WACCO 2025

7th Workshop on Attackers and Cyber-Crime Operations

IEEE European Symposium on Security and Privacy 2025

June 30, 2025 - Venezia, Italy

The emergence and commoditization of cyber-criminal activities calls for new empirical methods, measures, and technologies to quantify and understand offender operations across all forms of cyber-crime: from malware engineering and attack delivery, to running underground operations trading illegal goods such as drugs and illegal pornography, to spreading disinformation and planning (cyber-)terrorism operations. Without appropriate scientific measures of cyber-offender and attacker operations, capabilities, and resources, it remains impossible to derive sound policies, strategies and technologies that appropriately address realistic and evidence-based attacker and offender models. WACCO calls for all contributions aiming at providing methods, measures, metrics, and technologies or tools to quantitatively or qualitatively evaluate cyber-offenders and attackers from technical and non-technical angles. The workshop invites contributions from, but not limited to, the fields of computer science and computer security, criminology, psychology, law, and economics addressing this issue.

WACCO welcomes (full and short) paper submissions, for publication in the EuroSP IEEE proceedings and presentation at WACCO, and Research talks, for presentation at WACCO (no proceedings). All submissions will go through the same review process, and receive feedback from the PC.  

Call for Papers

Topics of interest include, but are not limited to:

  • Empirical studies on attacker operations and communities
  • Novel methods to perform attacker measurements at scale across several communities
  • Cooperation and trust as a source of attackers’ effectiveness
  • Attackers’ skill set
  • Attackers’ operational security
  • Measuring the spread of false information campaigns on social media
  • Quantitative and qualitative methods to measure, track, and counter cybercrime
  • Cybercrime measurement and networks
  • Cybercrime policy
  • Economics of cybercrime
  • Profiling of cybercriminals
  • Security metric design and evaluation
  • Security patch measurement
  • Statistical exploration and prediction of security incidents
  • Open Source INTelligence (OSINT) and digital footprints

The workshop is co-located with the 10th IEEE European Symposium on Security and Privacy (EuroS&P 2025).

Important Dates

All deadlines are Anywhere on Earth (AoE = UTC-12h).

Paper submission due: Feb 20, 2025
Acceptance notice to authors: March 24, 2025
Publication-ready papers submitted: Apr 04, 2025
Workshop: June 30, 2025

Program


Registration

08:30 - 09:15 (Timezone: CEST (UTC+02:00))

Welcome

09:15 - 09:30 (Timezone: CEST (UTC+02:00))

Keynote

09:30 - 10:30 (Timezone: CEST (UTC+02:00))

TBD

09:30 - 10:30

TBD

Coffee Break

10:30 - 11:00 (Timezone: CEST (UTC+02:00))

Session 1: Gathering Knowledge

11:00 - 12:30 (Timezone: CEST (UTC+02:00))

CTI-HAL: A Human-Annotated Dataset for Cyber Threat Intelligence Analysis

11:00 - 11:30

Sofia Della Penna, Roberto Natella, Vittorio Orbinato, Lorenzo Parracino and Luciano Pianese

Organizations are increasingly targeted by Advanced Persistent Threats (APTs), which involve complex, multi-stage tactics and diverse techniques. Cyber Threat Intelligence (CTI) sources, such as incident reports and security blogs, provide valuable insights, but are often unstructured and in natural language, making it difficult to automatically extract information. Recent studies have explored the use of AI to perform automatic extraction from CTI data, leveraging existing CTI datasets for performance evaluation and fine-tuning. However, they present challenges and limitations that impact their effectiveness. To overcome these issues, we introduce a novel dataset manually constructed from CTI reports and structured according to the MITRE ATT&CK framework. To assess its quality, we conducted an inter-annotator agreement study using Krippendorff’s alpha, confirming its reliability. Furthermore, the dataset was used to evaluate a Large Language Model (LLM) in a real-world business context, showing promising generalizability.

The Dark Side of the Web: Towards Understanding Various Data Sources in Cyber Threat Intelligence

11:30 - 12:00

Saskia Laura Schröer, Noè Canevascini, Irdin Pekaric, Philine Widmer and Pavel Laskov

Cyber threats have become increasingly prevalent and sophisticated. Prior work has extracted actionable cyber threat intelligence (CTI), such as indicators of compromise, tactics, techniques, and procedures (TTPs), or threat feeds from various sources: open source data (e.g., social networks), internal intelligence (e.g., log data), and “first-hand” communications from cybercriminals (e.g., underground forums, chats, darknet websites). However, “first-hand” data sources remain underutilized because it is extremely difficult to access or scrape their data. In this work, we analyze (i) 6.6 million posts from 22 underground forums, (ii) 3.4 million messages from over 3,000 chat channels (Discord and Telegram), and (iii) 120,000 darknet websites. We combine NLP tools to address several challenges in analyzing such data. First, even on dedicated platforms, only some content may be CTI-relevant, requiring effective filtering. Second, “first-hand” data can be CTI-relevant from a technical or strategic viewpoint. Thus, we demonstrate how to organize content along this distinction. Third, we describe the topics discussed. Thereby, we also highlight how “first-hand” data sources differ from each other. We adapt all our NLP tools to accommodate the domain-specific terminology. According to our filtering, 20% of our sample is CTI-relevant. Most of the CTI-relevant data focuses on strategic rather than technical discussions. Credit card-related cyber-crime is the most prevalent topic on darknet websites. On underground forums and chat channels, account and subscription selling is discussed most. Topic diversity is higher on underground forums and chat channels than on darknet websites. Our analyses suggest that different platforms may be used for activities with varying complexity and risks for criminals. Our primary contribution is a meta-analysis of several “first-hand” data sources based on the NLP pipeline we developed. We provide our NLP pipeline as an open-source tool for future research.

Is this your USB? No, but check this QR code for a free meal! Assessing awareness against dropped USBs and malicious QR codes

12:00 - 12:30

Johannes Nordskov, Tyge Tiessen and Emmanouil Vasilomanolakis

Anecdotal and preliminary work suggests that USB dropping attacks can be successful, while the misuse of QR codes has been steadily making the news. In this paper, we attempt to shed light on how these two attacks are met in practice by performing a series of experiments against different types of target entities: a large university, governmental agencies, and an NGO. For this we dropped a total of 235 USB drives (that contained harmless honeytokens) and placed 110 posters (with harmless QR codes). Our results suggest that QR codes are superior (680.91% total scan rate) to USB dropping attacks, possibly due to their ability to blend more easily into the attack environment along with social engineering elements. We also notice a strong bias in public perception, with USB drives appearing more dangerous than QR codes. USB drops (8.51% total activation rate) may still work but require precise and limited placement. Furthermore, we analyze the browsers used for scanning QR codes to identify at least 130 devices with critical vulnerabilities. Lastly, we examine how the effectiveness of these attacks depends on the targeted environments.

Lunch Break

12:30 - 14:00 (Timezone: CEST (UTC+02:00))

Session 2: Understanding Offenders

14:00 - 15:30 (Timezone: CEST (UTC+02:00))

Decomposing Culture within Threat Actor Groups – A Case Study of the Conti Ransomware Collective

14:00 - 14:30

Konstantinos Mersinas, Aimee Liu and Niki Panteli

Cybercriminal profiling and cyber-attack attribution have been elusive goals world-wide, due to their effects on societal and geopolitical balance and stability. Attributing actions to a group or state is a complex endeavour, with traditional established approaches including cyberthreat intelligence and analysis of technical means such as malware analysis, network forensics, and geopolitical intelligence. In this paper, we propose an additional component for profiling cybercriminal groups through analysing cultural aspects of human behaviors and interactions. We utilize a set of variables which determine characteristics of national and organisational culture to create a “cultural footprint” of threat actors. As a case study, we conduct thematic analysis across the six dimensions of the Hofstede national culture classification and the eight dimensions of the Meyer classification on leaked internal communications of the ransomware group Conti. We advocate that systematic analyses of similar communications can serve as a practical tool for a) understanding the modus operandi of cybercrime and cyberwarfare-related groups, and b) profiling cybercriminal groups and nation-state actors. Our approach can, first, inform a new angle in cybercriminal profiling; second, if combined with additional cyber threat intelligence, provide a level of confidence in nuanced cyber-attack attribution processes; and, third, assist with combating cybercrime.

(Research Talk) XP points to level up: gaming as a gateway to cybercrime

14:30 - 15:00

Yanna Papadodimitraki

This talk discusses how the gateway hypothesis is turned into a vehicle for the criminalisation of young people and tech communities. It notes a series of methodological and theoretical issues which contribute to the problematisation of the hypothesis in relation to its foundational studies in SUD, but also in relation to gaming and cybercrime. Moreover, it brings forward the position of law enforcement as captured by official law enforcement material and interviews conducted with police professionals. Finally, it relates this to the limitations of previous studies and their implications for young gamers.

An Experimental Design to Investigate Attacker Actions on an Access-as-a-Service ‘Criminal’ Platform

15:00 - 15:30

Roy Ricaldi, Yasen Yalamov, Michele Campobasso, Luca Allodi, Hannah Kool, Asier Moneva and Rutger Leukfeldt

Access-as-a-Service (AaaS) has reduced barriers to cybercriminal activity, enabling less skilled offenders to execute sophisticated attacks relying on remote access to compromised systems. Despite the growing accessibility of these services, little is understood about the factors influencing criminal decisions in the selection of their targets and the ensuing attack process. This short paper outlines the design and implementation of a ‘criminal’ AaaS platform aimed at attracting cybercriminal users to study their behavior. The platform, modeled after illicit marketplaces in the dark web, includes various market signals to assess their influence on cybercriminal decision-making and a ‘honeypot’ setup to evaluate attacker actions. In this paper we describe the methodology and infrastructure we are building to this purpose. Our intent is to present our experimental design to the WACCO community to collect feedback on the experiment setup and run, and to foster discussion on the technical and ethical challenges of active attacker measurement.

Coffee Break

15:30 - 16:00 (Timezone: CEST (UTC+02:00))

Session 3: Global-Scale Attacks

16:00 - 17:00 (Timezone: CEST (UTC+02:00))

Port in a Storm: Iranian Cyber Operations and Chinese Strategic Interests in Middle Eastern Maritime Infrastructure

16:00 - 16:30

Cosimo Melella, Francesco Ferazza, Konstantinos Mersinas and Ricardo Lugo

This paper examines the strategic implications of Iranian cyber attacks targeting port facilities in the Middle East, focusing on their intersection with China's Belt and Road Initiative (BRI). Analysing six case studies involving Iranian Advanced Persistent Threat (APT) groups between 2022 and 2024, we investigate how these cyber operations reflect broader geopolitical tensions and reveal potential friction between Iranian and Chinese regional objectives. The research demonstrates that Iranian cyber campaigns combine sophisticated technical approaches—including custom malware deployment, spear-phishing, and SCADA system exploitation—with influence operations to achieve immediate disruption and longer-term strategic goals. While Iran and China maintain formal cooperation through their 25-year Comprehensive Cooperation Agreement, their divergent approaches to regional engagement—Iran's confrontational stance versus China's economic pragmatism—create notable strategic tensions. Our findings suggest that, though technically sophisticated, Iran's cyber operations targeting maritime infrastructure may ultimately undermine China's BRI objectives of stable trade routes and regional economic integration. This research contributes to understanding how state-sponsored cyber operations against critical maritime infrastructure reflect and influence broader geopolitical dynamics while highlighting the complex interplay between physical and digital security in modern conflict.

Yet Another Diminishing Spark: Low-level Cyberattacks in the Israel-Gaza Conflict

16:30 - 17:00

Anh V. Vu, Alice Hutchings and Ross Anderson

We report empirical evidence of defacement and DDoS attacks carried out by low-level cybercrime actors in the Israel-Gaza conflict. Our quantitative measurement suggests an outbreak of such attacks following the Hamas-led assault and the subsequent declaration of war. However, the surges waned quickly after a few weeks, with patterns resembling those seen in the aftermath of the Russian invasion of Ukraine. The scale of attacks and discussions within the hacking community this time were both significantly less than those during the early days of the Russia-Ukraine war, and attacks have been mostly one-sided: many pro-Palestinian supporters have targeted Israel, while attacks on Palestine have been much less significant. Beyond targeting these two, attackers also defaced websites of other countries to express their war support. Their wider opinions are also one-sided, with far more support for Palestine and many objections expressed toward Israel.

End

17:00 (Timezone: CEST (UTC+02:00))

Review Model

Open reports

WACCO promotes an open and transparent review process. Reviews of accepted papers will be published together with the papers and archived in a public GitHub repository associated with WACCO. A link to that repository must be included in all accepted submissions. WACCO implements an open report model for the following reasons:

  • It documents why the paper was considered positively to contribute to the larger scientific domain it pertains to;
  • It provides a critique useful to better delineate research limitations and scope, which can be of particular benefit to young researchers and students alike;
  • It provides a structural incentive for reviewers to write constructive and clear reviews;
  • It provides a structural incentive for authors to implement reviewer recommendations for the camera-ready version of their paper;
  • It provides a critical viewpoint for future work and research follow-ups;
  • It provides additional transparency to the quality of the adopted review process and its outcomes.

Submission

WACCO encourages submission of full papers and position papers from academia, industry, and government for appearance in the EuroSP IEEE proceedings. They should present interesting results for both theory and experimentation in the area of attacker and cyber-crime operations. We also particularly welcome independent reproductions of previous studies or experiments, as well as negative results. We expect full papers to be 10 pages in length (IEEE format). Longer papers that document extensive experimentation are in scope; the additional material can be described in an annex to the main body of the paper. Position papers of around 4 pages in length should present new, open and interesting questions that the community should address, or open questions that past research papers have not yet addressed. We expect position papers to be presented in panels or poster-platform sessions.

Additionally, WACCO welcomes submissions of Research Talks. Research Talk submissions will go through the same review process as full/short papers and will be evaluated on the same quality criteria, but will not appear in the IEEE proceedings. We especially encourage the submission of multidisciplinary work looking for feedback from qualified experts in the domain. Research Talk submissions can be in any format and of a length commensurate with the contribution. Indicatively, Research Talk submissions are expected to be in the range of 7000-8000 words. To keep review loads acceptable, submissions of more than 10000 words may be desk rejected. Research Talk submissions should clearly state “Research Talk” in the title of the submission.

Anonymous submissions

Papers should be fully anonymized before review: author names or affiliations may not appear or be revealed in the text. Previous work of the authors should be referred to in the third person. In the unusual case that an anonymous reference is not possible, the authors should blind the reference (e.g. “[x] Blinded citation to preserve submission anonymity”). Papers that are not properly anonymized may be desk rejected.

Submission of work that has been previously presented at conferences without proceedings, even if that work is associated with the names of the authors, or that is published on online repositories such as ArXiv.org or SSRN, is allowed as long as the submission is fully anonymized. PC members who may recognize the work and its authors are asked to declare a conflict on that paper and will not be assigned to it.

Publications

All papers will be published by IEEE CS and posted on the IEEE digital libraries. All authors of accepted papers are expected to present their paper at the workshop.

Submission site

Please submit your paper through EasyChair.

Organization Committees

Program Co-chairs

  • Luca Allodi, Eindhoven University of Technology, l.allodi@tue.nl
  • Alice Hutchings, University of Cambridge, alice.hutchings@cl.cam.ac.uk
  • Sergio Pastrana, University Carlos III of Madrid, spastran@inf.uc3m.es

Publicity Chairs

  • Roy Ricaldi, Eindhoven University of Technology

Program Committee



Registration

The workshop is co-located with the 10th IEEE European Symposium on Security and Privacy (EuroS&P 2025). To register please visit the registration page of the main event.