What it is
In cybercrime, the affiliate model mirrors legitimate partner programmes. A core group supplies malware, infrastructure, and payment handling, while affiliates perform intrusion, lateral movement, and extortion. Profits are split according to agreed percentages, incentivising rapid and widespread attacks.
Why it matters
The affiliate model scales cybercrime efficiently. It enables rapid innovation, parallel attacks, and global reach without central coordination of every operation. This structure is a key reason ransomware and extortion campaigns have become persistent, adaptable, and difficult to dismantle.
How to reduce risk
- Focus on preventing early-stage intrusion rather than payload detection alone.
- Monitor for attacker behaviours linked to affiliate activity (credential abuse, tooling reuse).
- Reduce dwell time through rapid detection and response.
- Assume attackers may be financially motivated but operationally inconsistent.
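The second and third points above (watching for credential abuse that spreads across many hosts, and measuring how long an intrusion goes unnoticed) can be turned into a small piece of detection logic. The following is an added illustration, not code from the page or from any of the organisations linked below. It runs over constructed authentication events (the account names, hosts and timestamps are made up for the example) and flags any account whose successful logons touch several distinct hosts inside a short window, a pattern consistent with stolen credentials being reused for lateral movement. It then reports dwell time, defined here as the gap between the first flagged event and the time of containment; the window size, host threshold and containment timestamp are all assumed parameters.

```python
"""Detection sketch for affiliate-style credential abuse (added example).

Flags accounts whose successful logons reach many distinct hosts within a
short window, then computes dwell time to a given containment point.
Every event below is constructed sample data, not a real log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, host, outcome).
# "svc-backup" is the planted suspicious account; the others are benign noise.
EVENTS = [
    ("2024-03-01T09:00:00", "alice", "WS-01", "success"),
    ("2024-03-01T09:02:00", "alice", "WS-01", "success"),
    ("2024-03-01T22:10:00", "svc-backup", "WS-07", "success"),
    ("2024-03-01T22:11:30", "svc-backup", "FS-01", "success"),
    ("2024-03-01T22:12:10", "svc-backup", "DC-01", "success"),
    ("2024-03-01T22:13:00", "svc-backup", "SQL-02", "success"),
    ("2024-03-01T22:13:40", "svc-backup", "WS-12", "success"),
    ("2024-03-02T08:30:00", "bob", "WS-03", "failure"),
    ("2024-03-02T08:30:20", "bob", "WS-03", "success"),
]


def parse(ts):
    """Parse an ISO-8601 timestamp string into a datetime."""
    return datetime.fromisoformat(ts)


def find_spray_accounts(events, window=timedelta(minutes=10), min_hosts=4):
    """Return {account: (first_logon, sorted_hosts)} for accounts whose
    successful logons hit at least `min_hosts` distinct hosts within `window`.

    `window` and `min_hosts` are assumed tuning values; real deployments
    would derive them from a baseline of normal account behaviour.
    """
    by_user = defaultdict(list)
    for ts, user, host, outcome in events:
        if outcome == "success":          # only successful logons count
            by_user[user].append((parse(ts), host))

    flagged = {}
    for user, logons in by_user.items():
        logons.sort()                      # chronological order
        start = 0
        for end in range(len(logons)):
            # Slide the window start forward until it fits inside `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {h for _, h in logons[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[user] = (logons[start][0], sorted(hosts))
                break                      # first qualifying window is enough
    return flagged


def dwell_time(first_suspicious, contained):
    """Dwell time as used here: first flagged event until containment."""
    return contained - first_suspicious


def run(events=EVENTS, contained_at="2024-03-02T10:00:00"):
    """Summarise flagged accounts with their dwell time in hours.

    `contained_at` is an assumed containment timestamp for the example.
    """
    contained = parse(contained_at)
    return {
        user: {
            "first_seen": first.isoformat(),
            "hosts": hosts,
            "dwell_hours": dwell_time(first, contained).total_seconds() / 3600,
        }
        for user, (first, hosts) in find_spray_accounts(events).items()
    }


if __name__ == "__main__":
    for user, info in run().items():
        print(user, info)
```

The sliding window is the important part: a single logon to a new host is routine, but four distinct hosts in a few minutes from one service account is the kind of tooling-driven behaviour affiliates produce when reusing harvested credentials. The dwell-time figure is what the "reduce dwell time" point asks you to drive down; here it is simply the interval between that first window and whenever the account was disabled or the host isolated.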
External resources
- https://www.europol.europa.eu/publications-events/publications/internet-organised-crime-threat-assessment-iocta
- https://www.ncsc.gov.uk/blog-post/ransomware-evolving-threat
- https://www.mandiant.com/resources/ransomware-affiliate-ecosystem