Introduction
The progressive digitalisation of economic activity, public services and social interaction has profoundly reshaped the environment in which serious and organised crime operates. Criminal conduct increasingly unfolds online, relying on digital infrastructure and exploiting the vast volumes of data generated and stored in contemporary societies. As a result, cybercrime has evolved from a collection of technically driven offences into a structured, transnational and market-oriented criminal phenomenon.
Recent European assessments underline that personal and corporate data have moved to the centre of this ecosystem, no longer as incidental targets but as the core resource enabling criminal activity. This shift is explicitly acknowledged in the latest European analysis, which states that “data is the central commodity of the cybercrime economy- sought after, stolen, bought and exploited by a wide range of offenders”.
From a criminal-law perspective, this evolution is significant. Legal frameworks remain largely anchored in offence-based models focused on direct harm, identifiable victims and linear chains of causation. Data-driven cybercrime, by contrast, is characterised by fragmentation, delegation and the repeated reuse of illicitly obtained resources, challenging traditional assumptions about attribution and responsibility.
Data beyond the offence: target, instrument and commodity
Data plays a multifunctional role in contemporary cybercrime. First, it is frequently the direct object of criminal attacks. Ransomware operations, large-scale breaches and espionage-oriented intrusions aim at the unauthorised acquisition of information that can later be monetised, leveraged for extortion or strategically exploited.
Secondly, personal data functions as a means of committing further offences. Stolen credentials and personal identifiers enable fraud, account takeover, impersonation and social engineering. This instrumental use of data has long been recognised at international level as a structural feature of cyber-enabled crime.
Most significantly, data has become a commodity in its own right. Illicit markets trade in credentials, access to compromised systems and personal records, often through encrypted platforms and invitation-only forums. These markets form the backbone of a service-based criminal economy characterised by outsourcing, efficiency and risk distribution. From a legal standpoint, the circulation of illicit data produces cumulative and systemic harm that extends far beyond the initial act of unauthorised access.
Specialisation, outsourcing and fragmented responsibility
One of the defining features of the current cybercrime landscape is functional specialisation. Offenders increasingly operate within loosely connected supply chains rather than stable, vertically integrated groups. Initial access brokers provide a clear example of this model, their role consists in obtaining and selling access to compromised systems, which are subsequently exploited by other actors for ransomware deployment, fraud or data theft.
This separation between access acquisition and exploitation enhances criminal efficiency, but it also complicates the attribution of liability. Actors operating upstream may be temporally and geographically remote from the final offence, despite their contribution being indispensable. European cybersecurity analysis describes this structure as a mature “crime-as-a-service” ecosystem in which criminal roles increasingly mirror legitimate digital markets.
Traditional concepts of participation and complicity struggle to capture this reality. Where liability depends on proximity to the final act, facilitators such as access brokers and data traders risk falling outside the scope of criminal responsibility, despite their central role in enabling harm.
Obtaining access: exploiting human vulnerability
While technical vulnerabilities remain relevant, human behaviour has become the primary entry point for cybercriminal activity. Social engineering techniques, including phishing and vishing, exploit trust, authority and routine rather than flaws in code.
This dynamic has intensified with the use of generative artificial intelligence. Automated tools now allow offenders to personalise deceptive communication at scale, increasing success rates while lowering barriers to entry. European analysis highlights that the adoption of large language models has “improved the efficacy of social engineering techniques by tailoring communication with the victims and automating criminal processes”.
From a criminal-law perspective, the automation of deception complicates assessments of intent and foreseeability. When harmful conduct is mediated through technological systems, the traditional link between individual decision-making and outcome becomes increasingly attenuated.
Artificial intelligence and the expansion of criminal capacity
Beyond social engineering, artificial intelligence supports identity fabrication, voice impersonation and automated victim selection. Research on the malicious use of AI confirms that these technologies operate as force multipliers, enabling individual actors to scale cybercriminal activity with unprecedented speed and reach.
This expansion of criminal capacity has direct implications for enforcement. Investigative and prosecutorial models focused on discrete cases and identifiable perpetrators struggle to respond to offences characterised by speed, volume and transnational dispersion. Criminal law, traditionally reactive, faces difficulty addressing systems designed for continuous and adaptive offending.
Criminal law responses and international cooperation
The transnational structure of data markets exposes the limitations of territorially bounded legal systems. Offenders, infrastructure, victims and evidence are frequently dispersed across jurisdictions, creating enforcement gaps that cannot be addressed through domestic law alone. European authorities therefore emphasise the importance of intelligence-led cooperation and coordinated disruption strategies.
International research has also highlighted the need to focus on enabling and preparatory conduct. The UN Office on Drugs and Crime has observed that cybercrime often consists of interconnected acts rather than isolated offences, requiring legal frameworks capable of addressing facilitation and market-based contribution to harm.
7. Conclusion
The contemporary cybercrime landscape reflects a structural transformation in organised crime. Personal data is no longer a passive object of protection, but the economic backbone of a criminal ecosystem built around reuse, outsourcing and scale. The repeated theft, circulation and exploitation of data create a self-reinforcing cycle in which initial access generates ongoing criminal opportunity.
This reality challenges criminal law at a fundamental level. Concepts developed for territorially bounded, linear offences struggle to capture harm that is cumulative, distributed and mediated through digital markets. Facilitators operating upstream, access brokers, data traders and service providers, generate systemic risk while remaining formally distant from the final offence.
As Europol succinctly observes, “access to a victim’s account or system is the critical part of most cybercrime kill chains”. Recognising this centrality requires a recalibration of legal focus towards enabling conduct and structural contribution to harm.
Ultimately, addressing the commodification of data is not merely a matter of cybersecurity policy. It is a test of criminal law’s capacity to adapt to digital economies while preserving core principles of legality, proportionality and individual responsibility.
A version of this article has been published on the website of the International Bar Association and is available at: https://www.ibanet.org/The-commodification-of-personal-data
