Saturday, November 3, 2018

The Social Network of Hackers

Authors: David Décary-Hétu, Benoit Dupont
Institution: University of Montreal
Journal: Global Crime
Date: August 2012

The premise of the article is to assess the value of social network analysis in criminal investigations especially as it has to do with hackers and cybercriminals. Canadian law enforcement provided the authors raw data from the criminal investigation of a group of hackers operating botnets for commercial gain. The authors used the raw conversation logs from the arrested hackers’ computers to conduct the analysis.

The authors begin the article by explaining the value of social network analysis in criminal investigations. The authors state that in comparison to criminal organizations of the 1970’s, today’s criminal enterprises bear little resemblance in form and function. Modern organizations are more resilient and robust whereby removing important members from the network doesn’t necessarily destabilize the rest of the network. Since important members may not destabilize operations, understanding the entirety of the network becomes a relevant and necessary task.

In the modern age of information gathering, intelligence and law enforcement have an increased number of tools they can use to generate and process information about networks. The authors believe that social network analysis is suitable to process large sets of structured and unstructured data to better understand opaque networks seen commonly in criminal organizations but also potentially in more unformal organizations like those seen online.

The data provided by Canadian police included 4714 messages between individuals in the hacking network under investigation. The authors identified 771 individuals including the 10 arrested hackers in the network. The authors decided to focus the analysis on 38 individuals: the 10 arrested hackers and 28 other Persons of Interest.

The authors examined conversations between the hackers and the POI’s to determine the centrality and power of the individuals in the network. The authors assess centrality through looking at ingoing and outgoing messages between individuals in the network. The pattern that is revealed is an indicator of status or prestige in the network. Additionally, the authors assessed centrality using “flow betweenness centrality” which posits that the more often an individual is located between other individuals, the more important they are in the control and flow of information within the network.

The authors recognized some significant limitations in their study, specifically that they may not have a full record of conversations between individuals in the network. Additionally, the conversation records were only between hackers or hackers and POI’s. The authors did not have conversation records between POI’s.

Figure 1. The social network of the arrested hackers, shown in red, and Persons of Interest (POI's), shown in blue. 

The authors built a social network using the data, which is shown above.

The authors state:
In Figure 3, the squares represent the arrested hackers and the circles represent POI. A few nodes stand out in this graphic. N505 (bottom right) looks isolated from the network and even more so from the other arrested hackers. Although some arrested hackers seem to have many contacts (N2 and N29), others have very few ties (N73 and N505). Moreover, some POI – such as N217 – seem to have a more central position in the network than some of the arrested hackers. This suggests that some important players might have been ignored while some ‘fringe’ people were arrested.”

Initial conclusions derived from the pattern of conversations suggested that the network was broken into groups of highly connected, mildly connected, and disconnected hackers. Overall the network was not very cohesive or connected, shown by an overall low number of messages between 2004 and 2008. Based on their analysis of the pattern of conversations, the authors believe the arrested hackers were less involved in the group based on their connectedness.

The arrested hackers were also more connected with POI’s than other hackers, which the authors believe is indicate of either the network was tightly organized or whether part of the network was overlooked. The premise of the second hypothesis is that some of the POI’s may be more important to the network than the hackers that were arrested.

The authors ranked individuals in the network using degree centrality coefficients. Of the top 10 individuals, 8 were arrested. The other 2 ranked poorly. Using flow betweenness centrality, which helps to identify information brokers in the network, the authors identified that the top 7 individuals were among the arrested hackers, suggesting that the police targeted individuals who control the information in the network.

In contrast the authors found that while the hackers acted as brokers of information, they were not necessarily the most powerful actors in the network. POI’s were assessed to have more power in the network. The authors state “this indicates…[hackers] are not positioned so efficiently in the network as to be indispensable. The actors they are tied to usually have other alternatives to get information they need…” The authors conclude this section by suggesting that the social network of these actors resembles an association between individuals rather than an organization.

By targeting the information brokers, the arrested hackers, the police were able to disrupt the network, was borne out by the social network analysis. Being brokers meant that the hackers were more visible in the network, increasing their chance of arrest. While the authors found that these individuals were most central, they were not the most powerful. Again, the POI’s were shown to be more powerful within the network. Even though the POI’s were assumed to be periphery in the network and overlooked, the analysis revealed that a select number of POI’s may have been more important in the network because of their power rather than their centrality or visibility.
The authors conclude the piece by suggesting that the police need to have an intimate knowledge of how hacking communities function to determine how is relevant in the network beyond their visibility. The authors further recommend that the police should monitor the powerful individuals in the network, the POI’s, to detect how the network rebuilds after the arrest.

Given the data available, the authors were able to identify individuals in the network that may have been of more importance than the hackers that were arrested. I believe that this highlights an advantage to social network analysis when investigating opaque networks. Given that the most visible or connected individuals in the network may not be the most powerful, the police may have overlooked key individuals based on their intuitive judgement of the evidence. The authors state that after the arrest of 6 of the 10 hackers, the fragmentation increased exponentially. After the 6th arrest, subsequent arrests had much more limited effects on the network fragmentation. This could have been the result of misidentifying key players in the network. By suggesting this, the authors indicate that one of the neglected POI’s may have been more worthwhile in investigating further prior to making the arrests in order to destabilize the network.

At the same time the authors highlight the key problem and limitation which is the availability and abundance of the data. The authors had the cooperation of the investigation authorities who provided the data, which enhances the efficacy of the study. At the same time, the authors believe that if they had more information that would have resulted from a deeper investigation of  the POI’s, they might have been able to draw additional conclusions as to the importance and relevance of the POI’s.
Overall, social network analysis was able to gather impressive insights using the limited data, showing its relevance in understanding networks with a limited amount of information.

Link 1:
Link 2:


  1. Hi Harry,
    This study appears to illustrate a limitation of social network analysis. Although arresting information brokers can help break down communication, this study shows that those information brokers may not be the most powerful individuals. Due to this, analysts would benefit greatly from looking at the content of what is being communicated because the messages themselves can reveal the nature of relationships. However, considering the content is not always accessible, analysts must make inferences based on frequency of communication.

    1. I believe there was a limitation in the study in that the authors did not attempt to use content analysis to determine the common content of the messages. That being said, there was nearly 4,000 or more messages between 771 actors in the network but on average there was a low amount of communication between actors in the network. Remember that SNA works on the number of interactions, who acts as a conduit for interactions, etc... In actuality, SNA was able to find something that the police missed so I'm not sure its really a limitation in that regard.