The stereotypical image of a cybercriminal is that of a brilliant but socially awkward individual, usually wearing a hoodie, operating out of a basement and surviving on energy drinks and Hot Pockets. The reality is far more … corporate.

While the “lone wolf” hacker cliché might have been accurate 20 years ago, today’s cybercriminals are likely to be part of buttoned-down organizations with a structure similar to that of most legitimate businesses. According to a recent CNBC report citing research from IBM and Google, many of the world’s most notorious hacking groups operate with a top-down organizational structure featuring a CEO-like leader who broadly defines the organization’s goals and turns much of the detailed work over to a layer of middle management.

Many of these groups have developed formal hierarchies in which individual departments are assigned specific duties, with some responsible for developing malicious code while others work on delivery mechanisms and still others handle the actual data theft. They often have training programs for new employees and service agreements with their customers.

Caleb Barlow, the head of threat intelligence for IBM Security, told CNBC that these groups even follow a typical corporate work schedule. He noted that “they are active during office hours, they take the weekends off, they work regular hours, they take holidays.”

IBM created a graphic illustrating how different departments within a cybercrime organization worked cooperatively during a 120-day campaign to steal and destroy data at a Fortune 500 company. One group initially infiltrated the network, then other groups began compromising individual accounts and stealing credentials. Finally, a “clean-up crew” used malicious code to hide their tracks and destroy company data.

The Cybercrime Economy

It’s only logical that cybercriminals would organize themselves in such a way. After all, cybercrime is a lucrative business subject to the economic forces that would affect any other business. In fact, analysts with the cybersecurity company Bromium say the “cybercrime economy” was worth an estimated $1.5 trillion in 2018 – equal to the gross domestic product (GDP) of Russia. In fact, if cybercrime were a country, it would have the 13th highest GDP in the world.

The Bromium report claims that cybercrime has been “professionalized” as organizations increasingly adopt the “platform capitalism” model currently used by companies such as Uber and Amazon. In this model, the organization provides the hardware and software foundation on which customers can operate. In other words, they simply connect individuals with services. You could go to a Dark Web site and order a DDoS attack just about as easily as you could go to Amazon’s site and order a new television.

In fact, some of these criminal sites seem to mirror the Amazon structure, offering ratings, descriptions, reviews, services and even technical and customer support. These platforms improve the criminal “customer experience” and allow easy access to services and products that support cybercrime on a global scale.

Turf Wars

Like legitimate businesses, professionalized cybercrime groups also depend heavily on aggressive sales teams to grow their customer base. Sometimes, that even involves stealing a competitor’s customers. For example, the cybersecurity firm Intezer recently reported about an ongoing turf war between two cryptomining groups for control of numerous Linux cloud-based environments. The Pacha Group and the Rocke Group are both identifying and removing versions of each other’s cryptomining malware strains.

Cybercrime groups mimic legitimate businesses in other ways. For instance, there are signs that hacker groups are increasingly diversifying into new markets and industries. Bromium found that cybercriminals are reinvesting roughly 20 percent of their profits — up to $300 billion — to branch out into other criminal enterprises such as drug manufacturing, human trafficking, firearms and counterfeit goods.

The escalating profits associated with cybercrime have forced cybercriminals to create a more business-like structure for their organizations. Legitimate businesses can no longer assume that lone wolf hackers are their chief threat. They need to acknowledge this new class of cybercriminal and take steps to defend themselves from increasingly sophisticated attacks.