The Alliance Security Council ™
The Business Model of the Serial Hacker

Paul Michael Viollis, Sr., Ph.D., Chief Executive Officer

Risk Control Strategies, Inc.


Unequivocally, one of the most fecund business models known to the global community is the malicious interception of personal and business information for financial gain, personal defamation and or business interruption; otherwise known as hacking.  Yet, at its origin in the 1950′s at MIT, hacking was anything but malicious and was nothing more than a harmless component of technical-based experiments.  However, today, it remains one of, if not the, fastest growing businesses in the world. For a criminal to create a business case to launch a career in hacking is the proverbial, “no brainier.” Constructed upon a minimal risk – maximum gain foundation, such an enterprise has a value proposition second only to its ROI. Specifically, cyber-crime generates a revenue stream in excess of $500 billion/year in reported losses and collaterally has accounted for the loss of over 500,000 jobs in the US alone.  Additionally, from a corporate perspective, a cyber-attack takes an average of 32 days to resolve costing an average of $1,035,769 per incident. Clearly in its embryonic stage and rich with unmined potential, this business model will continue to grow stronger by the day unless we embrace the very fabric of its mantra and expeditiously begin to preemptively implement mitigation protocols.

The Actors

Unfortunately, there are a plethora of contributors to this criminal epidemic but as it relates to the HNW community, our primary focus is on the group based in eastern Europe. Extremely well-funded and fueled by some of the most brilliant minds on the planet, this transnational criminal enterprise is staffed and positioned throughout the US and abroad concentrating their efforts in locations where the affluent are communicating electronically. The simplicity of their model is perhaps the most extraordinary part. Go where the money is as that is where it is least protected. Having studied the culture of Americans, this group plays off of the inherent vulnerabilities our laissez-faire attitude on personal security creates and invests its time in intercepting the transmission of financial data (actual account information) from unprotected email transmissions.  Not a bad job if you can get it!

The Business Model

Brilliant, to say the very least.  The textbook definition is called “negative migration,” meaning, negative behavior migrates to the path of least resistance. With the affluent being seen as the low hanging fruit, the attack trajectory is directed at the end users machine itself as opposed to businesses (I.e., Family Offices) where they focus on the corporate server. Hackers position themselves outside of residences located in wealthy neighborhoods, in frequent flyer lounges and in luxury resorts, and basically hack away.  With convenience a main factor in our lives, communicating via wireless communications is almost a necessity. That being said, right next to common sense, secured wireless is perhaps the greatest oxymoron of all time. Carrying encryption levels which pale in comparison to the hacking software in place today, the criminal gains access into the machine and downloads sophisticated key loggers (software used to visualize every key stroke you make) unto the machine.  From there, they study how you communicate and learn everything about you.  What you do, where you travel, how you write, everything. In essence, they conduct due diligence while inside your life so they can essentially, become you. From there, they send emails from your IP address, as you, with knowledge of all your account numbers and electronic credentials and commence with the theft which in many cases is in the 6 figures. As this model grows, SFO’s and MFO’s will become center radar in concert with all other wealth advisors because the vast majority are not properly protecting data from this type of advanced attack, they house all the required information for a successful hit and have placed all their trust in basic IT, not Cyber Security, as their line of defense.  Also, to add insult to injury, most of these networks were placed in the cloud which bleeds profusely from a risk perspective. This threat was recently crystallized by the SEC’s announcement for their intentions to immediately begin closely scrutinizing how asset managers “prevent, detect and respond to cyber attacks.” We need not play into the hackers’ hand!


When one examines the realized return on investment this model brings, huge is the only word that comes to mind. Let’s break that down. The criminal buys an airplane ticket for a flight leaving a major city that attracts the wealthy traveler (average $250.00) then buys a day pass at a frequent flyer lounge ($150.00/day) grabs himself/herself something to eat and drink and goes to work using their advanced hacking software ($1000.00) stored on their lap top($3000).  On a slow day, he/she could obtain several hundred new identities filled with everything you have on that laptop. Sitting outside someone’s home or at a luxury resort incur even a smaller front end investment. You do the math!

The Future

Perhaps the most frustrating part of what lies ahead is not the intellect of the attacker or the sophistication of their methodology but the reluctance of the potential victim to accept the severity of this crisis and invest in appropriate protection.  My anecdote bucket is overflowing with cases that more than validate that statement but I’ll spare you the horror stories. The glaring truth is no one can create an impenetrable solution, no one.  But given the negative migration model, our objective is to create an environment that has the hacker bouncing off your outer wall and redirecting their efforts elsewhere.  The bottom line is they simply don’t waste time with robust systems given the enormous amount of insufficiently protected ones. Time is money and they are always on the clock. That said, the mitigation strategy which has become a “Best Practice” is as follows:

Step 1. Have a Cyber Security professional, not your IT person (you wouldn’t have your accounting firm audit themselves), analyze your current machines to verify you have not already been compromised. If so, remove it and harden the device.

Step 2. From an anti-crime perspective, have the cyber security professional install advanced software to appropriately fortify communication from ho0me and while traveling

Step 3. Have a comprehensive vulnerability assessment and penetration test conducted on your business servers to ensure they have not been breached and to identify any vulnerabilities whether they be electronic or human.

In sum, you have the joy stick—you are in control. You can clearly construct a communications environment that will avert attacks or you can bet on the come line that it won’t happen to you.  It’s your call.

About The Alliance Security Council

Sign up for weekly emails to be notified of new Alliance Security Council research, free articles, and upcoming events.

First Name:
Last Name:

Two Ways to Subscribe to the Alliance Security Council

For less than $99 per month, The Alliance Security Council is your guide in safeguarding the lives and livelihoods of ...  ... more