter. It is not intended as a broad introduction to cybercrime, though, but has a particular, well-outlined focus. Lusthaus does not discuss the technical details of cyberattacks (other than a short explanation of what certain attacks entail), nor does he talk to victims. In contrast to previous popular accounts (next to Kingpin and DarkMarket, Lusthaus prominently mentions and draws from Fatal System Error and Spam Nation) this book aims to be a broader and more current survey. According to Lusthaus, the former have mostly been US or Europe-centric, focused on particular cases, and often have not looked beyond the 2000s when the drive for profit took over. Similarly, though the book provides plenty of colour in the form of passages from interviews (often faithfully transmitted here in the broken English of the participants) and the examples drawn from popular accounts, Lusthaus’s book is foremost an academic treatise. That said, for readers interested in sociology, criminology, or cybercrime, this book is a very valuable survey based on an incredible amount of work and perseverance.
Disclosure: The publisher provided a review copy of this book. The opinion expressed here is my own, however.
You can support this blog using below affiliate links, as an Amazon Associate I earn from qualifying purchases:
Other recommended books mentioned in this review: