Breaking down the cyberattack lifecycle: Monetization

Nicholas Koken
May 24, 2024

Given the significant amount of work invested into a cyberattack, attackers want to be handsomely rewarded for their efforts. Verizon reports that 95% of system intrusions last year were financially motivated.

In this blog series, we’re describing every stage of the cyberattack lifecycle, how they’re perpetrated, and what defenses you can set against them. Before this, we detailed the Actions on Objectives stage. This is the final installment, Monetization.

Capitalizing off cyberattacks

Since data is such a valuable commodity today, attackers often levy it as a bargaining chip to earn money for their hard work. Depending on the data, attackers may be able to capitalize without interacting with their victims, too.

How are attackers making money?

There’s a reason cyberattacks are a lucrative business. Here are some of the ways attackers capitalize off breaches.


Often, attackers steal data to demand payment for its return. Tactics like ransomware encrypt said data to force organizations to pay up in return for the encryption key. These payments are almost always in Bitcoin or some other cryptocurrency so the attacker may remain anonymous.

For reference, ransom payments in 2023 totaled well over $1B. Despite efforts from government and industry bodies to stop ransom payments, the fear and uncertainty that ransomed data creates leads many organizations to pay out before their reputations are tarnished.

Access Brokerage

Initial access markets and other forums allow attackers to sell stolen data and other information to the highest bidder. Doing so gives the broker a quick payout and diverts any attention they may have garnered to the buyer. Like with ransoms, many of these transactions rely on cryptocurrency for anonymity.

Some attack groups specialize solely in initial access, finding the most efficient ways to breach an organization and steal information. This approach removes the burden of establishing persistence or installing weapons and still ensures a payout. And, since this approach can be carried out at scale, its payout can be more consistent, despite being less lucrative than ransom or other monetization methods.

Financial fraud

If an attacker can make off with financial information, they can commit fraud using credit cards, social security numbers, or other means. Credentials for bank accounts or similar financial institutions enable wire fraud as well.

Although the worst effects often hit individuals, businesses are also susceptible to financial fraud. And, if a compromised organization leads to an individual being affected, that organization is culpable for the outcome.

Moving forward: Defense-in-depth

Unfortunately, there is little to be done by way of defenses at this stage of the cyberattack lifecycle as the attack is usually already successful. For defending against initial access brokerage, read our piece on the Exploitation stage.

Otherwise, let’s step back and think about the underpinnings throughout the cyberattack lifecycle. Since many parts of the IT environment are affected throughout, organizations need to implement multiple layers of defense to prevent, detect, and respond to attacks.

A defense-in-depth approach helps cover all bases, making it difficult for attackers to successfully proceed through the kill chain and capitalize. To learn more about how to implement defense-in-depth, tune in to our upcoming webinar for techniques and further insights into the cyberattack lifecycle. Reserve your spot here.

Stay up to date

Subscribe to receive the latest insights, news, and updates from Todyl.

Additional reading

Threat breakdown: Remote access and credential dumping
5 key elements of effective MDR providers: Beyond just detection and response
Streamlining zero trust security with JumpCloud and Todyl

Todyl updates

Sign-up to get the latest from Todyl sent straight to your inbox.