Intercede Group plc

09/11/2025 | Press release | Distributed by Public on 09/11/2025 04:05

Hacks Then and Now: A Journey Through Cybercrime’s Evolution


Katja Townsend | September 11th 2025 | Cyber-Crime, Data Breaches, Password Security

In the early days of the internet, website breaches were often the work of curious hackers seeking recognition rather than profit. Stolen data might surface on underground forums as proof of concept, with limited real-world impact. Fast forward to today, and the landscape has transformed dramatically. Modern cybercriminals operate sophisticated marketplaces where personal information becomes currency, fuelling identity theft, financial fraud, and ransomware attacks. This development from digital mischief to organised crime reveals how our increasingly connected world has made data both more valuable and more vulnerable than ever before.

How Cybercrime Used to Be

How websites were breached

In the early days, breaking into websites was often a straightforward process. Hackers would manually probe for weaknesses, exploiting flaws in code to gradually escalate their access and siphon off sensitive information. While some basic automated tools existed, targeting common vulnerabilities like SQL Injection (SQLi) or Cross-Site Request Forgery (XSRF), many of the most notable breaches were achieved by hand. Another widespread technique was known as 'dorking', where attackers used search engines such as Google to uncover accidentally exposed files. For example, a query such as site:mycompany.com filetype:sql could reveal publicly accessible database files containing private data, unintentionally left on a server and indexed by Google.

How the breached data was distributed

In the past, stolen data typically spread through two main channels. Private or sensitive information was often sold in underground spaces: first on forums, and later via instant messaging platforms such as Telegram or Discord, where attackers could advertise their 'goods' to interested buyers. Public or less valuable data, on the other hand, was usually shared openly on forums at no cost. In some cases, especially with large or high-profile data dumps, access came with a small fee. These pay-to-unlock posts often charged just a couple of pounds, paid in credits that could be deposited but not converted back to real currency.

How the breached data was used

Stolen data was commonly exploited for account takeovers (ATO) and online account cracking. Gaming platforms and entertainment sites were prime targets, since accounts often carried real-world value. Popular titles like Roblox, Fortnite, RuneScape, and World of Warcraft were regularly compromised because in-game items could be traded or sold for cash, a practice known as real-world trading (RWT). Some stolen accounts were used for personal gain, while others became disposable accounts for rule-breaking activities such as botting or spamming, lasting longer than freshly created accounts thanks to their established reputations. Subscription services were another lucrative angle: accounts for Spotify Premium, YouTube Premium, or Netflix were frequently resold at a fraction of their legitimate monthly cost, offering buyers cheap access while leaving the original owner footing the bill.

How Cybercrime is Now

How websites are breached today

In recent years, attackers have shifted their methods as simple vulnerabilities have become harder to find. With the "low-hanging fruit" largely gone, cybercriminals now rely on more advanced and scalable techniques.

One approach is automated exploitation, where bots continuously scan the internet for weaknesses and launch attacks without human involvement. These tools are far more sophisticated than early scripts, capable of testing hundreds of thousands of potential exploits, identifying new targets, and extracting data in a fully automated cycle.

Another increasingly common tactic is social engineering, which exploits the weakest link in any system: people. Instead of breaking code, attackers impersonate trusted providers such as Microsoft, GitHub, or Salesforce to trick employees into handing over access. High-profile groups like ShinyHunters frequently use this strategy. Recent examples include the September 2024 case in which a 20-year-old named 'Malone Lam' impersonated Gemini and persuaded victims to transfer more than $250 million in Bitcoin, as well as the June 2025 breach of Google's Salesforce platform, where a malicious script exposed 2.5 million records.

Finally, stealer log malware has become a major threat. Spread through malicious downloads, this malware silently extracts sensitive data like browser-saved passwords, password manager entries, and cryptocurrency wallets. Unlike older breach data, these credentials are often up-to-date and highly reliable, making them especially valuable. With password reuse still common, a single stolen login can provide attackers with access to multiple services.

How the breached data is distributed today

Today, much of the underground data trade happens on encrypted messaging platforms such as Telegram, Signal, Tox, and SimpleX. Despite growing concerns about Telegram's security and privacy, it remains the dominant hub. Hackers frequently use invite-only channels or automated bots to share stolen files, ranging from stealer logs to full database dumps, making large volumes of data accessible within a few clicks.

Traditional cybercrime forums still exist, but their role has changed. Rather than hosting unique content, many now act as signposts, directing users to Telegram channels or sellers. While forum activity has increased in recent months, as shown in the graph below, most posts serve as teasers or samples of data available elsewhere, reinforcing the central role of encrypted messaging apps in today's cybercrime ecosystem.

[Graph: Forum Activity - May to June 2025]

*Data sourced from 'Cracked', August 2025

How the breached data is used today

One of the most common uses for stolen data remains account cracking, but the focus has shifted. Instead of gaming or subscription accounts, attackers now primarily target email providers such as Outlook. Weak or inconsistent rate limits often allow attackers to attempt logins repeatedly, in some cases up to 10 times in one hour and sometimes indefinitely, making email accounts a prime target. Once compromised, an email account becomes a powerful tool, since it serves as the recovery point for countless other services. With access, criminals can reset passwords and take over banking, shopping, and social media accounts linked to that email.

Breached data is also widely used for social media scams. Attackers compromise accounts, commonly taken from a breach, on platforms like Twitter (X), Instagram, or YouTube, then use them to push fraudulent schemes, often cryptocurrency "giveaways." For example, a post promises that if you send $1,000 in Bitcoin, you will be sent back $2,000 as a form of philanthropy, but the money is never received. These scams have even appeared on accounts belonging to high-profile figures such as Elon Musk, Bill Gates, Barack Obama, Joe Biden, and members of Donald Trump's family, showing just how damaging a single stolen login can be.

A particularly concerning trend is the rise of doxxing services. These underground platforms, often pay-to-use, allow anyone to search for personal information tied to a name or email address. The data, sourced from breaches, is usually accurate and can include passwords, home addresses, dates of birth, bank details, and in some cases, even passport or driver's license scans. Such services make it easy to strip away online anonymity and pose serious risks to individuals' safety and privacy.

What Changed?

How website breaches have changed

The move from traditional hacking methods like manual probing and dorking to techniques such as automated exploitation, social engineering, and stealer log malware reflects a fundamental shift in the cybercrime environment. Most websites with simple flaws have already been breached, while smaller targets are no longer worth the time investment. Instead, attackers now aim at users and administrators rather than the websites themselves.

Stealer logs represent this pivot clearly: rather than breaching a site for its data, criminals infect personal devices to harvest credentials directly. Similarly, social engineering bypasses code-level defences by targeting the humans who hold the keys. This shift highlights a positive trend: websites are becoming harder to compromise as security practices improve. Looking ahead, continued training and awareness around phishing, vishing, and other social engineering tactics may gradually close this gap, reducing the effectiveness of human-focussed attacks and marking a meaningful win against cybercrime.

How the distribution of breached data has changed

The shift from traditional forums to encrypted messaging apps can be traced largely to increased law enforcement pressure. Forums, once central to the cybercrime ecosystem, have become riskier places to operate. A prime example came in June, when BreachForums, the most popular hacking forum, was infiltrated by authorities, its five administrators arrested, and the site turned into a 'honeypot'. In this type of operation, law enforcement exploits vulnerabilities in the forum itself, silently collecting details such as visitor IP addresses and other identifying information.

This incident, along with the arrests of other well-known forum operators like Pompompurin, Omnipotent, Baphomet, and Rolex, has created deep distrust within these communities. Many now fear that forums could just as easily be monitored or outright controlled by agencies like the FBI.

While Telegram has become the primary alternative, it too faces growing scrutiny. Authorities are increasingly pressuring the platform to share user data, and although compliance is limited, it's eroding confidence. As a result, more privacy-focussed platforms such as Signal, Tox, and SimpleX are gaining traction, offering users stronger anonymity and reduced risk of exposure.

The change in how breached data is used

In the past, gaming and subscription services were prime targets for breached data. These accounts held real value, yet their defences were weak: poor rate limits made account cracking easy. Over time, most of these platforms introduced stronger protections, closing the door on widespread abuse and forcing attackers to adapt.

This led to the rise of stealer logs and other novel techniques. While account cracking still exists, it's far less effective, with stealer logs offering near-perfect accuracy by harvesting credentials directly from users' devices. Unfortunately, some providers, most notably Outlook, still lag behind in adopting robust protections, leaving their users more exposed.

The monetisation of stolen data hasn't disappeared; it has simply evolved. Where once hackers profited by selling accounts, they now pivot to scams, identity abuse, and underground doxxing services, proving that while the methods change, the financial motive behind cybercrime remains constant.

Conclusion

Cybercrime has come a long way from crude website hacks and stolen gaming accounts. Today's attackers use automation, malware, and social engineering to steal data, distribute it through encrypted channels, and weaponise it for scams, fraud, and identity abuse. The underground economy is more sophisticated than ever, but so are the defences. Stronger coding practices, smarter security controls, and law enforcement pressure have forced criminals to change tactics.

But one thing hasn't changed: the human is still the weakest link. That's why organisations can't afford to rely on passwords, outdated defences, or hope alone. By adopting strong digital identity solutions, phishing-resistant authentication, and proactive protection, businesses can stay ahead of cybercriminals and protect what matters most: their people, their data, and their reputation.

Intercede Group plc published this content on September 11, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on September 11, 2025 at 10:05 UTC.