Predicting which hackers will become persistent threats

January 26, 2023  |  Dr. C. Jordan Howell

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the authors in this article. This blog was jointly written with David Maimon, Professor at Georgia State University.

Website defacement

Websites are central to business operations but are also the target of various cyber-attacks. Malicious hackers have found several ways to compromise websites, with the most common attack vector being SQL injection: the act of injecting malicious SQL code to gain unauthorized access to the server hosting the website. Once on the server, the hacker can compromise the target organization's website, and vandalize it by replacing the original content with content of their own choosing. This criminal act is referred to as website defacement. See Figure 1 for examples of past website defacements.

example website defacementdefacement 2Figure 1. Examples of past website defacements.

While the act of vandalizing a website may seem trivial, it can be devastating for the victimized entities. If an e-commerce site is publicly compromised, for example, they suffer direct and indirect financial loss. The direct losses can be measured by the amount of revenue that would have been generated had the website not been compromised, and by the time and money spent to repair the damaged site. Indirect losses occur because of reputational damage. Potential customers may be deterred from providing their banking information to an organization portrayed and perceived as incapable of protecting their assets.

Threat actors

Unlike most forms of hacking, website defacement has a public facing component. Assailants are eager to get credit for their success in compromising websites and are notorious for bragging about their exploits across various platforms, including general social media (e.g., Facebook, Twitter, Youtube, etc.) and hacking specific sites. The most popular platform on which hackers report successful defacements is Zone-H. Users of the platform upload evidence of their attack, and once the attack is verified by the site’s administrators, it is permanently housed in the archive and viewable on Zone-H’s webpage. Zone-H is the largest hacking archive in the world: over 15 million attacks have been verified by Zone-H thus far, with over 160,000 unique active users. The archive, as depicted in Figure 2, includes the hackers’ moniker, the attacked website's domain name, and an image of the defacement content (resembling the images depicted in Figure 1).


Figure 2. Zone-H: The largest hacking archive in the world.

Hackers tend to use the same moniker across platforms to bolster the reputation and status of their online identity, which allows for the gathering of digital artifacts and threat intelligence pertinent to the attack and attacker, respectively. Indeed, we have been systematically gathering data on active malicious hackers who report their successful defacements to Zone-H since 2017 and, in doing so, have uncovered several interesting findings that shed light on this underground community. For example, and in direct contrast to Hollywood’s stereotype of the lone actor, we observed an interconnected community of hackers who form teams and develop their skills through collaboration and camaraderie. We also found variation in hackers’ attack frequency: some hackers are extremely prolific and can be classified as persistent threats, while others only engage in a few attacks before disappearing. These findings served as motivation for this study.

Criminal trajectories           

Recently, we built an analytic model capable of predicting which new hackers will become persistent threats at the onset of their criminal career. The study began by identifying 241 new hackers on the Zone-H archive. We then tracked each of these hackers for one year (52 weeks) following their first disclosed website defacement. We recorded their total number of attacks, extracted and analyzed content from their defacements, and gathered open-source intelligence from a litany of social media and hacking sites. In total, the 241 hackers in our study defaced 39,428 websites within the first year of their hacking career. We identified 73% of our sample on a social media site and found that 50% also report their defacements to other hacking archives. Finally, we extracted and analyzed the content of each new hacker's first defacement and found that 39% of hackers indicated involvement with a hacking team, 12% posted political content, and 34% left their contact information directly on the compromised site. 

To plot trajectories, we had to first disaggregate the dataset to determine whether each of the hackers in our sample defaced at least one website each week for the 52 weeks following their first defacement. Upon completion, we employed latent group-based trajectory modeling to determine if, and how many, unique criminal trajectories exist. Results are presented in Figure 3. We found that new hackers follow one of four patterns: low threat (28.8%), naturally desisting (23.9%), increasingly prolific (25.8%), and persistent threat (21.5%). Hackers classified as low threat (blue line) engage in very few defacements and do not increase their attack frequency within one year of their first attack. Those labeled as naturally desisting (red line) begin their careers with velocity, but this is short-lived. Conversely, those classified as increasingly prolific (green line) engage in more attacks as they advance in their criminal careers. Finally, those deemed as persistent threats (yellow line) begin their careers with velocity and remain prolific. To our knowledge, we are the first to plot the trajectories of new malicious hackers.

hacker trajectory

Figure 3. The one-year trajectory of new malicious hackers.

After plotting the trajectories, we employed a series of regression models to determine if open-source intelligence and digital artifacts can be used to predict the evolution of a new hacker's criminal career. Contrary to our expectation, we found politically driven hackers are at an increased odds of naturally desisting. While these hackers may engage in a high number of attacks at the onset of their career, this is short-lived. We suspect eager new hacktivists simply lose sight, or get bored, of their cause. Conversely, new hackers who post their contact information directly to the compromised site are at a decreased odds of naturally desisting. Tagging a virtual crime scene with contact information is a bold move. We suspect these hackers are rewarded for their boldness and initiated into the hacking community, where they continue defacing websites alongside their peers.

Different patterns emerged when predicting who will become a persistent threat. We found that social media engagement and reporting defacement activity to other platforms increase the odds of being a persistent threat. This may boil down to commitment: hackers committed to building their brand by posting on multiple platforms are also committed to building their brand through continual and frequent defacement activity. The most interesting, yet also intuitive, patterns emerge when predicting who will become increasingly prolific. We found that hackers who report to other platforms and indicate team involvement engage in more attacks as they progress in their career. Joining a hacking team is a valuable educational experience for a new hacker. As a novice hacker learns new skills, it is no surprise they demonstrate their capabilities by defacing more websites.

Taken together, these findings offer insight into the development of proactive cybersecurity solutions. We demonstrate that open-source intelligence can be used to predict which hackers will become persistent threats. Upon identifying high-risk hackers, we believe the next logical step is to launch early intervention programs aimed at redirecting their talent toward something more constructive. Recruiting young hackers for cybersecurity positions could create a safer cyberspace by filling the nation’s skills shortage while simultaneously removing persistent threat actors from the equation.


This work was conducted alongside several members of the Evidence-Based Cybersecurity Research Laboratory. We thank Cameron Hoffman and Robert Perkins for their continual involvement on the hacking project. For more information about our team of researchers and this project visit Follow @Dr_Cybercrime on Twitter for more cutting-edge cybersecurity research.

Share this with others

Get price Free trial