How the Mafia Is Pivoting to Cybercrime

Police in Europe announced Monday that they had arrested more than 100 people connected with Mafia organizations that were employing hackers to support traditional crimes such as extortion and drug trafficking.

The crackdown was led by Spain's Policía Nacional in collaboration with Italy's Polizia di Stato and Europol. The authorities said that the organized crime groups employed hackers who were using phishing, social engineering attacks, and SIM swapping, as well as sending malware to victims with the goal of taking over their bank accounts and stealing their money. 

This operation highlights a new trend: traditional organized crime groups, such as the Italian Mafia and Camorra, are now dabbling in cybercrime to support their traditional offline activities, according to Italian and Spanish police investigators involved in the crackdown who spoke with Motherboard. 

"We have always thought that the Mafia is violent, that it does beatdowns and homicides. In other words, traditional crimes," Beatriz Gómez Hermosilla, the head of the group that investigates fraud in the Cybercrime Unit of Spain's Policía Nacional, told Motherboard in a phone call. "Now they are transforming toward the digital world. They are using hackers within their organization."

Gómez Hermosilla said that in the course of the police investigation into an alleged organized crime ring in Tenerife, one of Spain's Canary Islands, they realized that the criminals were using phishing to take control of bank accounts and were tricking victims into giving up their passwords. 

"We had never seen the Mafia focusing on these cybercrimes," she said. "Clearly they are undergoing a transformation to the digital era."

As of now, she said, they have arrested three people whom they believe were working as hackers for the organized crime ring.

"We had to use all the tools at our disposal," Gómez Hermosilla said.

She explained that they put several phones under surveillance, as the alleged criminals were replacing SIM cards every two or three days, as well as changing their locations. The investigators, she added, also used traditional monitoring techniques and hacked suspects' phones to install surveillance software on them. 

Ivano Gabrielli, the vice director of the Polizia Postale (Postal and Communications Police), a unit of Italy's state police that investigates cybercrime, told Motherboard that the organized crime ring identified in Tenerife was led by fugitive members of Italian Mafia rings. Gabrielli said that the Italian investigators are still looking for more hackers involved in the organization. 

"There must have been a team of technicians that managed this digital evolution," Gabrielli said. "It's likely that these were Italian hackers that we are looking for right now, using the data found analyzing the devices seized in the operation."

Gabrielli said that Italian investigators believe this team was contracted by the Mafia members as a freelance unit. 

"I don't think we found the developers who compile and modify malware, who customize the infostealer, who customize the phishing email and so on," Gabrielli told Motherboard. 

The hackers were using SIM swapping to take control of victims' cellphone numbers and subsequently their bank accounts. They also called them pretending to be their bank's customer support, tricking targets into installing monitoring and remote technical support software such as TeamViewer with the excuse that they needed it to help them solve problems with the actual banking app, according to Gabrielli. Lastly, Gabrielli said, the hackers would also send malware to victims through malicious websites—in what are known as watering hole attacks—as well as phishing emails containing malicious attachments. 

Gabrielli said it was inevitable for the Mafia to go online. Cybercrime is attractive because it's less risky than other activities, and it allows for more anonymity, he said.  

Nunzia Ciardi, the director of the Polizia Postale said last year in an interview with La Via Libera, an Italian magazine that reports on organized crime and corruption, that transnational organized crime was behind a slew of ransomware attacks. 

Federico Varese, a Professor of Criminology at the University of Oxford who studies organized crime, told Motherboard that there have been some isolated cases in the past that suggested Mafia-like organizations were turning to cybercrime, particularly in Romania.

Varese said he suspects that there is still a division of labor between the mobsters and the hackers.

"Those who do the classic cybercrime, trojans, entering into computers to steal money from online banks—I think those kinds of people will be different from the ones who actually commit extortion and homicides," he said. 

But in the future, he added, "there will be opportunities to have synergies."

"In order for cybercrime to thrive you need an offline dimension," Varese told Motherboard in a phone interview. "So it's not surprising that you have some convergence of traditional organized crime and cybercrime."

Subscribe to our cybersecurity podcast CYBER, here.