Elusive Cybercriminals, Tractable Intermediaries

By Chris Hoofnagle

Posted on May 21, 2018


My most recent article, with JD-Ph.D. student Aniket Kesari and NYU Professor Damon McCoy, chronicles how enforcers are using the law to police cybercrime. In “Deterring Cybercrime: Focus on the Intermediaries,” we explain how intellectual property owners, technology companies attempting to curb botnets, and law enforcement agencies employ a deterrence by denial strategy. Simply put, these enforcers are pursuing cybercriminals’ intermediaries: domain registrars, web hosts, payment providers, banks, and even shipping companies. By forcing intermediaries to drop users or to seize their funds, enforcers impose costs on cybercriminals and deny them the benefits of their activities. Enforcers do this with surprising speed and with broad remedies, in ex parte proceedings, suggesting the need for discretion and professional candor towards courts.


To illustrate this, we chronicle a single 2016 case where Luxottica*, a company that owns many sought-after brands of eyewear, sued 478 defendants that were allegedly infringing marks on over 1,000 domains.

  • Luxottica argued successfully for an initial remedy without notice, as the defendants were likely to move their operations
  • Luxottica argued successfully for e-mail notice to the defendants after the TRO was obtained
  • Luxottica did not engage in test purchases, but rather used one of its own investigator reports to determine the infringing nature of the sites

Just two months after filing the complaint, Luxottica had a final, default judgement in the case for $200,000 per defendant (in theory, up to $95 million). The company also obtained broad court-ordered relief covering many kinds of businesses (“including, without limitation, any online marketplaces such as iOffer, eBay, AliExpress and Alibaba, web hosts, sponsored search engine or ad-word providers, credit cards, banks, merchant account providers, third party processors and other payment processing service providers, Internet search engines…” that were “providing services for any of the Defaulting Defendants.”)

Image: Luxottica litigation

Luxottica’s need for special procedures was plausible, but when taken together, consider how the case presages automated justice that could trample the rights of online speakers. As enforcers recognize the utility of the deterrence by denial approach, we could see many more of these cases. We cannot assess the frequency of these suits, but they appear to be quite common. A search in Bloomberg Law's Dockets search for civil suits where Chanel was a plaintiff and the keywords "trademark infringement" and "domain" were present returned 163 results. The cases date back to 2001 and were initiated in federal courts all over the country. Twenty-six of the cases were "open" as of 2017 when we did the search.


Cybercrime Narratives


This team's work emphasizes themes from my earlier scholarship on cybercrime. Cybercrime is often presented as an intractable problem because it can be committed by users under a cloak of anonymity and committed from jurisdictions without effective rule of law. But in reality, much of cybercrime shares characteristics of ordinary businesses. Like ordinary businesses, financially-motivated cybercrime is an activity of scale, not a jackpot activity such as robbing a bank. It’s often boring and labor intensive, similar to the daily grind of licit businesses. For instance, my work on identity theft shows that it is easy to commit, yet criminals need teams of employees to make identities, obtain credit cards, purchase products, and then fence those products to convert credit into real dollars. One slip-up in opsec can endanger the whole operation.


In addition to relying on many different intermediaries, within intermediary verticals, there is a large amount of concentration. For instance, co-author McCoy was part of a team that found three banks responsible for the processing of payments associated with 95% of all spam. Similarly, in a study of illegal online pharmacies, I found that top-ranked sellers of drugs online had many shared dependencies, such as a common shopping cart or phone number for customer service.

Image: Online pharmacy network

Adding to this is the growth of specialization in cybercrime. With specialization come more actors, and more points where law enforcement can get lucky with a flipped witness.


Some Dependencies are More Critical than Others


Narrower gateways offer more powerful interventions. For instance, a prior study by author McCoy and collaborators found that payment platforms, because of their breadth and oligopoly status, have more power over cybercriminals than interventions in the DNS. There is more competition in domain name administration, and far too many top-level domains (e.g. .com, .net, and so on) to control the entire space. But even the payment field is complicated—author McCoy and collaborators have recently detailed the problem of bulletproof payment providers that ignore the counterfeiting activities of their merchants.


So what about cryptocurrencies? Won’t cybercriminals just shift to a less governed payment space? Not anytime soon, I predict. At least in the fields I have studied, cybercriminals need a broad consumer market, and so they must accept mainstream payment services (look at Backpage for an example—they were receiving millions in credit card purchases for “escort” services). Author McCoy and colleagues found that blocking DDoS-for-hire services from PayPal caused an almost immediate, short-term reduction in availability of such services. The McCoy team observed that a DDoS service that only accepted the cryptocurrency Bitcoin had a two percent rate of conversion to paid subscribers, while two competitors that accepted PayPal had fifteen percent and twenty-three percent conversion rates, respectively.




At Berkeley and elsewhere, investigators are performing interesting, provocative research into cybercrime. Often the investigations involve publicly-available data, because so much of the infrastructure of an illicit business needs to be spotlighted in order to attract customers. This research is shifting the popular narrative about cybercrime and elucidating interventions that are as troubling as they are effective.


*Luxottica Grp. S.p.A. v. The Partnerships and Unincorporated Associations Identified on Schedule "A," No. 1:16-cv-08322 (N.D. Ill. Aug. 25, 2016)