Charting the Future of Organised Crime – and the UK’s Response

Last month the National Crime Agency (NCA) published its National Strategic Assessment of Serious and Organised Crime (SOC). It highlights each of the threats the Agency is focused on tackling, from firearms and drugs to child sexual abuse, modern slavery, human trafficking and economic crime. For the first time ever, the top headline this year is not about criminal behaviour; rather, it is about how much more vulnerable we all are to becoming victims. Changes in organised crime are being driven, more than anything else, by our routine dependence – in our personal and working lives – on online services. Indeed, the majority of crime now occurs online or is enabled by online resources. We have all become more vulnerable to organised crime as a result of living more of our lives online.

Online serious and organised crime is causing increasing harm to people across the UK. Examples of how serious and organised criminals are taking advantage of this trend range from the disruption to public services caused by ransomware, with serious impacts to NHS services in Scotland and Southeast England over the last few months, to the life-changing financial and psychological impact of fraud committed online. A major fraud platform shut down by the NCA last month had an estimated 170,000 victims across the country; for those who reported to Action Fraud, the average loss was £9,400. The sexual abuse of children is not new, but has been fuelled by online connectivity facilitating offenders’ easy access to thousands of children, allowing them to share child sexual abuse material widely and normalising, enabling and radicalising abuse – including commissioning the rape of children overseas to watch live without leaving their home. Crimes not traditionally associated with the internet are also affected: social media connects human traffickers with their desperate victims, and enables direct sales of synthetic opioids, substances which have caused 300 deaths in the UK over the last 15 months as they are up to 300 times more potent than heroin; it also facilitates the sharing of blueprints for 3D-printed firearms which can evade physical border controls. Finally, beyond the core SOC arena, encrypted messaging is used to spread viral mis/disinformation, and social media apps allow trolls to egg each other on to greater levels of intimidating abuse, particularly against women and minorities.

The online revolution is also changing the fundamental business model of criminality. Data breaches may give criminals a person’s username, passwords or financial data, or key material for social engineering. Successful techniques are optimised more quickly and deployed at astonishing scale – at first by criminal participants, and then by larger numbers of coerced victims in places like West Africa and the Golden Triangle in Southeast Asia. We are now increasingly seeing criminals use technology and AI for automation, removing people as the limiting factor for scale. Online connections also enable laundering the proceeds of crime. Cryptocurrency is a critical enabler, linking cash-generating criminals such as drugs gangs with fraud outfits and ransomware operators looking to cash out their crypto gains. 

States contribute in many ways: by harbouring and in some cases inspiring cybercriminals as a semi-detached and deniable means to pressure their adversaries; by developing new tradecraft for cyber exploitation or concealing financial flows themselves and allowing these to proliferate to criminal groups; by permitting corrupt use of state-level tools by officials for criminal gain; and even, as the US cyber security agency revealed last month, by directly enabling ransomware attacks. The online world is likely to see the most significant development of further state–criminal connections in the coming years.

Four specific shifts will be needed in order for us to address these changing threats that are harming people across the UK. Together, these amount to a local to global response. First, being digital and online-savvy is now the price of entry in tackling crime for mainstream law enforcement throughout the world, not just specialist cybercrime units. This means the skills we require from our people are changing; our partnerships are powered by data sharing – both between governments and with industry; and our use of technology increasingly determines the scale of our success. Second, investigative capabilities will need to match the speed of cyber. Cumbersome international processes such as International Letters of Request will need to be supplemented by tipping between like-minded jurisdictions that is quick enough to seize and freeze criminal gains. Third, the companies that provide and profit from our new online world of course play a critical role – at their best, implementing inspired and thoughtful changes to design out vulnerabilities exploited by criminals. We need much more of this to keep society safe. And fourth, we must recognise that justice will not be achieved as often through a conviction in a UK court: a fraudster with victims throughout the world may be best dealt with in the country where they are apprehended, and so we must pay even more attention to asset freezing and recovery. For criminals in uncooperative jurisdictions, sanctions and travel bans need to be streamlined. And we can scale up cyber disruption, leveraging the same characteristics of the online environment that are at the root of the problem.

The reality is that rapid online innovation brings risks as well as benefits for criminals. Competition has always been fierce, and just as in other industries, online connectivity is opening markets to new entrants. But increasingly, groups that do not adopt the latest technology to connect and scale their enterprises risk becoming uncompetitive and falling prey to those that do. And often, that technology can be what leads to their downfall. Many serious offenders who flocked to a criminally dedicated, supposedly secure communications platform were exposed after law enforcement infiltrated the service in 2020. Over 12,800 years of sentences have been given in the UK alone from the evidence gathered from this system.

To optimise their use of online services, criminal groups have tended to specialise and become more dependent on other groups. The availability of ‘as a service’ offerings for ransomware and fraud, alongside AI adoption, has lowered barriers to entry and enabled harms at greater levels of sophistication, pace and scale. These two developments – forced adaptation and leveraging others – together give law enforcement a strategy which is being increasingly widely adopted. By infiltrating supposedly secure criminal services and marketplaces, undermining criminals’ trust and confidence in their online relationships, and dismantling key nodes in the stolen data ecosystem, we are turning cybercriminals’ tools and approaches against them. 

The infiltration and disruption of the LockBit ransomware group, led by the NCA in February, is both significant in its own right and a useful case study. Indictments against the group’s leader and joint UK/US/Australian sanctions have also followed. LockBit’s many ‘affiliates’, who carried out the actual ransomware attacks using the service, are subject to ongoing investigations, fuelled by the detailed technical data we retrieved on them. Other ransomware outfits have had to distance themselves from the discredited group, and for their own security tend to refuse membership to LockBit’s former affiliates, reducing their ability to do us all harm at scale. The result has been an increasingly fragmented ecosystem, limiting the scale, sophistication and harm of their attacks.

Ultimately, our increasing use of and dependence on online services is changing the face of crime and markedly increasing the potential for criminals we will never meet to do us significant harm. Addressing these issues will require us to rethink how we seek justice and partner both within the UK and internationally. The signs of potential future success are already there, but there is a lot to do.

The views expressed in this Commentary are the author’s, and do not represent those of RUSI or any other institution.

Have an idea for a Commentary you’d like to write for us? Send a short pitch to commentaries@rusi.org and we’ll get back to you if it fits into our research interests. Full guidelines for contributors can be found here.