WACCO 2019

First Workshop on Attackers and Cyber-Crime Operations

IEEE European Symposium on Security and Privacy 2019

June 20 - Stockholm, Sweden

The emergence and commoditization of cyber-criminal activities call for new empirical methods, measures, and technologies to quantify and understand offender operations across all forms of cyber-crime: from malware engineering and attack delivery, to running underground operations trading illegal goods such as drugs and illegal pornography, to spreading disinformation and planning (cyber-)terrorism operations. Without appropriate scientific measures of cyber-offender and attacker operations, capabilities, and resources, it remains impossible to derive sound policies, strategies and technologies that appropriately address realistic and evidence-based attacker and offender models.

The first Workshop on Attackers and Cyber-Crime Operations (WACCO 2019) aims to provide a venue for research and discussion on cyber-criminal activities. WACCO 2019 is co-located with the 4th IEEE European Symposium on Security and Privacy (EuroS&P 2019) in Stockholm, Sweden on June 20, 2019.

Call for Papers

WACCO 2019 calls for all contributions aiming at providing methods, measures, metrics, and technologies or tools to quantitatively or qualitatively evaluate cyber-offenders and attackers from technical and non-technical angles. The workshop invites contributions from, but not limited to, the fields of computer science and computer security, criminology, psychology, law, and economics addressing this issue.

Topics of interest include, but are not limited to:

  • Empirical studies on attacker operations and communities
  • Novel methods to perform attacker measurements at scale across several communities
  • Cooperation and trust as a source of attackers’ effectiveness
  • Attackers’ skill set
  • Attackers’ operational security
  • Measuring the spread of false information campaigns on social media
  • Quantitative and qualitative methods to measure, track, and counter cybercrime
  • Cybercrime measurement and networks
  • Cybercrime policy
  • Economics of cybercrime
  • Profiling of cybercriminals
  • Security metric design and evaluation
  • Security patch measurement
  • Statistical exploration and prediction of security incidents
  • Open Source Intelligence and digital footprints

The workshop is co-located with the 4th IEEE European Symposium on Security and Privacy (EuroS&P 2019).

Important Dates

All deadlines are Anywhere on Earth (AoE = UTC-12h).

Paper Submissions Due: March 10, 2019, 11:59 pm [EXTENDED] (originally February 25, 2019)
Acceptance Notice to Authors: April 5, 2019
Camera ready for accepted papers: April 22, 2019
Workshop: June 20, 2019

Accepted Papers

Full Papers:

  • Master of Sheets: A Tale of Compromised Cloud Documents

    Jeremiah Onaolapo, Martin Lazarov and Gianluca Stringhini

  • Beneath the Dark Web: Excavating the Layers of Cybercrime's Underground Economy

    Jonathan Lusthaus

  • A Qualitative Evaluation of Two Different Law Enforcement Approaches on Dark Net Markets

    Cerys Bradley and Gianluca Stringhini

  • Machete: Dissecting the Operations of a Cyber Espionage Group in Latin America

    Veronica Valeros, Maria Rigaki and Sebastian Garcia

  • Cascade and Chain Effects in Big Data Cybercrime: Lessons from the TalkTalk hack

    Maria Grazia Porcedda and David Wall

  • CARONTE: Crawling Adversarial Resources Over Non-Trusted, High-Profile Environments

    Michele Campobasso, Pavlo Burda and Luca Allodi

  • Characterising cybercrimes committed inside and outside the workplace

    Alice Hutchings and Ben Collier

  • Iniquitous Cord-Cutting: An Analysis of Infringing IPTV Services

    Prakhar Pandey, Maxwell Aliapoulios and Damon McCoy

Short Papers:

  • Youth Hackers and Adult Hackers: Who Are They?

    Sinchul Back, Jennifer LaPrade, Lana Shehadeh and Minju Kim

  • Geost Botnet: Operational Security Failures of a New Android Banking Threat

    Sebastián García, Maria Jose Erquiaga, Anna Shirokova and Carlos Garcia Garino



08:45 - 09:00

Please get a new badge for the workshop


09:00 - 09:15


09:15 - 10:00

Criminal activities are a fundamental part of our economies - Abstract

Dr. Victoria Wang, Institute of Criminal Justice Studies (ICJS), University of Portsmouth

In 2011, the Telegraph reported that one in ten banknotes was contaminated with cocaine. In 2012, the Telegraph reported that Mafia was Italy’s biggest business with a turnover of £116bn – equivalent to over 20% of their economy in the same year. In 2015, the Independent reported that the proceeds of money laundering invested in London properties are pushing up UK house prices. Criminal activities have always been a fundamental part of our economies. Today, cybercriminal activities are fast-replacing traditional ones in almost every single nation, because they are harder to trace, far more profitable and with infinite possibilities to evolve. We, in the cyber security industries, are left playing catch-up against criminal gangs and nation states with almost unlimited resources, and thus the criminals are setting the agenda. But it is not just the public that is not educated about cyber security, it is also company boards, even governments, who simply do not understand the scale of the security threats and risks that we face. This is no longer just about crime; it is about national security, democracy, and everything that we think that we believe in. It is a truly Darwinian struggle of survival of the fittest and we need to make sure that we are not the dinosaurs. Workshops like this cannot just be about the details. We must keep sight of the bigger picture and, perhaps more importantly, keep reminding those who control the purse-strings of the scale of the threats we face and the need for the resources to fight. There are a number of interesting research papers being presented today and I look forward to hearing them. I would also urge you all to be part of the wider conversation, and build the co-operative and cross-disciplinary research teams that we need to fight these threats. Enjoy your workshop!

Coffee Break

10:00 - 10:30

Poster Session

10:30 - 11:15

Geost Botnet: Operational Security Failures of a New Android Banking Threat - Abstract

Sebastián García, Maria Jose Erquiaga, Anna Shirokova and Carlos Garcia Garino

Effective operational security is difficult to maintain due to an increase in the costs of work and a decrease in the performance of actions. This is true both for security analysts and malicious attackers. It is tedious, and errors are easy to make. This paper describes the rare discovery of a new Android banking botnet, named Geost, from the operational security failures of its botmaster. They made many mistakes, including using the illegal proxy network of the HtBot malware, not encrypting their Command and Control servers, re-using security services, trusting other attackers with less operational security, and not encrypting chat sessions. The Geost botnet has hundreds of malicious domains, thirteen IP addresses for C&C servers, approximately 800,000 victims in Russia, and potential access to several million Euros in the bank accounts of the victims. More importantly, the operational security mistakes lead to the discovery of members of an underground group that develop and maintain the C&C of Geost. It is seldom possible to glimpse into the decisions taken by the attackers due to failures in their operational security. This research presents the finding of a new Android banking botnet from operational security mistakes, creates an overview of the botnet operation, analyses the victims, and studies the relationships with the discovered groups of developers.

Youth Hackers and Adult Hackers: Who Are They? - Abstract

Sinchul Back, Jennifer LaPrade, Lana Shehadeh and Minju Kim

Modern societies across the globe rely more on technology every day. While such advances have made some aspects of life easier, there is an increasing risk of cybercrime that can jeopardize national security and economic vitality. The purpose of this study is to build cybercriminal profiles in order to better predict future cyber-threats and create a more targeted prevention strategy for South Korea. The FBI's criminal profiling analysis is employed. Data were derived from court records and new media documents reporting computer hacking incidents in South Korea between 2010 and 2019. Our analysis shows that there are differences in motivations, attack methods, and accomplices in computer hacking incidents between youth and adult hackers. Policy implications are discussed.

Cyber Security Risk as an Experimental Discipline: a Proposal Building upon Capture the Flags - Abstract

Giorgio Di Tizio, Fabio Massacci, Luca Allodi, Stanislav Dashevskyi and Jelena Mirkovic

Characterizing the Redundancy of DarkWeb .onion Services - Abstract

Pavlo Burda, Coen Boot and Luca Allodi

Criminalising anonymity - a study of the Tor Project - Abstract

Ben Collier

Your research with our cybercrime data! - Abstract

Alice Hutchings

Session 1: Cybercrime Measurements

11:15 - 12:30

Master of Sheets: A Tale of Compromised Cloud Documents - Abstract

Jeremiah Onaolapo, Martin Lazarov and Gianluca Stringhini

As of 2014, a fifth of EU citizens relied on cloud accounts to store their documents according to a Eurostat report. Although useful, there are downsides to the use of cloud documents. They often accumulate sensitive information over time, including financial information. This makes them attractive targets to cybercriminals. To understand what happens to compromised cloud documents that contain financial information, we set up 100 fake payroll sheets comprising 1000 fake records of fictional individuals. We populated the sheets with traditional bank payment information, cryptocurrency details, and payment URLs. To lure cybercriminals and other visitors into visiting the sheets, we leaked links pointing to the sheets via paste sites. We collected data from the sheets for a month, during which we observed 235 accesses across 98 sheets. Two sheets were not opened. We also recorded 38 modifications in 7 sheets. We present detailed measurements and analysis of accesses, modifications, edits, and devices that visited payment URLs in the sheets. Contrary to our expectations, bank payment URLs received many more clicks than cryptocurrency payment URLs despite the popularity of cryptocurrencies and emerging blockchain technologies. On the other hand, sheets that contained cryptocurrency details recorded more modifications than sheets that contained traditional banking information. In summary, we present a comprehensive picture of what happens to compromised cloud spreadsheets.

Iniquitous Cord-Cutting: An Analysis of Infringing IPTV Services - Abstract

Prakhar Pandey, Maxwell Aliapoulios and Damon McCoy

Large scale, subscription based, Internet Protocol Television (IPTV) media piracy is occurring despite current copyright enforcement efforts. Cybercriminals are abusing legitimate services to set up and maintain illegitimate business operations offering pirated media content on a subscription basis. Due to the underground aspect of these pirated IPTV operations, these services are not well understood and so current enforcement action against them appears to not be effective. In this paper, we empirically measure the network infrastructure, payment, and order intermediary services that are used by a subset of the infringing IPTV ecosystem. We demonstrate how the measurements we make in this paper give insight into the business behind subscription based pirated media. Lastly, we show how these measurements can lead to potentially more informed policy decisions and intervention measures against subscription based IPTV piracy.

CARONTE: Crawling Adversarial Resources Over Non-Trusted, High-Profile Environments - Abstract

Michele Campobasso, Pavlo Burda and Luca Allodi

High-profile underground communities are characterised by high costs of entry and are known to monitor user activity, usually with the goal of discerning ‘desirable’ users from users whose only intent is to observe the community (e.g. law enforcement, or researchers). Further, the adoption of anti-robot server-side solutions may not only disrupt the researcher activities by blocking their crawlers, but may also jeopardize their access to the community entirely. This is particularly undesirable as large amounts of data from the underground are often a pre-requisite to transversally and automatically gather data from several communities (e.g. to train ML-aided crawlers unaware of forum structures). In this paper we present CARONTE, a tool to semi-automatically learn virtually any forum structure, while maintaining a low profile for the data collection and avoiding the requirement of collecting massive datasets to maintain tool scalability. We showcase CARONTE against four underground forum communities, and show that from the adversary’s perspective CARONTE maintains a profile similar to humans, whereas state-of-the-art crawling tools show clearly distinct and easy to detect patterns of automated activity.


12:30 - 14:00


14:00 - 14:15

Session 2: Cybercrime operations

14:15 - 15:30

Cascade and Chain Effects in Big Data Cybercrime: Lessons from the TalkTalk hack - Abstract

Maria Grazia Porcedda and David Wall

Big data and cybercrime are creating ‘upstream’, big data cyber-dependent crimes such as data breaches, DDoS attacks and spamming. They are essential components in a cybercrime chain which forms a cybercrime ecosystem that cascades ‘downstream’ to give rise to further crimes, such as fraud, extortion, etc., where the data is subsequently monetized. These downstream crimes have a massive impact upon victims and data subjects. The upstream and downstream crimes are often committed by entirely different offending actors against different victim groups, which complicates and frustrates the reporting, recording, investigative and prosecution processes. Taken together the crime stream’s cascade effect creates unprecedented societal challenges that need addressing in the face of the advances of AI and the IoT. This phenomenon is explored here by unpacking the TalkTalk case study to conceptualize how big data and cloud computing are creating cascading effects of disorganized but escalating data crime. Part of the larger CRITiCal project, the paper also hypothesizes key factors triggering the cascade effect and suggests a methodology to further investigate and understand it.

A Qualitative Evaluation of Two Different Law Enforcement Approaches on Dark Net Markets - Abstract

Cerys Bradley and Gianluca Stringhini

This paper presents the results of a qualitative study on discussions about two major law enforcement interventions against Dark Net Market (DNM) users extracted from relevant Reddit forums. We assess the impact of Operation Hyperion and Operation Bayonet (combined with the closure of the site Hansa) by analyzing posts and comments made by users of two Reddit forums created for the discussion of Dark Net Markets. The operations are compared in terms of the size of the discussions, the consequences recorded, and the opinions shared by forum users. We find that Operation Bayonet generated a higher number of discussions on Reddit, and from the qualitative analysis of such discussions it appears that this operation also had a greater impact on the DNM ecosystem.

Machete: Dissecting the Operations of a Cyber Espionage Group in Latin America - Abstract

Veronica Valeros, Maria Rigaki and Sebastian Garcia

Reports on cyber espionage operations have been on the rise in the last decade. However, operations in Latin America are heavily under-researched and potentially underestimated. In this paper we analyze and dissect a cyber espionage tool known as Machete. Our research shows that Machete is operated by a highly coordinated and organized group who focuses on Latin American targets. We describe the five phases of the APT operations from delivery to exfiltration of information and we show why Machete is considered a cyber espionage tool. Furthermore, our analysis indicates that the targeted victims belong to military, political, or diplomatic sectors. The review of the almost six years of Machete operations shows that it is likely operated by a single group, and their activities are possibly state-sponsored. Machete is still active and operational to this day.

Coffee Break

15:30 - 16:00

Session 3: Offenders and their ecosystem

16:00 - 16:50

Beneath the Dark Web: Excavating the Layers of Cybercrime's Underground Economy - Abstract

Jonathan Lusthaus

The Dark Web or DarkNet has attracted both considerable media and scholarly attention. While some use either term as a catchall for online malfeasance in general, others take a narrower view. If the Clear Web is the Internet of the average user, the Dark Web is hidden from view by way of anonymity platforms like Tor or I2P. Even by limiting the scope of what is considered part of the Dark Web, it occupies increasingly large amounts of academic investigation. This forms part of a broader tradition of analyzing relatively open cybercriminal marketplaces and forums. With the aid of data collected over a 7-year period, the focus of this paper is to help demarcate - beyond the Dark Web alone - all the layers within the world of profit-driven cybercrime. These include: 1) the top layer, which is the most open forums and marketplaces, whether Dark Web or otherwise; 2) the middle layer of more closely vetted forums; 3) the bottom layer of even smaller and more closed groupings; 4) the molten core, which is centered on the offline organization of cybercrime. The purpose of this analysis is to identify key aspects of the underground economy which warrant further scholarly attention, and to suggest possible approaches to engage with these subjects going forward.

Inside out: Characterising cybercrimes committed inside and outside the workplace - Abstract

Alice Hutchings and Ben Collier

This comparison of cybercrime offenders within and outside the workplace reveals they display very different types of offending behaviour, involving different demographics, initiation pathways, and types of offence. The Cambridge Computer Crime Database (CCCD) is a database of open source information about cybercrime arrests and prosecutions in the United Kingdom. This study analyses data from the CCCD spanning nine years, from 1 January 2010 to 31 December 2018. Insiders are more likely to be older, and commit less-technical offences, primarily data and system breaches. They are less likely to offend with others, the offences are less likely to be international in nature, and they are less likely to receive a custodial sentence. Most alleged offenders are men, but women are more likely to offend within their occupation than outside the workplace. Of those that offend in the workplace, the largest group consists of police officers or police staff. This is likely to reflect differences in the type of organisations that pursue criminal action against insiders. We draw on a strain theory framework to argue that these findings accord with different kinds of strain and differing reactions to strain. The data for crimes outside the workplace support a 'subcultural' pattern of adaptation to strain, with offenders tending to be younger, male and linked to co-offenders. The findings relating to insiders support an opportunity model of crime, with inter-workplace variation in opportunities, working cultures and sources of strain present in different workplaces.

16:50 - 17:00


Papers should be written in English and formatted following the IEEE guidelines for Euro S&P 2019 reported here. WACCO welcomes full as well as position papers for submission. Length limits are of 8 pages 10 pages and 4 pages respectively. Position papers should present new open and interesting questions that the community should address or open questions that past research papers have not yet addressed. We expect position papers to be presented in panels or poster-platform sessions.

Anonymous submissions

Papers should be fully anonymized before review: author names or affiliations may not appear or be revealed in the text. Previous work of the authors should be referred to in the third person. In the unusual case that an anonymous reference is not possible, the authors should blind the reference (e.g. “[x] Blinded citation to preserve submission anonymity”). Papers that are not properly anonymized may be desk rejected.


All papers will be published by IEEE CS and posted on the IEEE digital libraries. At least one author of each accepted paper is expected to present their paper at the workshop.

Submission Site

Please submit your submission through EasyChair here.

Program Committee Co-chairs

Luca Allodi, Eindhoven University of Technology
Serge Egelman, University of California, Berkeley
Alice Hutchings, University of Cambridge
Fabio Massacci, University of Trento
Marie Vasek, University of New Mexico


Publicity-Chair: Giorgio Di Tizio, University of Trento
Publicity-Chair: Vincent Harinam, University of Cambridge

Program Committee

Venue and Registration

The workshop is co-located with the 4th IEEE European Symposium on Security and Privacy (EuroS&P 2019). To register please visit the registration page of the main event.