project-cosmos

Project COSMOS Ontology Reference

Classes

Accomplice

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Accomplice

Label: Accomplice

rdfs:comment:

Describes roles within the ecosystem that knowingly and deliberately facilitates the criminal or malicious actions of other role players.

Botnets

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Botnets

Label: Botnets

rdfs:comment:

A botnet is a network of compromised devices infected with malware, remotely orchestrated by criminals to conduct cyberattacks such as DDoS, phishing, spamming, and distributing malware.

Common Pattern Phase

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#CommonPatternPhase

Label: Common Pattern Phase

rdfs:comment:

Composite Pattern Phase

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#CompositePatternPhase

Label: Composite Pattern Phase

rdfs:comment:

Credential and Identity Artifacts

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Credential_and_Identity_Artifacts

Label: Credential and Identity Artifacts

rdfs:comment:

A specialized subclass encompassing illicit products derived from stolen authentication and identity data, including raw credential dumps, comprehensive identity sets, and ancillary services that augment the value of such data for cyber-enabled fraud.

Crimeware

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Crimeware

Label: Crimeware

rdfs:comment:

A class of products and services traded in the cybercrime underground: malicious tools and software designed to enable or automate various forms of cybercrime.

Dark Platforms

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Dark_Platforms

Label: Dark Platforms

rdfs:comment:

A subclass of Platforms that are explicitly designed for or dominated by illicit activities, often operating on the dark web or through anonymizing technologies.

Deceptive_Platforms

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Deceptive_Platforms

Label: Deceptive_Platforms

rdfs:comment:

A subclass of Platforms that includes websites, apps, or other online services deliberately fabricated to appear credible, but which exist primarily to deceive and exploit unsuspecting victims.

Disruption

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Disruption

Label: Disruption

rdfs:comment:

Broad term covering activities that interfere with the normal functioning of digital systems or infrastructure.

Economic Impact

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Economic_Impact

Label: Economic Impact

rdfs:comment:

Harms that represent financial consequences (e.g., loss of money, fines, extra costs) experienced by victims.

Environmental Impact

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Environmental_Impact

Label: Environmental Impact

rdfs:comment:

Harms that represent damage to the environment or natural resources (e.g., pollution, facility damage with ecological effects) caused by an event phase.

Extortion

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Extortion

Label: Extortion

rdfs:comment:

Broad term covering activities that are fundamentally a form of extortion.

Facilitator

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Facilitator

Label: Facilitator

rdfs:comment:

A neutral term used in criminology to describe a role that enables or assists in the execution of a crime, unwittingly, unintentionally, or opportunistically.

Financial Services

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Financial_Services

Label: Financial Services

rdfs:comment:

A class containing illicit operations that facilitate the movement, laundering, or monetization of stolen funds and assets.

General Victim

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#General_Victim_Groups

Label: General Victim

rdfs:comment:

Instances represent broad categories of victims (e.g., “employees”, “customers”, “financial institutions”) not tied to a single incident.

Geopolitical Impact

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Geopolitical_Impact

Label: Geopolitical Impact

rdfs:comment:

Harms affecting government or international stability (e.g., tensions from a state-sponsored cyber attack) caused by an event phase.

Grey Platforms

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Grey_Platforms

Label: Grey Platforms

rdfs:comment:

A subclass of Platforms describing platforms that operate legally but are often unregulated, have weak compliance measures, or are intentionally permissive.

Harm

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Harm

Label: Harm

rdfs:comment:

Instances represent specific kinds of damage or impact that victims may suffer. For example, an individual might denote a financial loss or system downtime caused by an event phase.

Illicit Access Products

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Illicit_Access_Products

Label: Illicit Access Products

rdfs:comment:

Informational Impact

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Informational_Impact

Label: Informational Impact

rdfs:comment:

Harms represent compromises to information assets (e.g., stolen or corrupted data, denied access) suffered by victims.

Infrastructure Services

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Infrastructure_Services

Label: Infrastructure Services

rdfs:comment:

A class of products and services traded in the cybercrime underground that provide the technical backbone for malicious operations.

Legitimate Platforms

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Legitimate_Platforms

Label: Legitimate Platforms

rdfs:comment:

A subclass of Platforms that describes Platforms that operate within legal frameworks, comply with regulations, and are not inherently designed for illicit purposes but may be exploited by cybercriminals.

Market

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Market

Label: Market

rdfs:comment:

A market is a structured ecosystem where buyers and sellers interact to exchange specific types of products and services via different platforms.

Market is a class of entities that represent an informal or unstructured trading ‘market’ within underground ecosystems. A Market entity is linked to an arbitrary number of Role Players, Platforms, and Commodities that describe the market, and is intended to be linked to other Markets or Pattern Phases to indicate how it contributes to the creation of a given pattern.

Market has sub-classes for specific cases where the Market manifests as a service or managed service in the underground economy.

Market or Supply Chain

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Market_or_Supply_Chain

Label: Market or Supply Chain

rdfs:comment:

This sub-class of Markets contains entities that are marketplaces or supply chains for products or services in the underground.

Operational Impact

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Operational_Impact

Label: Operational Impact

rdfs:comment:

Harms represent disruptions to normal operations (e.g., service outages, workflow stops) caused by an event phase.

Pattern

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Pattern

Label: Pattern

rdfs:comment:

A Pattern is a structured model representing a recurrent, recognizable manifestation of illicit, harmful cyber-dependent or cyber-enabled activity, encompassing multiple, diverse Pattern Phases that collectively express a coherent operational or business model, without implying criminality or attribution.

  1. “Recognizable” - it has been noted and described.
  2. “Recurrent” - it happens often enough, and in a consistent enough manner, to be called a Pattern.
  3. Cyber-enabled or Cyber-dependent - must have a significant cyber component.
  4. Illicit - forbidden by law, rules or customs; adverse - negative impact on the victim; exploitative - produces advantage or gain for the perpetrator.
  5. Complex business or operational model - cannot be simplified to a TTP or Pattern Phase.

Pattern Phase

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Pattern_Phase

Label: Pattern Phase

rdfs:comment:

Pattern Phases describe a single, recognizable, illicit, adverse or exploitative cyber-dependent or cyber-enabled activity. In the Diamond Model of Intrusion Analysis, a Diamond Event is a discrete occurrence that connects at least two of the model’s core elements: Adversary, Capability, Infrastructure, and Victim. Each event represents a specific action or interaction, such as an adversary deploying malware (Capability) through a phishing email (Infrastructure) to compromise a victim’s system. Events are the building blocks of the model, enabling analysts to break down complex attacks into smaller, understandable components.

Events are not isolated; they are part of a larger sequence of actions that adversaries use to achieve their objectives. For example, an event might involve an adversary using a fake website (Infrastructure) to steal credentials from a victim, which is then followed by another event where the adversary uses those credentials to access the victim’s account. By analyzing these events, investigators can identify Patterns, infer adversary intent, and trace the progression of an attack.

Each event in the Pattern Phase is enriched with meta-features such as time, phase, and methodology, which provide additional context. These meta-features help analysts understand when the event occurred, how it fits into the broader attack lifecycle, and what techniques were used. By linking events together into activity threads, analysts can reconstruct the full narrative of an intrusion, enabling better detection, response, and prevention strategies.

USAGE NOTE: Some Pattern Phases (especially technical) occur commonly across diverse Patterns; they are labelled “Common” and can be re-used.

Payment Instruments

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Payment_Instruments

Label: Payment Instruments

rdfs:comment:

This class contains mediums of exchange—such as cryptocurrencies, fiat currencies, gift cards, prepaid cards, electronic wallets, and other value‐transfer instruments—that actors acquire, trade, and launder within the cybercrime ecosystem.

Perpetrator

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Perpetrator

Label: Perpetrator

rdfs:comment:

Refers to a function within the ecosystem that acts directly on a victim, or that directly or knowingly contributes to the commission of a crime.

Physical Impact

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Physical_Impact

Label: Physical Impact

rdfs:comment:

Harms represent real-world damage or injury (e.g., destroyed hardware, physical harm to people) resulting from an event phase.

Platform

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Platform

Label: Platform

rdfs:comment:

Contains generally-described technology services, applications or platforms that are used to facilitate a Pattern Phase, transaction, exchange of value or communication between role players.

Platforms can be linked to Markets and Pattern Phases.

Products and Services

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Products_and_Services

Label: Products and Services

rdfs:comment:

Products and Services encompass tools, capabilities, goods, or services used within Pattern Phases to enable, facilitate, or support cybercrime activity. They are traded on Marketplaces and may be linked to both Pattern Phases and Marketplaces.
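The Market, Platform and Products and Services comments above each state which other classes an entity may be linked to. The following is an added example, not code from the COSMOS project, that encodes those stated link rules and the subclass relations given in the rdfs:comment texts as a small stdlib-only checker, and then validates a set of constructed instance links against them. The property name `linkedTo`, the instance names prefixed `Example`, and the subclass edges marked "assumed" in the comments are assumptions made for this example; the class IRIs are the ones listed on this page.

```python
"""Added example: check instance links against the link rules stated in the
COSMOS ontology reference. Not project code; see comments for assumptions."""

COSMOS = "http://cosmos.cybercrime-atlas.org/project-cosmos#"

# Direct subclass edges (local name -> parent), taken from the page text.
# Edges commented "assumed" are not spelled out on the page.
SUBCLASS_OF = {
    "Dark_Platforms": "Platform", "Deceptive_Platforms": "Platform",
    "Grey_Platforms": "Platform", "Legitimate_Platforms": "Platform",
    "Market_or_Supply_Chain": "Market", "Underground_Managed_Service": "Market",
    "Underground_Service": "Market",
    # "Role Player" is stated to be the super class for all roles
    "Accomplice": "Role_Player", "Facilitator": "Role_Player",
    "Perpetrator": "Role_Player",
    # each *_Impact comment begins "Harms that represent ..."
    "Economic_Impact": "Harm", "Environmental_Impact": "Harm",
    "Geopolitical_Impact": "Harm", "Informational_Impact": "Harm",
    "Operational_Impact": "Harm", "Physical_Impact": "Harm",
    "Psychological_Impact": "Harm",
    "General_Victim_Groups": "Victim", "Specific_Victim_Groups": "Victim",
    # assumed: the three Pattern Phase variants have empty comments on the page
    "CommonPatternPhase": "Pattern_Phase", "CompositePatternPhase": "Pattern_Phase",
    "SpecificPatternPhase": "Pattern_Phase",
    # assumed: commodity classes grouped under Products and Services
    "Crimeware": "Products_and_Services", "Infrastructure_Services": "Products_and_Services",
    "Vulnerabilities_and_Exploits": "Products_and_Services",
    "Credential_and_Identity_Artifacts": "Products_and_Services",
}

# Allowed link targets per subject class, as stated on the page: Platforms link
# to Markets and Pattern Phases; Products and Services to Pattern Phases and
# Markets; Markets to Role Players, Platforms, Commodities, Markets and Pattern
# Phases; Harms are caused by an event phase and suffered by victims; Victims,
# Techniques and Patterns attach to Pattern Phases; Tactics to Techniques.
LINK_TARGETS = {
    "Platform": {"Market", "Pattern_Phase"},
    "Products_and_Services": {"Pattern_Phase", "Market"},
    "Market": {"Role_Player", "Platform", "Products_and_Services", "Market", "Pattern_Phase"},
    "Harm": {"Pattern_Phase", "Victim"},
    "Victim": {"Pattern_Phase"},
    "Technique": {"Pattern_Phase"},
    "Tactic": {"Technique"},
    "Pattern": {"Pattern_Phase"},
}


def ancestors(cls):
    """Return cls followed by its transitive superclasses, nearest first."""
    chain = []
    while cls is not None and cls not in chain:
        chain.append(cls)
        cls = SUBCLASS_OF.get(cls)
    return chain


def is_subclass_of(cls, ancestor):
    return ancestor in ancestors(cls)


def link_rule_for(cls):
    """Nearest class in the ancestor chain (including cls) that has a link rule."""
    for c in ancestors(cls):
        if c in LINK_TARGETS:
            return c, LINK_TARGETS[c]
    return None, set()


def validate(types, links):
    """types: {instance: class}; links: [(subject, object)] for the hypothetical
    property cosmos:linkedTo. Returns a list of (subject, object, reason)."""
    problems = []
    for s, o in links:
        if s not in types or o not in types:
            problems.append((s, o, "instance without rdf:type"))
            continue
        rule_cls, allowed = link_rule_for(types[s])
        if rule_cls is None:
            problems.append((s, o, f"no link rule for class {types[s]}"))
        elif not any(is_subclass_of(types[o], a) for a in allowed):
            problems.append((s, o, f"{types[s]} may not link to {types[o]}; allowed: {sorted(allowed)}"))
    return problems


# Constructed sample instances. BotnetOperator is an individual listed on the
# page; the Example* names are invented for this demonstration.
SAMPLE_TYPES = {
    "BotnetOperator": "Accomplice", "ExampleForum": "Dark_Platforms",
    "ExampleBotnetMarket": "Underground_Service", "ExampleDDoSPhase": "CommonPatternPhase",
    "ExampleOutage": "Operational_Impact", "ExampleRetailer": "Specific_Victim_Groups",
}
SAMPLE_LINKS = [
    ("ExampleBotnetMarket", "BotnetOperator"),  # Market -> Role Player: allowed
    ("ExampleBotnetMarket", "ExampleForum"),    # Market -> Platform: allowed
    ("ExampleForum", "ExampleDDoSPhase"),       # Platform -> Pattern Phase: allowed
    ("ExampleOutage", "ExampleDDoSPhase"),      # Harm -> Pattern Phase: allowed
    ("ExampleForum", "ExampleRetailer"),        # Platform -> Victim: not allowed
]


def demo():
    """Validate the constructed sample; only the last link should be flagged."""
    return validate(SAMPLE_TYPES, SAMPLE_LINKS)


if __name__ == "__main__":
    for s, o, reason in demo():
        print(f"{COSMOS}{s} -> {COSMOS}{o}: {reason}")
```

The checker resolves each link rule through the subclass chain, so an Underground Service inherits Market's rule and a Dark Platform inherits Platform's; an instance of a class with no rule in its chain is reported rather than silently accepted, which is the behaviour you want when the ontology is extended with classes whose link constraints have not been written down yet.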

Psychological Impact

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Psychological_Impact

Label: Psychological Impact

rdfs:comment:

Harms that represent emotional or mental harm (e.g., anxiety, trauma) experienced by victims due to an event phase.

Reconnaissance and Open Source Intelligence

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#ReconnaissanceAndOpenSourceIntelligence

Label: Reconnaissance and Open Source Intelligence

rdfs:comment:

Dual-use tools, platforms, datasets, and services that collect or organize publicly available technical, organizational, or personal information, enabling legitimate research and security work but also supporting adversary target discovery, profiling, and attack preparation.

Role Player

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Role_Player

Label: Role Player

rdfs:comment:

Super class for all roles that are performed within the cybercrime ecosystem, generally described.

Scams and Fraud

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Scams_and_Fraud

Label: Scams and Fraud

rdfs:comment:

The intentional act of deception or misrepresentation used to secure an unlawful gain, typically involving financial or material advantage.

Specific Pattern Phase

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#SpecificPatternPhase

Label: Specific Pattern Phase

rdfs:comment:

Specific Victim

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Specific_Victim_Groups

Label: Specific Victim

rdfs:comment:

Instances represent more concrete categories of victims (e.g., “data owners”, “trading firms”) who could be affected by a phase.

Tactic

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Tactic

Label: Tactic

rdfs:comment:

MITRE ATT&CK or CAPEC threat action tactic. Linked to a Technique to capture what stage in the kill chain the technique is involved in.

Technique

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Technique

Label: Technique

rdfs:comment:

MITRE ATT&CK or CAPEC threat action technique. Linked to a Pattern Phase to describe the illicit actions role players would or could perform.

Theft

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Theft

Label: Theft

rdfs:comment:

The unlawful taking of another person’s property with the intent to permanently deprive them of its use or possession.

Underground Managed Service

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Underground_Managed_Service

Label: Underground Managed Service

rdfs:comment:

This sub-class of Markets contains entities that act like businesses to deliver managed or continuous services (probably on a subscription basis) to other Role Players within the underground economy.

Underground Service

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Underground_Service

Label: Underground Service

rdfs:comment:

This sub-class of Markets contains entities that act like businesses to deliver specific services to other Role Players within the underground economy.

Victim

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Victim

Label: Victim

rdfs:comment:

Instances represent entities targeted or affected by a pattern phase, such as an individual person, a specific organization, or a type of system.

Vulnerabilities and Exploits

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Vulnerabilities_and_Exploits

Label: Vulnerabilities and Exploits

rdfs:comment:

A class of products and services traded in the cybercrime underground that provide vulnerability information, exploits and associated tools.

Individuals

Class: Accomplice

Botnet Operator

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#BotnetOperator

Label: Botnet Operator

alsoCalled: Botmaster; Botnet Herder

shortDescription:

A botnet operator controls networks of compromised devices via command-and-control infrastructure, enabling accomplice cybercriminals to conduct attacks at scale, including disruption, malware delivery, or fraud, by renting or supplying distributed computing power.

longDescription:

A Botnet Operator is an accomplice role in the cybercrime ecosystem responsible for building, maintaining, and controlling a network of infected devices called a botnet. These devices, which may include personal computers, servers, or Internet-of-Things equipment, are compromised using malware and then remotely directed through command-and-control (C2) systems.

This role is typically carried out by technically capable individuals or small organized groups who specialize in maintaining reliable and scalable infrastructure rather than executing specific end-stage crimes. Their primary capability is providing distributed computing power and reach, which can be used to launch large-scale attacks such as distributed denial-of-service (DDoS), send spam or phishing campaigns, distribute malware, or support credential harvesting operations.

Botnet operators act as service providers to other cybercriminals, renting access to their networks through underground forums or private channels. This allows less technically skilled actors like fraudsters, phishers or intrusion operators to conduct high-impact operations without needing to build their own infrastructure.

The supporting infrastructure includes infected “zombie” devices and resilient hosting environments for command-and-control servers.

variant:

Call Center Operator

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Call_Center_Operator

Label: Call Center Operator

alsoCalled:

shortDescription:

Facilitates scams by making deceptive phone calls or handling inbound communications to manipulate victims into providing money, information, or access.

longDescription:

In cybercrime operations, call center operators act as the human interface between the criminal network and the victim, using scripted interactions to execute scams or fraud schemes. These individuals may pose as representatives of legitimate entities, such as banks, government agencies, or technical support teams, to build trust or create a sense of urgency. Their primary objective is to persuade victims into taking actions that benefit the scammers, such as transferring funds, providing sensitive information, or granting remote access to devices.

Call center operators often work in organized setups, sometimes referred to as “scam call centers,” which are structured to handle high volumes of calls and support multiple fraudulent campaigns simultaneously. These operations may focus on specific scams, such as tech support fraud, tax collection scams, or lottery schemes, using psychological techniques and social engineering to exploit victims’ fears or desires. The operators follow carefully designed scripts, adjusting their approach based on the victim’s responses, to increase the likelihood of success.

While some call center operators are complicit members of the criminal organization, others may be unwitting participants recruited under the guise of legitimate employment. These roles are particularly prevalent in regions with lax enforcement, where large-scale call centers operate semi-openly. Their involvement is critical to many fraud operations, as they provide the direct interaction necessary to convince and exploit victims.

variant:

Exploit Developers

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Exploit_Developers

Label: Exploit Developers

alsoCalled:

shortDescription:

Malicious coders who convert identified software weaknesses into functional attack scripts, enabling automated intrusion and privilege escalation against unpatched targets.

longDescription:

Exploit Developers are specialized threat actors devoted to crafting, refining, or repackaging exploit code. These individuals transform raw vulnerability data into precise, often modular payloads that can be integrated into broader cybercrime campaigns. While some exploit developers may reverse-engineer patches to produce reliable “N-day” exploits, the most valued among them focus on undisclosed “0-day” flaws that bypass existing defenses. In underground markets and private broker circles, Exploit Developers command high fees for their technical prowess, fueling cybercriminal ecosystems by providing the cornerstone of initial access and privilege escalation.

variant:

Fake Profile Creator

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Fake_Profile_Creator

Label: Fake Profile Creator

alsoCalled: Catfisher; Face Fraud Factory; Impersonator; Social Media Fraudster

shortDescription:

An organized operation that produces and utilizes fake identities, often using sophisticated techniques to create convincing fraudulent profiles.

longDescription:

An organized operation that produces and utilizes fake identities, often using sophisticated techniques to create convincing fraudulent profiles, sometimes using real or synthetic photos, names, and personal information to create fake identities. These can be used for fraudulent activities such as opening bank accounts, applying for loans, or engaging in social engineering attacks.

These actors use advanced technologies like deepfakes, AI-generated images, and stolen personal information to make the fake identities more convincing and harder to detect, operating at scale to produce large numbers of fake profiles, which can be sold or used in multiple fraudulent schemes.

variant:

Insider Corrupt Employee

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Insider_Corrupt_Employee

Label: Insider Corrupt Employee

alsoCalled:

shortDescription:

A trusted individual inside an organization who knowingly abuses their access or position to facilitate cybercrime or theft.

longDescription:

An “Insider/Corrupt Employee” is someone within a legitimate organization, such as a financial institution, payment processor, or corporate environment, who intentionally participates in criminal activity. They may override fraud checks, approve unauthorized wire transfers, or leak sensitive data for a bribe or share of the proceeds. This role leverages legitimate privileges and knowledge of internal processes to bypass security controls or conceal suspicious transactions, making them a powerful asset in complex scams, including Business Email Compromise, money laundering, or large-scale data theft. Unlike an external attacker, this insider has pre-existing trust and authorized access, which significantly reduces the technical barriers to fraud and can complicate detection efforts for security teams.

variant:

Money Mule

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Money_Mule

Label: Money Mule

alsoCalled: Cash Courier; Drop Account Holder; Financial Mule; Fund Transfer Agent; Payment Mule; Transaction Mule

shortDescription:

A money mule is an individual who transfers illegally obtained money between different financial accounts, often unknowingly, on behalf of criminals to obscure the source of the funds.

longDescription:

A money mule is a critical component in the process of money laundering and fraudulent financial schemes. These individuals are used by criminals to move and launder illicit funds through various bank accounts, digital payment systems, or cryptocurrencies to make the money appear legitimate and to hide the identity of the criminals and the origin of the money. Money mules may be recruited through various means, including deceptive job postings that promise easy money for work-from-home positions, direct contact via email or social media, or through relationships with the criminals themselves.

variant:

Payment Platform Exploiter

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Payment_Platform_Exploiter

Label: Payment Platform Exploiter

alsoCalled:

shortDescription:

Individuals or groups that manipulate digital financial systems to obscure, transfer, or facilitate the movement of illicit funds obtained through fraudulent schemes.

longDescription:

This role involves leveraging legitimate online payment systems, digital wallets, and bank accounts to process, conceal, or redirect unlawfully acquired assets. These actors exploit weaknesses in transaction mechanisms, authentication protocols, or regulatory oversight to ensure that proceeds from deceptive activities evade detection. By capitalizing on vulnerabilities in financial platforms, they serve as a critical bridge between fraudsters and the ultimate monetization of ill-gotten gains.

These contributors specialize in creating or accessing compromised accounts, linking fake or stolen identities to payment systems, and utilizing unregulated or lightly regulated digital exchanges. They may operate independently, renting out accounts for a fee, or as part of a larger criminal operation, assisting in the laundering and transfer of money across jurisdictions. Their expertise extends to the manipulation of cryptocurrency platforms, peer-to-peer transfer systems, and even remittance services to ensure their activities remain undetected.

Distinct from those orchestrating fraudulent schemes or transferring funds manually, these operators provide technical expertise and infrastructure to sustain the financial flow of cybercriminal ecosystems. Their actions often blur the line between service provider and accomplice, making them indispensable for ensuring the continuity of fraud operations, particularly in international scams.

variant:

Recon Specialist

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Recon_Specialist

Label: Recon Specialist

alsoCalled:

shortDescription:

Gathers intelligence on targets using OSINT tools, social engineering, and other methods to identify vulnerabilities for exploitation.

longDescription:

A Recon Specialist plays a critical role in the early stages of a cyberattack, focusing on gathering information about potential targets to identify weaknesses and opportunities for exploitation. These individuals leverage Open-Source Intelligence (OSINT) tools and techniques to collect publicly available data, such as employee names, email addresses, organizational structures, and technical details like IP addresses or software versions. Recon Specialists often scour social media platforms, company websites, and public databases to build a detailed profile of their target, which can then be used to craft highly tailored attacks.

In addition to OSINT, Recon Specialists may employ social engineering techniques to extract sensitive information directly from individuals within the target organization. This could involve pretexting (posing as a trusted entity), phishing, or even direct phone calls to gather details about internal processes, schedules, or access credentials. Their goal is to exploit human vulnerabilities and gain insights that automated tools cannot easily uncover. By combining technical and psychological methods, Recon Specialists ensure that subsequent attack phases, such as phishing or malware deployment, are more likely to succeed.

Recon Specialists are often part of larger cybercriminal operations, working in collaboration with other role players like malware developers, access brokers, or phishing operators. Their work is foundational to the success of the attack, as it provides the intelligence needed to craft convincing lures or identify exploitable systems. In some cases, Recon Specialists may sell the information they gather to other cybercriminals on underground forums or marketplaces, making them a key component of the cybercrime ecosystem.

variant:

Scriptwriter

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Scriptwriter

Label: Scriptwriter

alsoCalled:

shortDescription:

Individuals who craft persuasive narratives and dialogues that other role players use to deceive victims

longDescription:

Crafts persuasive narratives, pre-written dialogues, and scenarios designed to deceive, manipulate, or exploit victims. Their work often forms the backbone of social engineering schemes, such as romance baiting, phishing campaigns, or fraud operations, by creating emotionally or psychologically compelling content that drives the scam’s success.

Scriptwriters produce content tailored to exploit human vulnerabilities, such as trust, fear, or greed. For instance, in a romance scam, they may craft detailed stories about fictitious emergencies, long-distance love stories, or financial hardships to elicit sympathy and financial aid from victims. Similarly, in phishing attacks, they design emails or messages that impersonate trusted entities, leveraging urgency or authority to compel victims to disclose sensitive information.

These individuals or groups may operate independently or as part of a larger criminal organization, providing their services as a form of “deceptive content production.” Their scripts are often reusable and scalable, enabling other cybercriminals to replicate scams across numerous victims, highlighting their critical role in the ecosystem of organized cybercrime.

variant:

Vulnerability Brokers

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Vulnerability_Brokers

Label: Vulnerability Brokers

alsoCalled:

shortDescription:

Intermediaries who buy and sell zero-day or N-day vulnerability information, bridging the gap between exploit developers, insiders, and high-paying criminal or state-backed buyers.

longDescription:

Vulnerability Brokers operate as go-betweens within the shadowy world of illicit vulnerability trade. They cultivate relationships with exploit developers, insider “bug poachers,” and financially motivated security researchers, amassing a portfolio of flaws across software categories—from widely used operating systems to specialized industrial platforms. These brokers then market or auction these vulnerabilities to dedicated threat actors such as ransomware affiliates, espionage groups, or advanced persistent threat cells. Often working through invite-only forums or specialized Tor-based broker portals, Vulnerability Brokers streamline transactions, ensure escrow services, and handle dispute resolution—thereby driving the underground economy of undisclosed exploits and patch-evading code.

variant:

Vulnerability Researchers

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Vulnerability_Researchers

Label: Vulnerability Researchers

alsoCalled: Bug Hunters

shortDescription:

Individuals skilled in discovering software and hardware security flaws, who may channel their findings into ethical bug bounty programs or choose to sell them on underground markets.

longDescription:

Vulnerability Researchers, colloquially called “Bug Hunters,” possess the analytical expertise to pinpoint coding errors, misconfigurations, and systemic weaknesses. In the legitimate security community, these researchers often participate in bug bounty initiatives, reporting their findings to vendors for recognition and financial rewards. However, a subset of these talents—sometimes dubbed “bug poachers” when they operate illicitly—prefers the potentially higher payouts of the criminal sphere, selling or privately auctioning their discoveries to exploit developers or vulnerability brokers. Their skill sets can tilt the scale between bolstering cybersecurity and fuelling the ongoing arms race in the cybercrime ecosystem.

variant:

Class: Botnets

Botnet Services

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#BotnetServices

Label: Botnet Services

alsoCalled:

shortDescription:

Access to a network of malware-infected devices via command-and-control infrastructure to launch large-scale attacks against victims, enabling disruption, fraud, or data theft as an on-demand illicit service in underground markets.

longDescription:

An illicit service offering in the cybercrime ecosystem where attackers provide access to a botnet - a network of compromised computers, phones, or internet-connected devices controlled remotely through malicious software. These services are commonly marketed as “botnet-for-hire” or “booter/stresser” platforms and allow other criminals to carry out attacks without building their own infrastructure.

The role player is typically a botnet operator or service provider, ranging from individual hackers to organized cybercrime groups. Their capability involves maintaining control over thousands or even millions of infected devices and enabling customers to use that distributed computing power for malicious purposes. Common uses include launching distributed denial-of-service (DDoS) attacks, sending spam, spreading malware, or stealing sensitive information such as login credentials.

The infrastructure consists of compromised “zombie” devices, the malware used to infect them, and command-and-control systems that coordinate activity across the network. Access to this infrastructure is often rented on a subscription or pay-per-use basis, making large-scale attacks accessible even to low-skilled offenders. Victims include businesses, public services, and individuals whose systems may be disrupted, exploited, or unknowingly used as part of the botnet. The impact ranges from service outages and financial loss to privacy breaches and enabling further cybercrime.

Botnet services are a key component of the broader cybercrime-as-a-service economy, often supporting multiple attack patterns including fraud, extortion, and unauthorized access operations.

variant:

Mobile botnet rental

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Mobile_botnet_rental

Label: Mobile botnet rental

alsoCalled:

shortDescription:

longDescription:

variant:

Class: Common Pattern Phase

Common Infostealer Deployment and Log Harvesting

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#DiamondCommonInfostealerDeploymentAndLogHarvesting

Label: Common Infostealer Deployment and Log Harvesting

alsoCalled:

shortDescription:

An actor deploys infostealer malware through delivery infrastructure to infect victim devices, harvest credentials and session data, and produce logs for direct abuse, resale, or use in downstream cybercrime patterns.

longDescription:

This common phase involves the active use of infostealer malware to collect valuable data from victim devices. It may occur inside an Infostealer Malware-as-a-Service operation, as part of a log-production business, or as a supporting phase in broader patterns such as fraud, account takeover, IAB Operations, business email compromise, ransomware preparation, and data trafficking.

The result is typically infostealer logs: structured bundles of stolen personal data that may be used directly or sold through credential, identity, data, and access markets.

The adversary may be an infostealer affiliate, MaaS customer, malware operator, traffer, fraud crew, initial access broker, or downstream intrusion actor. Their capability is to deliver and run infostealer malware that extracts credentials, browser cookies, session tokens, autofill data, identity details, wallet information, files, screenshots, and system metadata. The infrastructure may include phishing pages, malicious ads, fake downloads, cracked software, loaders, compromised websites, traffic distribution systems, command-and-control servers, customer panels, proxy services, and hosted stealer platforms.

Victims include individuals, employees, businesses, and institutions whose devices or accounts are compromised. The immediate harm is digital identity compromise and information confidentiality loss.

This Event can be linked to markets such as Hosted Stealer Markets, Crimeware Supply Chains, Credential and Identity Marketplaces, and Data and Access Marketplaces. It often follows lure creation or malware delivery and precedes log validation, access packaging, account takeover, fraud, or resale.

variant:

Common Phishing for Information

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_Common_Phishing_for_Information

Label: Common Phishing for Information

alsoCalled:

shortDescription:

A Pattern Phase in which an adversary uses phishing lures or social engineering to obtain credentials or sensitive financial data from the victim.

longDescription:

This Pattern Phase focuses on phishing as the primary means of gathering actionable information such as user credentials, payment card details, or other personal or financial data. The adversary typically crafts deceptive emails, messages, or websites to trick targets into submitting sensitive information or downloading malware. These lures may be distributed through social media, instant messaging apps, or email platforms. The victim, believing the content is genuine, enters credentials or payment data, which is then used or sold by the adversary.

The harm to the victim often includes compromise of digital identity and privacy breaches.

Products or services involved may include phishing kits or deceptive content, with a supporting Market (e.g., Deceptive_Content_Marketplace) where these kits or the stolen data are traded.

variant:

Common Remote Account Compromise

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_Common_Remote_Account_Compromise

Label: Common Remote Account Compromise

alsoCalled:

shortDescription:

A general Pattern Phase describing how an adversary gains unauthorized access to an account on a platform by systematically guessing or reusing valid user account credentials through techniques such as password spraying or brute force attacks.

longDescription:

This common Pattern Phase captures a credential-based intrusion scenario where a technical infiltrator leverages automated methods to gain unauthorised access to a user’s account. The attack begins with reconnaissance to identify vulnerable or commonly used user accounts. Using techniques such as password spraying and brute force attacks, the adversary tests large volumes of credentials - either reusing known passwords or guessing weak ones - to achieve successful authentication. Once access is gained, the attacker can escalate privileges, exfiltrate sensitive data, or implant persistent malware, further compromising the target system.

variant:

Common Remote System Compromise

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_Common_Remote_System_Compromise

Label: Common Remote System Compromise

alsoCalled:

shortDescription:

A general Pattern Phase representing a remote cyber intrusion in which adversaries breach an online system by leveraging technical techniques - such as brute force attacks, or exploiting public-facing vulnerabilities - to gain unauthorized access and initiate further malicious actions.

longDescription:

This commonly deployed Pattern Phase encapsulates a multi-stage cyberattack in which a technically skilled actor breaches a target’s online system. The adversary may scan for weaknesses in public-facing applications or employ password spraying or brute force techniques to compromise weak credentials. Upon successful access, the attacker may exploit further vulnerabilities to maintain persistence, expand their access, or exfiltrate sensitive data. This common Pattern Phase sets the stage for subsequent actions that facilitate data exfiltration or further system compromise.

variant:

Common Spear-Phishing with Malicious Attachments

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_Common_Spear-Phishing_with_Malicious_Attachments

Label: Common Spear-Phishing with Malicious Attachments

alsoCalled:

shortDescription:

A Pattern Phase representing the use of targeted spear-phishing emails containing harmful attachments to gain unauthorized access to a specific organization’s network.

longDescription:

This common Pattern Phase captures the technique employed by threat actors who send targeted spear-phishing emails with malicious attachments to individuals within an organization. The emails are crafted to appear legitimate, using social engineering techniques to entice the recipient to open the attachment. Once opened, the attachment executes malicious code, potentially installing malware such as a Remote Access Trojan (RAT) or ransomware on the victim’s workstation. This initial access allows the adversary to establish a foothold within the organization’s network, enabling further actions such as lateral movement, data exfiltration, or additional malware deployment. The event highlights the critical need for robust email security measures, user awareness training, and endpoint protection to mitigate the risks associated with spear-phishing attacks.

variant:

Class: Composite Pattern Phase

CyX Initial Access

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_Cy-X_InitialAccess

Label: CyX Initial Access

alsoCalled:

shortDescription:

The Initial Access phase of Cyber Extortion is where adversaries breach a target network using social engineering, vulnerability exploitation, or stolen credentials to gain a foothold.

longDescription:

During Initial Access, attackers employ a variety of techniques to infiltrate networks, such as spear phishing (with malicious attachments, links, or even voice calls), exploitation of public-facing applications, software or MSP supply chain compromises, or the abuse of valid credentials, which are often acquired via dark market channels or data breach repositories. These techniques provide adversaries with the means to bypass security controls and gain their first foothold in the target environment. Once inside the network, attackers establish command-and-control (C2) channels - typically using encrypted protocols, legitimate services, reverse shells or VPNs - to maintain persistent communication with compromised systems and receive commands from remote infrastructure. While initial access can be obtained by stable members of a ransomware group, it is sometimes provided by specialized brokers whose services are purchased by the main group. On other occasions, affiliates are responsible for gaining access to deploy ransomware that they have obtained from the core group via rental or profit-sharing agreements.

variant:

Initial Access Broker Operation Initial Access

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#DiamondCompositeIABOperationInitialAccess

Label: Initial Access Broker Operation Initial Access

alsoCalled:

shortDescription:

Unauthorized access into a network or system by a specialist role player, prior to establishing control and persistence, for the purpose of reselling access credentials or persistent footholds to third-parties.

longDescription:

This phase involves a technically skilled actor, often an independent operator or part of a loosely organized network, who uses technical means to obtain access to a victim system, ultimately with the goal of selling that access. These actors are commonly motivated by profit and may operate alone, as part of a small crew, or as suppliers to other groups such as Initial Access Brokers or ransomware affiliates.

The core activity is gaining unauthorized entry into a target system. Initial access can be achieved using a wide range of common attack patterns, including remote compromise, phishing and spear-phishing. Rather than completing actions on the objective themselves, these actors prepare the access so it can be reused or transferred to others.

Actors rely on a mix of infrastructure: rented servers, technical hacking tools, anonymization tools (such as proxies or VPNs), malware such as password stealers or remote access tools, and sometimes compromised devices or botnets. Access is often advertised and sold on underground marketplaces or private forums, either as one-time entry or ongoing access.

Victims include businesses of all sizes, public institutions, and sometimes individuals. The immediate impact may be invisible, but the real harm comes later. This access enables data theft, ransomware attacks, fraud, or espionage by downstream actors.

This phase is a unique element in the pattern of acquiring and selling initial access, but it is technically achieved primarily through other common illicit actions.

variant:

Class: Credential and Identity Artifacts

Ancillary Credential and Identity Services

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Ancillary_Credential_and_Identity_Services

Label: Ancillary Credential and Identity Services

alsoCalled:

shortDescription:

Supplementary support functions that verify, enrich, and optimize stolen data—such as credential validation, data enrichment, and change-of-address services—to augment its operational value.

longDescription:

Ancillary Services encompass a suite of specialized tools and support mechanisms offered within the illicit Credential and Identity Marketplace. These services include automated platforms for validating the usability of stolen credentials, enrichment processes that append additional context or personal information to raw data, and change-of-address (COB) operations that adjust associated account or delivery details to improve the likelihood of successful fraud. By enhancing the quality and reliability of illicit data, these services play a critical role in enabling threat actors to achieve more effective account compromise and subsequent monetization of stolen information.

variant:

Comprehensive Identity Sets

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Comprehensive_Identity_Sets

Label: Comprehensive Identity Sets

alsoCalled: Fulls

shortDescription:

Enriched bundles of stolen personal data combining raw credentials with supplementary identifying information, yielding complete user profiles for advanced identity theft and fraud.

longDescription:

Comprehensive Identity Sets, commonly referred to as “fulls,” are curated packages that extend beyond mere credentials by integrating additional personally identifiable information (PII) such as names, addresses, social security numbers, and contact details. This amalgamation provides a holistic profile of the individual, significantly increasing the asset’s utility for executing identity theft, social engineering, and sophisticated fraud schemes. The enhanced detail within fulls facilitates higher success rates in bypassing verification processes during fraudulent transactions.

variant:

Cryptocurrency related customer databases

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Cryptocurrency_related_customer_databases

Label: Cryptocurrency related customer databases

alsoCalled:

shortDescription:

Stolen datasets holding customer records from cryptocurrency exchanges, wallet providers, or KYC vendors.

longDescription:

Cryptocurrency-related customer databases contain email addresses, identity documents, transaction histories, and Know-Your-Customer (KYC) files exfiltrated from crypto exchanges or service providers. Threat actors sell these datasets on underground markets to facilitate targeted phishing, identity theft, and direct account takeover of victims’ trading or custodial wallets.

variant:

Raw Credential Dumps

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Raw_Credential_Dumps

Label: Raw Credential Dumps

alsoCalled:

shortDescription:

Aggregated collections of stolen user credentials—usernames, passwords, and authentication tokens—extracted from compromised systems without further contextual enrichment.

longDescription:

Raw Credential Dumps consist of unsanitized datasets containing user account identifiers obtained through methods such as data breaches, phishing, and malware attacks. These collections typically include login credentials in their most basic form, offering minimal additional information. As a primary resource within illicit markets, they are traded to enable subsequent automated validation and exploitation by adversaries, serving as the foundational building blocks for account takeover and financial fraud operations.

variant:

Class: Crimeware

Antivirus Tools

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Antivirus_Tools

Label: Antivirus Tools

alsoCalled: AV Evasion Tools; AV Tools; Antivirus Evasion Tools

shortDescription:

Legitimate or pirated antivirus engines that criminals repurpose to test malware against detection and to bundle with illicit toolkits.

longDescription:

Antivirus Tools encompass full software suites, command-line scanners, and cloud-based analysis services—often obtained through cracked licences or resale. Threat actors use these tools in sandbox environments to confirm that custom malware, stealers, and payloads remain undetected by mainstream security products before deployment.

variant:

BEC-as-a-Service

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#BEC-as-a-Service

Label: BEC-as-a-Service

alsoCalled:

shortDescription:

Complete kits and infrastructure offered in underground markets to facilitate BEC attacks.

longDescription:

Provides everything from lookalike domain registration, email templates, and spoofing tools to laundering services, drastically lowering the barrier to entry for BEC campaigns.

variant:

Card Validation Bot

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Card_Validation_Bot

Label: Card Validation Bot

alsoCalled:

shortDescription:

Automated software tool designed to systematically check and validate stolen payment card data for continued usability.

longDescription:

The Card Validation Bot is a specialized form of crimeware that automates the verification of compromised payment card details. Once loaded with large batches of credit or debit card numbers, the bot executes small “test” transactions or queries external validation services to confirm each card’s validity, balance, or available credit. By eliminating the need for manual checks, this tool significantly reduces the time and effort required for Carders to identify useful card data and proceed with large-scale fraudulent purchases or resale. Commonly found in underground forums or marketplaces, Card Validation Bots often include anti-detection features, proxy support, and integration with other illicit services, thereby playing a pivotal role in the cybercrime supply chain.

variant:

Crypters and Packers

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Crypters_and_Packers

Label: Crypters and Packers

alsoCalled:

shortDescription:

longDescription:

variant:

Crypto wallet brute force services

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Crypto_wallet_brute_force_services

Label: Crypto wallet brute force services

alsoCalled:

shortDescription:

Illicit service that rents GPU or ASIC power to brute-force encrypted cryptocurrency wallets and recover private keys.

longDescription:

Crypto wallet brute-force services provide customers with specialised hardware and customised cracking software that systematically guesses pass-phrases, mnemonic seeds, or password files until a locked cryptocurrency wallet is opened. These services are marketed in underground forums to criminals who possess stolen wallet files or seed fragments and need high-throughput computing to extract the private keys and transfer the stored funds.

variant:

Infostealer

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Infostealer

Label: Infostealer

alsoCalled: Credential stealer; Information stealer; Information-stealing malware; Password stealer; Stealer

shortDescription:

Malware that covertly harvests credentials, session data, identity information, and system details from infected devices, producing “logs” that cybercriminals trade or use for fraud, account takeover, initial access, and other downstream attacks.

longDescription:

Info stealers are malicious software used in the cybercrime ecosystem to collect valuable information from infected devices. They commonly extract usernames, passwords, browser cookies, session tokens, autofill data, cryptocurrency wallet details, files, screenshots, and system information. The stolen output is often packaged as “logs”: structured bundles of data tied to a particular infected device, user, or browser profile.

Info stealers are frequently developed and sold by malware developers or Malware-as-a-Service operators, who provide the malware, configuration tools, command-and-control infrastructure, and customer panels to criminal users. They are typically spread through phishing, fake software downloads, malicious ads, cracked software, compromised websites, or traffic distribution systems.

Their users include malware affiliates, fraud crews, initial access brokers, account-takeover actors, and ransomware-linked operators. Some use the stolen data directly, while others sell logs through underground shops, forums, marketplaces, or private channels.

Within cybercrime patterns, info stealers act as a data-production mechanism. They support credential harvesting, account takeover, identity fraud, cryptocurrency theft, business email compromise, and compromise-for-resale. Their outputs can also enable later activities such as unauthorized network access, privilege expansion, victim profiling, access packaging, and resale.

variant:

Malware-as-a-Service

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Malware-as-a-Service

Label: Malware-as-a-Service

alsoCalled: MaaS

shortDescription:

Subscription-based distribution of commodity malware.

longDescription:

Malware-as-a-Service (MaaS) portals let low-skill criminals rent stealer logs, bots, or loaders, paying per-install or per-campaign.

variant:

Phishing Kits

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Phishing_Kits

Label: Phishing Kits

alsoCalled:

shortDescription:

Pre-packaged tools and templates designed to simplify the creation and deployment of phishing campaigns.

longDescription:

Phishing Kits are widely available in the cybercrime underground and provide threat actors with ready-made resources to conduct phishing attacks. These kits typically include pre-designed email templates, fake login pages, and scripts to harvest credentials or other sensitive information. Many kits are tailored to mimic well-known brands, such as banks, social media platforms, or e-commerce sites, making them highly effective at deceiving victims.

In addition to templates, phishing kits often come with automation tools to streamline the attack process. These tools may include email-sending scripts, domain configuration instructions, and even dashboards to track stolen credentials in real time. Some advanced kits integrate anti-detection features, such as obfuscation techniques or IP filtering, to evade security measures and increase the success rate of the campaign.

Phishing kits lower the barrier to entry for cybercriminals, enabling even inexperienced actors to launch sophisticated attacks. They are often sold or rented in underground marketplaces, with some providers offering customer support or updates to keep the kits effective against evolving security measures. This commoditization of phishing tools has significantly contributed to the prevalence of phishing attacks worldwide.

variant:

Ransomware-as-a-Service

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Ransomware-as-a-Service

Label: Ransomware-as-a-Service

alsoCalled: RaaS; Ransomware-as-a-Service Offering

shortDescription:

A pay-for-use cybercriminal offering that delivers end-to-end ransomware toolsets, enabling affiliates to launch extortion attacks with minimal technical expertise.

longDescription:

Ransomware-as-a-Service (RaaS) is a cybercrime offering in which malware developers supply turnkey ransomware and double-extortion packages, including malicious code, hosting, payment portals, and negotiation services, to criminal affiliates. The affiliates then execute intrusions and extortion attempts against chosen victims, typically sharing a portion of the ransom proceeds with the service’s operators. By outsourcing development and infrastructure, RaaS drastically lowers the skill threshold required to carry out disruptive ransomware attacks.

variant:

Remote Access Trojans

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Remote_Access_Trojans

Label: Remote Access Trojans

alsoCalled: RAT

shortDescription:

Malware that lets attackers control victim machines remotely.

longDescription:

Remote Access Trojans (RATs) provide interactive shells, file transfer, and surveillance, giving intruders a beachhead for lateral movement.

variant:

Subscription-based Information Stealer

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Infostealer-as-a-Service

Label: Subscription-based Information Stealer

alsoCalled: Infostealer-as-a-Service; MaaS infostealer; Subscription-based Information Stealer

shortDescription:

An illicit managed service that provides cybercriminal customers with access to infostealer malware, control panels, collection infrastructure, and harvested logs, enabling credential theft, account takeover, fraud, and downstream compromise.

longDescription:

Subscription-based Information Stealer services are illicit cybercrime services that operate infostealer malware as a continuing business offering. Instead of simply selling a malware file, the provider may supply or maintain the wider service environment: malware builds, configuration tools, command-and-control infrastructure, customer panels, updates, support, delivery partnerships, and access to stolen data collected from infected devices.

The service is used by malware affiliates, fraud actors, initial access brokers, account-takeover crews, and ransomware-linked actors who want to harvest credentials and session data without building their own malware infrastructure. Its outputs commonly include infostealer logs: structured bundles of stolen credentials, cookies, session tokens, identity data, wallet details, files, and system information.

Within the cybercrime ecosystem, this service sits between crimeware production and downstream monetization. It enables recurring log production, credential theft, victim profiling, account compromise, and compromise-for-resale. The service may be traded through underground forums, private channels, or marketplace-like subscription arrangements, and it may feed credential, identity, data, and access markets.

variant:

Class: Dark Platforms

Dark Market

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Dark_Market

Label: Dark Market

alsoCalled: Black Market; Darknet Marketplace; Shadow Market; Underground Market

shortDescription:

longDescription:

A dark market, also known as a darknet market, is a type of online marketplace that operates on the dark web, a part of the internet that is not indexed by traditional search engines and is accessible only through special software like Tor, which anonymizes users.

These markets enable buyers and sellers to trade goods and services that are often illegal, such as drugs, firearms, stolen data, and other contraband, with a heightened degree of anonymity. Transactions on dark markets typically use cryptocurrencies to further maintain privacy and avoid tracking.

The secretive nature and use of encryption technologies make dark markets both controversial and difficult for law enforcement to monitor and shut down.

variant:

Forum

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Forum

Label: Forum

alsoCalled:

shortDescription:

A website on the dark web dedicated to the discussion and sharing of information about different topics surrounding cybercrime.

longDescription:

A dark web cybercrime forum is a clandestine online platform where cybercriminals gather to exchange knowledge, tools, and services related to illicit activities such as hacking, data theft, and fraud. These forums operate within the encrypted and anonymized confines of the dark web, accessible only through specialized browsers and often requiring invitations or membership fees for entry. Within these forums, cybercriminals engage in discussions ranging from the latest hacking techniques to the sale of stolen credentials, malware, and hacking tools. These platforms also function as marketplaces for cybercriminal goods and services, facilitating transactions for stolen data, malware, and other illicit offerings. Despite efforts by law enforcement and cybersecurity experts to disrupt these forums, they persist as resilient hubs of criminal activity in the digital underworld.

variant:

Illicit Service Portals

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Illicit_Service_Portals

Label: Illicit Service Portals

alsoCalled:

shortDescription:

A clandestine online venue—typically on the dark web—that centralizes a broad spectrum of specialized support services for cybercriminal enterprises, ranging from technical assistance and operational security to transaction and logistical facilitation.

longDescription:

An Illicit Services Portal is defined as a covert digital platform that aggregates a variety of service-oriented offerings essential to the execution of cyber-enabled crimes. These portals provide adversaries with an array of specialized functions, including technical support for exploiting vulnerabilities, tools for anonymizing and laundering illicit funds, and logistical services to coordinate fraudulent transactions. By consolidating these diverse support services in one accessible marketplace, such portals enable threat actors to streamline operations and maximize operational efficacy. This category encompasses any covert service platform that delivers critical functions—be they automated verification, exploitation support, secure communications, or risk mitigation measures—to bolster the infrastructure of cybercriminal activities.

variant:

Class: Deceptive_Platforms

Fake Crypto Trading Platform

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Fake_Crypto_Trading_Platform

Label: Fake Crypto Trading Platform

alsoCalled:

shortDescription:

A fraudulent platform or mobile application masquerading as a legitimate cryptocurrency exchange, designed to steal user funds and obstruct withdrawals.

longDescription:

These platforms are typically used in pig-butchering or romance scam scenarios, where perpetrators lure victims into investing in what appears to be a real cryptocurrency exchange or trading app. Victims may see convincing dashboards, false profit updates, and professional interfaces, all aimed at building trust and prompting larger investments. However, attempts to withdraw funds are usually blocked or require additional ‘fees,’ making it impossible for the victim to recover their money. By mimicking the look and feel of reputable exchanges, these fake platforms effectively bypass many user safeguards and exploit the victim’s belief in high returns.

variant:

Class: Economic Impact

Direct Financial Loss

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Direct_Financial_Loss

Label: Direct Financial Loss

alsoCalled:

shortDescription:

The immediate and unauthorized loss of monetary assets directly caused by a cybercrime incident.

longDescription:

Direct Financial Loss refers to the immediate reduction of a victim’s financial assets resulting directly from attacker actions, such as fraudulent transfers, theft of funds, or extortion payments. This harm occurs during the execution of a cybercrime and reflects money that is taken, diverted, or irreversibly lost without the victim’s consent.

It does not include any subsequent expenses related to responding to or recovering from the incident. Instead, it is strictly limited to the value of assets removed or destroyed as a direct outcome of the attack itself. This harm is typically quantifiable at the time of the incident and represents the most immediate financial impact experienced by the victim.

variant:

Post-Incident Recovery Costs

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Post_Incident_Recovery_Costs

Label: Post-Incident Recovery Costs

alsoCalled:

shortDescription:

The financial expenditures incurred by a victim to restore systems, investigate the incident, and return to normal operations after a cyberattack.

longDescription:

Post-Incident Recovery Costs refer to the expenses borne by a victim after a cyber incident in order to restore systems, recover data, investigate the breach, and re-establish normal operations. These costs are initiated and controlled by the victim as part of the response and recovery process. They include activities such as forensic analysis, system repair, data restoration, legal compliance, customer notification, and implementation of enhanced security measures. Unlike direct financial loss, these costs do not result from stolen or diverted assets, but from the effort required to remediate the consequences of the attack.

This harm captures the operational and financial burden of recovery, often extending over time and potentially exceeding the initial losses caused by the incident.

variant:

Class: Extortion

Cyber Extortion

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Cyber_Extortion

Label: Cyber Extortion

alsoCalled: Cy-X; CyX; Double Extortion; Ransomware

shortDescription:

Cyber Extortion (Cy-X) is a form of illicit cyber activity in which the security of a digital asset (Confidentiality, Integrity, or Availability) is compromised and exploited through encryption, exfiltration and/or disruption to extort financial payment.

longDescription:

Commonly known as ransomware, cyber extortion is when organized criminal groups and networks gain unauthorized access to digital systems, deploy malware that encrypts the victim’s files and systems, and/or steal sensitive data. The malicious actors then demand a ransom, coercing victims with the dual threat of permanent loss of access to systems and data, and the public release of stolen information. In some instances, further layers of coercion are added by launching disruption attacks, such as distributed denial-of-service (DDoS) attacks, or by directly extorting victims whose data has been exfiltrated.

The primary role players are typically organised ransomware-as-a-service providers who often work through a network of affiliates. Experts in OSINT and social engineering are commonly involved in the reconnaissance phase. Initial access is often acquired from specialist brokers (IAB). Intrusion Operators can also play an important role in moving around systems, exfiltration, encryption and extortion. Infrastructure providers offer anonymising technologies such as VPNs, bulletproof hosting and proxy services that are used in multiple phases of the activity. Monetization involves money mules, cryptocurrency exchanges or other forms of payment platforms.

Direct victims can be public or private organisations, and harms are wide ranging, including direct financial loss, reputational damage, business continuity impacts and the costs of recovery. Individual citizens can also be harmed, for instance through loss of privacy when sensitive data is published and through the resulting service disruption. Individuals may suffer emotional or psychological trauma, or in some cases even physical harm.

variant:

Class: Facilitator

Data Broker Services

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Data_Broker_Services

Label: Data Broker Services

alsoCalled:

shortDescription:

Collect, aggregate, and sell personal or organizational data, which can be exploited by cybercriminals for reconnaissance, phishing, or other malicious activities.

longDescription:

Data broker services are entities that gather and compile vast amounts of personal, corporate, and technical data from various sources, including public records, social media, online activity, and third-party partnerships. While these services are often legitimate and used for marketing, analytics, or business intelligence, they can also be exploited by cybercriminals. In the context of cybercrime, attackers may purchase or access data from brokers to identify potential targets, map organizational structures, or obtain sensitive information such as email addresses, phone numbers, or job roles.

Cybercriminals use data broker services during the reconnaissance phase of attacks like Business Email Compromise (BEC) to refine their targeting. For example, they may acquire detailed employee lists, organizational hierarchies, or even breached credentials to craft highly convincing phishing emails or impersonation schemes. Some data brokers operate in a legal grey area, selling data with minimal oversight, while others on the dark web explicitly cater to malicious actors by offering stolen or leaked information.

The availability of data broker services lowers the barrier for attackers, enabling them to conduct precise and efficient reconnaissance without needing advanced technical skills.

variant:

Legitimate Security Company

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Legitimate_Security_Company

Label: Legitimate Security Company

alsoCalled:

shortDescription:

A trusted, law-abiding organization that delivers cybersecurity services—ranging from vulnerability research and threat intelligence to incident response and managed defense—aimed at protecting digital assets and strengthening overall security postures.

longDescription:

A Legitimate Security Company is a key role player in the cybercrime ecosystem that operates within the legal and regulatory framework to provide a range of security services. These organizations invest in advanced research to uncover vulnerabilities, monitor emerging threats, and deliver expert incident response. They often run structured bug bounty programs, coordinated vulnerability disclosure initiatives, and proactive threat-hunting operations, thereby helping clients patch weaknesses before adversaries can exploit them. Although their primary mission is to enhance security and resilience, the intelligence and research outputs they generate can sometimes intersect with underground markets—either through inadvertent leaks or by creating a benchmark that drives both defensive and offensive cyber activities. In essence, these companies act as a bridge between cybersecurity best practices and the evolving landscape of cyber threats, ensuring that the collective defense mechanisms of organizations remain robust while also contributing to broader threat intelligence that shapes the cybercrime market dynamics.

variant:

Class: Financial Services

Cashouts

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Cashouts

Label: Cashouts

alsoCalled:

shortDescription:

Service that converts illicit digital funds into usable cash via money-mule withdrawals, payment-card cash-back, or high-risk exchanges.

longDescription:

Cashouts cover the downstream phase of cyber-crime monetisation in which stolen or extorted funds—whether held in online bank accounts, payment cards, or cryptocurrency wallets—are rapidly liquidated. Operators coordinate money-mule networks, prepaid cards, high-risk currency exchanges, and ATM withdrawals to move the proceeds outside traceable channels and deliver clean cash to the criminal organisers.

variant:

Crypto currency mixers

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Crypto_currency_mixers

Label: Crypto currency mixers

alsoCalled:

shortDescription:

Money-laundering services that break the traceability of cryptocurrency.

longDescription:

Also called tumblers, mixers pool multiple users’ coins and return fresh ones, obscuring the transaction chain and helping criminals avoid blockchain analysis.

variant:

Escrow Services

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Escrow_Services

Label: Escrow Services

alsoCalled:

shortDescription:

Third-party wallet or broker that temporarily holds funds to reduce fraud in underground deals.

longDescription:

Escrow Services act as neutral intermediaries in illicit online transactions: the buyer transfers cryptocurrency or digital assets to an escrow wallet; the seller delivers the goods (malware, data, access); only then does the escrow operator release payment—minus a commission. While intended to build trust between anonymous criminals, escrow wallets themselves are often controlled by or collude with one side, creating additional risks for participants.

variant:

Identity verification kits and templates

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Identity_verification_kits_and_templates

Label: Identity verification kits and templates

alsoCalled:

shortDescription:

Ready-made sets of forged documents and selfie overlays that help criminals bypass KYC or proof-of-identity checks.

longDescription:

Identity-verification kits and templates bundle high-resolution scans of passports, driving licences, utility bills, and customised selfie frames. Buyers combine these assets with stolen personal data to trick automated Know-Your-Customer (KYC) processes at exchanges, banks, or payment platforms—opening mule accounts, cash-out channels, or fraudulent lines of credit while masquerading as legitimate users.

variant:

Monetization of wallets with limited access

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Monetization_of_the_wallets_with_limited_access

Label: Monetization of wallets with limited access

alsoCalled:

shortDescription:

longDescription:

variant:

Money laundering and cashout services

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Money_laundering_and_cashout_services

Label: Money laundering and cashout services

alsoCalled:

shortDescription:

longDescription:

variant:

Self-registered accounts in the financial institutions

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Self-registered_accounts_in_the_financial_institutions

Label: Self-registered accounts in the financial institutions

alsoCalled:

shortDescription:

longDescription:

variant:

Class: General Victim

Connected Third Party

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#ConnectedThirdParty

Label: Connected Third Party

alsoCalled:

shortDescription:

An external organization with a direct operational, contractual, or technical relationship to a victim organization that may be impacted by or contribute to a cyber incident.

longDescription:

A connected third party is an external organization that maintains a defined relationship with a victim organization through business, service, supply chain, or technical integration arrangements. These relationships may include vendors, suppliers, contractors, partners, service providers, or affiliates that interact with the victim organization’s systems, data, or operations. In the context of cybercrime, connected third parties can play a significant role in both the propagation and impact of an incident.

Such entities may introduce risk through shared infrastructure, system access, data exchange, or dependency on services. A cyber incident affecting a connected third party can cascade to the victim organization, while a breach within the victim organization may also expose or disrupt connected third parties. These interdependencies are particularly relevant in supply chain attacks, managed service environments, and cloud-based ecosystems.

variant:

General Organization

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#GeneralOrganization

Label: General Organization

alsoCalled:

shortDescription:

A formally constituted entity, such as a business, government body, or nonprofit, that can be targeted or affected by cybercrime through its systems, operations, or data assets.

longDescription:

An organization is a structured and identifiable entity established for a specific purpose, operating within legal, administrative, or social frameworks. It includes private companies, publicly traded corporations, government agencies, non-governmental organizations (NGOs), and other formally recognized bodies. In the context of cybercrime, an organization is considered a victim when its information systems, networks, digital services, or data are compromised, disrupted, or exploited. This may involve unauthorized access, data theft, financial fraud, service interruption, or reputational harm.

Organizations typically maintain complex technological infrastructures and manage sensitive information, making them attractive targets for cybercriminals. Their roles, scale, and resources may vary widely, but they share common characteristics such as defined governance, operational processes, and accountability structures. The impact of illicit cyber activities on an organization can extend beyond immediate technical damage, affecting stakeholders, customers, and broader economic or social systems.

variant:

Institutional Employee

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Institutional_Employee

Label: Institutional Employee

alsoCalled:

shortDescription:

An individual employed by an organization who experiences harms from cyber events impacting an institution for which they work.

longDescription:

The Institutional Employee victim entity represents individuals whose roles within an organization expose them to indirect harms following a cyber incident. Although these employees are not the primary targets of the attack, they can experience heightened stress, anxiety, diminished job satisfaction, and impaired performance. Moreover, the uncertainty and internal communication breakdown that follow such incidents can erode trust in management and adversely affect overall employee wellbeing.

variant:

Legitimate Service Provider

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Legitimate_Service_Provider

Label: Legitimate Service Provider

alsoCalled:

shortDescription:

Third-party platforms (e.g., social media, online products and services, marketplaces or company websites) or individuals that may be indirectly exploited in the execution of a Pattern.

longDescription:

variant:

Private Individual

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Private_Individual

Label: Private Individual

alsoCalled:

shortDescription:

A private person who can be directly affected by cybercrime through their personal accounts, devices, identity, or digital activities.

longDescription:

A Private Individual is a person whose everyday digital life, including their accounts, devices, communications, and personal information, may be targeted or harmed in the context of cybercrime. A private individual is considered a victim when their personal assets, online services, identity data, or digital communications are compromised, manipulated, disrupted, or exploited. This may involve unauthorized access, identity theft, financial fraud, account takeover, phishing, extortion, privacy breaches, or other forms of threat action.

Private individuals often rely on digital services in their daily activities, making them vulnerable to a wide range of attacks. Their exposure may come from personal email accounts, social media profiles, banking services, mobile devices, or other connected platforms. The impact of cybercrime on a private individual may include financial loss, emotional distress, reputational damage, loss of access to personal accounts, and long-term misuse of personal data.

variant:

Class: Geopolitical Impact

Policy and Regulatory Impact

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Policy_and_Regulatory_Impact

Label: Policy and Regulatory Impact

alsoCalled:

shortDescription:

The effects of cyber incidents on laws, regulations, or governance practices, including the creation, modification, or enforcement of policies.

longDescription:

Policy and Regulatory Impact refers to changes in laws, regulations, or governance frameworks that result from cyber incidents. This harm captures how cybercrime influences public policy decisions, regulatory responses, and institutional rules at organizational, national, or international levels.

Cyber incidents may expose gaps in existing regulations, prompting new legislation, stricter compliance requirements, or revised enforcement mechanisms. Organizations may also introduce internal policies or governance controls in response to breaches or systemic risks.

This harm is distinct from operational or financial impacts, as it focuses on formal rule-setting and institutional responses rather than direct consequences experienced by victims. It reflects how cybercrime shapes the regulatory environment and influences long-term governance structures.

variant:

Societal Effects

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Societal_Effects

Label: Societal Effects

alsoCalled:

shortDescription:

The broader social consequences of cybercrime, affecting communities, public behavior, and collective well-being.

longDescription:

Societal Effects refer to the wide-ranging impacts of cybercrime on communities, populations, and social systems. This harm captures how cyber incidents influence public behavior, social trust, and the overall functioning of society beyond individual or organizational victims.

Examples include increased public fear of digital systems, reduced participation in online services, or shifts in societal norms regarding privacy and security. Cybercrime can also contribute to misinformation, social disruption, or inequalities in access to secure technologies.

This harm operates at a collective level and is distinct from individual psychological effects or organizational impacts. It reflects how cybercrime shapes societal attitudes, behaviors, and resilience over time.

variant:

Strategic and Geopolitical Impact

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Strategic_and_Geopolitical_Impact

Label: Strategic and Geopolitical Impact

alsoCalled:

shortDescription:

The effects of cyber incidents on national security, competitive positioning, or long-term strategic objectives.

longDescription:

Strategic and Geopolitical Impact refers to the influence of cyber incidents on high-level objectives such as national security, economic competitiveness, or geopolitical stability. This harm captures how cyber activities affect long-term planning, power dynamics, and strategic decision-making.

Cyber operations may disrupt critical infrastructure, enable espionage, or undermine competitive advantages, leading to shifts in strategic priorities or resource allocation. At a national level, cyber incidents can influence defense strategies, international relations, and security policies.

This harm is distinct from operational or societal effects, as it focuses on long-term, large-scale consequences that shape strategic outcomes rather than immediate disruptions or public reactions.

variant:

Class: Illicit Access Products

Illicit Data and Access Assets

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Illicit_Data_and_Access_Assets

Label: Illicit Data and Access Assets

alsoCalled:

shortDescription:

Unauthorized or misappropriated information and system access traded within cybercrime ecosystems.

longDescription:

Illicit Data and Access Assets encompass a range of unauthorized or misappropriated resources that are valuable within the cybercrime ecosystem. These assets include personal identifiable information (PII), corporate data, breached credentials, and technical details such as IP addresses or system configurations. They also include access to compromised accounts, networks, or devices, as well as exploitable vulnerabilities or backdoors.

These assets are typically traded in underground marketplaces, forums, or private channels, where they are used to facilitate various malicious activities. Buyers may use them for purposes such as reconnaissance, phishing, fraud, or gaining unauthorized entry into systems. Sellers often acquire these assets through data breaches, phishing campaigns, malware, or scraping publicly available information.

The value of Illicit Data and Access Assets depends on their specificity, quality, and potential utility for cybercriminal operations. For example, high-value assets might include administrator credentials for corporate networks or detailed employee directories, while lower-value assets might consist of bulk email lists or outdated credentials. These assets play a critical role in enabling and sustaining cybercrime activities.

variant:

Infostealer Logs

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#InfostealerLogs

Label: Infostealer Logs

alsoCalled: Logs

shortDescription:

Structured bundles of stolen credentials, session data, identity details, and system information harvested from infected devices by infostealer malware and traded as illicit data and access assets in cybercrime markets.

longDescription:

variant:

Unauthorized Network Access

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Unauthorized_Network_Access

Label: Unauthorized Network Access

alsoCalled:

shortDescription:

Commercialized unauthorized access to compromised networks and systems, sold to facilitate further cybercriminal activities.

longDescription:

This entity represents unauthorized access to computer networks or systems, acquired through illicit means such as exploiting vulnerabilities, phishing, or credential theft. Initial Access Brokers (IABs) obtain such access and sell it to other threat actors, including ransomware operators and data exfiltration groups. The access sold can vary in form, encompassing Remote Desktop Protocol (RDP) credentials, Virtual Private Network (VPN) access, web shells, control panel access, Active Directory credentials, server root access, and remote monitoring tools. This commodity is a critical component of the cybercrime ecosystem, enabling threat actors to bypass initial intrusion efforts and directly engage in malicious activities.

Common forms of illicit access products include:

• Remote Desktop Protocol (RDP) Credentials: Allow remote control over compromised systems.
• Virtual Private Network (VPN) Access: Provides secure entry into targeted networks.
• Web Shells: Enable command execution on compromised web servers.
• Control Panel Access: Grants administrative control over systems or hosting environments.
• Active Directory Credentials: Facilitate control over user accounts and permissions within a network.
• Server Root Access: Provides full control over server environments.
• Remote Monitoring and Management (RMM) Tools: Access to software used for managing IT systems remotely.

variant:

Class: Informational Impact

Data Integrity Loss

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Data_Integrity_Loss

Label: Data Integrity Loss

alsoCalled:

shortDescription:

The unauthorized alteration, corruption, or destruction of data, undermining its accuracy and reliability.

longDescription:

Data Integrity Loss refers to the unauthorized modification, corruption, or deletion of data, resulting in a loss of its accuracy, consistency, and trustworthiness. This harm occurs when data can no longer be relied upon to represent its intended meaning or value.

Unlike confidentiality-related harms, this category is concerned specifically with changes to data content rather than exposure. Integrity compromises may result from malware, unauthorized access, or system manipulation, and may not always be immediately detectable.

This harm can disrupt decision-making, operational processes, and system functionality, particularly in environments that depend on accurate and reliable data. Its impact lies in the loss of trust in the correctness of information, rather than its secrecy or availability.

variant:

Digital Identity Compromise

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Digital_Identity_Compromise

Label: Digital Identity Compromise

alsoCalled:

shortDescription:

The unauthorized takeover, misuse, or manipulation of a victim’s digital identity, enabling impersonation or fraudulent activity.

longDescription:

Digital Identity Compromise refers to the unauthorized control, misuse, or manipulation of a victim’s digital identity, allowing an attacker to impersonate the victim in digital environments. This harm occurs when credentials, authentication factors, or identity attributes are stolen, forged, or otherwise exploited.

Compromise may involve account takeovers, credential theft, or the creation of fraudulent identities that appear legitimate. Attackers can use the compromised identity to access services, conduct transactions, or deceive other parties while acting under the victim’s identity. This harm is distinct from information confidentiality loss, which concerns unauthorized access to data, as it focuses specifically on the ability to act as the victim. It is also separate from direct financial loss, although such losses may result from identity misuse.

The primary impact lies in the loss of control over one’s digital presence and the potential for ongoing misuse, making it a persistent and highly consequential harm in cybercrime contexts.

variant:

Exposure-Based Risk Increase

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Exposure-BasedRiskIncrease

Label: Exposure-Based Risk Increase

alsoCalled:

shortDescription:

An increase in a victim’s visibility, vulnerability and likelihood of exploitation.

longDescription:

This harm describes the adverse effect that occurs when attackers systematically identify, aggregate, and analyze publicly exposed information about a target during reconnaissance. The structured collection and contextualization of targeting information by adversaries transforms it into actionable intelligence that directly increases the likelihood of successful exploitation.

The harm is not a loss of confidentiality in the traditional sense, but a loss of protective obscurity and defensive advantage. By mapping attack surfaces, identifying exposed services, and correlating target attributes, attackers create prioritized target sets and reduce uncertainty in later attack phases.

This materially elevates the victim’s risk exposure, defined as the probability and potential impact of exploitation, even before any intrusion occurs.

variant:

Information Confidentiality Loss

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Information_Confidentiality_Loss

Label: Information Confidentiality Loss

alsoCalled:

shortDescription:

The unauthorized exposure or access of sensitive or personal information, compromising its confidentiality.

longDescription:

Information Confidentiality Loss refers to the unauthorized access, disclosure, or exposure of sensitive, personal, or proprietary information. This harm occurs when data that is intended to remain private is viewed, copied, or distributed without authorization, typically as a result of breaches, leaks, or social engineering attacks.

The defining characteristic of this harm is the violation of confidentiality, regardless of whether the data is subsequently altered or used. It does not include modification or corruption of data, which are addressed separately under data integrity harms.

This harm may lead to downstream consequences such as identity theft, fraud, or reputational damage, but is specifically concerned with the loss of control over who can access the information.

variant:

Class: Infrastructure Services

Bulletproof Hosting

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Bulletproof_Hosting

Label: Bulletproof Hosting

alsoCalled:

shortDescription:

A type of hosting service engineered to resist takedown efforts, offering adversaries a resilient and discreet platform for hosting malicious content and command-and-control infrastructure.

longDescription:

Bulletproof Hosting refers to specialized server hosting services offered within the cybercrime underground. These services are designed to operate with minimal regulatory oversight, often from offshore locations, and employ techniques like rapid IP rotation and robust anonymity measures to thwart law enforcement takedown attempts. They provide a secure foundation for hosting phishing pages, malware distribution sites, and command-and-control servers, enabling threat actors to maintain persistent access and evade detection throughout their malicious campaigns.

variant:

Proxy Services

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Proxy_Services

Label: Proxy Services

alsoCalled:

shortDescription:

Services that route internet traffic through intermediary servers to mask the origin of communications and facilitate anonymous online activity.

longDescription:

Proxy Services offer a layer of indirection by channeling an adversary’s network traffic through one or more intermediate servers. This not only conceals the attacker’s real IP address but also helps bypass geofencing and regional restrictions. In cybercrime, such services are crucial for evading detection, obfuscating attack origins, and enabling automated tools (e.g., for credential stuffing or brute forcing) to operate with a facade of legitimacy. Proxies can be configured as shared or dedicated services and may include both datacenter and residential options, contributing to the overall resilience and stealth of cyber operations.

variant:

Residential Proxies

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Residential_Proxies

Label: Residential Proxies

alsoCalled:

shortDescription:

Proxy services that route traffic through real residential IP addresses, offering enhanced legitimacy and lower detection risk compared to datacenter alternatives.

longDescription:

Residential Proxies (often abbreviated as RESIP) utilize IP addresses assigned to everyday households by Internet Service Providers. By channeling internet traffic through these genuine residential connections, adversaries can better mimic normal user behavior and bypass sophisticated anti-bot measures. In the cybercrime landscape, these proxies are prized for their ability to provide anonymity and geographic diversity, enabling activities such as data scraping, credential stuffing, and evasion of fraud detection systems. Their use complicates mitigation efforts because traffic originating from residential IPs is generally trusted and less likely to be blacklisted. Residential proxies are commonly traded in underground markets and are sometimes offered as part of a broader suite of infrastructure services, playing a critical role in the execution of covert operations and large-scale cyber-enabled scams.

variant:

Back to Individuals TOC

Virtual Private Networks

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Virtual_Private_Networks

Label: Virtual Private Networks

alsoCalled:

shortDescription:

Encrypted channels that allow secure and anonymous communications over public networks, widely exploited to hide digital footprints.

longDescription:

Virtual Private Networks (VPNs) establish encrypted tunnels between a user’s device and the VPN server, effectively masking the user’s true IP address and encrypting data in transit. Within the cybercrime ecosystem, VPNs are frequently leveraged to secure malicious communications, obscure the geographic origin of attacks, and bypass network-level security controls. Adversaries may choose VPN providers that offer lax verification processes or operate from jurisdictions with minimal regulatory oversight, ensuring that their activities remain difficult to trace and disrupt.

variant:

Class: Legitimate Platforms

Back to Individuals TOC

Cryptocurrency Exchanges

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Cryptocurrency_Exchanges

Label: Cryptocurrency Exchanges

alsoCalled:

shortDescription:

A digital platform where users can buy, sell, and trade cryptocurrencies, often exploited in cybercrime for laundering illicit funds.

longDescription:

Online platforms that facilitate the trading of digital assets like Bitcoin, Ethereum, and other cryptocurrencies. They act as intermediaries, allowing users to convert fiat currency (e.g., USD, EUR) into cryptocurrency and vice versa. Exchanges can be centralized, where a company manages the platform and user accounts, or decentralized, where transactions occur directly between users without intermediaries.

In the context of cybercrime, particularly romance baiting schemes, cryptocurrency exchanges are often exploited to launder stolen funds. Scammers convince victims to transfer money into cryptocurrency wallets, which are then routed through exchanges to obscure the origin of the funds. Some exchanges, especially those with weak Know Your Customer (KYC) and Anti-Money Laundering (AML) protocols, are more vulnerable to misuse by criminals.

Law enforcement and cybersecurity experts monitor exchanges to track illicit transactions, but the pseudonymous nature of cryptocurrency and the use of mixers or tumblers make tracing funds challenging. While legitimate exchanges implement strict compliance measures, criminals often turn to unregulated or offshore platforms to evade detection.

variant:

Back to Individuals TOC

Dating Website

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Dating_Website

Label: Dating Website

alsoCalled:

shortDescription:

An online platform exploited by scammers to identify, target, and manipulate victims under the guise of romantic relationships.

longDescription:

Dating websites are online platforms designed to connect individuals seeking romantic relationships, friendships, or companionship. These platforms typically allow users to create profiles, share personal information, and interact with others through messaging or other communication features. While their primary purpose is to foster genuine connections, they are often exploited by cybercriminals due to the inherent trust and emotional vulnerability of users seeking relationships.

In the context of Romance Baiting, scammers use dating websites as a key part of their infrastructure to identify and target potential victims. They create fake profiles with fabricated details, such as attractive photos and compelling backstories, to appear trustworthy and appealing. Once contact is initiated, scammers use social engineering techniques to build emotional connections with their victims, gaining their trust and setting the stage for financial exploitation. The anonymity and global reach of dating websites make them an ideal environment for such schemes, as adversaries can easily interact with multiple targets simultaneously.

For cybercriminals, dating websites provide a low-risk, high-reward opportunity to execute Romance Baiting schemes. The platforms' design, which encourages personal sharing and emotional openness, makes users more susceptible to manipulation. From a cybersecurity perspective, dating websites represent a critical point of vulnerability, requiring increased awareness, user education, and platform safeguards to prevent exploitation. Understanding how these platforms are misused is essential for developing effective countermeasures against Romance Baiting and similar cybercrimes.

variant:

Back to Individuals TOC

eCommerce Sites

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#eCommerce_Sites

Label: eCommerce Sites

alsoCalled:

shortDescription:

Online marketplaces facilitating legitimate transactions, occasionally abused by cybercriminals for fraud and other illicit activities.

longDescription:

eCommerce sites are legitimate digital marketplaces that enable the buying and selling of goods or services through secure payment channels. Although their primary function is to conduct lawful commerce, these platforms sometimes become vectors of cybercrime, as adversaries exploit their high transaction volumes to test or monetize stolen credentials, launder funds, or conduct fraudulent purchases. Robust anti-fraud measures, payment monitoring, and user verification are typically employed to protect buyers and sellers, but large-scale and globally accessible eCommerce sites remain attractive targets due to their extensive user base and transactional complexity.

variant:

Back to Individuals TOC

Messaging App

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Messaging_App

Label: Messaging App

alsoCalled:

shortDescription:

Private, semi-public or public messaging platforms like Telegram, WhatsApp, and Discord.

longDescription:

variant:

Back to Individuals TOC

Money Transfer Mechanisms

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Money_Transfer_Mechanisms

Label: Money Transfer Mechanisms

alsoCalled:

shortDescription:

Channels and services (bank wires, money orders, hawala) that enable cross-border or untraceable value movement, often used for laundering or paying intermediaries.

longDescription:

Money transfer mechanisms include formal and informal systems - such as SWIFT bank wires, Western Union or MoneyGram money orders, and hawala or chit-fund networks - that criminals use to send or launder funds without direct blockchain traces. After converting digital currency to fiat or purchasing transfer instruments, threat actors dispatch value across borders to third-party couriers, drop addresses, or mule accounts. Hawala conduits and escrow services can move large sums without electronic records, complicating law-enforcement efforts. These transfer methods underlie high-value extortion payouts, sophisticated fraud rings, and multi-stage laundering operations, connecting illicit revenue streams to frontline actors, conspirators, and shell entities.

variant:

Back to Individuals TOC

Open Web

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Open_Web

Label: Open Web

alsoCalled:

shortDescription:

longDescription:

Some transactions between cybercriminals, or in support of cybercrime activities, occur on ordinary public websites rather than on dark platforms. These are often entirely visible to anyone who looks: for example, the rental and management of virtual servers and hosting services, DNS domain registration, email, business information services, and the like.

variant:

Back to Individuals TOC

Social Media

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Social_Media

Label: Social Media

alsoCalled:

shortDescription:

Private, semi-public or public social networking platforms like Facebook, Instagram, or LinkedIn.

longDescription:

variant:

Class: Market or Supply Chain

Back to Individuals TOC

Credential and Identity Marketplace

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Credential_and_Identity_Marketplace

Label: Credential and Identity Marketplace

alsoCalled:

shortDescription:

A dedicated Market in the cybercrime ecosystem where threat actors acquire, trade, and monetize stolen user identities and account credentials. This marketplace facilitates the exchange of password dumps, full identity packages (“fulls”), and related verification services between data brokers, resellers, and carders.

longDescription:

The Credential and Identity Marketplace is a specialized segment of the cybercrime ecosystem dedicated to the procurement, aggregation, and exchange of illicitly obtained user credentials and identity data. Threat actors, ranging from data brokers to resellers, package stolen authentication artifacts, such as raw password dumps and comprehensive identity sets (commonly referred to as "fulls"), for subsequent monetization. Within this marketplace, established vendors offer verified and enriched datasets, while intermediary resellers disseminate these assets more broadly across dark web forums and encrypted communication channels. The Market further includes ancillary services, such as credential validation, change-of-billing (COB) operations, and other support functions that increase the operational value of the stolen data. Collectively, these elements supply the raw material for technical infiltrators who use the credentials in remote account compromise, perpetuating a cycle of identity theft, financial fraud, and broader cyber-enabled criminal activity.

variant:

Back to Individuals TOC

Crimeware Supply Chain

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Crimeware_Supply_Chain

Label: Crimeware Supply Chain

alsoCalled:

shortDescription:

The interconnected ecosystem of tools, services, and actors enabling the creation, distribution, and use of malicious software for cybercrime.

longDescription:

The Crimeware Supply Chain represents the full lifecycle of crimeware, encompassing its development, distribution, and operational support. This ecosystem includes a variety of products such as phishing kits, infostealers, Remote Access Trojans (RATs), and antivirus evasion tools, as well as services like bulletproof hosting, crypters, and malware-as-a-service (MaaS). These components are often modular, allowing cybercriminals to mix and match tools to suit their specific needs.

This supply chain is supported by a network of specialized actors. Developers create crimeware tools, infrastructure providers offer hosting and obfuscation services, and brokers sell stolen data harvested by these tools. Buyers, such as phishers, fraudsters, and ransomware operators, rely on these offerings to execute their campaigns. Transactions and negotiations typically occur on dark web marketplaces, encrypted messaging platforms, and hacking forums, with cryptocurrency serving as the primary payment method.

The Crimeware Supply Chain has commoditized cybercrime, lowering the barrier to entry for malicious actors and enabling scalable, sophisticated attacks. By outsourcing key components, even inexperienced threat actors can launch effective campaigns, while experienced operators can focus on high-value targets. This ecosystem is a cornerstone of the cybercrime economy, driving the proliferation of malicious activities worldwide.

variant:

Back to Individuals TOC

Data and Access Marketplace

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Data_and_Access_Marketplace

Label: Data and Access Marketplace

alsoCalled:

shortDescription:

A cybercrime ecosystem Market where personal data, corporate information, and system access are traded to enable malicious activities.

longDescription:

The Data and Access Marketplace is a critical hub within the cybercrime ecosystem, facilitating the exchange of sensitive data and unauthorized access to systems. This marketplace includes both legitimate data brokers operating in legal or grey areas and illicit actors on the dark web who sell stolen or breached information. Products traded in this marketplace range from personal data (e.g., names, email addresses, and phone numbers) to corporate information (e.g., employee lists, financial records) and technical data (e.g., IP addresses, credentials, or system vulnerabilities). Access to compromised accounts, networks, or devices is also a key commodity.

Buyers in this marketplace include a variety of cybercriminal roles, such as recon specialists, social engineers, ransomware operators, and fraudsters. These actors use the purchased data and access to conduct targeted attacks, such as phishing, Business Email Compromise (BEC), or ransomware campaigns. For example, recon specialists may buy employee lists to identify high-value targets, while ransomware operators may purchase initial access to corporate networks. The marketplace lowers the barrier to entry for cybercriminals, enabling even less-skilled actors to execute sophisticated attacks.

Sellers in the marketplace include data brokers, credential harvesters, access brokers, and exploit developers. These actors supply the raw materials for cybercrime, often profiting from stolen or aggregated data and compromised systems.

variant:

Back to Individuals TOC

Deceptive Content Marketplace

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Deceptive_Content_Marketplace

Label: Deceptive Content Marketplace

alsoCalled:

shortDescription:

A cybercrime ecosystem Market where fraudulent materials, such as phishing kits and scam templates, are created, traded, and distributed.

longDescription:

The Deceptive Content Marketplace facilitates the trade of tools and materials designed to deceive victims, including phishing lures, fake websites, scam templates, and counterfeit documents. Sellers in this marketplace include content creators, graphic designers, and exploit developers, while buyers range from phishers to fraudsters and social engineers. These assets are used to enable cybercrime activities such as credential theft, financial fraud, and social engineering attacks.

variant:

Back to Individuals TOC

Infrastructure Marketplace

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Infrastructure_Marketplace

Label: Infrastructure Marketplace

alsoCalled:

shortDescription:

A Market dedicated to the trade of cybercrime infrastructure services such as residential proxies, VPNs, proxy services, and bulletproof hosting.

longDescription:

The Infrastructure Marketplace is a loosely organised trading environment, spanning the dark and open web, where illicit infrastructure services are bought and sold. This Market aggregates providers of residential proxies, virtual private networks, proxy services, and bulletproof hosting, all of which are critical for concealing operational footprints and preserving anonymity in cybercrime campaigns. Actors operating within this marketplace use these services to bypass detection, maintain persistence, and secure resilient channels for communication and data exfiltration. By linking these commodities to the broader cybercrime ecosystem, the Infrastructure Marketplace underscores the essential role of technical services in enabling sophisticated, low-risk cyber operations.

variant:

Back to Individuals TOC

Initial Access Marketplace

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Initial_Access_Marketplace

Label: Initial Access Marketplace

alsoCalled: IAB; Initial Access Providers

shortDescription:

A clandestine digital marketplace facilitating the trade of verified, high-quality unauthorized access to compromised networks, systems, or accounts, primarily utilized by Initial Access Brokers and other cybercriminal entities.

longDescription:

The ecosystem where cyber threat actors, notably Initial Access Brokers (IABs), engage in the commodification of verified, high-quality unauthorized access to compromised digital assets. These marketplaces operate within the dark web, underground forums, and encrypted communication channels, providing a platform for the advertisement, negotiation, and sale of illicit access credentials and footholds into targeted networks.

Transactions within these marketplaces often involve the sale of access obtained through methods such as phishing, exploitation of vulnerabilities, credential stuffing, and deployment of malware. The access sold can range from Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) credentials to web shell access and administrative privileges.

The Initial Access Marketplace serves as a critical node in the cybercrime supply chain, enabling threat actors to bypass initial intrusion efforts and directly acquire access to victim networks. This facilitates a range of malicious activities, including ransomware deployment, data exfiltration, and espionage.

variant:

Back to Individuals TOC

Monetization and Laundering Services

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Monetization_and_Laundering_Services

Label: Monetization and Laundering Services

alsoCalled:

shortDescription:

Facilitates the conversion of illicit gains into usable assets through laundering, cash-out, and financial obfuscation techniques.

longDescription:

The Monetization and Laundering Services Market is a critical component of the cybercrime ecosystem, where stolen funds or assets are processed to obscure their origins and make them usable. Services in this Market include cryptocurrency mixing, money mule networks, cash-out services, and the sale of fraudulent financial infrastructure such as shell companies or fake invoices. These services enable cybercriminals to legitimize proceeds from activities like ransomware, fraud, and data theft.

Buyers in this Market include ransomware operators seeking to launder ransom payments, fraudsters looking to cash out stolen payment data, and phishers monetizing stolen credentials. Sellers consist of money launderers offering tumbling or mule services, cash-out specialists converting stolen funds into clean assets, and document forgers providing fake identities for account creation. This Market also supports the recruitment of money mules and the exploitation of financial systems to facilitate illicit transactions.

Operations in this Market are conducted through dark web marketplaces, encrypted messaging platforms, and cryptocurrency services like mixers and decentralized exchanges. Social media platforms are also exploited for recruiting mules or advertising services. The Monetization and Laundering Services Market plays a pivotal role in enabling cybercriminals to profit from their activities while evading detection and law enforcement.

variant:

Back to Individuals TOC

Vulnerabilities and Exploits Marketplace

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Vulnerabilities_and_Exploits_Marketplace

Label: Vulnerabilities and Exploits Marketplace

alsoCalled:

shortDescription:

A specialized underground trading hub where attackers exchange zero-day and N-day exploit code, as well as vulnerability intelligence, enabling rapid compromise of unpatched systems.

longDescription:

The Vulnerabilities and Exploits Marketplace is a focal point in the cybercriminal ecosystem where malicious actors deal in both unpublished (zero-day) and publicly known (N-day) vulnerabilities. Buyers include opportunistic Intrusion Operators, ransomware affiliates, and nation-state proxies looking for quick, high-impact ways to breach targets. Sellers range from exploit developers who craft custom attack code to insiders with firsthand knowledge of software flaws. These marketplaces exist on dark web forums, invite-only broker portals, and increasingly on private messaging channels.

Law enforcement reports, such as Europol's IOCTA and FBI public service announcements, note that these marketplaces significantly reduce the time-to-exploit gap, as they offer ready-to-use or easily integrated exploits for major software targets: browsers, web servers, VPN gateways, and more. While zero-day exploits command premium prices because the vendor has no patch for them, N-day exploits remain in high demand, capitalizing on the widespread "patch lag" in many organizations. Academic and security research consistently identifies these underground "exploit bazaars" as critical accelerators for large-scale intrusion campaigns, from ransomware to cyberespionage.

variant:

Class: Operational Impact

Back to Individuals TOC

Operational Continuity Disruption

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Business_Continuity

Label: Operational Continuity Disruption

alsoCalled:

shortDescription:

The interruption of an organization’s ability to maintain normal operations and deliver services due to a cyber incident.

longDescription:

Operational Continuity Disruption refers to the inability of an organization to sustain its core business processes and service delivery as a result of a cyber incident. This harm reflects the organizational-level consequences of disruptions, regardless of whether they originate from technical failures, data issues, or other factors.

Unlike system availability disruptions, which focus on technical access, this harm captures the broader impact on workflows, service delivery, supply chains, and organizational performance. It may include halted operations, delayed services, or reduced capacity to function effectively.

This harm emphasizes the effect on the organization’s mission and outputs, rather than the underlying technical cause, and represents a higher-level consequence of cyber incidents.

variant:

Back to Individuals TOC

System Availability Disruption

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#System_Availability_Disruption

Label: System Availability Disruption

alsoCalled:

shortDescription:

The loss or degradation of access to systems, services, or data due to a cyber incident.

longDescription:

System Availability Disruption refers to the inability to access or use systems, networks, services, or data as intended due to a cyber incident. This harm occurs when technical resources become unavailable, degraded, or unresponsive, often as a result of attacks such as denial-of-service or ransomware.

This harm is strictly defined at the technical level, focusing on the accessibility of systems rather than the broader organizational consequences. It does not include downstream effects such as business interruption or financial losses resulting from downtime.

System availability disruption is typically immediate and observable, affecting the functionality of digital infrastructure and preventing normal usage until access is restored.

variant:

Back to Individuals TOC

Technical Infrastructure Degradation

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Technical_Infrastructure_Degradation

Label: Technical Infrastructure Degradation

alsoCalled:

shortDescription:

The damage, degradation, or compromise of technical systems, networks, or infrastructure components due to cyber incidents.

longDescription:

Technical Infrastructure Degradation refers to the impairment, damage, or compromise of hardware, software, networks, or other technical components resulting from cyber incidents. This harm captures the condition and functionality of underlying infrastructure rather than its availability or organizational impact.

Cyberattacks may weaken system performance, introduce vulnerabilities, corrupt configurations, or cause partial system failures that persist even after access is restored. Unlike system availability disruption, which focuses on whether systems can be accessed, this harm concerns the integrity and condition of the infrastructure itself.

This harm is also distinct from operational continuity, as it focuses on technical assets rather than business processes. It represents the structural and functional degradation of digital environments caused by cyber activity.

variant:

Class: Payment Instruments

Back to Individuals TOC

Alternative Value Stores

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Alternative_Value_Stores

Label: Alternative Value Stores

alsoCalled:

shortDescription:

Tangible or semi-liquid assets (e.g., precious metals, high-value gift vouchers) that serve as offline or hybrid value repositories in money-laundering schemes.

longDescription:

Alternative value stores encompass physical or voucher-based assets, such as gold bars, silver coins, luxury retailer gift certificates, and prepaid mobile top-ups - used by criminals to convert and conceal illicit proceeds. Rather than rely solely on digital channels, threat actors may exchange cryptocurrency or cash for precious metals or exclusive retail vouchers, then sell or redeem them in markets where financial regulations are weaker. These assets provide a discreet method to move high-value wealth without leaving telltale transaction logs. In some regions, mobile credit or SIM-top-ups function as pseudo-currency, enabling localised laundering and facilitating payments among small-scale fraud networks or dark-market resellers.

variant:

Back to Individuals TOC

Cryptocurrency

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Cryptocurrency

Label: Cryptocurrency

alsoCalled:

shortDescription:

Digital money secured by cryptography and recorded on a distributed ledger.

longDescription:

Cryptocurrency is a decentralised form of digital currency that relies on cryptographic techniques to secure transactions, limit the creation of new units, and verify the transfer of assets. It operates over peer‑to‑peer networks—most commonly public blockchains—without the need for a central issuing authority. Well‑known examples include Bitcoin, Ethereum, and Monero. In cyber‑crime, cryptocurrencies are frequently chosen for ransom payments, illicit marketplace purchases, and money‑laundering because they enable rapid cross‑border settlement and offer varying levels of pseudonymity.

variant:

Back to Individuals TOC

Electronic Wallets and Payment Apps

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Electronic_Wallets_and_Payment_Apps

Label: Electronic Wallets and Payment Apps

alsoCalled:

shortDescription:

Online or mobile accounts (e.g., PayPal, Venmo, Alipay) used to move funds rapidly, often leveraging compromised or mule-controlled balances for illicit payments.

longDescription:

Electronic wallets and payment apps allow near-instant peer-to-peer transfers without cash, providing a semi-anonymous channel for criminal payments. Although major platforms impose know-your-customer (KYC) checks, threat actors exploit credential theft, account takeovers, or mule networks to load and withdraw funds. Cyber-crime groups instruct victims to send ransoms or illegal proceeds to designated PayPal, Venmo, Cash App, or regional mobile-money accounts. These wallets then serve as stepping stones to purchase infrastructure services (VPNs, bulletproof hosts) or convert balances into cryptocurrencies. By leveraging multiple e-wallets and rapid withdrawal services, criminals evade banking controls and obscure their financial trails.

variant:

Back to Individuals TOC

Fiat Currencies

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Fiat_Currencies

Label: Fiat Currencies

alsoCalled:

shortDescription:

Government-issued legal tender (e.g., USD, EUR) that cyber-criminals convert into cash or local payment methods through money-mule systems and informal networks.

longDescription:

variant:

Back to Individuals TOC

In-Game Assets

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#In-Game_Assets

Label: In-Game Assets

alsoCalled: Virtual Assets

shortDescription:

Digital items and in-game currencies (e.g., MMORPG gold, NFTs) that can be traded or laundered through third-party marketplaces, creating alternative conduits for illicit value exchange.

longDescription:

Virtual and in-game assets refer to non-fungible tokens (NFTs), digital collectibles, or in-game currency units used within online gaming ecosystems. Criminal actors monetize stolen credit cards, phishing gains, or cryptocurrency by purchasing high-value skins, rare items, or tokens, which they then resell on gray-market platforms for fiat or crypto. These assets provide anonymity and rapid conversion paths, as many marketplaces lack strict identity verification. Additionally, some ransomware groups accept NFTs or in-game currency as ransom demands. By diversifying beyond traditional payment forms, cyber-criminals exploit the burgeoning value of digital collectibles to mask money flows and evade financial oversight.

variant:

Back to Individuals TOC

Stored-Value Cards and Vouchers

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Stored-Value_Cards_and_Vouchers

Label: Stored-Value Cards and Vouchers

alsoCalled: Prepaid Cards and Vouchers

shortDescription:

Preloaded payment tokens (gift cards or prepaid debit cards) that can be exchanged for goods or sold at a discount, facilitating anonymous value transfer.

longDescription:

Prepaid and stored-value cards such as retailer gift cards, prepaid debit cards, and electronic vouchers serve as quick, semi-anonymised value stores in cyber-crime transactions. Criminals demand or accept these cards because they can be redeemed or resold on secondary markets with minimal identity checks. Underground vendors trade Amazon, iTunes, Walmart, and other branded gift cards. RaaS affiliates and money-laundering facilitators acquire bulk gift cards at a discount, cash them out using reshipping services or black-market exchanges, and funnel proceeds into wallets or local currencies. Because these cards are widely available and difficult to trace, they remain a staple in low-value extortion, phishing payouts, and smaller-scale fraud schemes.

variant:

Class: Perpetrator

Back to Individuals TOC

BEC Scammer

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#BEC_Scammer

Label: BEC Scammer

alsoCalled:

shortDescription:

A fraud-focused role player who conducts Business Email Compromise by impersonating trusted business contacts or abusing compromised email accounts to manipulate victims into sending money or sensitive information.

longDescription:

A BEC Scammer is a role player who carries out Business Email Compromise by exploiting trust in business communications. This actor typically impersonates executives, colleagues, suppliers, or other trusted contacts—or uses a compromised legitimate email account—to send convincing messages that appear routine and authentic. Their objective is to manipulate victims into authorising fraudulent payments, changing banking details, disclosing sensitive information, or enabling further compromise.

BEC Scammers rely primarily on deception rather than overt technical disruption. They often combine reconnaissance, social engineering, email spoofing, compromised accounts, and carefully timed requests to exploit normal financial approval processes and communication habits within an organisation. In some operations, they work alongside other specialised roles, such as phishers, scriptwriters, insiders, or laundering facilitators.

This role is central to the Business Email Compromise pattern because it connects the preparatory stages of information gathering and impersonation with the eventual fraud transaction and downstream laundering of proceeds. The harm caused by a BEC Scammer can include direct financial loss, exposure of confidential business information, operational disruption, and erosion of trust in legitimate communications.

variant:

Back to Individuals TOC

Carder

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Carder

Label: Carder

alsoCalled: Carding specialists; Credit card fraudsters

shortDescription:

A cybercrime specialist who acquires and exploits stolen payment card data - either using it for fraudulent transactions or reselling it on underground markets.

longDescription:

Within the payment card fraud domain, a carder functions as a key operative responsible for the procurement and exploitation of stolen credit and debit card data. Carders obtain such data through diverse means, including phishing, skimming, and acquiring information from underground data brokers - and subsequently validate its utility via nominal test transactions. Upon confirmation, they engage in unauthorized financial activities or monetize the data by distributing it to other criminal entities. Carders frequently interface with ancillary actors, such as money mules and laundering networks, to obscure financial trails and facilitate the seamless conversion of illicit gains.

variant:

Back to Individuals TOC

Infostealer Operator

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#InfostealerOperator

Label: Infostealer Operator

alsoCalled: Stealer Operator

shortDescription:

A cybercrime service provider who runs subscription-based infostealer malware operations, supplying customers with malware builds, control panels, infrastructure, updates, and log-harvesting capability to steal and monetize victim data.

longDescription:

An Infostealer Operator is a role in the cybercrime ecosystem who operates infostealer malware as a managed criminal service. Rather than only writing malware, this actor maintains the commercial service environment that allows other criminals to deploy infostealers and collect stolen data.

The operator may provide malware builds, configuration tools, command-and-control infrastructure, customer dashboards, updates, technical support, evasion features, and access to harvested logs. Customers or affiliates use the service to infect devices and extract credentials, browser cookies, session tokens, identity details, wallet data, files, and system information.

This role is usually financially motivated and may operate alone, as part of a small criminal crew, or as part of a larger Malware-as-a-Service ecosystem. It supports multiple downstream cybercrime patterns, including account takeover, identity fraud, IAB operations, business email compromise, ransomware preparation, and data trafficking.

variant:

Back to Individuals TOC

Initial Access Broker

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Initial_Access_Broker

Label: Initial Access Broker

alsoCalled: IAB; Initial Access Providers

shortDescription:

An Initial Access Broker is a specialized role player who secures unauthorized entry points into networks or systems, then sells or rents those compromised ‘footholds’ to other cybercriminals.

longDescription:

Initial Access Brokers (IABs) focus on acquiring unauthorized access to victim organizations, often from other roles, and reselling it on underground markets, thereby allowing other actors to launch attacks without needing to execute the initial breach. Rather than carrying out attacks themselves, these brokers monetize the initial foothold by selling it to other criminal actors, such as ransomware groups, data thieves, or espionage-focused adversaries. This division of labor has become a cornerstone of the modern cybercrime economy: highly skilled Intrusion Operators can profit repeatedly from their infiltration capabilities, while a broader range of threat actors can launch attacks without the technically demanding initial breach.

variant: In many documented cases Initial Access Brokers also act as Intrusion Operators, performing the actual work of obtaining access to victim systems before reselling that access to other players for further exploitation.

Back to Individuals TOC

Intrusion Operator

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Intrusion_Operator

Label: Intrusion Operator

alsoCalled: Cracker; Hacker; Intruder; Malicious Actor; Unauthorized Access Specialist

shortDescription:

An individual with the technical expertise to exploit system vulnerabilities for illicit access and other malicious activities.

longDescription:

A technically skilled role player who identifies and exploits flaws in hardware, software, or network configurations to gain unauthorized access or influence over targeted systems. Motives and objectives vary, from obtaining initial access for resale, to installing malware, maintaining persistent footholds, or conducting further malicious campaigns. Beyond intrusion techniques alone, Intrusion Operators may leverage reconnaissance, social engineering, and exploit development to compromise assets of interest. Whether operating alone or as part of an organized group, Intrusion Operators often collaborate with other criminal roles to monetize stolen information, expand their reach, or trade newly discovered vulnerabilities and exploit tools.

variant:

Back to Individuals TOC

Malware Developer

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Malware_Developer

Label: Malware Developer

alsoCalled: Crimeware Author; Malware Engineer

shortDescription:

A technical actor responsible for designing, coding, or maintaining malicious software for use by other cybercriminals.

longDescription:

A Malware Developer is a highly technical role player within the cybercrime ecosystem who creates, modifies, or maintains malicious software. Their skillset encompasses software engineering, reverse engineering, and anti-detection capabilities, enabling them to produce crimeware offerings such as trojans, keyloggers, ransomware strains, and other stealthy malware variants. In many cases, Malware Developers either work in collaboration with other specialized roles—like Exploit Developers or Infrastructure providers—or operate as part of a Malware-as-a-Service business model, selling or renting their software to other criminal actors seeking to conduct data theft, fraud, espionage, or disruptive attacks.

variant:

Back to Individuals TOC

Phisher

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Phisher

Label: Phisher

alsoCalled:

shortDescription:

A role player specializing in crafting and executing phishing campaigns to steal credentials, financial data, or other sensitive information.

longDescription:

A Phisher is a distinct role within the cybercrime ecosystem, focused on designing and deploying phishing campaigns to deceive victims into revealing sensitive information. Phishers often create convincing emails, messages, or websites that mimic legitimate organizations, such as banks, social media platforms, or e-commerce sites. Their primary goal is to harvest credentials, financial details, or personal data, which can then be used for fraud or sold to other cybercriminals.

Phishers typically rely on tools and services from the cybercrime underground to enhance their operations. They may purchase phishing kits, lookalike domains, or bulletproof hosting to create and distribute their campaigns. Some phishers also collaborate with other roles, such as malware developers or data brokers, to monetize stolen information or expand their attack capabilities. Advanced phishers may employ automation tools or integrate their campaigns with broader cybercrime operations, such as ransomware or business email compromise (BEC).

The role of a phisher is critical to the success of many cybercriminal schemes, as phishing remains one of the most effective methods for initial access and data theft. By exploiting human vulnerabilities through social engineering, phishers play a key role in the broader cybercrime ecosystem, enabling a wide range of malicious activities. Their adaptability and reliance on underground resources make them a persistent and evolving threat.

variant:

Back to Individuals TOC

Ransomware Affiliate

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Ransomware_Affiliate

Label: Ransomware Affiliate

alsoCalled: Affiliate

shortDescription:

A ransomware affiliate is a participant in a cybercrime model where individuals or groups distribute ransomware on behalf of its creators, earning a share of the ransom payments they generate from victims.

longDescription:

Ransomware affiliates help distribute the malware and take a cut of the ransom when it is paid. Depending on the ransomware group’s business model, affiliates may pay upfront for access to the ransomware software or receive it for free. Affiliates can be more than distributors; they may also act as bulletproof hosters, web developers, negotiators and more. In every case, a ransomware affiliate distributes ransomware on behalf of its creators and earns a share of the ransom payments generated from victims.

variant:

Back to Individuals TOC

Ransomware Operator

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Ransomware_Operator

Label: Ransomware Operator

alsoCalled: Cy-X Affiliate; Cy-X Operator; RaaS Affiliate; Ransomware Affiliate

shortDescription:

A specialized cybercriminal who develops, deploys and manages ransomware attacks independently without leveraging RaaS ecosystems.

longDescription:

A Ransomware Operator is a threat actor (or group of actors) responsible for executing ransomware-based extortion campaigns. They typically control the entire attack lifecycle themselves, instead of outsourcing parts of the operation to affiliates as in the Ransomware-as-a-Service (RaaS) model. This means they select targets, deploy malicious payloads, conduct lateral movement, and perform data exfiltration and encryption of critical systems to coerce victims into paying for decryption or for preventing public disclosure of stolen data. Their central motivation is financial profit, although some operations may be aligned with state-sanctioned actors or other criminal enterprises. In some cases, they may later move into the RaaS affiliate model.

variant:

Back to Individuals TOC

Ransomware-as-a-Service Operator

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Ransomware-as-a-Service_Operator

Label: Ransomware-as-a-Service Operator

alsoCalled: Cy-X Brand; RaaS Brand; RaaS Maintainer; RaaS Operator

shortDescription:

A cybercriminal (or group) who establishes and maintains a Ransomware-as-a-Service model, supplying malware, infrastructure, and support while splitting profits with affiliates.

longDescription:

A Ransomware-as-a-Service (RaaS) Operator is a specialized organisational role player that provides an end-to-end ransomware framework and operational guidance to affiliates. These operators develop or integrate ransomware code, maintain hosting for command-and-control servers, and run payment portals or negotiation channels. Rather than targeting victims directly, they market their ransomware “service” on underground forums or invite-only channels, recruiting affiliates to carry out attacks in exchange for a percentage of ransom payments. Their profits come from licensing fees, revenue splits, and in some cases, parallel operations launched under their own brand of ransomware. This model of dividing technical tasks (development, infrastructure) from operational tasks (network intrusions, data exfiltration) significantly lowers the barrier to entry for cybercriminals and spurs rapid innovation within the ransomware ecosystem.

variant:

Back to Individuals TOC

Romance Scammer

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Romance_Scammer

Label: Romance Scammer

alsoCalled:

shortDescription:

Creates a false romantic connection with victims online to manipulate and exploit them for financial gain, sensitive information, or other benefits.

longDescription:

A Romance Scammer operates by crafting a fake identity, often using stolen or fabricated photos and personal details, to present themselves as an appealing and trustworthy individual. They typically establish contact through dating websites, social media platforms, or messaging apps, targeting individuals who may be emotionally vulnerable or seeking companionship. Over time, the scammer gains the victim’s trust and affection by engaging in frequent and emotionally charged communication, weaving a web of lies to create the illusion of a genuine relationship.

Once the victim is emotionally invested, the scammer introduces fabricated crises or urgent situations, such as medical emergencies, business failures, or travel problems, to solicit financial assistance. In some cases, they may also manipulate victims into sharing sensitive information or compromising materials, which can later be used for extortion or identity theft. These interactions are highly calculated, often following scripts or patterns designed to exploit common human vulnerabilities like empathy, trust, or fear of loss.

Their operations rely heavily on social engineering, utilizing psychological manipulation rather than technical hacking to achieve their goals. These scams cause severe emotional and financial harm to victims, making them a prominent focus for cybersecurity awareness campaigns and law enforcement efforts globally.

variant:

Back to Individuals TOC

Skimmer

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Skimmer

Label: Skimmer

alsoCalled: ATM skimmer operator; Card data harvesters; Credit card thieves; Data harvesters; POS skimmer; Payment card thieves; Skimmer Operator

shortDescription:

Individuals or groups who specialise in illegally collecting payment card information through physical devices (skimmers) or malware-based methods.

longDescription:

Data Thieves/Skimmers are role players within the carding ecosystem who focus on harvesting sensitive payment card details directly from victims. They may install physical skimming devices on ATMs, point-of-sale terminals, or gas pumps to capture card data and personal identification numbers (PINs), or employ malware-based tools to achieve the same objective in a digital environment. Acting as suppliers to the broader cybercrime market, they either use the stolen data themselves for fraudulent transactions or sell it to other criminals for further monetization. These operations frequently involve sophisticated concealment techniques, such as miniature hardware implants and encrypted data exfiltration, making them a persistent threat to both individual consumers and commercial entities.

variant:

Class: Platform

Back to Individuals TOC

Direct

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Direct

Label: Direct

alsoCalled:

shortDescription:

Peer-to-peer channel where sellers and buyers transact directly, outside formal marketplaces or forums.

longDescription:

In some cases criminal groups and other actors may interact directly with each other via email, chat, phone and other channels that security researchers cannot observe.

variant:

Class: Products and Services

Back to Individuals TOC

Deceptive Content

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Deceptive_Content

Label: Deceptive Content

alsoCalled: Social Engineering Artifacts; Social Engineering Content

shortDescription:

A generalized term to encompass roles or outputs like phishing templates, fake websites, deepfakes, and other content used in social engineering, scams and fraud.

longDescription:

Deceptive Content refers to any material or artifact intentionally crafted to mislead, manipulate, or exploit individuals, typically for malicious purposes such as fraud, theft, or cybercrime. This content can take many forms, including phishing emails, fake websites, fabricated documents, deepfake videos, or pre-written social engineering scripts. It leverages human psychology, technical vulnerabilities, or both to deceive victims and achieve the perpetrator’s objectives.

The creation of deceptive content is a critical component of social engineering schemes, where the content is tailored to exploit trust, fear, curiosity, or urgency. For example, phishing templates might mimic legitimate emails from trusted institutions to steal login credentials, while fake websites can impersonate authentic platforms to harvest sensitive information. Similarly, deepfake technology might produce convincingly altered audio or video to impersonate trusted individuals, enhancing the credibility of the fraud.

This type of content plays a central role in enabling various forms of cybercrime, from romance scams to large-scale fraud and disinformation campaigns. Its effectiveness relies on the combination of technical sophistication and psychological manipulation, making it a key tool for cybercriminals and other malicious actors in targeting individuals, organizations, and even entire communities.

variant:

Back to Individuals TOC

Fake identity

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Fake_identity

Label: Fake identity

alsoCalled:

shortDescription:

Illicit bundle of fabricated personal details—names, photos, documents—sold to impersonate real users and bypass KYC checks.

longDescription:

A fake identity enables perpetrators to conceal their real identities while gaining the trust of victims or bypassing security measures. These identities may range from entirely fictitious personas to those built using stolen personal information, often blending real and fabricated data to appear authentic. Perpetrators leverage these identities to impersonate individuals, create fake accounts, or infiltrate systems for malicious purposes.

In social engineering attacks like romance scams, fake identities are meticulously constructed with convincing details, including names, photos, and backstories, often supplemented with stolen or AI-generated images. These personas are then used to establish emotional connections or trust with victims, ultimately leading to exploitation. Similarly, fake identities play a role in phishing campaigns, where they impersonate legitimate organizations or individuals to trick victims into sharing sensitive information.

On a broader scale, fake identities are also used in cyber-enabled crimes like money laundering, where they help obscure financial transactions, or in large-scale disinformation campaigns, where bots and trolls leverage these personas to spread misinformation. The creation and use of fake identities highlight the intersection of technical skill, psychological manipulation, and exploitation in cybercrime.

variant:

Class: Psychological Impact

Back to Individuals TOC

Behavioral Changes

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Behavioral_Changes

Label: Behavioral Changes

alsoCalled:

shortDescription:

Observable changes in a victim’s actions or habits in response to a cyber incident, such as altered online behavior or reduced engagement with digital systems.

longDescription:

Behavioral Changes refer to observable modifications in a victim’s actions, habits, or decision-making following a cyber incident. These changes reflect how individuals or organizations adjust their behavior in response to perceived risk, prior harm, or increased awareness of cyber threats.

Examples include avoiding certain online activities, reducing use of digital services, adopting stricter security practices, or altering communication patterns. These behaviors may be temporary or long-term and can influence how victims interact with digital environments and other actors.

This harm is distinct from psychological distress, which concerns internal emotional states, and from erosion of trust, which relates to perceptions of systems or institutions. Instead, behavioral changes capture the outward expression of those internal or perceptual shifts through concrete actions. The impact of this harm lies in how it alters engagement, participation, and usage patterns, potentially affecting digital ecosystems, service adoption, and overall user behavior.

variant:

Back to Individuals TOC

Erosion of Trust

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Erosion_of_Trust

Label: Erosion of Trust

alsoCalled:

shortDescription:

The reduction in confidence in digital systems, organizations, or interactions following a cyber incident.

longDescription:

Erosion of Trust in Systems and Institutions refers to the diminished confidence that individuals or organizations have in digital systems, services, or entities after experiencing or learning about a cyber incident. This harm affects perceptions of reliability, security, and credibility.

Unlike psychological distress, which is internal and emotional, this harm is relational and outward-facing, influencing how victims interact with systems, organizations, or other actors. It may lead to reduced usage, avoidance of digital services, or changes in behavior based on perceived risk.

This harm operates at both individual and collective levels, potentially affecting customer relationships, institutional reputation, and broader participation in digital ecosystems.

variant:

Back to Individuals TOC

Psychological Distress

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Psychological_Distress

Label: Psychological Distress

alsoCalled:

shortDescription:

The internal emotional and psychological harm experienced by individuals as a result of cybercrime.

longDescription:

Psychological Distress refers to the internal emotional and mental effects experienced by individuals following a cybercrime incident. This includes feelings such as anxiety, fear, stress, embarrassment, or violation arising from events like fraud, identity theft, or data breaches.

This harm is strictly internal to the individual and concerns their psychological state, rather than external behaviors or system-level consequences. It does not include changes in trust toward systems or institutions, which are treated separately.

Psychological distress may vary in severity and duration, and in some cases can have lasting impacts on well-being and daily functioning. It highlights the human impact of cybercrime beyond financial or technical damage.

variant:

Class: Reconnaissance and Open Source Intelligence

Back to Individuals TOC

Dual-Use Intelligence on Businesses

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Dual-UseIntelligenceOnBusinesses

Label: Dual-Use Intelligence on Businesses

alsoCalled:

shortDescription:

Legitimate business-data and company-intelligence services that provide organizational details, which adversaries may misuse to profile victims, identify valuable targets, or support social engineering and intrusion planning.

longDescription:

Dual-Use Intelligence on Businesses refers to legitimate products and services that collect, organize, and provide information about companies, institutions, and their operations. These may include business intelligence platforms, company directories, sales-intelligence databases, corporate registry data, procurement databases, job postings, public filings, technology-profile tools, and relationship-mapping services.

Legitimate users use these services for sales, recruitment, due diligence, market research, compliance, and cybersecurity. For example, commercial platforms describe themselves as providing company and contact data, buying-intent signals, and workflow automation for business purposes.

For adversaries, the same information can support victim profiling and targeting. Adversaries may gather victim organization information such as divisions, business operations, roles and responsibilities, business relationships, and connected third parties. Such details can reveal targetable people, systems, partners, or supply-chain paths.

variant:

Back to Individuals TOC

Dual-Use Intelligence on Individuals

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Dual-UseIntelligenceOnIndividuals

Label: Dual-Use Intelligence on Individuals

alsoCalled:

shortDescription:

Legitimate people-data and identity-information services that collect or provide personal or professional details, which may be misused by adversaries for targeting, impersonation, phishing, or social engineering.

longDescription:

Dual-Use Intelligence on Individuals refers to lawful data products and services that collect, aggregate, verify, enrich, or provide information about people. These may include professional contact databases, data broker services, people-search tools, public-record aggregators, social media intelligence, breach-notification sources, and identity-verification datasets.

Legitimate users may rely on these services for marketing, recruitment, fraud prevention, compliance, customer verification, or security investigations. Data brokers are commonly described as companies that collect personal information from public and non-public sources and resell or share it for purposes including identity verification, fraud prevention, and marketing.

In cybercrime contexts, the same kinds of information can be misused to identify employees, derive email addresses, craft convincing lures, support impersonation, or improve social-engineering success. Target identity information, including names, email addresses, personal data, credentials, and MFA-related details, is used during the preparation, reconnaissance and targeting phases of multiple patterns.

variant:

Back to Individuals TOC

Dual-Use Internet Reconnaissance

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Dual-UseInternetReconnaissance

Label: Dual-Use Internet Reconnaissance

alsoCalled:

shortDescription:

Legitimate search, scanning, and exposure-mapping services that identify internet-facing systems, which defenders use to manage risk but adversaries may misuse to find exposed targets or vulnerable infrastructure.

longDescription:

Dual-Use Internet Reconnaissance Services are legitimate platforms, tools, and datasets that help users discover and analyze internet-facing systems, services, domains, certificates, ports, and exposed technologies. They include asset-search engines, scan databases, certificate-transparency tools, passive DNS sources, and attack-surface management platforms.

These services have lawful uses for cybersecurity, research, compliance, and asset management. However, they can also be misused by cybercrime actors during reconnaissance and target selection. Instead of directly probing a victim, an adversary can query existing public or commercial datasets to identify exposed VPN gateways, remote access services, web applications, cloud assets, or misconfigured systems.

Adversaries repurpose legitimate visibility tools to create target lists, prioritize victims, or prepare later compromise attempts. This kind of reconnaissance commonly supports phases such as opportunistic target discovery, exposure mapping, vulnerability selection, and infrastructure profiling.

variant:

Class: Role Player

Back to Individuals TOC

Bulletproof Hosting Provider

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#BulletproofHostingProvider

Label: Bulletproof Hosting Provider

alsoCalled:

shortDescription:

longDescription:

variant:

Back to Individuals TOC

Legitimate Service Provider

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Legitimate_Service_Provider

Label: Legitimate Service Provider

alsoCalled:

shortDescription:

Third-party platforms (e.g., social media, online products and services, marketplaces or company websites) or individuals that may be indirectly exploited in the execution of a Pattern.

longDescription:

variant:

Back to Individuals TOC

Proxy Provider

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#ProxyProvider

Label: Proxy Provider

alsoCalled:

shortDescription:

longDescription:

variant: Residential Proxy Provider

Back to Individuals TOC

Spear Phisher

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Spear_Phisher

Label: Spear Phisher

alsoCalled: Targeted Phisher

shortDescription:

A role player specializing in executing highly targeted phishing attacks, often impersonating trusted individuals to deceive specific victims into revealing sensitive information or performing actions that compromise their security.

longDescription:

The Spear Phisher is an individual who conducts personalized phishing campaigns aimed at specific targets, typically within organizations. By leveraging detailed knowledge about their victims, such as personal information, job roles, and communication styles, spear phishers craft convincing emails that appear to originate from trusted sources. These emails often contain malicious attachments or links designed to install malware or harvest credentials. The spear phisher’s approach is characterized by meticulous reconnaissance, utilizing open-source intelligence (OSINT) and social engineering techniques to enhance the effectiveness of their attacks. The ultimate goal of a spear phisher is to gain unauthorized access to sensitive data, financial information, or systems.

variant:

Back to Individuals TOC

VPN Service Provider

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#VPNServiceProvider

Label: VPN Service Provider

alsoCalled:

shortDescription:

longDescription:

variant:

Class: Scams and Fraud

Back to Individuals TOC

Business Email Compromise

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Business_Email_Compromise

Label: Business Email Compromise

alsoCalled: BEC; CEO Fraud; EAC; Email Account Compromise; Man-in-the-Email Attack; VEC; Vendor Email Compromise

shortDescription:

A type of cyber fraud where attackers impersonate company executives or business partners in emails to trick employees into transferring money or sensitive information.

longDescription:

Business Email Compromise (BEC) is a targeted form of fraud in which threat actors gain access to a legitimate business email account, or convincingly impersonate an entity, in order to influence financial or sensitive communications. The activity typically begins with reconnaissance and social engineering to understand internal roles, approval processes, language patterns, and payment routines. Attackers then compromise, spoof, or manipulate email communications, presenting fraudulent instructions that appear legitimate. The objective is to redirect payments, obtain confidential information, or authorise transfers under false pretences, while maintaining credibility and minimising detection.

BEC campaigns are carried out by organised threat actors who specialise in research-driven social engineering, credential acquisition, and manipulation of email. These actors may combine phishing techniques, credential theft, or account intrusion with infrastructure such as anonymous communication channels and covert financial movement services. Some operations involve multiple coordinated participants, including roles focused on initial compromise, language crafting, payment redirection, or laundering of illicit proceeds.

Victims include organisations of any size, as well as employees with authority to initiate or approve payments or share sensitive information. Impacts may include financial loss, exposure of confidential data, reputational damage, operational disruption, and loss of trust in normal communication processes. The harm can extend beyond the primary target if third-party information or funds are misdirected, creating additional indirect victims and further consequences.

variant:

Back to Individuals TOC

Carding

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Carding

Label: Carding

alsoCalled: Payment Card Fraud

shortDescription:

Carding is the illicit acquisition and use of stolen payment card data to commit financial fraud.

longDescription:

Carding is a form of financial fraud in which threat actors steal, trade, validate, and exploit payment-card and related personal data for profit.

This process often involves hacking or social engineering techniques - such as card skimming, web-skimming malware on e-commerce sites, phishing, or data breaches - to harvest credit or debit card information.

Once acquired, stolen card data can be used directly, but it is frequently posted for sale or traded on underground forums and dark markets, fuelling a complex ecosystem of buyers and sellers who specialise in the monetisation of stolen credentials. Threat actors use automated checker tools, scripted low-value purchases, and credential stuffing against online merchants and digital-wallet providers to identify still-active cards and abuse them at scale.

Common monetisation strategies include loading cards into digital wallets, purchasing prepaid cards, making fraudulent online purchases, withdrawing cash from ATMs in other jurisdictions using cloned or compromised cards, routing funds through money-mule networks, and converting assets via cryptocurrency exchanges. Carding not only causes direct financial losses for businesses and consumers but also undermines trust in online transactions and digital payment systems on a global scale.

variant: In a variant based on social engineering, the attacker swaps the victim’s physical card with a fake card at an ATM and captures the PIN via shoulder surfing, later using the stolen card.

Back to Individuals TOC

Romance Baiting

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Romance_Baiting

Label: Romance Baiting

alsoCalled: Pig Butchering (but use is discouraged)

shortDescription:

Romance baiting is a scheme in which perpetrators create fake romantic connections to emotionally manipulate victims, ultimately exploiting them for money, personal information, or other forms of gain.

longDescription:

Romance scams typically consist of a person being defrauded through the guise of a seemingly genuine romantic relationship. Potential victims are groomed through an extensive process involving charm and fabricated personal stories to gain their trust and create a sense of emotional connection. Once trust is established, the attacker introduces either an investment opportunity or a fabricated crisis, such as a medical emergency or a travel issue, to solicit financial assistance. Victims may also be manipulated into sharing sensitive personal information or compromising photos, leading to further crimes like identity theft or extortion.

Romance scammers often form part of organized criminal groups or networks that are geographically concentrated. Sometimes the scammers are employees of a criminal enterprise, but they can also be trafficked into the role and held as slaves. The plot-lines of the schemes are pre-prepared and scripted so that scammers can efficiently manage multiple victims simultaneously. The initial targeting phase involves setting up fake profiles on online platforms such as dating apps or social media. Once initial contact is made, the interaction is typically moved to email or messaging applications. These interactions, which can continue for weeks or months, use a variety of social engineering techniques to exploit human emotions and bypass rational safeguards. Money mules may participate in the exploitation phase when financial transfers are conducted. When the exploitation phase involves a cryptocurrency investment scam, fraudulent platforms may be created or pre-existing exchanges and mixers may be leveraged.

These scams target private individuals and can cause significant financial losses and emotional distress. Feelings of embarrassment and the psychological impact of being deceived in this manner can have a long-lasting impact on victims.

variant:

Class: Specific Pattern Phase

Back to Individuals TOC

BEC Delivery

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_BEC_Delivery

Label: BEC Delivery

alsoCalled:

shortDescription:

The adversary sends the crafted email or message to the target organization or individual, often using phishing techniques or spoofed email domains to appear legitimate.

longDescription:

After creating and testing their BEC lures in the Weaponization phase, the adversary delivers the malicious or deceptive email to the intended recipient. This delivery may involve spoofed sender addresses, lookalike domains, or compromised email accounts to increase legitimacy. Delivery marks the point at which the victim first encounters the attacker’s crafted content, setting the stage for credential theft or fraudulent financial requests.

variant:

Back to Individuals TOC

BEC Exploitation Account Takeover

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_BEC_Exploitation_AccountTakeover

Label: BEC Exploitation Account Takeover

alsoCalled:

shortDescription:

The victim interacts with a malicious link or email, unwittingly providing credentials or enabling unauthorized access. The adversary then assumes control of the compromised mailbox or system, laying groundwork for further fraud.

longDescription:

In this combined stage, the attacker leverages social engineering or phishing lures to trick the victim into revealing credentials or granting access. The victim may click a spoofed link, log into a fake portal, or respond to an email requesting verification details. Once obtained, these credentials allow the adversary to log in to the victim’s email account (or other communications channels).

Having gained access, the attacker may set up mail-forwarding or auto-deletion rules to conceal their presence, monitor internal communications, or impersonate trusted personnel. By maintaining continuous visibility into the victim’s inbox, the adversary can plan well-timed fraudulent requests without raising suspicion. This stealthy account takeover often persists undetected until the attacker is ready to commit outright financial theft or extort the organization.
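The inbox-rule manipulation described above (external forwarding, auto-deletion, or hiding of finance-related mail) is one of the most reliable post-takeover artefacts to hunt for. The following triage script is an added example for this entry and is not part of Project COSMOS or any vendor tooling; the rule records are constructed to resemble a mail-server audit export, and the field names (owner, match, forward_to, delete, move_to, mark_read), the internal-domain list and the keyword list are assumptions to be adapted to a real environment.

```python
"""Triage mailbox inbox rules for signs of BEC account takeover.

Added illustration; not part of Project COSMOS. The rule records below are
constructed, and the field names are an assumed schema, not any vendor's.
"""
from __future__ import annotations
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains
FINANCE_KEYWORDS = ("invoice", "payment", "wire", "bank", "remittance", "fraud", "phish")
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "archive", "junk email"}


@dataclass
class InboxRule:
    owner: str                 # mailbox the rule lives in
    name: str                  # attackers often use ".", "..", or a single letter
    match: str = ""            # keyword filter applied to subject/body
    forward_to: list = field(default_factory=list)
    delete: bool = False
    move_to: str = ""
    mark_read: bool = False


def is_external(address: str) -> bool:
    """True when the address domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def assess(rule: InboxRule) -> list[str]:
    """Return human-readable findings for one rule; an empty list means benign."""
    findings = []
    if any(is_external(a) for a in rule.forward_to):
        findings.append("forwards mail to an external address")
    finance_related = any(k in rule.match.lower() for k in FINANCE_KEYWORDS)
    if finance_related and rule.delete:
        findings.append("auto-deletes finance-related mail")
    if finance_related and rule.move_to.lower() in HIDING_FOLDERS:
        findings.append(f"hides finance-related mail in '{rule.move_to}'")
    if finance_related and rule.mark_read:
        findings.append("marks finance-related mail as read")
    if len(rule.name.strip()) <= 2:
        findings.append("near-empty rule name")
    return findings


def triage(rules: list[InboxRule]) -> dict[str, list[str]]:
    """Map each owner with at least one finding to the findings across their rules."""
    flagged: dict[str, list[str]] = {}
    for rule in rules:
        findings = assess(rule)
        if findings:
            flagged.setdefault(rule.owner, []).extend(
                f"{rule.name!r}: {f}" for f in findings)
    return flagged


# Constructed sample export (not real data).
SAMPLE_RULES = [
    InboxRule("alice@example.com", ".", match="invoice",
              forward_to=["alice.finance@gmail.example"], delete=True),
    InboxRule("bob@example.com", "Newsletter cleanup", match="newsletter",
              move_to="Archive"),
    InboxRule("carol@example.com", "Vendor mail", match="payment",
              move_to="RSS Subscriptions", mark_read=True),
    InboxRule("dave@example.com", "Team copy",
              forward_to=["team@example.com"]),
]

if __name__ == "__main__":
    for owner, findings in triage(SAMPLE_RULES).items():
        print(owner)
        for finding in findings:
            print("  -", finding)
```

Only alice and carol are flagged: bob's archiving rule matches no finance keyword and dave forwards internally. In practice the rule creation time should also be compared with sign-in telemetry, since a rule created minutes after a login from a new country is the stronger signal.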

variant:

Back to Individuals TOC

BEC Fraud Transaction

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_BEC_Fraud_Transaction

Label: BEC Fraud Transaction

alsoCalled:

shortDescription:

Attackers impersonate a trusted party (e.g., CFO or supplier) and instruct the target to transfer funds to attacker-controlled accounts, completing the core BEC fraud.

longDescription:

Having taken over a legitimate mailbox or established a believable email dialogue, the attacker sends a payment request that appears both authentic and urgent. They often invoke business context (e.g., an invoice payment, a vendor’s new bank account, or a time-sensitive deal) and demand secrecy or prompt action. If successful, the victim transfers funds to an attacker-controlled account. The transaction commonly triggers immediate laundering or onward movement of the stolen money, making recovery difficult. The Fraud Transaction stage can cause serious financial losses and reputational harm to the victim.

variant:

Back to Individuals TOC

BEC PostFraud Laundering

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_BEC_PostFraud_Laundering

Label: BEC PostFraud Laundering

alsoCalled:

shortDescription:

After the victim’s funds are stolen, the adversary engages in multi-step laundering to obscure the stolen money’s origins and final destination.

longDescription:

This Pattern Phase represents the post-fraud phase of a BEC scheme, in which the adversary (or associates) rapidly disperses or layers the stolen funds to evade detection. Common techniques include splitting the funds across multiple bank accounts, recruiting money mules, converting fiat to cryptocurrency, and leveraging mixers or unregulated exchanges. The goal is to launder the proceeds so that they appear legitimate and to minimise the chance of recovery or law enforcement identification.

variant:

Back to Individuals TOC

BEC Recon

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_BEC_Recon

Label: BEC Recon

alsoCalled:

shortDescription:

Attackers research the target organization to identify key personnel (e.g., executives, finance staff) and their roles, communication patterns, and relationships. They may gather information from public sources (e.g., LinkedIn, company websites) or through social engineering.

longDescription:

The Business Email Compromise (BEC) Reconnaissance Process involves gathering intelligence on a target organization to identify key individuals, communication patterns, and processes that can be exploited. Attackers typically begin by leveraging Open-Source Intelligence (OSINT) tools to collect publicly available information, such as employee names, job titles, email addresses, and organizational hierarchies. Social media platforms like LinkedIn, company websites, and public records are common sources for this data. The goal is to identify high-value targets, such as executives or finance personnel, and understand their roles and relationships within the organization.

In addition to OSINT, attackers may use social engineering techniques to extract more specific information. This could involve impersonating IT staff or vendors to trick employees into revealing internal processes, schedules, or login credentials. For example, attackers might call or email employees under a pretext, such as verifying account details or confirming payment procedures. These interactions help attackers refine their approach, ensuring their eventual phishing emails or fraudulent requests appear legitimate and align with the organization’s communication style.

The recon process is critical to the success of a BEC attack, as it enables attackers to craft highly targeted and convincing lures. By understanding the organization’s structure and communication habits, attackers can impersonate trusted individuals or entities with precision, increasing the likelihood of deceiving their victims.

variant:

Back to Individuals TOC

BEC Weaponisation

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_BEC_Weaponisation

Label: BEC Weaponisation

alsoCalled:

shortDescription:

Involves crafting deceptive communications and tools to impersonate trusted entities and exploit victims.

longDescription:

The Weaponization phase of a Business Email Compromise (BEC) attack focuses on creating convincing materials and strategies to deceive targets. This includes crafting fake emails, messages, or documents that impersonate trusted individuals, such as executives, vendors, or partners. Attackers may also register lookalike domains or spoof legitimate email addresses to enhance credibility.

During this phase, attackers tailor their communications to align with the target’s organizational structure, business processes, or ongoing activities. They may use information gathered during reconnaissance to mimic writing styles, reference specific projects, or exploit time-sensitive scenarios, such as urgent payment requests. The goal is to make the communication appear authentic and bypass suspicion.

This phase is critical to the success of a BEC attack, as the quality of the crafted materials directly impacts the likelihood of victim compliance. By leveraging social engineering and technical deception, attackers prepare to execute their scam, whether it involves stealing credentials, redirecting payments, or extracting sensitive information.
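The lookalike and spoofed domains described for the BEC Delivery and BEC Weaponisation phases can be caught at the receiving end by comparing the sender's domain with the organisation's known partner domains. The classifier below is an added example for these two entries and is not part of Project COSMOS; the trusted-domain list and the sample senders are constructed, and the confusable-character table is a small hand-picked subset, not the full Unicode confusables list.

```python
"""Classify a sender domain against known partner domains (lookalike detection).

Added illustration; not part of Project COSMOS. TRUSTED_DOMAINS and the
sample senders are constructed; the confusable tables are a partial subset.
"""
from __future__ import annotations
import unicodedata

TRUSTED_DOMAINS = {"example.com", "acme-supplies.example"}  # assumption: your partners
SINGLE_CHAR_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})
MULTI_CHAR_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"))
MAX_EDIT_DISTANCE = 2


def normalise(domain: str) -> str:
    """Fold case, drop non-ASCII after compatibility decomposition, map look-alike glyphs."""
    folded = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    folded = folded.translate(SINGLE_CHAR_CONFUSABLES)
    for pair, single in MULTI_CHAR_CONFUSABLES:
        folded = folded.replace(pair, single)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Two-row edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain: str) -> tuple[str, str | None]:
    """Return (verdict, matched_trusted_domain_or_None)."""
    sender = sender_domain.lower().rstrip(".")
    if sender in TRUSTED_DOMAINS:
        return "trusted", sender
    # trusted name used as a leading label of some other registered domain
    for trusted in TRUSTED_DOMAINS:
        if sender.startswith(trusted + "."):
            return "prefix-abuse", trusted
    norm = normalise(sender)
    best, best_distance = None, None
    for trusted in TRUSTED_DOMAINS:
        distance = levenshtein(norm, normalise(trusted))
        if best_distance is None or distance < best_distance:
            best, best_distance = trusted, distance
    if best_distance == 0:
        return "homoglyph", best       # identical after glyph folding, e.g. digit 1 for l
    if best_distance <= MAX_EDIT_DISTANCE:
        return "lookalike", best       # a typo-squat or a dropped/transposed letter
    return "unrelated", None


if __name__ == "__main__":
    # Constructed sender domains, including one with a Cyrillic "a" (U+0430).
    for sample in ("example.com", "examp1e.com", "exampel.com", "ex\u0430mple.com",
                   "example.com.secure-login.net", "unrelated.org"):
        print(f"{sample:32} -> {classify(sample)}")
```

The "unrelated" verdict is not a clean bill of health: a free-mail sender whose display name matches an executive, or a Reply-To that differs from From, are separate checks worth running alongside this one.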

variant:

Back to Individuals TOC

Carding Card Data Acquisition

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_Carding_Card_Data_Acquisition

Label: Carding Card Data Acquisition

alsoCalled:

shortDescription:

An adversary uses phishing, skimming, or checkout malware via compromised payment infrastructure to obtain payment card details from victims.

longDescription:

The Card Data Acquisition phase is the initial stage of a carding scheme, in which financially motivated adversaries obtain payment card details from victims for later fraudulent use. The role players involved may include individual attackers such as carders or skimmers, organized carding groups, or users of carding-as-a-service ecosystems who rely on stolen or rented infrastructure to collect payment data at scale. They may target cardholders directly through phishing and smishing campaigns that direct victims to fake payment or login pages, or they may compromise merchant and payment environments through skimming at point-of-sale systems and ATMs, digital skimming malware injected into e-commerce checkout pages, or network intrusions that exfiltrate card databases. The infrastructure used in this phase can include compromised websites, fake payment portals, infected POS terminals, ATM skimmers, malicious scripts, underground phishing kits, and other commodity tools obtained through illicit markets. Victims are typically cardholders, merchants, processors, or financial institutions, and the immediate impact is the theft of sensitive payment card information. Once acquired, the data may be aggregated, packaged, and sold on underground card shops or other illicit marketplaces, or retained for validation and later monetization.

variant:

Back to Individuals TOC

Carding Monetization

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_Carding_Monetization

Label: Carding Monetization

alsoCalled:

shortDescription:

Once the stolen card data has been validated, threat actors proceed with both fraudulent purchases and resale activities through multiple channels to generate direct financial gains.

longDescription:

The Monetization phase is the stage in which adversaries convert stolen and validated payment card data into financial gain. The role players may include carders, resellers, money mules, laundering networks, or other facilitators who help move the proceeds of card fraud. This phase may involve the use of merchant payment systems, ATM networks, bank or payment accounts controlled by mules, and sometimes cryptocurrency exchanges or alternative payment channels. Through these channels, threat actors carry out fraudulent purchases (high-value goods, gift cards, digital assets), cash withdrawals, or transfers designed to extract value quickly and conceal the source of the funds. Victims include cardholders, merchants, and financial institutions, which suffer direct financial losses, fraud-related disruptions, and the costs of recovery and loss mitigation. In broader carding ecosystems, this phase may also connect to resale on dark markets and laundering chains that help distribute illicit gains across multiple accounts or payment channels.

variant:

Back to Individuals TOC

Carding Validation

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_Carding_Validation

Label: Carding Validation

alsoCalled:

shortDescription:

After acquiring card data, adversaries use card-checking tools or low-value test transactions via payment systems to confirm stolen card validity and available funds before later fraudulent use.

longDescription:

The Validation phase is the stage in which attackers confirm that stolen payment card data is active and suitable for fraud before attempting larger-scale transactions. The role players involved are typically carders, fraud crews, or organized networks using carding-as-a-service providers to process stolen card data efficiently. They use tools such as “checkers”, card-checking bots, automated platforms, or small test charges to verify each card’s balance, validity, and fraud controls while blending into normal payment traffic. The infrastructure supporting this phase may include merchant payment systems, payment gateways, anonymization services, proxies, and other platforms that help the attacker make low-value transactions appear legitimate. Victims are usually cardholders, and in some cases merchants or financial institutions, who may see suspicious alerts, temporary account freezes, or other fraud-control responses. When the stolen cards have been confirmed to be active and usable, threat actors will separate valuable data from unusable data and move toward profitable fraudulent purchases or resale on underground markets.
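On the merchant or gateway side, the checker traffic described above has a characteristic shape: many distinct cards, tiny amounts and a high decline ratio from one source in a short window. The detector below is an added example for this entry and is not part of Project COSMOS; the authorisation records are constructed, and the field names (ts, ip, card, amount, result) and thresholds are assumptions that would need tuning against real traffic.

```python
"""Detect card-testing ("checker") bursts in payment authorisation logs.

Added illustration; not part of Project COSMOS. The records below are
constructed; field names and thresholds are assumptions.
"""
from __future__ import annotations
from collections import defaultdict, deque
from statistics import median

WINDOW_SECONDS = 300        # sliding window per source IP
MIN_DISTINCT_CARDS = 5      # many different cards from one source is the core signal
MAX_TEST_AMOUNT = 2.00      # checkers use tiny amounts to avoid attention
MIN_DECLINE_RATIO = 0.4     # stolen dumps contain many dead cards


def detect_card_testing(events: list[dict]) -> list[dict]:
    """Return one alert per source IP whose recent traffic looks like card testing."""
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        window: deque = deque()
        alert = None
        for event in evs:
            window.append(event)
            # drop authorisations that fell out of the window
            while window[0]["ts"] < event["ts"] - WINDOW_SECONDS:
                window.popleft()
            cards = {w["card"] for w in window}
            if len(cards) < MIN_DISTINCT_CARDS:
                continue
            declines = sum(w["result"] == "declined" for w in window)
            amounts = [w["amount"] for w in window]
            if median(amounts) <= MAX_TEST_AMOUNT and declines / len(window) >= MIN_DECLINE_RATIO:
                if alert is None:
                    alert = {"ip": ip, "first_seen": window[0]["ts"], "distinct_cards": 0}
                    alerts.append(alert)
                alert["distinct_cards"] = max(alert["distinct_cards"], len(cards))
                alert["last_seen"] = event["ts"]
    return alerts


# Constructed sample log (not real data). "card" is a tokenised PAN.
SAMPLE_EVENTS = (
    # checker burst: eight cards, tiny amounts, most declined, 15 s apart
    [{"ts": 1000 + 15 * i, "ip": "203.0.113.7", "card": f"tok_{i:02d}",
      "amount": amount, "result": result}
     for i, (amount, result) in enumerate([
         (0.50, "declined"), (1.00, "declined"), (0.75, "approved"),
         (1.20, "declined"), (0.90, "declined"), (1.10, "approved"),
         (0.60, "declined"), (1.30, "approved")])]
    # ordinary shopper traffic: cards spread over ten minutes each
    + [{"ts": 1000 + 600 * i, "ip": "198.51.100.2", "card": f"tok_shop_{i}",
        "amount": 25.0 + 10 * i, "result": "approved"} for i in range(6)]
    # busy kiosk: many cards in a short window, but real amounts, all approved
    + [{"ts": 1000 + 20 * i, "ip": "192.0.2.9", "card": f"tok_kiosk_{i}",
        "amount": 30.0 + 5 * i, "result": "approved"} for i in range(6)]
)

if __name__ == "__main__":
    for alert in detect_card_testing(SAMPLE_EVENTS):
        print(alert)
```

Only the first source trips the rule; the kiosk shows the same card diversity but normal amounts and no declines. Real checkers rotate through proxies, so the same logic should also be keyed on device fingerprint or session rather than IP alone.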

variant:

Back to Individuals TOC

CyX Encryption

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_Cy-X_Encryption

Label: CyX Encryption

alsoCalled:

shortDescription:

Attackers deploy malware to encrypt critical files, rendering systems and data inaccessible without a decryption key.

longDescription:

During the CyX Encryption event, ransomware affiliates or core operators responsible for impact delivery execute the ransomware payload on compromised systems they have already prepared. Encryption is typically coordinated to occur simultaneously across multiple hosts in order to overwhelm response efforts and maximize business continuity disruption. Systems deemed high-value - such as domain controllers, file servers, backup repositories or critical workstations and virtual machines - are rapidly encrypted, halting normal operations and forcing the organization into crisis mode. By specifically targeting backups or high-priority data and systems first, attackers greatly reduce the victim’s ability to recover without paying the ransom. This disruption cements the adversary’s bargaining power in the subsequent extortion phase.

variant:

Back to Individuals TOC

CyX Exfiltration

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_Cy-X_Exfiltration

Label: CyX Exfiltration

alsoCalled:

shortDescription:

Actors copy and remove sensitive files before encryption, enabling ‘double extortion’ or blackmail. They employ exfiltration tools, command and control and storage infrastructure.

longDescription:

In the CyX Exfiltration event, attackers stealthily transfer data out of the victim’s environment to gain additional leverage for subsequent extortion. This Phase represents a transition from intrusion and positioning toward coercion, enabling extortion even if encryption is disrupted. Typically, they prioritize high-value data, such as sensitive business documents, intellectual property, customer or employee personal data, legal and financial records, and internal communications. Data is staged and then transferred over encrypted channels to rented or adversary-operated command-and-control servers or cloud storage. In ransomware-as-a-service models, exfiltration tools and storage may be partially standardized across affiliates.

This step underpins the ‘double extortion’ model, where adversaries threaten to leak or sell stolen data if victims refuse to pay, significantly increasing pressure on organizations to comply with ransom demands.

variant:

Back to Individuals TOC

CyX Extortion

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_Cy-X_Extortion

Label: CyX Extortion

alsoCalled:

shortDescription:

Having encrypted systems and possibly stolen data, attackers demand payment for decryption or nondisclosure.

longDescription:

Once the victim’s data or systems are encrypted and critical information has potentially been exfiltrated, adversaries deliver a ransom note specifying payment instructions, often via a text file left on impacted machines. Communication channels, such as specialized websites or chat portals, are provided for negotiation. The adversaries often threaten to leak sensitive data if the ransom is not paid, intensifying the pressure through possible regulatory exposure, reputational harm, and downstream fraud risks. By merging encryption-based disruption with reputational blackmail, the Extortion event compels organizations to consider paying large sums to resume operations or prevent public disclosure of exfiltrated data. On occasion, attackers also threaten DDoS attacks as a third form of extortion. Victims play an active role in this event because they must decide whether or not to pay, whether to engage with law enforcement, and whether to disclose the attack, either publicly or to affected parties.

variant:

Back to Individuals TOC

CyX LateralMovement

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_Cy-X_LateralMovement

Label: CyX LateralMovement

alsoCalled:

shortDescription:

Threat actors use a variety of offensive tools and living off the land techniques to pivot through the compromised network, escalating privileges and advancing toward key systems and data.

longDescription:

In the CyX LateralMovement event, attackers leverage compromised accounts, exploits, or misconfigurations to traverse the victim’s environment. They may perform credential dumping, privilege escalation, or even abuse legitimate administrative tools (e.g., PsExec, PowerShell, WMI) to propagate beyond the initially breached host, coordinating their movements through command-and-control infrastructure that issues commands and receives reconnaissance data. They actively avoid detection by disabling Endpoint Detection and Response systems or clearing logs. By systematically moving across endpoints and servers, threat actors gain broader control, positioning themselves to locate high-value data and critical systems, which enables adversaries to maximize impact in the subsequent stages.
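The tooling named above (PsExec, PowerShell, WMI, credential dumping, EDR tampering and log clearing) each leaves a distinct trace in Windows event logs, and scoring them together per host separates a ransomware affiliate's pivoting from an administrator's occasional PsExec use. The scorer below is an added example for this entry and is not part of Project COSMOS; the event records are constructed and their shape (host, event_id, fields) is an assumed normalisation, while the event IDs are the standard Windows ones (4688 process creation, 7045 service installed, 1102 security audit log cleared). The regexes and weights are illustrative starting points, not a tested ruleset.

```python
"""Score hosts for ransomware-style lateral movement from Windows event records.

Added illustration; not part of Project COSMOS. Events are constructed and
the record shape is an assumption; the event IDs are standard Windows ones.
"""
from __future__ import annotations
from collections import defaultdict
import re

SUSPICIOUS_COMMANDS = {
    "remote_exec": re.compile(
        r"\b(psexec|paexec|wmic\.exe\s+/node:|winrs\.exe|Invoke-WmiMethod|Invoke-Command)", re.I),
    "encoded_powershell": re.compile(r"powershell(\.exe)?.*\s-(e|enc|encodedcommand)\s", re.I),
    "credential_dump": re.compile(r"\b(mimikatz|sekurlsa|procdump.*lsass|comsvcs\.dll.*MiniDump)", re.I),
    "defence_tamper": re.compile(
        r"(Set-MpPreference.*-Disable|sc\s+stop\s+\S*(sense|defend|edr)|wevtutil\s+cl\b|vssadmin\s+delete\s+shadows)",
        re.I),
}
SEVERITY = {"remote_exec": 3, "encoded_powershell": 2, "credential_dump": 5,
            "defence_tamper": 5, "psexec_service": 3, "log_cleared": 5}
ALERT_THRESHOLD = 8   # one PsExec alone (3) stays below it; PsExec plus LSASS dumping does not


def tag_event(event: dict) -> list[str]:
    """Return the technique tags one event matches (possibly none)."""
    tags = []
    fields = event["fields"]
    if event["event_id"] == 4688:                      # process creation
        command_line = fields.get("command_line", "")
        tags.extend(name for name, rx in SUSPICIOUS_COMMANDS.items() if rx.search(command_line))
    elif event["event_id"] == 7045:                    # new service installed
        if fields.get("service_name", "").upper().startswith("PSEXESVC"):
            tags.append("psexec_service")
    elif event["event_id"] == 1102:                    # security audit log cleared
        tags.append("log_cleared")
    return tags


def score_hosts(events: list[dict]) -> dict[str, dict]:
    """Sum severities per host and return those at or above the alert threshold."""
    scores: dict[str, int] = defaultdict(int)
    seen: dict[str, set] = defaultdict(set)
    for event in events:
        for tag in tag_event(event):
            scores[event["host"]] += SEVERITY[tag]
            seen[event["host"]].add(tag)
    return {host: {"score": score, "tags": sorted(seen[host])}
            for host, score in scores.items() if score >= ALERT_THRESHOLD}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "FS01", "event_id": 4688, "fields": {"command_line": r"C:\Windows\System32\cmd.exe /c dir"}},
    {"host": "WS07", "event_id": 7045, "fields": {"service_name": "PSEXESVC"}},
    {"host": "WS07", "event_id": 4688, "fields": {"command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA"}},
    {"host": "WS07", "event_id": 4688, "fields": {"command_line": r"C:\tools\procdump.exe -ma lsass.exe out.dmp"}},
    {"host": "DC01", "event_id": 1102, "fields": {}},
    {"host": "DC01", "event_id": 4688, "fields": {"command_line": "vssadmin delete shadows /all /quiet"}},
    {"host": "WS12", "event_id": 4688, "fields": {"command_line": r"psexec.exe \\FS01 -s cmd"}},
]

if __name__ == "__main__":
    for host, verdict in score_hosts(SAMPLE_EVENTS).items():
        print(host, verdict)
```

WS12 is the deliberate near miss: a single PsExec invocation scores 3 and stays under the threshold, which is the right outcome for an admin host but also shows why the weights need tuning against a baseline of the environment's own legitimate remote-execution traffic.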

variant:

Back to Individuals TOC

CyX Monetization

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_Cy-X_Monetization

Label: CyX Monetization

alsoCalled:

shortDescription:

Ransom payments are collected, laundered, or converted via cryptocurrency services and money mules.

longDescription:

During the CyX Monetization event, threat actors receive the ransom - usually paid in cryptocurrency - and immediately obscure its origin through mixers, multiple wallets, or mule accounts. This phase therefore overlaps with the equivalent phase of other patterns, such as Business Email Compromise, because similar techniques and infrastructure are employed. By rapidly shifting the funds between exchanges and accounts, adversaries reduce the likelihood that law enforcement or payment platforms will freeze or recover them, and limit the loss if any single account is seized. Because ransomware attackers are profit-oriented, they tend to provide decryption keys once payment is received, which encourages future victims to pay quickly. This stage completes the ransomware kill chain, allowing criminals to profit from the extortion with minimal traceability.

variant:

Back to Individuals TOC

CyX Preparation

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_Cy-X_Preparation

Label: CyX Preparation

alsoCalled:

shortDescription:

Attackers identify, gather, and stage critical data for encryption or exfiltration, finalizing the groundwork for ransomware deployment.

longDescription:

In the CyX Preparation phase, adversaries capitalize on their expanded access to pinpoint vital assets and assemble them for imminent encryption or data theft. This includes locating sensitive files, disabling or deleting backups, and cataloging servers essential to the victim’s operations. Attackers may also install persistence mechanisms or schedule coordinated tasks to synchronize the ransomware’s deployment. Through careful preparation - such as mapping dependencies, neutralizing recovery options, and ensuring they understand the victim’s critical data - the adversaries guarantee that the upcoming ransomware detonation causes maximum operational disruption and pressure for ransom payment.

variant:

Back to Individuals TOC

CyX Recon

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_Cy-X_Recon

Label: CyX Recon

alsoCalled:

shortDescription:

Early-stage intelligence gathering on potential targets, identifying vulnerable systems, potential entry points and suitability for extortion. Adversaries often employ Open-Source Intelligence to this end.

longDescription:

During the CyX Recon phase, adversaries focus on collecting information about prospective targets, such as infrastructure, personnel, security posture as well as their ability and need to pay a ransom to protect data and systems. They may use OSINT methods - such as scanning public-facing websites, social media, or leaked data repositories - to find weaknesses and clarify the best means of obtaining initial access. They may also employ automated tools to scan for known vulnerabilities in software, servers or systems.

Prospective targets can be public and private organizations of all types.

By mapping network assets, software versions, user account details, system and data dependency, and the financial situation of targets, attackers refine their approach to maximize the success rate of subsequent compromise. This initial reconnaissance sets the foundation for the entire ransomware campaign.

variant:

Back to Individuals TOC

IAB Operation Packaging Valuation and Sale

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#DiamondIABOperationPackagingValuationAndSale

Label: IAB Operation Packaging Valuation and Sale

alsoCalled:

shortDescription:

A role player packages and prices compromised credentials and system access using anonymized infrastructure and illicit marketplaces to sell victim network footholds, enabling downstream actors to purchase and exploit access as part of cybercrime supply chains.

longDescription:

This Pattern Phase represents the stages in the IAB Operations pattern where illicit access is transformed into a tradable commodity and introduced into cybercrime markets. It follows access stabilization and marks the transition from technical compromise to economic monetization.

The adversary is typically an intrusion operator, an initial access broker, or an intermediary reseller, operating independently or within organized ecosystems. Their capability centers on packaging, validating, and valuing compromised access, including credentials, session tokens, or persistent footholds such as VPN, RDP, or domain-level access. They assess attributes such as organization size, sector, geographic location, and privilege level to determine pricing and attractiveness to buyers. Listings may include proof of access, screenshots, or system details to build buyer trust. Transactions are typically conducted using cryptocurrencies and may involve intermediaries.

To facilitate this, they rely on underground forums, darknet marketplaces, encrypted communication platforms, and escrow services, often accessed via anonymization tools such as VPNs or proxy networks.

Victims are primarily organizations and their associated users, whose systems and identities are commodified and exposed to further exploitation. The immediate impact is the loss of control over access pathways and increased likelihood of targeted attacks, including ransomware, fraud, or espionage.

This Phase is a critical link between intrusion and exploitation phases, connecting upstream compromise activities with downstream actors such as ransomware affiliates or fraud operators.

variant:

Back to Individuals TOC

IAB Operation Stabilization and Expansion

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#DiamondIABOperationStabilizationAndExpansion

Label: IAB Operation Stabilization and Expansion

alsoCalled:

shortDescription:

A specialized role player uses compromised accounts and remote access tools via covert infrastructure to establish persistence and escalate privileges in victim networks, increasing the value of illicit access for resale within cybercrime markets.

longDescription:

This Pattern Phase represents the stage in the IAB Operations pattern where an adversary transforms an initial foothold into a stable, high-value asset suitable for monetization. The objective is to ensure continued, reliable access and enhance control over the compromised environment before offering it for sale.

The adversary is typically an initial access broker or intrusion operator, acting independently or as part of a small, profit-driven group supplying access to other cybercriminals. Their capability focuses on stabilizing and expanding access, including establishing persistence mechanisms, maintaining remote connectivity, and escalating privileges from limited user access to administrative or domain-level control. These activities increase both the durability and market value of the compromised access.

To achieve this, they leverage compromised accounts, remote access tools and command-and-control infrastructure, often hosted on rented servers, anonymized through proxy or VPN services, or embedded within legitimate system tools. Infrastructure may be attacker-controlled, leased, or covertly integrated into the victim environment.

Victims are typically organizations with networked systems, and the impact is the creation of a persistent, covert presence that undermines system integrity and security. While immediate disruption may be limited, this phase significantly elevates the risk of downstream harms such as data exfiltration, ransomware deployment, or fraud.

This Phase follows initial compromise and precedes access packaging and marketplace sale, forming a critical step in the production of illicit access assets within cybercrime ecosystems.

variant:

Back to Individuals TOC

Initial Access Broker Operation Target Discovery

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#DiamondIABOperationTargetDiscovery

Label: Initial Access Broker Operation Target Discovery

alsoCalled:

shortDescription:

An actor scans internet-facing systems via automated or open source intelligence tools to identify vulnerable organizations, generating a pool of exposed victims for potential compromise as the reconnaissance phase in access-for-resale operations.

longDescription:

This Pattern Phase represents the Targeting and Reconnaissance stage of the IAB Operations pattern, where adversaries identify potential victims by discovering exposed and vulnerable systems at scale. The purpose of this phase is not immediate exploitation, but the creation of a pipeline of viable targets for subsequent intrusion and monetization.

The adversary is typically an intrusion operator or initial access broker, often operating independently or within small, profit-driven groups. Their capability focuses on broad reconnaissance and exposure mapping, using automated scanning, enumeration, and indexing techniques to locate internet-facing services such as VPN gateways, remote desktop endpoints, web applications, and cloud assets. Rather than conducting deep pre-intrusion profiling, they prioritize breadth over precision, identifying systems with weak configurations, known vulnerabilities, or accessible authentication interfaces.

To perform this activity, they rely on commodity and rented infrastructure, including scanning tools, search engines for exposed assets, botnets, and anonymization services such as proxies or VPNs. Infrastructure may be self-operated or leased to avoid attribution and scale operations.

The victims are typically organizations or individuals with publicly exposed systems, and the immediate impact is increased risk exposure, as these systems are flagged and queued for potential compromise.

variant:

Back to Individuals TOC

Romance Baiting Grooming

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_Romance_Baiting_Grooming

Label: Romance Baiting Grooming

alsoCalled:

shortDescription:

A scammer uses emotional manipulation via a variety of ICT mediums to build trust and dependency with a victim, aiming to lower defenses for future financial exploitation.

longDescription:

The Grooming Phase is a key stage in a Romance Baiting scheme where the adversary establishes trust and an emotional connection with the victim. Having typically initiated contact through social media or dating sites, the attacker usually moves communications during the grooming phase to general messaging apps, email or telephone to avoid the platforms’ romance-scam detection algorithms. The scammer employs social engineering techniques such as sharing fabricated personal stories, expressing affection, giving gifts, and creating a sense of mutual commitment.

During this phase, the adversary may introduce fabricated vulnerabilities, like financial hardship or family emergencies, to elicit sympathy and foster a sense of obligation. They may also ask for small favors in order to set the scene for future larger requests or attempt to obtain compromising material (e.g. sexual images) to use in future exploitation. When the scammer is part of an organized group, the plotlines are scripted, and the individual scammers receive training and feedback on how to adapt to victim responses to build a relationship that can be exploited for financial gain.

Consistent communication, via daily messages, calls, or video chats, reinforces the illusion of a genuine relationship, deepening emotional attachment. The constant interactions aim to occupy the potential victim’s time and isolate them from friends and family. This deliberate process exploits the victim’s emotional vulnerabilities and trust, making them more receptive to future requests for financial assistance. It is a common, reusable step across multiple Romance Baiting patterns, as it systematically manipulates emotional bonds to facilitate the scam’s progression.

variant:

Back to Individuals TOC

Romance Baiting Targeting

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_Romance_Baiting_Targeting

Label: Romance Baiting Targeting

alsoCalled: Engagement Phase; Initiation Phase; Victim Selection Phase

shortDescription:

A scammer sets up attractive fake personas on online platforms and either waits for potential victims to initiate contact or identifies vulnerable individuals and attempts to interact with them with the aim of establishing trust and setting the foundation for a romance baiting scam.

longDescription:

The Targeting Phase is the initial stage of a Romance Baiting scheme where the adversary identifies potential victims through online platforms such as dating sites, social media, or forums. The attacker searches for individuals who appear emotionally vulnerable, lonely, or receptive to romantic advances, often using specific criteria like age, relationship status, or interests. Once a suitable target is identified, the adversary creates a fake persona with fabricated details such as name, background, and profession, to appeal to the victim’s preferences and emotional needs. On other occasions, the attacker creates profiles that they believe will be attractive to potential victims and waits for them to make the first contact. This can be a useful strategy to make potential victims less suspicious at the moment of initial contact or to convince victims of the veracity of the relationship if they become suspicious further down the line. During the initial targeting, the scammer uses charm, flattery, and emotional manipulation to build rapport and trust. This phase is crucial for laying the groundwork for subsequent stages, as the success of later steps depends on establishing a credible and emotionally engaging connection. By exploiting the victim’s vulnerabilities early on, the adversary increases the likelihood of engagement and eventual exploitation. Scammers can work individually or form part of wider groups. When they form part of groups, they can be either employees freely working for a salary or victims of human trafficking who have been forced to participate in crime to earn their freedom.

variant:

Back to Individuals TOC

Romance Victim Exploitation

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Diamond_Romance_Baiting_Monetization

Label: Romance Victim Exploitation

alsoCalled:

shortDescription:

The romance scammer uses emotional manipulation and fabricated emergencies or opportunities, leveraging infrastructure such as fake bank accounts and crypto platforms, to persuade the victim to transfer money or resources, resulting in financial loss and emotional harm.

longDescription:

In the Victim Exploitation Phase, the adversary leverages the emotional bond and trust established earlier to extract money or resources from the victim. After building rapport, the scammer fabricates urgent scenarios, such as medical crises, legal issues, or fake investment opportunities, to create a sense of necessity and pressure the victim into financial assistance. Utilizing social engineering techniques, the adversary employs their capability (e.g., persuasive communication, fake profiles) and infrastructure (e.g., fake bank accounts, cryptocurrency platforms and wallets) to facilitate the transfer of funds. The victim, convinced of the authenticity and urgency, often complies, believing they are helping a loved one or saving the relationship. The romance scammer may escalate the pressure through repeated crises or fabricated emergencies, leading to multiple transactions. If the victim becomes suspicious and threatens to stop any financial help, the scammer may manipulate them by, for example, threatening to end the relationship permanently if they do not help or to reveal secrets or potentially compromising videos or images. This phase marks the culmination of the scam, resulting in significant financial loss, emotional distress, embarrassment and potential reputational damage for the victim with family, friends and colleagues. This is the monetization phase of the broader pattern and exemplifies how emotional manipulation is converted into tangible financial gains, often using unregulated payment channels or laundering services to obscure the illicit proceeds.

variant:

Class: Specific Victim

Back to Individuals TOC

ATM Operators

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#ATM_Operators

Label: ATM Operators

alsoCalled:

shortDescription:

Organizations responsible for managing and maintaining ATMs.

longDescription:

ATM operators and financial institutions that deploy and service automated teller machines are at risk of card skimming attacks. Compromises in these environments not only affect the institutions’ bottom lines but can also erode consumer confidence in banking systems and lead to broader financial fraud.

variant:

Back to Individuals TOC

Card Holder

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Card_Holder

Label: Card Holder

alsoCalled:

shortDescription:

An individual who regularly uses credit or debit cards and may potentially suffer from indirect effects of card data theft, such as unauthorized transactions and financial disruption.

longDescription:

A Cardholder is a consumer who uses credit and debit cards for everyday transactions and, while not directly targeted by cybercriminals, may become adversely affected if their card information is compromised. Cyber-enabled crimes such as carding, phishing, or skimming can result in the unauthorized acquisition of card details. In such cases, these individuals face the potential of fraudulent transactions, the inconvenience of resolving disputed charges, and the broader challenge of restoring financial security. This classification emphasizes that while the cardholder is not necessarily specifically targeted, their regular card use makes them vulnerable to collateral damage via cybercrime activity. It underscores the importance of robust security measures both at the personal and institutional levels to mitigate these risks.

variant:

Back to Individuals TOC

Financial Institutions Serving Victims

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Financial_Institutions_Serving_Victims

Label: Financial Institutions Serving Victims

alsoCalled:

shortDescription:

Financial institutions serving victims are banks or payment providers that incur losses, operational burden, or risk exposure due to cybercrime affecting their customers, despite not being the direct targets of the attack.

longDescription:

Financial institutions serving victims are organizations such as banks, card issuers, and payment processors that experience indirect harm when their customers are targeted by cybercrime. Although the primary victim may be an individual or business, these institutions absorb secondary impacts through fraud reimbursement, chargebacks, dispute resolution, regulatory obligations, and reputational risk.

This may arise in crimes such as phishing, account takeover, payment fraud, and card-not-present fraud, where stolen credentials or manipulated transactions result in unauthorized financial activity. Institutions may be required to refund customers, investigate incidents, and implement additional controls, all of which create financial and operational strain.

These entities also act as intermediaries in the financial system, meaning they are exposed to systemic risk when criminal activity exploits payment infrastructure. Their involvement often extends beyond loss absorption to include detection, reporting, and prevention efforts, placing them at the intersection of victim support and cybersecurity defense.

variant:

Back to Individuals TOC

Retail Businesses and Merchants

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Retail_Businesses_and_Merchants

Label: Retail Businesses and Merchants

alsoCalled:

shortDescription:

Businesses that operate POS systems and process payment card transactions.

longDescription:

Retail businesses, ranging from small merchants to large supermarket chains, are frequent targets of carding operations. Their reliance on POS systems for everyday transactions makes them vulnerable to both physical and digital card data acquisition methods. Breaches can result in significant financial loss, customer distrust, and regulatory scrutiny.

variant:

Class: Tactic

Back to Individuals TOC

Collection

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Collection

Label: Collection

alsoCalled:

shortDescription:

The adversary is trying to gather data of interest to their goal.

longDescription:

Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary’s objectives. Frequently, the next goal after collecting data is to either steal (exfiltrate) the data or to use the data to gain more information about the target environment. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.

variant:

Back to Individuals TOC

Command and Control

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Command_and_Control

Label: Command and Control

alsoCalled:

shortDescription:

Adversaries establish communication with the compromised system.

longDescription:

In the command and control phase, the adversary establishes communication with the compromised system to issue commands, exfiltrate data, or control the attack remotely. This often involves using encrypted channels, remote servers, or botnets to avoid detection. For example, the compromised system might connect to a command-and-control server controlled by the attacker to receive further instructions.

variant:

Back to Individuals TOC

Credential Access

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Credential_Access

Label: Credential Access

alsoCalled:

shortDescription:

The adversary is trying to steal account names and passwords.

longDescription:

Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

variant:

Back to Individuals TOC

Defense Evasion

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Defense_Evasion

Label: Defense Evasion

alsoCalled:

shortDescription:

The adversary is trying to avoid being detected.

longDescription:

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

variant:

Back to Individuals TOC

Discovery

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Discovery

Label: Discovery

alsoCalled:

shortDescription:

The adversary is trying to figure out your environment.

longDescription:

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.

variant:

Back to Individuals TOC

Execution

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Execution

Label: Execution

alsoCalled:

shortDescription:

The adversary is trying to run malicious code.

longDescription:

Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

variant:

Back to Individuals TOC

Exfiltration

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Exfiltration

Label: Exfiltration

alsoCalled:

shortDescription:

The adversary is trying to steal data.

longDescription:

Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.

variant:

Back to Individuals TOC

Impact

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Impact

Label: Impact

alsoCalled:

shortDescription:

The adversary is trying to manipulate, interrupt, or destroy your systems and data.

longDescription:

Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.

variant:

Back to Individuals TOC

Impair Defenses

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Impair_Defenses

Label: Impair Defenses

alsoCalled:

shortDescription:

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

longDescription:

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.

Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.

variant:

Back to Individuals TOC

Initial Access

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Initial_Access

Label: Initial Access

alsoCalled:

shortDescription:

The adversary is trying to get into a network.

longDescription:

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.

variant:

Back to Individuals TOC

Lateral Movement

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Lateral_Movement

Label: Lateral Movement

alsoCalled:

shortDescription:

The adversary is trying to move through your environment.

longDescription:

Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.

variant:

Back to Individuals TOC

Persistence

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Persistence

Label: Persistence

alsoCalled:

shortDescription:

The adversary is trying to maintain their foothold.

longDescription:

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

variant:

Back to Individuals TOC

Privilege Escalation

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Privilege_Escalation

Label: Privilege Escalation

alsoCalled:

shortDescription:

The adversary is trying to gain higher-level permissions.

longDescription:

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.

variant:

Back to Individuals TOC

Reconnaissance

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Reconnaissance

Label: Reconnaissance

alsoCalled:

shortDescription:

The adversary gathers information about the target to identify vulnerabilities, entry points, and opportunities for follow-on action.

longDescription:

In the reconnaissance phase, adversaries gather intelligence about their target to identify potential vulnerabilities or entry points. This can involve scanning networks, researching employees on social media, or collecting publicly available information about the organization. The goal is to understand the target’s environment and identify weaknesses that can be exploited later in the attack. Reconnaissance can be passive (e.g., gathering public data) or active (e.g., probing systems for vulnerabilities). For example, an attacker might use tools to scan for open ports on a company’s network or search for leaked credentials on the dark web.

variant:

Back to Individuals TOC

Resource Development

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Resource_Development

Label: Resource Development

alsoCalled:

shortDescription:

The adversary is trying to establish resources they can use to support operations.

longDescription:

Resource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. Such resources include infrastructure, accounts, or capabilities. These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using purchased domains to support Command and Control, email accounts for phishing as a part of Initial Access, or stealing code signing certificates to help with Defense Evasion.

variant:

Class: Technique

Back to Individuals TOC

Account Discovery

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Account_Discovery

Label: Account Discovery

alsoCalled:

shortDescription:

Technique attackers use to enumerate local or domain accounts on a target system.

longDescription:

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).

Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.

For example, cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use default PowerShell and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.

variant:

Back to Individuals TOC

Active Scanning

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Active_Scanning

Label: Active Scanning

alsoCalled:

shortDescription:

Technique attackers use to probe target hosts and services in real time, identifying live systems, open ports, and potential vulnerabilities.

longDescription:

Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.

Adversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP. Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Exploit Public-Facing Application).

variant:

Back to Individuals TOC

AI-Assisted Carding

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#AI-Assisted_Carding

Label: AI-Assisted Carding

alsoCalled:

shortDescription:

A threat technique using machine learning or other AI techniques to automate or enhance Carding activities, from large-scale credential validation to sophisticated anomaly detection or bypassing anti-fraud controls.

longDescription:

AI-Assisted Carding leverages advanced automation and machine learning to improve the effectiveness and scale of card fraud. Machine learning models may be trained on datasets of known valid card transactions to quickly identify which stolen payment cards are likely still active. AI-driven bots can also generate customized “test” purchases across multiple eCommerce platforms, detecting patterns in real-time (such as flagged transactions or merchant denial rates) to refine subsequent attacks. In some cases, these systems dynamically adjust transaction amounts, merchant categories, and even geolocation details to avoid typical fraud alerts or daily spending limits. By embedding AI models into their workflow, Carders reduce manual labor, expedite the validation and monetization of compromised card data, and counter basic protective mechanisms installed by eCommerce providers.

variant:

Back to Individuals TOC

Browser Information Discovery

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#BrowserInformationDiscovery

Label: Browser Information Discovery

alsoCalled:

shortDescription:

Adversaries may enumerate information about browsers to learn more about compromised environments.

longDescription:

Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

Browser information may also highlight additional targets after an adversary has access to valid credentials, especially Credentials In Files associated with logins cached by a browser.

Specific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., %APPDATA%/Google/Chrome).

variant:

Back to Individuals TOC

Brute Force

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Brute_Force

Label: Brute Force

alsoCalled:

shortDescription:

Technique attackers use to gain access by rapidly and repeatedly guessing passwords or keys until a valid credential is found.

longDescription:

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Brute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to Valid Accounts within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as OS Credential Dumping, Account Discovery, or Password Policy Discovery. Adversaries may also combine brute forcing activity with behaviors such as External Remote Services as part of Initial Access.

variant:

Back to Individuals TOC

Command and Scripting Interpreter

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Command_and_Scripting_Interpreter

Label: Command and Scripting Interpreter

alsoCalled:

shortDescription:

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

longDescription:

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.

variant:

Back to Individuals TOC

Compromise Accounts

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Compromise_Accounts

Label: Compromise Accounts

alsoCalled:

shortDescription:

Technique attackers use to seize control of user or service accounts through stolen credentials, password attacks, or session hijacking.

longDescription:

Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. Establish Accounts), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona.

A variety of methods exist for compromising accounts, such as gathering credentials via Phishing for Information, purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials. Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.

Personas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development; this could include filling out or modifying profile information, further developing social networks, or incorporating photos.

Adversaries may directly leverage compromised email accounts for Phishing for Information or Phishing.

variant:

Back to Individuals TOC

Credentials from Password Stores

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#CredentialsFromPasswordStores

Label: Credentials from Password Stores

alsoCalled:

shortDescription:

Adversaries may search for common password storage locations to obtain user credentials.

longDescription:

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

variant:

Back to Individuals TOC

Data Encrypted for Impact

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Data_Encrypted_for_Impact

Label: Data Encrypted for Impact

alsoCalled:

shortDescription:

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.

longDescription:

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.

In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as File and Directory Permissions Modification or System Shutdown/Reboot, in order to unlock and/or gain access to manipulate these files. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR. Adversaries may also encrypt virtual machines hosted on ESXi or other hypervisors.

To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares. Encryption malware may also leverage Internal Defacement, such as changing victim wallpapers or ESXi server login messages, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as “print bombing”).

In cloud environments, storage objects within compromised accounts may also be encrypted. For example, in AWS environments, adversaries may leverage services such as AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data.

variant:

Back to Individuals TOC

Data from Local System

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#DataFromLocalSystem

Label: Data from Local System

alsoCalled:

shortDescription:

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory.

longDescription:

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Adversaries may do this using a Command and Scripting Interpreter, such as cmd as well as a Network Device CLI, which have functionality to interact with the file system to gather information. Adversaries may also use Automated Collection on the local system.

variant:

Back to Individuals TOC

Develop Capabilities

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Develop_Capabilities

Label: Develop Capabilities

alsoCalled:

shortDescription:

Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house.

longDescription:

Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.

As with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary’s development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability.

variant:

Back to Individuals TOC

Exfiltration Over C2 Channel

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Exfiltration_Over_C2_Channel

Label: Exfiltration Over C2 Channel

alsoCalled:

shortDescription:

Technique attackers use to move stolen data out of the victim environment by piggy-backing on their existing command-and-control traffic.

longDescription:

In this technique, adversaries blend outbound data theft into the same encrypted command-and-control (C2) stream that already maintains persistence on the victim network. File chunks, credential dumps, or database extracts are wrapped into normal beacon traffic—often over HTTPS, DNS, or custom TCP protocols—so the exfiltration is hidden inside ‘legitimate-looking’ C2 packets and bypasses perimeter inspection.

variant:

Back to Individuals TOC

Exploit Public-Facing Application

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Exploit_Public-Facing_Application

Label: Exploit Public-Facing Application

alsoCalled:

shortDescription:

Technique attackers use to gain entry by exploiting vulnerabilities in internet-facing websites, APIs, or services.

longDescription:

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets. Depending on the flaw being exploited this may also involve Exploitation for Defense Evasion or Exploitation for Client Execution.

If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the Cloud Instance Metadata API), exploit container host access via Escape to Host, or take advantage of weak identity and access management policies.

Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.

For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.

variant:

Back to Individuals TOC

Exploitation of Remote Services

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Exploitation_of_Remote_Services

Label: Exploitation of Remote Services

alsoCalled:

shortDescription:

Technique attackers use to gain unauthorised access by abusing exposed remote services—such as RDP, SSH, or VPN—to run commands or move laterally.

longDescription:

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.

An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Discovery or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.

There are several well-known vulnerabilities that exist in common services such as SMB and RDP as well as applications that may be used within internal networks such as MySQL and web server services.

Depending on the permissions level of the vulnerable remote service an adversary may achieve Exploitation for Privilege Escalation as a result of lateral movement exploitation as well.

variant:

Back to Individuals TOC

External Remote Services

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#External_Remote_Services

Label: External Remote Services

alsoCalled:

shortDescription:

Technique attackers use to log into exposed RDP, SSH, VPN, or Citrix services hosted outside the victim’s core network, establishing a foothold without phishing.

longDescription:

External Remote Services describes adversary abuse of legitimately deployed remote-access interfaces that sit on the public internet. Using stolen or brute-forced credentials, the attacker authenticates to RDP, SSH, virtual desktop, or VPN endpoints and gains an interactive session on internal systems. Because the connection appears as normal remote administration traffic, it can bypass email filtering and social-engineering defences while granting direct command execution, file transfer, and a launch point for lateral movement.

variant:

Back to Individuals TOC

Financial Theft

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Financial_Theft

Label: Financial Theft

alsoCalled:

shortDescription:

Technique attackers use to remove or transfer funds illicitly from bank, payment-card, or cryptocurrency accounts under their control.

longDescription:

Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware, business email compromise (BEC) and fraud, “pig butchering,” bank hacking, and exploiting cryptocurrency networks.

Adversaries may Compromise Accounts to conduct unauthorized transfers of funds. In the case of business email compromise or email fraud, an adversary may utilize Impersonation of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary. This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.

Extortion by ransomware may occur, for example, when an adversary demands payment from a victim after Data Encrypted for Impact and Exfiltration of data, followed by threatening to leak sensitive data to the public unless payment is made to the adversary. Adversaries may use dedicated leak sites to distribute victim data.

Due to the potentially immense business impact of financial theft, an adversary may exploit the prospect of financial theft and monetary gain to divert attention from their true goals, such as Data Destruction and business disruption.

variant:

Back to Individuals TOC

Funds Laundering

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Funds_Laundering

Label: Funds Laundering

alsoCalled:

shortDescription:

Technique attackers use to move, layer, or convert illicit proceeds through intermediaries, mule accounts, or financial services to obscure origin and hinder recovery.

longDescription:

Funds Laundering is a series of steps taken by adversaries to obscure the origin of stolen assets or illicit proceeds. After obtaining funds (e.g., via BEC, ransomware, or other cybercrime), attackers may enlist money mules or specialized laundering services to split, bounce, or convert funds across multiple financial institutions or cryptocurrency platforms. This process, often known as layering, is designed to evade detection by law enforcement and anti-money laundering (AML) systems, making retrieval or attribution far more challenging.

variant:

Back to Individuals TOC

Gather Victim Identity Information

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Gather_Victim_Identity_Information

Label: Gather Victim Identity Information

alsoCalled:

shortDescription:

Technique attackers use to collect personally identifying details—names, credentials, contact data—about the target for later exploitation.

longDescription:

Adversaries may gather information about the victim’s identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.

Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about users could also be enumerated via other active means (i.e. Active Scanning) such as probing and analyzing responses from authentication services that may reveal valid usernames in a system or permitted MFA methods associated with those usernames. Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).

Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Phishing for Information), establishing operational resources (ex: Compromise Accounts), and/or initial access (ex: Phishing or Valid Accounts).

variant:

Back to Individuals TOC

Gather Victim Information (Behavioral)

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Gather_Victim_Information_%28Behavioral%29

Label: Gather Victim Information (Behavioral)

alsoCalled:

shortDescription:

Technique attackers use to collect a target’s routines, preferences, and online habits to refine social-engineering and follow-on exploits.

longDescription:

Adversaries may gather behavioral and organizational information about a target that can be used during targeting. This may include routines, preferences, working relationships, communication styles, responsibilities, and details about how the victim or organization normally operates. Such information helps attackers tailor social-engineering approaches, improve impersonation credibility, and identify the most effective route for follow-on actions such as phishing, account compromise, or fraudulent financial requests.

variant:

Back to Individuals TOC

Gather Victim Network Information

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#GatherVictimNetworkInformation

Label: Gather Victim Network Information

alsoCalled:

shortDescription:

Adversaries may gather information about the victim’s networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.

longDescription:

Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: Search Open Technical Databases). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Active Scanning or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: Trusted Relationship).

variant:

Back to Individuals TOC

Gather Victim Org Information

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#GatherVictimOrgInformation

Label: Gather Victim Org Information

alsoCalled:

shortDescription:

Adversaries may gather information about the victim’s organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.

longDescription:

Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Phishing or Trusted Relationship).

variant:

Back to Individuals TOC

Inhibit System Recovery

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Inhibit_System_Recovery

Label: Inhibit System Recovery

alsoCalled:

shortDescription:

Delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.

longDescription:

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This may deny access to available backups and recovery options.

Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact. Furthermore, adversaries may disable recovery notifications, then corrupt backups.

variant:

Back to Individuals TOC

Lateral Tool Transfer

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Lateral_Tool_Transfer

Label: Lateral Tool Transfer

alsoCalled:

shortDescription:

Adversaries may transfer tools or other files between systems in a compromised environment.

longDescription:

Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., Ingress Tool Transfer) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.

Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB/Windows Admin Shares to connected network shares or with authenticated connections via Remote Desktop Protocol.

Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and ftp. In some cases, adversaries may be able to leverage Web Services such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.

variant:

Back to Individuals TOC

Multi-factor Authentication Fatigue

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Multi-factor_Authentication_Fatigue

Label: Multi-factor Authentication Fatigue

alsoCalled:

shortDescription:

“Multi-factor Authentication Fatigue” is a social engineering tactic in which an adversary repeatedly bombards a user’s MFA-enabled device with authentication prompts or notifications, hoping the user eventually approves one out of confusion or frustration.

longDescription:

“Multi-factor Authentication Fatigue” (often called “MFA fatigue” or “push bombing”) exploits the reliance on push-based MFA notifications to gain unauthorized access. The attacker, having obtained valid credentials (e.g., via phishing or a previous breach), continually initiates login attempts. Each attempt triggers the target user’s MFA application to prompt approval. Overwhelmed or annoyed by endless notifications, the user may inadvertently tap “approve” or “accept,” thus allowing the adversary to bypass MFA protections. This approach underscores a significant human factor vulnerability in MFA systems, as it does not rely on technical exploits but on wearing down a legitimate user’s attentiveness or patience.

variant:

Back to Individuals TOC

Native API

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Native_API

Label: Native API

alsoCalled:

shortDescription:

Adversaries may interact with the native OS application programming interface (API) to execute behaviors.

longDescription:

Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.

Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to Command and Scripting Interpreter, the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system.

Native API functions (such as NtCreateProcess) may be directly invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries. For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes. This may allow API callers to execute a binary, run a CLI command, load modules, etc., as thousands of similar API functions exist for various system operations.

Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.

Adversaries may use assembly to directly or indirectly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user-mode API hooks. Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via Disable or Modify Tools.

variant:

Back to Individuals TOC

Obfuscated Files or Information

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Obfuscated_Files_or_Information

Label: Obfuscated Files or Information

alsoCalled:

shortDescription:

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

longDescription:

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user’s action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. Adversaries may also use compressed or archived scripts, such as JavaScript.

Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.

Adversaries may also abuse Command Obfuscation to obscure commands executed from payloads or directly via Command and Scripting Interpreter. Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms.

variant:

Back to Individuals TOC

Obtain Capabilities

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Obtain_Capabilities

Label: Obtain Capabilities

alsoCalled:

shortDescription:

Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them.

longDescription:

Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.

In addition to downloading free malware, software, and exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware and exploits, criminal marketplaces, or individuals.

In addition to purchasing capabilities, adversaries may steal capabilities from third-party entities (including other adversaries). This can include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed databases of vulnerabilities or exploits.

variant:

Back to Individuals TOC

Phishing

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Phishing

Label: Phishing

alsoCalled:

shortDescription:

Technique attackers use to send deceptive messages that induce victims to open malicious content, follow fraudulent instructions, or disclose information that enables compromise.

longDescription:

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., Email Hiding Rules). Another way to accomplish this is by forging or spoofing the identity of the sender which can be used to fool both the human recipient as well as automated security tools, or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., “thread hijacking”).

Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware, or install adversary-accessible remote management tools onto their computer (i.e., User Execution).

variant:

Back to Individuals TOC

Phishing for Information

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Phishing_for_Information

Label: Phishing for Information

alsoCalled:

shortDescription:

Technique attackers use to trick victims into disclosing credentials or other sensitive information through deceptive messages, websites, or electronic interactions.

longDescription:

Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from Phishing in that the objective is gathering data from the victim rather than executing malicious code.

All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.

Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means. Victims may also receive phishing messages that direct them to call a phone number where the adversary attempts to collect confidential information.

Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages. Another way to accomplish this is by forging or spoofing the identity of the sender which can be used to fool both the human recipient as well as automated security tools.

Phishing for information may also involve evasive techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., Email Hiding Rules).

variant:

Back to Individuals TOC

Process Injection

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Process_Injection

Label: Process Injection

alsoCalled:

shortDescription:

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.

longDescription:

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific.

More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.

variant:

Back to Individuals TOC

Remote Services

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Remote_Services

Label: Remote Services

alsoCalled:

shortDescription:

Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

longDescription:

Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP). They could also login to accessible SaaS or IaaS services, such as those that federate their identities to the domain, or management platforms for internal virtualization environments such as VMware vCenter.

Legitimate applications (such as Software Deployment Tools and other administrative programs) may utilize Remote Services to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer. Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session, which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.

variant:

Back to Individuals TOC

Search Open Websites/Domains

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Search_Open_Websites%2FDomains

Label: Search Open Websites/Domains

alsoCalled:

shortDescription:

Technique attackers use to gather publicly available information from websites, domains, and online sources to support targeting and impersonation.

longDescription:

Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, news sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.

Adversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Technical Databases), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: External Remote Services or Phishing).

variant:

Back to Individuals TOC

Search Victim-Owned Websites

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#SearchVictim-OwnedWebsites

Label: Search Victim-Owned Websites

alsoCalled:

shortDescription:

Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: Email Addresses). These sites may also have details highlighting business operations and relationships.

Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Technical Databases), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Trusted Relationship or Phishing).

In addition to manually browsing the website, adversaries may attempt to identify hidden directories or files that could contain additional sensitive information or vulnerable functionality. They may do this through automated activities such as Wordlist Scanning, as well as by leveraging files such as sitemap.xml and robots.txt.

longDescription:

variant:

Back to Individuals TOC

Server Software Component

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Server_Software_Component

Label: Server Software Component

alsoCalled:

shortDescription:

Technique attackers use to establish persistence by installing or abusing malicious extensions, modules, or components within legitimate server software.

longDescription:

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.

variant:

Back to Individuals TOC

Service Stop

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Service_Stop

Label: Service Stop

alsoCalled:

shortDescription:

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users.

longDescription:

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary’s overall objectives to cause damage to the environment.

Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible. In some cases, adversaries may stop or disable many or all services to render systems unusable. Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server, or on virtual machines hosted on ESXi infrastructure.

variant:

Back to Individuals TOC

Social Engineering

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Social_Engineering

Label: Social Engineering

alsoCalled:

shortDescription:

Adversaries manipulate human trust or behavior to deceive victims, prompting them to disclose information or perform actions that facilitate unauthorized access, data theft, or other malicious objectives.

longDescription:

Social Engineering exploits human vulnerabilities rather than technical flaws. Adversaries may impersonate trusted entities, craft compelling narratives, or create situations that invoke curiosity, fear, or urgency. These manipulations are designed to coerce victims into revealing credentials, transferring money, installing malware, or otherwise compromising security. By capitalizing on emotional or psychological factors, adversaries can bypass many technical defenses, rendering user training and awareness critical in mitigating social engineering attacks. Common examples include phishing emails, deceptive phone calls, and carefully orchestrated online personas targeting individuals or organizations.

variant:

Back to Individuals TOC

Stage Capabilities

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Stage_Capabilities

Label: Stage Capabilities

alsoCalled:

shortDescription:

Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting.

longDescription:

Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed (Develop Capabilities) or obtained (Obtain Capabilities) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications.

variant:

Back to Individuals TOC

Steal Web Session Cookie

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#StealWebSessionCookie

Label: Steal Web Session Cookie

alsoCalled:

shortDescription:

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

longDescription:

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the target's machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypass some multi-factor authentication protocols.

There are several examples of malware targeting cookies from web browsers on the local system. Adversaries may also steal cookies by injecting malicious JavaScript content into websites or relying on User Execution by tricking victims into running malicious JavaScript in their browser.

There are also open source frameworks such as Evilginx2 and Muraena that can gather session cookies through a malicious proxy (e.g., Adversary-in-the-Middle) that can be set up by an adversary and used in phishing campaigns.

After an adversary acquires a valid cookie, they can then perform a Web Session Cookie technique to login to the corresponding web application.

variant:

Back to Individuals TOC

System Information Discovery

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#System_Information_Discovery

Label: System Information Discovery

alsoCalled:

shortDescription:

Technique attackers use to collect operating system, hardware, and configuration details from a target system to guide follow-on actions.

longDescription:

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Tools such as Systeminfo can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a Network Device CLI on network devices to gather detailed system information (e.g. show version). System Information Discovery combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.

Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.

variant:

Back to Individuals TOC

Use Alternate Authentication Material

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Use_Alternate_Authentication_Material

Label: Use Alternate Authentication Material

alsoCalled:

shortDescription:

Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

longDescription:

Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.

Caching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through Credential Access techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.

variant:

Back to Individuals TOC

User Execution

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#User_Execution

Label: User Execution

alsoCalled:

shortDescription:

Technique attackers use to rely on victim interaction, such as opening a file or clicking a link, to trigger malicious code or unsafe actions.

longDescription:

An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.

While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user’s desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

Adversaries may also deceive users into performing actions such as:

- Enabling Remote Access Software, allowing direct control of the system to the adversary.
- Running malicious JavaScript in their browser, allowing adversaries to Steal Web Session Cookies.
- Downloading and executing malware for User Execution.
- Coercing users to copy, paste, and execute malicious code manually.

For example, tech support scams can be facilitated through Phishing, vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or Remote Access Software.

variant:

Back to Individuals TOC

Valid Accounts

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Valid_Accounts

Label: Valid Accounts

alsoCalled:

shortDescription:

Technique attackers use to gain or maintain access by abusing legitimate credentials for existing local, domain, cloud, or service accounts.

longDescription:

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.[1] Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

In some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.[2]

The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.

variant:

Back to Individuals TOC

Windows Management Instrumentation

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Windows_Management_Instrumentation

Label: Windows Management Instrumentation

alsoCalled:

shortDescription:

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads.

longDescription:

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems. WMI is an administration feature that provides a uniform environment to access Windows system components.

The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model and Windows Remote Management. Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.

An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as Execution of commands and payloads.[2] For example, wmic.exe can be abused by an adversary to delete shadow copies with the command wmic.exe Shadowcopy Delete (i.e., Inhibit System Recovery).

Note: wmic.exe is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by PowerShell as the primary WMI interface. In addition to PowerShell and tools like wbemtool.exe, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.

variant:

Class: Theft

Back to Individuals TOC

Initial Access Broker Operation

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Initial_Access_Broker_Operation

Label: Initial Access Broker Operation

alsoCalled:

shortDescription:

Unauthorized intrusion into organizational networks with the primary intent of monetizing access by selling it to third-party cybercriminals, facilitating subsequent malicious activities.

longDescription:

This Pattern encapsulates the modus operandi of Initial Access Brokers (IABs), cyber threat actors who specialize in breaching organizational networks to obtain unauthorized access. Unlike threat actors who exploit access for direct financial gain, IABs focus on monetizing the access itself by selling it to other cybercriminals, including ransomware operators, data exfiltration groups, and espionage actors.

The compromise often involves techniques such as spear-phishing, exploitation of unpatched vulnerabilities, credential stuffing, or deployment of malware to infiltrate target networks. Once access is secured, it is packaged - often including RDP credentials, VPN access, or web shell control - and sold on underground forums or dark web marketplaces.

Victim organizations may remain unaware of the breach until the purchased access is exploited, leading to potential data breaches, ransomware attacks, or other malicious activities. The impacts include unauthorized access to sensitive data, operational disruption, reputational damage, and financial losses associated with incident response and remediation efforts.

variant:

Class: Underground Managed Service

Back to Individuals TOC

Ransomware-as-a-Service Operation

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Ransomware-as-a-Service_Operation

Label: Ransomware-as-a-Service Operation

alsoCalled: RaaS

shortDescription:

A cybercriminal ecosystem that provides complete ransomware toolkits, negotiation services, and payment infrastructure to affiliates, enabling large-scale extortion campaigns.

longDescription:

A Ransomware-as-a-Service Operation represents a structured, often collaborative cybercriminal enterprise in which developers supply ready-made ransomware code, hosting services, payment portals, and negotiation support to their affiliates. By adopting a service-based approach, these operators lower the technical barrier to entry, allowing less-skilled threat actors to launch disruptive ransomware attacks against organizations worldwide. In return for access to robust tooling and infrastructure, affiliates share a percentage of successful ransom payments with the operation’s core developers. This highly profitable model accelerates global ransomware proliferation by systematically combining specialized skillsets—malware development, exploit research, money laundering—in a sophisticated, profit-driven supply chain.

variant:

Class: Vulnerabilities and Exploits

Back to Individuals TOC

Exploit Kits

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Exploit_Kits

Label: Exploit Kits

alsoCalled:

shortDescription:

Pre-packaged suites of malicious code designed to automatically scan for and exploit known software vulnerabilities, typically used to deliver additional malware or gain unauthorized system access.

longDescription:

Exploit Kits are structured bundles of exploits and payloads that allow cybercriminals to automate the process of compromising users who visit infected websites or malicious advertisements. Rather than manually selecting individual exploits, attackers rely on these kits—which often contain multiple vulnerability exploits for browsers, plugins, or operating systems—to identify and target unpatched systems. Once a victim’s device is successfully breached, the kit deploys malware, facilitates remote access, or otherwise advances the criminal’s objectives. Originally, Exploit Kits proliferated in “drive-by download” campaigns, but they continue to evolve, integrating zero-day or N-day exploits. Their accessibility and user-friendly interfaces have made them staples in the cybercriminal marketplace, lowering the technical bar required to launch sophisticated attacks.

variant:

Back to Individuals TOC

N-Days

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#N-Days

Label: N-Days

alsoCalled:

shortDescription:

Exploits targeting publicly known vulnerabilities that remain unpatched or underprotected in many systems, providing a cost-effective attack method.

longDescription:

N-Day Exploits refer to exploits for vulnerabilities that are already disclosed and possibly patched by the vendor—but remain exploitable because many users or organizations have not yet applied updates. While less exclusive and typically cheaper than 0-Day exploits on underground markets, they remain extremely useful to cybercriminals due to the widespread “patch gap.” Attackers can systematically scan for unpatched systems—often using automated tools—to achieve remote compromise. N-Day exploits are a mainstay in large-scale, opportunistic campaigns, underscoring the importance of timely software patching and vulnerability management.

variant:

Back to Individuals TOC

Offensive Security Frameworks

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Offensive_Security_Frameworks

Label: Offensive Security Frameworks

alsoCalled:

shortDescription:

Offensive security frameworks originally designed for penetration testing but widely abused by cybercriminals for exploitation, post-exploitation, and command-and-control.

longDescription:

Offensive Security Frameworks are comprehensive tool suites (e.g., Metasploit, Cobalt Strike) that provide a full cycle of malicious capability, from discovering vulnerabilities and deploying exploits to establishing a foothold and managing infected systems. Originally intended for legitimate security assessments, these frameworks have sophisticated features (e.g., payload generation, automated exploit modules, stealthy command-and-control channels) that make them attractive to threat actors seeking to compromise targets more efficiently. Criminals often obtain cracked or illicitly licensed copies, integrate them with crypters/packers to evade detection, and leverage bulletproof hosting services to run their command-and-control servers, thus transforming these legitimate pen-testing tools into potent “crimeware” solutions within the cybercrime ecosystem.

variant:

Back to Individuals TOC

Pirated Vulnerability Scanners

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Pirated_Vulnerability_Scanners

Label: Pirated Vulnerability Scanners

alsoCalled:

shortDescription:

Legally developed scanning tools (e.g., Nessus, Acunetix) that have been cracked, re-packaged, or customized by cybercriminals to locate and exploit unpatched systems, rather than assist in legitimate security testing.

longDescription:

Pirated Vulnerability Scanners encompass legitimate security-assessment applications that have been pirated, cracked, or altered to serve malicious purposes. Often circulated on dark web forums or private channels, these compromised versions remove licensing checks, embed additional exploits, or include stealth features that allow attackers to identify known vulnerabilities in web applications, networks, and operating systems. By repurposing these originally lawful tools, adversaries drastically reduce their development time and cost, while benefiting from the robust scanning capabilities and user-friendly interfaces created for professional penetration testers. The end result is a potent crimeware resource that automates vulnerability discovery and paves the way for remote exploits, privilege escalation, and deeper lateral movement within a victim’s environment.

variant:

Back to Individuals TOC

Vulnerability Intelligence

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Vulnerability_Intelligence

Label: Vulnerability Intelligence

alsoCalled:

shortDescription:

Curated sets of vulnerability disclosures, exploit proofs-of-concept, and bug bounty findings—often leaked or illicitly procured—providing threat actors with a direct roadmap for discovering exploitable weaknesses.

longDescription:

Vulnerability Intelligence (Reports & Databases) revolves around the systematic collection and distribution of software flaws—whether documented through legitimate bug bounty channels or discovered by rogue insiders. These compilations may include confidential advisories, technical write-ups, or detailed proof-of-concept code that guides adversaries toward effective exploitation. Traded on closed forums, specialized broker portals, or even public code repositories (prior to takedown), such intelligence drastically streamlines attackers’ reconnaissance efforts. By purchasing or swapping these insights, malicious operators can rapidly pinpoint unpatched entry points or refine existing exploits, fueling the perpetual arms race between cybercriminals and defenders.

variant:

Back to Individuals TOC

Zero Days

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#Zero_Days

Label: Zero Days

alsoCalled: 0-days

shortDescription:

Exploits for software vulnerabilities not yet publicly disclosed or patched, enabling attackers to compromise systems with virtually no warning or available defense.

longDescription:

Zero-Day Exploits—often called “0-Day”—target unknown or undisclosed software vulnerabilities for which no official patch or public awareness exists. Because neither the affected software vendor nor the broader security community can defend against them preemptively, 0-Day exploits typically yield a high success rate for initial compromise. They often command premium prices on underground markets or in private broker circles, as they allow attackers to stealthily bypass common security measures. As soon as details become public or patches become available, 0-Days transition into “N-Day” territory, but in the interim, they can facilitate highly damaging, undiscovered intrusions.

variant:

Back to Individuals TOC

Properties

Back to main TOC

Properties TOC

Back to main TOC

acceptsPaymentInstrument

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#acceptsPaymentInstrument

Label: acceptsPaymentInstrument

rdfs:comment:

Specifies which payment instruments a marketplace or service provider accepts or arranges for its transactions.

appEdgeDescription:

appEdgeDescriptionReversed:

Back to Properties TOC

directlyCausesHarmToVictim

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#directlyCausesHarmToVictim

Label: directlyCausesHarmToVictim

rdfs:comment:

Links a pattern phase to a harm that it directly causes to the victim. Use this for immediate, primary damage resulting from the event.

appEdgeDescription: directly causes

appEdgeDescriptionReversed: is directly caused by

Back to Properties TOC

indirectlyCausesHarmToVictim

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#indirectlyCausesHarmToVictim

Label: indirectlyCausesHarmToVictim

rdfs:comment:

Links a pattern phase to a harm that occurs indirectly as a result of the event. Use this for downstream or secondary effects (harms that happen as a consequence of the initial impact).

appEdgeDescription: indirectly causes

appEdgeDescriptionReversed: is indirectly caused by

Back to Properties TOC

involvesPatternPhase

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#involvesPatternPhase

Label: involvesPatternPhase

rdfs:comment:

Links a Pattern or Market to the Diamond Model events that are used to execute that Pattern or Market. Patterns are always formed from Pattern Phases, but a Market that provides underground services may also conduct technical or other illicit operations in the delivery of those services.

appEdgeDescription: involves

appEdgeDescriptionReversed: is a component of

Back to Properties TOC

isBoughtByRole

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#isBoughtByRole

Label: isBoughtByRole

rdfs:comment:

Indicates that the commodities in a Market are procured by the specified Role Player.

appEdgeDescription: serves the buyer

appEdgeDescriptionReversed: buys through

Back to Properties TOC

isSoldByRole

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#isSoldByRole

Label: isSoldByRole

rdfs:comment:

appEdgeDescription: serves the seller

appEdgeDescriptionReversed: sells through

Back to Properties TOC

linksToMarket

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#linksToMarket

Label: linksToMarket

rdfs:comment:

Used to indicate that one Market may employ products or services from another Market.

appEdgeDescription:

appEdgeDescriptionReversed:

Back to Properties TOC

mitreKillChain

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#mitreKillChain

Label: mitreKillChain

rdfs:comment:

Links to the MITRE Tactic (kill chain) for a Technique.

appEdgeDescription: is a technique of

appEdgeDescriptionReversed: includes technique

Back to Properties TOC

patternPhaseCouldInvolveCommodity

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#patternPhaseCouldInvolveCommodity

Label: patternPhaseCouldInvolveCommodity

rdfs:comment:

Used to link a Pattern Phase to an ecosystem product or service that is used in the event, but where the link is tenuous, not obvious or an edge case.

appEdgeDescription: could leverage commodity

appEdgeDescriptionReversed: could be leveraged as commodity in

Back to Properties TOC

patternPhaseCouldInvolveRole

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#patternPhaseCouldInvolveRole

Label: patternPhaseCouldInvolveRole

rdfs:comment:

appEdgeDescription: could be carried out by

appEdgeDescriptionReversed: could carry out

Back to Properties TOC

patternPhaseCouldInvolveThreat

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#patternPhaseCouldInvolveThreat

Label: patternPhaseCouldInvolveThreat

rdfs:comment:

Identifies a Threat Action that could be a component in a Pattern Phase.

appEdgeDescription: could be an action within

appEdgeDescriptionReversed: could include action

Back to Properties TOC

patternPhaseInvolvesCommodity

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#patternPhaseInvolvesCommodity

Label: patternPhaseInvolvesCommodity

rdfs:comment:

Used to link a Pattern Phase to an ecosystem product or service that is used in the event.

appEdgeDescription: leverages commodity

appEdgeDescriptionReversed: is leveraged in

Back to Properties TOC

patternPhaseInvolvesEvent

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#patternPhaseInvolvesEvent

Label: patternPhaseInvolvesEvent

rdfs:comment:

This property is used to chain Pattern Phases to each other. In cases where one Pattern Phase is considered to incorporate other events, this property is used to link them. This would most typically be done when incorporating “common” Pattern Phases, which may play a role in more specific Pattern-related events.

appEdgeDescription: encompasses

appEdgeDescriptionReversed: is encompassed in

Back to Properties TOC

patternPhaseInvolvesPlatform

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#patternPhaseInvolvesPlatform

Label: patternPhaseInvolvesPlatform

rdfs:comment:

Identifies the Platform as the “Infrastructure” component in a Pattern Phase.

appEdgeDescription: is executed from

appEdgeDescriptionReversed: is used to execute

Back to Properties TOC

patternPhaseInvolvesRole

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#patternPhaseInvolvesRole

Label: patternPhaseInvolvesRole

rdfs:comment:

Identifies the Role Player as the “Adversary” component in the Diamond Model.

appEdgeDescription: is carried out by

appEdgeDescriptionReversed: carries out

Back to Properties TOC

patternPhaseInvolvesSecondaryVictim

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#patternPhaseInvolvesSecondaryVictim

Label: patternPhaseInvolvesSecondaryVictim

rdfs:comment:

Links a pattern phase to a secondary victim (an entity indirectly affected by the event). Use this for collateral or follow-on victims, not the main target.

appEdgeDescription: has indirect impact on

appEdgeDescriptionReversed: is directly impacted by

Back to Properties TOC

patternPhaseInvolvesThreat

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#patternPhaseInvolvesThreat

Label: patternPhaseInvolvesThreat

rdfs:comment:

Identifies the Threat Action component in a Pattern Phase.

appEdgeDescription: includes action

appEdgeDescriptionReversed: is an action within

Back to Properties TOC

patternPhaseInvolvesVictim

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#patternPhaseInvolvesVictim

Label: patternPhaseInvolvesVictim

rdfs:comment:

Identifies the PRIMARY Victim component in the Diamond Model. Links a pattern phase to its primary victim (the main target of the event). Use this when the event is directed at a specific entity.

appEdgeDescription: has direct impact on

appEdgeDescriptionReversed: is directly impacted by

Back to Properties TOC

patternPhaseProducesCommodity

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#patternPhaseProducesCommodity

Label: patternPhaseProducesCommodity

rdfs:comment:

Used to link a Pattern Phase that produces a commodity to an ecosystem product or service Market where that commodity is traded.

appEdgeDescription: produces the commodity

appEdgeDescriptionReversed: is produced by the phase

Back to Properties TOC

tradedOnPlatform

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#tradedOnPlatform

Label: tradedOnPlatform

rdfs:comment:

Property used to reflect where a given commodity is exchanged.

appEdgeDescription: operates on

appEdgeDescriptionReversed: is used to host

Back to Properties TOC

tradesCommodity

IRI: http://cosmos.cybercrime-atlas.org/project-cosmos#tradesCommodity

Label: tradesCommodity

rdfs:comment:

Associates a Market with the commodity or commodities that get traded within it.

appEdgeDescription: trades

appEdgeDescriptionReversed: is traded on

Back to Properties TOC