Cybercrime as a Service (CaaS): the parallel market fueling the threat ecosystem


Aug 22, 2025

Today, cyber attacks no longer demand advanced technical knowledge; all you need is money (or crypto assets). This is due to the consolidation of a dangerous and efficient business model: Cybercrime-as-a-Service (CaaS).

This model has transformed cybercrime into a modular and professionalized ecosystem where everything can be hired: malware, credentials, access, infrastructure, technical support, and even ways to evade detection. In this underground market, ransomware, phishing, and infostealers are just the visible tip of a billion-dollar industry.

In this article, we explore how this clandestine market operates, what can be acquired in it, and how threat intelligence (CTI) helps to map, understand, and anticipate risks linked to CaaS.

What is Cybercrime as a Service?

CaaS is the commercialization of software tools, infrastructure resources, and other services geared toward criminal activities. It conceptually replicates the logic of SaaS (Software as a Service) but for the digital underworld. Just as you subscribe to an online corporate tool, criminals subscribe to packages to:

  • Infect devices with malware
  • Steal credentials
  • Launch phishing campaigns
  • Breach corporate networks
  • Automate social engineering scams
  • Monetize stolen data

Digital crime is no longer an isolated act but has become a supply chain, where each actor plays a specific role, complete with specializations, reputation, and technical support.

The Components of the CaaS Ecosystem

Within this parallel economy, we find several “as-a-service” models, each with its own role:

  • Malware-as-a-Service (MaaS): Ready-to-use malware (stealers, ransomware, trojans), offered under license, with updates and control panels. Example: RedLine, Lumma, and Raccoon, infostealers sold by subscription with support via Telegram or through management panels.
  • Initial Access Brokers (IABs): Specialists in breaching corporate networks and selling that access to other actors, such as ransomware groups. Example: RDP access to a company with 5,000 employees sold for $5,000 on a clandestine forum.
  • Infrastructure-as-a-Service: Providers of malicious infrastructure: anonymous hosting, ready-to-use C2 servers, fraudulent digital certificates, or even networks to redirect victim connections through various internet paths to complicate analysis by security professionals. Many of these services accept crypto assets and operate in regions with little international cooperation.
  • Phishing-as-a-Service (PhaaS): Ready-made phishing kits, credential collection panels, and campaign automation (email, SMS, social media). Example: services that include customized bank login templates, malicious QR code generation, and legitimate URL shorteners.

How CTI Works to Monitor and Mitigate CaaS-Related Risks

The role of Cyber Threat Intelligence is essential to understand how this ecosystem works, anticipate trends, and protect organizations against emerging threats. Here are some ways it operates:

  • Monitoring of Clandestine Forums and Marketplaces
    • Identifying new tools and services for sale
    • Mapping recurring actors and their specializations
    • Tracking the movements and advertisements of IABs, identifying trends and patterns in their targets
  • Behavior-Based Threat Profiling
    • Associating sold techniques with active groups or campaigns
    • Detecting patterns of sale and exploitation by geography or sector
  • Campaign Anticipation
    • Observing kits and templates being prepared for specific dates (Black Friday, tax season, elections)
    • Tracking keywords and infrastructure being set up
  • Integration with Technical Defenses
    • Providing IoCs, samples, and tactics to feed detection rules (SIEM, EDR, NDR)
    • Mapping recurring TTPs with frameworks like MITRE ATT&CK

Practical Example: The Crime-as-a-Service Cycle

An Initial Access Broker breaches a logistics company and sells this access on a forum. A ransomware group buys the access and uses it to spread an infostealer to steal credentials. With the credentials, the group performs lateral movement and exfiltrates data. It uses an encryption service to package the final payload. After the attack, it sells the stolen data on another forum and hires phishing campaigns to monetize the collected credentials.

This is the power of CaaS modularity: a single attack can involve 4 or 5 distinct groups, each with its own role.
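
The cycle above, mapped to MITRE ATT&CK and checked against a detection-rule inventory to show where the chain would go unseen (an added example, not part of the original article). The technique IDs assigned to each stage, the rule names, and the policy that a parent-level tag covers its sub-techniques are assumptions made for illustration.

```python
from collections import defaultdict

# Stages of the article's example cycle, the CaaS role involved, and ATT&CK
# technique IDs chosen for this example (the article itself names no IDs).
CYCLE = [
    ("access sold by broker", "IAB", ["T1133", "T1078"]),
    ("infostealer deployed", "MaaS", ["T1555"]),
    ("lateral movement", "buyer", ["T1021.001"]),
    ("data exfiltration", "buyer", ["T1041"]),
    ("payload packaged", "packing service", ["T1027.002"]),
    ("follow-on phishing", "PhaaS", ["T1566"]),
]

# Constructed rule inventory: rule name, telemetry source, ATT&CK tags.
RULES = [
    ("rdp-logon-from-new-asn", "SIEM", ["T1133", "T1078"]),
    ("browser-credential-store-read", "EDR", ["T1555"]),
    ("remote-services-fanout", "NDR", ["T1021"]),      # parent-level tag
    ("mail-gateway-lure-url", "SIEM", ["T1566.002"]),  # sub-technique tag
]


def covers(tag, technique):
    """A tag covers a technique if equal, or if the tag is its parent.
    A sub-technique tag does not cover the parent or a sibling."""
    return tag == technique or technique.startswith(tag + ".")


def coverage(cycle, rules):
    """One dict per stage: techniques with rules, and techniques with none."""
    report = []
    for stage, role, techniques in cycle:
        hits = defaultdict(list)
        for name, source, tags in rules:
            for t in techniques:
                if any(covers(tag, t) for tag in tags):
                    hits[t].append(f"{source}:{name}")
        gaps = [t for t in techniques if t not in hits]
        report.append({"stage": stage, "role": role,
                       "covered": dict(hits), "gaps": gaps})
    return report


def first_blind_stage(report):
    """Earliest stage in the chain with no covered technique at all."""
    return next((r["stage"] for r in report if not r["covered"]), None)


if __name__ == "__main__":
    for row in coverage(CYCLE, RULES):
        print(f'{row["stage"]:<24}{row["role"]:<18}gaps={row["gaps"]}')
```

With this inventory the first three stages are covered and visibility ends at exfiltration; the phishing rule is tagged too narrowly to count for the parent technique.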

Conclusion

Modern cybercrime is no longer improvised. It operates as a structured parallel economy, with supply, demand, reputation, and technical support. Understanding CaaS means understanding why generic and static defenses no longer work.

The good news is that with visibility and intelligence, it’s possible to anticipate these moves and disrupt this chain—before it reaches your company.
