Continuous developments in the field of AI have led to the rise of new applications across various industries, such as that of cybersecurity. AI’s ability to quickly process large amounts of data makes it a valuable tool for protecting IT systems.
The development and deployment of new AI systems in the European Union (EU) is, now regulated by the EU’s new AI Act, a landmark regulatory framework designed to promote responsible AI development and usage. The AI Act imposes regulations on the protection and use of AI systems, particularly in regards to the explainability and traceability required of these systems. Further developments in industry standards, such as the new ISO 42001 norm, also aim to provide guidance for the use and development of AI systems. Both regulatory and industry standards pose requirements regarding the implementation of safeguards for explainability and transparency for AI systems. These regulations and standards emphasize the need for safeguards that enhance transparency and accountability, ensuring both meaningful insight into AI-driven decision-making and effective mechanisms for human oversight.

This research seeks to consolidate legal and industry standards into a unified framework that offers clear guidance on the implementation of AI-driven cybersecurity solutions in the public sector. The framework aims to outline the current legislatory boundaries, including how regulations such as the GDPR and the forthcoming EU AI Act affect the design, deployment, and monitoring of AI systems. It also proposes different methods to comply with current regulations, such as best practices and industry standards, as well as tools from the field of Explainable AI (XAI) than can be implemented to comply with current regulatory requirements.
These methods were combined to answer the main research question:

How can compliance with current EU regulations be ensured in AI-powered cybersecurity monitoring solutions for public organizations?

An exploratory literature study was conducted to look at the current legal requirements regarding the use of AI systems, as well as any potential additional requirements for their application in the public sector. This was expanded upon by conducting with subject matter experts at DTACT, as well as external experts, to form cybersecurity, regulatory, and public sector perspectives. further elaborated upon by conducting interviews with subject matter experts at DTACT, as well as external experts. A case study was conducted on the cybersecurity solution currently developed and used at DTACT, using the constructed framework. This is followed by a discussion on the public sector implementation of AI solutions for cybersecurity, to gather further insights into the limitations of the framework and to increase its applicability on the needs and requirements of DTACT’s current client base.

The rapid digitalisation of healthcare has underscored the importance of cybersecurity in hospitals. Yet, there is an untapped potential to consider cybersecurity from the start, during the procurement of medical devices. This thesis investigates the current procurement practices in Dutch hospitals, focusing on how cybersecurity considerations are integrated into these processes. Despite the critical role of cybersecurity in protecting patient safety and data integrity, there is a notable gap in the literature regarding its integration into medical device procurement. This research aims to fill this gap by providing a comprehensive analysis of procurement practices and offering insights for improvement.

The study is structured into five phases: an initial literature review to define the research problem and identify knowledge gaps, desk research to overview existing policies, regulations, and scientific literature, semi-structured interviews with stakeholders in three Dutch hospitals and one external stakeholder, a framework analysis of the interview data to identify key themes and dynamics, and synthesis of findings into a comparative case study with practical recommendations.

The findings reveal that the procurement process in Dutch hospitals is multifaceted, involving various stakeholders from within the hospital and outside, such as doctors, IT staff, procurement departments, and manufacturers. The procurement process across the three participating hospitals showed a remarkable resemblance, generally following a similar structured approach. However, it falls short in prioritising cybersecurity, often treating it as a baseline requirement. In addition, external influences, including manufacturers, medical conferences, and peer opinions, could impact procurement decisions. Manufacturers often engage directly with doctors and provide trial installations to promote their devices. However, cybersecurity is often not prioritised, with functional and financial requirements taking precedence.

This thesis makes significant contributions to the field by providing detailed empirical data on procurement practices and stakeholder dynamics, highlighting the role of cybersecurity plays in Dutch hospitals, and offering practical recommendations for enhancing cybersecurity integration. By addressing the gaps in existing literature, this research provides a foundation for future studies and practical improvements in healthcare procurement.

The findings underscore the need for hospitals to adopt more structured and standardised approaches to integrating cybersecurity into procurement decisions, ultimately enhancing the security and resilience of healthcare systems against evolving cyber threats. This research contributes to both the scientific community and healthcare practitioners, providing valuable insights and practical guidance for improving procurement practices and ensuring better patient safety and data protection.

Cryptocurrency investment scams have become an increasingly prevalent threat, leveraging sophisticated methods to deceive and exploit victims. The phenomenon of pig butchering has gained prominence, but victims rarely see the perpetrators getting justice. There is a need for more decisive action of law enforcement, but several factors limit the feasibility of prosecution. In order to strengthen the knowledge position of law enforcement, this research aims to capture the Tactics, Techniques, and Procedures (TTP) of the owners and creators of cryptocurrency investment scam websites. The feasibility of conducting a criminal investigation into a scam operation is assessed. This feasibility is compared to that of a Notice and Takedown procedure. This is done by focusing on clusters of scam websites with very similar content. We created a dataset consisting of 436 websites. Each website belongs to one of four identified scam website templates. By monitoring the websites in the dataset over a period of 40 days, it was discovered that the majority of the websites goes offline after exactly one year. The contents of the webpages in the dataset are scraped and the similarities between the websites are measured. It was found that instances of the same template are similar enough, allowing us to use known scams to automatically detect new scam websites. Until generative AI becomes more widely used by scam website creators to fill their templates, fingerprints of known templates can be used to discover new templates. Clustering the websites based on their contents can identify which websites are likely to follow identical scamming procedures and which websites deviate from this. This can inform law enforcement on how to funnel investigative resources. The study was not able to conclude whether a template has one owner with multiple scammers hosting their own acquired instance(s) or that a template owner themself hosts multiple instances – with the existence of some copycats. There was evidence for both scenarios. The process of gathering metadata and content data revealed that free Cloudflare services provide scammers with additional security. Firstly, the Cloudflare Turnstile page prevents the website from being archived, which causes a lack of evidence about the website’s content at the time of a scam. Secondly, Cloudflare’s function as proxy hides the website’s IP address, which creates an accountability void due to the absence of a geolocation. This complicates the process of starting a criminal investigation. In order for law enforcement to make a difference, it is advised to invest effort and money into creating an automated Notice and Takedown pipeline. This will reduce the effort needed to take down a scam and will simultaneously increase the effort and financial means needed by scam operations.

The rapid growth of internet-connected devices has led to a significant increase in the number of cyber attacks, resulting in security challenges related to IoT. Researchers have discovered a new attack technique that can be used for launching large DDoS attacks, which involves TCP reflective amplification by abusing middleboxes and IoT devices. In order to assist Internet Service Providers (ISP's) in mitigating this vulnerability present at their customers, a deeper understanding of this novel attack technique is needed.
The thesis primarily focuses on exploring vulnerable devices and their end-users within the consumer network of a Dutch ISP, KPN. The ultimate goal is to gather more information on the types of vulnerable devices and actors involved to eventually assist an ISP in making informed decisions to remediate the vulnerability in their network.
The study found that the problem can be described in two different issues: vulnerable middleboxes and vulnerable consumer IoT devices with broken TCP protocols. The problem of vulnerable middleboxes has been solved in the network of the Dutch ISP as manufacturers have released updates remediating the vulnerability. This is not the case for vulnerable consumer IoT, as updating consumer IoT devices does not necessarily address the vulnerability present in the devices that have been identified. However, vulnerability notifications can potentially be useful for end-users to encourage them to update their vulnerable devices.
The study highlights the presence of vulnerable devices in the ISP network that cannot be remediated by updating the device due to the unavailability of a fix. This calls for the exploration of alternative notification methods like walled garden notifications for ISP's to address the issue as mail notifications seem not feasible at the moment of writing. While updating devices is a suggested solution, it may not be feasible for end-users with vulnerable consumer IoT devices, making it crucial for manufacturers to ensure their products have secure TCP protocols. While end-users are motivated and capable to keep their vulnerable devices up to date, whether or not they receive a vulnerability notification from their ISP, this action alone will not fully address the vulnerability as long as manufacturers remain unaware of the issue or fail to provide updates to remedy it.

In recent years, more and more emphasis has been put on the importance of good preventative cyber security and vulnerability management techniques such as "Patch Tuesday".
Despite the increased importance, not all organisations have the same resources and knowledge when it comes to securing their networks against cyber adversaries.

This research tries to examine the vulnerability posture of Dutch municipal ICT networks.
To accomplish this a network ranges dataset was curated using open source intelligence techniques.
These networks, related to current and previous Dutch municipalities, have been used to collect network data scans and observe the changes in software products and versions.
Based on the data collected we can observe the software update moments for different organisations and analyse how often software products are kept up to date.
Using this network scan data and a subset of open-source products, we were able to construct a case study analysis about the general trends of vulnerability management and the influencing factors thereof.
This was done through timeline analysis, involving also software update releases, security advisories, and publicly disclosed vulnerability exploits.
Our findings show uncoordinated strategies within the different organisations and rare proactive security behaviour.

Another contribution of this study is in the sphere of reconnaissance and open source intelligence gathering, showing that publicly available information alone is a time-consuming procedure that renders very few useful data points.
These later findings have implications for both adversaries as well as security organisations, as reliable data could only be obtained through direct contact with the underlying municipality.

Ransomware has evolved over the years, shifting from widespread attacks targeting individuals to focused attacks on businesses and agencies. These attacks are performed by ransomware gangs while establishing interaction within the ransomware ecosystem. In this thesis, the ransomware ecosystem is posited as being constructed of three separate sub-ecosystems: the attacker sub-system, the defender sub-system, and the governance sub-system. Since ransomware gangs put in an effort to hide their internal communication and operation from the outer world, difficulties arise in correctly understanding the ransomware ecosystem and a ransomware gang’s establishment of interactions within this ecosystem. As a result, current interventions are ineffective.

While earlier research has been conducted on ransomware, we observe two knowledge gaps: 1) there is a lack of understanding of how ransomware gangs establish interactions with actors in the ransomware ecosystem, and 2) There has been a lack of research that uses ground truth data due to ransomware gangs keeping their internal communication and operations hidden. This thesis uses the leaked internal communication data of the Conti ransomware gang to fill these knowledge gaps and answer the research question: To which extent can the ransomware ecosystem be reconstructed using ground truth communication data of the Conti ransomware gang?”.

To answer this question, a novel methodology is proposed that uses Latent Dirichlet Allocation (LDA) topic modeling to empirically determine overarching topics in Conti's internal communication. It is then researched how these overarching topics map to Conti’s tactics, techniques, and procedures (TTP) which is a commonly used methodology to better understand how ransomware gangs operate. Subsequently, these TTP are leveraged to reconstruct the ransomware ecosystem while taking the perspective of how the Conti ransomware gang establishes interactions within the ransomware ecosystem.

The findings of this thesis indicate that Conti is a large and professional organization that incorporates and adjusts services of service-providing cybercriminals in the attacker ecosystem rather than developing their ransomware themselves using scarce IT talent. In addition, reconnaissance is one of the most critical activities that ransomware gangs perform to get to a successful ransomware attack. While researching Conti's TTP, this thesis identifies novel TTP of ransomware gangs, such as Conti's attack chain, reconnaissance procedure, and money laundering procedure.

We conclude that the ransomware ecosystem can be reconstructed from the attacker ecosystem, the defender ecosystem, and the governance ecosystem, in which ransomware gangs establish interactions within each sub-ecosystem while operating from the attacker ecosystem. In the attacker ecosystem, ransomware gangs establish interactions with service-providing cybercriminals to outsource sub-commodities of their ransomware value chain. This allows them to strengthen their attack vectors by relying on the expertise of others and have a more varied set of attacks. The defender ecosystem is comprised of defenders that defend themselves against ransomware. Ransomware gangs establish interactions by performing extensive reconnaissance on defender territories and valuable information and open-source tools that strengthen their attack vectors. The governance ecosystem comprises governance actors that create and maintain the governance framework that influences the attacker ecosystem and defender ecosystem. Ransomware gangs establish interactions with actors in the governance ecosystem to observe the regulatory frameworks in place and adjust their TTP based on the involved risks of getting caught.

Money laundering has been in existence for a long time, but with recent developments in cryptocurrency technologies, using them as a new method of laundering criminal proceeds has become available to a wider audience of criminals due to mixer services. Bitcoin can be considered pseudonymous, and Mixer services attempt to obfuscate the money trail further by creating transactional chaos. Little is known about the exact functioning of these mixers and how criminals interact with these services. In this thesis, a literature study on existing anti- money laundering (AML) technologies and pattern analysis are applied. Unique to this research is the use of insider mixer administration data combined with the use of public blockchain data. The goal of this research is to gain insight into the degree with which mixer transactions can be identified as money laundering. This will increase the foundation for AML regulation and Law Enforcement procedures. The results show that a small share of the transactions can strongly be identified as money laundering, while for a large share of transactions the identification as money laundering is less strong. In addition, some unexpected phenomena such as reverse money laundering were identified.

Mixing services try to distort cash flow tracking of cryptocurrencies and obfuscate the origin of customers’ earnings by substituting customers’ cryptocurrency funds with the funds of other customers or the mixers’ private assets. This quality makes mixing services interesting for money laundering, and they are therefore often used by criminals. As such, there is an urgent need to systematically understand how to restore the relationship between deposits and payouts of centralized mixing services. Unfortunately, there is minimal knowledge of how mixing processes of centralized mixing services work, and few attempts exist to create these demixing methods. This research aimed to develop a demixing method for centralized mixers with knowledge gained from ground-truth data. The ground-truth data contains information on orders and the transaction history of mixing service BestMixer. Demixing consists of collecting all addresses that are part of the mixer (attribution) and finding the correct payout to a deposit (reconstruction). Multiple statistical analysis techniques were applied to this data to verify existing attribution heuristics and find new characteristics of mixing services. Also, filtering techniques to reconstruct the relation between deposits and payouts were tested on the order data. This research verifies that BestMixer likely did not reuse addresses in the mixing process. It also showed that the lifespan of most addresses was shorter than 24 hours. In addition, many BestMixer addresses received or sent a transaction to another BestMixer address, which created sequences of BestMixer transactions. The sequences show that the mixer used a peeling chain pattern in combination with multi-input transactions. These characteristics can be used to attribute other centralized mixing services. The results also show that the mixer increased in popularity throughout time.
Overall, the reconstruction attempt with filtering techniques did not perform well on BestMixer orders, as it returned an impracticable amount of possible payout combinations. The mixer showed less activity in the beginning days of the service, and there are signs that the reconstruction works better in this earlier stage of the mixer. This means that when a mixer becomes more popular, it could become more difficult to demix the orders correctly.
From this research can be concluded that the ground-truth data of BestMixer does help in developing attribution heuristics for centralized mixers, but not in developing a general reconstruction method that correctly restores the relation between deposits and payouts, thus not suffice in demixing centralized mixers.

How did Avalanche, a botnet with an active lifetime of 8 years while serving 20+ malware families, ensure a smooth operation of business? Avalanche had the attention of security researchers and law enforcement, yet it managed to persevere for a long period of time.
In this work, we answer this question by analyzing Avalanche’s security controls and its business model based on longitudinal ground truth data from its criminal investigation by German law enforcement. We first analyzed previous botnet research and identified five research challenges: (1) the botnet phenomenon keeps evolving, so continuous research is required, (2) there is not yet a framework to categorize or interpret botnet evasion techniques, (3) botnet research is challenging due to the lack of large real-world datasets, (4) botnet takedowns are challenging and costly, so other avenues for intervening in botnets should be explored, and (5) more research is being done into botnet economics, but it is mostly based on case studies methodologies without access to ground truth data.
We defined the adversarial context of botnets and showed how their responses – evasion techniques – can be interpreted as security controls according to deviant security theory. We created a framework for categorizing these security controls, based on security control types and the type of threat. Turning to our data, we performed an exploratory analysis in which we processed, validated and interpreted the available data based on their different types: server images, network data and databases. Based on the insights from this analysis, we applied the business model canvas and described Avalanche’s business model. We describe how Avalanche provides it customers with proxying and domain registration services, generating on aver- age $7,500 of revenue per month from 59 customers. We identified seven security controls, three technical controls and four administrative controls, that were applied to evade detection, to increase resilience against takedowns and to conceal the ownership by the botnet operators.
Our findings show that Avalanche configured itself to adequately respond to the threats in its adversarial context. Its business model – through using different key partners and many replaceable resources – and its application of security controls – such as backups, bot monitoring and proxy architecture – created redun- dancy in Avalanche’s operation, allowing it to detect and resolve threats quickly.

In order to combat financially-economically related crime the government implemented a new directive ensuring that virtual currency exchanges now have to adhere to requirements from legislation countering money laundering. This thesis researches what the extent is of effects that this legislation posed to the daily operations of virtual currency exchanges.

This study aims to make recommendations about how the Internet can be more thoroughly cleaned of Child Sexual Abuse Material (CSAM), focusing on the Dutch government policies. In the past years, several organizations, including the European Commission, called out the Netherlands for the role Dutch companies have in the hosting of CSAM. According to INHOPE, the CSAM hotline umbrella organization, the Netherlands is responsible for 20\% of the hosted CSAM worldwide and 79\% within the EU. For this study, a mixed-methods approach is chosen. A mixed-methods approach combines a qualitative and a quantitative method. The qualitative analysis is used to reveal relevant stakeholders, their positions, how they participate in the policymaking process, how they evaluate the government policies, and what they believe are the most significant improvements to the system. The quantitative results map information flows and processing times of the Dutch CSAM NTD mechanism. Combining the qualitative and quantitative research has revealed several pitfalls. Firstly, much CSAM remains unfound. Secondly, hotlines have a very important but also insecure position in the government policies. Further, are direct incentives for the sector more than moral duty are missing and the organizational degree of the sector is low. Also, the set norms and policies of the government and self-regulation are not accounting for the high diversity of the sector. There is a lack of financial resources. Finally, several stakeholders question the adequacy of law enforcement in regard to CSAM. Consequently, recommendations in three areas are made: (1) expanding and strengthen the current policies, (2) enhancing the collaboration between the stakeholders and their own position and (3) introducing new policy initiatives.

Cybercrime thrives and online anonymous markets, or darknet markets, play an important role in the cybercriminal ecosystem. Vendors active on darknet markets invest in security mechanisms to compromise the availability or usefulness of evidence to Law Enforcement Agencies. Therefore, difficulties arise in linking identities or machines to cybercrimes facilitated by darknet markets. As a result, many cybercrime investigations are ineffective. This thesis consists of an exploratory case study based on the full administration of the Hansa Market. The Hansa Market (2015-2017) was infiltrated and eventually taken over and shut down by the Dutch Police. The data used in this thesis originates from the server that hosted the market and is made available by the Dutch National High Tech Crime Unit (NHTCU) and the Fiscal Information and Investigation Service (FIOD). This data is used to answer the research question: “Which factors influence the security behaviour of darknet market vendors active on Hansa Market?”. To answer this question, vendors that are similar regarding a) their experience, b) the activity on other markets, c) the amount of physical items sold, e.g. drugs and d) the amount of digital items sold, e.g. stolen credit card information, are clustered into five `vendor types' using Latent Profile Analysis. It is researched whether these clusters of vendors differ in terms of the following security behaviours observed: a) authentication related security practices (password strength, password uniqueness and two-factor authentication usage), b) encryption of communication, in the form of PGP-adoption and PGP-key strengths used, c) the linkability of a vendors' pseudonym through PGP-key matching and d) a vendors' choice of Online Financial Service Providers within the bitcoin ecosystem, measured by querying a service that provides contextual information on bitcoin transactions and addresses. The findings indicate that approximately causal relationships may be inferred between on the one hand vendor types, that represent a combination of business success in terms of physical and digital sales, experience and activity on other markets and on the other hand security behaviour. Vendors offering digital items tend to behave less securely than vendors selling large amounts of drugs. This thesis explains the observed (differences in) suboptimal security behaviours by arguing that vendors on Hansa Market conduct subjective risk assessments. This implies that the probability of being targeted by LEA and the value of the vendors' assets that are at stake (e.g. informational assets containing incriminating evidence or `years of freedom') are of influence on security behaviour. Lastly, recommendations to Law Enforcement Agencies include to exploit the subjectiveness in cybercriminals' risk assessments and to consider focusing on vendors transacting digital items. Academics are recommended to extend this research by investigating cybercriminal security behaviours through improved measurement methodologies in larger and more recent datasets.

To provide insight into factors that play a role for DT in the humanitarian sector, a combination of literature and expert interviews was used to identify relevant criteria for the humanitarian sector. In accordance with prevailing literature, these factors have been categorised in people, process and technology factors. People factors include leadership, human resources, culture, organisational structure. Process factors were: alignment operations & IT, long term commitment Management, long term commitment network, long term commitment donor, crisis response, Legal issues. Finally, technology factors included both data and digital. The identified critical DT factors were translated into an assessment framework making use of the CMMi Maturity Model approach. For each factor and maturity level combination, there is an explanation of what a humanitarian organisation has to comply with, before advancing to the next level. This ensures that national societies can generate an overview where they currently are and what steps to take to advance. To adequately deal with the barriers and increase practical applicability of the framework, separate barrier-overcoming-strategies have been formulated.

Background: A lot of scientists have tried to shed light on dark web markets. They did this by scraping these marketplaces over a period of time and describe what they were seeing. However, the methods used to measure these markets were never validated before. Research goal: This research will identify and validate the methods that are used in the literature to measure darknet marketplaces. Methods: To validate these methods, a novel dataset is used, namely the confiscated backend of a market. This dataset is cleaned and used to analyze the accuracy of these proxies on. Results: It is found that the number of transactions, revenue, and market share can be estimated with a high amount of explained variance. The predictions are precise enough to find prominent vendors on the market. The designed method of calculating the illegally obtained profits of a darknet vendor is easy to understand and could be used by law enforcement agencies. Finally, it is found that some vendors register to a market early as a strategy to ensure their business continuity.

Dit rapport is geschreven in het kader van de tweede fase van het vak ’Bachelor-eindproject’ van de bacheloropleiding Technische Bestuurskunde aan de Technische Universiteit Delft. Het rapport is geschreven naar aanleiding van het issue-paper dat ik voor de eerste fase van dit project geschreven heb over het bestrijden van financiële, economische en fiscale fraude met een cybercomponent. Het onderzoek betreft het ontwerp van een methode om de betrokkenheid van een land bij de handel op online anonieme markten in kaart te brengen op productniveau. Deze methode is ontworpen aan de hand van het proces voor Data Mining en maakt voor de analyse gebruik van machine learning technieken en methodes voor content-based geo-location estimation ontworpen voor social media platformen zoals Twitter. De toepasbaarheid en het resultaat van de methode is in de praktijk getest door de toepassing van de methode op de casus van de FIOD.