What is a Cybercriminal? Types, Motivations, and Tactics Explained
A cybercriminal is an individual or group that uses computers, networks, or digital systems to commit crimes. Cybercriminals range from lone actors operating from home networks to organized criminal enterprises with dedicated development teams, customer support operations, and affiliate networks.
Cybercriminal Definition
A cybercriminal is any individual or entity that conducts illegal activities using digital technology. Cybercriminals may use IT systems as the means of carrying out traditional crimes such as fraud, theft, and extortion, or they may target IT systems themselves through attacks such as unauthorized access, data theft, and service disruption.
The legal definition of cybercriminal activity varies across jurisdictions, but common elements include unauthorized access to computer systems, theft of digital assets or data, and the use of digital infrastructure to facilitate crimes that cause harm to others.
Types of Cybercriminals

Hackers
The hacker category encompasses a wide range of actors. Black-hat hackers conduct unauthorized intrusions for malicious purposes. Grey-hat hackers operate without explicit authorization but may claim benign intent. Script kiddies use pre-built tools without deep technical understanding, focusing on volume rather than sophistication.
Ransomware Operators
Ransomware operators develop or procure ransomware code, identify and compromise targets, deploy the encryption payload, and negotiate ransom payments. Many operate through affiliate models, recruiting other cybercriminals to conduct intrusions while taking a percentage of ransom payments.
Identity Thieves
These cybercriminals collect, steal, and sell personal information. They may operate their own data theft campaigns through phishing and credential stuffing, or purchase stolen data from others and use it for fraud, account takeover, or resale.
Insider Threats
Employees, contractors, or other insiders who misuse legitimate access to cause harm. Insider threats may be financially motivated, coerced by external actors, or acting out of personal grievance.
State-Sponsored Actors
Nation-state-linked threat actors conduct espionage, intellectual property theft, infrastructure attacks, and disinformation campaigns. These actors typically have significant resources, long time horizons, and sophisticated toolsets. The line between state-sponsored actors and independent cybercriminals can be blurry, as some nation-states contract independent groups or provide protection in exchange for targeting restrictions.
Hacktivists
Hacktivists conduct attacks in support of political or ideological causes. Website defacement, DDoS attacks, and data leaks from targeted organizations are common tactics.
What Motivates Cybercriminals?
Financial gain is the dominant motivation across the cybercriminal landscape. Ransomware, fraud, data theft, and credential markets are all primarily financially motivated operations.
Espionage motivates state-sponsored actors seeking intelligence, intellectual property, or strategic advantage over adversaries.
Hacktivism drives groups motivated by political causes, environmental concerns, or social justice issues to conduct attacks against organizations they oppose.
Cyberterrorism involves attacks intended to cause fear or disruption at a societal level, often targeting critical infrastructure.
Revenge or personal grievance motivates some insider threats and some targeted attacks against specific individuals or organizations.
Notoriety and challenge motivate a smaller segment, particularly in the script kiddie and grey-hat categories, who primarily seek recognition within hacker communities.
How Cybercriminals Operate: Tools and Tactics
Phishing
Social engineering emails that trick recipients into revealing credentials, clicking malicious links, or opening malicious attachments. Phishing is the most common initial access vector across all categories of cybercriminal.
Malware deployment
Custom or purchased malware provides persistent access, data exfiltration, and additional payload delivery capabilities after initial compromise.
Ransomware
Encryption of victim data combined with demands for payment. Modern ransomware operations add data exfiltration and threat of publication to increase pressure.
Social engineering
Beyond phishing, attackers manipulate people through phone calls (vishing), SMS (smishing), and in-person approaches to obtain access credentials or sensitive information.
Credential stuffing
Using large collections of previously leaked username/password pairs to attempt access across multiple platforms, exploiting password reuse.
Exploit kits
Automated toolkits that test visiting browsers and plugins for known vulnerabilities, deploying payloads against those that are unpatched.
Understanding TTPs (tactics, techniques, and procedures) is central to the threat intelligence discipline and enables defenders to anticipate and detect cybercriminal activity before damage occurs.
Cybercrime-as-a-Service and the Dark Web
The Dark Web has transformed cybercrime into a service industry. Cybercriminals with technical skills sell their tools and services to those without those skills, dramatically lowering the barrier to entry and increasing the volume and diversity of attacks.
On Dark Web markets and Telegram channels, buyers can purchase:
- Malware-as-a-Service: Ransomware, banking trojans, and remote access tools available on a subscription or profit-sharing basis
- Ransomware-as-a-Service: Affiliate programs that handle the ransomware development and payment infrastructure while affiliates conduct the intrusions
- Stolen Credential Markets: Databases of username/password pairs, session cookies, and complete account packages
- Telegram-Based CaaS: Fast-moving criminal services operating through encrypted Telegram channels, including phishing kits, money laundering services, and cashout operations
This infrastructure enables individuals with minimal technical skill to conduct sophisticated attacks by purchasing capability from the criminal service market.
How to Protect Against Cybercriminals
Multi-factor authentication
MFA prevents credential theft from being immediately converted to account access, the most common next step after phishing.
Patch management
Cybercriminals actively exploit known vulnerabilities. Automated patch management that minimizes the window between disclosure and deployment removes a significant attack surface.
Employee security awareness training
Phishing is the most common entry point. Training that includes realistic simulations reduces the likelihood of successful social engineering.
Threat intelligence
Understanding the TTPs of threat actors relevant to your industry allows you to prioritize controls and tune detection around the most likely attack patterns.
Zero trust architecture
Removing implicit trust from the internal network, requiring continuous authentication and authorization for all resource access, limits what attackers can do after initial compromise.
Incident response planning
Having a tested response plan reduces time-to-containment when an attack occurs.
How SOCRadar Threat Intelligence Tracks Cybercriminals
SOCRadar monitors cybercriminal activity across Dark Web forums, Telegram channels, and paste sites. Threat actor profiles track the TTPs, infrastructure, and targeting patterns of known criminal groups. When a cybercriminal group announces targeting of a specific sector, releases new malware, or sells access to a compromised organization, SOCRadar surfaces this intelligence for the affected organization’s security team.
Frequently Asked Questions
What is a cybercriminal?
A cybercriminal is an individual or group that uses computers, networks, or digital systems to commit illegal acts including theft, fraud, unauthorized access, and extortion.
What motivates cybercriminals?
Financial gain is the dominant motivation, followed by espionage, hacktivism, and in some cases personal revenge or notoriety.
What is the difference between cybercrime and cybercriminal?
Cybercrime refers to the illegal activity. A cybercriminal is the person or group committing it.