An Examination of Motivation and Routine Activity Theory to Account for Cyberattacks Against Dutch Web Sites

Abstract

This study provides a partial test of the relationship between actor motivations and target suitability using a routine activity framework to understand a form of cybercrime called web defacements. Specifically, the relationships between the visibility, inertia, value, and accessibility of the target in online spaces relative to the unique nonmonetary motivations of the attacker were examined. This study utilized a sample of 138,361 web defacements performed against websites hosted within the Netherlands IP space from January 2011 to April 2017. Seven multinomial logistic regression models were conducted for each self-identified motive for the attack, clustered by attacker to minimize the size of standard errors. The findings demonstrated partial support for aspects of routine activity theory to account for differences in offender motivation, suggesting web defacements are similar to other forms of cybercrime. At the same time, motivations differentially shape target selection.

Keywords

routine activity theory motivation hacking cybercrime decision-making

Criminological inquiry over the last 40 years has been defined in part by examinations of routine activity theory, which argues that for crime to occur, a motivated actor, suitable target, and an absence of guardian must converge in time and space (Cohen & Felson, 1979). This theory has found substantial empirical support to account for various forms of person-based (Fisher et al., 2002; Groff, 2007; Lauritsen et al., 1991; Mustaine & Tewksbury, 1999), as well as property crime victimization (Jensen & Brownfield, 1986; Pratt et al., 2010). Recently, researchers applied this theory to cybercrime victimization, or acts involving technology as either the target of or tool to facilitate the offense (Holt & Bossler, 2008; Leukfeldt, 2014; Maimon et al., 2013; Reyns, 2013).

Although these studies demonstrate the use of routine activity theory to account for victimization, they frequently exclude assessments of motivation where it is largely treated as a constant (Sasse, 2005; Schwartz et al., 2001). This is particularly evident in cybercrime scholarship (Holt & Bossler, 2013; Leukfeldt & Yar, 2016; Maimon et al., 2013). Motivation is not, however, a static characteristic and may reflect variations in opportunities and guardianship relative to target selection (Parkin & Freilich, 2015; Sasse, 2005). In online spaces, researchers argue that targets should be plentiful online due to the spatially and temporally disconnected nature of the internet (Yar, 2005). Individuals interested in committing a crime have greater proximity to potential targets around the world due to the lack of physical geographic distances. In addition, targets may be more visible online as most online services, such as retailers and financial institution websites, are active at all times (Yar, 2005).

There are also myriad motivations for cybercrimes, ranging from instrumental (Hutchings & Clayton, 2016; Leukfeldt, 2014) to expressive reasons (Holt et al., 2017; Jordan & Taylor, 2004). This is particularly true for acts of hacking, where individuals target computer systems based on an individual’s interests, geographic location, and overall knowledge of technology (Holt & Bossler, 2015; Kilger, 2011). For instance, individuals may attempt to compromise computer systems to demonstrate their capabilities (Jordan & Taylor, 1998; Steinmetz, 2016). Others may target systems out of ideological causes, such as the perception that a government or enterprise has acted inappropriately or has harmed a population (Denning, 2011; Holt et al., 2017; Jordan & Taylor, 2004). The methods of the attacker may also vary based on their motivation as those seeking to demonstrate technical mastery may employ more sophisticated techniques to affect their target.

The range of possible motives presents a challenge for our understanding of hacking as the outcome of an attack may be the same, regardless of the expressive or instrumental reasons of the attacker (Holt et al., 2017; Kirwan & Power, 2013; Woo et al., 2004). At present, most academic research and criminal justice policy is focused on profit-driven hacking, such as data breaches and malware (Holt & Bossler, 2015; Hutchings & Clayton, 2016; Leukfeldt, 2014). This calls to question our understanding of the practices and range of expressive motives reported by hackers generally. Examining these issues can improve our capability to not only defend against future attacks but also deter hackers through criminal justice processes in the event they transition to more instrumental attacks (Holt & Bossler, 2015; NCA, 2017).

This study attempted to address this gap in the literature through a quantitative assessment of routine activity theory to a specific form of hacking, called web defacements. These attacks involve using various techniques to change the original content of a target website to images, text, and sound files of their choice (Holt et al., 2017; Jordan & Taylor, 2004). Web defacements are an extremely common hack that can be performed for multiple expressive motives, making them ideal to assess the characteristics of targets that may be associated with distinct motivations. Seven multinomial logistic regression models were conducted using a sample of defacements targeting websites ending in the country code extension, .nl for the Netherlands, between 2010 and 2017. The findings demonstrate differences in the targets and practices of web defacers on the basis of their motivation. The implications for criminological theory, as well as cybersecurity and criminal justice practice are discussed in depth.

Assessing Motivations for Hacking and Web Defacements

The modern social dependence on the internet for communications, commerce, and critical infrastructure management has created massive opportunities for cyberattacks (Andress & Winterfeld, 2013; Ponemon Institute, 2017; Symantec Corporation, 2018). Most attempts to compromise this infrastructure can be attributed to computer hackers, defined as individuals who use their knowledge of technology to gain access to computer systems (Furnell, 2002; Holt, 2007; Jordan & Taylor, 1998). Computer hackers also exist within a subculture that emphasizes the importance of technological skill, as those with greater knowledge may be more effective in completing any hack (Holt, 2007; Jordan & Taylor, 1998; Steinmetz, 2016). Individuals are also judged by and gain social status through practical demonstrations of knowledge, usually through publicly verifiable hacks (Holt, 2007; Jordan & Taylor, 1998; Steinmetz, 2016).

The consequences of hacks are varied and depend largely on the target and interests of the actor. For instance, evidence suggests there are hundreds of denial of service attacks targeting networks every day in an attempt to keep others from using web-based services or online content (Arbor Networks, 2019). Another extremely common type of hack involves website defacements, where the attacker replaces the existing content of a website with images and text of their own design, including greetings to peers and taunts to security professionals (Denning, 2011; Romagna & Van den Hout, 2017; Woo et al., 2004; Zone-H, 2018). There are tens of thousands of web defacements performed every month (Zone-H, 2018), with estimates suggesting defacements comprise about 19.7% of all online attacks (Passeri, 2014). In fact, Romagna and Van den Hout (2017) noted there were over 1 million defacements reported to the Zone-H web defacement repository each year from 2010 to 2015.

The persistent nature of defacements may be a function of the various ways that websites may be compromised, and their value in the broader hacker subculture. Defacements can be performed through low-skill methods such as guessing a system administrator’s username and password may be employed, as well as more sophisticated techniques, including the use of vulnerabilities and malicious code (Andress & Winterfeld, 2013; Romagna & Van den Hout, 2017; Woo et al., 2004). Web defacements can cause economic harm to the target based on costs associated with repairing the site, lost revenue from website downtime, and potential reputational costs due to public nature of a defacement (Computer Security Institute, 2011; Kilger, 2011). The highly visible and verifiable nature of defacements also enables hackers to link defacements to their online identity as a way to gain status within the hacker subculture (Jordan & Taylor, 2004; Romagna & Van den Hout, 2017; Woo et al., 2004).

The potential influence of subcultural forces on hackers’ activities demonstrates the importance of understanding an actor’s motives for engaging in a defacement. There are multiple reasons an individual may target a site for defacement beyond the desire to gain social status and respect within the hacker community (Holt, 2007; Taylor, 1999). Some may engage in defacements for fun, as they may be entertained by changing online content and making computer systems display messages and content they created (e.g., Holt, 2007; Woo et al., 2004). A small proportion of attackers may also engage in defacements or attacks out of a desire for revenge against someone who they feel may have wronged them (Holt et al., 2017; Jordan & Taylor, 2004), or in support of nationalist, political, or ideological causes (Holt et al., 2017; Jordan & Taylor, 2004; Romagna & Van den Hout, 2017).

Routine Activity Theory, Offender Motivation, and Target Selection

The range of motives associated with web defacements calls to question whether a hacker’s rationale for an attack corresponds to any specific characteristics of websites that may increase their risk of victimization (Holt et al., 2017). Routine activity theory is ideal to address this question as it focuses on the convergence of motivated individuals, suitable targets, and an absence of guardians in time and space. Routine activity theory is argued to be a classical theory, as crime is thought to be a decision made through weighing costs and benefits associated with the offense, which can be shaped in part by motivations (Clarke & Felson, 1993; Felson, 1998). Cohen and Felson (1979) originally argued that motives vary based on the act and actor, although they do not define motive clearly. Social, economic, and structural conditions could all increase the perceived need to commit a crime, although that should not compel action. The situational characteristics evident in a given place and time instead mediated the relationship between actor and action (Birkbeck & LaFree, 1993; Cohen and Felson, 1979; Decoster et al., 1999; Mustaine & Tewksbury, 1999; Sasse, 2005).

Routine activity theory predicts that changes in legitimate opportunity structures, like technology, can increase the convergence of motivated actors and suitable targets in the absence of guardians (Holt et al., 2018; Pratt et al., 2010; Reyns, 2013; Yar, 2005). Felson (1994) argued that actors would consider targets attractive based on their perceived value, inertia in physical space, visibility, and accessibility to the actor (or VIVA). Value can differ by motive as noted in research examining interpersonal violence, which finds a significant relationship between actor motivation, target selection, and situational factors influencing the risk of victimization. Researchers largely separate motivation into two categories: instrumental and expressive (Decker, 1993; Katz, 1988). Instrumental motives focus on crime as a rational decision to gain something positively valued despite the risk of detection, such as financial gain (Katz, 1988). Expressive motivations involve emotions, such that rational calculations for action may be overwhelmed by feelings of anger, frustration, or revenge (Decker, 1993; Felson, 1998).

Evidence suggests there are clear patterns of victimization risk associated with specific motivations, through aspects of accessibility, visibility, and value. For instance, violence driven by expressive motives tends to affect intimate partners in their homes, whereas the majority of instrumental violence occurs between strangers (Decker, 1993). Similarly, individuals associated with far-right groups who performed acts of violence without an ideological motive were more likely to target White males indoors or in their homes, who knew the perpetrator, and were affiliated with a far-right movement (Parkin & Freilich, 2015). Victims of ideologically motivated violence were more likely to be from a minority group, had no relationship to the perpetrator, and be killed outdoors and during weekends (Parkin & Freilich, 2015).

Research applying routine activity theory to cybercrime has largely ignored motivation, instead focusing on measures of target suitability and guardianship (Leukfeldt & Yar, 2016). Most studies find target visibility and accessibility increased the risk of victimization, due to individual involvement in online deviance (Bossler & Holt, 2010; Holt & Bossler, 2008) or time spent in specific online environments (Holt & Bossler, 2015; Leukfeldt & Yar, 2016; Marcum et al., 2010; Pratt et al., 2010).

When applied to web defacements, the qualities of a target’s value to an actor, as well as its inertia may still be affected by motivation and attacker abilities (Leukfeldt & Yar, 2016; Yar, 2005). For instance, defacers may choose to target the home page of a website, which would be of high value due to its potential for visibility to the broader public. Attackers who target the home page of a site may be interested in promoting an ideological cause, seeking revenge for a perceived slight, or demonstrating their own abilities to the world (Jordan & Taylor, 2004). Alternatively, they may only be able to compromise a secondary page within the larger site due to either security protocols or perceptions of the value of that portion of the website to the attacker. For instance, individuals interested in defacing sites out of a desire to have fun may target the secondary pages of websites due to ease of access and a reduced risk of detection.

Web defacements also present a unique dynamic with respect to target inertia, as most digital content is thought to be weightless in a physical sense (Yar, 2005). The structure of web servers that host web pages creates targets with potentially substantial inertia, as their content may vary from as little as one website to hundreds of thousands of sites and their individual page content simultaneously. Individuals who engage in defacements can target either a single page within a website or all of those pages hosted on the server, which are commonly referred to as mass defacements (Romagna & Van den Hout, 2017; Woo et al., 2004).

From an inertia perspective, engaging in a mass defacement would take greater technical skill on the part of the hacker and may generate greater recognition for the defacer in the hacker subculture (Holt et al., 2017; Yar, 2005). Actors interested in demonstrating that they have substantial knowledge may be more interested in engaging in mass defacements. Individuals motivated by a desire to have fun may be more willing to simply complete a defacement of any target. Similarly, those interested in defacing sites for a cause or revenge may be more selective in their targeting, or simply affect single-page targets generally.

As websites are also theoretically always available online, their visibility and accessibility may disproportionately increase the risk of repeat victimization from defacers based in part on their motivation. Yar (2005) argued that physical accessibility in online spaces was relatively constant as websites and online content were almost always available online. Instead, accessibility may reflect the actor’s ability to utilize tools and resources to obviate security protocols in much the same way as the use of tools to break into physical buildings or gain access to targets (Bossler & Holt, 2010; Leukfeldt & Yar, 2016; Yar, 2005).

The potential value of a target may, however, be shaped by its association with physical space on the basis of its Top-Level Domain (TLD), or the extension appearing at the end of a Uniform Resource Locator (URL). The TLD of a website is directly associated with a physical space through the use of unique domains like .cn (China), .nl (the Netherlands), .co.uk (United Kingdom). The physical location need not match its TLD due to variations in the available number of web servers and hosting resources in a given country (Holt et al., 2018).

As a consequence, sites hosted outside of the physical boundaries of a country’s TLD may be more attractive for some actors due to differences in their accessibility. Individuals whose motives correspond to demonstrations of hacking for social status or skill may be more likely to target sites located outside a country’s physical boundaries due to the potential that they may be more difficult to access. Individuals seeking to compromise systems based on ideological beliefs may also be more likely to target websites in other nations than that of the designated TLD due to underlying factors associated with their cause.

The operating system software of the server hosting the targeted website may also reflect its accessibility (Holt et al., 2017; Leukfeldt & Yar, 2016; Taylor, 1999). Web servers utilize software programs that enable system administrators to configure and manage hosted content, as well as users’ behavior. There are two forms of operating systems: “open source” and “closed source” software. Open-source code is publicly accessible, enabling users to identify and publicly report flaws that could be used to compromise the system. Closed-source software is produced by companies like Microsoft and Apple who limit access to their source code and limit vulnerability reporting and production of security updates to repair the code (Andress & Winterfeld, 2013). As the majority of web servers online utilize open-source software, they may be more accessible to attackers compared with those using closed software (Leukfeldt & Yar, 2016). Actors seeking a challenge or hacking to gain status within the subculture may, therefore, target closed-source software programs to demonstrate their skills.

Accessibility may also be affected by a target’s prior victimization. A site that has been defaced previously may be more visible to the broader hacker subculture and appear more easily compromised than others. The potential accessibility of a target may lead some to redeface websites due in part to their motivation. For instance, those driven by an ideological agenda or revenge may be more likely to repeatedly deface the same sites because it either operates in contrast to their beliefs or causes harm to a certain group (Jordan & Taylor, 2004; Woo et al., 2004). Redefacements may not be associated with those driven by skill-based motives as an accessible target will not demonstrate their capacity as hackers.

Finally, the method of attack employed by a defacer may be a reflection of their ability to access the target. Hackers can use various techniques to complete an attack (Holt et al., 2017; Jordan & Taylor, 2004; Maimon et al., 2013; Romagna & Van den Hout, 2017), particularly in the case of defacements where they may be compromised using password guessing tools to unknown vulnerabilities to compromise the server OS. Actors with less skill may be more likely to use common methods of attack compared to those with greater knowledge of hacking (Holt et al., 2017; Jordan & Taylor, 2004; Romagna & Van den Hout, 2017).

There are two particularly common hacks used to deface websites, the first of which involves SQL injection, where an attacker exploits weaknesses in SQL database software to gain access to the site (Holt et al., 2017; Romagna & Van den Hout, 2017). The second form involves the use of known vulnerabilities present in server software that the attacker can use to compromise the system and facilitate the defacement (Andress & Winterfeld, 2013; Jordan & Taylor, 2004). The use of common attack methods may be associated with attacker motivations, as ideologically motivated actors and those seeking entertainment may use common attack techniques to ensure a successful outcome. Individuals interested in challenging themselves or demonstrating their mastery of technology may be less likely to use common techniques (Holt, 2007; Holt et al., 2017).

The Present Study

Taken as a whole, web defacements comprise a distinct form of cybercrime that may be performed for a variety of reasons. The targets of actors may vary, but the visibility and accessibility of web servers make them constant targets. The inertia of the target server may also relate to actor behavior, as individuals may seek to affect multiple sites in as little time as possible. This study examined aspects of routine activity theory by examining the relationship between self-reported motivations for performing defacements and victim characteristics through a quantitative analysis of all defacements performed against websites hosted with the Netherlands country code.

Method

Data

As noted in the broader cybercrime literature, there are few official data sources that provide a comprehensive enumeration of computer-focused offenses such as hacking (Holt & Bossler, 2015; Newman & Clarke, 2003; Wall, 2007). Few industry or open-source government resources are available due to underreporting on the part of victims, particularly within private industry over fear of economic losses and a drain in consumer confidence (Holt & Bossler, 2015; Wall, 2007). Web defacements are one of the few highly visible forms of computer hacking due to the publicly accessible nature of websites and individuals’ interest in demonstrating their skills (Jordan & Taylor, 2004; Romagna & Van den Hout, 2017; Woo et al., 2004).

One of the few existing resources for website defacements is the archive maintained at the website “Zone-H” (www.zone-h.com). This website has been active in various forms for more than a decade and is the most comprehensive source available on defacements (Maggi et al., 2018; Romagna & Van den Hout, 2017). Zone-H provides an outlet for individuals to publicly report and advertise websites that they have defaced. There are hundreds of thousands of defacements archived here against targets around the world, and has been used as a data source for several research studies (Maggi et al., 2018; Romagna & Van den Hout, 2017; Woo et al., 2004).

When an individual engages in a defacement, they can report their actions to the Zone-H website via an online form, where they are asked to provide a hacker handle (e.g., adopted online identity of the individual or group) that is labeled as the “notifier” for the defacement. Respondents are also asked to fill in some specific characteristics about the web defacements, including the web domain affected, the date and time, their nickname, the method used to engage in the defacement via a dropdown menu, and a rationale for the attack (options include just for fun, revenge against that website, political reasons, as a challenge, I just want to the best defacer, patriotism, and not available). The information is sent on to the Zone-H site administrators who validate the claims, and then archive the defacement (if accurate) so that it can be mirrored in perpetuity on their site. As a result, Zone-H reporting appears to be driven primarily by self-reports from defacers rather than proactive scans of the internet to identify defacements when they occur.

This study focused on all attacks directed against websites ending in the Netherlands’ country extension TLD (.nl). The research team was able to gain access to all reported defacements against Dutch targets through one of the authors’ institutional affiliations which has an existing relationship with Zone-H. The provides a convenience sample of attacks, but is also purposive due to the Netherlands’ position relative to other EU and western nations generally. First, the Netherlands has been recognized as a global hub of technological innovation and high-tech start-ups in the late 2000s (Egusa & Cohen, 2015; World Intellectual Property Organization, 2019). Second, the country has one of the highest overall rates of high-speed internet access in the EU (CIA World Factbook, 2019) which may increase the capacity for attacker access (Holt et al., 2018). Third, the Netherlands has been a persistent target for ideological defacers, with substantial attacks driven by political and religious motives in 2008 (Holt et al., 2017) and 2017 (Van Riper, 2017). Thus, the Netherlands provides a unique, high-profile target for potential defacers regardless of motivation.

This analysis focuses on 138,361 defacements affecting sites hosted in the .nl domain between January 1, 2011, and April 20, 2017. In a relatively small number of cases (N = 157), it was not possible to identify the hosting location. Once a website is no longer active, it is difficult to identify its hosting IP address and other pertinent background information. Thus, these cases were excluded from the analysis to improve the overall model.

Dependent Variables

The dependent variable for this analysis was the self-reported motivation provided as to why an individual completed a defacement. Zone-H data allow the reporter to indicate their reason for performing the defacement from a series of seven options: (a) just for fun, (b) as a challenge, (c) to be the best defacer, (d) patriotism, (e) political reasons, and (f) revenge against that website. In the event the individual does not want to report a motive, Zone-H scores their response as not available, creating a seventh category overall.

As this data set constitutes secondary data, it is unclear why and how the reporting site chose to use these seven reporting options, or why an opportunity to provide a different motive is not provided. These seven motives reflect recognized reasons for hacking that have been reported in the hacker subculture over time (Holt, 2007; Jordan & Taylor, 1998; Steinmetz, 2016). The most common reported reason for performing a defacement was for fun (54.8%), followed by a desire to be the best (25.9%), although 9.1% of respondents did not indicate a reason for their attacks. Patriotism (3.3%) and political (2.4%) motivations were less common, as were challenge (2.1%) and revenge-driven (2.0%) defacements.

It is possible that incidents with no ascribed motive may have been reported by someone other than the defacer. The respondent may have also opted not to express their motive at the time of the incident. In the absence of additional information about the actor, there is still inherent value in including this motivation to assess its correlates relative to all others reported. Thus, all motivations were included in this analysis to identify differences across motivation type, and any unique characteristics for those attacks with no identified motive.

As Zone-H is a historically recognized source for data on defacements (e.g., Romagna & Van den Hout, 2017), it is likely that the individuals who report their activities here do so to gain public recognition for their actions. The overt nature of defacements suggests defacers may be more motivated by notoriety than other hackers who operate in secrecy, such as malware writers and data thieves (Holt, 2013; Leukfeldt, 2014). Thus, the data may be reflective of individuals who are willing to not only hack but to report why they hack to others. Similar tensions between gaining recognition for criminal activities and the desire to remain anonymous have been historically observed in research on hacking (Holt, 2007). Examining the reported motivations of defacers in this data set is essential to better understand the more attention-seeking, active segments of the hacker subculture generally (Holt et al., 2017).

Independent Variables

A series of binary variables was created to measure factors associated with a target’s potential attractiveness to the actor. First, a variable was included to consider the potential value of a target on the basis of whether the defacement targeted the home page of a website or a secondary page (0 = secondary, 1 = home page). Home pages may generate greater attention for the attacker as they would be immediately visible to anyone visiting that URL, although secondary pages may be less secured enabling greater ease of access.

A second variable was included to assess the inertia of a target relative to motive based on whether the attacker engaged in a mass defacement targeting as many pages hosted on a server as possible, or a single page or url (0 = mass defacement, 1 = single defacement). Single defacements may be more carefully targeted, whereas a mass defacement may be more reflective of an individual’s skill or ability.

A third measure was included to consider the visibility of a target to the individual’s motivation based on whether the site was redefaced (0 = no, 1 = yes). This measure captured whether the website was attacked once or multiple times regardless of the defacer.

A final set of four binary measures were included to examine the associations between motivation and target accessibility. The first measure for the location of the server in physical space (0 = other nations, 1 = the Netherlands) explored whether a physical location in the Netherlands may be associated with the risk of defacement relative to actors motivations. Most of the websites in this sample (87%) were hosted in the Netherlands, given they use the .nl TLD.

Second, the operating system of the server was included to assess target suitability and attractiveness on the basis of the use of open- and closed-source programs. It is thought that open-source programs may be more secure than closed-source programs due to the public reporting and patching processes used by open platforms such as Linux (Taylor, 1999). In fact, the majority of servers in this sample utilized some variation of the Linux operating system (83.2%), with the remainder running Macintosh, Microsoft, or Unix-based programs. Those non-Linux systems were combined into a single measure (0 = Linux, 1 = non-Linux) based on their smaller representation in the sample.

Finally, two measures were included to examine any relationship between the use of specific attack methods to access a target and attacker motivation: (a) known vulnerabilities (abbreviated to known vuln.) and (b) SQL injection attacks (0 = no, 1 = yes for each). The use of known vulnerabilities within a server or operating system platform requires some technical proficiency on the part of the actor, and may be more common among those who hack for fun or to develop their skills. SQL injection attacks are also somewhat common, but are anecdotally associated with ideologically motivated defacers like those in the Turkish hacker community (Holt et al., 2017).

Analytic Approach

To examine the relationship between motivations and hypotheses related to routine activity theory, bivariate and multivariate analyses were conducted. First, bivariate analyses were used to show the average scores on the target characteristics by motivation. Second, a multinomial logistic regression model was conducted treating the most frequent reported motivation, just for fun, as the reference category (see Table 2). In additional sensitivity analyses, other reference categories were used to identify differences between other pairs of different motivations as well (see Table 3). The exponential function of the regression coefficients, that is the odds ratios (ORs), is displayed in the tables to indicate the strength of the associations.

Due to the extremely large number of defacements (N = 138,361) in the sample performed by a relatively small number of individuals (N = 3,463), the assumption of independent observations was violated. This would lead to an underestimation of the standard errors when not appropriately corrected for. The analyses were therefore conducted using STATA statistical software using the cluster command to compute robust standard errors. There was no evidence of multicollinearity as the lowest tolerance was .826 across all models and the highest variance inflation factor (VIF) was 1.211.

Results

Table 1 shows the results of the bivariate analyses in which the prevalence of all target characteristics is compared across the different motivations. Those who defaced the home page of websites were most likely to attack for the challenge (63.7%), political reasons (60.0%), and a desire for revenge (55.8%). Attackers using single-page defacements were more likely to be motivated by political reasons (31.9%), for fun (33.3%), and for an unknown or unreported motive (34.0%). Those who wanted to be the best defacer used single defacements less often (13.4%). In addition, site redefacements were more likely to be motivated by revenge (16.1%) and fun (13.6%; see Table 1).

Table 1:

Bivariate Analysis of Target Characteristics by Attacker Motivation

Variables	Fun (%)	Be the best (%)	NA (%)	Patriotism (%)	Political (%)	Challenge (%)	Revenge (%)
Home page	27.4	25.1	26.1	42.1	60.0	63.7	55.8
Single defacement	33.3	13.4	34.0	17.1	31.9	21.1	22.3
Redefacement	13.6	7.3	8.5	12.0	10.4	6.6	16.1
Location	10.8	7.1	9.0	7.0	18.3	19.1	12.6
Operating system	16.3	18.2	14.7	18.9	15.5	17.2	24.0
Known vuln.	16.8	1.1	2.4	13.7	3.4	2.0	22.0
SQL injection	22.5	1.4	2.3	22.5	17.2	26.3	9.1

Note. NA = not available.

Those who deface as a challenge (19.1%) and for political reasons (18.3%) were most likely to target servers located outside the Netherlands. Individuals who defaced websites to be the best (7.1%) and out of patriotism (7.0%) were the least likely to attack a server located outside the Netherlands. Those who defaced targets for revenge against the website (24.0%) were most likely to target servers using non-Linux software. Individuals who used known vulnerabilities were more likely to be motivated by a desire to have fun (16.8%), patriotism (13.7%), and revenge (22.0%). Finally, the use of SQL injection attacks were associated with those who were motivated by a challenge (26.3%), for fun (22.5%), patriotism (22.5%), and political reasons (17.2%). Those who wanted to be the best defacer (1.4%) or did not report a motivation (2.3%) were less likely to use SQL injection attacks.

Next, a multinomial logistic regression analysis was used to test whether the differences shown in Table 1 were significant, after controlling for the other independent variables and for the clustering of defacements within actors. The results of this analysis are shown in Tables 2 and 3. First, the results show that attacks performed for fun were significantly less likely to affect home pages than attacks performed for the challenge, political reasons, and out of revenge. The ORs indicate that attacks performed for these reasons had between 229% and 365% higher odds to target home pages than those performed for fun. Additional analyses with other reference categories (see Table 3) show that attacks performed to be the best, for patriotic reasons, or without a reported reason were also less likely to target home pages than attacks performed for the challenge, for political reasons, and out of revenge.

Table 2:

Multinomial Logistic Regression Model for Defacements (N = 138,361), Clustered by Attacker (N = 3,463)

	Fun	Be the best		Challenge		Patriotism		Political		Revenge		Not available
Variables	Reference category	OR	SE	OR	SE	OR	SE	OR	SE	OR	SE	OR	SE
Home page		0.75	0.34	4.65	1.45***	1.82	0.78	4.14	0.98***	3.39	1.14***	0.87	0.53
Single defacement		0.53	0.22	0.74	0.20	0.44	0.21	1.47	0.34	0.81	0.21	1.75	0.67
Redefacement		0.66	0.13*	0.53	0.11**	0.96	0.26	0.82	0.19	1.44	0.52	0.65	0.11*
Location		0.82	0.25	1.88	0.59*	0.60	0.16	1.95	0.42**	1.12	0.28	0.94	0.24
Operating system		0.98	0.41	1.43	0.59	1.31	0.74	1.25	0.31	1.99	0.80	0.82	0.24
Known vuln.		0.05	0.02***	0.10	0.05**	0.94	0.63	0.14	0.07***	1.17	0.62	0.08	0.06**
SQL injection		0.05	0.03***	1.27	0.78	1.31	1.39	0.63	0.38	0.43	0.24	0.06	0.05**
Constant		0.97	0.43	0.02	0.01***	0.06	0.02***	0.02	0.01***	0.02	0.01***	0.25	0.16*

Note. OR = odds ratio; SE = robust standard error; χ = 349.87***; Pseudo R² = .1043; −2LL = −1,526,680.02.

p < .05. **p < .01. ***p < .001.

Table 3:

Multinomial Logistic Regression Model for Defacements (N = 138,361), Clustered by Attacker (N = 3,463)

	Fun		Be the best		Challenge		Patriotism		Political		Revenge		Not available
Variables	OR	SE	Reference category		OR	SE	OR	SE	OR	SE	OR	SE	OR	SE
Home page	1.33	0.60			6.19	3.09***	2.42	1.35	5.52	2.59***	4.52	2.26**	1.16	0.82
Single defacement	1.89	0.80			1.40	0.63	0.84	0.39	2.77	1.16*	1.52	0.67	3.30	1.51**
Redefacement	1.52	0.30*			0.80	0.15	1.46	0.41	1.25	0.26	2.20	0.76*	0.99	0.19
Location	1.22	0.37			2.29	0.99	0.73	0.27	2.38	0.87*	1.36	0.55	1.15	0.43
Operating system	1.02	0.43			1.46	0.90	1.33	1.08	1.27	0.65	2.03	1.23	0.84	0.50
Known Vuln.	21.13	9.24***			2.14	1.10	19.88	14.50***	2.97	1.56*	24.71	13.81***	1.65	1.29
SQL injection	20.67	13.00***			26.18	13.50***	26.98	29.02**	13.10	6.19***	8.80	3.91***	1.14	0.91
	Fun		Be the best		Challenge		Patriotism		Political		Revenge		Not available
Variables	OR	SE	OR	SE	Reference category		OR	SE	OR	SE	OR	SE	OR	SE
Home page	0.22	0.07***	0.16	0.08***			0.39	0.18*	0.89	0.24	0.73	0.26	0.19	0.12**
Single defacement	1.35	0.37	0.71	0.32			0.60	0.31	1.98	0.46**	1.09	0.31	2.36	0.83*
Redefacement	1.90	0.41**	1.24	0.23			1.82	0.51*	1.56	0.36	2.73	0.98**	1.23	0.25
Location	0.53	0.17*	0.44	0.19			0.32	0.13**	1.04	0.34	0.60	0.21	0.50	0.18*
Operating system	0.70	0.29	0.69	0.42			0.91	0.55	0.87	0.37	1.39	0.70	0.57	0.24
Known Vuln.	9.88	4.74***	0.47	0.24			9.30	6.47**	1.39	0.77	11.55	6.63***	0.77	0.62
SQL injection	0.79	0.48	0.04	0.02***			1.03	0.97	0.50	0.22	0.34	0.15*	0.04	0.03***
	Fun		Be the best		Challenge		Patriotism		Political		Revenge		Not available
Variables	OR	SE	OR	SE	OR	SE	Reference category		OR	SE	OR	SE	OR	SE
Home page	0.55	0.24	0.41	0.23	2.28	0.93*			2.28	0.93*	1.87	0.87	0.48	0.33
Single defacement	2.26	1.05	1.20	0.55	1.68	0.88			3.32	1.71*	1.82	0.93	3.95	2.23*
Redefacement	1.04	0.29	0.68	0.19	0.55	0.15*			0.86	0.26	1.50	0.62	0.68	0.19
Location	1.66	0.45	1.37	0.51	3.12	1.24**			3.25	1.09***	1.86	0.68	1.57	0.56
Operating system	0.76	0.43	0.75	0.61	1.09	0.66			0.96	0.50	1.52	0.94	0.63	0.28
Known Vuln.	1.06	0.71	0.05	0.04***	0.11	0.07**			0.15	0.11**	1.24	0.91	0.08	0.08**
SQL injection	0.77	0.81	0.04	0.04**	0.97	0.92			0.49	0.40	0.33	0.29	0.04	0.05**
	Fun		Be the best		Challenge		Patriotism		Political		Revenge		Not available
Variables	OR	SE	OR	SE	OR	SE	OR	SE	Reference category		OR	SE	OR	SE
Home page	0.24	0.06***	0.18	0.08***	1.12	0.30	0.44	0.18*			0.82	0.24	0.21	0.13**
Single defacement	0.68	0.16	0.36	0.15*	0.50	0.12**	0.30	0.15*			0.55	0.13*	1.19	0.35
Redefacement	1.22	0.29	0.80	0.17	0.64	0.15	1.17	0.35			1.75	0.66	0.79	0.18
Location	0.51	0.11**	0.42	0.15*	0.96	0.31	0.31	0.10***			0.57	0.15*	0.48	0.13**
Operating system	0.80	0.20	0.79	0.40	1.14	0.48	1.05	0.55			1.59	0.64	0.66	0.18
Known Vuln.	7.12	3.64***	0.34	0.18*	0.72	0.40	6.70	4.83**			8.32	4.88***	0.56	0.45
SQL injection	1.58	0.95	0.08	0.04***	2.00	0.87	2.06	1.71			0.67	0.21	0.09	0.06**
	Fun		Be the best		Challenge		Patriotism		Political		Revenge		Not available
Variables	OR	SE	OR	SE	OR	SE	OR	SE	OR	SE	Reference category		OR	SE
Home page	0.29	0.10***	0.22	0.11**	1.37	0.50	0.54	0.25	1.22	0.36			0.26	0.16*
Single defacement	1.24	0.32	0.66	0.29	0.92	0.27	0.55	0.28	1.82	0.43*			2.17	0.75*
Redefacement	0.69	0.25	0.46	0.16*	0.37	0.13**	0.66	0.27	0.57	0.21			0.45	0.16*
Location	0.89	0.23	0.73	0.29	1.68	0.59	0.54	0.20	1.74	0.45*			0.84	0.25
Operating system	0.50	0.20	0.49	0.30	0.72	0.36	0.66	0.41	0.63	0.25			0.41	0.17*
Known vuln.	0.86	0.46	0.04	0.02***	0.09	0.05***	0.80	0.59	0.12	0.07***			0.07	0.06**
SQL injection	2.35	1.34	0.11	0.05***	2.98	1.28*	3.07	2.77	1.49	0.47			0.13	0.10**

Note. OR = odds ratio; SE = robust standard error; χ = 349.87***; Pseudo R² = .1043; −2LL = −1,526,680.02.

p < .05. **p < .01. ***p < .001.

The results in Table 2 further show that attacks performed for fun were not significantly more or less likely to be a single defacement than attacks performed for other reasons. The additional analyses showed some significant differences between the other reported motivations. Those who defaced for political reasons or who did not report a motivation were significantly more likely to use single defacements than those motivated to be the best, for the challenge, patriotic reasons, and revenge (see Table 3).

Moreover, defacements performed for fun were commonly redefacements of the same targets. Table 2 shows that attacks performed to be the best, for the challenge, and without reported motivation had between 47% and 34% lower odds of being a redefacement than attacks performed for fun. The sensitivity analyses show similar results for attacks performed for revenge (see Table 3). Also, those driven by patriotic motives were more likely to perform redefacements than those who attack for a challenge (see Table 3).

Next, attacks performed for political reasons and as a challenge had 95% and 88% higher odds, respectively, of targeting a website hosted outside the Netherlands relative to those performed for fun. The sensitivity analyses presented in Table 3 show that attacks for those two reasons were also more likely to target websites hosted outside the Netherlands compared with almost all other motivation categories.

The type of operating system software used on the server hosting the target website did not have a strong association with attacker motivations. Table 2 shows that those who defaced websites for fun were not significantly more or less likely to target a Linux operating system than those who reported another motivation. In the additional analyses with other reference categories, only one significant difference was found: Those who defaced for revenge were more likely to target servers using non-Linux software than those who did not report a motivation (see Table 3).

The attack methods also differ significantly between reported motivations. Those who defaced websites to be the best, as a challenge, for political reasons, and unknown motivations were significantly less likely to exploit known vulnerabilities than those who attack for fun. This difference was the largest for defacers who wanted to be the best, who were 95% less likely to use this attack method. The additional analyses also show that defacers with patriotic motives or who wanted revenge were more likely to exploit known vulnerabilities than attackers with any of those four motivations (see Table 3).

Finally, SQL injections were significantly more often used when an attack was performed for fun than to be the best, or for unknown reasons. The ORs indicate a large difference, as attackers who reported these two motivations were 95% and 94% less likely to use SQL injections, respectively. Moreover, the results from the sensitivity analyses indicate that those attackers were also significantly less likely to use SQL injections compared with all other motivations reported (see Table 3).

Discussion

This study examined differences in the target selections of individuals who engage in web defacements based on the actor’s motivations using a routine activity theory model of target value, inertia, visibility, and accessibility. Although research has considered the applicability of routine activity theory to account for various forms of crime on- and offline, few consider the role of motivation in this theory or the extent to which motive shapes target suitability (Sasse, 2005; Schwartz et al., 2001), especially with respect to cybercrime (Holt & Bossler, 2015). As a result, this study sought to examine the relationship between motivation, target suitability, and the risk of experiencing a web defacement, or hack where the content of a website is changed by an attacker (Romagna & Van den Hout, 2017; Woo et al., 2004).

The results provided partial support for the postulates of visibility, inertia, and accessibility within routine activity theory to account for attacker motivation and target suitability (Cohen & Felson, 1979; Decker, 1993; Felson, 1998; Sasse, 2005). First, the value of a target based on its appearance within a website was associated with specific motives for defacement. Individuals were more likely to affect the home page of a site when they were motivated by an ideological or challenge-based motive, whereas those driven by a desire to have fun, be the best, for patriotism, and for no specific reason were more likely to target the secondary page of a website. This may be a reflection of the need to affect a high-visibility target to demonstrate skill within the hacker subculture (Holt, 2007; Steinmetz, 2016), or obtain more witnesses to political messaging (Holt et al., 2017; Jordan & Taylor, 2004).

This analysis also found partial support for aspects of inertia associated with defacer motivation. Individuals motivated by a desire to be the best were more likely to use mass defacements, suggesting the importance of large targets to gain greater social status (Holt, 2007; Jordan & Taylor, 1998). Defacers motivated by patriotism were more likely to use mass defacements in keeping with the need to generate the greatest possible visibility for their hack in a short amount of time (Romagna & Van den Hout, 2017; Woo et al., 2004). As a result, inertia may have some influence on target selection in virtual environments, despite the otherwise weightless nature of online content generally (Yar, 2005). Further study is needed examining target inertia dynamics with other forms of cybercrime, as it is largely ignored in the research literature (Leukfeldt & Yar, 2016).

The visibility of a target was also associated with entertainment and ideological motivations, as these motives were significantly associated with the use of redefacements. Actors may be more likely to target these sites repeatedly because of some perceived slight, or need to express their anger or displeasure at a specific target. These findings reinforce the broader cybercrime literature that demonstrates the importance of target visibility for both property and person-based cybercrimes (Leukfeldt & Yar, 2016).

Finally, this study found mixed support regarding the accessibility of targets. First, those who defaced sites for fun, to be the best, patriotism, revenge, and no specified motivation were more likely to target websites located within the Netherlands. Political defacements and those driven by a challenge were more likely to target sites physically of the Netherlands which may be a function of perceptual differences in the nature of these targets (Holt et al., 2017; Maimon et al., 2013). There was, however, no support found for a relationship between a target’s operating system and the motivation of an attacker. Further study is needed to assess these relationships as prior criminological inquiry has largely focused on home computer users as targets for hacks and malware infections, rather than web servers (see Holt et al., 2018; Leukfeldt & Yar, 2016).

Actors motivated by a desire to have fun, seek revenge, and patriotism were more likely to use known vulnerabilities in their attacks. Common attack methods may increase their potential likelihood of successful defacements (Holt et al., 2017; Romagna & Van den Hout, 2017). Those attackers who wanted to be the best, or had an unknown motive were less likely to use known vulnerabilities and SQL injection to perform their attacks. These results reinforce the notion that demonstrations of technological skill are of significant importance in the hacker subculture generally (Holt, 2007; Jordan & Taylor, 1998; Steinmetz, 2016).

In sum, this study demonstrated the value in examining the relationship between offender motivation and target selection with respect to cybercrime. The results are also similar to research on physical violence driven by ideological motives compared with expressive motives (Decker, 1993; Parkin & Freilich, 2015). Ideological actors were more likely to engage in repeated defacements of the same target and affect their home pages using common attack methods. Individuals driven by motives that reflect values of the hacker subculture were more likely to engage in mass defacements of targets and utilize less common attack methods. As such, defacers’ decisions to target certain websites may be understood as a function of their motivation and perceptions of target characteristics. Further study is needed with a larger sample of defacements from additional countries to consider whether these relationships persist across place.

There are several limitations in the data that require further analysis and replication to validate these findings. First, this analysis focused on an expressive form of cybercrime as defacers cannot necessarily monetize their attacks. The importance of economic gain as a motive for participation in cybercrime cannot be understated (Holt & Bossler, 2015; Leukfeldt, 2014). Additional research is needed to examine the ways instrumental motivations shape the target selection process relate to more expressive motivations, such as ideological or entertainment-related causes.

Furthermore, these data are derived from self-reports provided by individuals who notify the Zone-H website. The findings of this analysis may be generalizable only to hackers who are willing to discuss their actions with others. This likely differs from the actions and practices of individuals who seek to operate without drawing scrutiny to their actions (Holt, 2013; Hutchings & Clayton, 2016). It is also possible that the individual who made the report may not be the actual defacer, or that the notifier provided false information to conceal their true reasons for performing an attack. The forced choice options provided by the reporting site may also affect the respondents’ decision to select a specific motive over another.

Similarly, we do not know what factors may have precipitated attacks where the actor does not specify a motivation (Romagna & Van den Hout, 2017; Woo et al., 2004). It is unclear whether these defacements truly differ from all other categories or are a reflection of attacks reported by someone other than the original attacker. Further research is needed to more thoroughly analyze these incidents to determine how they differ from defacements with a clearly identified motivation. For instance, a multimethod analysis is needed combining qualitative and quantitative strategies to code the images, video, and text appearing in the defaced site to triangulate the extent to which this information corresponds to the self-reported motivation. Such strategies may be essential to clarify the nature of defacements by motive and validate the self-reported cause relative to language used in the attack text itself (e.g., Holt et al., 2017).

Although these data provide a comprehensive analysis of defacements targeting any site resolving to the .nl domain, the results may not be applicable to other European nations, or the rest of world. It is essential that researchers replicate this analysis using similar data sources from other nations to examine the relationship between target selection factors and motivation in a cross-national context. In turn, we may better identify variations in attacker behavior relative to the physical and technological resources of other nations. Finally, this study did not include any direct measures for guardianship, which may influence attacker decision-making. Future study is needed assessing factors associated with target hardening and protective measures to consider how guardianship affects the risk of defacement, and provide a more complete test of routine activity theory.

Despite these limitations, this study provides specific directions for cybersecurity and criminal justice policy and practice. First, this analysis demonstrates the need for cybersecurity practitioners to take more proactive steps to improve the security posture of their websites. Defacers appeared to utilize common vulnerabilities and means of attack, and engaged in repeat defacements when driven by an ideological motivation. The risk of such attacks being successfully completed could be reduced through the application of security patches, which insert new programming code to secure existing vulnerabilities in software (Holt & Bossler, 2015; Maimon et al., 2013; Newman & Clarke, 2003). Such methods align with aspects of situational crime prevention by hardening the target and increasing the difficulty required to complete an attack (Holt & Bossler, 2015; Newman & Clarke, 2003).

At the same time, security patching may not deter attackers driven by subcultural values like a desire to be known for their skill or a security challenge (Holt et al., 2017). These attackers were less likely to use common attack methods, making them capable of circumventing existing security tools and complete a defacement. One of the only way to reduce these threats would be through the use of careful security audits performed by independent third parties who can utilize so-called “penetration testing,” or ethical hacking techniques. These services operate similarly to a traditional external attacker to determine where vulnerabilities may be present within computer systems (Andress & Winterfeld, 2013; Holt & Bossler, 2015). Active attack and defense games performed by employees within an organization may also help identify less common, yet still potentially successful attack methods and secure them prior to a compromise (Holt & Bossler, 2015).

The findings of this analysis also provide direction for criminal justice system responses to computer hackers. Although hacking has been criminalized in Western nations since the 1980s, there have been a relatively small number of individuals arrested and prosecuted for these offenses (see Payne et al., 2019; Smith et al., 2004). This trend is particularly concerning given the increased economic harm resulting from hacks that affect retailers and payment processors (Holt & Bossler, 2015). Law enforcement and policy agencies have become increasingly focused on methods to detect and deter hackers at early ages toward prosocial hacking activities (Holt & Bossler, 2015; NCA, 2017). It is thought that early diversionary interventions may be effective in reducing the likelihood individuals engage in more serious, economically damaging hacks over time (NCA, 2017).

This study suggests there may be inherent value in pursing investigations against defacers, particularly those who report doing so for subcultural motives such as demonstrating their skill or to be the best. Defacements are inherently illegal as the attacker must utilize a service without permission from the system owner or operator and alter online content (Woo et al., 2004). Thus, defacements may present an excellent point for intervention as the attacker is broadcasting their abilities to the public in an overt manner that suggests their interests and intentions. The findings of this analysis suggest law enforcement may benefit from investigating individuals who engage in mass defacements due to an association between this attack practice and actor motivation. As these defacers are also less likely to use common attack methods, they may also be at a point where their skills are increasing and could be used for more malicious and damaging hacks (Holt, 2007). Thus, this may be a key point to intervene in the trajectory of hackers and minimize future criminality.

Footnotes

ORCID iDs

Thomas J. Holt

Steve van de Weijer

Thomas J. Holt is a professor in the School of Criminal Justice at Michigan State University whose research focuses on cybercrime and technology-related deviance. His work has been published in a range of journals, including Crime & Delinquency, Journal of Criminal Justice, and Terrorism & Political Violence. He is also a fellow in the cybercrime cluster at the Netherlands Institute for the Study of Crime and Law Enforcement (NSCR).

Rutger Leukfeldt is senior researcher and the cybercrime cluster coordinator at the Netherlands Institute for the Study of Crime and Law Enforcement (NSCR) and academic director of the Centre of Expertise Cybersecurity of the Hague University of Applied Sciences. His work focuses on the human factor in cybercrime and cybersecurity.

Steve van de Weijer is researcher at the NSCR, Amsterdam, the Netherlands. His research focuses on life-course criminology, intergenerational transmission of crime, genetic influences on criminal behavior, and cybercrime.

References

Andress

Winterfeld

(2013). Cyber warfare: Techniques, tactics and tools for security practitioners. Elsevier.

Arbor Networks. (2019). NETSCOUT’s 14th annual worldwide infrastructure security report. https://www.netscout.com/report/

Birkbeck

LaFree

(1993). The situational analysis of crime and deviance. Annual Review of Sociology, 19(1), 113–137.

Bossler

A. M.

Holt

T. J.

(2010). Online activities, guardianship, and malware infection: An examination of routine activities theory. International Journal of Cyber Criminology, 3(1), 30–55.

CIA World Factbook. (2019). The Netherlands. https://www.cia.gov/library/publications/the-world-factbook/geos/nl.html

Clarke

Felson

(1993). Routine activity and rational choice. Transaction Press.

Cohen

L. E.

Felson

(1979). Social change and crime rate trends: A routine activity approach. American Sociological Review, 44(4), 588–608.

Computer Security Institute. (2011). 2010/2011 Computer crime and security survey. https://cours.etsmtl.ca/gti619/documents/divers/CSIsurvey2010.pdf

Decker

S. H.

(1993). Exploring victim-offender relationships in homicide: The role of individual and event characteristics. Justice Quarterly, 10, 585–612.

10.

Decoster

Estes

Mueller

(1999). Routine activities and sexual harassment in the workplace. Work and Occupations, 26, 21–49.

11.

Denning

D. E.

(2011). Cyber-conflict as an emergent social problem. In Holt

T. J.

Schell

B. H.

(Eds.), Corporate hacking and technology-driven crime: Social dynamics and implications (pp. 170–186). IGI Global.

12.

Egusa

Cohen

(2015, July 5). The Netherlands: A look at the world’s high-tech startup capital. Tech Crunch. https://techcrunch.com/2015/07/05/the-netherlands-a-look-at-the-worlds-high-tech-startup-capital/

13.

Felson

(1994). Crime and everyday life: Insight and implications for society. SAGE.

14.

Felson

(1998). Crime and everyday life (2nd ed.). Pine Forge Press.

15.

Fisher

B. S.

Cullen

F. T.

Turner

M. G.

(2002). Being pursued: Stalking victimization in a national study of college women. Criminology & Public Policy, 1, 257–308.

16.

Furnell

(2002). Cybercrime: Vandalizing the information society. Addison-Wesley.

17.

Groff

E. R.

(2007). Simulation for theory testing and experimentation: An example using routine activity theory and street robbery. Journal of Quantitative Criminology, 23(2), 75–103.

18.

Holt

T. J.

(2007). Subcultural evolution? Examining the influence of on- and off-line experiences on deviant subcultures. Deviant Behavior, 28, 171–198.

19.

Holt

T. J.

(2013). Exploring the social organisation and structure of stolen data markets. Global Crime, 14(2-3), 155–174.

20.

Holt

T. J.

Bossler

(2015). Cybercrime in progress: Theory and prevention of technology-enabled offenses. Routledge.

21.

Holt

T. J.

Bossler

A. M.

(2008). Examining the applicability of lifestyle-routine activities theory for cybercrime victimization. Deviant Behavior, 30, 1–25.

22.

Holt

T. J.

Bossler

A. M.

(2013). Examining the relationship between routine activities and malware infection indicators. Journal of Contemporary Criminal Justice, 29, 420–436.

23.

Holt

T. J.

Burruss

G. W.

Bossler

A. M.

(2018). Assessing the macro-level correlates of malware infections using a routine activities framework. International Journal of Offender Therapy and Comparative Criminology, 62(6), 1720–1741.

24.

Holt

T. J.

Freilich

J. D.

Chermak

S. M.

(2017). Exploring the subculture of ideologically motivated cyber-attackers. Journal of Contemporary Criminal Justice, 33(3), 212–233.

25.

Hutchings

Clayton

(2016). Exploring the provision of online booter services. Deviant Behavior, 37(10), 1163–1178.

26.

Jensen

G. F.

Brownfield

(1986). Gender, lifestyles, and victimization: Beyond routine activity. Violence and Victims, 1(2), 85–110.

27.

Jordan

Taylor

(1998). A sociology of hackers. The Sociological Review, 46, 757–780.

28.

Jordan

Taylor

(2004). Hacktivism and cyberwars: Rebels with a cause? Routledge.

29.

Katz

(1988). The seductions of crime. Basic Books.

30.

Kilger

(2011). Social dynamics and the future of technology-driven crime. In Holt

T. J.

Schell

B. H.

(Eds.), Corporate hacking and technology driven crime: Social dynamics and implications (pp. 205–227). IGI Global.

31.

Kirwan

Power

(2013). Cybercrime: The psychology of online offenders. Cambridge University Press.

32.

Lauritsen

J. L.

Sampson

R. J.

Laub

J. H.

(1991). The link between offending and victimization among adolescents. Criminology, 29, 265–292.

33.

Leukfeldt

E. R.

(2014). Cybercrime and social ties: Phishing in Amsterdam. Trends in Organized Crime, 17, 231–249.

34.

Leukfeldt

E. R.

Yar

(2016). Applying routine activity theory to cybercrime: A theoretical and empirical analysis. Deviant Behavior, 37, 263–280.

35.

Maggi

Balduzzi

Flores

Ciancaglini

(2018). Investigating web defacement campaigns at large. In Proceedings of the 2018 on Asia Conference on Computer and Communications Security (pp. 443–456). Association for Computing Machinery.

36.

Maimon

Kamerdze

Cukier

Sobesto

(2013). Daily trends and origin of computer-focused crimes against a large university computer network. British Journal of Criminology, 53, 319–343.

37.

Marcum

C. D.

Ricketts

M. L.

Higgins

G. E.

(2010). Assessing sex experiences of online victimization: An examination of adolescent online behaviors utilizing routine activity theory. Criminal Justice Review, 35(4), 412–437.

38.

Mustaine

E. E.

Tewksbury

(1999). A routine activity theory explanation for women’s stalking victimizations. Violence Against Women, 5, 43–62.

39.

NCA. (2017). Intelligence Assessment: Pathways Into Cybercrime. National Cyber Crime Unit/Prevent Team. London: National Crime Agency. https://www.nationalcrimeagency.gov.uk/who-we-are/publications/6-pathways-into-cyber-crime-1/file

40.

Newman

Clarke

(2003). Superhighway robbery: Preventing e-commerce crime. Willan Press.

41.

Parkin

W. S.

Freilich

J. D.

(2015). Routine activities and right-wing extremists: An empirical comparison of the victims of ideologically- and non-ideologically-motivated homicides committed by American far-rightists. Terrorism and Political Violence, 27, 182–203.

42.

Passeri

(2014, September 8). August 2014 cyber attacks statistics. Hackmageddon. http://hackmageddon.com/2014/09/08/august-2014-cyber-attacks-statistics/

43.

Payne

May

D. C.

Hadzhidimova

(2019). America’s most wanted criminals: Comparing cybercriminals and traditional criminals. Criminal Justice Studies, 32, 1–15.

44.

Ponemon Institute. (2017). 2016 cost of cyber crime study.

45.

Pratt

T. C.

Holtfreter

Reisig

M. D.

(2010). Routine online activity and internet fraud targeting: Extending the generality of routine activity theory. Journal of Research in Crime & Delinquency, 43, 267–296.

46.

Reyns

(2013). Online routines and identity theft victimization: Further expanding routine activity theory beyond direct-contact offenses. Journal of Research in Crime & Delinquency, 50, 216–238.

47.

Romagna

Van den Hout

N. J.

(2017). Hacktivism and website defacement: Motivations, capabilities and potential threats. 27th Virus Bulletin International Conference, 1, 1–10.

48.

Sasse

(2005). “Motivation” and routine activities theory. Deviant Behavior, 26, 547–570.

49.

Schwartz

M. D.

DeKeseredy

W. S.

Tait

Alvi

(2001). Male peer support and a feminist routing activities theory: Understanding sexual assault on the college campus. Justice Quarterly, 18(3), 623–649.

50.

Smith

R. G.

Grabosky

Urbas

(2004). Cyber criminals on trial. Cambridge University Press.

51.

Steinmetz

K. F.

(2016). Hacked: A radical approach to hacker culture and crime. New York University Press.

52.

Symantec Corporation. (2018). Symantec internet security threat report (Vol. 23). http://www.symantec.com/threatreport/

53.

Taylor

(1999). Hackers: Crime in the digital sublime. Routledge.

54.

Van Riper

. (2017, October 15). Turk Hack Tezm and the “Netherlands Operation.” Digital Shadows. https://www.digitalshadows.com/blog-and-research/turk-hack-team-and-the-netherlands-operation/

55.

Wall

D. S.

(2007). Cybercrime: The transformation of crime in the information age. Polity Press.

56.

World Intellectual Property Organization. (2019). The Netherlands. https://www.wipo.int/members/en/details.jsp?country_id=130

57.

Woo

Kim

Dominick

(2004). Hackers: Militants or merry pranksters? A content analysis of defaced web pages. Media Psychology, 6, 63–82.

58.

Yar

(2005). The novelty of “cybercrime”: An assessment in light of routine activity theory. European Journal of Criminology, 2, 407–427.

59.

Zone-H. (2018). News. http://www.zone-h.org/news/id/4737