Cybercrime has rapidly evolved into a global threat, facilitated by advancements in digital technology and the emergence of illicit online marketplaces. Among these, Telegram has become a key platform for criminal activity, offering an environment where illicit goods and services are traded with relative ease and anonymity. Its minimal content moderation, group and search functionalities have made it attractive for criminals. However, despite its increasing role in cybercrime, law enforcement struggles to effectively disrupt illicit activities, as traditional enforcement strategies face challenges to address the resilience and adaptability of such networks.

Despite extensive research on cybercrime, illicit Telegram marketplaces remain poorly understood, particularly in how they sustain resilience and adapt modi operandi despite enforcement. The role of automation and commoditisation in shaping these exchanges is largely overlooked, while reliance on outdated data limits insight into recent adaptive strategies. A community-centric approach is needed to examine marketplace dynamics, the impact of disruptions, and assess the impact of specified targeting on the adaptation of crime. This study answers these knowledge gaps by using the following research question: What ecosystemic mechanisms stimulate the resilience of Telegram as an illicit market? To answer this research question, a mixed-methods approach is used, where an extensive literature study and expert interviews are enriched with a large-scale data analysis with 1.4M independently sourced Telegram messages. These messages stem from 2021 to 2024 and are sent by 14,856 unique Telegram users in 45 Dutch Telegram channels. Using machine learning-based classification (SVM), topic modelling (LDA) and automated indexing, this study identifies modi operandi, payment preferences and patterns in communication. Ultimately, this research aims to uncover the systemic mechanisms driving adaptive cybercrime behaviours on Telegram by analysing the impact of automation, commoditisation, platform regulations, and law enforcement interventions. It examines how illicit markets sustain resilience, whether enforcement efforts lead to disruption or displacement, and how vendor specialisation and payment preferences shape underground economies. Thereby, this study provides insights to improve law enforcement strategies, inform policy development, and establish a scalable framework for future illicit ecosystems understandings.

The findings highlight automation and self-regulation as key factors in Telegram’s resilience. Thereby, bots play a central role in message auto-deletion, channel moderation, scam detection, and mass message distribution, reducing exposure to law enforcement and increasing efficiency. Auto-deletion is widely used, with most channels setting messages to expire, effectively erasing digital footprints. The dataset shows that only 5.3% of messages are unique, a stark contrast to the 21.8% uniqueness rate in the reference dataset (2017-2021), underscoring the dominance of mass-distributed, repetitive advertisements. Additionally, vendors increasingly rely on outsourced advertising services, where intermediaries automate message forwarding across multiple channels (multi-homing), ensuring that criminal listings remain visible and accessible and minimising the impact of platform takedowns. This transformation shifts Telegram from a socially driven chat platform to an automated and heavily commoditised illicit marketplace.

Despite Telegram’s recent increased moderation efforts, the study finds no empirical evidence of mass migration to alternative platforms. During the analyses, 33 channels ceased existence, resulting in only 38 of the 71 initially identified channels remaining active, indicating a deterrence effect, but no full elimination. This study further presents internal displacement mechanisms, such as invitation-based access systems and broadcasting channels for fast internal displacement.

Market specialisation primarily occurs at the vendor level, rather than the channel level. While channels present mixed products and services interchangeably, 67.6% of vendors specialise in offering a single crime category, whereas 32.4% engage in multi-category sales. Multi-category vendors display professionalism to an extent, as indicated by their broader range of accepted payment methods (1.63 on average, compared to 1.37 for single-category vendors). Furthermore, scarcity-driven demand is evident, observed in categories with fewer advertisements, such as firearms and explosives, where user requests are more frequent. These observations suggest that law enforcement actions targeting specific markets do not eliminate demand but instead push buyers toward more proactive search behaviours. Besides, a shift in financial strategies is also observed. Cash has become the dominant payment method for drug-related transactions, replacing cryptocurrencies, likely driven by the physical nature of exchanges and pre-existing in-person contact. Cybercrime and financial fraud remain dominated by PayPal, Paysafecard, and cryptocurrencies due to their pseudo-anonymity and the online nature of the committed crimes. Last, a decline in Tikkie and bank transfers is observed, impacted by the traceability of these payments.

This study contributes to society and literature by revealing how Telegram has transformed into an automated, self-regulating and heavily commoditised illicit marketplace, challenging conventional views on cybercrime communities. It demonstrates that automation, self-regulation, and vendor specialisation drive market resilience, reducing reliance on social trust and replacing it with bot-driven enforcement mechanisms. Unlike assumptions that enforcement actions lead to cross-platform migration, findings suggest that crime displacement occurs within Telegram itself, facilitated by broadcasting channels and invitation-based access systems for wide automatic dispersion of invitation links. Additionally, the study uncovers scarcity-driven demand, where illicit products with limited supply generate increased user requests, shifting markets towards demand-based interactions rather than reducing crime. The commoditisation of services, including outsourced advertising and scam prevention, lowers barriers to entry, allowing even low-skilled actors to engage in cybercrime.

These insights provide a new perspective on digital illicit markets, emphasizing the need for enforcement strategies targeting the disruption of technological enablers in the ecosystem, namely automation, bot networks, and broadcasting channels, as these infrastructural mechanisms sustain illicit trade. Disrupting bots, scam registries, and invitation-based access can destabilise criminal networks. Instead of forcing criminals off Telegram, increased enforcement often pushes them towards demand-based interactions or into private invite-only spaces, (infiltration) strategies should therefore adapt accordingly. Besides, a differentiated approach is needed: casual users may be deterred through awareness campaigns, while professional criminals require direct disruption of their security measures. Proactive monitoring using Telegram’s API by tracking high-risk keywords, administrator activities, and advertising patterns could provide real-time intelligence to disrupt criminal networks before they scale. For policymakers, legal clarity is needed on passive group membership and dual-use automation tools that enable crime. Strengthening regulatory frameworks and forcing providers to monitor misuse can curb illicit activities. Future research should focus on tracking internal crime displacement within Telegram, identifying central network hubs, and understanding how bot-driven automation influences illicit trade dynamics, including more research into the distribution techniques, executive actors, rates and the reach of these advertisements. Furthermore, future research can build on the applied methods and the intermediate outcomes, as it has some unresolved aspects. Last, establishing benchmark datasets will help track long-term market evolution and measure the true impact of enforcement measures.

Ransomware attacks, orchestrated by cybercriminal organizations, pose a global threat in our digital era by exploiting system vulnerabilities and demanding ransoms for seized and encrypted data. Conti, a Russian ransomware group, ceased to exist after a 2022 data leak, offering a unique opportunity to study their modus operandi. The leak includes chat transcripts containing indicators of value, like compensation agreements and digital transaction details. By using the value chain lens, these indicators can be used to determine how ransomware groups create and allocate value within their operations. This understanding is essential for law enforcement aiming to disrupt ransomware activities more effectively, as targeting the most valuable components of their operations can result in significant disruptions to the organization. This value attribution is currently unknown. The question this thesis attempts to answer is: How do ransomware groups allocate value to the activities of the ransomware value chain, and how can this inform law enforcement in developing effective intervention strategies? The methodology involves an exploratory research approach to Conti's public chat transcript data, supported by blockchain analysis. The final deliverable includes a value analysis through the value chain lens and recommendations for the FIOD. These recommendations include insights gained from studying the value creation, compensation, and allocation of ransomware groups, highlighting strategic points along the value chain where disruption would result in the most significant impact. These insights are crucial for enhancing criminal investigations and guiding authorities to disrupt valuable and critical activities within ransomware operations effectively.

Recent advances in the field of ‘Zero Trust’ security strategies have revealed that there is still much novelty regarding the concept of Zero Trust architecture (ZTA). Zero Trust has recently gained attention as the traditional approach, based on network perimeter security, is being outplayed by sophisticated cyber attacks. This research contributes significantly to the scientific knowledge base, as ZTA is hardly investigated. Moreover, recent developments are causing the perimeter to disappear, such as increasing collaboration between companies, ecosystem connections, and working from home due to Covid-19. As a result, public and private organizations need to rethink how to protect their IT infrastructure, assets and data better.
Several organizations are willing to opt for a Zero Trust approach because of its benefits. These benefits include improved security, reduced complexity, and lower overhead and operational costs. Additionally, innovation in enterprise architecture security is urgently needed as it can reduce data breaches, decrease lateral movement, and avoid ransom payments and a company freeze.

Even though Zero Trust brings many advantages, it has not yet replaced existing perimeter-based security approaches. The complication is that many organizations struggle with the implementation of ZTA due to a lack of knowledge and clarity on how to implement the Zero Trust security strategy. Additionally, “Zero Trust” is one of the most frequently used buzzwords in cybersecurity, making it hard to distinguish an actual ZTA. Complexity and misunderstandings of Zero Trust lead to failed projects and implementations. Furthermore, ZTA implementations are complex, and a predefined one-size-fits-all approach does not exist.

Moreover, organizations willing to transform their traditional architecture to a more advanced ZTA lack guidance in their transformation. However, Zero Trust solutions are marketed by multiple vendors, including Zscalar, IBM, Microsoft, and Palo Alto. There is no clear guidance for Enterprise Architects to support organizations in the transformation to a ZTA. Thus, research is needed to investigate 1) what Zero Trust architectures are, 2) what the challenges are, and 3) what the design principles for a successful ZTA transformation are.

The thesis reconstructed and analysed transaction-level data of a particular darknet market. Moreover, the thesis reveals what kind of vendors are active on this darknet market, based on their characteristics. Finally, this research identified what the relative importance is of different vendor characteristics for vendor performance on darknet markets.