






















Cybercrime today operates less like isolated criminal activity and more like a globalized digital economy in which specialized actors provide services, infrastructure, and expertise that allow attacks to scale efficiently across borders. Ransomware groups rely on initial access brokers to obtain footholds into enterprise networks, malware developers package tools for sale in underground marketplaces, and money-laundering networks specialize in converting illicit gains into financial assets that can move through global financial systems. Taken together, these roles form an industrialized criminal supply chain that mirrors many characteristics of legitimate digital economies. More, the rise of shadow agents is poised to accelerate growth of the cybercriminal ecosystem.
Understanding cybercrime as an ecosystem rather than a series of individual attacks has important implications for defenders. Security teams can still mitigate incidents and reduce immediate harm, but meaningful progress increasingly depends on disrupting the systems that allow cybercrime operations to function and expand.
That perspective shaped the discussion during our RSAC Conference (RSAC) session, “Disrupting Cybercrime Networks, Successfully, Continuously, and at Scale.” The panel brought together leaders from the World Economic Forum, Microsoft’s Digital Crimes Unit, INTERPOL, and the Forum’s Cybercrime Atlas initiative to examine how sustained collaboration among industry, international organizations, and law enforcement can shift disruption efforts from episodic takedowns to coordinated campaigns that weaken entire criminal ecosystems.
The cybersecurity community has demonstrated the value of collaboration many times over the past two decades. A widely cited example is the Conficker Working Group, which mobilized technology vendors, researchers, and law enforcement agencies to contain one of the largest malware outbreaks of its time. The effort illustrated how shared intelligence and coordinated responses could significantly reduce the global impact of a rapidly spreading threat.
At the same time, however, Conficker also revealed a structural limitation that still affects many disruption efforts today. The collaboration was built around a specific threat and relied heavily on voluntary coordination, which meant that once the immediate crisis subsided, the mechanisms supporting that cooperation gradually dissolved.
Cybercriminal networks do not operate in that episodic way. Infrastructure is rebuilt quickly, affiliates migrate between criminal platforms, and malware toolkits evolve continuously as operators adapt to defensive measures. Because the adversary ecosystem operates without interruption, defenders cannot rely on temporary coalitions assembled in response to individual campaigns. Effectively disrupting cybercrime requires a persistent collaboration model that can analyze and target criminal ecosystems over time.
One initiative designed to support that shift is the Cybercrime Atlas, developed through the World Economic Forum’s Centre for Cybersecurity in collaboration with partners across industry, law enforcement, and academia. The Cybercrime Atlas focuses on mapping the relationships that define cybercrime operations, including the actors involved, the infrastructure they rely on, and the financial systems that enable them to monetize attacks.
By building a shared understanding of these ecosystems, the initiative allows participants to coordinate disruption strategies that target multiple layers of a criminal network rather than focusing on individual operators or isolated incidents. Threat intelligence teams provide visibility into malware campaigns and infrastructure usage patterns; technology companies identify malicious activity across platforms and hosting environments; financial institutions provide insight into the movement of illicit funds; and law enforcement agencies contribute investigative authority and the ability to pursue arrests and prosecutions.
When these perspectives are combined, disruption campaigns can address multiple points within the cybercrime supply chain simultaneously, increasing the likelihood that criminal operations will be meaningfully degraded rather than temporarily interrupted.
Although collaboration is widely recognized as essential in cybersecurity, operationalizing collaboration requires more than shared intent. Organizations must have mechanisms that enable intelligence to move securely across sectors and jurisdictions, and those mechanisms must support coordinated action rather than merely produce shared analysis.
Participants also need clearly defined operational roles so that once malicious infrastructure or actors are identified, organizations understand how and when to act. Technology providers may disable infrastructure used by threat actors, financial institutions may investigate suspicious transaction patterns, and law enforcement agencies may initiate investigations that lead to arrests and prosecutions.
Equally important, collaboration must be repeatable. Effective disruption cannot depend on a unique group of individuals or a one-time alignment of circumstances. Instead, it requires governance structures, operational processes, and trusted partnerships that allow coordinated campaigns to occur regularly and at scale.
The Cybercrime Atlas represents one attempt to provide this type of institutional framework, enabling partners to coordinate intelligence, investigations, and enforcement actions more consistently across the global cybersecurity community.
Cybercrime persists because it remains economically attractive. Criminal groups invest in attack infrastructure because the financial returns from ransomware, fraud, and data theft continue to outweigh the risks and operational costs associated with those activities.
For disruption efforts to have a lasting impact, they must focus on changing the economic model that sustains cybercrime. Repeated infrastructure takedowns force attackers to spend time and resources rebuilding their operational environments. Financial investigations and transaction monitoring can make monetizing attacks more difficult, particularly when illicit flows are traced across multiple jurisdictions. Arrests and prosecutions introduce uncertainty and erode trust within criminal networks that depend heavily on reputation and reliability.
Each of these outcomes introduces friction into the cybercrime supply chain. Over time, sustained disruption campaigns can raise the cost of operating criminal enterprises while reducing the reliability of the services those enterprises depend on.
Achieving meaningful disruption requires participation from multiple sectors, each contributing capabilities that others cannot easily replicate. Technology providers often have the earliest visibility into malicious infrastructure and platform abuse, while threat intelligence teams track adversary tactics and infrastructure relationships across campaigns. Financial institutions provide insight into illicit financial flows, and law enforcement agencies translate those insights into investigations and legal consequences.
When these capabilities operate in isolation, their impact is limited. However, when they are aligned through coordinated campaigns, the combined effect can significantly weaken the operational resilience of cybercrime networks.
The partnerships represented in the RSAC session illustrate how these alignments are beginning to mature, with organizations across the private and public sectors contributing intelligence, investigative authority, and operational capability toward a shared objective.
Cybercrime groups intentionally exploit jurisdictional boundaries, often hosting infrastructure in one country, operating from another, and targeting victims worldwide. This global operating model makes international cooperation essential to effective disruption.
Organizations such as INTERPOL play a critical role in coordinating cross-border investigations and enabling national law enforcement agencies to work together on cybercrime cases. At the same time, private-sector organizations frequently possess the technical visibility needed to identify malicious infrastructure and to understand how criminal ecosystems function.
Combining investigative authority with industry intelligence significantly increases the likelihood that disruption campaigns will reach the individuals responsible for operating cybercrime networks rather than merely dismantling pieces of their infrastructure.
Another important objective is to support the development of regional cybercrime-disruption communities. These groups bring together law enforcement agencies, cybersecurity companies, financial institutions, and academic researchers to address threats that are particularly relevant to their regions.
Regional collaboration allows participants to share intelligence more rapidly, coordinate disruption actions that reflect local threat environments, and build operational playbooks that can later contribute to global disruption campaigns. When these regional communities are connected through a broader international framework, the result is a networked approach to cybercrime disruption that mirrors the distributed structure of the adversary ecosystem.
The broader shift underway in cybersecurity involves moving from a model focused primarily on detection and response toward one that targets the structural foundations of cybercrime itself. Mapping criminal ecosystems, coordinating intelligence across sectors, and conducting sustained disruption campaigns against infrastructure and financial networks allows defenders to weaken the systems that allow cybercrime to scale.
No single organization can achieve this outcome alone. Cybercrime is a global challenge that requires coordination among governments, technology companies, financial institutions, international organizations, and cybersecurity researchers.
Conversations like that at RSAC demonstrate how collaboration can move from informal coordination to structured global action. As these efforts mature and expand, sustained disruption campaigns can gradually shift the economics of cybercrime toward higher risk, lower profitability, and greater accountability for those responsible.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。