Top Ways Threat Actors Profit From Cyber Attacks

Today’s threat actors have numerous potential motivations for attacking systems and networks. Attackers may set out to destabilize economies, promote causes, infiltrate governments, or steal intellectual property. However, among all possible motivations, financial gain continues to be the most common. Knowing how attackers turn a profit from cybersecurity breaches can help you better understand the threats and risks your organization faces from cyber attacks.

The Sikich forensics and incident response team has performed numerous cybersecurity breach investigations and found the following to be the top ways that threat actors are profiting from cyber attacks.


Ransomware is currently the most common way that threat actors are capitalizing on network breaches. In a ransomware attack, threat actors work to encrypt your key data and applications and destroy backups, prompting you to pay a large ransom (typically six or seven figures) in the hopes of getting a decryption key that will allow you to unlock your data. The growing popularity and accessibility of cryptocurrencies has been a major driver of ransomware attacks, as threat actors can now demand large ransoms and get paid almost immediately while remaining more or less anonymous.

Extortion via disclosure threats

A close partner to ransomware is the theft of sensitive data with associated threats of disclosure. Oftentimes, before performing a ransomware attack, threat actors will hunt through the targeted network to identify and steal employee HR records, company financial data, customer data, intellectual property, and other private or sensitive data. After stealing this data, the threat actors will post the name of the hacked company to their “shaming” website and threaten to post all of the stolen data unless the compromised organization gives in to the threat actors’ extortion demands.

Electronic Payment Fraud

While electronic payment fraud, such as redirected wire and ACH transactions, has been a common tactic used by threat actors for the last 20 years, many organizations are still falling victim to these attacks. These types of events typically begin with a business-account-takeover attack, where threat actors gain unauthorized access to an employee or business partner email account through phishing, password guessing, and similar attacks. After gaining unauthorized access, threat actors wait and watch for emails referring to invoices or other electronic payments. The attackers will then redirect and manipulate messages to change the bank account details for where the funds are to be sent.

Cardholder data breach

While breaches of card-present point of sale (POS) systems (such as the well-publicized breaches) have declined in recent years as retailers have upgraded their cash registers and connected POS terminals, cardholder data breaches on ecommerce sites are still common. Today’s threat actors often rely on sophisticated techniques, such as skimming card data as it is typed into a web browser window and hiding card-skimming code on legitimate cloud services, to successfully steal cards while hiding the presence of the card-skimming malware.

Tax return fraud

Health care organizations have long been targets for cyber attacks, including well before ransomware and extortion attacks were the norm. But why? How does a threat actor make money off of stolen medical data?

It has historically been common for health care organizations to record patient Social Security numbers (SSNs). Threat actors can use SSNs stolen from health care organizations, together with other information about the victims gathered through open source intelligence (OSINT), to game the federal tax system. The threat actors then work to submit false tax returns, showing refunds that are sent to the attackers, before the individuals who actually have those SSNs have a chance to file their real tax returns.

Student loan fraud

Similar to tax return fraud, threat actors have figured out that stolen SSNs can be turned into income through student loan fraud. The threat actors register for student loans and even apply and register for classes using stolen data. Generally, the threat actors are looking to skim from the loan amounts that can be paid or reimbursed to a student, such as for housing and books. The fraud may not be identified until the university starts classes and the student never shows up.

If you’re concerned that your company could be a victim of any or all of these methods to profit from cyber attacks, please reach out to our cybersecurity experts.

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

About the Author