Cybercrime has matured into a supply chain, not a lone-genius-in-a-hoodie hobby A criminal service ecosystem (also called crime-as-a-service / cybercrime-as-a-service) is the marketplace of specialist services criminals buy, rent, swap, or outsource to carry out attacks. Instead of one “gang” doing everything, cybercrime is broken into roles, tools and platforms that plug together. The UK’s own NCSC/NCA white paper describes ransomware attacks as relying on a “complex supply chain” of “enabling services, platforms, distributors and affiliates”. It also notes that ransomware-as-a-service means advanced computing knowledge is “no longer needed” to cause serious disruption, because criminals can access software that does “much of the hard work”. Europol describes the same phenomenon at EU level: tools and services (including AI/ML) are now prominent commodities in the crime-as-a-service market, and the number of entrants grows as technology lowers barriers to entry. What services they use to commit cybercrime against English networks and government bodies 1) Initial Access Brokers Initial Access Brokers (IABs) sell access to compromised systems (logins, RDP access, web shells, VPN creds). In plain English: someone else breaks in, then sells the keys. Europol notes that ransomware targeting is influenced by the specialisation of Initial Access Brokers involved in operations. Europol’s IOCTA material and related reporting also describe forums where RDP access sales and similar “starter access” services are traded. Why it matters for England/UK targets: it turns targeting into shopping. Attackers don’t need to compromise a business directly if they can simply buy access to one that already got popped. Advertisement Bestseller #1 Hacking and Security: The Comprehensive Guide to Penetration Testing and Cybersecurity (Rheinwerk Computing) £48.49 Buy on Amazon Bestseller #2 Linux Basics for Hackers : Getting Started with Networking, Scripting, and Security in Kali £25.23 Buy on Amazon 2) Ransomware-as-a-Service and affiliate networks This is the franchise model: a “core” ransomware brand provides malware, payment infrastructure, leak sites and guidance; affiliates do the intrusion and deployment. The NCSC/NCA white paper explicitly highlights the growth of ransomware-as-a-service, and the way specialisation and “easily-used tools, online marketplaces and forums” have lowered entry barriers. Europol similarly describes RaaS providers competing for high-level affiliates and developers. Why it matters for English government bodies: even where core government networks are well-defended, the supply chain (contractors, MSPs, niche software providers) offers more places for an affiliate to get a foothold and then pivot. 3) “Stealers”, loaders, botnets and malware-as-a-service These are the plumbing services of cybercrime: stealers harvest credentials/tokens/cookies loaders establish persistence and pull down additional payloads botnets provide scale (spam, brute force, DDoS, distribution) Europol’s IOCTA 2024 highlights that widely used malware alternatives and malware-as-a-service remain readily available, and that improvements (including AI tools) can accelerate development of new variants. 4) Phishing kits, “hackers for hire”, and criminal forums/marketplaces A lot of cybercrime is enabled by markets and communities selling: phishing templates/kits credential lists exploit services “hackers for hire” tutorials and support Europol’s IOCTA notes forums with huge user bases and describes marketplaces offering services such as access sales and “hackers for hire”. Why it matters for English targets: it industrialises fraud and intrusion attempts. If you can rent capability, you can run more attacks faster, even if you’re not particularly competent. 5) Bulletproof hosting and “resilient” criminal infrastructure Bulletproof hosting provides infrastructure designed to be hard to remove or slow to disrupt, giving criminals somewhere to host phishing, malware, and control servers. The UK (with allies) sanctioned a bulletproof hosting service in 2025, and UK statements described bulletproof hosting as a “key component of the cyber crime ecosystem” providing a “digital safe haven”. Expert quote you can publish: NCA deputy director Paul Foster (head of the NCCU) is quoted describing bulletproof hosting as “a key component” providing a “digital safe haven” for cyber criminals. (Yes, even cybercrime needs hosting. Capitalism finds a way.) 6) Money laundering and cash-out services This is where stolen value becomes usable money: crypto cash-out, mixers, mule networks stolen card trading invoice fraud “cash out” accounts Europol’s IOCTA reporting repeatedly frames cybercrime as enabled by dark-web markets and financial ecosystems that help criminals hide proceeds. Are these criminals mostly based overseas? Largely, yes, especially the serious enabling infrastructure and top-tier operators There are UK-based offenders, but many of the most damaging services and groups are transnational. Europol notes that some cybercriminals targeting the EU are EU-based, while others operate from abroad, concealing operations and funds in third countries. The NCSC/NCA white paper explicitly describes law enforcement strategy shifting “upstream, overseas and online” to target the top of the chain and key enablers. UK sanctions action in 2025 targeted a Russian cybercrime-linked bulletproof hosting provider, which is an example of key enabling services being based outside the UK. So the practical answer is: Yes, much of the ecosystem is overseas, because jurisdictional complexity makes enforcement harder and because some regions have well-established criminal marketplaces and support services. No, it isn’t “all abroad”: plenty of low-level fraud and access activity happens locally too, but the higher-end supply chain is often international. What this means in real terms for English networks and public bodies The threat isn’t just “hackers”, it’s a market that makes hacking scalable When criminal capability is bought as services: attacks become faster to launch, cheaper to run, and easier to repeat defenders face volume plus specialisation taking down one “gang” doesn’t end it, because the market reroutes around disruption The NCSC’s framing of ransomware as a major UK threat and its focus on the wider ecosystem (not just “a strain”) is basically an admission that the enemy is the supply chain. Post navigation An English White Hacker Thinking of Going to the Dark Side For Easy Money How Much UK Businesses Lose Annually to Invoice Fraud and BEC