Outsourcing Attacks: The Division of Labor Inside Social Engineering Campaigns

The cybercriminal behind your next breach is probably not one person.
Modern attacks involve indirect coordination defined by a division of labor that most organizations are not equipped to detect or defend against.
Cybercriminals are often represented as loners: hooded, singular figures in front of a glowing screen. This stereotype is as inaccurate as it is dangerous. It misrepresents the formal and informal orchestration that defines modern-day cyberattacks and fails to identify where the real capabilities are located. The recent INTERPOL takedown of SniperDz, a phishing-as-a-service platform that operated for nearly a decade, demonstrates how one developer supplied ready-made phishing kits to an open market of criminal users.
Cybersecurity must adapt to this model of cybercrime. A growing number of social engineering campaigns are the product of collaboration, resembling supply chains. Each party performs a distinct role, and in many cases, these arrangements are impersonal, with participants offering their skills as a service. Threat actors can specialize, outsource, and scale with the same efficiency as legitimate businesses, creating an underground, industrialized economy.
What was once the purview of state actors is now available to threat groups like ShinyHunters, Scattered Spider, and Black Basta. Collectively, these groups have moved away from attacks focused on hardware and software and begun to focus on the human attack surface. In the same way that companies rely on partnerships to extend their capabilities, cybercriminal organizations can distribute labor to become more efficient. Surveys of the threat landscape can no longer be restricted to TTPs, indicators of compromise, and zero-day vulnerabilities; they must also focus on the network of threat actors and third parties that defines how attacks are actually assembled.
Division of Labor: How the Cybercrime Assembly Line Works
The window into this world is often opaque. Even where researchers gain only a limited foothold in these groups, patterns of communication leave traces of organizational logic and structure. On a small scale, Scattered Lapsus$ Hunters (SLH) was found to be actively recruiting women into their vishing campaigns, offering $500 to $1,000 per call (Figure 1). This reflects an onboarding model that treats social engineering as a managed operation requiring staffing.

More comprehensive glimpses of expansive networks are also available. The Black Basta leak provided over 190,000 messages covering one year of exchanges from 2023 to 2024. The leak was the result of an “internal conflict,” after which the group became less active. Prior to the conflict, the group was defined by a division of labor among its members: “Credential management, negotiations, infrastructure and malware development were all covered… [and] a work schedule resembling a traditional nine-to-five office day.”
Table 1. Evidence of Black Basta members’ division of labor
Above, we see the distributed nature of this network, as well as the role of basic group processes. The voluntary gig-labor model Black Basta used sits at one end of a spectrum, while other groups achieve this through coercion. The internal conflict compromised the group’s ability to coordinate, leading to a collapse in operational tempo and the eventual exposure of members’ identities, infrastructure, and financial flows.
These are all features of a trust-dependent system. Part of the reason for the conflict appears to be action taken against a Russian target, Russia being the presumed location of Black Basta’s members. The leaker, @ExploitWhispers, stated that the group had been “crossing the line” by targeting Russian financial institutions, and that the group’s own operational security could not survive it.
We also see that, while Black Basta was a cohesive group on its own, it was also part of a larger, decentralized network.
The Com: How the Dark Supply Chain Works
The division of labor does not stop at the organizational boundary. Attacker groups like Scattered Spider do not build their own ransomware. They do not need to. Instead, they have affiliated with multiple groups, including ALPHV/BlackCat, RansomHub, and DragonForce, suggesting that while the encryptor can be substituted, social engineering resources remain core to the group.
Like a legitimate business, the supply chain is tiered and transactional. Each party performs a narrow task. The ransomware engineer only develops the product; they do not execute the attack. The Initial Access Broker does not conduct the full attack on a faceless organization; they merely sell access.
In addition to reducing risk, the division of labor also has a useful byproduct that reduces the psychological friction of breaking the law: it diffuses responsibility, dilutes moral accountability, and dehumanizes the targets. The initial access broker sells access; they do not victimize people. This further entrenches anonymity and psychological distance from the attack. When bad things happen to companies and users whose information has been compromised, participants can deny their role in the injury. After all, the targets have been reduced to ticket numbers on a spreadsheet. The Black Basta logs provide rare evidence of these mechanisms operating in a real criminal organization.
Like defenders, adversaries must trust each other to be successful. In an environment where contracts cannot be used, reputation is the primary currency. It cannot be debased. Dark web forums, Telegram, and Russian-language forums such as XSS and Exploit allow trust to accumulate and allow for the transmission and socialization of criminal norms, skills, and definitions of acceptable targets.
This is critical in shadow marketplaces where product quality cannot be verified before purchase and there are no external mechanisms available: in crime, there are no warranties or refunds. For instance, CrowdStrike reported over 4,400 access-broker advertisements in 2024, a 50% increase over 2023. This is clear evidence of a market defined by sufficient trust to sustain commercial scale. Collectively, these cybercrime chat communities are known as “The Com”, where reputations are negotiated through public claims and breach disclosures in channels that are marketplaces, portfolios, and social proof.
The social engineering layer of this market has its own service providers. Vishing-as-a-service operations offer callers, scripts, and target lists on a per-call or per-access basis. For example, since 2015, SniperDz supplied phishing kits across more than 30 platforms, in five languages, to any criminal with a Telegram account, free of charge. Such kits are available for under a hundred dollars, a minimal investment when the rewards of a large compromise are placed in the balance. The cognitive skills that once required years of practice can now be found in the gig economy of cybercrime.
AI Expands the Assembly Line
AI is the newest addition to the attackers’ stack. LLMs can create and maintain personas, generate scripts, and adapt pretexts in real time at scale. Voice cloning and video deepfakes remove the last perceptual cues employees rely on to detect deception. Commercial AI voice-agent platforms can run thousands of simultaneous calls from a single browser dashboard. Google’s recent lawsuit against Outsider Enterprise describes a phishing-as-a-service (PaaS) network that created over 9,000 fake websites and 55,000 spam texts, and sent over 2.5 million messages over a two-week period.
The scale supports the findings of security researchers who suggest that this is a serious emerging vector for mass vishing. At each layer, cognitive and financial costs fall, and the asymmetry between attacker and defender widens.
Insiders Extend the Supply Chain
Social engineering can also be used to recruit insiders. These individuals can range from new employees with little investment in the organization to disgruntled employees or employees under financial pressure that creates divided loyalties. They can be persuaded to divulge access credentials, intellectual property, or operational information.
For instance, in 2022, Lapsus$ openly recruited insiders at major ISPs and technology companies (Figure 2). In the most documented public case, security firm KnowBe4 reported in July 2024 that a hired operative began loading malware via a Raspberry Pi the moment the company-issued laptop was received.

What You Can Do to Dismantle the Assembly Line
Attackers’ assembly lines are growing more vast and efficient every day. Their networks are becoming more specialized, allowing for faster and larger-scale attacks. Your response needs to match theirs by understanding the organizational capabilities of adversaries.
A successful attack requires three elements to converge: a motivated offender, a suitable target, and the absence of a capable guardian. The assembly-line model above is a distributed effort to optimize target selection and neutralize defender capability. Although defenders can do little to control criminal motivation, there are actions they can take to address the others:
Understand the attacker’s assembly line, and review your own
Black Basta’s operation had six distinct roles from reconnaissance to negotiation. For your team to defend against it, you must map out your organizational processes. Run a tabletop exercise using Table 1 as the attacker’s kill chain. For each of the six roles, identify whether your organization has a detection control, a response procedure, or neither. Vulnerabilities at the reconnaissance and pretext-author stages are likely the most common because they precede any network event and generate no log data.
Protect your reconnaissance layer
The pretext that reaches your employee was assembled from ZoomInfo, LinkedIn, public organizational data, vendor presentations, and board reports. Conduct an audit of your organization’s exposure on ZoomInfo, RocketReach, LinkedIn, and the web. Submit removal requests where employee profiles include direct-dial numbers, reporting lines, or financial data. Publish a clear policy on what organizational information employees can list on professional profiles. Reducing target suitability at this stage raises the attacker’s cost before any call is made.
Understand cybercrime networks and monitor the supply chain
A single vishing call might be the only visible sign of a campaign, but understanding the assembly line and supply chain means knowing that the call was only the last step. Threat intelligence requires understanding the threat ecosystem to stay aware of the TTPs, tools, and targets of social engineers. Configure dark web monitoring for your organization’s domain across access-broker forums. A broker listing typically precedes the vishing call by weeks. Detection at this stage converts a reactive incident into a proactive response.
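The monitoring step above can be automated in a small first pass: a scanner that normalizes defanged text from broker listings, matches domains against a watch list (including subdomains), and raises priority when the listing also names access products. This is an added example, not code from the original article; the listings, domains and keywords are constructed for illustration.

```python
import re

# Constructed sample listings in the style of access-broker advertisements
# (not real posts); obfuscation such as "[.]" and "hxxps://" is common.
SAMPLE_LISTINGS = [
    {"id": 1, "text": "Selling VPN access, corp domain example[.]com, revenue 200M, US"},
    {"id": 2, "text": "RDP + domain admin, hxxps://mail.EXAMPLE.com/owa exposed, price 3k"},
    {"id": 3, "text": "Fresh combo list, 50k lines, mixed EU"},
    {"id": 4, "text": "Access to examplecorp-partner.net, citrix, 1.2k employees"},
    {"id": 5, "text": "Leaked employee emails @example.com, 900 lines"},
]

# Hypothetical domains the organization wants watched (its own and close partners).
WATCHED_DOMAINS = {"example.com", "examplecorp-partner.net"}
# Terms that indicate the listing is selling access rather than only data.
ACCESS_KEYWORDS = ("vpn", "rdp", "citrix", "domain admin", "owa")

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def refang(text):
    """Lowercase and undo common defanging so obfuscated domains still match."""
    t = text.lower()
    for broken in ("[.]", "(.)", "{.}"):
        t = t.replace(broken, ".")
    return re.sub(r"\bhxxps?://", "", t)


def matches_watched(domain):
    """Return the watched domain that `domain` equals or is a subdomain of, else None."""
    for watched in WATCHED_DOMAINS:
        if domain == watched or domain.endswith("." + watched):
            return watched
    return None


def scan_listings(listings):
    """Return one alert per listing that names a watched domain, in input order."""
    alerts = []
    for item in listings:
        text = refang(item["text"])
        hits = {matches_watched(d) for d in DOMAIN_RE.findall(text)} - {None}
        if not hits:
            continue
        keywords = [k for k in ACCESS_KEYWORDS if k in text]
        alerts.append({
            "id": item["id"],
            "domains": sorted(hits),
            "keywords": keywords,
            # Access for sale means the vishing call may already be scheduled.
            "priority": "high" if keywords else "medium",
        })
    return alerts
```

A real deployment would feed this from a threat-intelligence vendor's forum feed rather than a static list, but the matching and prioritization logic stays the same.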
Harden your hiring process against manufactured insiders
Ensuring that employees know cybersecurity policies and promoting an organizational culture where issues can be discussed can reduce unintentional and ambivalent insider threats. External threats from malicious actors will still remain. For roles with privileged access, require live video identity verification against government-issued ID through a channel independent of the candidate’s own device. Enforce EDR enrollment before first system login.
Extend verification to your vendor perimeter
Your supply-chain model is also a vulnerability. Your organization will receive inbound communications through calls, emails, and Teams meetings from parties claiming to be trusted vendors. These identities are as available to attackers as employee names are, and they are less under your control. Establish a formal verification register for authorized third-party contacts: known numbers, named account representatives, and confirmation callbacks routed through independently verified channels. Treat any inbound vendor contact initiating a credential, access, or configuration request as one that requires verification.
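The verification register described above, as an added example that is not part of the original article: an inbound request is held until staff call back on the number recorded at onboarding, and the number the inbound contact presented is logged but never treated as evidence, since caller ID and From headers are attacker-controlled. Vendor names, representatives and numbers are hypothetical.

```python
import secrets

# Constructed register (hypothetical vendors and numbers): populated at onboarding
# through a channel independent of any later inbound contact.
REGISTER = {
    ("acme-payroll", "j.doe"): {"callback": "+1-555-0100", "scope": {"invoice", "report"}},
    ("northwind-it", "a.lee"): {"callback": "+1-555-0199", "scope": {"access", "config"}},
}
# Request types that never proceed on an inbound contact alone.
SENSITIVE = {"credential", "access", "config"}
PENDING = {}  # ticket -> registered callback number


def triage_inbound(vendor, rep, presented_number, request_type):
    """Decide what an inbound vendor request may do before any callback.
    presented_number is the caller ID / From header the contact arrived with;
    it is recorded for the log but never used as evidence, because it is
    attacker-controlled and may even equal the registered number."""
    entry = REGISTER.get((vendor, rep))
    if entry is None:
        return {"action": "reject", "reason": "contact not in register"}
    if request_type not in entry["scope"]:
        return {"action": "reject", "reason": "request outside vendor scope"}
    if request_type not in SENSITIVE:
        return {"action": "proceed", "presented": presented_number}
    ticket = secrets.token_hex(4)
    PENDING[ticket] = entry["callback"]
    return {"action": "hold", "ticket": ticket, "call_back": entry["callback"],
            "presented": presented_number}


def complete_callback(ticket, dialed_number, confirmed):
    """Approve only if staff dialed the registered number (not one given on the
    inbound contact) and the named representative confirmed the request.
    A ticket is consumed on first use so it cannot be replayed."""
    registered = PENDING.pop(ticket, None)
    if registered is None:
        return {"action": "reject", "reason": "unknown or already closed ticket"}
    if dialed_number != registered:
        return {"action": "reject", "reason": "callback not routed to registered number"}
    if not confirmed:
        return {"action": "reject", "reason": "representative did not confirm"}
    return {"action": "approve", "ticket": ticket}
```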
Attackers succeed because businesses fail to organize. As the supply chains of cybercriminals formalize in dark economies, businesses cannot afford to remain ignorant of the competency and sophistication of these networks. As Brett Leatherman, Assistant Director of the FBI’s Cyber Division, has noted, “we can disrupt criminal networks in ways no single organization could on its own.”
What is feature engineering
In practice, feature engineering is both science and a bit of witchcraft. It often involves both iteration and experimentation to uncover hidden patterns and relationships within the data. For instance, a data scientist might transform raw sales data into features such as average purchase value, purchase frequency, or customer lifetime value, which can significantly boost the performance of a churn prediction model. By thoughtfully engineering features, practitioners can provide machine learning models with the most informative inputs, ultimately leading to better accuracy and more robust predictions.
What is data engineering
As we mentioned above, feature engineering is certainly a subset of data engineering. It involves the ingestion of data from a source, applying a series of transformations, and making the final result available to be queried by a model for training purposes. You can construct feature engineering pipelines to resemble data engineering pipelines, having schedules, specific source and sink destinations, and availability for querying. However, this configuration would only really apply once you have surpassed the experimentation stage and determined a need for a consistent flow of new feature data.
1. Functions
Functionally, there is nothing to differentiate data from features: both are data points. Where feature engineering and data engineering really differ is in the objectives and motivations for constructing the pipelines. In general, data engineering serves a broader, more unified purpose than feature engineering. Data engineering platforms are constructed to be flexible and universal, ingesting various types and sources of data into a unified storage location where any number of transformations and use cases can be applied. The intent of a well-constructed fact table or gold layer in a data lake is to provide a single source of truth that answers many different questions, produces many reports, and can be consumed by many downstream customers.
2. Practice
And in practice, an organization’s data engineering team will be responsible for the curation and maintenance of all data pipelines, not just those that relate to machine learning. These pipelines may power BI dashboards used by C-Suite, auditing reports that feed payroll, or event logs that show a user’s history of actions within the application.
Feature engineering, on the other hand, serves a specific purpose, finding the tailored inputs and columns that will generate the best predictive results for a machine learning model. Data scientists and machine learning engineers are not tasked with developing a universal data model that will ingest all data points throughout an organization, they just need to select, curate, and clean the data needed to power their models.
3. Machine learning
Now, as machine learning teams grow and begin to incorporate more and more data sources into their models, their feature engineering platform may start to resemble a larger data engineering platform in the tools and methodologies they employ. But, the intent is not to establish flexible data models that can be used throughout the organization - it is simply to power their machine learning models.