Abstract
Hackers often engage in website defacement early in their criminal careers to establish a reputation. Some hackers become increasingly prolific and launch a large number of attacks against their targets, whereas others only launch a few attacks before eventually desisting from a life of crime. A better understanding of why some hackers launch a large number of attacks, while others do not, will assist in the implementation of targeted intervention strategies. Therefore, the current study, using a sample of 119 active hackers, seeks to answer two research questions: (1) Are there different groups of website defacers based on attack volume? (2) Which observed hacker-level characteristics can be used to predict latent class membership? We find that two unique groups of website defacers exist: low-volume defacers (69%) and high-volume defacers (31%). Social media presence, the content of the defacement, and the type of defacement are all predictive of latent class membership. Policy implications are discussed.
Website defacement (i.e., changing a website’s visual appearance without permission) is a major security concern for any organization with an online presence. Once a website is defaced, the associated organization’s reputation can be damaged, given it was unable to protect itself from an overt cyberattack. After a defacement, consumers may question whether to entrust personal information to a company; citizens may wonder whether they should hand over sensitive data to their government.
Although over 1 million websites are defaced each year (Zone-h, 2019), scant criminological attention has been paid to website defacement. In recent years, however, some scholars have recognized the importance of studying website defacement behavior and have examined the correlates of both offending (Maimon, Fukuda, et al., 2017; Ooi et al., 2012) and victimization (Holt et al., 2020; Howell et al., 2019). Despite improving our understanding about the modus operandi and rationale of hackers who deface websites, we still do not have a solid typology of website defacers. It remains unclear, for example, whether these hackers can be classified based on the volume of attacks they generate or whether observable artifacts of their behavior can be used to classify group membership. Research into other types of criminality has demonstrated the existence of a class of chronic, persistent offenders (Moffitt, 1993); we should therefore also examine this facet of cybercrimes.
The utility of classification, organizing entities into discrete groups (Gottfredson, 1987), is well-known to criminologists and has been successfully used in both the physical world (e.g., Fox & Farrington, 2012) and in cyberspace (e.g., Zhang et al., 2015). In the physical world, Fox and Farrington (2012) developed an evidence-based approach to profiling burglars, which when implemented by police detectives, increased the number of arrests for burglary across agencies (Fox & Farrington, 2015). In addition to effectively aiding law enforcement, classification techniques have been used to develop criminological theory (Moffitt, 1993) and garner insight into troublesome behaviors (Jeanis et al., 2019).
In cyberspace, criminologists have used classification techniques to better understand cybercrimes and offenders (Burruss et al., 2019; Holt et al., 2012; Zhang et al., 2015). Hackers are often grouped based on their skills, knowledge, resources, access to the target organization, and motivation to offend (Maimon, Babko-Malaya, et al., 2017). The earliest known hacker typology was created by Landreth (1985), who grouped hackers into five categories: novices, students, tourists, crashers, and thieves. Landreth’s typology, and most subsequent classification attempts, is descriptive and lacks methodological rigor. A more meaningful, and scientifically rigorous, classification would group hackers based on observational differences. In other words, groups should be identified based on data rather than intuition.
From a security perspective, identifying distinct groups of website defacers would help system administrators better understand their adversary, thus allowing for the adoption of targeted countermeasures (Bendovschi, 2015). Moreover, website defacement is often the first step for many hackers entering into a life of online crime (Furnell, 2003). Although some hackers launch very few attacks before naturally desisting, others become increasingly prolific and advance to more sophisticated types of hacking (Kao et al., 2009). Classifying hackers across various attributes, such as attack volume, and identifying the factors associated with proliferation can aid in the creation of proactive policies aimed at identifying and deterring would-be prolific hackers early in their career. Conversely, treating website defacers as the same, if different groups do exist, can hamper targeted intervention attempts.
A cursory observation of defacers listed on the open-sourced website Zone-h reveals that some hackers appear many times in a short time frame while many are listed infrequently. The current study is the first attempt at discovering if, and how many, groups of website defacers exist based on the volume of website attacks. Using a sample of 119 active website defacers who are capable of launching attacks against important websites (i.e., special defacements), the current study employs finite mixture modeling to determine whether different distributions exist based on the volume of defacements. After categorizing the hackers by attack volume, we use negative binomial regression to model whether the correlates of defacement vary across the identified latent distributions.
Literature Review
Hacker Typologies
Although no known study has examined whether different types of website defacers exist, multiple attempts have been made to classify hackers into groups based on their skills, knowledge, resources, access to the target organization, and motivations to offend (Maimon, Babko-Malaya, et al., 2017). When computers entered mainstream markets in the 1980s, the term hacker was used to describe anyone capable of manipulating computer systems (Meyers et al., 2009). Soon after, the term hacker was reserved for those who engage in malicious behavior, becoming synonymous with the word cybercriminal (Rogers, 2006).
An early attempt to further classify hackers, or cybercriminals, into groups was offered by Landreth (1985). Landreth, a hacker himself, argued for the existence of five groups of hackers: novices, students, tourists, crashers, and thieves. As the names suggest, novices are entry-level hackers, often younger with the inability to launch sophisticated attacks. Students engage in hacking for the intellectual challenge, typically without a criminal motivation. Tourists engage in attacks for the associated thrill. Crashers engage in destructive behavior and intentionally damage systems. Thieves are financially motivated professionals who launch strategic attacks against their targets. Since Landreth (1985), multiple other attempts have been made to categorize hackers (i.e., Chantler, 1996; Hollinger, 1988; Meyers et al., 2009; Parker, 1998; Power, 1998). Each categorization is slightly different, but all are based largely on motivation and skill. Unfortunately, the majority of these classification attempts are descriptive and lack empirical support.
In recent years, a few scholars have found success in grouping hackers based on the content they post in popular hacker forums. For example, Zhang et al. (2015) used messages posted in hacker forums to classify hackers into four types: guru hackers, casual hackers, learning hackers, and novice hackers. Guru hackers are knowledgeable and educate other hackers on the forum. Casual hackers and learning hackers use the forums to enhance their knowledge. Novice hackers are the least knowledgeable group and are often only active on the forum for a short period of time. Similarly, Holt et al. (2012) examined the social network of Russian hackers finding only a limited number of skilled ones relative to the number of novices. Such forum data allow qualitative data (e.g., type of post) to be transformed into quantitative measures that can be used to systematically classify hackers. However, because forum data are limited to those active on the forum, these classification attempts suffer from limited generalizability. Therefore, researchers cannot be certain those posting on forums represent the larger population of hackers. The best solution for increased generalizability requires large data collection efforts focused on active offenders (Howell & Burruss, 2020).
Arguably, the most systematic profiling of hackers to date uses data from the hackers’ profiling project (HHP), which operates in cooperation with the United Nations. Using this rich data source, researchers were able to group hackers into multiple subtypes: script kiddies (i.e., low-level hackers), high-level hackers, and industrial espionage/terrorism hackers (Institute for Security and Open Methodologies, 2012). Script kiddies are typically financially motivated and execute low-skill attacks using classic phishing tactics or social engineering. Unlike script kiddies, high-level hackers seem to be motivated by intrinsic enjoyment and can launch sophisticated attacks against their targets. Industrial espionage/terrorism hackers are often hired mercenaries. Unfortunately, even the HHP classification fails to consider a multitude of distinguishing factors such as attack frequency, self-promotion through social media engagement, and (when examining hackers who attack websites) attack content.
Website Defacement
Less is known about hackers who engage in website defacement. Nevertheless, we do know that unlike many hackers who seek to erase evidence of their intrusion (Howell et al., 2017), hackers who engage in attacks against websites often brag about their successful exploits on various platforms (Maimon, Fukuda, et al., 2017), making them ideal subjects for empirical analysis (Howell & Burruss, 2020). Although website defacement originated to mock system administrators for poor security protocol (Kilger, 2011), hackers now engage in website defacement for a variety of reasons (Holt et al., 2020). Interestingly, Holt et al. (2020) found hackers’ motivations are predictive of target selection. Corroborating this finding, Holt et al. (2019) report that far-left extremists deface websites belonging to businesses they deem unethical in social protest. Moreover, Woo and colleagues (2004) examined the content of 464 defaced websites and found that 30% could be classified as political. Defacements categorized as political tend to be more aggressive than nonpolitical defacements (Woo et al., 2004) and often occur during wartime (Geers, 2008). Taken together, these studies show that hackers who engage in attacks against websites vary in the type of content used in an attack and their motivation for launching the attack.
Some criminologists also believe social media platforms serve as a vehicle through which individuals learn to engage in off-line (McCuddy & Vogel, 2015) and online (Maimon, Fukuda, et al., 2017) crime. In the physical world, Patton et al. (2014) show that gang members use social media platforms to sell drugs, post videos of violence and threats, display firearms and money, and taunt rival gangs’ members. Hackers who engage in website defacement also use social media platforms to brag about their successful exploits (Maimon, Fukuda, et al., 2017), discuss motivations and techniques (Aslan et al., 2020), and recruit hackers to join hacking teams (Babko-Malaya et al., 2017). Hackers’ use of social media platforms such as Facebook and Twitter is associated with increased website defacement frequency (Aslan et al., 2020; Maimon, Fukuda, et al., 2017); thus, we hypothesize that self-promotion through social media engagement will be predictive for the most prolific hackers.
Lastly, Ooi and colleagues (2012) found that website defacers are variety seeking; they attack targets in varying regions using different operating systems and attack methods. Corroborating this finding, Howell et al. (2019) show that hackers target websites hosted on servers around the globe based on the routine activities of the target country. Similarly, Holt et al. (2020) found that target characteristics vary across hackers. For example, some hackers engage in attacks against homepages, which may be viewed as having more value given their increased visibility (Holt et al., 2020). Other hackers redeface websites for revenge or because the site runs contrary to their ideological views (Holt et al., 2019, 2020; Jordan & Taylor, 2004; Woo et al., 2004). Finally, hackers can choose to generate mass defacements and simultaneously attack multiple websites hosted on a server (Holt et al., 2020). Taken together, it is evident hackers differ based on the type of attacks generated.
The studies discussed above provide meaningful insight into hackers’ behavior, but notable gaps in the literature exist. Specifically, no known study has attempted to determine whether different groups of website defacers exist or whether observable differences can be used to predict group membership. Given the success of past studies in their ability to classify hackers generally and our current knowledge about hackers who engage in attacks against websites, it is likely different groups exist based on attack volume (Zone-h, 2019) and that group membership can be distinguished based on motivation and content (Woo et al., 2004), self-promotion through social media engagement (Maimon, Fukuda, et al., 2017), and target selection (i.e., homepage defacements, redefacements, mass defacements; Holt et al., 2020). Therefore, the current study seeks to fill the aforementioned gaps in the literature by asking two research questions: (1) Are there different groups of website defacers based on the distribution of attack volume? and (2) Which observed hacker-level characteristics can be used to predict the volume of attacks across the identified distributions?
Method
Zone-h
Our sample of hackers, and a large majority of the data used in our analysis, comes from Zone-h (www.zone-h.com). Zone-h is a website repository that hackers use to showcase their successful defacements. Over 1 million defacements are reported to Zone-h each year, and it is the most widely used website of its kind (Zone-h, 2019). After hackers deface a website, they report the defacement to Zone-h. Once Zone-h verifies the legitimacy of the attack using automated software, it is permanently housed in the Zone-h archive. Zone-h was created in 2002 and has gained worldwide recognition within the hacker community. In fact, Zone-h receives notifications about attacks against websites hosted on servers all over the world (Howell et al., 2019).
Zone-h gathers a plethora of information about each defacement (Holt et al., 2020). It reports whether the attack was a mass defacement, a redefacement, and against a homepage. A mass defacement is an attack that is launched against multiple websites at once. In other words, a mass defacement involves attacking multiple websites hosted on a server simultaneously, resulting in a higher number of defacements. A redefacement is an attack against a website that has already been defaced. An attack against a homepage is a defacement that changes the visual image of the website’s main page that a visitor navigating to a website will first see.
Lastly, Zone-h reports whether the attack was launched against an important website, which Zone-h calls “special defacements.” After carefully examining the Zone-h archive, it is evident that special defacements are attacks against critical infrastructure; the majority of these are attacks against government websites (e.g., fbi.gov). Attacks against websites belonging to other institutions pertinent to the health, safety, security, and economic well-being have also been classified by Zone-h as special defacements (e.g., http://hospitalapia.gov.co; wadc.us; kex.com).
Sampling Procedure
As stated above, our sample is derived from the Zone-h archive. Specifically, we collected a convenience sample of defacements reported as special to Zone-h between June 1 and August 1, 2017. We focus on special defacements to garner insight into hackers who are capable of defacing websites deemed as important. In total, we gathered data on 1,062 defacements from 119 hackers. Because we conducted a content analysis of each defacement launched by our sample of hackers between our target dates (discussed in more depth below), we limited the number of defacements in our sample to make data collection manageable. Similarly, we restricted our time frame to 2 months in 2017 for two main reasons. First, because we manually coded each defacement, we needed to restrict our time frame to 2 months to ensure the coding process was manageable. Second, we chose 2017 because, at the time of data collection, it was the most recent year of fully published data.
Open-Source Intelligence
Using the hackers’ aliases, which were gathered from the Zone-h archive, we searched the clear web and dark web for additional information pertaining to the hackers in 2017. Although we were unable to find information on the dark web, for this specific subset of hackers, many were active on various social media platforms. We were able to identify a sizable portion of the hackers in our sample on Facebook, Twitter, Instagram, YouTube, and Telegram. In total, we identified 57 hackers (48% of our sample) on at least one of the aforementioned platforms. Because prior research has found social media presence to be correlated with attack frequency (Aslan et al., 2020; Maimon, Fukuda, et al., 2017), we added binary variables into our data that indicate whether the hackers were active on these various social media platforms. It is important to note that the social media variables only reflect the presence of the hackers using the same notifier name in Zone-h and on social media. If we did not find the hacker’s name in social media, this does not mean they are not using social media under a different username. Similarly, it is possible the accounts we identified on social media do not belong to the hacker who reported to Zone-h but instead belong to a different hacker with the same alias. Being coded as having social media here suggests the hackers are promoting their own defacement exploits both on Zone-h and in social media (see Table 1 for descriptive statistics on social media engagement).
Content Analysis
Using images of the defaced websites archived on Zone-h, one member of our research team coded the content of each defacement between June 1 and August 1, 2017. In total, 1,292 defacements were identified, but only 1,062 were coded due to issues with translation. Our coder only reads English; therefore, she was only able to code defacements launched in English. It is possible that non-English content differs from English content, which is discussed as a limitation.
We coded whether the content of the attack was political, had music, had pictures, or had animation. We elected to use a binary coding scheme to reduce bias. By simply opening the mirroring image, one would immediately recognize whether music, pictures, and animation were present. Coding political content, however, was more open to interpretation. For the current study, political content was any content relating to the government or public affairs of a country (e.g., Free Palestine). After coding each defacement, we aggregated the number of defacements and content data to the hacker-level; that is, each defacement was nested within a hacker. This gave us the number of defacements for each hacker over the 2-month period. For the content, we coded the variables as 1 if any of the defacements included instances of a political message, music, a picture, or animation. Hackers having no defacements with these characteristics were coded 0 within each variable.
To code the content of the defaced websites, we used a single coder. We retrospectively evaluated the reliability of our coding scheme by selecting a random sample of 50 websites across three raters. The interrater reliability was excellent across all of the content variables (political, music, animation, and pictures; percent agreement > 94% and Gwet’s AC1 > 0.944).
We also used data published by Zone-h on the hackers. Specifically, we included a dichotomous variable coded 1 if the attacker launched mass defacements, redefacements, and attacks against homepages for any of the defacements and 0 if they had no such defacements. Also, using data gathered on the clear web, we include a series of binary measures indicative of whether the hackers are active on Facebook, Twitter, Instagram, YouTube, and Telegram.
Finite Mixture Models
Our research question centered on whether there were different groups of hackers in the Zone-h data not evident a priori; that is, we did not have any measure to classify the hackers based on the number of defacements, though it appears some deface often while others do so infrequently. Fortunately, finite mixture modeling is a latent class analysis technique that can classify different distributions within an overall spread of data (Fruhwirth-Schnatter, 2006). To estimate how many different distributions exist, the analyst must compare the fit measures for several models with differing numbers of classes, namely, the Akaike information criterion and the Bayesian information criterion. The model with the lowest values across the indices is considered the best fit to the data. For our analysis, we used Stata (Version 16.1), specifically the gsem command (StataCorp, 2017).
Once the number of classes is determined, the analyst may then estimate separate regressions for each distribution. Given the nature and shape of the defacement distribution, we used negative binomial regression, appropriate for overdispersed count data. Furthermore, in the regressions, we included various nominal measures based on the content of the defacements (described above) and we also included indications of social media involvement for the aliases used by the hackers in Zone-h.
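The class-enumeration step described above, as an added example rather than the authors' Stata gsem code: it fits one- to four-class mixtures by EM and compares their AIC and BIC. It assumes Poisson components in place of the negative binomial components the study fit, and the counts are constructed, not the Zone-h sample.

```python
import math

# Constructed sample (not the study's data): defacement counts for 100
# hypothetical defacers, 80 with 1-6 defacements and 20 with 17-33.
LOW = [1] * 30 + [2] * 25 + [3] * 15 + [4] * 7 + [5] * 2 + [6]
HIGH = [17, 19, 20, 21, 22, 22, 23, 24, 24, 25,
        25, 26, 26, 27, 28, 28, 29, 30, 31, 33]
COUNTS = LOW + HIGH


def log_pois(x, lam):
    """Log Poisson probability of count x for a class with mean lam."""
    return x * math.log(lam) - lam - math.lgamma(x + 1)


def class_logs(x, weights, lams):
    """log(weight_j * Poisson(x; lam_j)) for every latent class j."""
    return [math.log(max(w, 1e-300)) + log_pois(x, l)
            for w, l in zip(weights, lams)]


def log_sum_exp(vals):
    """Numerically stable log of a sum of exponentials."""
    top = max(vals)
    return top + math.log(sum(math.exp(v - top) for v in vals))


def fit_mixture(counts, k, iters=500):
    """Fit a k-class Poisson mixture by EM with a deterministic start."""
    data = sorted(counts)
    n = len(data)
    # Start from k equal-sized slices of the sorted counts.
    chunks = [data[i * n // k:(i + 1) * n // k] for i in range(k)]
    lams = [sum(c) / len(c) for c in chunks]
    weights = [1.0 / k] * k
    for _ in range(iters):
        # E-step: posterior probability of each class for each defacer.
        resp = []
        for x in data:
            logs = class_logs(x, weights, lams)
            total = log_sum_exp(logs)
            resp.append([math.exp(v - total) for v in logs])
        # M-step: update class shares and class means.
        for j in range(k):
            mass = sum(r[j] for r in resp)
            weights[j] = mass / n
            if mass > 0:
                lams[j] = sum(r[j] * x for r, x in zip(resp, data)) / mass
    loglik = sum(log_sum_exp(class_logs(x, weights, lams)) for x in data)
    return weights, lams, loglik


def fit_with_criteria(counts, k):
    """Fit k classes and attach AIC and BIC (lower is better)."""
    weights, lams, loglik = fit_mixture(counts, k)
    params = 2 * k - 1  # k class means plus k - 1 free class shares
    return {"k": k, "weights": weights, "means": lams, "loglik": loglik,
            "aic": 2 * params - 2 * loglik,
            "bic": params * math.log(len(counts)) - 2 * loglik}


def select_classes(counts, max_k=4):
    """Return the fit with the lowest BIC and the list of all fits."""
    fits = [fit_with_criteria(counts, k) for k in range(1, max_k + 1)]
    return min(fits, key=lambda f: f["bic"]), fits


def class_sizes(counts, fit):
    """Members per class by modal posterior, ordered by class mean."""
    sizes = [0] * fit["k"]
    for x in counts:
        logs = class_logs(x, fit["weights"], fit["means"])
        sizes[logs.index(max(logs))] += 1
    order = sorted(range(fit["k"]), key=lambda j: fit["means"][j])
    return [sizes[j] for j in order]


if __name__ == "__main__":
    best, fits = select_classes(COUNTS)
    for f in fits:
        print(f["k"], round(f["aic"], 1), round(f["bic"], 1))
    print("classes:", best["k"], "sizes:", class_sizes(COUNTS, best))
```

Replacing `log_pois` with a negative binomial log-probability, and adding a dispersion parameter per class to the parameter count, gives the overdispersed version the paragraph describes.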
Results
Descriptive Statistics
Table 1 reports the descriptive information for the various measures for the 119 hackers in our analysis. The average number of defacements in the sample was 7.479 with a standard deviation of 14.059. A histogram of the defacement frequencies by hackers is shown in Figure 1. The count data are clearly skewed as the number of counts rises to over 70 while most are at the low end of the distribution. It appears the data are overdispersed, given the standard deviation is twice that of the mean. This suggests two kinds of hackers—those who deface occasionally (most hackers) and those who deface frequently (fewest hackers).
Table 1. Descriptive Statistics for Defacement Data.
Note. n = 119.

Figure 1. Histogram of number of defacements by individual hackers.
The distributions for the dichotomous variables are also reported in Table 1. For the social media variables, most of the hackers (52%) did not have a presence across platforms. Keep in mind, we only searched for the hacker alias used on Zone-h; therefore, we do not know how much they use social media with other account names. Facebook (24%) and Twitter (23%) had the largest number of users when we collected data in 2017, followed by YouTube (18%) and Telegram (11%). Instagram has the fewest accounts with Zone-h notifiers (6%).
For the content analysis variables, we saw that about 56% of hackers used pictures during their defacements, followed by animations (33%) and music (2.5%). Roughly 11% of hackers included political content in their defacements. The variables from the Zone-h data showed that a little over half (56%) used mass defacements, 74% redefaced a website, and about half (50%) attacked a website’s homepage.
Finite Mixture Models
To determine whether or how many distributions are mixed within the sample data, we ran several models with different latent classes. All models were run on a negative binomial distribution. Table 2 reports the model fit from one to four mixture models. The model with the lowest information criterion values was a two-class model. We then ran a two-class finite mixture model without any predictors. In this model, class 1 (about 78% or 92 hackers) had a latent class marginal mean of 1.960 (SE = 0.206, p < .000). We designated this class as the low-volume defacers. Class 2, about 22% or 27 hackers, had a latent class marginal mean of 26.761 (SE = 3.228, p < .000). We designated this class as the high-volume defacers. Compare these results to the overall sample defacement mean of 7.479. In sum, the finite mixture model indicated there were two different groups, one with a low count of defacements and one with a high count of defacements, and these were mixed in the sample’s overall distribution.
Table 2. Model for Finite Mixture Models.
Note. The lowest information criterion values across models are given in bold. AIC = Akaike information criterion; BIC = Bayesian information criterion.
The results from the finite mixture model with predictors were similar to the model with no predictors: The low-volume defacer group had a marginal mean of 2.935 (SE = 0.273, p < .000), and the high-volume defacer group had a marginal mean of 18.299 (SE = 2.189, p < .000). For the low-volume defacers (about 69% of the sample), Facebook was the only social media variable that was predictive (b = −0.560), which decreased the counts by about 43%. For the content variables, defacements with political content, music, and animation were significant. Political content increased counts by a factor of 3. Defacements with music were associated with an increase by a factor of 3, and those including animations decreased the counts by about 60%. Finally, from the Zone-h variables, mass defacements and redefacements increased the counts by a factor of 2.76 and 1.64, respectively. It is important to note that a mass defacement, by definition, results in a higher number of defaced websites.
For the high-volume defacers, Twitter and YouTube were both significant predictors of defacement counts: Twitter increased counts by a factor of 2, but surprisingly YouTube reduced counts by about 74% (or a factor of about 3.77). As for the other variables, the high-volume defacers had the same significant predictors and in the same direction: political (incident risk ratio [IRR] = 2.1), music (IRR = 3.9), animation (IRR = 0.49), mass defacements (10.5), and redefacements (2.24). In sum, the same factors that were predictive of the counts of the low-volume defacers were the same as the high-volume defacers, with the exceptions of Twitter, YouTube, and Facebook. When we looked at the differences across coefficients between the low- and high-defacer groups, only mass defacements were statistically significant, χ²(1) = 8.57, p < .001; that is, the high-volume defacers’ increase in the logged odds of counts was greater and statistically different from the low-volume defacers. The difference between coefficients’ magnitude, though, must be considered with regard to the differences in range of defacements for the dependent variables within models. That is, the low-volume group has a range of 1–6 while the high-volume group has a range of 1–70. Thus, the differences in effect size are a function of variable range.
Finally, in Table 3 we include a negative binomial regression model on all 119 hackers; that is, the mix of both groups of hackers (the same as a one-class finite mixture model). The results are very similar to the group models with some exceptions. Facebook, for instance, is only significant for the low-volume defacers and not in the total sample model. YouTube is significant for the overall model and the high-volume, but not the low-volume group. The remaining significant variables in the overall model are also significant in the two groups: political, animation, mass defacements, and redefacements. Of course, both mixture models contribute to the overall model, but the differences highlight the value of uncovering the latent groups in both statistical significance and effect size. For example, in the overall model, mass defacements increase the counts by a factor of five, but when the high-volume group is modeled, the impact increases to a factor of 10. Considering a mass defacement, by definition, results in a higher count of attacked websites, this finding is not surprising.
Table 3. Negative Binomial Model for Each Finite Mixture Model Class.
Note. n = 119. The b is the change in the log of counts. The SE is the standard error of the mean. The IRR is the incident risk ratio, which is the change in the count of defacements for every one-unit increase in the independent variable.
*p < .050. **p < .010. ***p < .001.
Discussion
Although multiple studies have attempted to determine whether different hacker types exist (i.e., Chantler, 1996; Hollinger, 1988; Meyers et al., 2009; Parker, 1998; Power, 1998), no known study has examined whether different types of website defacers exist. Therefore, using open-source data gathered on a sample of 119 active hackers, we sought to determine whether different types of website defacers based on volume of attack exist. Using finite mixture modeling, we identified two groups of defacers within the data: high-frequency and low-frequency defacers. We then used multiple measures to model the change in the counts of defacements.
Social media appears to be associated with website defacement, given Twitter had a positive impact and YouTube a negative one for the high-volume defacer group. Twitter operates in a manner consistent with the findings presented by both Aslan et al. (2020) and Maimon, Fukuda, et al. (2017) and increases the count, whereas YouTube had an opposite effect. Hackers on YouTube often discuss various hacking and technology-related issues, so it is possible these hackers are less specialized and thus dedicate less time to attacking websites. For the low-volume defacer group, Facebook reduced the counts. At this point, the evidence is countervailing for social media—it both increases and decreases. It might be that some platforms are useful while others are not. Clearly, research into how and why hackers use social media to advance their reputations is needed. Specifically, future research should consider how hackers’ engagement with social media influences attack frequency. Perhaps the way hackers engage with social media is more important than merely having an account (Aslan et al., 2020). Regardless, social media seems to be a promising means to gather open-source intelligence on otherwise anonymous cybercriminals.
The content variables also shed some light on the volume of defacements: Political content and music were both associated with an increase in counts, while animation was associated with a decrease. The effect of political content makes sense as a motivation to spread one’s message about governments and policies across many websites (Holt et al., 2012). Unfortunately, we had to remove any of the defacements with content written in a language other than English; these defacements might change the results of the content variables as defacements written in Arabic, a large proportion of the cases, likely include political content. Thus, in this study, we can only generalize to defacements done in English. As for animation (33% of the hackers), it might be that it reduces counts because it requires more effort for the defacement. As for music, this is likely an artifact given only 3 of the 119 hackers employed it: two fell into the predicted low-volume class at the low end of the distribution (defacement counts ≤ 16) and one fell into the high-volume class at the higher end of the distribution (defacement counts = 62).
The findings presented here highlight the value of coding the defacements and combining the information with the self-reported data from Zone-h. The political variable is interesting in that it is associated with an increase in counts. We suspect that had we the means to translate and code the non-English defacements, we would find it to have an effect as well.
There are limitations with our analysis. While the small sample size allowed for the coding of many websites (n = 1,062), it left us with only 119 hackers, our unit of analysis. While a sample of 119 seems adequate, the two mixture distributions further reduced the power between the two groups. Nevertheless, we did find significant predictors, which is not surprising given the effect sizes (e.g., IRR > 2). Additionally, we focused exclusively on special defacements allowing us to focus our attention on a subset of hackers who are capable of defacing high-value targets. However, this introduces bias into our sample. It is unclear whether the same examination, using nonspecial defacements, would produce the same results. Moreover, it is possible that some of the “hackers” in our analysis are actually hacker teams, which would help explain the large volume of attacks generated by some “hackers.” Similarly, it is possible one hacker uses various aliases, which would help explain the low volume of attacks generated by some “hackers.”
Furthermore, our sample was restricted by numerous other self-imposed parameters that may limit generalizability. Specifically, we only analyzed special defacements that were reported to Zone-h between June 1 and August 1, 2017. It is likely that website defacements not self-reported to Zone-h are substantively different than those that are reported. Furthermore, it is possible that defacement content appearing during our time of data collection is reflective of a historical event occurring simultaneously. Future researchers may want to consider gathering additional data from other sources spanning a longer period.
Since high-volume defacers make up a small portion of offenders, yet launch many attacks, they may be the best group to target for intervention. Findings from the current study can aid in this effort. For example, we found that high-volume defacers operate on Twitter; therefore, Twitter may serve as a valuable platform to reach and possibly deter repeat offenders. Likewise, knowing that high-volume offenders are political may serve as a starting point for the creation of an evidence-based hacker profile. In conjunction with what we know about the correlates of defacement (i.e., Holt et al., 2017, 2019, 2020; Howell et al., 2019; Maimon, Fukuda, et al., 2017), the findings presented in the current study put us one step closer to having the intel needed to disrupt the hacking ecosystem.
Footnotes
Declaration of Conflicting Interests
The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The authors received no financial support for the research, authorship, and/or publication of this article.
