When most people think about cybercrime, they picture a hacker. While attackers certainly remain central to the story, this perspective overlooks a much larger reality. Modern cybercrime depends on an extensive infrastructure that resembles the logistical backbone of legitimate business operations.
Cybercrime is more than hackers
A successful ransomware group, phishing operation, or online fraud network cannot function without servers, domain names, communication platforms, payment systems, and technical support.
Behind every major cybercrime campaign lies an ecosystem of providers supplying the digital equivalent of warehouses, transportation networks, and office space.
In many cases, the individuals responsible for maintaining this infrastructure never participate directly in attacks. Their role is simply to provide services that others can use.
The rise of the underground service economy
Over the past decade, cybercrime has evolved from a collection of isolated actors into a mature underground economy. Specialisation has become the norm.
Some groups focus exclusively on developing malware, while others specialise in obtaining stolen credentials, laundering cryptocurrency, or selling access to compromised systems.
The emergence of ransomware-as-a-service illustrates this transformation particularly well. Groups such as LockBit built affiliate programmes that closely resembled legitimate software businesses.
Affiliates gained access to ransomware tools, infrastructure, and technical support in exchange for a share of the profits.The operators focused on maintaining the platform while others conducted the attacks.
This division of labour allowed the organisation to scale rapidly across multiple countries and industries.
Infrastructure is the product
This evolution has lowered the barriers to entry for aspiring criminals. An individual no longer needs advanced technical skills to launch phishing campaigns or distribute ransomware.
Instead, many can purchase ready-made tools, rent infrastructure, and outsource specialised tasks to experienced providers.
The result is a thriving service economy where cybercrime has become increasingly accessible to individuals who possess criminal intent but limited technical expertise.
The central role of infrastructure
Infrastructure sits at the centre of this ecosystem. Every phishing website requires hosting. Every botnet requires command-and-control servers. Every data theft operation needs storage and communication channels.
The 2021 attack against Colonial Pipeline highlighted how dependent criminal operations are on infrastructure. Although public attention focused on the ransomware itself, the attack relied upon a supporting network of servers, communications systems, and financial channels that allowed the perpetrators to coordinate activities and receive payment.
The attack demonstrated that ransomware is rarely a standalone tool. It is one component within a much larger operational framework.
Designing for survival
Sophisticated criminal groups understand that discovery is inevitable. Rather than assuming they can remain hidden indefinitely, many design their operations around resilience.
This became evident during repeated law enforcement actions against the malware network known as Emotet. Before its disruption, Emotet had developed a reputation for rapidly rebuilding portions of its infrastructure when servers were identified and removed. Redundancy, decentralisation, and rapid deployment allowed operators to recover from disruptions that would have crippled less mature operations.
Many legitimate businesses would recognise these practices as business continuity planning.
Targeting the ecosystem
One of the most important lessons for defenders is that infrastructure often represents a more valuable target than individual malware samples. Security teams can spend years analysing malicious code, but disrupting the services that support thousands of attacks can have a far greater impact.
The dismantling of the Avalanche Network Takedown demonstrated this principle. Rather than focusing on individual cybercriminals, investigators targeted an infrastructure platform that supported phishing campaigns, malware distribution, and money laundering activities. The result affected hundreds of criminal operations simultaneously.
Cybercrime is therefore best understood not as a collection of attacks, but as an interconnected system of services and providers that enable digital crime on a global scale.