A “sophisticated attack”? Innovation, technical sophistication, and creativity in the cybercrime ecosystem

We observe that almost every cybercrime is reported to be a “sophisticated attack” and explain how incentives align to misrepresent very run-of-the-mill events in this manner. We describe the cybercrime ecosystem, analysing the distinct parts and discussing what forms of sophistication and incentives can be found in each kind of work. We move on discuss how framing cybercrime as technically sophisticated attacks performed by skilled criminals has distorted criminological analysis and contributed to misaligned incentives within criminal justice and security policy. We conclude that the criminal justice system is aiming the wrong types of interventions at the wrong kinds of actor.