Back in 2023, when we last wrote about Cybercrime-as-a-Service, we described cybercrime as an economy that had figured out how to scale. Ransomware-as-a-Service affiliates, Initial Access Brokers, Crypter-as-a-Service providers, Malware-as-a-Service developers - each of them owning a role in the kill chain and each handoff between them monetized.

It looked like a trend back then. Now it looks like the baseline, the foundation on which everything else is getting built.

How initial access has shifted

Initial Access Brokers (IABs) were already monetizing footholds and lowering the technical bar for operators who did not want to deal with the hard part of gaining initial access. What has changed is what the foothold looks like. Across recent incident response investigations, we are increasingly seeing IABs trade not just stolen passwords but session tokens and cookie-backed authenticated login states: live, ready-to-use access where authentication has already happened.

Infostealers are a big part of this shift. Deployed at scale across endpoints, they harvest active sessions from browsers, endpoint credential stores, and enterprise SSO environments. The resulting access sells fast because it is immediately actionable. It eliminates the noisy behaviour defenders used to detect, such as failed logins, brute forcing and MFA prompt flooding, and depending on what permissions the harvested session already carries, it can remove the need for privilege escalation altogether.

This has downstream consequences that defenders are still adjusting to. The dwell time defenders previously relied on to detect intrusions before they escalated has shortened. It also changes what the response playbook must look like. Password rotation is no longer sufficient when the active threat is a live session that survives credential changes: a stolen refresh token or session cookie typically keeps working after the password is reset unless the session itself is invalidated. Defenders need to revoke sessions, invalidate tokens, and treat persistence in identity systems with the same urgency they apply to persistence on endpoints.

Artificial Intelligence is entering the attack chain

The window for treating AI in cybercrime as a future concern has closed. CERT-UA's analysis of LAMEHUG, a Python-based malware family, provides an example of LLM integration inside an active attack chain. LAMEHUG calls an LLM API at runtime, querying the model to generate system commands from natural-language task descriptions, then executes those commands directly on the compromised host. This is not a proof of concept or a research finding. The campaign was directed at Ukrainian executive government authorities during an active conflict.

Malware that generates malicious code dynamically through API calls, instead of carrying a fixed payload, has also been detected. Signature-based detection, and even many behaviour-based detections, are built on the assumption that a payload has a consistent, identifiable structure. A payload that rewrites itself on every run breaks that assumption, which pushes detection toward what the process does around the model call: the outbound request to the model API, followed by the command execution it produces.
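As an added example (not code from the article, nor from CERT-UA's LAMEHUG analysis), the following Python correlates the two pieces of endpoint telemetry that the behaviour described in the last two paragraphs produces regardless of what the generated commands look like: a process connecting to a model API host, and that same process spawning a command interpreter shortly afterwards. The API host watchlist, the allowlisted parent image, the time window and the sample events are all constructed assumptions for this example and should be tuned to your own proxy and EDR data.

```python
import re

# Assumed watchlist of model API hosts; extend it from what your proxy logs show.
LLM_API_HOSTS = {"api.openai.com", "api-inference.huggingface.co"}
# Command interpreters whose launch right after a model API call is suspicious.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
# Assumed allowlist: developer tools that legitimately call model APIs and spawn shells.
ALLOWLISTED_PARENTS = {r"c:\program files\microsoft vs code\code.exe"}
WINDOW_SECONDS = 60


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def correlate(events):
    """Return alerts for processes that called a model API and then spawned a shell.

    events: dicts with ts (epoch seconds), host, type ("net_connect" or
    "process_create") and image, plus dst_host/pid for connections or
    pid/ppid/cmdline for process creation.
    """
    recent_api_calls = {}  # (host, pid) -> (ts, dst_host, image)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "net_connect" and ev["dst_host"] in LLM_API_HOSTS:
            recent_api_calls[(ev["host"], ev["pid"])] = (ev["ts"], ev["dst_host"], ev["image"])
        elif ev["type"] == "process_create" and basename(ev["image"]) in SHELL_IMAGES:
            hit = recent_api_calls.get((ev["host"], ev["ppid"]))
            if hit is None:
                continue
            api_ts, dst_host, parent_image = hit
            if ev["ts"] - api_ts > WINDOW_SECONDS:
                continue  # too long after the API call to be the generated command
            if parent_image.lower() in ALLOWLISTED_PARENTS:
                continue  # known-good tooling; review the allowlist periodically
            alerts.append({
                "host": ev["host"],
                "parent_pid": ev["ppid"],
                "parent_image": parent_image,
                "model_api_host": dst_host,
                "seconds_between": ev["ts"] - api_ts,
                "spawned": ev["cmdline"],
            })
    return alerts


# Constructed sample telemetry, one host, three scenarios.
SAMPLE_EVENTS = [
    # Unknown binary in a user profile calls a model API, then runs cmd.exe: alert.
    {"ts": 100, "host": "WS-17", "type": "net_connect", "pid": 4312,
     "image": r"C:\Users\bob\AppData\Local\Temp\report.exe",
     "dst_host": "api-inference.huggingface.co"},
    {"ts": 103, "host": "WS-17", "type": "process_create", "pid": 5120, "ppid": 4312,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c systeminfo > C:\ProgramData\info.txt"},
    # An allowlisted editor doing the same thing: no alert.
    {"ts": 200, "host": "WS-17", "type": "net_connect", "pid": 880,
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe", "dst_host": "api.openai.com"},
    {"ts": 205, "host": "WS-17", "type": "process_create", "pid": 901, "ppid": 880,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile"},
    # A shell spawned well outside the window: no alert.
    {"ts": 300, "host": "WS-17", "type": "net_connect", "pid": 777,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_host": "api.openai.com"},
    {"ts": 400, "host": "WS-17", "type": "process_create", "pid": 790, "ppid": 777,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on process lineage and timing rather than on any byte pattern, so it keeps firing when the model returns different commands on every run. The obvious gap is TLS-only visibility: if your proxy cannot attribute connections to a process, substitute DNS resolution events from the endpoint agent for the net_connect records.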

In operational contexts, threat actors have been observed using generative AI to produce bespoke command-and-control scripts and custom malware on demand, reducing the time between gaining initial access and achieving their objectives. AI is also being used to automate earlier stages of the attack chain entirely, including reconnaissance, vulnerability scanning across target infrastructure, and deployment staging. These tools are now available commercially on underground forums with subscription pricing models and tiered features.

For defenders, the implication is that attacks get faster and leave fewer seams. When a single operator can automate reconnaissance, generate custom malware, and move through the entire kill chain with fewer external dependencies, there are fewer transaction traces, fewer inter-group communication patterns, and less time between access and impact.

The boundary between cybercriminal and state-aligned activity is narrowing

In our earlier analysis, state-aligned threat actors buying access through the criminal underground were described as an emerging and somewhat exceptional overlap. State actors hiding within the noise of commodity criminal tooling to maintain plausible deniability was a trend worth monitoring. That framing no longer describes current activity accurately.

We now routinely encounter operations where the same IAB infrastructure and relay networks appear in what could be classified as either a criminal extortion operation or a state-aligned espionage campaign. The early stages of the attack chain are often operationally indistinguishable. The same access and infrastructure can serve both criminal and state-aligned objectives, with different end goals emerging from the same initial footprint.

The shift from encryption to exfiltration as primary leverage

Ransomware has been the profit engine driving the professionalization of the criminal ecosystem for several years, but the mechanics of leverage have been shifting away from encryption and toward data theft. Organization-wide encryption is a slow, operationally complex process that generates significant noise across a network and regularly triggers alerts during execution. Some operators skip it entirely, because data theft alone achieves the same leverage faster and with less operational risk.

The logic from an attacker's perspective is straightforward. Steal sensitive data, threaten publication, and collect payment. There is no decryption key to manage, no negotiation complexity around proving that the decryptor actually works, and no risk that security software blocks the encryption process. For defenders, data staging, anomalous access to sensitive repositories and files, and exfiltration-related traffic are now the indicators that should trigger the same response priority as a ransomware alert.

Disrupting the infrastructure of trust

Two recent law enforcement operations gave us an insightful look at what attacking the shared infrastructure layer of the cybercrime ecosystem, rather than individual actors, actually involves and achieves. Operation Endgame targeted dropper and loader ecosystems specifically, going after the distribution infrastructure used to deliver malware payloads at scale, infrastructure that was being shared by operators from multiple threat groups simultaneously. Operation Cronos targeted LockBit directly, compromising the platform itself and taking down servers across multiple countries.

Neither operation ended the cybercrime economy, but what they demonstrated is that attacking shared services infrastructure creates multiplier effects, hitting multiple operators at once rather than taking down one group at a time. Moreover, they established that trust itself is a legitimate target. When operators cannot rely on the infrastructure they depend on, the cost-benefit calculation of participation changes.

Where most organisations are still behind

Many organizations still treat an intrusion as the work of a single unified group following a predefined playbook. That assumption produces predictable failures: detecting late, responding under pressure, and discovering mid-incident that the attack involved multiple specialized operators, each performing their own role. If you want to reduce damage, you cannot start when the ransom note appears. You need to act earlier, at the broker's foothold and the first handoff.

At the same time, defenders are also getting better at working together. Public-private partnerships are improving. Government agencies and security vendors are producing more operationally useful guidance. Law enforcement coordinates across countries more than before. The information sharing problem is not fully solved though. Legal constraints, conflicting disclosure policies, incompatible sharing formats, and institutional reluctance all slow down the sharing of threat intelligence between organizations. Threat actors do not carry these burdens. Cybercrime-as-a-Service moves fast because it is built for profit, not compliance. Defenders are improving, but often more slowly than the threat is growing.

How defensive priorities need to shift

Identity infrastructure is no longer just a supporting concern. The shift toward session and token trading means endpoint security and perimeter controls are not enough if identities are not monitored. Revoking sessions, invalidating tokens, detecting abnormal authentication behaviour and killing persistence in the identity layer quickly is now as important as the ability to isolate an endpoint.
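The point made here and in the initial-access section above, that a password reset does nothing to a stolen session while a session revocation kills it, is easiest to see in code. The following Python is an added example, not code from the article or from any identity product: a minimal identity store whose revocation works through a per-user watermark (sessions issued before the watermark are rejected on next use, the same pattern that, for instance, Microsoft Entra ID exposes as signInSessionsValidFromDateTime). The walkthrough replays a session stolen from "alice" after a password rotation and again after a revocation. All names, timestamps and addresses are constructed.

```python
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    issued_at: float   # epoch seconds when the session or token was issued
    source_ip: str     # where it was issued from, kept for anomaly checks


@dataclass
class UserRecord:
    password_hash: str                 # stand-in value; a real store holds a proper hash
    password_changed_at: float = 0.0
    sessions_valid_from: float = 0.0   # revocation watermark


class IdentityStore:
    def __init__(self):
        self.users = {}
        self.sessions = {}

    def add_user(self, name, password_hash):
        self.users[name] = UserRecord(password_hash)

    def issue_session(self, user, source_ip, now):
        token = f"tok-{len(self.sessions) + 1:04d}"
        self.sessions[token] = Session(user, now, source_ip)
        return token

    def rotate_password(self, user, new_hash, now):
        # Touches only the credential: existing sessions deliberately stay valid,
        # which is exactly the gap a stolen session lives in.
        rec = self.users[user]
        rec.password_hash = new_hash
        rec.password_changed_at = now

    def revoke_sessions(self, user, now):
        # Moves the watermark; every session issued before it is dead on next use,
        # with no need to enumerate or find the stolen tokens individually.
        self.users[user].sessions_valid_from = now

    def validate(self, token, source_ip):
        session = self.sessions.get(token)
        if session is None:
            return False, "unknown token"
        rec = self.users[session.user]
        if session.issued_at < rec.sessions_valid_from:
            return False, "revoked"
        if source_ip != session.source_ip:
            # Still valid, but a session moving to a new source address is the
            # abnormal-authentication signal worth alerting on.
            return True, "valid, but presented from a new source address (alert)"
        return True, "valid"


def walkthrough():
    """Stolen session replayed after a password reset, then after a revocation."""
    store = IdentityStore()
    store.add_user("alice", "hash-v1")
    t0 = 1_700_000_000.0
    stolen = store.issue_session("alice", "10.0.0.5", t0)  # later lifted by an infostealer

    store.rotate_password("alice", "hash-v2", t0 + 3600)
    after_rotation = store.validate(stolen, "203.0.113.7")    # attacker replays it

    store.revoke_sessions("alice", t0 + 3700)
    after_revocation = store.validate(stolen, "203.0.113.7")

    fresh = store.issue_session("alice", "10.0.0.5", t0 + 3800)  # user signs in again
    fresh_result = store.validate(fresh, "10.0.0.5")
    return {
        "after_password_rotation": after_rotation,
        "after_session_revocation": after_revocation,
        "fresh_session": fresh_result,
    }


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step}: {result}")
```

In a real playbook the revocation step runs against the identity provider and every application that holds its own session state (VPN, SaaS with long-lived refresh tokens, service consoles), and the response is only complete when all of them have moved their watermark.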

Detection and response investment in many organizations has skewed toward preventing malware from executing. Data staging activity, anomalous access patterns against sensitive repositories, and unusual outbound traffic are the signals that should generate the same response urgency as a malware alert.
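Both this paragraph and the exfiltration section above name the same three signals: mass access to sensitive data, archive creation in a staging location, and outbound volume to an external destination far above the host's norm. The following Python is an added example (not code from the article) that scores constructed file-access and flow records on those three signals and alerts when at least two coincide on one host. The share paths, staging directories, thresholds and baselines are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed values for this example; none of them come from the article.
SENSITIVE_ROOTS = (r"\\fs01\finance", r"\\fs01\hr")
STAGING_DIRS = (r"c:\users\public", r"c:\windows\temp", "/tmp", "/dev/shm")
ARCHIVE_EXTS = (".7z", ".zip", ".rar")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MASS_READ_THRESHOLD = 25   # distinct sensitive files read by one host in the window
EXFIL_MULTIPLIER = 10      # outbound bytes to one external destination vs. host baseline
MIN_REASONS = 2            # alert when at least two of the three signals coincide


def is_external(ip):
    # Explicit internal prefixes rather than ipaddress.is_private, which also
    # treats the documentation ranges used in the sample data as private.
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyse(file_events, flows, baseline_bytes):
    """Score hosts on mass reads of sensitive data, archive staging and outbound volume.

    file_events:    dicts with host, op ("read" or "create"), path
    flows:          dicts with host, dst (IP string), bytes_out
    baseline_bytes: host -> typical outbound bytes to any single external destination
    Returns {host: [reason, ...]} for hosts showing at least MIN_REASONS signals.
    """
    reads = defaultdict(set)
    staged = defaultdict(list)
    out_bytes = defaultdict(lambda: defaultdict(int))
    sensitive = tuple(r.lower() for r in SENSITIVE_ROOTS)
    for ev in file_events:
        path = ev["path"].lower()
        if ev["op"] == "read" and path.startswith(sensitive):
            reads[ev["host"]].add(path)
        elif ev["op"] == "create" and path.endswith(ARCHIVE_EXTS) and path.startswith(STAGING_DIRS):
            staged[ev["host"]].append(ev["path"])
    for flow in flows:
        if is_external(flow["dst"]):
            out_bytes[flow["host"]][flow["dst"]] += flow["bytes_out"]

    alerts = {}
    for host in set(reads) | set(staged) | set(out_bytes):
        reasons = []
        if len(reads[host]) >= MASS_READ_THRESHOLD:
            reasons.append(f"read {len(reads[host])} distinct files under sensitive shares")
        for archive in staged[host]:
            reasons.append(f"archive created in staging location: {archive}")
        base = baseline_bytes.get(host, 0)
        for dst, sent in out_bytes[host].items():
            if sent > EXFIL_MULTIPLIER * base:
                reasons.append(f"{sent} bytes to external {dst}, baseline {base}")
        if len(reasons) >= MIN_REASONS:
            alerts[host] = reasons
    return alerts


# Constructed sample telemetry: WS-22 shows all three signals, WS-05 crosses none.
SAMPLE_FILE_EVENTS = (
    [{"host": "WS-22", "op": "read", "path": rf"\\fs01\finance\2024\ledger_{i:03d}.xlsx"} for i in range(30)]
    + [{"host": "WS-22", "op": "create", "path": r"C:\Users\Public\backup.7z"}]
    + [{"host": "WS-05", "op": "read", "path": rf"\\fs01\finance\2024\ledger_{i:03d}.xlsx"} for i in range(5)]
)
SAMPLE_FLOWS = [
    {"host": "WS-22", "dst": "203.0.113.7", "bytes_out": 2_800_000_000},
    {"host": "WS-22", "dst": "10.1.2.3", "bytes_out": 9_000_000_000},  # internal backup target, ignored
    {"host": "WS-05", "dst": "198.51.100.20", "bytes_out": 60_000_000},
]
SAMPLE_BASELINE = {"WS-22": 40_000_000, "WS-05": 50_000_000}

if __name__ == "__main__":
    for host, reasons in analyse(SAMPLE_FILE_EVENTS, SAMPLE_FLOWS, SAMPLE_BASELINE).items():
        print(host, *reasons, sep="\n  ")
```

Requiring two coinciding signals keeps a single large upload or a single archive from paging someone, while still catching the staging-then-exfiltration sequence that precedes an extortion demand. The per-destination baseline matters: a host that routinely sends large volumes to one cloud backup endpoint should not be alerted for that endpoint, only for a new one.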

Third-party and supplier access needs to be treated as in scope for review. Knowing exactly which suppliers hold privileged access to your environment, auditing that access regularly, and being able to revoke it quickly when something looks wrong is no longer optional.

Continuous exposure management, keeping internet-facing assets patched and securing new SaaS adoptions, reduces the available entry points before an attacker has a chance to find them. IABs run their own automated scanning continuously, so an exposed service that appears today can be listed for sale within days. When you can revoke access quickly, block lateral movement, and remove persistence fast, the handoff from broker to operator fails because the access being sold is already dead. Measure your response speed and treat it as a priority, not just a technical goal.

How Cybercrime-as-a-Service is likely to develop

The service model will keep getting more modular, because modularity makes it easier for new operators to join and makes the whole system harder to take down. Operators who lack the technical depth or financial resources to build capability in-house will keep subscribing to these services. Through 2025, dozens of new ransomware and extortion groups emerged alongside hundreds of new ransomware variants.

AI is creating a different pathway. For operators with more technical capability or resources, AI tooling is reducing external dependencies. Generating obfuscated malware variants, automating reconnaissance, handling negotiation steps: these are capabilities that can now be built in-house with commercially available AI tooling instead of being bought from an underground marketplace. This is not the end of the service model. What it creates is a split between lower-capability operators who remain dependent on the marketplace and more sophisticated operators who move selected capabilities in-house to reduce their operational exposure. The underground marketplace for AI-enabled offensive tooling is also maturing, with tiered pricing and features, so even in-house capability is being commoditized at the tooling layer, through a different channel than traditional underground services.

The cybercrime economy has been refined, accelerated, and partially automated. The service model is still running. It has gotten faster, quieter, and more entangled with operators whose motivations extend well beyond financial gain.