Table of contents
- What is the cyber mafia
- Distinctive traits of cyber mafia
- How cyber mafia is structured
- Why cyberspace benefits organized crime
- Major criminal activities in cyberspace
- International cooperation
- The new EU Anti-Money Laundering Regulation
Organized crime has evolved, adapting to the digital age. It’s no longer just about drug trafficking or extortion. Today, we face ransomware attacks, online fraud, and money laundering through cryptocurrencies.
This article takes a deep dive into the cyber mafia phenomenon, exploring its distinctive traits, operational structure, key criminal activities online, and the response from Italy and the European Union, including the new EU Anti-Money Laundering Regulation.
What is the cyber mafia
The cyber mafia represents the digital evolution of organized crime: groups that exploit technology and digital networks for profit.
These are not just isolated cybercriminals, but sophisticated organizations, often with ties to traditional mafias, using the internet to carry out large-scale operations while staying hidden.
Thanks to the dark web, encrypted communications, and untraceable payment systems, cyber mafias operate with high efficiency and relative anonymity. Their activities span the globe, unrestricted by national borders.
Distinctive traits of cyber mafia
The cyber mafia is not just a digital offshoot of traditional organized crime; it represents a new paradigm of criminal operations, one that is smarter, faster, and harder to detect.
Here’s a closer look at the most defining traits that set it apart from classic mafia structures.
Anonymity and decentralization
At the heart of the cyber mafia’s power lies its ability to operate anonymously and globally, leveraging sophisticated tools to conceal identities and locations.
Through the use of VPNs, Tor networks, encrypted messaging apps like Signal and Telegram, and cryptocurrencies such as Bitcoin or privacy-focused coins like Monero, cybercriminals can avoid surveillance and law enforcement.
Example
Silk Road was a dark web marketplace dismantled in 2013. It functioned like a criminal version of Amazon, selling drugs, weapons, and fake IDs.
Transactions were done exclusively in Bitcoin, and the platform’s operators never met in person. The decentralized and anonymous nature of its operations made law enforcement efforts incredibly complex.
Advanced technical skills
Unlike traditional mafias that rely on intimidation and brute force, cyber mafias depend on highly skilled professionals: ethical hackers turned rogue, malware developers, phishing experts, and insiders embedded in companies.
In 2021, the Conti ransomware group, linked to Eastern European criminal networks, attacked Ireland’s national healthcare system (HSE), crippling hospitals and IT infrastructure nationwide. The operation required deep knowledge of system vulnerabilities, advanced encryption algorithms, and negotiation techniques for ransomware payouts.
Groups like Conti function more like crime startups, with specialized departments handling development, public relations, and customer service, except that their “clients” are ransomware victims.
Transnational reach
Traditional mafias often maintain strong ties to a territory. In contrast, the cyber mafia is borderless. A group can launch attacks from Russia, affect companies in Germany, and launder money through crypto exchanges in the Cayman Islands or Singapore.
One of the most striking cases is the REvil ransomware attack in 2021. REvil, based in Eastern Europe, targeted Kaseya, a US software provider.
The malware spread rapidly, affecting over 1,500 businesses worldwide. The group demanded $70 million in Bitcoin for a universal decryption key.
This global scalability and independence from geography give the cyber mafia a major operational edge and pose enormous challenges to national security agencies.
Collaboration with state actors
The boundary between cyber mafia and state-sponsored cybercrime is sometimes blurry. In some instances, criminal groups appear to operate with the cooperation or protection of government entities, particularly in authoritarian regimes.
APT28 (Fancy Bear), widely believed to be linked to the Russian GRU (military intelligence), has conducted numerous cyberattacks, including the hacking of the Democratic National Committee (DNC) during the 2016 US elections.
While their objectives were geopolitical, the methods and structure resembled those of cyber mafia networks.
China has also been accused of sponsoring groups such as APT41, which are active in both industrial espionage operations and criminal activities for profit.
Their hybrid operations combine data theft with financial gain, often leveraging the same ransomware and malware tools used by organized cybercriminals.
Infiltration into the legal market
One of the most insidious strategies adopted by the cyber mafia is its ability to blend in with legitimate businesses, exploiting the world of e-commerce, online gambling, and digital financial services to launder dirty money or conceal illegal activities.
In 2020, Italian authorities uncovered a money laundering scheme linked to the ‘Ndrangheta through an apparently legitimate online betting platform. The money flows, broken into small transactions, were managed by a network of offshore servers and passed through cryptocurrency wallets before re-entering clean financial circuits.
Another high-risk sector is that of ICOs (Initial Coin Offerings), where fake startups raise cryptocurrency funds from unsuspecting investors, only to vanish without a trace.
This type of infiltration into legal markets represents a form of “reputational laundering” that allows the cyber mafia to operate undisturbed, often under the guise of startups, fintech companies, or marketing agencies.
How cyber mafia is structured
Unlike traditional mafias built on rigid hierarchies and territorial control, the cyber mafia operates with a modular, decentralized structure, more akin to a multinational tech company than a criminal gang.
It’s composed of highly specialized operational units, often scattered across multiple countries, communicating through encrypted channels and coordinating only when necessary.
This hybrid structure gives the cyber mafia remarkable agility, allowing it to reorganize rapidly after arrests, leaks, or law enforcement disruptions, ensuring the continuity of its criminal enterprises.
The technological core
At the center of the cyber mafia is a highly skilled technical team, which includes:
- Malware and ransomware developers, often recruited via dark web forums like Exploit.in or RaidForums;
- Social engineering and phishing specialists, trained in manipulating human behavior to steal credentials and sensitive data;
- System administrators and network engineers, who maintain servers, botnets, encrypted tunnels, and backdoors;
- Data analysts and OSINT specialists, who profile victims using public and private data to optimize attacks.
A well-known example is the Lazarus Group, linked to North Korea, which executed the $81 million heist from the Central Bank of Bangladesh in 2016. Their attack demonstrated technical excellence in malware development, bypassing security systems, and moving stolen funds across global banks, like FastCash.
The logistics unit
Working alongside the tech team is the logistics division, tasked with:
- Handling ransom payments, often in cryptocurrencies through mixing services or privacy coins.
- Purchasing and managing servers, VPNs, domain names, and hacking tools.
- Coordinating recruitment, including advertising roles on dark web job boards, often using affiliate models like Ransomware-as-a-Service (RaaS).
- Managing money mules, people who move money between bank accounts or crypto wallets to obscure its origin.
Example
A clear case is LockBit, a ransomware group that operates like a criminal franchise. Affiliates conduct attacks using LockBit’s software and infrastructure, while the central group provides support and takes a cut of the ransom, just like a business franchise model.
The white-collar layer
Modern cyber mafias rely heavily on white-collar professionals, financial consultants, lawyers, IT experts, and entrepreneurs, who act as intermediaries and enablers. Their tasks include:
- Setting up shell companies in tax havens or high-risk sectors (crypto, gambling, real estate).
- Facilitating banking or crypto transactions, often using legal loopholes and fake documentation.
- Managing digital wallets and laundering funds through decentralized exchanges (DEXs) or crypto mixers like Tornado Cash.
- Bypassing AML/CFT regulations (Anti-Money Laundering / Countering the Financing of Terrorism) by forging KYC documents or exploiting lax jurisdictions.
In 2022, Europol dismantled a multinational laundering network involving lawyers and accountants who helped clean ransomware proceeds through fake investment schemes and crypto platforms. This grey zone between legality and crime is one of the hardest for authorities to investigate and prosecute.
Physical enforcers and intimidation units
While most cyber mafia operations occur online, physical threats are still used in hybrid operations where digital crimes are paired with real-world extortion.
This can include:
- a business affected by ransomware might receive a “casual” visit from mafia emissaries who “offer help” in negotiating or paying;
- in local contexts, especially in southern Italy or Eastern Europe, digital and traditional mafia work together to extort money from entrepreneurs, exploiting both the web and force on the ground.
It happened in Sicily, where some Cosa Nostra-linked families began using spyware-type malware to monitor the devices of local business owners, subsequently facilitating “traditional” extortion demands.
A fluid and adaptive model
What makes the cyber mafia uniquely dangerous is its modular flexibility. Each operational unit works semi-independently, often without knowing the identities or locations of other cells. This “cellular model” is similar to how terrorist networks like Al-Qaeda or ISIS operate.
When a cell is discovered or compromised, it can be replaced quickly, without compromising the entire organization.
This also applies to the malware and tools used: most groups have up-to-date versions, parallel infrastructure, and distributed backups ready to use in case of seizure or takedown.
Why cyberspace benefits organized crime
Cyberspace offers significant advantages to organized crime. Remote operations reduce physical risk, while digital tools allow for:
- Higher profits
One ransomware attack can bring in millions of euros or dollars.
- Speed
Crimes that used to take months can now be executed in hours.
- Low visibility
Many cybercrimes go undetected or unreported.
- Harder investigations
Encryption and cross-border tactics make it difficult for law enforcement to trace actors.
The digital world provides an ideal environment for the new generation of mafia 4.0, which has rebranded itself for the modern era.
Major criminal activities in cyberspace
The cyber mafia has expanded its operations by harnessing the power of digital technologies, creating new and sophisticated forms of organized crime that are much harder to detect and disrupt than traditional criminal activities. These operations are constantly evolving, enabled by the anonymity of the internet, easy access to illicit tools, and the globalized nature of digital markets.
Ransomware-as-a-Service (RaaS)
One of the most profitable models used by cyber mafias is Ransomware-as-a-Service (RaaS). In this structure, well-organized criminal groups like Conti, LockBit, or BlackCat (ALPHV) develop and license out ransomware platforms to other criminals.
Even individuals without technical knowledge can launch highly damaging attacks against businesses, hospitals, or public institutions, simply by renting the platform and paying a percentage of the ransom to the developers.
A prime example is the 2021 Colonial Pipeline attack in the United States, claimed by the DarkSide ransomware group. The attack disrupted fuel supplies across the U.S. East Coast, proving that ransomware isn’t just a financial threat—it can also impact critical infrastructure and national security.
Phishing and identity theft
Phishing remains one of the most widespread tactics for identity theft, with cyber mafias running large-scale campaigns via email, SMS, and encrypted messaging apps to steal:
- banking credentials;
- tax and health data;
- crypto wallet access codes;
- social media and corporate account credentials.
In 2023, Italy was hit by a phishing campaign spoofing “INE Bank”, aimed at harvesting one-time passwords and login data from unsuspecting users. According to the Clusit Report, phishing is still the most common attack method in Italy, with a 61% increase over two years.
Stolen data are then resold on dark web data markets, fueling further fraud and identity-based scams.

Money laundering through cryptocurrencies
Money laundering is central to cyber mafia operations, and cryptocurrencies are their tool of choice. Digital currencies like Bitcoin, Monero, and Zcash allow transactions that are pseudonymous or fully anonymous, making them ideal for hiding the source of illicit funds.
Criminal proceeds—whether from ransomware, fraud, or trafficking—are typically:
- broken down into microtransactions;
- passed through mixers or tumblers (like Tornado Cash or Blender.io);
- converted into stablecoins (e.g., USDT or DAI);
- reinvested in goods, NFTs, or real estate through shell companies.
In 2022, the U.S. Treasury sanctioned Blender.io, a mixing service used by the Lazarus Group (North Korea-linked) to launder part of the $620 million stolen from the Ronin Network, a blockchain associated with the game Axie Infinity.
Online scams and digital fraud
Online fraud is a booming business for cyber mafias, made easier by widespread digital illiteracy and the diversity of scam methods. Common schemes include:
- fake investment platforms promising high crypto returns;
- fraudulent e-commerce sites selling products that never arrive;
- romance scams, using emotional manipulation for extortion;
- tech support scams, where fake technicians gain remote access to victims’ devices.
According to Europol, financial scams are now among the top sources of income for cybercrime networks, many of which are run by Italo-Romanian, Balkan, or Nigerian mafias operating across Europe.
Dark web marketplaces
The dark web is the cyber mafia’s favorite marketplace for illegal trade. Criminal groups either manage or heavily participate in marketplaces that facilitate the sale of:
- drugs, both synthetic and natural;
- firearms and explosives;
- forged documents, such as passports and driver’s licenses;
- stolen data, including credit card numbers, login credentials, and full identity profiles.
A well-known case is Hydra Market, the largest Russian-language dark web marketplace, taken down in 2022 by joint operations between Germany and the U.S. At the time of its shutdown, it had over 17 million registered users and processed more than €1 billion annually, much of it laundered via Bitcoin.
Italy’s ‘Ndrangheta, according to reports from the DIA (Anti-Mafia Investigation Directorate), has also started using the dark web to traffic drugs and weapons, leveraging cryptocurrency and secure communication tools to bypass customs and financial surveillance.
Traditional mafias going digital
Historical organized crime groups like the Russian mafia, Chinese triads, ‘Ndrangheta, and Nigerian mafia have quickly adapted to the digital age. They don’t just use cyber tools to enhance existing operations—they’ve also created specialized cybercrime divisions, often in collaboration with hackers and dark web operators.
For instance, in Italy, investigations by the Guardia di Finanza have revealed how the ‘Ndrangheta uses anonymous crypto wallets and decentralized exchanges (DEXs) to launder drug trafficking profits. These funds are then transferred to corporate accounts in Latin America and reinvested in real estate and online betting companies.
Italy’s response to digital laundering and cyber mafia
Historical mafia groups, such as the Russian Mafia, the Chinese Triad, the ‘Ndrangheta, or the Nigerian Mafia, have rapidly adapted to the digital environment. Not only do they use IT tools to enhance traditional activities, but they have also created specialized cybercrime branches in collaboration with hackers and dark web operators.
In the case of the ‘Ndrangheta, for example, a number of operations coordinated by the Guardia di Finanza highlighted the use of anonymous crypto wallets and decentralized exchanges to manage the proceeds of cocaine trafficking, with funds then being transferred to corporate accounts in Latin America and reinvested in real estate and online betting.
Italy, historically committed to fighting organized crime, understood early on the urgency of strengthening its tools in the digital domain as well, where traditional mafias and new criminal actors operate with increasing ease.
Italy’s system for combating digital money laundering has thus evolved on several levels: institutional, regulatory and operational.
Financial Intelligence Unit (UIF – Unità di Informazione Finanziaria)
At the core of the Italian system is the UIF, an independent unit within the Bank of Italy, responsible for receiving, analyzing, and forwarding suspicious transaction reports (STRs) related to money laundering and terrorism financing.
In recent years, UIF has expanded its focus to include cryptocurrency transactions, in collaboration with the Organismo Agenti e Mediatori (OAM), which maintains the register of crypto service providers (VASPs – Virtual Asset Service Providers). These operators are required to report:
- trading volumes;
- the origin of funds;
- customer identification data.
In 2022 alone, the UIF received over 155,000 STRs, up 11% from the previous year. A significant portion of these involved transactions linked to anonymous crypto wallets, offshore platforms, or suspicious investment schemes.
Guardia di Finanza
The Guardia di Finanza (GdF), Italy’s financial police force, plays a critical role in both investigation and enforcement. It has developed specialized cybercrime and blockchain analysis units that work closely with the UIF to trace illicit financial flows, identify shell companies, and seize digital assets.
One major operation, “Crypto Wash” (2023), carried out jointly with Spanish authorities, led to the seizure of over €5 million in cryptocurrencies and the prosecution of 12 individuals involved in a transnational laundering network operating through unregulated crypto exchanges.
The Guardia di Finanza has also invested heavily in blockchain forensics training, using tools such as Chainalysis and CipherTrace to track cryptocurrency movements across multiple platforms and break anonymity chains.
CNAIPIC and infrastructure protection
The CNAIPIC (National Cybercrime Centre for the Protection of Critical Infrastructure), part of the Postal and Communications Police, handles Italy’s most serious cyber threats, particularly in sectors like energy, healthcare, transportation, finance, and telecommunications.
CNAIPIC has led investigations into ransomware networks, data breaches, and dark web marketplaces. In the 2021 “Deep Cyber” operation, it dismantled a criminal group trafficking stolen Italian health data across dark web forums.
CNAIPIC also serves as Italy’s liaison with Europol, Interpol, and other European CERTs, making it a key player in international cyber security cooperation.
National Anti-Mafia and Anti-Terrorism Prosecutor’s Office
The National Anti-Mafia and Counter-Terrorism Directorate (PNAA) has increasingly taken a leadership role in addressing cyber-enabled organized crime. It has created a task force dedicated to cyber-mafia coordination, with responsibilities including:
- harmonizing digital crime investigations across regional prosecutors;
- collecting evidence on financial crimes tied to mafia syndicates;
- facilitating judicial cooperation via Eurojust and cross-border investigation teams.
According to the 2023 National Anti-Mafia Report, an increasing number of investigations reveal the use of crypto wallets and digital transactions to launder proceeds from traditional crimes such as drug trafficking, arms smuggling, and prostitution.
International cooperation
Since cybercrime transcends borders, international cooperation is vital. Italy is actively engaged in various global efforts:
- Europol and Interpol, with cybercrime divisions.
- Eurojust, for judicial coordination across countries.
- FATF (Financial Action Task Force), which sets international anti-money laundering standards.
- J-CAT (Joint Cybercrime Action Taskforce), facilitating joint operations against digital threats.
These platforms allow countries to share intelligence, pool technological resources, and conduct cross-border investigations—such as the takedowns of Hydra Market and DarkMarket on the dark web.
The new EU Anti-Money Laundering Regulation
In 2024, the European Union introduced a new Anti-Money Laundering Regulation (AMLR) to strengthen efforts against digital crime. Key elements include:
- Creation of AMLA (Anti-Money Laundering Authority), with powers to supervise and sanction.
- Mandatory registration and compliance for crypto service providers.
- Stricter rules on digital asset transfers and financial transparency.
- Requirements to disclose the beneficial owners behind companies and trusts.
This legal package aims to harmonize rules across member states and close regulatory gaps, making it harder for cybercriminals to launder illicit profits.
Frequently asked questions
- What is the cyber mafia?
A form of organized crime that uses digital tools to commit cybercrime and launder money online.
- What types of crimes do cyber mafias commit?
Ransomware attacks, phishing, identity theft, online fraud, and dark web trafficking.
- Who is involved in cyber mafia operations?
Hackers, programmers, financial intermediaries, and members of traditional criminal networks.
- How are cryptocurrencies used in cybercrime?
They enable semi-anonymous transactions, making them ideal for laundering illegal money.
- How does Italy fight cyber mafia and digital laundering?
Through national bodies like UIF, CNAIPIC, and by applying EU directives and crypto regulations.
- What role does the EU play in combating cybercrime?
The EU enforces anti-money laundering laws and established AMLA to oversee implementation.
- What’s new in the EU AML Regulation?
It increases oversight of crypto transactions, enforces transparency, and enhances international coordination.
- Is there a difference between a hacker and a cyber mafia member?
Yes, hackers can be independent, while cyber mafia actors work within criminal networks.
- Why is cyberspace attractive to criminal organizations?
It offers high profits, low risk, anonymity, and operational speed.
- Does Italy collaborate internationally against cyber mafia?
Yes, through Europol, Interpol, Eurojust, and international taskforces like J-CAT.