Steal, deal and repeat: the commodification of personal data as the backbone of the digital criminal ecosystem
Wednesday 28 January 2026
Jorge Agüero Lafora
Fukuro Legal, Madrid
jal@fukurolegal.com
Introduction
The progressive digitalisation of economic activity, public services and social interaction has profoundly reshaped the environment in which serious and organised crime operates. Criminal conduct increasingly unfolds online, relying on digital infrastructure and exploiting the vast volumes of data generated and stored by contemporary societies. As a result, cybercrime has evolved from a collection of technically driven offences into a structured, transnational and market-oriented criminal phenomenon.
Recent European assessments underline that personal and corporate data have moved into the centre of this ecosystem, no longer as incidental targets, but as the core resource enabling criminal activity. This shift is explicitly acknowledged in the latest European analysis, which states that ‘data is the central commodity of the cybercrime economy - sought after, stolen, bought and exploited by a wide range of offenders’.[1]
From a criminal law perspective, this evolution is significant. Legal frameworks remain largely anchored to offence-based models focused on direct harm, identifiable victims and linear chains of causation. Data-driven cybercrime, by contrast, is characterised by fragmentation, delegation and the repeated reuse of illicitly obtained resources, challenging traditional assumptions about attribution and responsibility.
Data beyond the offence: target, instrument and commodity
Data plays a multifunctional role in contemporary cybercrime. First, it is frequently the direct object of criminal attacks. Ransomware operations, large-scale data breaches and espionage-oriented intrusions aim to achieve the unauthorised acquisition of information that can later be monetised, leveraged for extortion or strategically exploited.
Secondly, personal data functions as a means of committing further offences. Stolen credentials and personal identifiers enable fraud, account takeovers, impersonation and social engineering. This instrumental use of data has long been recognised at international level as a structural feature of cyber-enabled crime.[2]
Most significantly, data has become a commodity in its own right. Illicit markets trade in credentials, access to compromised systems and personal records, and this trade is often facilitated through encrypted platforms and invitation-only forums. These markets form the backbone of a service-based criminal economy characterised by outsourcing, efficiency and risk distribution. From a legal standpoint, the circulation of illicit data produces cumulative and systemic harm that extends far beyond the initial act of unauthorised access.
Specialisation, outsourcing and fragmented responsibility
One of the defining features of the current cybercrime landscape is functional specialisation. Offenders increasingly operate within loosely connected supply chains rather than stable, vertically integrated groups. Initial access brokers provide a clear example of this model: their role involves obtaining and selling access to compromised systems, which are subsequently exploited by other actors for ransomware deployment, fraud or data theft.
This separation between access acquisition and exploitation not only enhances criminal efficiency, but also complicates the attribution of liability. Actors operating upstream may be temporally and geographically remote from the final offence, despite their contribution being indispensable. European cybersecurity analysis describes this structure as a mature ‘crime-as-a-service’ ecosystem in which criminal roles increasingly mirror legitimate digital markets.[3]
Traditional concepts of participation and complicity struggle to capture this reality. Where liability depends on proximity to the final act, facilitators such as access brokers and data traders risk falling outside the scope of criminal responsibility, despite their central role in enabling harm.
Obtaining access: exploiting human vulnerability
While technical vulnerabilities remain relevant, human behaviour has become the primary entry point for cybercriminal activity. Social engineering techniques, including phishing and vishing, exploit trust, authority and routine, rather than flaws in code.
This dynamic has intensified with the use of generative artificial intelligence (AI). Automated tools now allow offenders to personalise deceptive communications at scale, increasing success rates, while lowering the barriers to entry. European analysis highlights that this adoption of large language models has ‘improved the efficacy of social engineering techniques by tailoring communication to the victims and automating criminal processes’.
From a criminal law perspective, the automation of deception complicates the assessment of intent and foreseeability. When harmful conduct is mediated through technological systems, the traditional link between individual decision-making and the outcome becomes increasingly attenuated.
AI and the expansion of criminal capacity
Beyond social engineering, AI supports identity fabrication, voice impersonation and automated victim selection. Research on the malicious use of AI confirms that these technologies operate as force multipliers, enabling individual actors to scale cybercriminal activity, achieving unprecedented speed and reach.[4]
This expansion of criminal capacity has direct implications for enforcement. Investigative and prosecutorial models focused on discrete cases and identifiable perpetrators struggle to respond to offences characterised by speed, volume and transnational dispersion. Criminal law, traditionally reactive, faces difficulties in addressing systems designed for continuous and adaptive offending.
Criminal law responses and international cooperation
The transnational structure of data markets exposes the limitations of territorially bounded legal systems. Offenders, infrastructure, victims and evidence are frequently dispersed across jurisdictions, creating enforcement gaps that cannot be addressed through domestic law alone. European authorities, therefore, emphasise the importance of intelligence-led cooperation and coordinated disruption strategies.
International research has also highlighted the need to focus on enabling and preparatory conduct. The UN Office on Drugs and Crime has observed that cybercrime often consists of interconnected acts rather than isolated offences, requiring legal frameworks that are capable of addressing facilitation and market-based contributions to harm.
Conclusion
The contemporary cybercrime landscape reflects a structural transformation of organised crime. Personal data is no longer a passive object of protection, but the economic backbone of a criminal ecosystem built around reuse, outsourcing and scale. The repeated theft, circulation and exploitation of data creates a self-reinforcing cycle in which the initial access generates ongoing criminal opportunities.
This reality challenges criminal law at a fundamental level. Concepts developed for territorially bounded, linear offences struggle to capture harm that is cumulative, distributed and mediated through digital markets. Facilitators operating upstream (access brokers, data traders and service providers) generate systemic risk, while remaining formally distant from the final offence.
As Europol succinctly observes, ‘access to a victim’s account or system is the critical part of most cybercrime kill chains’. Recognising this centrality requires a recalibration of the legal focus towards enabling conduct and structural contributions to harm.
Ultimately, addressing the commodification of data is not merely a matter of cybersecurity policy. It is a test of criminal law’s capacity to adapt to digital economies, while preserving the core principles of legality, proportionality and individual responsibility.
[4] United Nations Interregional Crime and Justice Research Institute (UNICRI), Malicious Uses and Abuses of Artificial Intelligence, Turin, 2020, pp. 1–3, https://unicri.org/sites/default/files/2020-11/Abuse_ai.pdf, last accessed on 15 January 2026.