efitz 4 hours ago

I’ve been on the defender side of security my whole career.

I know in some markets crime pays more than legitimate work, but it never ceases to amaze me how much thought, effort, planning, and engineering goes into providing infrastructure IT services for cybercriminals. The people involved definitely have the skills to be profitable at legitimate work; it just puzzles me that they choose to support criminals.

Aurornis 4 hours ago | parent | next [-]

I watched the downfall and eventual jailing of someone who had a great job, career, and family after he started getting involved in cybercrime.

As far as I can make sense of it, he enjoyed the thrill of feeling superior to others: Evading the law, exploiting people who he viewed as stupid, and enriching himself in the process.

He got caught through a mistake that was really dumb in retrospect. I think he believed his intellectual superiority combined with the stupidity of others so much that eventually he couldn’t imagine anyone catching him.

kspacewalk2 3 hours ago | parent | next [-]

> As far as I can make sense of it, he enjoyed the thrill of feeling superior to others: Evading the law, exploiting people who he viewed as stupid, and enriching himself in the process.

I sadly see this pattern of thinking far more often than I want to in my fellow eastern Europeans.

meindnoch an hour ago | parent | next [-]

That's just what 40 years of communism does to a society.

elmomle an hour ago | parent [-]

If communism is the cause, then why would this same mentality be such a massive problem in America?

locknitpicker an hour ago | parent [-]

> If communism is the cause, then why would this same mentality be such a massive problem in America?

By communism I don't think people talk about the philosophical basis of an idealized society, but the totalitarian regime that oppresses a society and keeps the working class constantly in survival mode under the risk of losing it all.

kirubakaran 3 hours ago | parent | prev [-]

Let's not generalize, even if you feel like you can say that because you're a member of a group you're generalizing. It's unfair to most of the people in any group being generalized.

quantummagic 2 hours ago | parent [-]

Stereotypes exist for a reason. It's exhausting having to address this concern trolling every single time they're mentioned. Nobody thinks everyone in the group conforms to the stereotype. And they certainly don't need your white knighting.

kirubakaran 2 hours ago | parent [-]

It isn't "concern trolling" or "white knighting" to call out racism or bigotry, and expect some decency in the discussion. If it is "exhausting" for you to be propagating unfair stereotypes, perhaps stop your bad behavior?

JCTheDenthog an hour ago | parent | next [-]

Your comment assumes, a priori, that the stereotypes are in fact "unfair". I don't know enough about cybercrime rates per capita amongst Eastern Europeans vs. other populations to be able to say if it is actually an unfair stereotype, but it is an indisputable fact (supported by virtually every jurisdiction that tracks crime rates by things like national origin, ethnicity, etc.) that there are population level differences in crime rates.

hermannj314 2 hours ago | parent | prev [-]

I don't think a person saying Eastern Europeans are observed doing something more than expected is inherently racist. It is a claim he either does or doesn't have evidence for.

If he made the claim with insufficient evidence or made the claim in contradiction of the evidence, then it becomes racist, but I don't think making the observation and doing the calculation is the racist part. It is a simple chi-squared goodness-of-fit test.

Swizec an hour ago | parent [-]

I’m eastern-ish european, is it even racist to say that tech talent in the region is through the roof but for various accidents of history, the best opportunities available to talented people are in cybercrime (both sides)?

Not everyone has a hundred tech unicorns in their back yard. I think my country (Slovenia) produced one in its entire history so far and even that was mostly in the US

KellyCriterion 2 hours ago | parent | prev | next [-]

sounds like Markus Braun & Jan Marsalek / Wirecard, the fraudsters :-D

cm2012 2 hours ago | parent | prev | next [-]

Sounds like Breaking Bad

redsocksfan45 4 hours ago | parent | prev [-]

[dead]

thewebguyd 3 hours ago | parent | prev | next [-]

It's not easy to go legit, especially in today's job market, depending on where you live in the world also.

The US is unique with its high salaries for tech work (on the lower end of those of high salaries is pure ops work like this though). If you're in a country where the average sysadmin salary is substantially lower (to pick on Eastern Europe for a minute, you're looking at the equivalent of ~$30-35k USD/year), it's not hard to see why it's tempting to go the cybercrime route.

locknitpicker 39 minutes ago | parent | next [-]

> to pick on Eastern Europe for a minute, you're looking at the equivalent of ~$30-35k USD/year

This is a disingenuous claim. Not only are there software engineers in rich western European countries that in absolute terms earn less than that but also your east European software engineer still earns multiple times their country's average salary.

r_lee 2 hours ago | parent | prev [-]

why is this downvoted?

KellyCriterion 2 hours ago | parent [-]

...because on HN, experiences which somehow contradict the perspective when salaries are highly varying across countries, esp. when someone decides to pick an explicit example, which, even if it shows the truth, is against the base-assumption of the reader of a comment.

To put it somehow diplomatic :-D

parliament32 3 hours ago | parent | prev | next [-]

Imagine working for an organization where 1) cybersecurity is actually the #1 priority, ahead of "shareholder value" and all the other gobbledygook, 2) you get to design systems where you actually have to assume that every other entity is malicious (not the usual carve-outs like "oh yeah we do zero trust.. but our entire management plane is Azure-managed it's unavoidable"), 3) your budget is effectively unlimited, and 4) you get paid several factors more than you would in private industry.

davidwritesbugs 2 hours ago | parent | prev | next [-]

In a previous life I've employed contractors and software engineers to run a criminal website. Motivations for my guys were that it was well paid work that was technically challenging in order to evade enforcement agencies, and was 'fun' in that respect; they were "sticking it to the man" (my service was regarded as moral by all my users & others); and there wasn't so much work about that they could pick and choose; lastly, I was a good employer because I had to be!!

derefr an hour ago | parent | prev | next [-]

I wouldn't advise thinking of it as "providing infrastructure IT services to cybercriminals", as if these people are primarily IT people, running primarily infrastructure, who just happen to favor this audience.

I would rather advise thinking of these efforts as various cybercriminal groups going through the schlep of setting up their own backend IT infrastructure for their own use (because they couldn't find anyone to host them); and then, with built infra in hand, either:

1. realizing that their own needs were emblematic of a more-general unmet market demand for "don't ask, don't tell" hosting, and so branching out into hosting as a secondary business;

2. taking the charade of a hosting company they made up when e.g. registering for an ASN, and deciding that the more real they make that charade, the more it protects them; and so slapping together a facade of a hosting site (that serves no real customers and has no real control-plane);

3. or deciding that having real customers with actual legitimate traffic coming from their ASN further legitimizes them (and makes other ASNs more wary to just block them wholesale), and so actually standing up the facilities of your average VPS provider on some single sad box somewhere — probably running some turn-key IaaS appliance (usually not OpenStack, more likely some shoddy old thing they bought on a cybercrime marketplace);

4. or (and I think this is the most common route) chatting with cybercriminal friends of theirs, and those friends hitting them up for hosting when they realize that they've actually built something out for themselves; and this gradually just evolving into a de-facto hosting arm of the business (as they accept more of these "high-touch" word-of-mouth customers; eventually begin to feel burdened by manually configuring their systems to accommodate these customers; and so begin to automate things.)

fancythat 2 hours ago | parent | prev | next [-]

Because they cannot be profitable. Job market is not the same on both ends. If you are east European and you try to get a job in an international corporation, they in all cases offer salaries adjusted for regional averages, unless you are willing to relocate. Only a few startups and FAANG-like companies offer compensation in line with what is received in the western world.

And there is also a thrill of doing it, which other guys already mentioned.

r_lee 4 hours ago | parent | prev | next [-]

> The people involved definitely have the skills to be profitable at legitimate work; it just puzzles me that they choose to support criminals.

I don't think it's that easy to go legit. having a tech job nowadays is already a luxury

sandeepkd 2 hours ago | parent | prev | next [-]

If we use one of the comments from here that it was done at the behest of some government then it's more like the offensive team of a legitimate government. Pretty much everything can be colored grey that way and one just needs to find people that they can persuade or convince for their cause.

SoftTalker 3 hours ago | parent | prev | next [-]

Some people are just born into it. Mafia families, etc. There were some very smart people in the American mob, running scams that were immensely profitable. Eventually they get caught though, and with the ease and pervasiveness of electronic surveillance today, it's pretty much impossible to do it anymore at least if you're anywhere where the authorities care about it (edit to add: and aren't in on it).

seibelj 2 hours ago | parent [-]

[dead]

amelius 4 hours ago | parent | prev | next [-]

Cybersecurity is always last on the budget list. It is not easy to make money working in cybersecurity.

The only upside here is that criminals will (through legislation) eventually force companies to invest more.

cookiengineer 26 minutes ago | parent | prev | next [-]

This black hat and white hat kind of thinking and the idea that everything is because of money... is a pretty outdated view of the world.

The people in question, for example, are technically not criminals in Russia. Hacking is specifically allowed except for former states of the Soviet Union (which technically includes Ukraine but anyways).

Then there's a lot of legitimate pentesters that did responsible disclosures, did everything correct, and still got sued by a stupid company. Because the law never ever protects whistleblowers. After the 10th lawsuit even the best pentesters with the best moral code are indebted so many human-lifetimes-worth that they eventually just sell their exploits.

So you saying "it's bad criminals" that do this is in itself a pretty luxurious perspective to begin with.

Everyone is the hero of their own story. Especially considering that there is a lot of ongoing (cyber/hybrid) wars, where people lost their families and everything they hold dear, and have only this option left as a means to do something about it.

Nobody is born a criminal. It's our fucked up justice system and economy that creates them.

dist-epoch 3 hours ago | parent | prev [-]

You fail to take into account the ideological angle.

Some people are ready to die for their beliefs. Others just to run businesses supporting their causes.

3 of the 4 persons named have Russian links (a large number of Moldovan citizens are ethnic Russians).

spwa4 3 hours ago | parent | next [-]

> Some people are ready to die for their beliefs.

Really? Because while I've seen this, rarely, in individuals. In many cases once you start tracing money the amounts involved in many "die for their beliefs" situations is absurd. Terrorism, for example.

cpursley 3 hours ago | parent | prev [-]

What point are you trying to make other than bigotry? Ethnic Russians are not the only Eastern Europeans perpetuating cyber crime. Anyways, Nesterenko is a Ukrainian surname - at least get your racism correct.