Tag LLM

EU SOCTA report 2025 – The changing DNA of serious and organised crime

jjoerlemans

On 12 March 2025, Europol published its latest EU Serious and Organised Crime Threat Assessment (EU SOCTA) report (.pdf). The report immediately caught my attention, as it highlights how the DNA of serious and organised crime is evolving due to several key factors:

  1. Increasing entanglement between organised crime and state actors, leading to ‘hybrid threats’ that destabilise society.
  2. The growing role of the internet and digital communication tools in facilitating more traditional criminal activities.
  3. The acceleration of crime through emerging technologies such as artificial intelligence, which grant criminal networks new capabilities.

Europol concludes that these developments are transforming the tools, tactics, and structures employed by criminal organisations. This is reflected in the title of the report: ‘The changing DNA of serious and organised crime’.

This blog provides a summary of the report’s findings, particularly focusing on the intersection between organised crime and technology. Additionally, I have created a podcast on this topic with Notebook LM, and a Dutch version is available in .pdf format. The first episode of the official podcast by Europol is also about this report.

The EU SOCTA report identifies key threats to serious and organised crime in Europe. These threats include cyber-attacks, online fraud schemes, (online) child sexual exploitation, migrant smuggling, drug trafficking, firearms trafficking, and waste crime. The key threats encompass both crimes predominantly occurring in the digital and online realm, as well as more traditional crime areas involving physical trafficking and illicit cross-border activity. This summary focusses on crimes with a clear connection to the digital and online realm, following the same structure as the report.

1. Hybridisation of Organised Crime: Destabilising Society?

According to Europol, serious and organised crime has a dual destabilising effect on the EU and its Member States. It undermines and reduces trust in the EU’s economy, the rule of law, and society as a whole by generating illicit proceeds, spreading violence, and normalising corruption.

Hybrid threats

Criminal networks may be influenced by state actors and may target democratic processes, social cohesion, public security, or the rule of law. In some cases, it may also impact financial stability and economic prosperity. These are called ‘hybrid threats’ in the report.

Some states even provide safe havens for criminals in exchange for the services of criminals, allowing them to operate with impunity. This enables states to outsource crimes such as cyber-attacks, disinformation campaigns, and money laundering, making attribution more difficult.

Ransomware

Criminal networks contribute to hybrid threats through ransomware attacks on critical infrastructure, businesses, and government agencies. These attacks generate financial profits—often through cryptocurrency payments—while also disrupting services and undermining public trust.

Europol notes that ransomware attacks are becoming more targeted, focusing on private industries, critical infrastructure, and small-to-medium-sized businesses. Additionally, there has been a growing number of supply chain attacks. The ransomware landscape is also evolving due to law enforcement interventions, leading to fragmentation and rebranding of criminal groups.

Cyberespionage and desinformation

Criminal networks can also steal data on behalf of hybrid threat actors. By infiltrating secure systems, they might steal data of strategic importance for governance or business and provide hybrid threat actors with invaluable information that can be used for espionage, economic advantage, or even coercion.

Additionally, these networks are instrumental for propaganda campaigns aimed at spreading disinformation and influencing political systems. These networks can play a key role in disinformation campaigns, using fake social media accounts, coordinated troll operations, and manipulated news content to weaken democratic institutions from within.

Corruption

Criminal networks exploit corruption to secure protection from prosecution by trying to bribe law enforcement and the judiciary. This enables them to avoid arrests, obstruct investigations, and manipulate legal proceedings in their favour. Additionally, corrupt officials may provide criminals with classified information regarding operations, allowing them to evade detection and continue their activities with impunity. Beyond law enforcement and judiciary, public institutions are highly susceptible to infiltration by criminal networks.

Europol explains that corruption has adapted to the broader trends toward digitalisation and a crime-as-a-service model. Several issues become increasingly visible: the targeting of individuals with access to digital systems in public and private entities, the use of digital recruitment tactics, and the elevated role of corruption brokers. The recruitment of, and communication with corruptees takes place online. Bribes are transferred by criminally exploiting cryptocurrencies or fintech. In addition, individuals with access to digital systems become key targets for corruption as they can provide access to information relevant to the criminal enterprise.

2. Digitalisation of organised crime

Europol states that:

“Today, nearly all forms of serious and organised crime have a digital footprint.”

Criminal networks exploit digital infrastructure for recruitment, trade, and financial transactions. They use encrypted messaging apps to communicate, recruit members (including minors), and advertise illicit goods and services. These networks employ technical specialists to enhance their operations and evade law enforcement detection.

Europol identifies two primary forms of encrypted communication:

1. Dedicated criminal platforms – Platforms such as EncroChat, Sky ECC, Ghost and others provided a communication environment for serious and organised crime. Such systems are designed to provide an end-to-end encryption that prevents external interception

2. Mainstream communication tools – Criminals abuse end-to-end encrypted communication services, which are legally designed to protect users’ privacy. These over-the-top communication applications provide legitimate encryption, large user bases that allow criminals to blend in with ordinary users. Unlike the first category, these platforms or tools are not built for criminals, making it necessary for law enforcement to engage with private companies, navigate legal frameworks to investigate and disrupt criminal networks operating within them.

Recruitment and violence

Organised crime-related violence has intensified in certain regions, particularly in urban drug markets and port cities. Criminals use online platforms to recruit hitmen and coordinate violent attacks. Violence is now increasingly offered as a service and made possible by the availability of trafficked weapons.

Within criminal networks, low-ranking members commonly act as perpetrators, but violence is also outsourced to young perpetrators, assorted criminals, and professional hitmen or hit squads offering violence-as-a-service. They are contacted directly through a network of personal contacts, in prisons, or via intermediary contacts. Encrypted communications and online platforms are instrumental in finding and recruiting these executors.

Young perpetrators

Europol finds the involvement of young perpetrators in violent crimes of particular concern. The recruitment of young perpetrators, including young adolescents and children, into serious and organised crime and terrorism is not a new phenomenon. However, it has increasingly become a means used by criminal networks to remain out of reach of law enforcement and the judiciary.

Young perpetrators are frequently exploited in several criminal markets and in several roles. In cyber-attacks, script kiddies are influenced to conduct specific cyberactivities for a fee. In drug trafficking, young people are recruited in roles like dealers or couriers but also warehouse operators, and drug extractors from shipping containers. Young people are used as money mules, receiving and transferring illicit funds through their bank accounts, often in exchange for a small share of the money.

These young perpetrators are recruited through social media platforms and messaging applications, exploiting the anonymity and encryption they offer. Criminals use tactics to lure young people, including tailored language, coded communication, and gamification strategies. By glorifying a luxurious and violent lifestyle, they convince vulnerable young people to join their ranks.

3. The Role of Technology in Other Crimes

Europol’s report reveals surprising connections between technology and traditional crimes like human trafficking and firearms smuggling. For example, criminal networks use the internet to recruit victims, advertise illicit services, and exchange funds electronically. They also circulate forged identity documents online to facilitate trafficking.

AI and 3D printing technologies are increasing access to illicit firearms and enhancing weapon modification techniques. Encrypted communication platforms are expected to play a growing role in the trafficking of firearms and explosives.

Digital content piracy

Europol explains that the current cost-of-living crisis as well as the fragmentation of content across multiple legal streaming platforms prompt consumers to seek more cost-effective and unified packages regardless of their illegality.

Criminal networks often lease servers from legitimate hosting provider companies to ensure the anonymity and scalability of their operations. Others establish their own servers which may be outsourced to other criminal networks as a service. The increased use of anonymisation tools such as VPNs to avoid server blocks ordered by judicial or law enforcement authorities will continue to be a default modus operandi. Criminal actors also rely on a variety of professional expertise, mainly associated to information technology (IT) services such as technicians who build, operate and optimise the software and digital infrastructure for illegal streaming.

Digital pirates may also steal or purchase login credentials from legitimate subscribers — often sourced via phishing scams or data breaches — and then repackage multiple over-thetop libraries into a single, unauthorized service. They often use specialised software or devices to intercept and record live or on-demand streams, relaying the pirated content through internet protocol television (IPTV) servers or file-sharing platforms.

Online pharmaceuticals

Online platforms facilitate the sale of counterfeit falsified, substandard or fraudulently obtained legitimate medicines. These are often paid with cryptocurrencies, and the pharmaceuticals are delivered by postal and parcel services.

AI and technological advancements, including 3D printing, will continue to be leveraged by criminal networks to manufacture tablets.

4. Emerging Technologies and Organised Crime

Criminal organisations are quick to adopt emerging technologies, including artificial intelligence, to enhance their operations.

An “AI fraud epidemic”?

Europol described the current online fraud landscape as follows:

The scale of online fraud, driven by advancements in automation and AI, has reached an unprecedented magnitude and is projected to continue growing. Narratives are extremely realistic, crafted with the help of AI, and incorporating trending societal topics.

The scale of online fraud, driven by advancements in automation and AI, has reached an unprecedented magnitude and is projected to continue growing. Narratives are extremely realistic, crafted with the help of AI, and incorporating trending societal topics.

Investment fraud

Investment fraud is one of the most common and growing types of online fraud, nurtured through the use of digital tools and accelerated by new technologies. The main types are Ponzi schemes, pyramid schemes, and advance fee frauds. Cryptocurrencies remain the most significant investment fraud product in the EU. While fraudsters mostly target individuals, companies are also occasionally targeted. Criminal networks have been adapting the modus operandi to the availability of digital and AI tools and to exploit new and developing markets.

Internet-enabled investment fraud is becoming more prominent than unsolicited contacts, like cold calling. Online advertisements, including social media platforms, news sites and sponsored search engine results are the main advertisement channels used by criminal networks to attract victims.

Business email compromise

In business email compromise (BEC) cases, fraudsters gain unauthorised access to the mailbox of an employee to intercept and analyse information contained in official correspondence. Once email accounts are taken over, spoofed or new versions are created. Fraudsters request payment, misleading victim by closely resembling corporate communication style and accompanying their request with well-crafted, identical falsified documents such as invoices containing modified bank accounts.

Identity theft and identity fraud are an intrinsic part of the sophisticated and targeted scheme crafted around the victim. AI, including large language models (LLMs) and deepfakes, is creating new opportunities and capabilities for criminals active in BEC. As the rapid pace of technological development continues, BEC fraud is also expected to increase. Convincing fraud emails can be easily generated with the support of LLMs, while deepfake technologies, an emerging type of impersonation replicating people’s voices, images, and videos, are now being used in CEO fraud, in which fraudsters seek to trick an organisation’s employees by impersonating their CEO.

Romance fraud

Criminal actors from around the globe are actively involved in romance fraud. Victims seeking companionship are approached on social media or dating sites by fraudsters, who impersonate individuals using fake accounts and profiles

Romance scams are expected to increase in the future, accelerated by AI tools. Voice cloning technology, deepfakes, LLM-generated scripts, and AI-driven translation will all continue to enhance fraudulent schemes, creating new fake scenarios and social engineering techniques.

A ‘transformation in child sexual exploitation material’

Child sexual exploitation and the production and distribution of child sexual abuse material (CSAM) is transforming. By creating highly realistic synthetic media, criminals are able to deceive victims, impersonate individuals and discredit or blackmail targets. The addition of AI-powered voice cloning and live video deepfakes amplifies the threat, enabling new forms of fraud, extortion, and identity theft. These tools are easily accessible and do not require specific technical skills. The accessibility of AI tools has multiplied the volume of CSAM available online, creating challenges in the analysis of imagery and identification of offenders.

Generative AI has emerged as a new means to produce CSAM, leading to growing concerns. It can support the editing of existing CSAM and the creation of new content. Explicit pictures of adults can be manipulated to make the individual look younger or applications can ‘nudify’ non-explicit images. Text-to-video models have emerged, following the rapid development of text-to-image models. Given their pace of advancement, text-to-video technology is likely to evolve just as quickly. In one of the first cases of its kind, a suspect was recently arrested for running an online platform with AI generated CSAM which he produced and shared around the world (see also this press release about ‘Operation Cumberland’)

The majority of offenders take part in online communities on the dark web and clear web, including forums, groups, and chatrooms. They discuss abuse, fantasies, how to acquire original CSAM, techniques to groom children and tips related to operational security. Offenders also use online means other than chatrooms for one-on-one interactions, with different levels of encryption and data transfer methods.

Money laundering

In the financial realm, the emergence of blockchain technology and cryptocurrencies has been leveraged to facilitate payments and launder proceeds, supported by decentralised systems and unregulated exchanges.

Cash still features prominently in money laundering schemes today. Criminals often use cash-intensive businesses—such as restaurants, hotels, car washes—to mix illicit funds with the businesses’ legitimate income. When illicit proceeds are moved physically across borders, cash is often transported via cash couriers. Increasingly, young and vulnerable people are recruited, often via social media and gaming platforms, to act as money mules.

However, the criminal exploitation of cryptocurrency as a payment method now has moved beyond the scope of cybercrime, and is encountered increasingly in more traditional crime areas such as drug trafficking or migrant smuggling.

Europol also points out a mix of digital crime and traditional crime through the report. According to Europol, professional money launderers, increasingly with specialised knowledge in digital asset trading, have developed parallel, underground financial systems that operate outside the regulatory frameworks governing legal financial institutions.

Reflection: Methodology and a Word of caution

The EU SOCTA report is based on intelligence generated by Europol analysts from data from national law enforcement agencies. While many of its findings seem to align with criminological research and Dutch court cases relating to cryptophone operations, it is important to remember that the report is not a scientific study.

At the end of the report, there is a section: “Reflection of the academic advisory group”. This group mostly praises the report, but do have one important suggestion:

“While the current approach provides significant added value to policymakers and law enforcement agencies, the inclusion of even more peer-reviewed research, established theoretical frameworks, and interdisciplinary expertise would further enhance EU-SOCTA’s analytical depth and academic rigor”.

They welcome Europol’s decision to involve the academic community in refining the methodology for the next edition.

Involving the academic community is indeed a good step and presumably a big task. Academics will look at these contents from their own perspective and knowledge base.

For example, while the academic advisory group “particularly appreciated” the chapter on hybrid threats, I found this chapter particularly weak. The underlying message of “destabilising society” is very alarming, but I don’t think it is argued well, as it lacks clear definitions, evidence thresholds, and references. Statements about “undermining democracy” or “destabilising economies” are not well substantiated, raising questions about the frequency and impact of these threats. But then again, my view is also influenced by my own perspective, experiences, and research interests 😊!

Despite this criticism and questions, the report may provide valuable and new insights to policy makers and professionals seeking to understand the digital transformation of organised crime.

Europol waarschuwt over het gevaar van ChatGPT en Large Language Models

jjoerlemans

Op 27 maart 2023 heeft Europol het rapport ‘ChatGPT. The impact of Large Language Model on Law Enforcement’ gepubliceerd.

ChatGPT (versie GPT-3.5) kan tekst verwerken en genereren in antwoord op opdrachten (‘prompts’) van gebruikers. Het kan vragen beantwoorden over uiteenlopende onderwerpen, tekst vertalen, conversaties aangaan en tekst samenvatten om de belangrijkste punten aan te geven. Het kan daarnaast sentimentanalyse uitvoeren, tekst genereren op basis van een gegeven opdracht (bijvoorbeeld een verhaal of gedicht schrijven), en code uitleggen, produceren en verbeteren in enkele van de meest gangbare programmeertalen (Python, Java, C++, JavaScript, PHP, Ruby, HTML, CSS, SQL). In essentie is ChatGPT dus erg goed in het begrijpen van menselijke input, rekening houdend met de context, en het produceren van bruikbare antwoorden. In maart 2023 lanceerde het bedrijf OpenAI overigens voor abonnees van ChatGPT Plus zijn nieuwste model, GPT-4. Volgens OpenAI is GPT-4 in staat om meer geavanceerde problemen nauwkeuriger op te lossen en kan het beelden als input verwerken, classificeren en analyseren.

De beveiligingsmechanismen van ChatGPT om kwaadwillend gebruik van het model te beperken kunnen relatief eenvoudig worden omzeild. Volgens Europol kan ChatGPT worden gebruikt om verschillende soorten misdrijven beter uit te voeren. Als een potentiële crimineel niets weet over een bepaald misdaadgebied, kan ChatGPT het onderzoeksproces aanzienlijk versnellen door het aanbieden van belangrijke informatie die dan in volgende stappen verder kunnen worden onderzocht. Als zodanig kan ChatGPT worden gebruikt om te leren over een groot aantal potentiële misdaadgebieden zonder voorkennis. Het biedt nieuwe mogelijkheden, met name voor misdrijven door middel van ‘social engineering’, phishing en online fraude, maar ook voor het genereren van propaganda, desinformatie en nepnieuws.   

Waarbij vroeger bijvoorbeeld een eenvoudige phishing-zwendel gemakkelijker was op te sporen vanwege duidelijke grammaticale en spelfouten, is het nu mogelijk om zich op een zeer realistische manier voor te doen als een organisatie of individu, zelfs met slechts een basiskennis van de Engelse taal. Ook kan de stijl van berichten worden aangepast. Het vermogen van ChatGPT om natuurlijke taal te transformeren in werkende code werd snel uitgebuit door kwaadwillenden door code voor malware te produceren. Dit maakt ChatGPT volgens Europol tot een instrument voor cybercriminelen.

In de toekomst kan de universele beschikbaarheid van grote taalmodellen nog meer uitdagingen met zich meebrengen. Europol wijst op de integratie van andere AI-diensten (zoals voor het genereren van synthetische media). Een voorbeeld zijn multimodale AI-systemen, die conversationele chatbots combineren met systemen die synthetische media kunnen produceren, zoals zeer overtuigende deepfakes, of systemen die zintuiglijke vermogens zoals zien en horen omvatten. De Europese politiedienst wijst ook op de opkomst van “dark LLM’s”, die op het dark web kunnen worden gehost om een chatbot te leveren zonder enige beveiliging, alsmede LLM’s die worden getraind op bepaalde – wellicht bijzonder schadelijke – gegevens. Opsporingsinstanties zullen zich hierop moeten voorbereiden, onder andere door bewustwording en het ontwikkelen van vaardigheden om zelf deze technologie voor de eigen taakuitvoering te gebruiken.