The Business of Hacking
An Interview with Vladimir Kropotov, Expert in Cyber, AI, Future Technologies and Risk Advisor, Principal Researcher at Trend Micro
October 29, 2025

Cybercrime is no longer a fringe activity carried out by isolated individuals. It has become a sophisticated, multi-billion-euro business sector that rivals legitimate industries in scale, structure, and adaptability. Most public reporting explains how an attack happened and what the consequences were once discovered. This is understandable, since victims only learn the full story after the damage has already occurred. Yet this narrow focus leaves major questions unanswered. How do criminals choose which organisations to target? To whom do they sell stolen data? Do they coordinate territories like the mafia of the twentieth century? Who controls the cyber underground?
To understand the modern business of hacking, you need to observe criminal ecosystems from within. Threat researchers infiltrate closed forums and marketplaces, trace transactions routed through anonymous networks, and continuously map how criminals innovate and communicate away from the public eye.
ITnation spoke with Vladimir Kropotov, Principal Researcher at Trend Micro and one of Europe’s leading analysts of global cybercrime operations. His work tracks the evolution of criminal infrastructure, financial flows, and the tactics used by the most advanced illicit hacking groups in the world. In this interview, he reveals how targeted cyber-attacks have become, how geopolitical conflict is reshaping the criminal landscape, and why artificial intelligence now sits at the heart of cyber extortion.
Are random cyber-attacks truly random?
Kropotov responds immediately.
“Over a decade ago criminals targeted organisations with a view to compromise infrastructure. This remains true today; the only difference is that criminals have specialised their approach.”
Instead of breaking into a system and discovering later whether anything valuable exists, cyber criminals now make much more informed decisions. Some operate as so-called “initial access” brokers, meaning they specialise in breaching the first point of entry to an organisation. They collect and sell stolen passwords, credentials, browser cookies, or remote access tools to other criminal groups that want to monetise specific assets.
“The hacked final organisation is random and will only discover it after their exposed assets have been taken,” he explains, but the initial access broker often already knows the commercial value of what they are selling.
Clouds of logs, credential marketplaces, and big data analytics have changed the game. Criminals now possess millions of stolen logins and can enrich those data sets with contextual information to determine which accounts belong to a Fortune 500 bank or a large industrial manufacturer.
“They identify among the random millions of passwords they own which ones belong to the organisations with higher monetisation potential.”
The evolution of ransomware: extortion without encryption
The early era of ransomware was crude. Victims were instructed to send small payments via SMS or gift cards. Bitcoin transformed the business model overnight by enabling anonymous, cross-border payments. Ransom demands rose from hundreds, to thousands, and eventually millions of dollars. “Criminals now review individuals to identify at what level they are within the company, what is the revenue of the company and what are the best ways to monetise it.” Today, extortion groups no longer need to lock systems. Leaked personal or regulated data already places victims under severe pressure due to regulatory fines, contractual breaches, and reputational damage.
“Ransomware is still in fashion, but it is evolving,” Kropotov stresses.
“The extortion leverage could be created based on the potential charges for their publication of personal information.”
A crucial development is the use of large language models.
“LLMs’ capabilities to analyse new types of media have changed the playing field,” he says. Criminals can identify sensitive content in documents, recognise faces in images, and map relationships between employees. They can uncover evidence of tax evasion, internal disputes, or misconduct. When the attacker already has powerful leverage, encryption becomes unnecessary.
Software ransomware may decline, but extortion options are increasing.
Has the Russia-Ukraine conflict reshaped the hacking ecosystem?
Before 2022, hacker groups in Russia and Ukraine collaborated on underground marketplaces, although they did not trust each other. They built internal safeguards designed to protect their criminal enterprise from infiltration and betrayal.
During the conflict, some groups aligned with their respective governments.
“For example, we saw some groups like start to take sides since part of their members were Russians and Ukrainians. So the conflict did disrupt some groups, but for others it was business as usual.” Meanwhile, sanctions created unintended opportunities for cybercriminals.
“MasterCard and Visa left Russia,” Kropotov notes, “and many companies do not want to supply electronics.” Criminals stepped in to fulfil the demand. They use stolen credit cards to purchase goods such as MacBooks and iPhones in Europe or the United States, then smuggle them into Russia. Some advertisements show a premium of 30 or 40 percent being charged by sellers.
Cybercrime often thrives where legitimate trade collapses.
Are hackers in Ukraine government-backed?
Kropotov is cautious.
“I do not have direct visibility on this,” he says, although he acknowledges “aligned actions” that appear to support national objectives. However, without concrete evidence, attribution remains speculative. “There are a lot of indicators that at least part of the activities matched government interests,” he concludes.
China and Russia: convergence or competition?
The Russian-speaking cyber underground remains the most advanced when measured by sophistication. However, Chinese hackers lead in mobile-focused attacks. Trend Micro analysts have discovered evidence of collaboration, such as criminal forum images containing Chinese characters. New AI translation tools remove language barriers entirely, enabling closer collaboration, and LLMs let criminals understand one another with culturally accurate messages.
Should Europe fear Chinese hardware?
Governments across Europe have debated the risks of deploying Chinese-made telecom infrastructure or connected devices. Concerns include espionage and hidden vulnerabilities.
Kropotov urges a broader view. “The correctness of that conclusion is limited because the way the question is phrased suggests you have an issue with China,” he says. The central challenge is sovereignty and supply chain control. “If it is not European hardware, some will raise the issue of sovereignty. But as long as the equipment is complying with the local regulations then this may be a false fear.”
He questions why certain countries are considered safe by default while others are categorised as a threat. The issue is dependency, not nationality. “Dependency is a leverage,” he states plainly.
AI and the future cyber imbalance
Europe lags significantly behind the United States and China in high-performance computing, energy affordability, and data availability. These constraints directly hinder AI progress.
“It is like a 100 meters sprint,” Kropotov says, “and everybody warmed up and right before the start Europe is getting a 20-kilo backpack on the shoulders before running and trying to run at the same speed.”
Strict GDPR protections make it difficult to use personal data to train competitive models. Meanwhile, consumer privacy is already limited through social media and smartphones. “You need energy and you need data,” he states. “Both are more expensive or more restricted in Europe.”
Do users overtrust AI?
Academic research confirms that people trust AI-generated medical and financial guidance. This is dangerous.
“Most advice is generated by statistical models which are the best effort answers to your questions based on the training data. Models generate plausible-sounding content even when they lack sufficient evidence. Silence is not an option, so they fabricate.”
“One of our researchers searched on a very narrow field about cybersecurity,” he explains. Only two academic publications existed. The AI system returned seventeen citations, fifteen of which “were non-existent articles which were never published.”
Hallucination is not merely a technical flaw; it creates new attack surfaces.
Connected vehicles: safety or surveillance?
Autonomous transport promises safety improvements, yet it also introduces unprecedented cyber exposure. “An automated car is like having a smartphone on wheels,” Kropotov notes. Cars record location histories, behavioural patterns, voice commands, and in some cases interior video. Smart assistants now integrate vehicle controls with home automation.
“If a connected car is compromised your sensitive data may also be accessed. It will be possible to trace the exact geolocation of the car. This creates physical security risks for public figures. Criminals can conduct espionage without leaving a trace. Police could be tipped off to staged incriminating evidence.”
“Nobody will consider the car as paparazzi,” he warns, “but the car has cameras which can record anything around technically.”
The attack surface extends far beyond the vehicle itself.
The dangers of premature conclusions
After years investigating major incidents, Kropotov draws one essential lesson about human behaviour. “In my experience when I was defending big organisations, around 95 percent of attacks from so-called state sponsored attackers or advanced persistent threats were very simple in terms of sophistication.”
“During the early stages of the Russian-Ukrainian conflict, when the first sanctions were imposed in 2014-2015, a factory in Russia, which was running on western equipment, experienced power outages.” The narrative aligned perfectly with geopolitical tensions. The reality was less sensational.
“We dedicated five days to this,” he says, “and we found the root cause was not related to cyber security.” An employee’s USB drive had introduced ordinary malware and the equipment shutdown resulted from a faulty electrical contact.
The moral is straightforward.
“As long as people get answers that meet their narrative they stop investigating the root cause.”
Cyber security requires curiosity, not assumptions.
Final Reflection
The business of hacking has matured into a globally organised economy that seeks maximum return on investment. It leverages the same AI technologies that power legitimate innovation. It adapts to geopolitical instability and supply chain disruption faster than most governments can legislate. Above all, it sees every piece of digital infrastructure as a potential asset to control or exploit.
Cybercrime thrives when organisations underestimate adversaries, overestimate technology, or allow ideology to shortcut investigation. Vigilance means understanding the criminal business model, not only reacting to its consequences.
Kropotov summarises it best.
“The current world is full of speculations.”
Only by pursuing evidence rather than assumption can defenders keep pace with a cybercrime industry that continues to grow in intelligence, collaboration, and ambition.