Cybercriminals are increasingly using their digital proceeds, particularly from ransomware, phishing, and data theft, to invest in real business models.
This is shown by a recent investigation by security researchers at Sophos X-Ops. According to the study, illegal cryptocurrency profits are flowing not only into traditional money laundering schemes, but also into start-ups, real estate, educational institutions, and other business areas, some of them legal.
The analysis, entitled “Beyond the Kill Chain: What Cybercriminals Do With Their Money,” highlights how cybercriminals are diverting their earnings into a variety of economic activities. In doing so, they are increasingly acting as investors, entrepreneurs, or operators of real businesses.
From digital attacks to strategic investments
According to Sophos experts, many criminal groups are shifting their focus from pure profit maximization to sustainable business models. They use platforms such as Telegram and WhatsApp Business to network with business partners, develop professional-looking brand identities, and operate in stable legal jurisdictions. The investments analyzed include:
- Cybersecurity startups and IT service providers, often to secure technical infrastructure or expand expertise
- Real estate, stocks, precious metals – preferably in countries such as Switzerland, the US, or the United Arab Emirates
- NGOs and educational institutions, for example in the form of coding schools or charitable projects
- Catering, tobacco, and alcohol sales, i.e., industries with high cash turnover and little regulation
Gray area between legality and organized structures
In addition to officially registered companies, activities in the shadow economy have also been identified. These range from bot and ad fraud, online gambling and pornographic content to illegal citizenship, commercial document trafficking and counterfeit drug platforms.
Complex financial crimes such as pyramid schemes, tax evasion, and insider trading also serve as vehicles for redistributing or reinvesting digital profits.
International structures, local presence
The cases analyzed affect numerous regions worldwide, including the UK, the US, China, South Korea, the United Arab Emirates, and Gibraltar. According to Sophos, many perpetrator groups operate internationally but are showing an increasing tendency to establish regional roots, for example by setting up companies or investing in local businesses.
“We are seeing an increasing blurring of the lines between digital and real-world crime,” explains John Shier, Field CISO at Sophos. “This development means that traditional cyber defense alone is not enough. Close cooperation between cybersecurity companies, law enforcement agencies, and civil society actors is essential.”
Findings from comprehensive data analysis
The findings presented here are based on several months of analysis by Sophos X-Ops. Darknet forums, blockchain transactions, and publicly available company registers were examined. The complete series of investigations is available online:
Part 1: Introduction with context and definition of key terms: https://news.sophos.com/en-us/2025-05-15/beyond-the-kill-chain-what-cybercriminals-do-with-their-money-part-1
Part 2: “White” (legitimate) business interests: https://news.sophos.com/en-us/2025-05-15/beyond-the-kill-chain-what-cybercriminals-do-with-their-money-part-2
Part 3: “Gray” business interests: https://news.sophos.com/en-us/2025-05-15/beyond-the-kill-chain-what-cybercriminals-do-with-their-money-part-3
Part 4: Criminal business interests: https://news.sophos.com/en-us/2025-05-15/beyond-the-kill-chain-what-cybercriminals-do-with-their-money-part-4
Part 5: Impact, conclusion: https://news.sophos.com/en-us/2025-05-15/beyond-the-kill-chain-what-cybercriminals-do-with-their-money-part-5