Asking how I first learned about cybercrime is like asking when I first noticed the room I was born in. It has always been there as a vivid backdrop to Nigeria’s urban culture. Where there was urban youth and the internet, there was cyber-fraud — or at least the rumor and fear of it. One time I showed too much interest in visiting a cybercafe nearby and a neighbor reported to my mum that I was veering too close to cybercrime. I have a friend who, as a kid, was flogged and humiliated on school grounds because he had a Yahoo e-mail account.
The fear of cybercrime goes in hand with economic hardship. Parents call their coming-of-age male children to private corners and give them the talk — don’t let the tough economy push you to cybercrime, it will get better.
Years later, as a tech journalist covering cybercrime and cybersecurity in Africa, I keep finding myself coming across the same relationship: Across many African countries, there is an almost direct relationship between cybercrime and bleak socioeconomic realities. At the risk of sounding simplistic, I dare say cybercrime in Africa isn’t so much a problem as it is a symptom.
A Vicious Cycle
In 2020, I covered a story about one of the largest booms in Nigeria’s cybercrime population. Essentially, as the pandemic led to a tightening in the economy, many young Nigerians at the cusp of economic independence were pushed into cybercrime. Every expert I spoke with emphasized that the issue was much broader than just Nigeria or West Africa.
As Ashraf Koheil, META director of Group-IB put it, “The economic challenges created by the pandemic made it difficult for a significant number of young, university-educated professionals to find legitimate work, leading some to join cybercriminal groups. These individuals have the capability to act as educators, passing on their digital skills with others, creating networks of cybercriminals who are able to launch wave upon wave of fraudulent attacks.”
Across Africa, tough economic realities during the pandemic led to more crime, especially cybercrime.
“The perpetrators always have a motive to enrich themselves and make personal selfish gains,” said Gilbert Nyandeje, head of the Africa Cyber Defense Forum. “There is no doubt that the major goal of these criminals is financial gain.”
To be clear, financial gain is the biggest driver for cybercrime across the world – roughly 80% of it – but in Africa, persistent socioeconomic issues exacerbate the situation.
On a larger scale, this system creates a vicious cycle that is difficult to break. As cybercrime continues to proliferate, it further damages the reputation of African countries in the eyes of the international community.
During the COVID-19 pandemic, economic conditions worsened across the continent. According to a report by ONE that analyzed socioeconomic conditions in fifteen African countries, one-third of workers stopped working during the pandemic and the remaining two-thirds of workers who managed to keep their jobs saw their income decrease between 11.5% and 15.6%. In Kenya, close to 900,000 people lost their jobs and 2 million slipped into poverty.
At the heart of this problem lies the economic challenges facing many African nations. Decades of high unemployment rates, low wages, and limited opportunities for upward mobility have created a situation where certain young Africans are willing to turn to cybercrime as a means of making money, even if they are aware of the risks involved. I know this all too well from personal experience. Growing up in proletariat Nigeria, I was constantly surrounded by people who were struggling to make ends meet. More than half of my friends and the kids I grew up with have engaged in cybercrime at some point in their lives. A vicious system creates vicious people. Not just in Africa, but across the world, African cyber threat groups have quite a population. Nigerians and by extension, West African cyber threat actors are known to be pioneers in Business Email Compromise (BEC) scams and advance-fee fraud, South Africa is known as a hub for organized cybercrime in Africa, and Kenya is fast gaining a reputation as a cybercrime hotspot.
Tough situations do not redeem the cyber criminals of the absolute carnage they unleash, which mostly ends up impacting ordinary people. African threat actors are known mostly for complex social engineering schemes whose recipients are ordinary people rather than systems or institutions. These people lose their savings, credit allowance, and social capital to the scams run by African threat actors. Behind every cyberattack, there are real people with real lives and families who are affected by the consequences. And nothing excuses the devastating effects on their lives.
But understanding the larger picture of what drives cybercrime in Africa is important to fixing it. Unlike threat groups from many other countries who can have a plethora of motivations, before anything else, African cybercriminals are financially-driven.
I know too many friends and relatives who say they do cybercrime because they need to make the next check somehow. Yet, the fight against cybercrime has focused more heavily on whack-a-mole than fixing the institutional issues that drive the problem.
The Challenges To Combatting Cybercrime
One challenge in combating cybercrime in Africa is that many of the actors are decentralized and have brute force in their population. These groups are often barely funded, loosely-organized, and rely largely on their impressive social engineering skills and off-the-shelf tools accessed on the dark web. All that and they have nimble adaptation.
“It influences the type of cybercrime individuals are engaged in,” said Ashraf. “The most common types of attacks that we at Group-IB see in Africa are online scams, phishing, and business email compromise.”
Their sophistication – or lack thereof – is synonymous with the socioeconomic issues driving them. For many young Africans, the lure of cybercrime can be very strong, especially as it is normalized in music and fashion, and exacerbated by contemporary numbness to morality.
On a larger scale, this system creates a vicious cycle that is difficult to break. As cybercrime continues to proliferate, it further damages the reputation of African countries in the eyes of the international community. This, in turn, leads to increased discrimination against Africans looking for work internationally, making it even harder for them to escape the economic state that led them there in the first place. In a way, they are not different from the neighbor who reported my visit to the cybercafe to my mum, or my friend’s proprietor who beat him for opening a Yahoo account because it seemed like the first step to becoming a Yahoo boy — Nigerian slang for petty cybercriminals.
This problem cannot be solved without addressing the underlying economic factors that drive it. Until African countries can provide their citizens with better opportunities for education, employment, and upward mobility, cybercrime will continue to be a tempting option for those who are struggling to make ends meet.
Both Gilbert and Ashraf are experts who have spent decades helping institutions fight African cybercriminals, and they both outlined recent progress in investigations and law enforcement efforts, but they also noted how fast the cybercriminals were evolving to escape whack-a-mole law enforcement efforts. “Now, cybercriminals in Africa are more sophisticated and organized, resembling those from other global regions,” said Ashraf. Gilbert noted how they were “getting more sophisticated tools to further their selfish gains.”
There is an existential bane in trying to thwart cybercrime in African countries without creating overall better economic situations. But addressing the root causes is easier said than done. The challenges facing many African countries are complex and multifaceted, requiring a comprehensive approach that includes everything from education and training programs to infrastructure development and economic policy reform, all at a scale large enough to daunt anyone. And even with these measures in place, there is no guarantee that cybercrime will be completely eliminated.
What is clearer to me, as a young African and cybersecurity reporter, however, is that better socioeconomic conditions would have prevented this from becoming the menace it is today.
While government and stakeholders focus resources on arrests, every day, it becomes harder to refuse to participate in cybercrime as economic conditions continue to worsen. This is obvious from the many people I see, every day, who accept cybercrime as a valid means to escape poverty. For each person arrested, I’m afraid, two more are recruited.
We need to approach the fight against cybercrime within the context of broader societal dysfunction.