Cybercriminals are increasingly funneling their illicit earnings into legitimate ventures, according to a new analysis by cybersecurity experts at Sophos. From founding startups and opening restaurants to launching coding bootcamps, hackers are diversifying their portfolios. The State of Ransomware 2024 report found that the average ransom paid by companies this year reached a staggering $2 million—five times more than in 2023. These seemingly legitimate businesses allow criminals to launder large sums of money with minimal traceability.
Ransomware Profits Go Legit
Ransomware attacks, data theft, and phishing schemes are yielding millions in revenue—often in cryptocurrency. Sophos reports that 30% of ransomware demands now exceed $5 million. Until recently, little attention had been paid to how these criminals spend their windfalls. But Sophos researchers, after analyzing darknet forum discussions, corporate records, and cryptocurrency wallet activity, found that hackers are channeling funds into both criminal operations and legal business ventures.
“This isn’t just traditional money laundering anymore,” explains John Shier, Field CISO at Sophos. “We’re witnessing a new form of entrepreneurial crime—cybercriminals entering the market as legitimate businesspeople. As employers and investors, they’ve paradoxically become more invisible than ever.”
Hiding in Plain Sight
In many cases, cybercriminals use everyday platforms like Telegram or WhatsApp Business to build networks and manage investments. On the surface, these ventures look perfectly legal—complete with professional websites, investor-ready business models, and legitimate-looking documentation.
Following the Money: Real Estate, Gold, Restaurants, and NGOs
Hackers are investing in cybersecurity and IT startups—ironically gaining more tools and expertise to support future attacks. Sophos analysts have also identified investments in NGOs and educational institutions, which offer cover for founding coding schools and launching “non-profit” educational projects. Other popular channels for laundering include high-cash-flow businesses with minimal oversight, such as restaurants, bars, and tobacco or alcohol wholesalers.
Cybercriminal proceeds also find their way into real estate, equities, and precious metals like gold and diamonds—vehicles that enable stable, low-profile passive income. These transactions are typically executed in jurisdictions with strong financial systems, such as Switzerland, the U.S., or the UAE.
Beyond legal investments, cybercriminals still operate in the grey zone. They run casinos and gambling sites, often registered in offshore tax havens. They’re also involved in forging documents (particularly in Asian markets), hosting adult content platforms, and running counterfeit pharmaceutical shops. The investigation revealed global activity—including in the UK, Switzerland, the U.S., UAE, China, South Korea, and Gibraltar.
“The line between cybercrime and the real-world economy is increasingly blurred—and that’s the real danger,” says Shier. “The only way to combat this is through tighter collaboration between public and private sectors, particularly between cybersecurity firms and local law enforcement. Threat analysts must share findings with authorities who can track and dismantle potential criminal operations. After all, someone founding a legitimate-looking company today may be launching another cyberattack tomorrow.”
Source: ManagerPlus.pl