Computers in Human Behavior Reports 5 (2022) 100167
DOI: 10.1016/j.chbr.2022.100167

Hacker types, motivations and strategies: A comprehensive framework

Samuel Chng a,*, Han Yu Lu b, Ayush Kumar b, David Yau c

a Lee Kuan Yew Centre for Innovative Cities, Singapore University of Technology and Design, Singapore
b ST Engineering-Singapore University of Technology and Design Cyber Security Laboratory, Singapore
c Information Systems Technology and Design, Singapore University of Technology and Design, Singapore

Keywords: Cybersecurity, Cyberpsychology, Hacker, Motivation, Cyberattack, Typology

Abstract

Understanding and predicting cyber malfeasance is an emerging area of research with the increase in cybercrimes and heightened awareness about cybersecurity in recent years. The nature of cybercrimes is also becoming increasingly complex as hackers are more proficient and well-financed than earlier. Thus, our understanding of the various types of hackers and their motivations needs to be consistently updated.
We identified and reviewed 11 classifications and typologies of hackers and their motivations published over three decades to consolidate our understanding in this area and summarize the state of the art. Following that, we present a unified framework of 13 hacker types and 7 unique motivations. In addition, we detail the strategies each hacker type typically employs. This framework, applicable to various domains, allows readers to map various motivations to each hacker type and understand that hackers often hold multiple motivations at once. It also allows for the identification of specific hacker types based on the strategies used during a cyberattack.

1. Introduction

Cybercrimes are on the rise globally (International Telecommunication Union, 2019; Rege-Patwardhan, 2009), including “damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm” (Cybersecurity Ventures, 2020). These cybercrimes can be transnational, and we expect the number of cybercrimes to continue to increase with the rise in the number of Internet users. It is projected that there will be 6 billion Internet users globally by 2022 and more than 7.5 billion by 2030 (Cybersecurity Ventures, 2020).

In the United States alone, cybercrimes are the fastest growing crime and are increasing in size, complexity, and cost (Cybersecurity Ventures, 2019). The Federal Bureau of Investigation (FBI)’s Internet Crime Complaint Center reported 467,361 complaints and more than US$3.5 billion in losses in 2019, the highest numbers recorded since the centre was established in 2000 (FBI, 2019).
The techniques employed by cybercriminals have become increasingly sophisticated over the years, with victims finding it more and more difficult to notice any red flags (FBI, 2019).

The COVID-19 pandemic has pushed the world towards increased technological innovation and online collaboration, and unsurprisingly, the occurrence of cybercrimes has also increased. The United Nations’ disarmament chief reported a 600% uptick in cybercrimes, specifically in sophisticated phishing schemes, during the COVID-19 pandemic (Lederer, 2020). For instance, cybercriminals are posing as Centers for Disease Control and Prevention or World Health Organization representatives to deceive online victims into taking actions such as clicking on a malicious web link or opening an e-mail attachment containing a virus (PurpleSec, 2020).

With cybercrimes causing damage to both private and public enterprises, it is estimated that global spending on cybersecurity will exceed $1 trillion cumulatively between 2017 and 2021 (Cybersecurity Ventures, 2019). To date, most research in cybersecurity has focused on technological aspects with less emphasis on the human factors behind cybercrimes. Today, cybercrimes are detected much faster than before, but there continues to be a limited ability to determine who is behind the cybercrime and what their intentions are. This is particularly true for hackers, a group of cybercriminals who work with relative impunity, beyond traditional jurisdictions and physical borders (Rogers, 2011). To answer the above questions, we need a strong understanding of the motivations that underpin the intentions and actions of hackers, and the strategies that they employ to achieve them. This augments cybersecurity technologies that are being developed and helps operators decide on appropriate actions during attacks on their systems and networks.

* Corresponding author. E-mail address: samuel_chng@sutd.edu.sg (S. Chng).
https://doi.org/10.1016/j.chbr.2022.100167
Received 24 September 2021; Received in revised form 3 January 2022; Accepted 14 January 2022; Available online 19 January 2022
2451-9588/© 2022 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

Beveren’s (2001) model assumed that the majority of hackers begin as a novice (e.g., toolkit newbies) before acquiring more skills, knowledge and experience to become semi-professionals (e.g., cyberpunks, old guards). This suggests that as hackers develop their skills, the intentions and motivations sustaining their activities might also evolve. Six propositions were presented for the development of a novice hacker: (a) positive feedback must be present within the toolkits and information gathered, (b) development of skills is dependent on the available tools and challenges faced within the online environment, (c) flow occurs when there is a correspondence between skills and challenges, (d) a novice turns into a semi-professional via the development of appropriate skills, (e) the flow experience rapidly increases the motivation to further develop skills and search for more challenges, (f) a novice hacker would be drawn toward less sophisticated cybercrimes if there are criminal tendencies within the individual.

Abbreviations
DDoS: Distributed Denial-of-Service
SQL: Structured Query Language
PC: Personal Computer
IT: Information Technology
RDP: Remote Desktop Protocol
VPN: Virtual Private Network

Historically, hackers were known as one generic group. This was akin to grouping all cybercriminals into a general category, regardless of their actions and motivations (Rogers, 2006). Today, cybersecurity experts have access to typologies of hackers and their motivations, which provide them with a better understanding of the constellation of cybercrimes.
However, the hackers’ motivations, the types of attacks they use, and their level of sophistication continue to evolve. Hence, the typologies of hackers developed in the past few decades need to be updated. In addition, there is a need for typologies to go beyond describing the type of hacker and their motivation by providing further information about how the hackers would typically go about their activities. Doing so will aid the cybersecurity community in understanding and analyzing the potential threats from hackers.

To address the above, we reviewed existing research and typologies to present a comprehensive framework that maps different types of hackers to their motivations and the typical attack strategies that they employ. This paper is organised in the following manner. In Section 2, we review existing theories on the factors that motivate hackers to hack. In Section 3, we present and discuss the proposed framework. Finally, in Section 4, we discuss ways in which the proposed framework may be used by the cybersecurity community to analyse cyberattacks.

2.2. Bandura’s social learning theory

Albert Bandura’s (1977) social learning theory posits that individuals pick up criminal behaviours through associating with criminals in personal or social groups. The basic premise here is that both deviant and conforming behaviours are produced by the same high-level learning process whereby learning takes place in the context of social structure, interactions, and situations. Hence, an individual is likely to engage in criminal behaviour if he chooses to differentially associate with criminals and imitate their behaviours, is exposed to definitions (attitudes, norms, orientations) that justify or rationalize such behaviour, and has received differential reinforcement that rewarded similar behaviour in the past. The positive reinforcement hackers receive from the community often outweighs the punishment received from the real world.
Therefore, deviant cyber behaviours might continue unabated or even increase when the overall ratio of positive reinforcement to punishment for the hacker is very disproportionately enticing.

However, as existing social norms suggest, humans tend not to engage in deviant behaviours unless they have convinced themselves that their actions are justified. This makes it likely that cybercriminals would then feel a need to justify their illicit activities in the form of pursuing a noble or higher cause (Rogers, 2011). This is encapsulated in the concept of moral disengagement (Bandura, 2014). For example, hackers who have engaged in malicious insider cybercrimes may justify their actions as a result of access given to them and enabled by the system’s weakness (Atkinson, 2019). This is similarly observed among hackers who are part of state actors or organizations, whereby they can justify their actions as patriotism or loyalty.

2. Theories on why hackers hack

Behavioural science plays a complementary role in cybersecurity, helping develop a stronger understanding of why hackers do what they do, because hackers are, at the end of the day, still humans. That is to say, they possess both rational and irrational cognitive processes and motivations that determine their actions. Different theories across different disciplines have been put forward to postulate why hackers engage in cybercrimes. In this section, we briefly review them and elaborate on their relevance to hackers and their actions.

2.1. Beveren’s model of hacker development

Beveren (2001) proposed a model of hacker development based on traditional theories of psychology and the flow construct. Flow, coined by psychologist Mihaly Csikszentmihalyi, is a sense of effortless action felt when highly involved in an activity to the degree whereby attention becomes undivided, and time is obscured by the involvement in the activity (Csikszentmihalyi, 1990).
This suggests that there is an underlying tendency that causes a person to commit a crime, leading Beveren (2001) to theorize that such a tendency is what leads a hacker to gravitate towards criminal behaviour as they develop their skills in this area. Accordingly, the motivations to hack were divided into four themes: 1) compulsion to hack, 2) curiosity, 3) control and attraction to power, and 4) peer recognition and belonging to a group. Beveren (2001) theorized that flow occurs within the human-computer interaction experience when (a) the hacker perceives a sense of control over the interaction, (b) the hacker perceives his or her attention to be focused on the interaction, (c) the hacker’s curiosity is aroused by the interaction, and (d) the hacker finds the interaction to be intrinsically interesting. Hence, flow was considered to be a moderator for the development from a low-level to a high-level hacker.

2.3. Theories linking cognition with behavior

The Theory of Reasoned Action (Ajzen & Fishbein, 1980) posits that an individual’s intention to hack predicts their actual hacking behaviour. In turn, their intentions are predicted by their attitudes toward hacking and the subjective norms. Subjective norms are created by the reinforcement and feedback they receive in the hacker community as they develop their skills and are influenced by the community’s norms (Owen, 2016). The Theory of Planned Behavior (Ajzen, 1991) further adds that the hacker’s appraisal of whether the hacking is within their locus of control, termed perceived behavioural control, directly influences their hacking intentions and the subsequent hacking behaviour (Owen, 2016).
Further, the General Deterrence Theory (Gibbs, 1985) posits that the knowledge of negative consequences from hacking will deter potential hackers while positive consequences will attract them. This supports the theorization of hacking as fundamentally rational behaviour, moderated by the perceptions of certainty, severity, and celerity of punishments that are potentially meted out when caught (Owen, 2016).

2.4. Other aspects leading to hacking behaviors

for personal privacy and include white hats, sneakers, grey hats, and tourists. They are motivated by curiosity, notoriety, recreation, and ideology.

Insiders are disgruntled current or ex-employees who abuse their access to get what they want. They include internals, user malcontents and corporate raiders, and they are motivated by financial gain, revenge, and ideology.

Petty thieves refer to criminals who have moved their nefarious activities online and are motivated by financial gain and revenge. They include extortionists, scammers, fraudsters, thieves, and digital robbers.

Digital pirates, also known as copyright infringers, possess and engage in the illegal duplication, distribution, download, or sale of copyrighted materials. They are financially motivated.

Crime facilitators, including supporters, provide the necessary tools and technical know-how to cybercriminals, thus enabling them to launch sophisticated attacks which would not have been possible otherwise. They can have specific skill sets or areas of expertise and are usually financially motivated.

Professionals are highly skilled individuals who act as guns for hire or with the intent of furthering their criminal empire. They are motivated by financial gain and revenge. They are also known as black hats, elites, criminals, organized criminals, information brokers, and thieves.
Nation state hackers are highly trained and extremely skilled individuals who work directly or indirectly for one government to destabilize, disrupt, and destroy the systems and networks of a nation or government. They are motivated by financial gain, revenge, and ideology. This category includes information warriors, cyber terrorists, cyber warriors, state actors, state-sponsored networks, and spies.

Crowdsourcers are individuals who come together to solve a problem, often using questionable methods or chasing dubious goals. They are motivated by notoriety, revenge, recreation, and ideology.

Hacktivists, also known as political activists and ideologists, use their technical skills to further their political agendas or use the Internet as a tool for political change. They are motivated by notoriety, revenge, recreation, and ideology.

Within our framework, each hacker type and motivation are titled using terminologies widely used within the cybercommunity. Hence, a few hacker types proposed by different authors were replaced with the updated terminology instead. For example, script kiddies were renamed as novices. In addition, a separate column in Table 1 listing the different terms these hacker types go by is also included. This also includes terms that were previously known to a specific author. Due to its ambiguous nature, Barber (2001)’s cracker type was not included within the framework. While it referred to hackers who intentionally cause damage to systems, it could also represent a wide range of hacker types ranging from cyberpunks to nation states.

Notably, each of the 11 typologies reviewed proposed multiple hacker types and while some shared the same terminologies, others differed. Therefore, hacker types that appeared to share the same characteristics and motivations were combined.
Landreth (1985)’s thieves, who had the primary goal of profiting from their nefarious activities, were placed into both professionals and petty thieves hacker types in our framework with their shared similarities in profiting from illegal conduct. Hackers, individuals who possessed deep technical knowledge and were motivated by their curiosity to gain unauthorized access into systems to peek at internal information, were placed under our old guards category given their similarities in characteristics and motivations. Virus writers by Rogers (2006; 2011) as well as coders and writers by Meyers et al. (2009) were moved to our cyberpunks category given the overlap in their threat profiles (Hald & Pedersen, 2012) and similarities in characteristics and motivations with cyberpunks. Novice, insider, and professional “loners” by Rege-Patwardhan (2009) were placed within our novices, insiders, and professionals categories respectively.

Corporate raiders by Donalds and Osei-Bryson (2014) were placed under insiders given their shared characteristic of belonging to an organization and betraying their trust for financial gain. Similar to

Studies of hacker cultures suggest that the sub-cultural aspects inherent within the hacker community provide them space where they are allowed to freely express themselves with like-minded individuals (Holt, 2005; Lu et al., 2010; Meyer, 1989). This is particularly applicable to novice hackers as they tend to search for ways to ingratiate themselves into the sub-cultural group. However, within this sub-culture, there are different communities of hackers, including those who might possess a higher conscience and not engage in deviant behaviour and those with a lower conscience who may choose to engage in nefarious activities if it is beneficial to them (i.e., ingratiating to become part of the sub-cultural group; Atkinson, 2019).
Relatedly, the concept of depersonalized obedience suggests that the reduced level of obedience yielded to social constructs and norms, in addition to the depersonalization afforded by cybercrimes, motivates hackers and affords them the ability to act without regard for the impact of their actions (Bandura, 1999; Bocij & McFarlane, 2003). This is especially relevant since cybercrimes occur within digital, non-physical environments that are also more likely to be geographically distant. This is seen in hackers who are also activists for causes, or terrorists, whose causes motivate them to look beyond the impact of their actions and view victimization as a way of promoting their message, ideas or beliefs.

The theories discussed above provide greater insights into why hackers engage in their activities, and it is noteworthy that hackers are represented by a community of diverse individuals and organizations who possess varying motivations, intentions and levels of expertise. Being able to identify the perpetrators during cyberattacks accurately and expediently is critical for assessing the level of threat they pose and the countermeasures to deploy. Hence, the next section proposes an up-to-date typology of hackers with their motivations and strategies that are typically employed to aid this process.

3. Proposed framework

First, we searched existing academic and grey literature to identify existing typologies of hackers using electronic academic databases, web searches, and forward and backward searching of reference lists. We identified 11 different typologies published up to 2020 that illustrate the evolution of cybercrimes and the types of cybercriminals and their motivations.
Synthesizing these typologies, we identify 13 distinct types of hackers (novices, students, cyberpunks, old guards, insiders, petty thieves, professionals, nation states, hacktivists, digital pirates, online sex offenders, crowdsourcers, and crime facilitators) along with seven core motivations (curiosity, financial, notoriety, revenge, recreation, ideology, and sexual impulses). In the following sub-sections, we explain in detail how each hacker type uniquely contributes to cyber malfeasance, their motivations while doing so (section 3.1; see Tables 1 and 2), and their strategies/modus operandi when engaging in malicious activities (section 3.2; see Table 3).

3.1. Hacker types and their motivations

Novices refer to hackers who are less skilled and heavily rely on online toolkits developed and provided by others. Alternative names for this type of hackers include script kiddies, newbies, and system challenges. Novices are defined by their motivational characteristics of curiosity, notoriety, and recreation.

Students have no malicious intent to hack but do so only to gain knowledge. They are motivated by curiosity.

Cyberpunks are low- to medium-skilled hackers who wreak havoc for fun and alternative names for this type of hackers include crashers, thugs, and crackers. They are motivated by financial gain, notoriety, revenge, and recreation.

Online sex offenders are sexually motivated individuals who misuse the Internet to engage in sexually deviant behaviours with children. They include cyber predators and pedophiles.

Old guards, like students, are non-malicious hackers who have no regard

Table 1 Hacker types and authors of existing typologies.
| Hacker Types | Definition | Alternative Names |
|---|---|---|
| Novices | Lowly skilled hackers who heavily rely on online toolkits | Script Kiddies, Newbies |
| Cyberpunks | Low to medium-skilled hackers who wreak havoc for fun | Crashers, Thugs, Crackers |
| Insiders | Disgruntled current or ex-employees who abuse their access to get what they want | Internals, User Malcontents, Corporate Raiders |
| Old Guards | Hackers who do not hack for malicious reasons yet have no respect for personal privacy | White Hats, Sneakers, Grey Hats, Tourists |
| Professionals | Extremely skilful hackers who hack to further their criminal empire or are guns-for-hire | Black Hats, Elites, Criminals, Organized Crime, Information Brokers |
| Hacktivists | Hackers who use their technical skills to further their political agendas or use the Internet as a tool for political change | Political Activists, Ideologists |
| Nation States | Highly trained and extremely skilled hackers who work directly or indirectly for one government to destabilize, disrupt, and destroy the systems and networks of a nation or government | Information Warriors, Cyber Terrorists, Cyber Warriors, State Actors, State-Sponsored Networks |
| Students | Hackers with no malicious intent, who hack to gain knowledge | – |
| Petty Thieves | Criminals who move their activities online, using their low to medium skills | Extortionists, Scammers, Fraudsters, Thieves |
| Digital Pirates | Hackers who possess and engage in illegal duplicating, distributing, downloading, or sale of copyrighted materials | Copyright Infringers |
| Online Sex Offenders | Hackers who misuse the Internet to engage in sexually deviant behaviour with children | Cyber Predators, Pedophiles |

| Hacker Types | Landreth & Rheingold (1985) | Barber (2001) | Rogers (2006) | Rogers (2011) | Rege-Patwardhan (2009) | Meyers et al. (2009) | Hald and Pedersen (2012) | Donalds and Osei-Bryson (2014) | Seebruck (2015) | de Bruijne et al. (2017) | Atkinson (2019) | Moeckel (2019) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Novices | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | – | ✓ | ✓ |
| Cyberpunks | ✓ | – | ✓ | ✓ | – | ✓ | ✓ | ✓ | ✓ | ✓ | – | – |
| Insiders | – | – | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Old Guards | – | ✓ | ✓ | ✓ | – | ✓ | ✓ | ✓ | ✓ | – | – | – |
| Professionals | ✓ | – | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Hacktivists | – | – | ✓ | ✓ | – | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Nation States | – | – | ✓ | ✓ | – | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Students | ✓ | – | – | – | – | – | – | – | – | – | – | – |
| Petty Thieves | ✓ | – | ✓ | ✓ | – | – | ✓ | – | ✓ | ✓ | – | ✓ |
| Digital Pirates | – | – | – | – | – | – | – | ✓ | – | – | – | – |
| Online Sex Offenders | – | – | – | – | – | – | – | ✓ | – | – | – | – |

Landreth (1985)’s thieves, Seebruck (2015)’s criminals were placed in both our professionals and petty thieves categories. Extortionists, scammers, and fraudsters by de Bruijne et al. (2017) were replaced with petty thieves under our framework given their shared characteristic of conducting nefarious activities for financial gain. Toolkit users, proposed by Moeckel (2019), were moved under our professionals and petty thieves categories. Although they rely on online toolkits, these users may already possess a few skills and use them to engage in illegal activities to earn money.

Similarly, for motivations, multiple types proposed by different authors were changed to reflect the most up-to-date terminologies used within the cybercommunity. A few types were also combined under an umbrella term that carried a broader meaning. For instance, challenge and thrill-seeking were placed under recreation. In the case of Barber (2001), vandalism was replaced with notoriety, hacktivism with ideology, industrial espionage was split into ideology and financial, extortion or fraud was replaced with financial, and information warfare with ideology. Donalds and Osei-Bryson (2014)’s status, fame, and self-aggrandizement, as well as Seebruck (2015)’s prestige, were replaced with notoriety within our framework. de Bruijne et al. (2017)’s personal motivation was split into notoriety, revenge, and recreation, while geo-political was combined within our ideology motivation. Atkinson (2019)’s espionage motivation was split into both ideology and financial while destruction was also split into revenge and ideology under our framework.

3.2. Hacker types and their strategies

The strategies employed by each hacker type (see Table 3) are also documented. Novices typically re-use codes/scripts/malware found from the Internet and Dark web with little modification as their hacking skills are low-level. They do not possess a proper plan of action in terms of the attack steps to be executed to realize their goal. Also, in many cases, they are not careful enough to cover their online tracks to escape from the law and authorities (Riley, 2015; SecureWorld News Team, 2016; Donnel, 2020). Attack vectors include malware installation, phishing, SQL injection attack, password re-use, simple DDoS, etc.

Students may also use existing codes/scripts like novices but with some modifications to experiment and study vulnerabilities in systems such as web servers, databases, cloud storage servers, etc. They are likely to report the vulnerabilities to concerned companies, security researchers or relevant authorities (Young & Wan, 2019).

Cyberpunks may use existing codes/scripts but with some modifications or write their own ones to suit their goals.
They may use attack vectors to cause damage to victim systems, such as bricking PCs or embedded devices so that they cannot be used anymore (Trend Micro, 2019), exploiting bugs in software running on victims’ devices to crash them, and carrying out DoS attacks to deny legitimate users access to the victim machines. Other attack vectors such as phishing, spamming, SQL injection, simple malware/ransomware may also be used for stealing credit card information, unauthorized account transactions, identity fraud, bitcoin theft, etc. These types of hackers are known for garnering public and media attention by targeting high profile victims, posting on their social media accounts (Conger & Popper, 2020) or leaving boastful and demeaning messages on social media accounts/dark web forums/targeted devices’ displays (Sussman, 2019).

Old guards use customized codes/scripts/penetration testing tools to reveal vulnerabilities in existing systems such as websites, software, and servers/computers/devices, find new malware using professional honeypots, and track malicious hackers using cyber forensic techniques (Caldwell, 2011; Palmer, 2001). They may take over the vulnerable system and inform its owners about the vulnerability directly, or report the vulnerabilities to concerned companies, security researchers or relevant authorities, or decide to make the vulnerability public.
In some cases (e.g., white hat hackers), old guards work with security companies and law enforcement authorities, and in other cases (e.g.,

Table 1 (continued)

| Hacker Types | Definition |
|---|---|
| Crowdsourcers | Crowdsourcers are individuals who come together to solve a problem, often using questionable methods or chasing dubious goals |
| Crime Facilitators | Hackers who provide necessary tools and technical know-how to cybercriminals, enabling them to launch sophisticated attacks |

Table 2 Hacker types and their underlying motivations.

| Hacker Types | Curiosity | Financial | Notoriety | Revenge | Recreation | Ideology | Sexual Impulses |
|---|---|---|---|---|---|---|---|
| Novices | ✓ | – | ✓ | – | ✓ | – | – |
| Cyberpunks | – | ✓ | ✓ | ✓ | ✓ | – | – |
| Insiders | – | ✓ | – | ✓ | – | ✓ | – |
| Old Guards | ✓ | – | ✓ | – | ✓ | ✓ | – |
| Professionals | – | ✓ | – | ✓ | – | – | – |
| Hacktivists | – | – | ✓ | ✓ | ✓ | ✓ | – |
| Nation States | – | ✓ | – | ✓ | – | ✓ | – |
| Students | ✓ | – | – | – | – | – | – |
| Petty Thieves | – | ✓ | – | ✓ | – | – | – |
| Digital Pirates | – | ✓ | – | – | – | – | – |
| Online Sex Offenders | – | – | – | – | – | – | ✓ |
| Crowdsourcers | – | – | ✓ | ✓ | ✓ | ✓ | – |
| Crime Facilitators | – | ✓ | – | – | – | – | – |

buyers and competitors for financial gains. The typical modes of operation are transferring sensitive organizational data to their own devices, accessing company databases/servers, cloud storage, etc. (Petters, 2021). They may also inadvertently leak employees’ company records/customer information or end up infecting the company’s enterprise network with virus/trojan/malware (Nurse et al., 2014) due to lack of due diligence in their online activities such as emailing, browsing on company IT equipment (e.g., workstation, laptop, tablet).
Petty thieves, who are mainly financially motivated, use attack vectors such as trojans, keylogging, phishing and ransomware, which are easily available on the Internet or hacking forums, to gain credit card or bank account details of users, or blackmail users into directly transferring a ransom amount in bank currency (e.g., US dollars) or cryptocurrency (e.g., bitcoin; Peters, 2015).

Crime facilitators may offer cybercrime-as-a-service to criminals by helping them carry out phishing campaigns (via exploit kits, compromised system access, vulnerable RDPs), renting out malware (generic and customized) and botnets, renting infrastructure (bullet-proof hosting, VPN, proxy services), launching DoS attacks against certain targets on the criminals’ behalf, providing access to personal and financial data (credit card numbers, online banking credentials, phone numbers, email addresses) leaked from compromised databases, hacking of email and social media accounts, and managing cryptocurrency wallets to hide illegal transactions. They operate from underground forums and websites on the Dark web which serve as markets connecting buyers and sellers (Europol, 2020).

Professionals perform sophisticated attacks using the full repertoire of attack vectors (phishing, ransomware, SQL injection, DoS, cross-site scripting, supply chain attack, session hijacking, trojan/virus/malware, social media account compromises, etc.) and customized code/scripts. They are careful not to leave behind any trail that may lead authorities to them, or they leave clues that are meant to confuse investigators. They typically operate on their own, in small groups or with criminal organizations. Many of them are active on hacking forums and the Dark web, where they are hired by criminal groups (Kaspersky, 2018).
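The matching of observed attack strategies to hacker types that this section describes can be sketched as a small triage helper for incident responders. This is an added example, not code from the paper: the trait tag names, the restriction to nine of the hacker types, and the rarity-weighted scoring rule are assumptions, while the motivations follow the paper's Table 2.

```python
"""Rank candidate hacker types from observed attack traits (added example).

PROFILES paraphrases the strategies the paper attributes to nine of its
hacker types; the tag names and the scoring rule are assumptions made here.
MOTIVATIONS follows the paper's hacker-type/motivation table (Table 2).
"""
import math

PROFILES = {
    "novices": {"reused_public_tooling", "no_attack_plan", "poor_track_covering"},
    "students": {"modified_public_tooling", "vulnerability_reporting"},
    "cyberpunks": {"modified_public_tooling", "custom_tooling", "device_bricking",
                   "denial_of_service", "publicity_seeking"},
    "old_guards": {"custom_tooling", "pentest_tooling", "vulnerability_reporting"},
    "insiders": {"internal_knowledge", "data_copied_to_own_device"},
    "petty_thieves": {"reused_public_tooling", "payment_data_theft", "ransom_demand"},
    "professionals": {"custom_tooling", "multi_vector", "careful_track_covering"},
    "hacktivists": {"database_leak", "website_defacement", "public_service_disruption"},
    "nation_states": {"staged_intrusion", "privilege_escalation",
                      "data_exfiltration", "long_term_persistence"},
}

MOTIVATIONS = {
    "novices": ["curiosity", "notoriety", "recreation"],
    "students": ["curiosity"],
    "cyberpunks": ["financial", "notoriety", "revenge", "recreation"],
    "old_guards": ["curiosity", "notoriety", "recreation", "ideology"],
    "insiders": ["financial", "revenge", "ideology"],
    "petty_thieves": ["financial", "revenge"],
    "professionals": ["financial", "revenge"],
    "hacktivists": ["notoriety", "revenge", "recreation", "ideology"],
    "nation_states": ["financial", "revenge", "ideology"],
}


def trait_weights(profiles=PROFILES):
    """Weight a trait higher the fewer hacker types share it (IDF-style)."""
    counts = {}
    for traits in profiles.values():
        for trait in traits:
            counts[trait] = counts.get(trait, 0) + 1
    total = len(profiles)
    return {trait: 1.0 + math.log(total / n) for trait, n in counts.items()}


def rank_hacker_types(observed, profiles=PROFILES):
    """Return [(type, score, matched_traits)] sorted by descending score."""
    observed = set(observed)
    weights = trait_weights(profiles)
    unknown = sorted(observed - set(weights))
    if unknown:
        # Fail loudly on typos instead of silently ignoring evidence.
        raise ValueError(f"unknown trait tags: {unknown}")
    ranked = []
    for name, traits in profiles.items():
        matched = traits & observed
        if matched:
            score = round(sum(weights[t] for t in matched), 3)
            ranked.append((name, score, sorted(matched)))
    ranked.sort(key=lambda row: (-row[1], row[0]))
    return ranked


def motivations_to_consider(ranked, top=2):
    """Union of motivations for the top candidates, in first-seen order."""
    seen = []
    for name, _score, _matched in ranked[:top]:
        for motivation in MOTIVATIONS[name]:
            if motivation not in seen:
                seen.append(motivation)
    return seen


# Constructed incident observations, for illustration only.
INCIDENTS = {
    "noisy-scan": {"reused_public_tooling", "no_attack_plan", "poor_track_covering"},
    "card-theft": {"reused_public_tooling", "payment_data_theft"},
    "quiet-intrusion": {"custom_tooling", "multi_vector", "careful_track_covering"},
}

if __name__ == "__main__":
    for label, traits in INCIDENTS.items():
        ranked = rank_hacker_types(traits)
        print(label, ranked, motivations_to_consider(ranked, top=1))
```

Because several hacker types share traits, the result is a ranking of candidates to investigate rather than an attribution.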
Nation states (Tankard, 2011; Chen, Desmet & Huygens, 2014) perform sophisticated attacks following a series of stages: first, they gain access to a target network through social engineering techniques, spear-phishing emails, malicious files, vulnerable apps; second, they gain a foothold by installing malware on a system inside the network, performing reconnaissance and installing malware on more systems; third, they try to gain administrative rights using techniques such as password cracking to deepen their control of the network, move around and access more secure parts; fourth, they identify and prepare the valuable data for exfiltration and then transfer it to their machines; fifth, they persist and continue the above process for a long time trying not to attract any attention until they are detected or decide to relinquish Table 3 Hacker types and their strategies. Types Strategies Novices Re-use codes/scripts/malware found from Internet. Do not possess a proper plan of action in terms of attack steps. Not careful enough to cover their online tracks. May use existing codes/scripts but with some modifications or write their own ones. Attack vectors include bricking to cause damage to victim systems, exploiting bugs in software running on victim’s devices, and carrying out Denial of Service (DoS) attacks. Focused on garnering public and media attention. Use internal confidential knowledge of a company’s cyberinfrastructure to launch attacks or sell that information. May transfer sensitive organizational data to their own devices, access company databases/servers, cloud storage, etc. Use customized codes/scripts/penetration testing tools to reveal vulnerabilities in existing systems. Find new malware using professional honeypots, track malicious hackers using cyber forensic techniques. Include white hats and grey hats. Perform sophisticated attacks using the full repertoire of attack vectors and customized code/scripts. 
Careful to not leave any online trail behind. Employ attack vectors such as SQL injection, web server misconfiguration to take over databases and leak their contents, deface high-profile websites, disable widely-used public services, etc. Perform sophisticated attacks following a series of stages. First, they gain access to a target network, second, they gain a foothold by installing malware on a system, third, they try to gain administrative rights, fourth, they identify and prepare valuable data for exfiltration, fifth, they persist and continue above process for a long time. May use existing codes/scripts like novices but with some modifications to experiment and study vulnerabilities in systems. Likely to report the vulnerabilities. Use attack vectors such as trojans, ransomware which is easily available on the Internet to gain credit card or bank account details. Steal copyrighted content directly or indirectly and leak them. Befriend potentially vulnerable victims on Facebook or other social media, get hold of compromising pictures/videos directly or through emails/chats embedded with malicious attachments. Join forces and pool their skills together for tasks such as developing new malware, managing botnets, etc. May offer cybercrime-as-a-service to criminals by helping them carry out phishing campaigns, renting out malware and botnets, etc. Cyberpunks Insiders Old Guards Professionals Hacktivists Nation States Students Petty Thieves Digital Pirates Online Sex Offenders Crowdsourcers Crime Facilitators grey hat hackers, sneakers), they carry out their operations anony­ mously to hide their real identities as they may not respect user privacy or authorization boundaries (Kirsch, 2014). Insiders use internal confidential knowledge of a company’s cyber infrastructure (e.g., account credentials, security policies, system vul­ nerabilities) to launch attacks or sell that information to Dark web 6 S. Chng et al. 
Computers in Human Behavior Reports 5 (2022) 100167 control after meeting their planned objectives, though often a backdoor is left open so that they can access the network again at some point in the future. While withdrawing from the targeted network, they take care to cover their tracks, e.g., removing malware and other tools from the compromised machines/devices connected to the network or deliber­ ately leave clues that are meant to confuse investigators. Nation states typically work in a group and systematically coordinate with each other. They target high-profile state/provincial or national government web­ sites, cloud services, critical power generation and distribution systems, government and hospital IT infrastructure, etc. Hacktivists usually operate in a group. They employ certain types of attack vectors (SQL injection, web server misconfiguration, DDoS, social media account compromises, etc.) to take over databases and leak their contents which may contain sensitive and private information, deface high-profile websites, disable widely-used public services, send fake news or posts containing phishing/malware/trojan links to a large fol­ lower audience which can help them gain the attention of public and authorities to give publicity to their cause (Caldwell, 2015; Man­ sfield-Devine, 2011). They are careful to cover their tracks which may otherwise lead authorities to them. Crowdsourcers operate in a group for most purposes. They are typical visitors of a hacking forum who join forces and pool their skills together for various tasks such as developing new malware, managing botnets, sharing network infiltration tools and techniques, and stealing financial information. Digital pirates steal copyrighted content (e.g., media- music/movies/ photos, games, software) directly or indirectly and leak them using online websites, torrents, etc. 
For example, they may maintain websites that illegally stream copyrighted movies, TV shows, music, or use free/subscription-based file-sharing services to distribute digital content files, links to which are further shared on social media, blogs and forums (Poort et al., 2018).

Online sex offenders (Briggs et al., 2011; Chan et al., 2016) view or post child pornography on the Internet, initiate sexual online chats with a child/adolescent and have them share sexual content, and use online blackmailing and luring tactics to force victims for sexual favours. Their tactics include befriending potentially vulnerable victims on Facebook or other social media and getting hold of compromising pictures/videos directly or through emails/chats embedded with malicious attachments.

4. Discussion

In this paper, we reviewed the theories and models that explain the development and motivation of hackers. This helps us with the fundamental understanding of why hackers hack and what sustains or contributes to their activities. We learnt from Beveren (2001) that flow is pivotal for an individual's growth from an amateur to a competent hacker and only with an extra variable of a tendency to commit a crime would these hackers further develop into cybercriminals. However, it is limited in that it shows only two ways in which a lowly skilled hacker can develop into a cybercriminal. In describing hackers' motivations, Atkinson (2019) went on further to map which psychological model or theory applies to each hacker type. This was useful as it allowed us to gain an insight into not only their motivations but also why a specific motivation applied to a hacker type.

However, we identified that despite the large number of typologies that exist today, they need to be updated to be more comprehensive either in the types of hackers, types of motivations or both. Hence, we developed an up-to-date framework of hacker typology and motivations that comprises 13 different groups of hackers and seven unique motivations. The typology posited by Rogers (2006, 2011) emerged as the most influential typology in our earlier review and heavily influenced the development of eight of the 13 hacker types and four of the seven motivations that were proposed within this unified framework. Furthermore, three hacker types (students, crowdsourcers, digital pirates, and online sex offenders) were unique to specific authors: Landreth (1985), Seebruck (2015), and Donalds and Osei-Bryson (2014), respectively. Unlike extant typologies, our framework was created with the intention to be useful across various domains and to allow users to also backward trace the history and research available by mapping alternative names given for each hacker type and the typologies that detail them.

More importantly, our framework presents the typical attack strategies employed by each of the proposed 13 hacker types. This contributes significantly towards the value and utility of the framework over previous typologies. Here, it is possible to determine the specific type of hacker or at least the broad group to which a hacker belongs (e.g., based on skill level: low, medium or high) by observing their actions in preparation for or during an attack. For instance, if the victim of the attack is an enterprise/government entity/critical infrastructure, it is found that sophisticated malware/scripts were used for the attack and it is difficult for cyber investigators to trace the online activity of the hacker(s), it can be inferred that the hacker(s) is(are) highly skilled. In this case, the hacker(s) can be a professional, a nation state group or a hacktivist group. Based on the complexity of the attack and the various kinds of expertise required, it can also be concluded whether multiple hackers were involved (nation state, hacktivist) or it was the work of a single hacker (professional). An analysis of the tools used for the attack and their similarity with the ones used by other known hackers can help investigators further narrow down the hacker type and the specific individual/group behind the attack.

Our proposed framework will continue to be a work in progress as cybercrimes and cybercriminals evolve and the motivation and strategies for engaging in cybercrimes expand further. For instance, with the advancement in tools and increased sophistication in cybercrimes, the strategies employed by hackers will continue to evolve. In addition, new types of hackers would likely emerge as our economy and society evolve to create new possibilities for exploitation and cybercrimes. Hence, this framework should be updated periodically to reflect these developments and remain relevant. Nevertheless, we hope that this framework will serve as a useful tool for cybersecurity analysts in detecting and defending against future cyberattacks as well as post-attack forensics.

5. Conclusion

A unified framework detailing 13 hacker types, 7 unique motivations, and the strategies each hacker type typically employs is presented here to contribute towards a better understanding of hackers to address the rising cyber malfeasance in recent years. This was developed after reviewing 11 classifications and typologies of hackers and their motivations published over the last three decades. As the nature of cybercrimes evolves and hackers become more skilled and well-equipped than before, the proposed framework will serve as a useful tool for cybersecurity analysts and researchers.

Author contribution

Samuel Chng: Conceptualization, Writing - review & editing. Han Yu Lu: Data curation, Writing - Original Draft. Ayush Kumar: Data curation, Writing - Original Draft, review & editing. David Yau: Writing - review & editing.
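The narrowing procedure described in the Discussion, combined with the motivations of Table 2, written out as an added Python example (not code from the paper). The Observation field names, the choice to apply no skill filter unless all three high-skill indicators hold, and the discriminating_motivations helper are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Table 2 of the paper, transcribed: hacker type -> motivations marked for it.
MOTIVATIONS = {
    "Novices": {"Curiosity", "Notoriety", "Recreation"},
    "Cyberpunks": {"Financial", "Notoriety", "Revenge", "Recreation"},
    "Insiders": {"Financial", "Revenge", "Ideology"},
    "Old Guards": {"Curiosity", "Notoriety", "Recreation", "Ideology"},
    "Professionals": {"Financial", "Revenge"},
    "Hacktivists": {"Notoriety", "Revenge", "Recreation", "Ideology"},
    "Nation States": {"Financial", "Revenge", "Ideology"},
    "Students": {"Curiosity"},
    "Petty Thieves": {"Financial", "Revenge"},
    "Digital Pirates": {"Financial"},
    "Online Sex Offenders": {"Sexual Impulses"},
    "Crowdsourcers": {"Notoriety", "Revenge", "Recreation", "Ideology"},
    "Crime Facilitators": {"Financial"},
}

# Discussion: an enterprise/government/critical-infrastructure victim,
# sophisticated malware/scripts and hard-to-trace activity together imply a
# highly skilled actor, i.e. one of these three types.
HIGH_SKILL = {"Professionals", "Nation States", "Hacktivists"}
GROUP_ACTORS = {"Nation States", "Hacktivists"}  # multiple hackers involved
SOLO_ACTORS = {"Professionals"}                  # work of a single hacker


@dataclass
class Observation:
    """Analyst findings for one incident (field names are illustrative)."""
    high_value_target: bool
    sophisticated_tooling: bool
    hard_to_trace: bool
    multiple_actors: Optional[bool] = None  # None = not yet determined
    motivations: frozenset = frozenset()    # motivations the evidence supports


def candidate_types(obs):
    """Return the hacker types consistent with the observation, sorted."""
    known = set().union(*MOTIVATIONS.values())
    unknown = set(obs.motivations) - known
    if unknown:
        raise ValueError(f"not a Table 2 motivation: {sorted(unknown)}")
    candidates = set(MOTIVATIONS)
    # Assumption: the paper gives no rule when an indicator is missing, so the
    # skill filter is applied only when all three indicators are present.
    if obs.high_value_target and obs.sophisticated_tooling and obs.hard_to_trace:
        candidates &= HIGH_SKILL
        if obs.multiple_actors is True:
            candidates &= GROUP_ACTORS
        elif obs.multiple_actors is False:
            candidates &= SOLO_ACTORS
    # Keep only types whose Table 2 row covers every observed motivation.
    return sorted(t for t in candidates if set(obs.motivations) <= MOTIVATIONS[t])


def discriminating_motivations(types):
    """Motivations held by some but not all of `types`: evidence to seek next."""
    result = {}
    for m in sorted(set().union(*(MOTIVATIONS[t] for t in types))):
        holders = sorted(t for t in types if m in MOTIVATIONS[t])
        if len(holders) < len(types):
            result[m] = holders
    return result


if __name__ == "__main__":
    # Constructed incident: all three high-skill indicators, several actors.
    incident = Observation(True, True, True, multiple_actors=True)
    shortlist = candidate_types(incident)
    print(shortlist)
    print(discriminating_motivations(shortlist))
```

For the constructed incident the shortlist is hacktivists and nation states, and the second function shows that evidence of a financial motive would point to a nation state while notoriety or recreation would point to hacktivists.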
Funding

This research is supported by both ST Engineering Electronics and National Research Foundation, Singapore, under its Corporate Laboratory @ University Scheme (Programme Title: STEE Infosec-SUTD Corporate Laboratory). Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not reflect the views of the National Research Foundation, Singapore.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References

Ajzen, I. (1991). The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50(2), 179–211.
Ajzen, I., & Fishbein, M. (1980). Understanding attitudes and predicting social behaviour. Englewood Cliffs, N.J: Prentice-Hall.
Atkinson. (2019). Psychology and the hacker: Psychological incident handling. White Paper. SANS Institute.
Bandura, A. (1977). Social learning theory. Englewood Cliffs, NJ: Prentice Hall.
Bandura, A. (1999). Social cognitive theory of personality. Handbook of Personality, 2, 154–196.
Bandura, A. (2014). Moral disengagement in the perpetration of inhumanities. In Perspectives on evil and violence (pp. 193–209). Psychology Press.
Barber. (2001). Hackers profiled: Who are they and what are their motivations? Computer Fraud & Security, 2001(2), 14–17.
Beveren, J. (2001). A conceptual model of hacker development and motivations. Journal of E-Business, 1(2).
Bocij, P., & McFarlane, L. (2003). Cyberstalking: The technology of hate. Police Journal, 76(3), 204–221.
Briggs, P., Simon, W. T., & Simonsen, S. (2011). An exploratory study of internet-initiated sexual offenses and the chat room sex offender: Has the internet enabled a new typology of sex offender? Sexual Abuse, 23(1), 72–91.
de Bruijne, van Eeten, Gañán, & Pieters. (2017). Towards a new cyber threat actor typology: A hybrid method for the NCSC cybersecurity assessment. Retrieved from https://repository.wodc.nl/handle/20.500.12832/2299.
Caldwell, T. (2011). Ethical hackers: Putting on the white hat. Network Security, 2011(7), 1–9.
Caldwell, T. (2015). Hacktivism goes hardcore. Network Security, 2015(5), 12–17.
Chan, E. J., McNiel, D. E., & Binder, R. L. (2016). Sex offenders in the digital age. The Journal of the American Academy of Psychiatry and the Law, 44(3), 368–375. September
Chen, P., Desmet, L., & Huygens, C. (2014). A study on advanced persistent threats. In IFIP International Conference on Communications and Multimedia Security (pp. 63–72). Berlin, Heidelberg: Springer.
Conger, & Popper. (2020). Florida teenager is charged as 'Mastermind' of twitter hack. Retrieved from https://www.nytimes.com/2020/07/31/technology/twitter-hack-arrest.html.
Csikszentmihalyi, M. (1990). Flow: The psychology of optimal experience. New York: Harper & Row.
Cybersecurity Ventures. (2019). 2019 official annual cybercrime report. Retrieved from https://www.herjavecgroup.com/wp-content/uploads/2018/12/CV-HG-2019-Official-Annual-Cybercrime-Report.pdf.
Cybersecurity Ventures. (2020). Cybercrime to cost the world $10.5 trillion annually by 2025. Cybercrime Magazine. Retrieved from https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/.
Donalds, C. M., & Osei-Bryson, K. M. (2014). A cybercrime taxonomy: Case of the Jamaican jurisdiction. In Paper presented at the International Conference on Information Resources Management (Conf-IRM), Ho Chi Minh City, Vietnam.
Europol. (2020). Internet organised crime threat assessment (IOCTA) 2020. Retrieved from https://www.europol.europa.eu/activities-services/main-reports/internet-organised-crime-threat-assessment-iocta-2020.
Federal Bureau of Investigation. (2019). 2019 internet crime report. Retrieved from https://pdf.ic3.gov/2019_IC3Report.pdf.
Gibbs, J. P. (1985). Deterrence theory and research. In Nebraska symposium on motivation. University of Nebraska Press.
Hald, & Pedersen. (2012). An updated taxonomy for characterizing hackers according to their threat properties. In Paper presented at the 14th international Conference on Advanced Communication Technology (ICACT), PyeongChang, South Korea.
Holt, T. J. (2005). Hacks, cracks, and crime: An examination of the subculture and social organization of computer hackers. University of Missouri-Saint Louis.
International Telecommunication Union. (2019). Statistics. Retrieved from https://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx.
Kaspersky. (2018). What is a Black-Hat hacker?. Retrieved from https://www.kaspersky.com/resource-center/threats/black-hat-hacker
Landreth (1985). Out of the inner circle: a hacker's guide to computer security. Microsoft Press.
Kirsch, C. (2014). The grey hat hacker: Reconciling cyberspace reality and the law. Northern Kentucky Law Review, 41(3), 383–403.
Landreth, B., & Rheingold, H. (1985). Out of the Inner Circle: A Hacker's Guide to Computer Security. Bellevue, Washington: Microsoft Press.
Lederer, E. M. (2020). Top UN official warns malicious emails on rise in pandemic. Retrieved from https://apnews.com/article/c7e7fc7e582351f8f55293d0bf21d7fb.
Lu, Y., Luo, X., Polgar, M., & Cao, Y. (2010). Social network analysis of a criminal hacker community. Journal of Computer Information Systems, 51(2), 31–41.
Mansfield-Devine. (2011). Hacktivism: Assessing the damage. Network Security, 2011(8), 5–13.
Meyer, G. R. (1989). The social organization of the computer underground. Northern Illinois Univ De Kalb.
Meyers, Powers, & Faissol. (2009). Taxonomies of cyber adversaries and attacks: A survey of incidents and approaches. Retrieved from https://www.osti.gov/biblio/967712.
Moeckel, C. (2019). Examining and constructing attacker categorisations: An experimental typology for digital banking. In Paper presented at the 14th International Conference on Availability, Reliability and Security, Canterbury, United Kingdom.
Nurse, J. R., Buckley, O., Legg, P. A., Goldsmith, M., Creese, S., Wright, G. R., & Whitty, M. (2014). Understanding insider threat: A framework for characterising attacks. In 2014 IEEE security and privacy workshops (pp. 214–228). IEEE.
Owen, K. (2016). Motivation and demotivation of hackers in the selection of a hacking task: A contextual approach. PhD thesis. McMaster University. Open Access Dissertations and Theses Community.
Palmer, C. C. (2001). Ethical hacking. IBM Systems Journal, 40(3), 769–780.
Peters, S. (2015). Profile of A cybercrime petty thief. Retrieved from https://www.darkreading.com/analytics/threat-intelligence/profile-of-a-cybercrime-petty-thief/d/d-id/1320559.
Petters, J. (2021). What is an insider threat? Definition and examples. Retrieved from https://www.varonis.com/blog/insider-threats/.
Poort, J., Quintais, J., van der Ende, M. A., Yagafarova, A., & Hageraats, M. (2018). Global online piracy study. Amsterdam Law School Research Paper, 2018–2021.
PurpleSec. (2020). 2020 cyber security statistics: The ultimate list of stats, data & trends. Retrieved from https://purplesec.us/resources/cyber-security-statistics/.
Rege-Patwardhan, A. (2009). Cybercrimes against critical infrastructures: A study of online criminal organization and techniques. Criminal Justice Studies, 22(3), 261–271.
Riley, D. (2015). 15-year-old script kiddie arrested in TalkTalk hacking investigation. Retrieved from https://siliconangle.com/2015/10/27/15-year-old-script-kiddie-arrested-in-talktalk-hacking-investigation/.
Rogers, M. K. (2006). A two-dimensional circumplex approach to the development of a hacker taxonomy. Digital Investigation, 3(2), 97–102.
Rogers, M. K. (2011). The psyche of cybercriminals: A psycho-social perspective. In Ghosh, & Turrini (Eds.), Cybercrimes: A multidisciplinary analysis (pp. 217–235). Springer Berlin Heidelberg.
SecureWorld News Team. (2016). Europol arrests 34 DDoS script kiddies Who are actual kids. Retrieved from https://www.secureworldexpo.com/industry-news/europol-arrests-34-ddos-script-kiddies-who-are-actual-kids.
Seebruck, R. (2015). A typology of hackers: Classifying cyber malfeasance using a weighted arc circumplex model. Digital Investigation, 14, 36–45.
Sussman, B. (2019). Hackers bragging, taunting victims publicly. Retrieved from https://www.secureworldexpo.com/industry-news/hackers-brag-taunting.
Tankard, C. (2011). Advanced Persistent threats and how to monitor and deter them. Network Security, 2011(8), 16–19.
Trend Micro. (2019). Silex malware bricks IoT devices with weak passwords. Retrieved from https://www.trendmicro.com/vinfo/sg/security/news/cybercrime-and-digital-threats/-silex-malware-bricks-iot-devices-with-weak-passwords.