Jana Ringwald – “Digitalisation has changed crime.”

Ms Ringwald, what does being a Cybercrime Prosecutor involve?

Jana Ringwald: With the support of a contingent of colleagues, including some based abroad, my team and I hunt down cybercriminals. Digitalisation has changed the world and how people commit crimes. Carrying out a bank robbery these days is remarkably different to 30 years ago because the digital world has opened the door to so many opportunities to get our hands on money and commit fraud.

It’s quite a volatile environment, isn’t it.

Yes, and we are forever working in uncharted legal and technical territory. Criminals are constantly changing their modus operandi and that means we have to keep up our training, but I am very privileged to work with top investigators, technicians and cyberanalysts.

Cybercriminality is a global enterprise and Bitkom reports that data theft, espionage and sabotage accounted for 267 billion euros of annual losses for German businesses.

The damage is colossal. Most people don’t realise that the ransom demanded in an attack is often the least of a company’s worries. Indirect damages can be significantly higher when, for example, building management systems are down for several days, the air conditioning fails or it becomes impossible to communicate for several weeks. These are exactly the type of cases we work on, but we view the incident from a completely different perspective to the company itself, which simply wants to make it out the other side in any way possible. After all, this can be one of the worst things to ever happen to an organisation. Our aim is simply to track down those responsible.

Do these interests sometimes clash?

Not really, but one important part of our job is to explain our work to the businesses we work with because they will have other things to worry about than talking to the police. For us, companies are the key sources of data, providing a starting point for our investigations, allowing us to search out other pieces of the puzzle to find, understand and take apart the attackers’ infrastructure.

How do criminals go about attacking companies?

The most frequent methods are ransomware, DDoS attacks and all forms of social engineering like CEO fraud with the aim of exploiting people in the most basic way possible.

And what is the best way for affected businesses to respond?

Each of the 16 German states has a Criminal Police Office with a Central Cybercrime Unit and 24 × 7 hotline, manned by experts offering advice after a company has been blackmailed, who also inform investigators and help them coordinate their interactions with the business in order to reduce disruption during this difficult time. The fears that we remove all the hardware, take over all decision-making and then also have a quick look at the company’s tax returns are completely unfounded.

What does a company gain by filing a report with the police?

Probably nothing tangible as it’s very rare for us to get ransoms back, but there are very good reasons to report the crime. All unreported attacks are obviously not included in crime statistics and so, to all intents and purposes, don’t exist—neither at a political level nor in the public’s perception—and that just adds to the gulf between reality and theory. From a cybersecurity perspective, it would be good if everyone understood that companies could be attacked at any time and that this is actually part and parcel of business, which is why I would always encourage people to get in touch with the police and work with us to help reduce the collective burden.

Let’s talk about a specific case. Back in 2019, you were involved in bringing down the dark net platform “Wall Street Market”. How did you go about doing that?

It might be strange to hear, but these marketplaces have a public face. They want to be found by their customers. Wall Street Market was available in German, so we assumed the people behind it were German nationals, which really piqued our interest. Investigations like this aren’t necessarily triggered by some high-tech probe. Sometimes, we get a tip-off or we flex our forensic muscles. Wall Street Market was on the normal internet, aka the clear net, for a while, but was then moved to the dark net. The front end at least. We assumed that the criminals behind it had become a little too comfortable and not rebuilt their entire infrastructure, and we were right, which means we knew where at least some part of it could be found.

But then you need to gather evidence ...

The Criminal Procedure Code gives us the tools we need to work. If we carry out any kind of search, that’s something that will happen in the later stages of an investigation. We need data and data traces and back then, we invested a lot of time working with the Federal Criminal Police Office to analyse streams of data, looking for admin accesses that seem out of place when compared to other users. We focus on communication, because even cybercriminals have to talk to each other.

They aren’t all in one place?

That’s extremely rare. When it came to Wall Street Market, those running it didn’t know each other personally. They didn’t even know each other’s names despite being at the top of a multi-million euro criminal enterprise.

How do you go about cracking a case like that?

Despite this extreme level of anonymisation, they have to communicate with each other, and with a huge amount of technical nous, this can tracked in the hope someone slips up. 

Even though we are talking about highly professional criminals?

 Yes, even they make mistakes sometimes. What’s most interesting is that they act completely differently to criminals operating in the real world. The underground economy has different structures and for many years, German criminal law operated on the premise that gangs were particularly dangerous. However, it’s a completely different ball game in the digital world, where being in a gang is more of a hindrance as it’s more likely to leave traces.

Cybercrime as a Service is a term that is heard frequently.

Criminals build their business models and draw together the components they need to launch an attack from anywhere in the world. It doesn’t matter where they are located, which means they don’t have to be all-powerful. One person is responsible for coding, the other for encryption, a third handles distribution channels, the fourth mixes cryptocurrencies while the fifth deals with cash out systems. The cryptocurrency has to be exchanged for real money, after all. All of this represents a paradigm shift that shapes our work. Collaborating across borders with Europol and Eurojust is standard practice for us. We do our best not to impose leadership responsibility on one country or authority, so, for example, one country will handle all sales transactions on a platform, the second focuses on money laundering, and the third is dedicated to server infrastructure, making us much more flexible in our investigations.

With a few programmers here and a couple of blackmailers there, aren’t you fighting a losing battle?

That’s why we focus on the bigger marketplaces that are critical for the underground economy and a springboard for cybercrime. Unfortunately, we can’t go after every individual.

But even then, as soon as you shut down one marketplace, another opens, doesn’t it?

 Exactly. It’s like battling a Hydra. There was a Russian-language marketplace called Hydra Market, which we managed to take down a few years ago. Our seizure banner cheekily showed each head with handcuffs around its neck. Joking aside, it is of course a Herculean task, but that has always been the case. Crime might change, but it remains a human, social and societal issue. We’ll never be able to prevent it, but we have to respond and limit it as much as possible.