- Cybercrime has become a converged criminal economy, linking ransomware, fraud, trafficking, money laundering and organized crime.
- Isolated technical responses are inadequate; defenders need shared intelligence, public-private cooperation and cross-domain coordination.
- Disruption should target criminal ecosystems: infrastructure, financial flows, service providers, recruitment channels and physical operating networks.
Cybercrime is evolving into a converged criminal economy that connects online fraud, ransomware, extortion, money laundering, human trafficking, organized crime and, in some cases, state-aligned activity.
This convergence changes the nature of the threat. Criminal groups are not merely adopting new tools. They are combining capabilities, sharing infrastructure and building operating models that span technical, geographic and jurisdictional boundaries. The same ecosystem that supports credential theft or ransomware can also fund scam compounds, exploit trafficked labor, move illicit proceeds and goods, and enable broader organized crime.
For defenders, this requires a radical shift in thinking. Cybercrime can no longer be treated as a series of isolated technical incidents. It is an economic system with supply chains, service providers, affiliates, recruiters, money movers and physical infrastructure. Disrupting it requires a shared understanding of how these networks operate, supported by coordinated action across cybersecurity, law enforcement, government, financial institutions, civil society and the private sector.
Cybercrime convergence is accelerating
Convergence is happening in several ways at once. The first trend is the convergence of cybercriminal platforms and threat actor capabilities. Groups that once had separate and specific areas of expertise are now collaborating or sharing services. Some specialize in social engineering, while others focus on SaaS intrusion, credential theft, ransomware, data extortion or monetization. When these skills are combined, the operation becomes more agile and more dangerous.
A group with strong intrusion capabilities can become significantly more effective when paired with another group that specializes in ransomware or extortion. Criminal marketplaces and cybercrime-as-a-service platforms worsen this problem by providing specialized tools and access to a wider range of actors. The result is a more modular, professionalized criminal ecosystem.
Collaboration among threat actors
A second form of convergence is emerging between cybercrime and advanced persistent threat activity. State-aligned and criminal actors may have different motivations, but their methods, infrastructure and enabling services increasingly overlap. This convergence makes attribution harder, complicates response and gives criminal actors access to techniques once associated primarily with nation-state operations.
This is one reason the World Economic Forum’s Cybercrime Atlas is so valuable. Hosted by the Forum’s Centre for Cybersecurity, the Cybercrime Atlas uses open-source intelligence (OSINT) and shared expertise to map cybercriminal networks, infrastructure, services and monetization pathways, helping public- and private-sector stakeholders better understand and disrupt cybercrime ecosystems.
A third type of convergence is the increasing connection between cybercrime and physical crime, where the impact has become especially clear. Scam farms in Southeast Asia demonstrate how online fraud, human trafficking, forced labour, money laundering and physical coercion can all be integrated into a single criminal operation. These are not merely digital scams but human exploitation networks driven by cyber-enabled criminal activities.
In these environments, people may be recruited under false pretences, trafficked, detained and forced to engage in large-scale online fraud. Cybercrime revenue funds the construction of compounds, logistics, bribery, recruitment channels and the overall criminal infrastructure that sustain these activities. Victims are not only those who lose money to scams but also the people forced into executing them.
Disruption is possible, but it requires shared action
The good news is that coordinated disruption is effective, as demonstrated by INTERPOL’s Operation Red Card 2.0. Executed from December 2025 to January 2026, this operation united law enforcement agencies from 16 African countries, resulting in 651 arrests and the recovery of over $4.3 million. It focused on infrastructure and individuals involved in high-yield investment scams, mobile money fraud and fake mobile loan apps.
These operations are important because they do more than just make arrests. They target the underlying systems that support cybercrime, such as infrastructure, financial channels, devices, accounts and physical assets. This approach is crucial, especially when the threat functions as an ecosystem.
The U.S. Department of Justice has taken action through its Scam Centre Strike Force, targeting Southeast Asian scam centres that target Americans. These initiatives not only seek to prosecute individual perpetrators but also dismantle the underlying infrastructure, financial channels and criminal networks responsible for extensive fraud.
Singapore’s anti-scam efforts offer another useful model. ScamShield is a joint effort by the Ministry of Home Affairs, the Singapore Police Force, Open Government Products and the National Crime Prevention Council, combining public education, reporting channels and operational tools to help citizens identify and respond to scams.
While these efforts are not identical, they share a common principle: cybercrime disruption improves when information moves faster than the criminal ecosystem can adapt.
The Cybercrime Atlas shows why a shared map matters
Cybercriminal networks depend on a fragmented response ecosystem. Different organizations witness different aspects of a cyber incident: one might see the phishing domain, another the infrastructure provider, a bank sees the fraudulent transfer, law enforcement receives the victim’s report, a nonprofit sees indicators of human trafficking and cybersecurity firms see the malware, command-and-control infrastructure, or the actor’s behavior.
Individually, these signals might appear incomplete, but collectively, they can reveal the operating model. That is the value of initiatives like the Cybercrime Atlas. By charting the cybercriminal ecosystem, the community can identify relationships among threat actors, infrastructure, marketplaces, criminal services and monetization chains. In May 2026, the Cybercrime Atlas community introduced Cosmos, an open-source map of the cybercrime ecosystem designed to foster shared understanding and facilitate coordinated responses.
This shared ecosystem view is crucial because defenders don’t need to eliminate every criminal actor immediately to have an impact. Instead, they can target chokepoints, identify shared infrastructure, expose service providers, disrupt financial transactions and help law enforcement link digital evidence to physical operations. That is how disruption becomes scalable.
The importance of fusion
At Fortinet, our work with global partners has reinforced a key point: cyber intelligence becomes more powerful when it is integrated with other forms of intelligence.
Fortinet’s threat research and telemetry provide visibility into cybercriminal infrastructure, malware, campaigns, techniques and actor behavior. Organizations such as Crimestoppers International bring decades of expertise in physical crime reporting, community-based intelligence and tips related to real-world criminal activities. Merging these viewpoints provides an opportunity to enhance understanding of the overlaps between cybercrime and physical crime.
That is the idea behind a fusion-center approach. Cybercrime intelligence, law enforcement insight, financial indicators, victim reporting, NGO data and physical crime tips can help reveal connections that no single participant can see on their own.
This is especially critical in cases involving scams, sextortion, trafficking and other types of exploitation. Interrupting the cyber component can diminish funding for activities that cause physical harm, while disrupting the physical infrastructure can limit the ability to carry out cyber-enabled fraud. These are not separate efforts. They are interconnected components of the same disruption strategy.
The next phase: converged crime targeting converged systems
The convergence of crime is also relevant to the future of technology. As physical AI (systems that interact with the physical world, such as industrial equipment, medical systems, supply chains, logistics networks and robotics) becomes more distributed, with AI models and compute moving closer to the edge, it delivers major benefits such as real-time signal processing, faster pattern detection and more autonomous decision-making.
But these systems also create new dependencies. When AI is integrated with physical infrastructure, a cyber intrusion can have consequences beyond data theft or system downtime. It can affect production, logistics, healthcare delivery, safety systems and the movement of goods. That makes these environments especially attractive targets for converged criminal actors who already know how to combine cyber intrusion, fraud, extortion and physical-world exploitation.
This is a strategic warning. As organizations deploy more connected, autonomous and distributed systems, security and resilience must account for both cyber and physical exposures. The actors targeting these systems will not respect the boundaries among IT, OT, the supply chain, fraud and organized crime.
What organizations can do now
Organizations have a critical role to play beyond improving their own defences.
1. They should share threat intelligence through trusted channels. Indicators, infrastructure details, actor behaviours, fraud patterns and observed tactics become more valuable when connected to data from other organizations.
2. They should report cyber incidents and attempted fraud. Underreporting benefits criminal groups. Even when an incident seems minor, timely reporting helps law enforcement and industry partners identify broader campaigns, infrastructure reuse and victim patterns.
3. Organizations should participate in public-private partnerships. Cybercrime is too distributed for any single company, government or agency to address alone. Initiatives such as the World Economic Forum’s Partnership Against Cybercrime and Cybercrime Atlas provide mechanisms for shared research, coordination and disruption.
4. They must foster cross-domain collaboration. Cybersecurity teams need established channels with fraud, legal and financial departments, as well as with financial institutions, law enforcement, NGOs and specialized information-sharing groups. Addressing converged crimes requires integrated responses. Isolated efforts are insufficient.
5. Organizations should focus on disruption, not just prevention. While prevention remains necessary, it is not enough. The broader objective is to increase friction across the criminal ecosystem. That means making infrastructure harder to reuse, money harder to move, victims harder to exploit and criminal operations harder to scale.
A converged response
Cybercrime has become a networked, transnational and increasingly converged enterprise. Our response must reflect that reality.
As with our cyber adversaries, our advantage lies in collaboration. We can share intelligence, correlate signals, support law enforcement, report incidents and participate in collective initiatives that map, expose and disrupt criminal ecosystems. The goal is not only to stop attacks after they reach individual organizations but also to make cybercrime less profitable, less scalable and less able to fund broader harm.
That requires a converged response: cybersecurity expertise, law enforcement action, financial intelligence, civil society insight and global cooperation, all working together against a shared criminal economy.
