The $16.6 Billion Year: Inside the Economics of Cybercrime in 2024
$16.6 billion stolen. A ransomware gang that rebuilt itself in days. A healthcare company that paid $22 million and still got screwed. The full ledger.
The FBI’s Internet Crime Complaint Center dropped its 2024 annual report in early 2025. The number: $16.6 billion in reported cybercrime losses. Up 33% from 2023’s $12.5 billion. They logged 859,532 complaints, 256,256 with confirmed financial losses — averaging $19,372 per victim.
And those are just the people who reported it. The FBI admits most cybercrime never gets reported. The actual damage is worse. Much worse. But even the numbers we have paint a picture that should make anyone who touches the internet reconsider what they’re doing — or not doing — to protect themselves.
Where the Money Went
The breakdown reads like a franchise prospectus for organized crime:
Investment fraud: $6.57 billion. Largest single category and climbing fast. Crypto scams, pig butchering (those long-con schemes where victims get groomed for weeks into fake investment platforms), and synthetic trading apps that simulate returns while draining deposits. Crypto-related losses across all categories jumped from $5.6 billion in 2023 to $9.3 billion in 2024 — a 66% increase. The grifters found their medium.
Business Email Compromise (BEC): $2.77 billion. Attackers impersonate executives, vendors, or partners — usually via email — to redirect wire transfers. The finance worker at Arup who transferred $25 million after a deepfake video call is the headline version, but the median BEC attack costs less per incident and hits far more businesses. The FBI has documented $8.5 billion in cumulative BEC losses over three years. This is a mature industry.
Tech support fraud: $1.46 billion. Pop-ups, phone calls, emails. Someone claims to be Microsoft or Apple or your bank. You grant remote access or transfer funds to “protect” your accounts. Simple, effective, endlessly repeatable.
Personal data breaches: $1.45 billion. The downstream financial wreckage of having your information compromised — identity theft, credential exploitation, data exposure. Somebody else’s bad security becomes your problem.
Elder fraud: $4.9 billion. People 60 and older got hit hardest across nearly every category. Investment fraud losses for seniors: $1.8 billion. Tech support fraud: $900 million. Confidence/romance fraud: nearly $400 million. Government impersonation: over $200 million. Nearly $5 billion total — extracted from the people most trusting of institutions by people pretending to be institutions.
The Ransomware Economy
Ransomware gets the most headlines. The economics behind it are what matter — because ransomware doesn’t work like a heist anymore. It works like a franchise.
How Ransomware-as-a-Service Works
The big operations — LockBit, BlackCat/ALPHV, Cl0p, Play, Royal — don’t function like traditional criminal gangs. They’re platform businesses. Core developers build and maintain the ransomware payload, encryption infrastructure, negotiation portals, and payment processing. Then they recruit affiliates — independent operators who run the actual attacks.
The split is explicit: LockBit’s standard deal was 80/20 — affiliates kept 80% of every ransom, core team took 20%. The affiliate handles recon, initial access, lateral movement, deployment. The platform handles everything else.
Scale without risk. Hundreds of affiliates, different sectors, different geographies, all feeding revenue into the same machine.
Chainalysis tracked $1.25 billion in ransomware payments in 2023 — highest year on record. Payments dropped to roughly $813 million in 2024 — a 35% decline — but not because the attacks slowed down. More victims refused to pay, and law enforcement pressure made laundering harder. The actual economic impact — downtime, recovery, legal liability, reputational damage — runs 10–20x the ransom payments themselves.
Operation Cronos: The LockBit Takedown
February 20, 2024. A coalition led by the UK’s National Crime Agency, the FBI, and Europol executed Operation Cronos — one of the most significant law enforcement actions against ransomware ever attempted.
LockBit was the largest ransomware operation in the world, responsible for 25% of all ransomware attacks in 2023–2024. Thousands of victims globally. Billions in ransom and recovery costs.
Operation Cronos seized 34 servers and 14,000 accounts, froze over 200 cryptocurrency wallets, and recovered roughly 1,000 decryption keys — which the FBI distributed to victims. Three affiliates arrested in Poland and Ukraine. In a deliberate act of psychological warfare, law enforcement hijacked LockBit’s own website — used it to publish press releases, reveal affiliate identities, and count down to the public naming of LockBit’s administrator.
LockBit’s response: back online within days, new infrastructure, same name. The administrator — identified by the FBI as Russian national Dmitry Khoroshev — issued a statement dismissing the whole thing. By September 2025, LockBit had launched version 5.0 — new infrastructure, new victims, fully operational again.
You can dismantle the infrastructure. You can’t dismantle the incentive.
The Change Healthcare Catastrophe
February 21, 2024 — one day after the LockBit takedown — an ALPHV/BlackCat affiliate breached Change Healthcare, a subsidiary of Optum (owned by UnitedHealth Group). Change Healthcare processes approximately 15 billion healthcare transactions annually. Roughly one in three U.S. patient records flows through their systems.
The attack knocked everything offline for weeks. The downstream carnage:
- Pharmacies couldn’t process prescriptions through insurance
- Hospitals couldn’t verify patient coverage or submit claims
- Medical practices couldn’t receive payments — an estimated $100 million per day in delayed reimbursements
- Small and rural providers got devastated — the AMA surveyed physicians and found 80% reported lost revenue and 55% used personal funds to cover practice expenses
UnitedHealth Group CEO Andrew Witty testified before both the Senate Finance Committee and the House Energy and Commerce Committee in May 2024. He confirmed two things: the attackers got in through a Citrix remote access portal that lacked multi-factor authentication, and UnitedHealth paid a $22 million ransom (350 Bitcoin, confirmed on-chain by Chainalysis).
A Citrix portal without MFA. That’s it. That’s how one of the largest healthcare data breaches in U.S. history started.
In October 2024, UnitedHealth initially disclosed that the breach affected approximately 100 million individuals. The final count, confirmed in early 2025: 190 million people — the largest healthcare data breach in U.S. history. Stolen data: health insurance information, medical records, billing data, Social Security numbers. UnitedHealth’s total breach response cost for 2024: $3.1 billion.
Then it got worse. After receiving UnitedHealth’s $22 million payment, ALPHV/BlackCat’s core team pulled an exit scam on their own affiliates. They posted a fake FBI seizure notice on their website and disappeared with the money — stiffing the affiliate (known as “Notchy”) who actually conducted the attack. Notchy, left holding the stolen data and zero payment, joined RansomHub and attempted to extort UnitedHealth a second time using the same dataset.
No honor among thieves. But also — no competent security at one of the largest healthcare companies on Earth.
The Initial Access Market
Ransomware operators don’t always break in themselves. A specialized layer of the ecosystem — Initial Access Brokers (IABs) — does nothing but compromise networks and sell access to the highest bidder.
Pricing: a compromised corporate VPN credential goes for $500–$5,000 on dark web marketplaces. Access to a hospital or healthcare network with patient data: $10,000+. Fortune 500 company: $20,000–$100,000+.
In April 2023, law enforcement shut down Genesis Market, one of the largest IAB platforms, which had sold credentials and browser fingerprints for over 1.5 million compromised systems. Significant but temporary — competitors like Russian Market and 2easy absorbed the demand immediately.
The Breach That Broke the Broker
April 2024. A hacker infiltrated National Public Data — a Florida-based data brokerage that compiled and sold personal information aggregated from public records, court filings, and other sources.
The theft: 2.9 billion records. Full names, current and past addresses, Social Security numbers, dates of birth, phone numbers. The data covered individuals in the United States, United Kingdom, and Canada. The 2.9 billion figure includes multiple records per individual (separate entries for each known address), but the breach exposed the personal details of hundreds of millions of unique people.
A hacker operating as “USDoD” listed the data for $3.5 million on a dark web forum. No buyer met the price. So the dataset was released for free on a public hacking forum in August 2024 — available to anyone with an internet connection.
On October 2, 2024, Jerico Pictures — National Public Data’s parent company — filed for Chapter 11 bankruptcy, facing more than a dozen class-action lawsuits. By December 2024, National Public Data was gone entirely.
A company most people had never heard of. Holding the most sensitive personal information of hundreds of millions of people. Operating with minimal security. And when it failed, the data went to the entire internet — for free.
Why It Gets Worse From Here
Three structural forces guarantee cybercrime losses keep climbing:
1. AI demolished the barrier to entry. AI-generated phishing emails are grammatically perfect, contextually personalized, and psychologically targeted. SlashNext documented a 1,265% increase in AI-generated phishing between late 2022 and late 2023, followed by a 703% spike in credential phishing in the second half of 2024. The old tells — broken grammar, generic greetings, suspicious formatting — are gone. The new emails reference real projects, real colleagues, real deadlines, generated at scale from LinkedIn profiles and corporate websites. Your employees can’t spot them because there’s nothing to spot.
2. The attack surface won’t stop expanding. Every cloud service, IoT device, remote worker, AI tool, and third-party vendor is a new door. IBM’s 2024 Cost of a Data Breach Report: average breach cost hit $4.88 million globally — a 10% increase over 2023. Breaches involving AI and automation tools had the highest year-over-year cost increases.
3. Defense is structurally harder than offense. Defenders must protect every system, every account, every employee, every vendor. Attackers need one vulnerability. 86% of breaches start with a single compromised credential — one reused password, one successful phishing email, one employee who clicked the wrong link. The math is brutal and it doesn’t change.
What You Actually Control
You can’t fix the global cybercrime economy. You can’t make data brokers secure their databases. You can’t prevent ransomware groups from operating out of jurisdictions that welcome them.
What you can do is reduce the number of doors that lead to you.
Close the credential door. 86% of breaches start with stolen passwords. Use a password manager. Generate unique passwords for every account. Protect your critical accounts — email, banking, password manager — with a hardware security key. If your password gets stolen, the attacker still needs the physical key sitting in your pocket.
Reduce your data exposure. Every company holding your information is a potential National Public Data. Minimize accounts. Minimize the data you share. Freeze your credit with all three bureaus — free, takes 10 minutes, prevents new accounts from being opened in your name.
Assume breach. Check your exposure with a breach checker. Monitor financial accounts. Review credit reports. The question isn’t whether your data has been exposed. It’s whether you know about it.
Keep AI data local. If your team uses AI, run it on your own hardware. A Specter AI Node gives you the same capabilities as cloud AI tools — without sending your data to someone else’s servers, someone else’s terms of service, and someone else’s breach risk.
$16.6 billion in one year. That’s the reported number. The real number is higher. Every dollar extracted through doors somebody left open — reused passwords, unverified wire transfers, sensitive data pasted into tools with 30-day retention policies, personal information sold by companies nobody had ever heard of.
The criminals didn’t build the vulnerabilities. We did. They just walked through them and collected.
But understanding how they operate — the franchise models, the broker markets, the exact doors they walk through — is what makes you harder to hit. The companies and governments that were supposed to protect this data failed. The only reliable defense is knowing how these systems work and taking your security into your own hands.