The cybercrime landscape now looks increasingly like a shadow version of the tech industry, with similar tools, practices, and technological innovations.
The Hollywood image of a cybercriminal is a lone wolf in the shadows; a renegade thief or saboteur. But cybercrime today looks very different. The lone wolves have formed organized groups and are working together, learning from one another, and growing more sophisticated. As the cybercriminal ecosystem has matured, it has pivoted toward economies of scale, specialization of labor, and the trappings of modern professional life—less criminals in dark basements hunched over laptops and more payroll squabbles, program management software, and IT help desks.
The cybercrime landscape now looks increasingly like a shadow version of the tech industry, with similar tools, practices, and technological innovations. Just as Software-as-a-Service (SaaS) has transformed legitimate enterprises, a parallel trend has emerged in the criminal world: Cybercrime-as-a-Service (CaaS). Taking advantage of the same dynamics that make SaaS successful—modular services, pay-per-use economics, and ease of use for non-experts—CaaS makes cybercrime more accessible, scalable, and efficient.
The 2025 Microsoft Digital Defense Report (MDDR) will share the latest on how threat actors are using CaaS to outsource the technical aspects of cybercrime and ramp up their impact. Here’s what you need to know.
How does CaaS work?
CaaS is a business model for cybercrime in which specialized vendors sell packaged tools and services. They transact on encrypted messaging platforms and dark web marketplaces, with prices typically set in cryptocurrency. Tack “as a service” onto any common cyberthreat and you’ll probably find it in the CaaS economy: phishing, ransomware, malware, Distributed Denial-of-Service (DDoS), botnets, and more.
The growth of CaaS means that threat actors no longer need technical expertise to launch sophisticated attacks; they can simply purchase the tools and access from someone else. These purchases can range from a one-off, like a DDoS attack, to an ongoing subscription for botnets or malware. It’s analogous to an entrepreneur using a SaaS platform to set up an online marketplace in a day or two without writing a single line of code.
In just a few years, CaaS has gone from an emerging phenomenon to a robust economy that spans the globe. The barrier to entry for cybercrime has never been lower, which means more people have both the incentive and opportunity to get involved. That might be students with specialized tech skills looking to make extra money, or traditional organized crime groups expanding their scope—Europol has reported that criminal networks are increasingly operating in the digital realm.
How did CaaS come about?
It’s difficult to pinpoint exactly when CaaS emerged, but the concept has its roots in “kits” for phishing and exploit campaigns, which enable non-experts to purchase the technical components and deploy an attack themselves. As underground vendors recognized the economic potential of packaging tools and capabilities for sale, they took the idea further and began offering end-to-end services.
Phishing-as-a-Service, for example, packages phish kits with email templates, landing page hosting services, and tools to capture victims’ credentials. For as low as $50 per month, an actor can rent a kit and set their operations on autopilot, reaping the rewards with almost no effort.[1] In the Ransomware-as-a-Service (RaaS) model, which has now become the norm for ransomware, vendors develop ransomware and work with “affiliates” who hack a network and deploy the ransomware. The ransomware group then negotiates with victims on the affiliate’s behalf, and profits are shared between the group and the affiliate in a transparent, publicly advertised royalty split.
CaaS today
With ongoing development of the cybercrime economy, the end-to-end CaaS model for specialized attacks such as phishing or ransomware has given way to a decentralized ecosystem of providers, each playing a specialized role in an attack:
Developers create the technical components, whether that’s phish kits, malware such as infostealers, or ransomware.
Access brokers breach computer systems, networks, and accounts, then monetize access—they sell the keys to the treasure chest, not the treasure itself. Access brokers sell everything from VPN logins and remote access credentials to company directories and admin privileges.
Operators use technical tools created by developers and access that’s bought or leased from brokers to deploy attacks. Operators are end users and could include ransomware affiliates, data extortion groups, cyber mercenaries, or nation-state actors.
This division of labor can be found in various types of attacks, thereby increasing efficiency and effectiveness and lowering prices. As CaaS has professionalized, vendors have adopted the structures of legitimate tech companies with branded services, marketing, tiered pricing, and even tech support.
What’s next?
Just as AI is empowering modern businesses to be more efficient, it is doing the same for the CaaS economy. AI is already beginning to streamline processes across the CaaS ecosystem, making cybercrime faster, easier, cheaper, and more effective. Operators can use AI to write effective phishing emails free of telltale grammar and spelling errors, and automate targeted spear phishing attacks. Ransomware groups are using AI translation tools for real-time negotiations. Access brokers can use AI to scan systems for vulnerabilities, finding chinks in the armor they can exploit, and then escalate privileges of stolen user accounts without human intervention.
Learn more
Microsoft’s threat analysts and digital crimes specialists track cybercrimes worldwide to understand the evolution and how to stay ahead of emerging threats. The 2025 Microsoft Digital Defense Report (MDDR) will break down recent developments and what organizations and individuals can do to protect themselves. Come back when the report is available for download on October 16, 2025.