Collaborations between industry experts and the public sector are disrupting cybercriminals. Here’s how

An estimated 25.5% of the world’s population was impacted by cyber-enabled fraud in 2023. The impact of the profits this generates for criminals goes further than the immediate victims. In 2023, the United Nations reported that at least 220,000 people had been trafficked in South-East Asia, some from as far away as Africa and Latin America, and forced to run online scams. A new white paper from the World Economic Forum, Disrupting Cybercrime Networks: A Collaboration Framework explores how to build on the success of existing partnerships to accelerate the disruption of cybercriminal activities. Here we examine some of its learnings and recommendations.

The convergence of cybercrime and violent organized crime has also led to a cultural shift among cybercriminals, with new entrants to the cybercrime market less concerned about causing physical harm at scale. In June 2024, a ransomware attack on a blood test provider prompted the United Kingdom’s National Health Service to urgently call for blood donations and rearrange more than 800 planned operations after it lost the service’s ability to match patients’ blood.

Cybercriminals have increased the volume and impact of their activities by collaborating and mimicking business strategies to make their operations more efficient. Now, it's time for cyber-defenders to join forces and work together to stay ahead in the fight against cybercrime. The World Economic Forum’s Centre for Cybersecurity has released a framework to support operational collaborations that disrupt cybercrime at scale.

2024 has seen a string of successful disruption campaigns targeting cybercrime groups that could be a blueprint for tackling the problem. Law enforcement in Thailand and the Philippines successfully rescued hundreds of people from forced labour in cyber-scam farms and worked with the private sector to recover criminal profits. In West Africa and Latin America, operations supported by INTERPOL have led to coordinated arrests. In Europe and North America, collaborations between industry and law enforcement have led to unprecedented success in the disruption of cybercriminals’ technical infrastructure, creating new levels of risk for cybercrime service providers and the criminals who use them.

Cybercriminal groups have evolved into highly lucrative transnational enterprises linked by complicated networks of commercial relationships and supply chains. This allows cybercriminals to operate at scale and creates opportunities to make cybercrime less attractive through disruption and arrest, significantly altering the risk-reward calculus for perpetrators.

Operational collaborations increase the difficulty, costs and risk associated with executing cybercriminal activities. Cross-sector partnerships allow for the pooling of resources, leading to enhanced capabilities that individual organizations might not achieve alone.

The research developed by the World Economic Forum’s Partnership Against Cybercrime highlights three main pillars to build and sustain this type of collaboration: incentives to collaborate, structure, and governance and resources.

Successful operational collaborations to counter cybercrime need a clear mission to keep participants involved and working towards shared goals. Feedback and public recognition are also core to keeping momentum, showing individuals, organizations and stakeholders how their contributions make a difference. Peer-to-peer learning is also a key factor, providing experts with the technical knowledge required to combat cybercrime and build trust and foster long-term, personal collaborations between stakeholders.

Additionally, the research shows that successful collaborations incorporate strict governance of data and risk, a sharp focus on measuring impact and considerable flexibility on how exactly experts interact. The art of supporting formal and informal governance structures requires that a collaboration’s leadership and management be sensitive to participating organizations’ risk appetites and each participant’s ability to adapt how they work to the needs of the collaboration. While some parts of governance will be rigid, others will need to have space into which the collaboration can grow. Building a community and shared work culture requires time and incremental development so that the participants have sufficient trust in each other to work effectively.

A good example of this dual structure is the Cyber Threat Alliance (CTA). CTA members share timely and actionable information about cyberthreats, allowing them to enhance their products, better protect customers and more effectively disrupt cyberattacks. The CTA uses a platform that allows members to upload and access data about cyber threats in a standardized format. This system organizes information around key patterns and techniques used by attackers, making it easier for members to understand them and act on them. An algorithm scores each submission, rewarding members for sharing valuable and timely intelligence. This scoring creates a healthy sense of competition, further motivating members to improve the quality of their shared intelligence. With over 12 million data points exchanged monthly, this collaboration ensures CTA members have timely information, collectively strengthening global cybersecurity.

This dual governance fork can also be seen at work in the Cybercrime Atlas initiative. Launched in 2023 and hosted at the World Economic Forum Centre for Cybersecurity, the Cybercrime Atlas fosters collaboration among participants who build a shared understanding of cybercriminal networks using open-source intelligence. This information is then used to support community members to create friction across cybercriminal activities and to support action by public-sector agencies.

The starting point for the information is that it is open-source and shareable. Information only becomes sensitive as assessments of criminal activity are built around it. Because the underlying information is not sensitive, the Cybercrime Atlas was in a position to start research while relying on already accepted standards for information classification, such as the Traffic Light Protocol. This enabled a rapid setup of anti-cybercrime activities alongside the development of standard operating procedures by the Cybercrime Atlas expert community. As a result, within just one year of its launch, the Cybercrime Atlas supported two cross-border disruption campaigns in 2024.

Finally, effective operational collaboration in the fight against cybercrime requires a well-coordinated deployment of resources. Data feeds create a common language that facilitates clear communication across different organizations and sectors, ensuring that data from various sources is harmonized into comparable formats. Information security protocols safeguard shared intelligence against unauthorized access, breaches and data corruption.

Additionally, the exponential growth of cyberthreat data has placed significant demands on data storage and processing infrastructures. As data streams are continuously generated and shared across collaborative ecosystems, the infrastructure supporting data storage and processing must ensure that insights can be derived quickly and efficiently. Legal protocols formalize relationships between entities, clarifying roles and responsibilities, while ensuring compliance with international privacy standards. These frameworks support the exchange of actionable intelligence without compromising the confidentiality or integrity of sensitive data.

Alignment on legal requirements mitigates challenges related to jurisdictional issues, ensuring that intelligence and resources can be mobilized swiftly and securely across borders. Finally, human expertise and the continuous development of skills are critical resources in combating cybercrime. Collaboration fosters a knowledge-sharing environment in which best practices, lessons learned and advanced strategies can be disseminated throughout the community, ultimately enhancing the overall capabilities of the collective defence. The complexity and global nature of cybercrime demand that all these diverse resources work together to ensure a cohesive response.

When these three pillars are enacted simultaneously, collaboration can be accelerated to ensure the systemic disruption of cybercrime. A clear example of this is Operation Trust No One. Supported by intelligence from the US Department of Homeland Security and private-sector partners, such as the cryptocurrency exchange Binance, the Royal Thai Police (RTP) dismantled a major online crime group responsible for high-value scams that targeted Thai residents. Posing as trustworthy individuals, scammers used social media platforms to engage victims in long-term deception before persuading them to invest in fraudulent schemes. Through collaboration, the authorities managed to search over 70 locations, seizing luxury vehicles, property documents, cash and other high-value items worth billions of Thai baht. In particular, the data shared by the private sector allowed the RTP to track the movement of digital assets linked to fraudulent activities and facilitated the eventual arrests.

Likewise, the takedown of the online criminal service provider LabHost highlights how cooperation can lead to systemic disruption. The origin of the disruption was a private-sector collaboration, the Cyber Defence Alliance (CDA). This group of cybercrime investigators, funded by UK financial services, aim to provide insights that disrupt cyberthreat networks and enhance cybersecurity. The CDA shared leads with UK law enforcement who, with support from Europol, were able to share the information with partners in North America and Europe, gather intelligence on criminal activities and then use it to take down cybercrime services and make coordinated arrests.

The LabHost operation had such a high impact because it used capabilities across the affected organizations. Private-sector expertise was pooled, enhanced and shared via the CDA. Law enforcement was able to use this at scale thanks to facilitation through an international organization, in this case, Europol. After the arrests and the take-down of technical infrastructure were made public, cybercriminals using LabHost were sent short personalized 'LabHost Wrapped' videos. This gave a summary of the evidence gathered by law enforcement against the individual criminals. Focusing on brand destruction builds a sense of distrust and uncertainty among criminals, severely affecting the group’s reputation and modus operandi.

By strengthening collaboration, stakeholders improve their own defences and increase the costs for cybercriminals to enter the cybercrime market. Effective operational collaborations between the private and public sectors raise the personal cost of cybercrime through disruption to technical infrastructure and can increase the personal risk to cybercriminals of being arrested. When effective, these collaborations impose real costs on cybercriminals, diminishing their ability to cause harm.

Looking ahead, it is clear that continued success hinges on further developing these partnerships, integrating new technologies and fostering a culture of trust and knowledge sharing. Operational collaborations are not merely 'nice to have.' They are essential to mitigating the growing cyber threats facing societies globally. The progress made thus far is a testament to the power of collective action. With sustained commitment, it is possible to create a more secure and resilient digital future.