eCrime 2025 Accepted Peer-Reviewed Submissions
The 2025 papers probe the cybercrime experience, from marketplace formation to malware analysis evasion to new frontiers in money laundering and the behavioral aspects of predicting user risk.
Quantum-Enabled Cybercrime: A Portfolio Analysis of Cryptocurrency Theft and Double-Spending
Zhen Li (Albion College) and Qi Liao (Central Michigan University)
Research suggests that practical quantum computers capable of breaking current cryptographic systems may emerge within the next decade, posing a significant threat to cryptocurrencies. Quantum-capable adversaries could exploit this advantage to perform theft (by breaking digital signatures) and double-spending (by breaking hashing functions) attacks. This study examines the economically optimized strategies of such adversaries by modeling a portfolio of Bitcoin theft and double-spending attacks. We propose a novel quantum threat model and conduct simulations to evaluate the financial motivations of attackers and the resulting equilibrium prices under various threat scenarios. Our findings indicate that while early-stage quantum attackers may have short-term incentives, these incentives decline as their actions erode market confidence and cryptocurrency value, ultimately reducing future profitability. This self-defeating dynamic creates a natural economic threshold that helps stabilize the network in a post-quantum era.
Family Ties: A Close Look at the Influence of Static Features on the Precision of Malware Family Clustering
Antonino Vitale (EURECOM), Kevin van Liebergen (IMDEA Software Institute),
Juan Caballero (IMDEA Software Institute), Savino Dambra (Gen Digital), Platon Kotzias (BforeAI), Simone Aonzo (EURECOM), and Davide Balzarotti (EURECOM)
Malware family clustering plays a crucial role in many security tasks, including malware analysis, classification, labeling, triage, threat hunting, and lineage studies. This work takes a close look at the influence on malware family clustering of 11 popular static similarity features, including whole-file fuzzy hashes (e.g., SSDeep, TLSH), structural hashes (e.g., PE Hash, Import Hash, VirusTotal's VHash), certificate-based features, and icon-based features. Our goal is not to propose new features or clustering approaches. Instead, we aim to measure how often these 11 features make clustering errors, i.e., cluster together samples belonging to different malware families. We also investigate the root causes behind those errors, which often lead to misinterpretations of malware relationships, hinder effective threat detection, and propagate inaccuracies in downstream analyses. To study this phenomenon, we leverage three public datasets comprising 79,993 labeled Windows malware samples. We cluster those samples by using each of the analyzed features, measure their accuracy with a focus on their precision, and examine the reasons that caused some clusters to contain samples from different families. Our analysis identifies intrinsic limitations of some of the features and highlights the severe impact of EXE-building tools (like software protectors, installers, and self-extracting archives) on malware clustering. Finally, we discuss mitigations and evaluate potential improvements to address the problems we observed. Our findings provide a critical foundation for improving static malware clustering methodologies by emphasizing the importance of dataset curation and feature refinement for robust and precise clustering outcomes.
Catch Me If You Scan: A Longitudinal Analysis of Stalkerware Evasion Tactics
Anahitha Vijay (University of Cambridge), Luis A. Saavedra (University of Cambridge), Alice Hutchings (University of Cambridge)
Stalkerware—mobile software that enables covert surveillance, especially in intimate partner relationships—persists as a significant threat on the Android ecosystem despite platform-level policy and security enhancements. We present the first multi-application longitudinal analysis of the stalkerware ecosystem. We analyse 82 APKs from four prominent stalkerware brands sourced from official, third-party, and modded marketplaces, mapping their technical evolution against key policy and OS updates from 2012 to 2025. We find a strategic dichotomy in developer behaviour based on distribution channels. Applications distributed on third-party channels, away from Google Play, consistently target older, less-secure APIs to preserve invasive functionality, effectively ignoring platform policies. In contrast, developers on the Google Play platform respond reluctantly, often employing malicious compliance (e.g., obfuscated notifications) or strategic re-architecting (e.g., ‘split-app’ models) to circumvent rules while maintaining a market presence. Our findings suggest that platform policies displace rather than eliminate abusive functionality. By systematically documenting how stalkerware developers navigate and subvert platform governance, we provide a nuanced understanding of their adaptive capabilities, offering critical insights for developing more robust, future-proof detection and mitigation strategies.
"Send to which account?" Evaluation of an LLM-based Scambaiting System
Hossein Siadati (Cybera), Haadi Jafarian (University of Colorado Denver), Sima Jafaikhah (UNCW)
Scammers are increasingly harnessing generative AI (GenAI) technologies to produce convincing phishing content at scale, amplifying financial fraud and undermining public trust. While conventional defenses, such as detection algorithms, user training, and reactive takedown efforts remain important, they often fall short in dismantling the infrastructure scammers depend on, including mule bank accounts and cryptocurrency wallets. To bridge this gap, a proactive and emerging strategy involves using conversational honeypots to engage scammers and extract actionable threat intelligence. This paper presents the first large-scale, real-world evaluation of a scambaiting system powered by large language models (LLMs). Over a five-month deployment, the system initiated over 2,600 conversations with actual scammers, resulting in a dataset of more than 18,700 messages. It achieved an Information Disclosure Rate (IDR) of approximately 32%, successfully extracting sensitive financial information such as mule accounts. Additionally, the system maintained a Human Acceptance Rate (HAR) of around 70%, indicating strong alignment between LLM-generated responses and human operator preferences. Alongside these successes, our analysis reveals key operational challenges. In particular, the system struggled with engagement takeoff: only 48.7% of scammers responded to the initial seed message sent by defenders. These findings highlight the need for further refinement and provide actionable insights for advancing the design of automated scambaiting systems.
Inside LockBit: Technical, Behavioral, and Financial Anatomy of a Ransomware Empire
Felipe Castaño (Vicomtech), Constantinos Patsakis (University of Piraeus), Francesco Zola (Vicomtech), Fran Casino (Rovira i Virgili University)
LockBit has evolved from an obscure Ransomware-as-a-Service newcomer in 2019 to the most prolific ransomware franchise of 2024. Leveraging a recently leaked MySQL dump of the gang's management panel, this study offers an end-to-end reconstruction of LockBit's technical, behavioral, and financial apparatus. We recall the family's version timeline and map its tactics, techniques, and procedures to MITRE ATT&CK, highlighting the incremental hardening that distinguishes LockBit 3.0 from its predecessors. We then analyze 51 negotiation chat logs using natural-language embeddings and clustering to infer a canonical interaction playbook, revealing recurrent rhetorical stages that underpin the double-extortion strategy. Finally, we trace 19 Bitcoin addresses related to ransom payment chains, revealing two distinct patterns based on different laundering phases. In both cases, a small portion of the ransom is immediately split into long-lived addresses - presumably retained by the group as profit and to finance further operations - while the remainder is ultimately aggregated into two high-volume addresses before likely being sent to the affiliate. These two collector addresses appear to belong to distinct exchanges, each processing over 200k BTC. The combined evidence portrays LockBit as a tightly integrated criminal service whose resilience rests on rapid code iteration, script-driven social engineering, and industrial-scale cash-out pipelines.
Uncovering the Trust Signals Supporting Telegram’s Cybercrime Economy
Roy Ricaldi (Eindhoven University of Technology), Tina Marjanov (University of Cambridge), Luca Allodi (Eindhoven University of Technology), Alice Hutchings (University of Cambridge)
Telegram has become a central hub for cybercriminal activity, favored for its perceived privacy, user anonymity, ease of use, and the many features it offers. Unlike traditional markets on underground forums, Telegram lacks many structural elements of trust, such as stable identities and reputation within a community. This raises important questions about whether and how trust is built in these newer, more fluid marketplace environments. In our work, we characterize the Telegram cybercrime ecosystem by identifying key market segments and developing a framework of trust-building mechanisms that support trade within those segments. We apply this framework at scale across 1,116,071 messages from 167 Telegram cybercriminal communities. Our analysis shows that although trust signals are fewer than on forums and are often sparsely distributed, cybercriminals on Telegram still actively signal trust using various strategies, from proof-of-delivery and vouching messages to pinned rules and automated bots. To estimate how frequently these signals are actually encountered by users, we implement a Monte Carlo simulation that models cybercriminal browsing behavior across different market segments. Our results reveal that users in different segments are exposed to different levels and types of trust signaling, and that exposure varies significantly with time. Together, our findings suggest that Telegram differs substantially from cybercriminal forums in supporting cybercriminal activities, offering a fragmented but evolving economic ecosystem for threat actors to operate in.
ScanWars: (A Multi-network Approach to Detecting and Analyzing) The Rise of Scanning Activity
Beliz Kaleli (Palo Alto Networks, corresponding author), Fang Liu (Palo Alto Networks), Oleksii Starov (Palo Alto Networks), Tony Li (Palo Alto Networks), Manuel Egele (Boston University), Gianluca Stringhini (Boston University)
Scanning is a prevalent method used by threat actors to identify vulnerabilities in networks or systems for subsequent exploitation. Prior research has focused on signature or anomaly-based methods for detecting malicious traffic on limited datasets. However, there is a gap in the comprehensive understanding of scanning activity, particularly in the context of the Web. Our scanning detection system, DVader, leverages a unique vantage point that provides visibility over nearly 100,000 networks to monitor scanning patterns. We identify that scanning activity often causes sudden bursts in traffic that are distinct from typical user behavior. To detect scanning in mixed traffic (benign and malicious), we track unusual spikes in volume-based features, such as the total number of requests, and employ a machine learning model. We conduct the first large-scale longitudinal study of the scanning activity leveraging our multi-network approach. By analyzing the detections of our system, we provide insights into scanning activity. We detect 316 million scanning and exploiting requests between May 1, 2023 and May 1, 2024, 58% of which are directed at router vulnerabilities. We show that our system detects malicious URLs embedded in exploit requests before they were detected by VirusTotal vendors. We show that our system effectively detects emerging threats within mixed traffic through case studies of recent and notable vulnerabilities, such as those in Ivanti Connect Secure, Log4j, and Zyxel router Web UI.
Lost in Translation: Analyzing Non-English Cybercrime Forums
Mariella Mischinger (IMDEA Networks and Universidad Carlos III de Madrid), Jack Hughes (University of Cambridge), Fedor Vitiugin (University of Turku), Sergio Pastrana (Universidad Carlos III de Madrid), Alice Hutchings (University of Cambridge), Guillermo Suarez-Tangil (IMDEA Networks)
Cybercrime analysis and Cyber Threat Intelligence are crucial for understanding and defending against cyber threats, with online underground communities serving as a key source of information. Classification tasks are popular but demand significant manual effort and language-specific expertise. Prior work focuses on English-language forums, as non-English languages require fluent domain experts. We evaluate machine translation tools for suitability in preserving contextual information in posts and find GPT-4 is most reliable. We leverage existing underground forum post classification pipelines to compare their performance on translated text and original language text. We find classification performed on translated underground forum data is as effective as on original language text, enabling researchers to reuse existing pipelines. Finally, we investigate a fully machine-generated few-shot and zero-shot classification to reduce reliance on manual labeling, followed by a two-step machine-based classification, combining machine-generated labels with the existing classification pipeline. We find machine-based labeling causes errors to propagate downstream. For tasks requiring high-quality label creation, human expertise remains essential. Finally, we provide a qualitative evaluation of disagreements in annotator labels of the original language and the translations, as well as disagreements between annotators and machine labeling.
Just in Plain Sight: Unveiling CSAM Distribution Campaigns on the Clear Web
Nikolaos Lykousas (Data Centric), Constantinos Patsakis (University of Piraeus)
Child sexual abuse is among the most hideous crimes, yet, after the COVID-19 pandemic, there is a huge surge in the distribution of child sexual abuse material (CSAM). Traditionally, the exchange of such material is performed on the dark web, as it provides many privacy guarantees that facilitate illicit trades. However, the introduction of end-to-end encryption platforms has brought it to the deep web. In this work, we report our findings for a campaign of spreading child sexual abuse material on the clear web. The campaign utilized at least 1,026 web pages for at least 738,286 registered users. Our analysis details the operation of such a campaign, showcasing how social networks are abused and the role of bots, but also the bypasses that are used. Going a step further and exploiting operational faults in the campaign, we gain insight into the demand for such content, as well as the dynamics of the user network that supports it.
Beaver: Estimating Future Risks at Scale in Real-World Deployments
Marco Balduzzi (Trend Micro Research), Roel Reyes (Trend Micro Research), Jessica Balaquit (Trend Micro Research), Ryan Flores (Trend Micro Research)
Malware continues to pose a significant threat to organizations worldwide, with various forms of malicious software enabling criminal activities. To protect against these threats, security solutions such as anti-malware and intrusion detection systems have been introduced over the years. However, while these solutions work well, especially when combined, they tend to detect attacks only when they are already happening. In this paper, we adopt a proactive strategy aimed at anticipating threats before they occur. Building on previous work, we introduce a system that leverages the activities of users on their machines and over the Internet to predict future malware outbreaks. Our solution estimates the risk for different classes of malware, enabling organizations to proactively implement mitigation strategies tailored to their risk profiles. We deploy our implementation in a real-world setting and conduct a large-scale risk study across 10.7 million endpoints collected over a period of one month. Our empirical study provides insights on the behaviors that most significantly put users at risk, the categories of endpoints that are most vulnerable to specific malware, the distribution mechanisms used to operate malware campaigns, among other findings we share with the community.
The Dark Art of Financial Disguise in Web3: Money Laundering Schemes and Countermeasures
Hesam Sarkhosh Sarkendi (University of Waterloo), Uzma Maroof (University of Waterloo), Diogo Barradas (University of Waterloo)
The rise of Web3 and Decentralized Finance (DeFi) has enabled borderless access to financial services empowered by smart contracts and blockchain technology. However, the ecosystem's trustless, permissionless, and borderless nature presents substantial regulatory challenges. The absence of centralized oversight and the technical complexity create fertile ground for financial crimes. Among these, money laundering is particularly concerning, as in the event of successful scams, code exploits, and market manipulations, it facilitates covert movement of illicit gains. Beyond this, there is a growing concern that cryptocurrencies can be leveraged to launder proceeds from drug trafficking, or to transfer funds linked to terrorism financing.
This survey aims to outline a taxonomy of high-level strategies and underlying mechanisms exploited to facilitate money laundering in Web3. We examine how criminals leverage the pseudonymous nature of Web3, alongside weak regulatory frameworks, to obscure illicit financial activities. Our study seeks to bridge existing knowledge gaps on laundering schemes, identify open challenges in the detection and prevention of such activities, and propose future research directions to foster a more transparent Web3 financial ecosystem—offering valuable insights for researchers, policymakers, and industry practitioners.
Short Path to Phishing: Identifying Misused URL Shortening Services in the Wild
Zul Odgerel (Université Grenoble Alpes / KOR Labs), Yevheniya Nosyk (KOR Labs), Jan Bayer (KOR Labs), Sourena Maroofi (KOR Labs), Louis Bedeschi (KOR Labs), Andrzej Duda (Université Grenoble Alpes), Maciej Korczyński (Université Grenoble Alpes)
URL shortening services (USS) are commonly used to share long links, which avoids the limits on the number of characters imposed by online platforms. However, cybercriminals exploit these services to obscure link destinations, bypass security filters, and deceive users. Consequently, short URLs involved in phishing often appear on popular blocklists, which may trigger abuse notifications to registrars or top-level domain (TLD) registries. This misattribution forces them into manual investigations and consumes valuable time on abuse that is not under their direct responsibility. If the role of a domain as a shortening service is not recognized, it risks mistaken suspension despite most links being benign. We argue that addressing such abuse requires tailored mitigation strategies and that maintaining an accurate and up-to-date list of URL shortening services is essential. In this paper, we propose a classification model to determine if a given domain name belongs to a URL shortening service. We manually curate a ground truth dataset of 211 URL shorteners and collect three groups of features to further train two ML models. Our random forest classifier achieves 98.4% precision. We next apply our method to 1.5M unlabeled phishing URLs reported to APWG, OpenPhish, and PhishTank. Our model identifies 177 new USS in the wild, not previously seen in our ground truth. Finally, we measure the lifetime of malicious short links from the ten most abused USS, showing that the median mitigation time is within 48 hours. We commit ourselves to release the list of inferred URL shortening services to the community.
Is Ransomware an Economically Distinct Attack Type? An Event Study of Market Reactions
Ambarish Gurjar (Indiana University Bloomington), Dalyapraz Manatova (Indiana University Bloomington), Benjamin Staples (Indiana University Bloomington), Spencer Chambers (Indiana University Bloomington), Jean Camp (Indiana University Bloomington, corresponding author, ljcamp@iu.edu)
Ransomware attacks have emerged as a significant threat, but has this new mode of attack transformed the economic calculus of cybersecurity? Before the emergence of ransomware, vulnerabilities could be characterized largely as having high negative network externalities while also creating risks for vulnerable parties. However, with ransomware's rise, attackers can more directly extract payments. Such a shift may change negative externalities into directly tangible and quantifiable costs for affected firms.
To investigate whether ransomware victims internalize these costs, we compute Cumulative Abnormal Returns (CARs) around ransomware announcements. Specifically, we leveraged an Event-Study methodology to analyze CARs across various time windows for publicly traded firms that have been affected by ransomware. We examine the market responses and compare these with the previous work. Our results show a slightly significant positive CAR and only for the Information Technology and Communications industry firms. Additionally, the results show limited immediate market reaction and no significant response in other sectors.
Alternatively, it is possible that these findings imply that standard market valuations may understate the full economic impact of cybersecurity breaches, failing to incentivize adequate investment in risk remediation. Even though ransomware attacks combine loss of availability (from encryption), confidentiality (from data exfiltration), and potential integrity (from loss of control), we cannot conclude that ransomware as a whole is more than the sum of its parts in terms of market response.
Defense of the Clones: Securing Web Applications with Automatic Honeypot Generation and Deployment
Billy Tsouvalas (Stony Brook University), Nick Nikiforakis (Stony Brook University)
In this paper, we introduce Parallax, an automatic, application-agnostic, and resource-efficient web application honeypot generation and deployment framework. Parallax can generate honeypot clones of any live LAMP stack, without interfering with the availability of the web application, and deploys the clones alongside the original web application. In the Parallax-based network deployment, all attackers are seamlessly and covertly redirected to the honeypot clone, while benign visitors may continue their interaction with the original web application, same as before. Alongside Parallax, we introduce three independent sensitive data detection schemes, which we employ to isolate and replace the sensitive data of the original web application on the honeypot clone. As we allow attackers full interaction with all parts of the honeypot clone, we replace the sensitive data on the honeypot with realistic, context-aware, synthetic data using an LLM to ensure that none of the sensitive data of the original web application are compromised by attackers. To evaluate Parallax, we deploy it in the wild for five open-source web applications, and we examine the honeypot generation and deployment performance, as well as the interaction of attackers with the honeypot clones. Lastly, to evaluate the deceptive capability of the synthetically generated data, we conduct a large-scale user study and evaluate how well humans are able to differentiate between real and synthetic sensitive data.
SHADOWBOX: A Low-Artifact Framework for Analyzing Evasive Cyber Crimes
Javad Zandi (Florida International University), Lalchandra Rampersaud (Florida International University), Amin Kharraz (Florida International University)
Over the years, adversarial attempts against critical services have become more effective and sophisticated in launching low-profile attacks. This trend has always been concerning. However, an even more alarming trend is the increasing difficulty of collecting relevant evidence about these attacks and the involved threat actors in the early stages before significant damage is done. This issue puts defenders at a significant disadvantage, as it becomes exceedingly difficult to understand the attack details and formulate an appropriate response. Developing a robust analysis framework to collect evidence about modern threats has never been easy. One main challenge is to provide a robust trade-off between achieving sufficient visibility while leaving minimal detectable artifacts. This paper will introduce SHADOWBOX, an open-source, low-artifact and portable analysis framework that can provide system-wide monitoring capabilities while satisfying contemporary checks that are used by modern malicious code. We designed multiple deployment scenarios, showing SHADOWBOX's potential in evidence gathering and threat reasoning in a real-world setting. By making SHADOWBOX and its execution trace data available to the broader research community, this work encourages further exploration in the field by reducing the engineering costs for threat analysis and building a longitudinal behavioral analysis catalog for diverse security domains.
Infrastructure Patterns in Toll Scam Domains: A Comprehensive Analysis of Cybercriminal Registration and Hosting Strategies
Morium Akter Munny (California State University San Marcos), Mahbub Alam (Texas A&M University), Sonjoy Kumar Paul (Texas A&M University), Daniel Timko (Emerging Threats Lab / Smishtank.com), Muhammad Lutfor Rahman (California State University San Marcos / Smishtank.com), Nitesh Saxena (Texas A&M University)
Toll scams involve criminals registering fake domains that pretend to be legitimate transportation agencies to trick users into making fraudulent payments. Although these scams are rapidly increasing and causing significant harm, they have not been extensively studied. We present the first large-scale analysis of toll scam domains, using a newly created dataset of 67,907 confirmed scam domains mostly registered in 2025. Our study reveals that attackers exploit permissive registrars and less common top-level domains, with 86.9% of domains concentrated in just five non-mainstream TLDs and 72.9% registered via a single provider. We also discover specific registration patterns, including short bursts of activity that suggest automated, coordinated attacks, with over half of domains registered in the first quarter of 2025. This extreme temporal clustering reflects highly synchronized campaign launches. Additionally, we build a simple predictive model using only domain registration data to predict which scam domains are likely to be suspended (a proxy for confirmed abuse), achieving 80.4% accuracy and 92.3% sensitivity. Our analysis reveals attacker strategies for evading detection, such as exploiting obscure TLDs, permissive registrars, and coordinated registration bursts, which can inform more targeted interventions by registrars, hosting providers, and security platforms. However, our results suggest that registration metadata alone may be insufficient, and incorporating features from domain URLs and webpage content could further improve detection.
Unicorns in the Wild West: Empirical Analysis of Cybercrime Facilitated by Cryptocurrencies
Tyler Moore (The University of Tulsa), Arghya Mukherjee (The University of Tulsa)
The explosion of cryptocurrencies has created countless opportunities for abuse by cybercriminals. In theory, thousands of newly minted coins and tokens could offer miscreants the chance to hide illicit activities from view. In practice, most crypto-facilitated cybercrime transacts in Bitcoin and Ethereum, the two most popular cryptocurrencies. This paper seeks empirical answers to questions about which types of cybercriminal activities are undertaken using different cryptocurrencies. We focus on 406 widely traded cryptocurrencies, with a special focus on the 54 "unicorns" that have achieved market capitalizations exceeding $1 billion. Using summary statistics and regression analysis, we confirm that more popular coins are used in crimes more often. Ethereum is more likely to be used for cryptocurrency-enabled cybercrime, whereas Bitcoin is used more for legacy cybercrimes. We also present evidence that utilization in cybercrimes varies based on coin characteristics and popularity.
Department-Specific Security Awareness Campaigns: A Cross-Organizational Study of HR and Accounting
Matthias Pfister (University of Liechtenstein), Giovanni Apruzzese (University of Liechtenstein), Irdin Pekaric (University of Liechtenstein)
Many cyberattacks succeed because they exploit flaws at the human level. To address this problem, organizations rely on security awareness programs, which aim to make employees more resilient against social engineering. While some works have, implicitly or explicitly, suggested that such programs should account for contextual relevance, the common praxis in research is to adopt a "general" viewpoint. For instance, instead of focusing on department-specific issues, prior user studies sought to provide organization-wide conclusions by treating all participants equally. Such a protocol may lead to overlooking vulnerabilities that affect only specific subsets of an organization, and which can be (or are) exploited by real-world attackers.
In this paper, we tackle such an oversight. First, through a systematic literature review encompassing over 1k papers, we provide factual evidence that prior literature poorly accounted for department-specific needs. Then, building on this (worrying) finding, we carry out a multi-company and mixed-methods study focusing on two pivotal departments of modern organizations: human resources (HR) and accounting. We explore three dimensions: what specific threats are faced by these departments; what topics should be covered in the security-awareness campaigns delivered to these departments; and which delivery methods would maximize the effectiveness of such campaigns for these departments. We begin by interviewing 16 employees of a multinational enterprise, and then use these results as a scaffold to design a structured survey through which we collect the responses of over 90 HR/accounting members of 9 organizations of varying size. We find that HR and accounting departments face distinct threats: HR is targeted through job applications containing malware and executive impersonation, while accounting is exposed to invoice fraud, credential theft, and ransomware. Current training is often viewed as too generic, with employees preferring shorter, scenario-based formats like videos and simulations. These preferences contradict the common industry practice of lengthy, annual sessions. Based on these insights, we propose practical recommendations for designing awareness programs tailored to departmental needs and workflows.
Contextual Classification of Cybercriminal Posts Using Large Language Models: A Comprehensive Study on Tech Support Scam Marketplaces
Raghavendra Cherupalli (The University of Tulsa), Yi Ting Chua (University of Tulsa), Weiping Pei (University of Tulsa), Tyler Moore (University of Tulsa), Gary Warner (UAB - the University of Alabama at Birmingham)
In a tech support scam (TSS), cybercriminals impersonate legitimate service providers by mimicking the interactions consumers routinely have with companies. We conduct a comprehensive analysis of the supply side of the TSS ecosystem on Facebook, where groups operate as informal marketplaces that lack traditional trust or reputation metrics. The study utilizes an AI-driven technique to classify posts into different categories, based on labels derived from manual classification, using Gemma original and Gemma-3-12B large language models. In total, we categorized 381,843 posts across 90 groups made between April 2015 and March 2024. The results highlight different user types and their characteristics. We analyze the resulting posts to shed light on the various types of products and services offered by the groups. We also investigate the extent of specialization and generalization among cybercriminal participants. It is hoped that the detailed study on such ecosystems can aid law enforcement and policy efforts to identify suitable intervention points and effective countermeasures against the TSS ecosystem.
From Lamborghinis to Ladas: Empirical Analysis of LockBit's Business Operations
Ian Gray (New York University), Dalyapraz Manatova (Indiana University Bloomington), Kris Oosthoek (Delft University of Technology), Damon McCoy (New York University)
Since 2020, LockBit has operated as a ransomware-as-a-service (RaaS) platform, leasing their malware to affiliates who conducted attacks on their behalf. LockBit emerged as one of the most prolific ransomware groups globally. However, the operation faced significant law enforcement disruptions on February 20, 2024, and May 7, 2024, during Operation Cronos. On May 7, 2025, an affiliate panel database from LockBit 4.0 leaked, providing an opportunity to better understand the latest iteration of the ransomware operation. The leak occurred one year after the second phase of the law enforcement disruption, "Operation Cronos," which included a seizure of servers and infrastructure from LockBit 3.0.
In this paper, we present an empirical analysis of LockBit 4.0 business operations observed through the compromised affiliate panel data. Based on the leaked data, we construct an operational workflow of LockBit 4.0. Our financial analysis found that, post-Cronos interventions, LockBit 4.0 was operating in a degraded state. LockBit 3.0 affiliates achieved a 54% compromise-to-payment rate while LockBit 4.0 had an 11.5% rate, which represents a 4.7-fold decline.
The leaked LockBit 4.0 affiliate panel offers empirical insights into a major ransomware operation's post-disruption phase, highlighting both the effectiveness of coordinated law enforcement action and the challenges facing cybercriminal groups attempting to rebuild after takedown operations. Our analysis reveals that while LockBit appeared to resume their operations unabated, it was severely hampered by Operation Cronos. Given their downscaled operation, LockBit 4.0's affiliate recruitment slogan, "Want a Lamborghini" is more appropriately "Want a Lada," a cheaper Russian brand of Soviet-era automobiles.