You’ll Pay For That! - The Shopping Model for Crime
- Sam Cockbain

- Nov 13
- 11 min read
Updated: Nov 14

Key Takeaways
Crime-as-a-Service (CaaS) has transformed cybercrime into a commercial ecosystem, lowering the barrier for anyone to commit complex attacks.
Ransomware-as-a-Service (RaaS) remains the most profitable and damaging CaaS model, driving record global and UK cybercrime losses.
CaaS markets thrive on anonymity, cryptocurrency, and specialisation, mirroring legitimate tech-industry dynamics.
UK law enforcement and policymakers are responding with proposed bans on ransom payments and mandatory incident reporting.
Disrupting CaaS requires international cooperation, stronger cyber hygiene, and cutting off criminals’ access to legitimate financial systems.
Add To Cart: Crime-as-a-Service
Crime-as-a-Service (CaaS) is transforming the criminal underworld into a subscription-based, online-shopping-style economy in which illicit tools and expertise are sold just like legitimate software. The term refers to a criminal business model in which specialised actors package and sell illicit tools, expertise, or platforms to others. Much like legitimate software-as-a-service offerings, CaaS commoditises criminal activity: inexperienced offenders can ‘subscribe’ to or buy ready-made malware kits, ransomware programs, phishing platforms, money-laundering services, hacking tools, and more. In effect, CaaS democratises cybercrime.
Commentators note that it “involves the developers of hacker tools and apps charging via a subscription model” so that “just about anyone sitting behind a VPN can carry out a crime anonymously anywhere in the world”. The UK’s National Cyber Security Centre (NCSC) describes today’s environment as a “global, skilled, commercial cyber intrusion sector”. Advanced hacking tools are proliferating on criminal markets, lowering barriers to entry and putting sophisticated tradecraft “in the hands of a far wider range of relatively unskilled actors”.
In practice, CaaS providers resemble legitimate vendors. They advertise on dark web forums or encrypted messaging channels, sell “kits” (e.g. malware generators, phishing templates), often for a fixed fee or subscription, and may even offer customer support. For example, a ransomware developer might build and update encryption malware and then recruit ‘affiliates’ who hand over a percentage of any ransom collected. One industry blog explains that ransomware-as-a-service (RaaS) operators “create and maintain malicious software, and ‘affiliates’ – the people launching the attacks – pay for access. In return, the developers often take a cut of the ransom profits”. Similarly, phishing-as-a-service offerings provide platforms for sending large-scale email scams, and DDoS-for-hire (‘booter’) services launch distributed-denial-of-service (DDoS) attacks on demand; neither requires technical skill from the buyer. Customers simply pay the vendor (often in cryptocurrency) and the vendor handles the technical execution. In effect, CaaS vendors do all the ‘groundwork’ for a crime. As one summary notes, “with CaaS, a customer with criminal intent does not need to have any technical knowledge or coding skills to launch an attack. The CaaS vendor performs all the groundwork to launch a successful cyberattack (for a fee)”.
CaaS is not limited to software. Organised crime groups also outsource other tasks via service models. For example, criminals lacking money-laundering expertise can hire specialists or legitimate business fronts to handle their illicit proceeds. Industry analysts note that “as legitimate business structures evolve… criminal groups turn to freelance specialists for money laundering, cyber-attacks, forgery and logistics,” creating a growing market of CaaS providers. Even long-standing illegal activities – such as financial fraud, corruption, or trafficking – now often incorporate digital tools offered as services. In short, any crime with a technical component can be packaged as a service. The EU’s 2025 Serious and Organised Crime Threat Assessment notes that this pervasive digital enablement of crime means that “nearly all forms of serious organised crime (SOC) have a digital footprint,” from trafficking to corruption.
CaaS’ Subscription Model
CaaS operates on underground markets and encrypted platforms. Criminals offering services may set up password-protected websites or dark-web marketplaces, advertise on crime forums or messaging apps, and accept payment in Bitcoin or in privacy-focused cryptocurrencies. They often rely on ‘bulletproof hosting’ (providers, usually in jurisdictions with weak enforcement, that ignore abuse complaints and takedown requests) to keep illegal infrastructure online. The typical value chain is:
Service Provider (Vendor): Vendors develop an illicit product or service (e.g. a ransomware strain, a phishing kit, a botnet). They then maintain the tool, offer updates, and may run a ‘helpdesk’ for affiliates. They also set prices (sometimes as low as a few dollars).
Affiliates/Customers: These are purchasers who lack the skills to build attacks themselves. They buy or lease the service, then execute attacks on targets (companies, individuals, governments). Profits (e.g. ransom payments) are often split, or the affiliate pays a flat fee.
Infrastructure and Support: Many CaaS schemes include ancillary services. For example, a RaaS operation might offer cryptocurrency laundering services or a forum to sell stolen data. Vendors may recruit money mules (to move stolen funds) or provide training on using the tools.
Criminals increasingly outsource specialisms via CaaS: Europol reports that services like Initial Access Brokers (who sell footholds into already-compromised networks, typically stolen credentials or remote-access logins) and Crypter-as-a-Service (tools that obfuscate malware so that security products fail to detect it) are now commonplace, helping even amateur criminals launch sophisticated attacks. Similarly, phishing kits (templates and email lists) can be obtained cheaply. Phishing-as-a-service has become a ‘pay-to-play’ industry enabling attackers to send mass emails with minimal skill. In short, CaaS vendors package complex crimes into user-friendly services. Tools and platforms range from the simple (e.g. buy-an-attack apps) to highly structured schemes (multi-tiered affiliate networks with corporate-like hierarchies).
Key characteristics of CaaS include:
Commoditisation: Criminal tools are standardised products. Ransomware kits, for example, can be purchased off the shelf. The threat has become so commoditised that criminals can now launch ransomware attacks without writing a single line of code — all it takes is a subscription and access to a Telegram channel.
Low Barriers to Entry: Attackers often spend little for high impact. Phishing kits or basic malware tools can cost as little as $50, making crime accessible to novices.
Affiliation and Revenue Sharing: Many schemes use affiliate models. RaaS developers recruit affiliates on Telegram or forums and take a cut of each successful extortion, blurring the line between tool developer and attacker.
Anonymity and Outreach: Encrypted communication and dark web markets let sellers and buyers stay anonymous yet global. They advertise their ‘brands’ on closed forums much like legitimate services.
Together, these features form an underground marketplace where crime is sold ‘as a service’ to anyone with money and ill-intent.
Buy One Get One Free: Types of Crime Enabled by CaaS
Crime-as-a-service applies most obviously to cybercrime, but its scope is broad. Major categories include:
Ransomware-as-a-Service (RaaS): RaaS is possibly the highest-profile CaaS model today. As mentioned above, developers create ransomware strains and rent them to affiliates. Victims’ systems are encrypted and data is stolen; the affiliate negotiates payment (often through a ‘support’ portal run by the operator) and then shares the proceeds with the developer. The NCSC warns that “ransomware remains one of the most acute threats facing the UK”, whilst the UK Government says that “the most common business model is RaaS”. Prominent RaaS operations include LockBit and Black Basta: according to US intelligence, LockBit alone was responsible for 24% of global ransomware attacks in 2023. Analysts note that modern RaaS operations resemble corporate enterprises, complete with admin dashboards, support staff, and tiered pricing.
Malware-as-a-Service (MaaS): Beyond ransomware, any malicious software (trojans, spyware, botnets) may be sold or rented. Service providers offer botnet rentals (for DDoS or spam), credit-card-skimming code, keyloggers, and more. For example, booter/stresser services sell DDoS attacks on demand. Some reports estimate the total market for malware services is in the tens of billions of dollars.
Phishing-as-a-Service: Phishing kits (webpage templates, mailing lists, credential-harvesting tools) are marketed to criminals. These ‘PhaaS’ offerings often come with automation and obfuscation, enabling large-scale email scams. Trends indicate phishing attacks are surging, in part driven by these services. Victims include businesses and individuals, with UK banks reporting hundreds of millions in losses from online scams.
Credential and Data Services: Stolen data (login credentials, personal identities) is sold on marketplaces. Attackers can simply purchase lists of breached usernames and passwords or credit-card numbers, or buy synthetic identities assembled from stolen records. This ‘data-as-a-service’ feeds into fraud and account-takeover schemes, effectively outsourcing identity theft.
Infrastructure and Support Services: Beyond attack tools, CaaS covers the plumbing of crime: bulletproof hosting, dark web server rental, cryptocurrency laundering and mixing services, hacking tutorials, and even helplines. For instance, some services advertise ‘mule networks’ to convert stolen funds into untraceable cash, or offer to hold illicit proceeds out of reach of investigators.
Physical Crimes Facilitated by Digital Tools: While less common, CaaS also touches traditional crimes. Reports exist of ‘contract killing’ sites or kidnapping-for-hire offers on the dark web, though these are rare and often sting operations. More prevalent are crimes like credit card cloning, phone-scamming, or travel fraud where online tools from CaaS are used. International criminal networks similarly outsource tasks such as smuggling logistics or document forgery to specialist providers.
In short, CaaS spans a wide spectrum. Any crime that can be aided by technology or specialist know-how is increasingly offered on a service model. Europol notes that corruption and sanctions-evasion services are even part of this ecosystem – criminals can act as ‘corruption brokers’ or help illicit actors bypass financial embargoes in exchange for safe haven or payoffs. Meanwhile, the same digital platforms also serve violent crime groups and espionage actors. In effect, the criminal market for ransomware, malware, and phishing “is growing and resembles the dynamics of the legitimate industry”, with sellers openly marketing to buyers on the dark web.
CaaS as a Trendsetter
Crime-as-a-service is a rapidly growing trend worldwide. Major intelligence and law-enforcement reports sound the alarm:
Global escalation of CaaS-driven cybercrime: While exact figures for CaaS-only cybercrime losses are scarce, the broader cybercrime economy is forecast to cost approximately $10.5 trillion annually this year, with double-digit year-on-year growth (approximately 15-22%) in recent years. Given that CaaS is a key growth driver (with underground vendor revenues estimated at upwards of $1.6 billion per year), it is reasonable to infer a similarly steep increase in CaaS-driven activity this year. Europol’s Internet Organised Crime Threat Assessment (IOCTA) highlights that malware attacks and ransomware remain the top cyber threats, and that criminals are increasingly selling cybercrime tools and services via underground markets. The NCSC forecasts that by 2030 a full “cyber intrusion ecosystem” will exist, making advanced hacking and surveillance capabilities available to new actors. Put simply, as high-end cyber-tools proliferate commercially, more attackers can afford them: illicit cryptocurrency flows now top $51 billion annually, and the average ransomware demand in the UK is around £1.6 million. These figures underscore why governments classify ransomware and related cyber extortion as issues of national security.
UK trends – surging ransomware and fraud: The UK specifically has seen alarming increases in CaaS-facilitated crimes. Government data show that ransomware incidents reported to regulators hit their highest level since 2019 in 2023. Private-sector reporting to the National Crime Agency indicates the number of UK victims named on ransomware “data leak” sites doubled since 2022. SMEs have become prime targets: one industry report notes that smaller organisations often lack the cyber defences of large firms, and warns that 88% of SME breaches involved ransomware (compared to 39% in larger firms). These trends reflect CaaS realities – affordable ransomware kits let attackers hit more soft targets.
Fraud losses in general also underscore the problem. UK Finance reports that £1.17 billion was stolen through payment fraud in 2024, a number largely unchanged from 2023. Importantly, about 70% of authorised push-payment fraud (where victims are tricked into sending money) originated online. Law-enforcement analysis observes that organised groups are heavily involved as stolen funds often funnel into the pockets of serious criminals.
Service providers in UK organised crime: Government assessments note that Crime-as-a-Service is now embedded in the fabric of UK organised crime. In its 2024 strategic assessment, the UK’s National Crime Agency (NCA) reported that Serious Organised Crime (SOC) groups are diversifying across multiple illegal markets “enabled by online connectivity… and reliance on the specialist services offered by ‘crime as a service’ providers”. In other words, UK gangs are actively using CaaS to expand into areas like cyber fraud, financial crimes, and more. This diversification means criminals with traditional backgrounds can now easily access tech-enabled crime capabilities.
Global organised crime analysis: The EU’s 2025 Serious and Organised Crime Threat Assessment (SOCTA) and UN/Interpol reports similarly describe a shift to digital. Investigators see criminal networks recruiting younger, tech-savvy members and blurring the lines between different crimes. Online markets have made crimes like drug trafficking or human smuggling more efficient by outsourcing tasks – for example, one report points out that even drug gangs now use cryptocurrency mixers to launder profits, rather than relying solely on cash networks. These trends are often interconnected: data breaches at major companies create troves of personal information sold on illicit markets, which fuel identity theft and financial fraud – again illustrating a broad CaaS ecosystem.
In summary, every indicator is rising. Cybercrime losses are higher than ever, the variety of CaaS offerings is expanding, and victims range from governments and hospitals (e.g. NHS, Royal Mail) to ordinary citizens (phishing and card fraud targets). Public awareness is growing – in 2024, 74% of Brits said they are concerned about ransomware and online fraud. Law-enforcement successes only highlight the scale of the problem: recent cross-border operations have arrested CaaS vendors and seized equipment enabling thousands of crimes, yet underground markets for malware and phishing services continue to flourish.
The Threat Landscape: Why It Matters
The rise of CaaS has profound implications. First, it expands the threat landscape as crimes once requiring technical skill can now be carried out by novices, dramatically increasing potential attackers. Criminal profits fuel more organised crime and even state-level operations (some governments outsource cyber-attacks for plausible deniability). The societal cost is high: ransomware can halt hospitals or infrastructure, fraud drains billions from the economy, and stolen personal data fuels further crimes.
To combat CaaS, experts emphasise a multi-pronged approach:
International Law Enforcement and Collaboration: CaaS is global, so police and intelligence agencies must cooperate. Joint operations targeting marketplaces, takedowns of CaaS platforms, and extraditions of top operators are crucial. For example, a recent Europol-coordinated raid (Operation SIMCARTEL) dismantled a network providing anonymising SIM-boxes for fraud, arresting seven suspects and seizing 1,200 devices. Europol’s IOCTA report underlines that disrupting CaaS markets is a top priority. The NCA continues to lead such efforts domestically and with international partners. Cross-agency task forces also share intelligence on crypto-cash flows and dark-web transactions.
Private-Public Partnerships and Cross-Sector Action: Banks, tech firms, and telecom companies play a key role. Financial institutions already block many fraud attempts (UK banks prevented £1.45 billion of fraud in 2024), but more is needed. The industry calls for “closer working together” and sharing of threat data with law enforcement. Telecom and hosting providers must cooperate in taking down CaaS infrastructure, while social media and email platforms should improve filtering to block malware and phishing tools.
Stronger Cyber Defences and Resilience: Organisations and individuals must adapt to the reality of CaaS. This includes:
o Enforcing multi-factor authentication, so that credentials bought from a broker do not on their own grant access
o Regular, tested backups held offline or otherwise out of reach of the attacker, to limit ransomware impact (backups restore availability but do not address the data-theft half of double extortion)
o Network segmentation, to limit how far a single foothold can spread
o Employee training to resist phishing
Even as criminals digitise, “it follows that law enforcement must too” – investing in threat hunting, OSINT and cyber forensics. Many agencies now use AI-driven monitoring to detect CaaS activity on the dark web or track criminal payments. Experts also stress cyber hygiene and awareness – with humans as the usual weakest link, educating staff and the public about common scams can reduce successful attacks.
Legal and Regulatory Measures: Legislation can help shrink CaaS markets. For example, the UK is considering rules to ban ransom payments and force prompt cyber-incident reporting, aiming to undermine criminals’ business model. Stricter regulations on cryptocurrencies and online anonymity (subject to privacy laws) could raise the cost of doing CaaS. Prosecuting customers of CaaS (not just the sellers) is also a deterrent, though attribution can be difficult.
Cutting Off Funding at the Source: A key insight from Europol and experts is to target the money flows that sustain CaaS. Freezing and seizing stolen assets can disrupt entire networks: the EU-SOCTA notes that cutting criminals off from integrating their profits into the legal economy is essential. This means intensified anti-money-laundering efforts, especially in crypto. Initiatives like the Financial Action Task Force (FATF)’s work on virtual assets and blockchain analysis tools help trace ransom payments back to perpetrators.
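The tracing the previous paragraph refers to is, at its core, following outputs forward across a transaction graph until the funds reach an address an analyst can attribute (an exchange deposit) or an address where attribution breaks down (a mixer). The following is an added illustration, not code from the original article or from any blockchain-analysis vendor: a breadth-first trace over a small constructed transaction graph (`TXS`), with constructed analyst labels (`LABELS`) standing in for the exchange and mixer intelligence that real tools obtain from partners. Address and transaction names are invented.

```python
from collections import deque

# Constructed toy transaction graph (not real chain data). Each transaction
# records the addresses it spends from and the addresses it pays to.
TXS = {
    "tx1": {"inputs": ["victim_wallet"], "outputs": ["ransom_addr"]},
    # Affiliate splits the ransom: one part towards cash-out, one towards a mixer.
    "tx2": {"inputs": ["ransom_addr"], "outputs": ["hop_a", "hop_b"]},
    "tx3": {"inputs": ["hop_a"], "outputs": ["exchange_deposit_1"]},
    "tx4": {"inputs": ["hop_b"], "outputs": ["mixer_pool"]},
    # Mixer combines many users' coins; outputs can no longer be tied to inputs.
    "tx5": {"inputs": ["mixer_pool", "unrelated_x", "unrelated_y"],
            "outputs": ["mixer_out_1", "mixer_out_2"]},
    "tx6": {"inputs": ["mixer_out_1"], "outputs": ["exchange_deposit_2"]},
}

# Constructed analyst labels (assumed to come from exchange/KYC partners).
LABELS = {
    "exchange_deposit_1": "exchange",
    "exchange_deposit_2": "exchange",
    "mixer_pool": "mixer",
}

# Labels at which the trace stops: an exchange is where a subpoena can put a
# name to the funds; a mixer is where on-chain attribution is no longer sound.
TERMINAL_LABELS = {"exchange", "mixer"}


def build_spend_index(txs):
    """Map each address to the transactions that spend from it."""
    spent_by = {}
    for txid, tx in txs.items():
        for addr in tx["inputs"]:
            spent_by.setdefault(addr, []).append(txid)
    return spent_by


def trace_forward(start, txs, labels, max_hops=10):
    """Breadth-first trace of funds leaving `start`.

    Returns one record per terminal address reached, each with the hop path
    from `start`. The trace deliberately does not continue past a mixer, so
    anything downstream of it (here exchange_deposit_2) is not attributed.
    """
    spent_by = build_spend_index(txs)
    results = []
    seen = {start}
    queue = deque([(start, [start])])
    while queue:
        addr, path = queue.popleft()
        if len(path) - 1 >= max_hops:          # bound the search depth
            continue
        for txid in spent_by.get(addr, []):
            for out in txs[txid]["outputs"]:
                if out in seen:
                    continue
                seen.add(out)
                new_path = path + [out]
                label = labels.get(out)
                if label in TERMINAL_LABELS:
                    results.append({"address": out, "label": label,
                                    "via": txid, "path": new_path})
                    continue                   # do not follow past a terminal
                queue.append((out, new_path))
    return results


def attributable_exchanges(results):
    """Exchange deposits reachable without crossing a mixer."""
    return [r["address"] for r in results if r["label"] == "exchange"]


if __name__ == "__main__":
    for r in trace_forward("ransom_addr", TXS, LABELS):
        print(f"{r['label']:8s} {r['address']:20s} via {r['via']}: "
              + " -> ".join(r["path"]))
```

Run against the constructed graph, the trace reports exchange_deposit_1 (two hops, reachable for a records request) and mixer_pool (where the second branch of the ransom went cold). exchange_deposit_2 is not reported, because claiming that mixer_out_1 carries the ransom funds would require assumptions the chain data alone does not support; real tools apply heuristics and off-chain intelligence at that point, which is exactly why mixers feature in the laundering services CaaS vendors sell.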
In conclusion, Crime-as-a-Service represents a major shift in the threat landscape. It lowers the technical barrier for crime, broadens organised-crime reach, and turns illegal skills into marketable products. Leaders in law enforcement emphasise that combating CaaS requires adapting strategies, including breaking up service marketplaces, working across borders and sectors, and building resilient systems. As UK economic crime experts warn, criminals are always looking for new ways to exploit victims, so a proactive and informed response is needed. Stakeholders from police to private industry and the public must recognise CaaS as a critical threat driver and collaborate to mitigate it. Vigilance, technology, and international cooperation will therefore determine whether crime-as-a-service will remain or can be contained in the coming years.