Why is it so Hard to Catch Hackers?


Hackers are the elusive criminals of our day. It’s not that every hacker escapes, but one would think, given the total global impact and the motivated efforts of governments, that apprehension of hackers would be as sure as the spam that just showed up in your email inbox.

Encryption, botnets, false trails, and hacker havens make it nearly impossible to catch and prosecute almost all global hacks. Hacker activities and identities are hidden beneath layers of technologies, the same technologies that make the current internet the internet.

The hacker is the modern rogue shrouded behind a mist of anonymity, organized crime, and international red tape. Only the spectacular hacks seem to get prosecuted, the ones seen on newsreels around the world. This leaves everyone else wondering: who do I call for (cyber) justice?

Why are Hackers so Elusive?

Thieves are elusive. Hackers, as cyber criminals, are more or less thieves, and the track record across the United States for capturing thieves is not good. According to a 2017 Pew Research Center article, the majority of theft crimes go unsolved. The 2019 FBI statistics (most recent available) have the following disheartening clearance rate numbers (successful prosecutions). The low clearance numbers would indicate a lack of resources, whether personnel, technical, or otherwise, in the fight against crime.

Crime            Clearance Rate
Robbery          29%
Property Crime   17%
Burglary         13%
Larceny          18%

2019 FBI Theft Closure Rate Statistics

To make matters worse for prosecuting cybercrime, tiresome and useless cyber metrics are driving bad policy (legal loopholes) and stifling real change. Third Way has a wonderful research article explaining the current metric-ton mess. The conclusion of the article has three recommendations:

  1. Establish a proper statistical baseline
  2. Reform crime reporting systems
  3. Evaluate success of law enforcement efforts against the threat

The same report from Third Way also indicates a less than 1% closure rate for cyber criminals.

Third Way’s analysis of publicly available data estimates that less than 1% of cyber incidents see an arrest of the perpetrator, recognizing that this data is incomplete

Third Way

However, even with good metrics, which the author of the report does say are “the first step in the fight against cybercrime”, the hackers still have a few major advantages:

  • Operational Security (opsec)
  • Anonymity
  • Organized Crime

What is Cybercrime Operational Security (OPSEC)?

Operational Security is about making sure your adversary isn’t able to reverse engineer everything you just did and duplicate it or track you down because of it.

OPSEC is the ability to deny to potential adversaries information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive … activities

National Security Decision Directive #268

Cybercrime OPSEC is the application of those same techniques to protect hacking activities from the surveillance techniques of law enforcement agencies around the world.

Every hacker worth their weight in hyper-pure silicon, and who has a functional desire to stay out of prison, takes steps to ensure their presence remains a mystery. And if their presence requires announcement, such as in a ransomware attack, the hacker needs to make sure their activities aren’t traceable to such a degree that those activities are forensically linkable to them.

Ultimately, hackers use OPSEC techniques to confound the investigative and intelligence-gathering efforts of the victim and to make sure other preparatory activities don’t “leak” out onto an internet under intense surveillance. The techniques range from creating false internet identities that never cross streams with their real identities (pre-pre-attack) to anti-forensic techniques to confuse and bewilder.

Here is a list of OPSEC techniques hackers use to cover their tracks (or generate false tracks):

  • They keep their mouths shut. “Don’t talk about fight club”
  • Cover identities for the internet
  • Anonymity protections (explored more in the next section)
  • Mindfulness of data such as geography and weather
  • Anti-Forensic and extraneous data creation actions post compromise
  • Financial “scrubbing” to protect the flow of money

Most hackers who get nabbed and prosecuted failed to properly implement, or stick to, one or more of these operational security techniques.

Hackers who do not get caught, and that is statistically all of them, practice OPSEC from the run-up to the tear-down of a campaign. Other axioms like “Don’t get greedy” and “Aim small, miss small” help isolate each campaign into a small, manageable box, requiring ever more creative investigative tools and techniques on the part of law enforcement.

Of course, it helps when 62% of breaches (in the US anyway) are against small businesses who don’t have the skills, resources, or money to respond in any meaningful way. So, they have to report it and leave it to the authorities to run down. We see how that is going.

How Hackers Stay Anonymous and Difficult to Identify

OPSEC is the core concept behind anonymity on the internet. It doesn’t matter if you are a hacker, a missionary, a political dissident, or an investigative journalist, good OPSEC is what keeps someone unidentifiable. Maybe the most important OPSEC technique for a hacker (after not talking about fight club) is anonymity protections: techniques and technologies used to mask their digital and physical location.

“Don’t get caught, and if you do deny, deny, deny, and if at all possible, blame someone else” is the essential life principle for any criminal. Hackers are no different. Putting that principle in practice is what anonymity and non-attribution look like.

The Onion Router (TOR) is a protocol designed to make tracing a connection back to its source impossible. Think of TOR as a game of telephone (only the message is never garbled), where each person (relay) knows only the person who handed them the message and the person they are handing it to. Add a layer of encryption at each hop and it becomes (almost) impossible to connect the source with the target.
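The “telephone game with a layer of encryption per hop” can be made concrete with a small model of onion routing. The following is an added example written for this article, not code from the Tor project: the three relay names, their fixed keys and the SHA-256-based toy stream cipher are all constructed for the illustration (real Tor negotiates per-hop keys and uses real ciphers). The sender wraps the message in three layers, innermost for the exit; each relay strips exactly one layer and learns only who handed it the cell and who gets it next, which is why no single relay can link the client to the destination.

```python
"""Toy onion routing: each relay peels one encryption layer and sees only its
neighbours. Constructed illustration; the keystream is NOT a real cipher."""
import base64
import hashlib
import json
import os

# Constructed relay keys for a three-hop circuit. In Tor these are agreed per
# circuit by a key exchange with each relay; fixed here so the example runs offline.
RELAY_KEYS = {
    "guard": b"constructed-guard-key",
    "middle": b"constructed-middle-key",
    "exit": b"constructed-exit-key",
}
CIRCUIT = ["guard", "middle", "exit"]   # order in which the cell travels


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy only, for illustration)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def _decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_onion(message: bytes, destination: str) -> bytes:
    """Wrap the message inside out: the exit's layer first, the guard's last.
    Each layer records only the *next* hop; the sender's identity is never inside."""
    next_hop, payload = destination, message
    for hop in reversed(CIRCUIT):            # exit, middle, guard
        layer = {"next": next_hop, "payload": base64.b64encode(payload).decode()}
        payload = _encrypt(RELAY_KEYS[hop], json.dumps(layer).encode())
        next_hop = hop
    return payload                           # this is what the client sends to the guard


def relay_peel(relay: str, blob: bytes):
    """One relay removes its own layer and learns where to forward the rest."""
    layer = json.loads(_decrypt(RELAY_KEYS[relay], blob))
    return layer["next"], base64.b64decode(layer["payload"])


def traverse(onion: bytes) -> list:
    """Walk the circuit and record what each relay can observe."""
    trace, blob = [], onion
    for i, hop in enumerate(CIRCUIT):
        received_from = "client" if i == 0 else CIRCUIT[i - 1]
        forwards_to, blob = relay_peel(hop, blob)
        trace.append({"relay": hop, "received_from": received_from,
                      "forwards_to": forwards_to, "payload": blob})
    return trace


def single_relay_links_both_ends(trace: list, destination: str) -> bool:
    """True only if some one relay saw both the client and the destination."""
    return any(t["received_from"] == "client" and t["forwards_to"] == destination
               for t in trace)


if __name__ == "__main__":
    msg, dest = b"GET / HTTP/1.1", "example.test"   # constructed sample request
    for step in traverse(build_onion(msg, dest)):
        readable = step["payload"] == msg
        print(f'{step["relay"]:7} from={step["received_from"]:7} '
              f'to={step["forwards_to"]:13} plaintext_visible={readable}')
```

Running it shows the guard knows the client but forwards an opaque blob to “middle”; the middle knows only its two relay neighbours; and the exit is the first party that sees the destination and the plaintext request (which is why end-to-end TLS still matters even inside Tor). The same property is what makes the investigative trail stop at a relay, and it is the reason the article says tracing is “(almost)” impossible: a global observer correlating traffic timing at the guard and exit is outside this model.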

The attack doesn’t have to go straight from the TOR exit relay to the intended target either. Instead, the TOR network is used to send commands to an army of zombie systems the attacker already owns and will now use as a jump-off point for the attack. These zombie systems are called botnets.

Botnets are diverse systems (home PCs, company servers, university computers, etc.) cobbled together from other successful hacks. The hacks meant to increase the size of the zombie army often don’t raise alarms: the hack happens and the zombie sits dormant until called into action against a primary target.

The botnets (or a portion of the botnet) are often sold as a service from hacker to hacker. Regardless, once a botnet is activated, it is used for all sorts of attacks such as denial of service or credential stuffing.

Or some zombie system in the botnet is used as a final jump-off point before hitting the intended target. Then, if the anti-forensic and extraneous-data techniques were strong enough, it is quite possible any investigation of the attack stops at the location of a particular bot (say, Gleaming Teeth Dental).

Hackers Have Become the Darling of Organized Crime

Ransomware, digital extortion, identity theft, and credit card theft from hacking have become the new numbers running. It’s not just for kids in their mom’s basements anymore. It hasn’t been that for at least a decade.

Depending on whose numbers you believe, cybercrime generates $1 trillion US dollars a year for cyber criminals. The drug trade only generates about $600 billion dollars a year. With $1 trillion dollars on the table, it is a certainty that traditional organized crime groups muscle in and hackers band together to form their own network of economic incentives.

Organized crime also, like any other business over the past two decades, has moved operations from the back office of the meat store to the raised floors of the data center. They also have a penchant for identifying “jurisdictional morass” to ensure its operations remain unhindered. Combine organized crime’s modernization with their logistical and legal prowess and that’s a recipe for a hacker haven.

It’s not that traditional organized crime syndicates are conducting all of these attacks, it’s that these groups are beginning to “assemble”, fund, equip, and protect their own hacker segments. It’s just good business.

Many hackers can now work in relative protection against extradition from the countries they attack because host countries see the hacker bases of operations, organized-crime funded and furnished, as “revenue streams”. And many more can work under the protection of organized crime in countries where the laws and leaders don’t see those activities as “taxable”.
