Hybrid cyber/physical criminal operations – where network intrusions meet the physical world

1 September 2016

At some stage, almost every crime committed online has a physical element, often when the money obtained is used to purchase commodities. Of course crime ranges across a spectrum that blends digital and physical elements, often in unequal divisions. For example the recent exploitation of the SWIFT network in the Bangladesh Bank heist is an example of a fully online crime. At the other end of the spectrum, many crimes are entirely physical in nature and have no online component, such as a traditional armed robbery. However, some criminal actors adopt a hybrid approach in which a physical operation is facilitated by a network intrusion. A recent example has been the use of malware to facilitate the theft of cash from Taiwanese and Thai ATMs. This approach can demonstrably enhance the capability of “traditional” criminals to minimize risk, as well as maximize effectiveness and profitability.

The spectrum of physicality

There are many ways to steal money from a bank – you can walk in with a gun and hold up a cashier, harvest card information using an ATM skimmer, or compromise the banks network and use legitimate processes to effect transfers to accounts that you control, among many others. All of these approaches take place on a spectrum defined by the level of physical commitment required. Hybrid cyber/physical operations, where the physical aspect and the online aspect of an operation are co-dependent and are both required for success, occupy the middle ground in this spectrum.

Hybrid operations 

Although robbing a bank is an obvious example, hybrid operations could involve a range of approaches and objectives, such as using a network intrusion to obtain information to facilitate a break-in, geolocating high-value assets within an organization prior to a heist, or gathering information online relating to a target individual in order to facilitate a physical attack.

Planning and organization

Hybrid operations require access to both network operators and personnel willing to take the risks associated with the physical side of the operation – and require that these teams be coordinated. This type of approach is therefore likely to only be viable for organized criminal groups with sufficient capital, both financial and reputational, to hire or retain the necessary personnel. This type of operation would therefore be very well suited to, for example, an existing criminal group with experience in conducting traditional crime seeking to improve its capabilities by hiring technically proficient personnel. The technical operator can take on tasks that would otherwise have to be done physically, such as reconnaissance. Network intrusions can also be used to remove many of the barriers to success the group might face, thereby both reducing risk and increasing operational efficiency. This fusion approach is highly effective and has been used by NATO Special Operations Forces in military operations – specifically in the use of technical capabilities, such as Signals Intelligence (SIGINT), to locate a high-value target in order to facilitate a physical interdiction.


Hybrid operations do not change the basic nature of crime – robbing a bank is essentially the same crime however you do it – but they do involve the incorporation of new techniques to make criminal operations less risky and more efficient. Although they tend to be thought of in isolation, network operations of all types are just a tool used by threat actors to achieve a particular objective, and these objectives needn’t have changed from the days of Butch Cassidy and the Wild Bunch.