COORDINATE: A model to analyse the benefits and costs of coordinating cybercrime

Recent leaks (such as Conti) have provided greater insights into the workings of cybercriminal organisations. Just like any other business, these malicious actors strategically manage their processes in order to maximise their revenues. Coordinating different types of cybercrimes as part of a single attack campaign provides another opportunity for these criminal groups to improve the efficiency of their attacks. To investigate the promise of this “coordination” between cybercrimes in improving the financial gains realised by cybercriminals, we take a two-step approach. First, we perform a bibliometric analysis of past scientific literature discussing the concept of “coordination” with respect to cybercrime. Second, as a case study, analysing the attack chains of DDoS, phishing and ransomware attacks, we identify vantage points for potential coordination from an attacker’s perspective. Based on our findings, we propose a model (COORDINATE) to identify the types of potential cybercrime “coordinations”. COORDINATE considers three relevant types of coordination: direct collaborated coordination, indirect collaborated coordination, and opportunistic coordination. Given the advantages of coordinated attacks, our results suggest that one crime may provide opportunities for the next one, that coordinated attacks will become more prevalent, and that we may witness the development of a dynamic that leads to more online crime.


Introduction
Cybercriminals can achieve greater success in their endeavours by using a coordinated set of attack techniques in their strategy [1]. Maastricht University in the Netherlands was struck by a serious ransomware attack which led to attackers gaining access to the computers on December 23rd, 2019. The criminals obtained initial access by sending two phishing emails, where two employees clicked on the attachment [2]. Subsequently, the university decided to pay a ransom of 197,000 euros to get access to the data encrypted by criminals. However, not all victims of ransomware pay ransom when the demands are first made. For instance, Glen Dimplex Home Appliances was attacked in October 2020 and paid the ransom only when the attackers pressured the company by performing Distributed Denial-of-Service (DDoS) attacks [3]. These examples show that attacks that at first sight appear to be different attack events may be part of the same attack event. According to [4], these types of attack events are among the most aggressive and prevalent. We define coordination as the use of different attacks or crimes for a single attack event. Understanding coordination is essential to find effective and successful prevention strategies against cybercrime.
Costs and Benefits Coordinating Cybercrime Meurs, Junger, Abhishta, Tews, and Ratia
Most work on coordination of cyberattacks from a computer science perspective [5] focuses on attack coordination and orchestration. To the best of our knowledge, this is mostly theoretical and does not focus on specific cybercrimes. Another part of the research literature focuses on the cooperation of criminal actors from an economic [6,7] or criminological [8] perspective. However, in our view, collaboration and cooperation are different from coordination. As suggested previously, coordination is the use of different attacks or crimes for a single attack event. On the contrary, collaboration is when a group of malicious actors work on a shared objective. For example, malware developers and black-hat pentesters work together within a ransomware group [9]. Cooperation is when a group of malicious actors are working together to help accomplish the goal of one of the groups. Cooperation is a subset of collaboration. For example, a phishing group helps a ransomware group to get access to a network to install their ransomware. Collaboration and cooperation focus on the relationship between actors, whereas we are interested in the relationship between crimes. Also, we would like to stress that collaboration and cooperation are not mutually exclusive: within a single attack event, both can occur independently of each other.
Although coordinated attacks have been described by cybersecurity companies and blogs [10,11,12], to our knowledge no previous scientific research has systematically investigated coordinated attacks from an attacker's perspective using specific cybercrimes. Additionally, in this study we will argue that coordinated attacks could be more beneficial for the attacker and more severe for the victim than regular types of attack, and that the evolving cybercrime ecosystem will facilitate coordinated attacks in the future. Therefore, this study will focus on coordinated attack events.
We explore coordinated attack events by performing a systematic literature review of coordinated cyberattacks using a bibliometric mapping. Subsequently, we use that information to perform a case study on the coordination of three relatively frequent cybercrimes: DDoS, phishing and ransomware attacks. Previous research has focused on the understanding and prevention of these individual crimes and not their interaction [13,14,15]. We illustrate cases of coordination of DDoS, phishing and ransomware as described by the security industry and identify possible vantage points for attackers to coordinate these attacks. Subsequently, we propose COORDINATE: a model to describe different types of coordinated attacks and the benefits and costs for an attacker to decide to coordinate an attack. Overall, our work focuses on addressing the following research questions:
(i) What is the current state of literature on the coordination and collaboration of cybercrimes?
(ii) What are the costs and benefits for an offender to decide to perform a coordinated attack or not?
The contributions of this work are twofold:
1. A bibliographic mapping of previous academic literature on coordination and collaboration of cybercrimes;
2. The second contribution can be divided into three parts:
2.a. Introduce a case study of coordinating DDoS, phishing and ransomware and identify potential vantage points for attackers to coordinate these attacks;
2.b. Identify recent developments in the cybercrime ecosystem and analyse why they facilitate coordinated attacks;
2.c. Integrate points 1 and 2.a. into a conceptual model, COORDINATE. COORDINATE describes four types of coordination and provides testable hypotheses of the pros and cons of coordination from the criminal's perspective.
The remainder of this paper is organised as follows. First, we elaborate in Section 2 on previous academic literature on coordination and cooperation of cybercrimes. We introduce in Section 3 a case study: the coordination of DDoS, phishing and ransomware. We explain in Section 4 how the evolving cybercrime ecosystem facilitates the coordination of cybercrimes in the future. Considering these points, we deduce a hypothetical model to describe different types of coordinated attacks and suggest testable predictions for future empirical studies. Finally, in Section 5 we summarise our key findings.

Bibliometric mapping
In this section, we discuss the results of bibliometric analysis of previous academic literature on "coordination" and "collaboration" in relation to cybercrime. First, we discuss the methodology used to perform the bibliometric mapping. Then we present our key findings.
To find the relevant keywords to search for academic literature that discussed "cooperation" and "coordination" with relation to cybercrime, we follow the method described by [16]. They suggest a four step protocol:
(i) Decompose the research question into individual elements.
(ii) Obtain key-words from primary studies.
(iii) Identify synonyms for the main terms.
(iv) Construct search strings using Boolean "AND" to join the main terms and "OR" to include synonyms.
Afterwards, the Boolean search string was used to query the literature database Scopus. Subsequently, the literature from the fields of mathematics, medical, physics and astronomy sciences was excluded as it is not relevant for studying cooperation and coordination of cybercrimes. We use VOSviewer [17] to identify clusters within the resulting literature. We use bibliometric coupling (a measure that represents the number of references shared between two publications) to identify these clusters. Hence, publications within the same cluster have a substantial overlap in the reference list. We analyse the abstracts of each cluster by using the word count of each word in the abstract. Using the top 20 most occurring words within the abstracts of a cluster, we identify the clusters which are most relevant to the concepts "coordination" and "collaboration" of cybercrimes and cybercriminals. If synonyms of these concepts were present in these 20 words, we further investigate the content of these clusters. The studies within these clusters were compared to our research objective as described in Section 1.
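The search-string construction and cluster screening described above, as an added example that is not the authors' code: it builds the Boolean query from term groups, computes bibliographic coupling from reference lists, and keeps the clusters whose most frequent abstract words contain a coordination or collaboration stem. The publication records, the stopword list and the connected-components grouping (a simple stand-in for VOSviewer's clustering) are assumptions constructed for illustration.

```python
import re
from collections import Counter
from itertools import combinations

# Term groups from the protocol: synonyms inside a group, main terms across groups.
TERM_GROUPS = [
    ["cyber"],
    ["crime", "attack"],
    ["coordinat*", "collabora*", "business model", "cooperat*"],
]
STEMS = ("coordinat", "collabora", "cooperat")             # concepts of interest
STOPWORDS = {"a", "an", "and", "in", "of", "the", "under"}  # assumed minimal list

# Constructed records: reference identifiers and abstract text are invented.
PUBS = {
    "A": {"refs": {"r1", "r2", "r3"},
          "abstract": "Coordinated attack model of attacker and defender strategy"},
    "B": {"refs": {"r2", "r3", "r4"},
          "abstract": "Game model of collaborating attackers in a coordinated attack"},
    "C": {"refs": {"r7", "r8"},
          "abstract": "Vehicle communication safety under attack"},
    "D": {"refs": {"r7", "r8", "r9"},
          "abstract": "Autonomous vehicle system safety"},
    "E": {"refs": {"r3", "r9"}, "abstract": "Survey of security"},
}


def build_query(term_groups):
    """Step (iv): OR the synonyms within a group, AND the groups together."""
    return " AND ".join(
        "(" + " OR ".join(f"'{term}'" for term in group) + ")"
        for group in term_groups
    )


def coupling_strength(pubs):
    """Bibliographic coupling: number of references two publications share."""
    return {
        (a, b): len(pubs[a]["refs"] & pubs[b]["refs"])
        for a, b in combinations(sorted(pubs), 2)
    }


def clusters(pubs, min_shared):
    """Connected components of the graph linking pairs with >= min_shared refs."""
    neighbours = {p: set() for p in pubs}
    for (a, b), shared in coupling_strength(pubs).items():
        if shared >= min_shared:
            neighbours[a].add(b)
            neighbours[b].add(a)
    seen, result = set(), []
    for start in sorted(pubs):
        if start in seen:
            continue
        stack, component = [start], set()
        while stack:
            node = stack.pop()
            if node not in component:
                component.add(node)
                stack.extend(neighbours[node] - component)
        seen |= component
        result.append(sorted(component))
    return result


def top_words(pubs, members, n=20):
    """The n most frequent non-stopword tokens across a cluster's abstracts."""
    counts = Counter()
    for member in members:
        tokens = re.findall(r"[a-z][a-z-]+", pubs[member]["abstract"].lower())
        counts.update(t for t in tokens if t not in STOPWORDS)
    return [word for word, _ in counts.most_common(n)]


def relevant_clusters(pubs, min_shared, n=20):
    """Clusters whose top-n words include a coordination/collaboration stem."""
    return [
        members for members in clusters(pubs, min_shared)
        if any(word.startswith(STEMS) for word in top_words(pubs, members, n))
    ]


if __name__ == "__main__":
    print(build_query(TERM_GROUPS))
    print(clusters(PUBS, min_shared=2))
    print(relevant_clusters(PUBS, min_shared=2))
```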
Using the methodology as described above, the main terms of our query were cybercrime and cyberattack, coordination, collaboration, business model and cooperation. We search the Scopus database using the following query:
('cyber') AND ('crime' OR 'attack') AND ('coordinat*' OR 'collabora*' OR 'business model' OR 'cooperat*')
Using the Scopus database we found 2341 articles as a result of this query. We excluded publications from the fields of mathematics, medical sciences, physics and astronomy and as a result obtain 1762 articles. The yearly distribution of these publications is shown in Figure 2. These 1762 articles were used for the bibliometric mapping in VOSviewer. As described above, we used bibliometric coupling as a measure to identify clusters of publications related to a similar topic. All the identified clusters are shown in Figure 1. Table 1 shows the number of studies we found for each cluster. Using the 20 most occurring words of each cluster, we find the clusters most relevant to our study. We identify clusters 1, 7, 9, 10 and 11 as related to concepts of coordination and/or collaboration of cybercrimes. We analyse the studies in each of these clusters to find the connection of these clusters with concepts of coordination/collaboration.
Cluster 1: Keywords: network, framework, attack, security, data. This cluster describes studies where defensive systems coordinate to deter cybercrime. For example, [18] studies the collaboration of different IDPS to detect botnets. [19] develops a honeypot for collaborative defense against distributed attacks of interconnected attackers. Unfortunately, in this study the authors do not explain what distributed attacks of interconnected attackers look like.
Cluster 7: Keywords: vehicle, system, attack, safety, communication. This cluster describes coordination of different systems in a vehicle or several (autonomous) vehicles to defend against cyberattacks. For example, [20] and [21] study cyberattacks against connected autonomous vehicles.
Cluster 9: Keywords: attack, system, power, based, grid. This cluster describes coordinated attacks on a power grid system. The focus is on coordination of the same type of cyberattack. For example, [22] explores distributed smart grid attack strategies to destabilise power system components. The authors consider the objective of the attacker to disrupt the power system by taking control over breakers and coordinating attacks. Subsequently, a strategy is formulated for the opponent to leverage variable structure system theory to attack.
Cluster 10: Keywords: attack, network, model, security, attacker. This cluster describes different cyberattack models, coordinated and collaborated attacks. For example, [23] use a game theoretic approach to model the dynamic behaviour between attacker and defender. The authors argue that each actor adjusts his strategy based on costs, potential gain and/or damage and effectiveness of anticipating the opponent's strategy. [24] develops a canonical model for cyberoperation by advanced attackers. They assume an isolated attack by an individual attacker of homogeneous group.
[25] constructs a detection method which can recognise coordinated attacks, by building a 'requires/provides' model. The authors test their model on the multi-stage attack of the Zeus botnet. [26] presents a high-level framework of defending against a cyberattack collaborated by interconnected attackers. The framework consists of five attributes of a coordinated attack: time-aspect, space-aspect, effect of an attack, information change during an attack and the privacy aspect.
Cluster 11: Keywords: system, attack, proposed, model, cyber-physical. This cluster describes coordination of power grid systems. For example, [27] considers cyber-physical coordinated attacks against the power grid and how to formulate a defensive strategy. [28] develops an estimation-based anomaly detection method to defend against cyber-physical smart grid systems. Here, cyber-physical refers to both the cyber and the physical security of power systems. This cluster seems highly related to cluster 9.
We can conclude that cluster 10 is most interesting considering the objectives from Section 1. Most studies out of cluster 10 are theoretical or consider high-level frameworks of coordinated attacks [23,26], as for example the canonical model for cyberoperations by advanced attackers [24]. In this study we take a different approach: we focus on the costs and benefits of conducting coordinated attacks compared to isolated attacks from the attacker's perspective. In the next sections, based on a case study, we argue the importance of considering not only how coordinated attacks are performed, but also why attackers have incentives to do so.

Case Study: Coordinating DDoS, Phishing and Ransomware attacks
In this section we present a case study of coordinating DDoS, phishing and ransomware attacks. First, we performed a small literature review on whether examples of coordination of these three crimes have been studied. In Section 3.1 the methodology of finding relevant literature is examined. On the basis of this literature, we present a brief description of DDoS, phishing and ransomware in Section 3.2. In Section 3.3 we examine possibilities of coordination of the specific crimes, based on the characteristics of the crimes themselves as described in Section 3.2. Finally, we consider the repetition of a specific crime as a specific case of coordination.

Methodology
To find specific use cases of coordination in combination with DDoS, phishing and ransomware in the academic literature, we use the following literature databases: Scopus and Web of Science. We have considered the articles/papers published in the English language. Since the field of cybercrime is evolving very quickly and we were interested in the most recent modus operandi, we considered literature from the past four years (published since 2017). We also exclude any papers from the field of Medicine. For ransomware the keyword was 'ransomware', for phishing 'phishing' and for DDoS 'DDoS OR denial-of-service'. The results of the search and filtering are shown in Table 2. This resulted in 1765 articles, 689 for DDoS, 563 for phishing and 513 for ransomware. After removing the duplicates we selected articles based on the abstracts which described the modus operandi, victims, offenders, infrastructure or coordination. Articles concerning machine learning models or other automated defense strategies were excluded. This resulted in 244 articles: 97 of ransomware, 94 of phishing and 53 of DDoS. These articles were fully read and used for describing DDoS, phishing and ransomware in Section 3 and understanding the cybercrime ecosystem in Section 4. If the article referred to other articles with relevant information about coordination, these other articles were also read, even if the article had been published before 2017. Finally, we add grey literature about coordination based on industry reports related to 'coordination cybercrime', 'DDoS phishing', 'DDoS ransomware', or 'phishing ransomware'. The end date of these queries was 13 September, 2021. This resulted in 16 articles from the security industry used in this paper. Based on these findings we first give a short description of the modus operandi of the specific crimes in the following section.

Overview DDoS, Phishing and Ransomware
Distributed Denial-of-service (DDoS) is a denial-of-service attack where attackers keep users from accessing a networked system, service, website, application, or other resource [29,30]. A DDoS attack works by using all available network bandwidth or resources on a target network. Often this is done by using a botnet: entire networks of computers which are infected by malware and under control of a command and control (C&C) server, which is controlled by a botmaster [7]. Often, IoT devices are used for the botnet since they are hardly secured and available in abundance [31,32]. Anyone with a website or network publicly accessible is prone to DDoS attacks. [30] indicate that 55% of DDoS attacks targeted financial services and web hosting companies. Other obvious targets are retail and e-commerce websites, whose revenue is highly dependent upon their website being available and responsive [33]. For more information about DDoS attacks we refer to [34,33,29].
Phishing is the sending of messages with the main objective to gather personal data of users [35,36]. It is a popular method for stealing credentials, committing fraud and distributing malware. Phishing is based on social engineering: by using methods of persuasion the attacker tries to circumvent a victim's critical thinking and let him perform the action which the phisher wants to accomplish, like giving credentials or installing malware [35]. There are 3 types of targets for phishing: general/indiscriminate, semi-targeted and spear phishing [37]. Different types of phishing target different types of victims [38]: Indiscriminate phishing is when the attacker targets many unrelated victims hoping at least some will take the bait. Semi-targeted attacks focus on a specific organization or group. With spear phishing a specific individual (often C-level or IT-administrator) is targeted. For more information about phishing attacks we refer to [39,40,41].
Ransomware is a category of malicious software that prevents users from accessing their computing device resources by encrypting them [14]. Typically it prevents users from accessing their computing device or files and shows a screen to provide a way for the victim to pay the ransom. Until the victim pays, the computing device is unusable. Often a deadline is mentioned and an anonymous payment method requested. Ransomware demands used to be typically between 300 and 2000 dollars per target, but are currently much higher [42,43]. The attack targeting has shifted from individuals to companies [44,42]. The reasons are twofold: First, targeting has shifted to the healthcare sector, government institutions, and education, because their data is most precious and they often pay high ransoms [45,46]. Second, it is easier to infect a company than an individual. For more information about ransomware attacks we refer to [47,42,44].

Coordinating DDoS, Phishing and Ransomware attacks
(i) Coordination of ransomware and phishing: A first type of coordination is between ransomware and phishing. For ransomware to take place, an attacker has to gain access to a network or system. [46,48,42] indicate the importance of phishing to gain access to a network, which is then used to install ransomware and perform a ransomware attack. [42] mentions that email phishing accounts for 59% of initial access in ransomware attacks. [49] make the distinction between targeted and bulk ransomware. When the attack is indiscriminate, spam emails are a common way to attack. If the attack is targeted, (spear)phishing and the use of exploits are more typical.
Not only is phishing used to facilitate the installation of ransomware, ransomware is also increasingly used to indirectly steal credentials, which sometimes leads to more phishing [50,51]. Another way ransomware leads to phishing is when the content of the phishing email seems more credible because it addresses a recent or ongoing ransomware attack. After the University of Maastricht faced a ransomware attack, it was targeted by a phishing campaign. The emails addressed the ransomware attack, and provided context and credibility to the malicious email [2].
A third way for ransomware to possibly lead to phishing was described by [50]. [50] studied different factors contributing to maximizing profit of a ransomware attack. Their conclusion was that combining ransomware with data-stealing is in general more profitable than ransomware without stealing the data, and that selling the stolen data is always more profitable than threatening to leak the data. Leaked data is often used for semi-targeted and spear-phishing [51]. Therefore this new method of stealing data during a ransomware attack provides additional opportunities for (targeted) phishing.
(ii) Coordination of ransomware and DDoS: A second type of coordination is ransomware and DDoS. Several studies indicate different ways to coordinate ransomware and DDoS. [52] mentions that DDoS is used as retribution for not being able to enter a network, to possibly install ransomware. Furthermore, [53] and [54] mention that DDoS is increasingly used as leverage when victims of a ransomware attack decide not to pay the ransom, as was mentioned in the introduction. As examples, ransomware gangs like the Avaddon group and SunCrypt are mentioned [54]. [55] actively scanned darknet forums and found ransomware actors to actively look for botmasters. This would suggest that ransomware actors do not use easy-to-buy booter services, but want to possess their own infrastructure to conduct DDoS attacks. Additionally, REvil attackers said in an interview that they want to increase the use of DDoS during a ransomware attack, since victims are more willing to pay the ransom, according to the REvil actor [9].
DDoS is sometimes used to distract attention from a ransomware infection [56,57]. In this context, an attack with the goal to distract from another attack will be defined as a smokescreen [11]. [57] mentions these smokescreens are done by doing sub-saturating DDoS attacks: low-bandwidth and short in duration (less than 5 minutes). This is done to prevent detection by DDoS mitigation systems. During those 5 minutes, IT staff is busy dealing with momentary network outages, whereas the criminals do automated scanning or penetration techniques to map the network and install the ransomware [57].
Besides these specific forms of coordination of ransomware and DDoS, a more fundamental similarity is that both ransomware and DDoS are basically a denial of resource [49,58]. This indicates that ransomware and DDoS would only be coordinated if they attack different parts of a network, computer or system. For example, it would not make much sense to perform a DDoS attack on a public-facing server if it is already encrypted by ransomware.
(iii) Coordination of phishing and DDoS: A third type of coordination is between phishing and DDoS. Several articles describe cases of coordination between phishing and DDoS. Phishing is sometimes used to increase a botnet, which could be used for DDoS [7]. There are two ways phishing leads to an increased botnet. One way is to use credentials to automatically install malware [51]. Another is to send an email containing phishing and malware at the same time. Another possible link is the use of DDoS to either hide a phishing campaign, or make phishing emails seem more genuine by using it as a storyline or context [15,59,60].
The role of context in a phishing email was analysed by [61]. Students got either an email about winning an iPad, or a course-related email. They found that 71.3 per cent of the participants who opened the course-related message also clicked on the simulated phishing link and 63.9 per cent submitted credentials. For the iPad, these were respectively 5.9 and 3 per cent. They conclude that contextualized social engineering threats like course-related emails lead to victims overlooking cues of deception that normally would be caught in non-contextualized messages. The timing of phishing and DDoS was studied by [15]. They found there to be relatively more phishing emails sent before and after a DDoS attack, compared to the baseline without DDoS attack. The authors claim this indicates a coordination of DDoS and phishing, although it could not be established whether this coordination was intended.
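The timing comparison described above can be reproduced on an organisation's own mail-gateway and DDoS-mitigation logs. The following is an added example, not code from [15] or from the authors: it compares the phishing-email rate in a window before and after each DDoS attack with the rate in the remaining observation time. The 2-hour window, the function names and the sample timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta


def merge(intervals):
    """Merge overlapping (start, end) intervals so no time is counted twice."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def clip(intervals, lo, hi):
    """Restrict intervals to the observation period and merge them."""
    clipped = [(max(s, lo), min(e, hi)) for s, e in intervals]
    return merge([(s, e) for s, e in clipped if s < e])


def hours(intervals):
    return sum((e - s).total_seconds() for s, e in intervals) / 3600


def count_in(timestamps, intervals):
    """Number of timestamps inside any half-open interval [start, end)."""
    return sum(any(s <= t < e for s, e in intervals) for t in timestamps)


def rate(timestamps, intervals):
    """Emails per hour inside the intervals, or None if they cover no time."""
    covered = hours(intervals)
    return count_in(timestamps, intervals) / covered if covered else None


def phishing_rates(ddos, phishing, obs_start, obs_end, window):
    """Phishing emails per hour before and after DDoS attacks versus baseline.

    ddos is a list of (start, end) attack intervals, phishing a list of
    email timestamps. Baseline is all observed time outside the attacks
    and their surrounding windows.
    """
    during = clip(ddos, obs_start, obs_end)
    before = clip([(s - window, s) for s, _ in ddos], obs_start, obs_end)
    after = clip([(e, e + window) for _, e in ddos], obs_start, obs_end)
    near = merge(before + during + after)
    seen = [t for t in phishing if obs_start <= t < obs_end]
    base_hours = hours([(obs_start, obs_end)]) - hours(near)
    base_count = len(seen) - count_in(seen, near)
    return {
        "before": rate(seen, before),
        "after": rate(seen, after),
        "baseline": base_count / base_hours if base_hours > 0 else None,
    }


# Constructed sample: one day of observation, one 30-minute DDoS attack.
DAY = datetime(2021, 3, 1)


def at(hour, minute):
    return DAY + timedelta(hours=hour, minutes=minute)


DDOS = [(at(10, 0), at(10, 30))]
PHISHING = [at(2, 15), at(8, 20), at(9, 5), at(9, 50), at(10, 10),
            at(10, 45), at(11, 30), at(12, 0), at(19, 40)]
RATES = phishing_rates(DDOS, PHISHING, DAY, DAY + timedelta(days=1),
                       window=timedelta(hours=2))

if __name__ == "__main__":
    for label, value in RATES.items():
        print(f"{label:>8}: {value:.3f} emails/hour")
```

An elevated rate around attacks shows co-occurrence only; as the text notes, it does not establish that the two were intentionally coordinated.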

Campaigns and repeated attacks
It is worth noting that a form of coordination has already existed for a long time within these three types of crimes:
(iv) Multiple DDoS/phishing/ransomware attacks: DDoS attacks often consist of multiple attacks. [29] analysed the probability of an attack. He found that the probability of an attack being relaunched on the same target less than 5 minutes after the end of the previous one is 58%. 19% of all attacks are part of a DDoS campaign of at least 5 consecutive attacks. These findings illustrate the effectiveness of coordinating several DDoS attacks, which is defined as a repeating attack [29]. This is also common for many DDoS hacktivists, who work together to create a larger attack [62,63].
Multiple phishing attacks: Bulk phishing can lead to spear-phishing (more targeted) [64]. An attacker sends the phishing emails first in bulk. When the attacker receives the credentials of the email account, he or she will use this email account to send new specifically targeted phishing emails to the contacts of the account. Since these emails originated from a trusted sender, more people are inclined to click on the link compared to phishing emails sent in bulk [65]. Furthermore, phishing emails are often sent in campaigns. [36] defined campaigns as sending a similar phishing email several times over a certain time span. Using campaigns is a cost-effective way to attack from the offender's perspective, since the attacker only needs to change the URL where the victim needs to click.
Multiple ransomware attacks: Ransomware could lead to more ransomware because of worm-like capabilities [48,47,42]. The ransomware could therefore infect an entire network automatically. This is the reason why WannaCry was so prolific [42]. Another way different ransomware attacks are linked is because some high-value targets might be of interest to multiple ransomware actors. It happens that companies receive multiple ransomware attacks, encrypting their files multiple times. The only way to decrypt the files is when the ransomware actors cooperate [9].
Although campaigns and repeats could be considered a specific type of coordination, further analysis is outside the scope of this paper.

COORDINATE: the Cybercrime cOORDINATion modEl
The Internet presents a global ecosystem that offers, among many other things, the tools, e.g., botnets, CaaS, cryptocurrencies, and an anonymous communication infrastructure, that enable the development and execution of attack chains [66,67]. In this section, we describe how the recent development of tools and infrastructure within that ecosystem facilitates coordinated attacks and helps explain the rise of reported coordinated attacks in Section 3. Subsequently, we propose COORDINATE, a new model of coordination and testable predictions to help analyse the costs and benefits of coordination for cybercriminals.

Development Tools and Infrastructure in Cybercrime Ecosystem
[68] analysed the cybercrime ecosystem by considering malware, bitcoins and darknet. We extend this research by briefly describing the evolution of underground forums and markets, cryptocurrencies, online anonymity and botnets. In essence, a cybercriminal wants to anonymously communicate with other cybercriminals (through underground forums and markets), anonymously receive and send money (with cryptocurrencies) and perform cyberattacks anonymously (through online anonymity and botnets).
(i) Underground forums and markets: Cybercriminals need to communicate together if they want to collaborate. This might explain the proliferation of online cybercriminal communities on darknet forums [69]. The rise of new and popular communication technologies is tied with the increasing problem of cybercrime [70]. This is because darknet or underground forums promote the trade of attack tools and services, making cyberattacks accessible for actors with low level of technical sophistication [69]. For a detailed examination of underground forums and markets we refer to [71].
(ii) Cryptocurrency: Cryptocurrency technically refers to a cryptographic string of numbers and alphabetic symbols, which together give a unique number and is considered a digital currency which can be exchanged for real-life currencies [72]. It is a common way for cybercriminals to stay anonymous and conceal their money footprint [73]. The first darknet market to accept cryptocurrency was Silk Road in 2011. Although the business model of Silk Road was very successful, in 2013 the FBI shut it down. Nevertheless, cryptocurrency made it possible to receive money anonymously. Nowadays most Law Enforcement agencies around the world have different methods to attribute crypto wallets to individuals. Therefore, cybercriminals often use mix services to hide money traces [72].
(iii) Online anonymity: The Internet community over the world is interested in anonymity. This led to the development of various anonymous networks. The most important are proxies, virtual private network (VPN) and The Onion Router (TOR) [74]. A VPN creates an encrypted connection over a less secure network, usually the internet, to send encrypted traffic [75]. The use of these technologies improves anonymity of internet users, both normal citizens but also criminals who want to hide their online activities [69,76].
The types and attack patterns of botnets constantly change, due to a large increase since 2016 in IoT devices which have enough processing power to be part of a botnet [77]. Botnets are most commonly used for DDoS attacks, but the infrastructure has also been used to spread phishing and malware [78], like for example the Emotet botnet.
Altogether, these developments led to the rise of:
(a) Cybercrime-as-a-Service (CaaS): Cybercrime-as-a-service is the phenomenon that cybercriminals not only perform attacks themselves, but also buy or sell the tools and knowledge to other criminals to perform attacks [79]. Most criminal groups have become highly specialized in specific tools and methods to perform a specific part of an attack [80]. According to [81], CaaS leads to commoditization, specialization and cooperation of cybercriminals. Consequently, we can deduce that cybercrime-as-a-service leads to more interdependence between different cybercrimes, because criminals conducting different types of crime can work together to maximize profit.
(b) Capabilities and resources: Offenders can expand capabilities by learning from others through darknet forums. The required capabilities are an important distinction between cybercrimes like DDoS, phishing and ransomware. Ransomware is highly technical, phishing is of medium difficulty (also depending on web-based or email-based phishing) and DDoS attacks are less technical [82]. This means that a non-technical actor could not use ransomware for a coordinated attack. One way to circumvent this problem is to buy tools and services from more technical actors, the CaaS phenomenon. Nevertheless, not everything can be bought. For example, some actors who sell ransomware do not want to sell to newbies, because they might screw up and therefore get the attention of Law Enforcement [42,56].
(c) Democratization of cybercrime: The dissemination of cybercrime has been noted with respect to offenders as well as victims. Several authors noted that the step towards online offending has become easier over time, during the past decades. One does not need to be technically skilled, but with CaaS everyone can buy a phishing kit [81,6] and start a phishing campaign or buy a DDoS attack and attack one's school [83]. The commoditization of attacks has led to a democratization of offending, according to [84,85,86]. A similar development is found with regard to victimisation. One of the consistent findings in traditional crime is that victims tend to be young and male, have a low educational level and are usually relatively poor [87,88,89] because it is strongly related to location and going out [90,91,92]. With the digitalization of society, however, offending and victimization of cybercrime become much less related to location or being outdoors. Victims of online crime are both male and female, and for some crimes (online banking fraud, identity theft) of all ages or relatively old [84]. In summation, offenders as well as victims of online crime tend to be, more than before, a random, or 'normal', selection of society.
These developments either directly or indirectly influence the costs and benefits of coordinated attacks. Therefore, they also influence an attacker's decision to perform a coordinated attack. Based on the information gathered in this paper we propose COORDINATE, a model to evaluate the costs and benefits of coordination for cybercriminals.

COORDINATE
From the empirical observations of coordination of DDoS, phishing and ransomware described in Section 3 and the evolution of the cybercrime ecosystem, we hypothesise four types of coordination based on the costs and benefits of coordination for cybercriminals:
(i) Direct collaboration: One or multiple actors coordinate different attacks before performing the attacks. An example is when a ransomware group uses DDoS attacks to put pressure on a victim who is not paying the ransom during a ransomware attack [9,54,53].
(ii) Indirect collaboration: One or multiple entities perform an attack and sell the end-product of that attack to other entities. For example, credentials gained from a phishing attack are sold to a ransomware group, who use the credentials to gain access to a system or network and install their ransomware [42,49,46].
(iii) Opportunistic coordination: One or multiple actors perform an attack. Subsequently, this becomes known to another actor, who uses this knowledge to reinforce their own attack. For example, the media reports that a company is the victim of a ransomware attack. A phishing group then uses this information as context in phishing emails that it sends to the victim [2].
(iv) Random coordination: It might be that one or multiple offenders coordinate attacks at random, and do not know that their attack coincides in some way with another attack. The attack then looks coordinated from a victim's perspective, although the offenders do not know this. An example is a bank that faces both phishing emails and DDoS attacks from two different entities, neither of which knows that the other attack occurred [15]. Random coordination is outside the scope of the proposed model.
Meurs, Junger, Abhishta, Tews, and Ratia
The three relevant types of coordination are depicted in Figure 4. Note that it may seem that one attack happens after the other, but this is not necessarily the case. For example, a DDoS attack could be a smokescreen for installing ransomware at the same time [57,56]. Nevertheless, the coordination types are applicable to both sequential and parallel coordinated attacks. Here we define a sequential attack as two attacks with no overlap in time and a parallel attack as two attacks with overlap in time.
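The sequential/parallel definition above can be applied from the defender's side when correlating incident records for one organisation. The following is an added example, not code from the paper: the incident records are constructed, and the field names, function names and 14-day pairing window are assumptions.

```python
from datetime import datetime, timedelta
from itertools import combinations

# Constructed incident records for one organisation (illustrative, not real data).
INCIDENTS = [
    {"id": "INC-1", "type": "phishing", "start": "2024-03-01T09:00", "end": "2024-03-01T09:30"},
    {"id": "INC-2", "type": "ransomware", "start": "2024-03-04T02:00", "end": "2024-03-06T18:00"},
    {"id": "INC-3", "type": "ddos", "start": "2024-03-05T10:00", "end": "2024-03-05T14:00"},
    {"id": "INC-4", "type": "ddos", "start": "2024-06-20T08:00", "end": "2024-06-20T09:00"},
]

# Assumption (not from the paper): non-overlapping incidents are only paired
# when the gap between them is at most this long.
WINDOW = timedelta(days=14)


def _span(inc):
    return datetime.fromisoformat(inc["start"]), datetime.fromisoformat(inc["end"])


def classify_pair(a, b, window=WINDOW):
    """'parallel' = overlap in time, 'sequential' = no overlap but within
    the window, None = too far apart to pair."""
    (s1, e1), (s2, e2) = _span(a), _span(b)
    if s1 <= e2 and s2 <= e1:  # intervals intersect (a shared endpoint counts)
        return "parallel"
    gap = max(s1, s2) - min(e1, e2)  # later start minus earlier end
    return "sequential" if gap <= window else None


def candidate_pairs(incidents, window=WINDOW):
    """Pairs of different attack types worth reviewing as one attack event.
    A pair is a lead for an analyst, not proof: unrelated actors can hit the
    same victim in the same period (the paper's 'random coordination')."""
    ordered = sorted(incidents, key=lambda i: _span(i)[0])
    pairs = []
    for a, b in combinations(ordered, 2):
        if a["type"] == b["type"]:
            continue  # coordination is defined over different attacks
        label = classify_pair(a, b, window)
        if label:
            pairs.append((a["id"], b["id"], label))
    return pairs


if __name__ == "__main__":
    for pair in candidate_pairs(INCIDENTS):
        print(pair)
```
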
The various types of coordination lead to different ways of decision-making by an offender compared to an attack without coordination. The literature we found in Section 2 mostly focuses on how coordinated attacks could be performed, but not on why the attacker would be motivated to do so. From a Rational Choice Perspective [93,94], financially motivated cybercriminals try to maximize profits while minimizing costs and risks. Based on the use cases and developments presented in the previous sections, we hypothesize the following model, which we call COORDINATE: the Cybercrime cOORDINATion modEl.

Benefits of coordination for cybercriminals
Performing a coordinated attack compared to a single attack leads to certain benefits. Based on the Rational Choice Model of Crime [94], we argue that these benefits need to increase profit and/or decrease costs, risks and effort.
(i) Profitability: More profit per attack. Every successful attack will generate more profit. It can generate extra profit in two ways. 1) Larger companies or public organizations can be more successfully attacked. Therefore more ransom could be asked during a ransomware attack, or more money could be obtained with phishing or DDoS [95,96]. 2) Every attack can generate revenue. For example, in a ransomware attack the attackers might gain the ransom, but selling obtained credentials might also directly provide extra profits [81,51]. Higher profit per attack could be most important in direct collaborated attacks, where offenders consciously collaborate, perhaps to go after a 'big fish'. It seems least applicable to opportunistic coordination, because opportunistic actors do not really apply specific targeting [97,44].
(ii) Success rate: Higher probability of success per attack. By putting additional pressure on the victim during a ransomware attack or providing credible context in a phishing email, victims might be more willing to pay ransom or click on the link in the phishing email [9]. Sometimes one attack enables another attack, which means that coordinating the two attacks raises the probability from zero per cent (not possible) to a probability higher than zero per cent.
(iii) Diffusion of responsibilities: Coordination leads to diffusion of responsibilities: by performing a small part of the attack, the offender might feel less responsible for the attack [1]. Therefore moral costs are reduced: the feeling of doing something wrong might be weaker during a coordinated attack. This seems most applicable to indirect collaboration, where the offenders selling their services or products do not necessarily know what the other offender is doing with the bought services or products. Diffusion of responsibilities may occur less often with direct collaboration, where an actor is in charge of the entire attack. Decreased moral costs could also occur with opportunistic coordination, since the offender of the second attack does not feel responsible for the first attack.
(iv) Outsourcing: Outsourcing the most risky or difficult parts of an attack. In coordinated attacks, offenders could decide to perform the parts of an attack which have the least risk of being detected or pursued by Law Enforcement [81]. For example, they steal credentials or develop ransomware, but someone else deploys the ransomware [42,47]. Law Enforcement tends to investigate the criminals behind the attack, and not the facilitators and enablers [98,82]. Therefore, the latter have less risk of being caught and convicted. Advantages of outsourcing do not occur with direct collaboration, since the offenders have to perform all the aspects of the attack themselves. It most probably happens with indirect collaboration, since many offenders offering their products or services actually offer tools or services to support an attack, but do not perform the attack themselves. Finally, opportunistic offenders might only try attacks where they perform the less risky attack. For example, they might execute phishing after a ransomware attack. In general, ransomware attacks often attract more attention from Law Enforcement than phishing, because impact and severity are often higher. So by phishing after the ransomware, they might receive less attention from Law Enforcement compared to a single phishing attack.
(v) Shielding: Repeatedly performing a small part of an attack type might lead to specialisation [81,6]. Specialization might lead to better shielding techniques. This does not seem likely for direct collaborated coordinated attacks, because the actors perform the entire attack chain themselves. On the contrary, better shielding might drive indirect collaboration, where offenders on darknet forums are highly specialised and therefore might have more knowledge of how to shield themselves. Likewise, in opportunistic coordinated attacks actors also do not perform the entire attack themselves, and therefore have better shielding compared to actors who are responsible for the entire attack, as in direct collaborated coordinated attacks.

Costs of coordination for cybercriminals
(i) Transaction costs. If the coordinated attack is the result of a collaboration or cooperation of different actors, then this cooperation entails transaction costs [6,99]. According to Transaction Cost Economics, these include the costs of working together, sharing profit, not knowing whether the other party can be trusted, etc. [100,6]. Since direct collaboration is the most intensive form of collaboration of all three, it follows that it would have the highest transaction costs, followed by indirect collaboration. Opportunistic coordination does not entail collaboration and therefore has no transaction costs.
(ii) Timing. For some coordinated attacks timing is important. For example, when phishing for credentials to gain access to a network to install ransomware, the credentials might be invalid after a certain amount of time. Therefore the initial access broker cannot wait too long before selling or using the credentials. Timing might be most important for opportunistic coordinated attacks, where actors have to react to another attack in time [15]. For direct collaboration timing between attacks might also be important, but the actors can decide themselves when the different attacks will be performed. So they are more in control of timing than opportunistic actors. Finally, products and services sold online are probably less time-sensitive than the other two, because it takes time for a vendor to find a buyer. So if timing were important, the vendor would probably not be able to sell the product through darknet forums.
(iii) Extra effort. Time and energy are required to perform a second attack if it is done by the same actor. Time spent on the second attack cannot be used for another separate attack, which would also have earned money. This is most important for coordination as a result of direct collaboration, since attackers have to coordinate all the attacks and make sure they have all the capacities and resources to perform the attack. For example, if they try to find their own exploits, there is the risk of not finding any. Therefore, it is easier to perform a coordinated attack with products and services bought on darknet forums, and effort should then be less for a coordinated attack than for an uncoordinated attack. This holds even more for opportunistic attacks, where attackers do not need to put any effort into the first attack. So these attackers probably do not need to make more effort than if they performed an uncoordinated attack.
(iv) Financial costs. Resources or capabilities need to be bought. Also, if one develops one's own software, then this also directly costs money. These costs are highest for goods and services bought on the darknet market, so for indirect collaboration. Financial costs seem to be lower for direct collaboration, since attackers only need to buy resources and capabilities they do not have themselves. Moreover, buying resources should be less expensive than buying end-products. Opportunistic actors do not have to pay anything to perform their coordinated attack; they just react to another attack.
(v) Traces. Performing more attacks will lead to more possible traces during an investigation by Law Enforcement. Therefore, performing coordinated attacks could increase the probability of getting caught. This seems most applicable to direct collaboration, since the same group of actors performs the different attacks, and therefore all attacks could be linked back to the group. This seems less applicable to indirect collaboration, because the attacks of the criminals are only linked by a purchase over the darknet. Linking attacks through darknet markets might be harder than linking attacks by a group with the same modus operandi. Since opportunistic coordinated attacks do not have a link with the actors of the first attack, there are no extra traces compared to a single attack.
The hypotheses discussed above are summarised in Table 3. We believe these hypotheses need to be tested in further empirical research on coordination of cybercrime.

CONCLUSIONS
Although coordinated attacks have been described by cybersecurity companies and blogs, to our knowledge no scientific research has systematically studied coordinated cybercrimes. This paper set out to identify various ways attacks can be coordinated, describe recent developments w.r.t. coordination/cooperation concepts in cybercrime literature and provide a model for understanding the decision to coordinate attacks or not.
Our first research question was: What is the current state of literature on the coordination and coordination of cybercrimes? We addressed this question by analysing the bibliometric mapping of academic literature, in which we found a cluster of studies that focuses on coordinated cyberattacks from the attacker's perspective. They mostly focus on how these crimes can be coordinated, but not on the incentives for the attacker to do so. Therefore, our second research question was: What are the costs and benefits for an offender to decide to perform a coordinated attack or not? We addressed this question by introducing a case study of coordinating DDoS, phishing and ransomware. From the case study, specific vantage points for coordination were identified. Furthermore, by describing the recent developments in the cybercrime ecosystem, we explained why coordination has become more feasible for attackers than it was previously. Finally, we deduced a hypothetical model we named the Cybercrime Coordination Model, COORDINATE. From this model we made testable predictions about the importance of certain costs and benefits for the different types of coordinated attacks.
The results of this study indicate that coordinated attacks result in more harm and are, consequently, more dangerous. We showed that one can already observe attack coordination. If our model is correct, coordinated attacks will produce more rewards for offenders at lower costs and will therefore occur more often in the future. We are therefore in danger of observing a dynamic system where one crime will lay out opportunities for new crime, which may lead to more and more online crime.
This study was limited by the absence of empirical data on coordinated cybercrimes with which to investigate the severity of such attack events. Despite its exploratory nature, this study offers some insight into the importance of coordinated cybercrimes. We hope this study will be a stepping-stone for other researchers to conduct empirical research on coordinated cybercrimes.

Figure 1: Clusters of selected literature. The different colors represent the different clusters of academic literature on coordination of cybercrimes.

Figure 3: Word cloud of the 20 most occurring words in abstracts of Cluster 10 (a) and Cluster 11 (b).

Figure 4: The different coordination types examined in this study.

Table 2: Search results of DDoS (DDoS OR denial-of-service), phishing and ransomware on different databases. Hits are the total number of hits with the query. Unique is the number of unique articles from Scopus and Web of Science, where duplicates are removed and only attributed to Scopus.

Table 3: Overview of the proposed hypotheses on relationships between different costs and benefits in COORDINATE. ++ is a positive relationship, + is a small positive relationship, +/− is no relationship, − is a small negative relationship, and −− is a negative relationship.