WASHINGTON — Hackers from the United States, Russia, and Ukraine hawk computer exploits for as much as $300,000 on an underground market fueled by digital currencies like Bitcoin, a report by RAND and Juniper Networks shows.
The thriving trade in software, data, or commands that take advantage of bugs and glitches generates billions of dollars using digital storefronts that connect sellers with buyers or where mercenaries can be hired to do the job, according to the report released Tuesday.
‘‘Anyone with an Internet connection can get involved,’’ Lillian Ablon, an information systems analyst at RAND and the study’s lead author, said by phone. ‘‘If you can’t do something, you can find someone else to do it for you.’’
One of the first comprehensive efforts to map how criminal hackers operate using anonymous networks, encrypted communications, and digital currencies, the report comes amid warnings by US government and industry officials that digital attacks are getting more sophisticated and dangerous.
Exploits, the tools for conducting attacks, can be used for a range of illegal actions, from stealing data off a user’s mobile device to breaching corporate databases, according to the report. In the past year, the networks of retailers Target Corp. and Neiman Marcus Group were breached, while JPMorgan Chase & Co. and other US banks have defended against attacks aimed at shutting down their computers.
‘‘You have to conclude from this that the rise of these markets is giving cyber criminals more power,’’ said Martin Libicki, a senior scientist at RAND, a Santa Monica, Calif.-based nonprofit that does research for governments and companies.
The findings were based on interviews with more than two dozen cybersecurity specialists, including researchers and law enforcement officials. The report was sponsored by Sunnyvale, Calif.-based Juniper Networks, which sells network security products and services.
Hackers are increasingly using Bitcoins and other virtual currencies to hide their identities. This is in response to traditional banks cooperating with law enforcement agencies on investigations that could end in their arrests, Libicki said.
Bitcoin is a legitimate currency with lawful uses, said Jim Harper, global policy counsel for the Bitcoin Foundation, the trade group that promotes the currency. Criminals will use it, just like they use cash, Harper said in an e-mail. ‘‘Bitcoin is far from the magic cloak for criminality that early news reports portrayed it to be,’’ he said.
Prices for the tools to attack software vulnerabilities that are not known or fixed by manufacturers — commonly called zero-day exploits — are the highest. One targeting Apple Inc.’s iOS operating system in 2012 sold for as much as $250,000, according to the report.
Governments, which were not identified, ‘‘are increasingly showing up as buyers’’ for zero-day exploits, the report said.
Simple malicious programs, such as a do-it-yourself kit called WebAttacker that uses spam to lure victims to fake websites, sold for $15 in 2006.
Stolen data, such as credit card numbers and technology designs, are bought and sold through illicit forums with as many as 80,000 members that are accessed through virtual private networks, according to the report. Experienced hackers vet participants and restrict those who consistently fail to deliver goods and services.
Credit-card data acquired in the breach of Target’s payment processing system initially fetched anywhere from $20 to $135, according to the report.
The underground economy, however, operates in many of the same ways as traditional markets. Supply and demand affect prices and large-scale data thefts like the Target attack occur about once every three years, according to the report.
The United States has become fertile ground for homegrown hackers, the report found. ‘‘In 2013, almost a fifth of the market was US-based, ranked third behind Ukraine and Romania,’’ the researchers said. ‘‘The United States has more home-grown hackers than Russia.’’
One reason for the rise in US hackers is that perpetrators are learning about hacking and financial crimes in prison ‘‘so people are getting released on streets and that becomes their new set of tactics,’’ the report found. ‘‘Violent crimes go down, but financial crimes more than make up the difference.’’
Despite efforts by law enforcement in the United States and other countries to crack down on financing or some of the popular marketplaces, ‘‘the hacker economy has proved to be quite resilient,’’ the researchers said.
‘‘The market bounces back after a takedown or arrest.’’