AI | jjoerlemans.com

On 12 March 2025, Europol published its latest EU Serious and Organised Crime Threat Assessment (EU SOCTA) report (.pdf). The report immediately caught my attention, as it highlights how the DNA of serious and organised crime is evolving due to several key factors:

Increasing entanglement between organised crime and state actors, leading to ‘hybrid threats’ that destabilise society.
The growing role of the internet and digital communication tools in facilitating more traditional criminal activities.
The acceleration of crime through emerging technologies such as artificial intelligence, which grant criminal networks new capabilities.

Europol concludes that these developments are transforming the tools, tactics, and structures employed by criminal organisations. This is reflected in the title of the report: ‘The changing DNA of serious and organised crime’.

This blog provides a summary of the report’s findings, particularly focusing on the intersection between organised crime and technology. Additionally, I have created a podcast on this topic with Notebook LM, and a Dutch version is available in .pdf format. The first episode of the official podcast by Europol is also about this report.

The EU SOCTA report identifies key threats to serious and organised crime in Europe. These threats include cyber-attacks, online fraud schemes, (online) child sexual exploitation, migrant smuggling, drug trafficking, firearms trafficking, and waste crime. The key threats encompass both crimes predominantly occurring in the digital and online realm, as well as more traditional crime areas involving physical trafficking and illicit cross-border activity. This summary focusses on crimes with a clear connection to the digital and online realm, following the same structure as the report.

1. Hybridisation of Organised Crime: Destabilising Society?

According to Europol, serious and organised crime has a dual destabilising effect on the EU and its Member States. It undermines and reduces trust in the EU’s economy, the rule of law, and society as a whole by generating illicit proceeds, spreading violence, and normalising corruption.

Hybrid threats

Criminal networks may be influenced by state actors and may target democratic processes, social cohesion, public security, or the rule of law. In some cases, it may also impact financial stability and economic prosperity. These are called ‘hybrid threats’ in the report.

Some states even provide safe havens for criminals in exchange for the services of criminals, allowing them to operate with impunity. This enables states to outsource crimes such as cyber-attacks, disinformation campaigns, and money laundering, making attribution more difficult.

Ransomware

Criminal networks contribute to hybrid threats through ransomware attacks on critical infrastructure, businesses, and government agencies. These attacks generate financial profits—often through cryptocurrency payments—while also disrupting services and undermining public trust.

Europol notes that ransomware attacks are becoming more targeted, focusing on private industries, critical infrastructure, and small-to-medium-sized businesses. Additionally, there has been a growing number of supply chain attacks. The ransomware landscape is also evolving due to law enforcement interventions, leading to fragmentation and rebranding of criminal groups.

Cyberespionage and desinformation

Criminal networks can also steal data on behalf of hybrid threat actors. By infiltrating secure systems, they might steal data of strategic importance for governance or business and provide hybrid threat actors with invaluable information that can be used for espionage, economic advantage, or even coercion.

Additionally, these networks are instrumental for propaganda campaigns aimed at spreading disinformation and influencing political systems. These networks can play a key role in disinformation campaigns, using fake social media accounts, coordinated troll operations, and manipulated news content to weaken democratic institutions from within.

Corruption

Criminal networks exploit corruption to secure protection from prosecution by trying to bribe law enforcement and the judiciary. This enables them to avoid arrests, obstruct investigations, and manipulate legal proceedings in their favour. Additionally, corrupt officials may provide criminals with classified information regarding operations, allowing them to evade detection and continue their activities with impunity. Beyond law enforcement and judiciary, public institutions are highly susceptible to infiltration by criminal networks.

Europol explains that corruption has adapted to the broader trends toward digitalisation and a crime-as-a-service model. Several issues become increasingly visible: the targeting of individuals with access to digital systems in public and private entities, the use of digital recruitment tactics, and the elevated role of corruption brokers. The recruitment of, and communication with corruptees takes place online. Bribes are transferred by criminally exploiting cryptocurrencies or fintech. In addition, individuals with access to digital systems become key targets for corruption as they can provide access to information relevant to the criminal enterprise.

2. Digitalisation of organised crime

Europol states that:

“Today, nearly all forms of serious and organised crime have a digital footprint.”

Criminal networks exploit digital infrastructure for recruitment, trade, and financial transactions. They use encrypted messaging apps to communicate, recruit members (including minors), and advertise illicit goods and services. These networks employ technical specialists to enhance their operations and evade law enforcement detection.

Europol identifies two primary forms of encrypted communication:

1. Dedicated criminal platforms – Platforms such as EncroChat, Sky ECC, Ghost and others provided a communication environment for serious and organised crime. Such systems are designed to provide an end-to-end encryption that prevents external interception

2. Mainstream communication tools – Criminals abuse end-to-end encrypted communication services, which are legally designed to protect users’ privacy. These over-the-top communication applications provide legitimate encryption, large user bases that allow criminals to blend in with ordinary users. Unlike the first category, these platforms or tools are not built for criminals, making it necessary for law enforcement to engage with private companies, navigate legal frameworks to investigate and disrupt criminal networks operating within them.

Recruitment and violence

Organised crime-related violence has intensified in certain regions, particularly in urban drug markets and port cities. Criminals use online platforms to recruit hitmen and coordinate violent attacks. Violence is now increasingly offered as a service and made possible by the availability of trafficked weapons.

Within criminal networks, low-ranking members commonly act as perpetrators, but violence is also outsourced to young perpetrators, assorted criminals, and professional hitmen or hit squads offering violence-as-a-service. They are contacted directly through a network of personal contacts, in prisons, or via intermediary contacts. Encrypted communications and online platforms are instrumental in finding and recruiting these executors.

Young perpetrators

Europol finds the involvement of young perpetrators in violent crimes of particular concern. The recruitment of young perpetrators, including young adolescents and children, into serious and organised crime and terrorism is not a new phenomenon. However, it has increasingly become a means used by criminal networks to remain out of reach of law enforcement and the judiciary.

Young perpetrators are frequently exploited in several criminal markets and in several roles. In cyber-attacks, script kiddies are influenced to conduct specific cyberactivities for a fee. In drug trafficking, young people are recruited in roles like dealers or couriers but also warehouse operators, and drug extractors from shipping containers. Young people are used as money mules, receiving and transferring illicit funds through their bank accounts, often in exchange for a small share of the money.

These young perpetrators are recruited through social media platforms and messaging applications, exploiting the anonymity and encryption they offer. Criminals use tactics to lure young people, including tailored language, coded communication, and gamification strategies. By glorifying a luxurious and violent lifestyle, they convince vulnerable young people to join their ranks.

3. The Role of Technology in Other Crimes

Europol’s report reveals surprising connections between technology and traditional crimes like human trafficking and firearms smuggling. For example, criminal networks use the internet to recruit victims, advertise illicit services, and exchange funds electronically. They also circulate forged identity documents online to facilitate trafficking.

AI and 3D printing technologies are increasing access to illicit firearms and enhancing weapon modification techniques. Encrypted communication platforms are expected to play a growing role in the trafficking of firearms and explosives.

Digital content piracy

Europol explains that the current cost-of-living crisis as well as the fragmentation of content across multiple legal streaming platforms prompt consumers to seek more cost-effective and unified packages regardless of their illegality.

Criminal networks often lease servers from legitimate hosting provider companies to ensure the anonymity and scalability of their operations. Others establish their own servers which may be outsourced to other criminal networks as a service. The increased use of anonymisation tools such as VPNs to avoid server blocks ordered by judicial or law enforcement authorities will continue to be a default modus operandi. Criminal actors also rely on a variety of professional expertise, mainly associated to information technology (IT) services such as technicians who build, operate and optimise the software and digital infrastructure for illegal streaming.

Digital pirates may also steal or purchase login credentials from legitimate subscribers — often sourced via phishing scams or data breaches — and then repackage multiple over-thetop libraries into a single, unauthorized service. They often use specialised software or devices to intercept and record live or on-demand streams, relaying the pirated content through internet protocol television (IPTV) servers or file-sharing platforms.

Online pharmaceuticals

Online platforms facilitate the sale of counterfeit falsified, substandard or fraudulently obtained legitimate medicines. These are often paid with cryptocurrencies, and the pharmaceuticals are delivered by postal and parcel services.

AI and technological advancements, including 3D printing, will continue to be leveraged by criminal networks to manufacture tablets.

4. Emerging Technologies and Organised Crime

Criminal organisations are quick to adopt emerging technologies, including artificial intelligence, to enhance their operations.

An “AI fraud epidemic”?

Europol described the current online fraud landscape as follows:

The scale of online fraud, driven by advancements in automation and AI, has reached an unprecedented magnitude and is projected to continue growing. Narratives are extremely realistic, crafted with the help of AI, and incorporating trending societal topics.

The scale of online fraud, driven by advancements in automation and AI, has reached an unprecedented magnitude and is projected to continue growing. Narratives are extremely realistic, crafted with the help of AI, and incorporating trending societal topics.

Investment fraud

Investment fraud is one of the most common and growing types of online fraud, nurtured through the use of digital tools and accelerated by new technologies. The main types are Ponzi schemes, pyramid schemes, and advance fee frauds. Cryptocurrencies remain the most significant investment fraud product in the EU. While fraudsters mostly target individuals, companies are also occasionally targeted. Criminal networks have been adapting the modus operandi to the availability of digital and AI tools and to exploit new and developing markets.

Internet-enabled investment fraud is becoming more prominent than unsolicited contacts, like cold calling. Online advertisements, including social media platforms, news sites and sponsored search engine results are the main advertisement channels used by criminal networks to attract victims.

Business email compromise

In business email compromise (BEC) cases, fraudsters gain unauthorised access to the mailbox of an employee to intercept and analyse information contained in official correspondence. Once email accounts are taken over, spoofed or new versions are created. Fraudsters request payment, misleading victim by closely resembling corporate communication style and accompanying their request with well-crafted, identical falsified documents such as invoices containing modified bank accounts.

Identity theft and identity fraud are an intrinsic part of the sophisticated and targeted scheme crafted around the victim. AI, including large language models (LLMs) and deepfakes, is creating new opportunities and capabilities for criminals active in BEC. As the rapid pace of technological development continues, BEC fraud is also expected to increase. Convincing fraud emails can be easily generated with the support of LLMs, while deepfake technologies, an emerging type of impersonation replicating people’s voices, images, and videos, are now being used in CEO fraud, in which fraudsters seek to trick an organisation’s employees by impersonating their CEO.

Romance fraud

Criminal actors from around the globe are actively involved in romance fraud. Victims seeking companionship are approached on social media or dating sites by fraudsters, who impersonate individuals using fake accounts and profiles

Romance scams are expected to increase in the future, accelerated by AI tools. Voice cloning technology, deepfakes, LLM-generated scripts, and AI-driven translation will all continue to enhance fraudulent schemes, creating new fake scenarios and social engineering techniques.

A ‘transformation in child sexual exploitation material’

Child sexual exploitation and the production and distribution of child sexual abuse material (CSAM) is transforming. By creating highly realistic synthetic media, criminals are able to deceive victims, impersonate individuals and discredit or blackmail targets. The addition of AI-powered voice cloning and live video deepfakes amplifies the threat, enabling new forms of fraud, extortion, and identity theft. These tools are easily accessible and do not require specific technical skills. The accessibility of AI tools has multiplied the volume of CSAM available online, creating challenges in the analysis of imagery and identification of offenders.

Generative AI has emerged as a new means to produce CSAM, leading to growing concerns. It can support the editing of existing CSAM and the creation of new content. Explicit pictures of adults can be manipulated to make the individual look younger or applications can ‘nudify’ non-explicit images. Text-to-video models have emerged, following the rapid development of text-to-image models. Given their pace of advancement, text-to-video technology is likely to evolve just as quickly. In one of the first cases of its kind, a suspect was recently arrested for running an online platform with AI generated CSAM which he produced and shared around the world (see also this press release about ‘Operation Cumberland’)

The majority of offenders take part in online communities on the dark web and clear web, including forums, groups, and chatrooms. They discuss abuse, fantasies, how to acquire original CSAM, techniques to groom children and tips related to operational security. Offenders also use online means other than chatrooms for one-on-one interactions, with different levels of encryption and data transfer methods.

Money laundering

In the financial realm, the emergence of blockchain technology and cryptocurrencies has been leveraged to facilitate payments and launder proceeds, supported by decentralised systems and unregulated exchanges.

Cash still features prominently in money laundering schemes today. Criminals often use cash-intensive businesses—such as restaurants, hotels, car washes—to mix illicit funds with the businesses’ legitimate income. When illicit proceeds are moved physically across borders, cash is often transported via cash couriers. Increasingly, young and vulnerable people are recruited, often via social media and gaming platforms, to act as money mules.

However, the criminal exploitation of cryptocurrency as a payment method now has moved beyond the scope of cybercrime, and is encountered increasingly in more traditional crime areas such as drug trafficking or migrant smuggling.

Europol also points out a mix of digital crime and traditional crime through the report. According to Europol, professional money launderers, increasingly with specialised knowledge in digital asset trading, have developed parallel, underground financial systems that operate outside the regulatory frameworks governing legal financial institutions.

Reflection: Methodology and a Word of caution

The EU SOCTA report is based on intelligence generated by Europol analysts from data from national law enforcement agencies. While many of its findings seem to align with criminological research and Dutch court cases relating to cryptophone operations, it is important to remember that the report is not a scientific study.

At the end of the report, there is a section: “Reflection of the academic advisory group”. This group mostly praises the report, but do have one important suggestion:

“While the current approach provides significant added value to policymakers and law enforcement agencies, the inclusion of even more peer-reviewed research, established theoretical frameworks, and interdisciplinary expertise would further enhance EU-SOCTA’s analytical depth and academic rigor”.

They welcome Europol’s decision to involve the academic community in refining the methodology for the next edition.

Involving the academic community is indeed a good step and presumably a big task. Academics will look at these contents from their own perspective and knowledge base.

For example, while the academic advisory group “particularly appreciated” the chapter on hybrid threats, I found this chapter particularly weak. The underlying message of “destabilising society” is very alarming, but I don’t think it is argued well, as it lacks clear definitions, evidence thresholds, and references. Statements about “undermining democracy” or “destabilising economies” are not well substantiated, raising questions about the frequency and impact of these threats. But then again, my view is also influenced by my own perspective, experiences, and research interests 😊!

Despite this criticism and questions, the report may provide valuable and new insights to policy makers and professionals seeking to understand the digital transformation of organised crime.

Voor het themanummer ‘AI en Recht’ van het tijdschrift Computerrecht, hebben Bart Schermer en ik een artikel geschreven over AI, strafrecht en het recht op een eerlijk proces (.pdf). Mijn annotatie over de veroordeling van de oprichter van Ennetcom in het Tijdschrift voor Bijzonder Strafrecht & Handhaving is ook hier (.pdf) te lezen.

Het artikel bespreekt eerst de zogenoemde ‘Ennetcom-casus’ en gaat daarna in op de inzet van kunstmatige intelligentie voor het (geautomatiseerd) nemen van strafvorderlijke beslissingen.

Ennetcom

In 2016 heeft het Nederlandse Team High Tech Crime een grote hoeveelheid gegevens (7 Terabyte) in beslag genomen van ‘Ennetcom’, een bedrijf dat werd verdacht van witwassen. Het Nederlandse bedrijf Ennetcom leverde diensten op het gebied van versleutelde communicatie. Tijdens een doorzoeking bij het bedrijf BitFlow Technologies Inc. in Canada (op basis van een rechtshulpverzoek) zijn 3,6 miljoen versleutelde berichten in beslag genomen die zijn verstuurd via zo’n 40.000 smartphones van naar schatting 19.000 klanten.

Klanten konden met speciale BlackBerry-telefoons, voorzien van specifieke software, versleutelde tekstberichten en notities versturen. De encryptiesleutels waren opgeslagen op de ‘Blackberry Enterprise Servers’ van Ennetcom. Deze servers bevonden zich bij BitFlow Technologies Inc. in Toronto, Canada. Na een rechtshulpverzoek van Nederland en een machtiging van een rechter-commissaris aan de Canadese autoriteiten zijn op 19 april 2016 de encryptiesleutels op de servers veilig gesteld zodat daarmee de berichten konden worden ontsleuteld door de Nederlandse opsporingsautoriteiten.

Het Nederlands Forensisch Instituut (NFI) heeft software ontwikkeld waarmee zeer grote hoeveelheden gegevens snel en diepgaand geanalyseerd kunnen worden. Datasets zijn snel te doorzoeken om zo verbanden te leggen tussen verschillende attributen, zoals gebruikersnamen, bijnamen, telefoonnummers en e-mailadressen. Hierdoor kunnen rechercheurs en analisten vele malen sneller en effectiever werken in een opsporingsonderzoek. De software, genaamd ‘Hansken’, is ook ingezet voor de analyse van de Ennetcom-data.

Verdachten worden in strafzaken geconfronteerd met belastend bewijs dat afkomstig is uit een grootschalige data-analyse met het Hansken systeem. In het artikel leggen wij uit dat het recht op een eerlijk proces in artikel 6 EVRM het deelrecht kan worden afgeleid dat de verdachte toegang moet hebben tot gegevens die tegen hem worden gebruikt in belastende en ontlastende zin. De verdediging moet daarbij de mogelijkheid hebben de gegevens met betrekking tot de verdachte te bestuderen en te betwisten. Het openbaar ministerie heeft volgens ons ook tot op zekere hoogte ook zelf een verantwoordelijkheid de technische mogelijkheden aan de verdediging te bieden om de gegevens in een strafproces te bestuderen en te betwisten.

De inrichting van een ‘data room’, waarbij de gegevens die betrekking hebben op de verdachte veilig en relatief eenvoudig kunnen worden geraadpleegd, betreft een voorstel die wij doen om aan het recht invulling te geven. In de toekomst zullen nog veel zaken volgen waarbij verdachten geconfronteerd worden met het resultaat van een grootschalige data-analyse die zijn veilig gesteld in andere strafzaken.

AI en geautomatiseerde besluitvorming

Naast geavanceerde data-analyse of data mining kan ook kunstmatige intelligentie worden toegepast in het kader van de opsporing en vervolging. Zo zijn er onder de noemer predictive policing tal van experimenten binnen de politie die er op gericht zijn om met behulp van kunstmatige intelligentie crimineel gedrag te voorspellen. Daarnaast kan kunstmatige intelligentie worden ingezet voor het nemen of ondersteunen van strafvorderlijke beslissingen door de officier van justitie, rechter-commissaris en rechter.

In het tweede deel gaan wij na in hoeverre de inzet van kunstmatige intelligentie raakt aan de beginselen van een eerlijk proces bij het geautomatiseerd nemen van strafvorderlijke beslissingen.

In het artikel leggen wij uit dat het in het bijzonder bij geautomatiseerde besluitvorming van belang is dat de motivering van de besluitvorming deugdelijk is. Dit betekent dat de gekozen toepassingen transparant, uitlegbaar en controleerbaar zijn.

Hoe deugdelijk de motivering van algoritmische besluitvorming in de praktijk moet zijn, is echter nog onduidelijk. Grofweg zijn er in de context van het strafrecht twee problemen met betrekking tot een voor deugdelijke motivering noodzakelijke transparantie van algoritmes, te weten 1) complexiteit, en 2) de angst voor manipulatie/misbruik. In het artikel gaan we verder in op deze problemen en leggen wij uit hoe met deze problemen kan worden omgegaan.

Gaming the system?

Met betrekking tot het tweede probleem is de angst dat kwaadwillenden het systeem gaan manipuleren of beïnvloeden om tot voor hen gunstige uitkomsten te komen (gaming the system). Inzicht in algoritmische besluitvorming kan daarmee de effectiviteit van de opsporing ondermijnen.

Het kabinet lijkt in haar bijlage bij een Kamerbrief uit oktober 2019 over algoritmes in de opsporing het transparantiebeginsel uit te zonderen door hen in een aparte categorie te plaatsen. In een meer recente beantwoording van Kamervragen over het gebruik van AI bij de politie wordt in punt 76 herhaald dat:

“het voor de politie in voorkomende gevallen noodzakelijk is om (delen van) de gegevensverwerking niet inzichtelijk te maken. Dit kan nodig zijn om te voorkomen dat personen zich kunnen onttrekken aan een effectieve taakuitoefening door de politie. Inzicht in de gebruikte analysemethode kan immers aanleiding zijn om het gedrag bewust zodanig aan te passen dat men in de gegevensanalyse buiten zicht blijft. Daarnaast kan geheimhouding nodig zijn omdat inzicht in de gegevensverwerking raakt aan de nationale veiligheid”

(deze antwoorden op Kamervragen zijn na het artikel gepubliceerd en daarom niet meegenomen in het artikel zelf).

Conclusie

Wij waarschuwen dat het voornemen van het kabinet om algoritmische besluitvorming in de opsporing niet te onderwerpen aan de eisen van transparantie en uitlegbaarheid zorgelijk zijn, omdat zij een bedreiging vormen voor de equality of arms en het recht op een eerlijk proces.

Ook in de opsporing moet een concrete invulling worden gegeven aan het recht op een eerlijk proces bij grootschalige data-analyes en het gebruik van algoritmes voor algoritmische besluitvorming. De komende jaren zullen we zien wat van deze invulling terecht komt.

Bart Schermer & Jan-Jaap Oerlemans

B.W. Schermer en J.J. Oerlemans – AI strafrecht en het recht op een eerlijk proces – 2020 Download

jjoerlemans.com

Tag AI

EU SOCTA report 2025 – The changing DNA of serious and organised crime